Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
4.7.1
-
None
-
X11, Linux
-
e340844bd614add505a39a3a6b915632476f6305
Description
QTreeView makes use of deleted memory in one particular circumstance, let me explain and provide a patch.
KPackageKit (KPACKAGEKIT_0.6.X branch in git://git.kde.org/apper) crashes reproduceably in QTreeView when filling a tree view with many packages (e.g. typing "a" and Enter). The valgrind log (attached) explains what's happening:
1) QTreeViewPrivate::itemHeight does "const QModelIndex& index = viewItems.at(item).index;" and passes that to indexRowSizeHint()
2) indexRowSizeHint calls visualIndexAt(0)
3) and below, indexRowSizeHint uses index.row().
So if something in visualIndexAt() ends up recreating the viewItems vector, then index is a dangling reference.
This indeed happens when visualIndexAt() ends up calling sizeHintForColumn() [via QHeaderView, see 2nd vg backtrace for details] which starts with executePostedLayout() which calls doItemsLayout() ... even though all of this is from doItemsLayout already
And doItemLayouts recreates the viewItems vector -> bingo.
The fix is simple: not keeping a ref, but an actual copy of the qmodelindex.
One-liner patch attached, please apply.