Details
-
Bug
-
Resolution: Unresolved
-
Not Evaluated
-
None
-
6.4.1, 6.4.2
-
None
-
Python 3.8
Qt 6.4.2 (x86_64-little_endian-llp64 shared (dynamic) release build; by MSVC 2019)
Windows 10 or Linux
-
Linux/X11,
Windows
Description
When implementing a QML property you can return a Python object, which will work until the javascript interpreter runs the JS GC, at which point a crash occurs due to what looks like a double free.
Running the attached code produces the following output:
Python 3.8 Qt 6.4.2 (x86_64-little_endian-llp64 shared (dynamic) release build; by MSVC 2019) [limited API] Dummy object died Windows fatal exception: access violationCurrent thread 0x00005fc8 (most recent call first): File ".\refcountbug.py", line 31 in _getDummy File ".\refcountbug.py", line 28 in _sendUpdate File ".\refcountbug.py", line 56 in <module>
The dummy object is deleted, even though the Python class still has a reference to it. The WinDbg call stack for when the object is deleted has also been attached (I added an input() to the destructor, hence the calls to PyOS_*). WinDbg didn't have debug symbols for PySide, so the symbol names might be misleading.
On Windows the crash happens reliably on iteration 7181, while on Linux it crashes on iteration 7441. I assume these numbers relate to when the JS GC is triggered.
It is also possible to trigger the bug by calling gc from QML when more than one iteration has passed, to make the bug occur faster. An alternative version of the code doing this is attached (refcountbug_with_gc.py). The output on Windows is:
Python 3.8 Qt 6.4.1 (x86_64-little_endian-llp64 shared (dynamic) release build; by MSVC 2019) [limited API] qml: Before GC Dummy object died at 2 qml: After GC
And on Linux is:
Python 3.10 Qt 6.4.1 (x86_64-little_endian-lp64 shared (dynamic) release build; by GCC 12.2.0) [limited API] qml: Before GC Dummy object died at 2 qml: After GC
Attachments
Issue Links
- relates to
-
-
- Closed
-