Qt / QTBUG-36150

Qml engine crash when calling a function that references a destroyed item


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Not Evaluated
    • Resolution: Cannot Reproduce
    • Affects Version/s: 5.2.0
    • Fix Version/s: 5.2.1
    • Labels:
      None
    • Environment:
      Crashes with Qt 5.2.0 on both Linux and Windows. Also tested on version 5.1.1 on Windows and it did not crash.

      Description

      I've been seeing some random crashes in qmlscene while using XMLHttpRequest to fetch data. The attached snippet of code crashes in the same way. This code destroys an item and then later invokes a callback that references that item by id. In my opinion, this should not crash the runtime; at most, it should trigger a script error.

      This code causes a segfault in QV4::__qmljs_get_id_object by dereferencing context, which is null. Stack backtrace:

      #0  0xb79a9d79 in QV4::__qmljs_get_id_object (ctx=0xbfffd27c, id=0) at jsruntime/qv4runtime.cpp:1236
      #1  0xb7a40a67 in QQmlJS::Moth::VME::run (this=0xbfffd22b, context=0xbfffd27c, code=0x822bdac "\035\bX\"\b\001", stack=0xafe270c0, stackSize=13, storeJumpTable=0x0) at jsruntime/qv4vme_moth.cpp:652
      #2  0xb7a40f04 in QQmlJS::Moth::VME::exec (ctxt=0xbfffd27c, code=0x822bd10 "\003=\r") at jsruntime/qv4vme_moth.cpp:707
      #3  0xb79df87b in QV4::Function::code (this=0x8224978, ctx=0xbfffd27c, data=0x822bd10 "\003=\r") at jsruntime/qv4function_p.h:89
      #4  0xb79dc02d in QV4::SimpleScriptFunction::call (that=0xafdeeb60, callData=0xafe27070) at jsruntime/qv4functionobject.cpp:598
      #5  0xb799993d in QV4::FunctionObject::call (this=0xafdeeb60, callData=0xafe27070) at jsruntime/qv4functionobject_p.h:130
      #6  0xb79ad666 in QV4::__qmljs_call_property (context=0xbfffda6c, name=..., callData=...) at jsruntime/qv4runtime.cpp:892
      #7  0xb7a3ba78 in QQmlJS::Moth::VME::run (this=0xbfffda1b, context=0xbfffda6c, code=0x822b100 "\035\b\b\220\"\b\001", stack=0xafe27058, stackSize=11, storeJumpTable=0x0) at jsruntime/qv4vme_moth.cpp:357
      #8  0xb7a40f04 in QQmlJS::Moth::VME::exec (ctxt=0xbfffda6c, code=0x822b0a8 "\003=\v") at jsruntime/qv4vme_moth.cpp:707
      #9  0xb79df87b in QV4::Function::code (this=0x8225620, ctx=0xbfffda6c, data=0x822b0a8 "\003=\v") at jsruntime/qv4function_p.h:89
      #10 0xb79dc02d in QV4::SimpleScriptFunction::call (that=0xafdee930, callData=0xafe27008) at jsruntime/qv4functionobject.cpp:598
      #11 0xb799993d in QV4::FunctionObject::call (this=0xafdee930, callData=0xafe27008) at jsruntime/qv4functionobject_p.h:130
      #12 0xb7b37bb8 in QQmlJavaScriptExpression::evaluate (this=0x82279f8, context=0x82256d0, function=..., callData=0xafe27008, isUndefined=0x0) at qml/qqmljavascriptexpression.cpp:166
      #13 0xb7abe81c in QQmlBoundSignalExpression::evaluate (this=0x82279e8, a=0x0) at qml/qqmlboundsignal.cpp:226
      #14 0xb7abe9d4 in QQmlBoundSignal_callback (e=0x8224a1c, a=0x0) at qml/qqmlboundsignal.cpp:353
      #15 0xb7b15a81 in QQmlNotifier::emitNotify (endpoint=0x8224a1c, a=0x0) at qml/qqmlnotifier.cpp:81
      #16 0xb7a61a34 in QQmlData::signalEmitted (object=0x822a788, index=3, a=0x0) at qml/qqmlengine.cpp:710
      #17 0xb696dabf in QMetaObject::activate (sender=0x822a788, signalOffset=3, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3456
      #18 0xb696e4ce in QMetaObject::activate (sender=0x822a788, m=0xb7c4e59c, local_signal_index=0, argv=0x0) at kernel/qobject.cpp:3438
      #19 0xb7bd089f in QQmlTimer::triggered (this=0x822a788) at .moc/moc_qqmltimer_p.cpp:247
      #20 0xb7bbd64b in QQmlTimerPrivate::animationFinished (this=0x822a7e8) at types/qqmltimer.cpp:324
      #21 0xb7b8c9f6 in QAbstractAnimationJob::finished (this=0x822a830) at animations/qabstractanimationjob.cpp:587
      #22 0xb7b8e1c0 in QAbstractAnimationJob::setState (this=0x822a830, newState=QAbstractAnimationJob::Stopped) at animations/qabstractanimationjob.cpp:392
      #23 0xb7b8e305 in QAbstractAnimationJob::stop (this=0x822a830) at animations/qabstractanimationjob.cpp:529
      #24 0xb7b8e659 in QAbstractAnimationJob::setCurrentTime (this=0x822a830, msecs=1000) at animations/qabstractanimationjob.cpp:501
      #25 0xb7b8e783 in QQmlAnimationTimer::updateAnimationsTime (this=0x8227f08, delta=1001) at animations/qabstractanimationjob.cpp:117
      #26 0xb66c4f43 in QUnifiedTimer::updateAnimationTimers (this=0x818f630, currentTick=-1) at animation/qabstractanimation.cpp:289
      #27 0xb66c8429 in QUnifiedTimer::timerEvent (this=0x818f630, event=0xbfffe850) at animation/qabstractanimation.cpp:393
      #28 0xb696bdf8 in QObject::event (this=0x818f630, e=0xbfffe850) at kernel/qobject.cpp:1122
      #29 0xb72edcb6 in QApplicationPrivate::notify_helper (this=0x8077228, receiver=0x818f630, e=0xbfffe850) at kernel/qapplication.cpp:3467
      #30 0xb72ee362 in QApplication::notify (this=0xbfffebd8, receiver=0x818f630, e=0xbfffe850) at kernel/qapplication.cpp:2888
      #31 0xb6929765 in QCoreApplication::notifyInternal (this=0xbfffebd8, receiver=0x818f630, event=0xbfffe850) at kernel/qcoreapplication.cpp:878
      #32 0xb692f97a in QCoreApplication::sendEvent (receiver=0x818f630, event=0xbfffe850) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:232
      #33 0xb69a29ad in QTimerInfoList::activateTimers (this=0x80fcb04) at kernel/qtimerinfo_unix.cpp:643
      #34 0xb69a58e6 in timerSourceDispatch (source=0x80fcad0) at kernel/qeventdispatcher_glib.cpp:185
      #35 0xb618b478 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
      #36 0xb618ec23 in ?? () from /usr/lib/libglib-2.0.so.0
      #37 0xb618eda8 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
      #38 0xb69a46ab in QEventDispatcherGlib::processEvents (this=0x80fae68, flags=...) at kernel/qeventdispatcher_glib.cpp:426
      #39 0xb2c7e942 in QPAEventDispatcherGlib::processEvents (this=0x80fae68, flags=...) at eventdispatchers/qeventdispatcher_glib.cpp:123
      #40 0xb69246b5 in QEventLoop::processEvents (this=0xbfffeae0, flags=...) at kernel/qeventloop.cpp:136
      #41 0xb6924df8 in QEventLoop::exec (this=0xbfffeae0, flags=...) at kernel/qeventloop.cpp:212
      #42 0xb692a041 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1131
      #43 0xb6cdd89d in QGuiApplication::exec () at kernel/qguiapplication.cpp:1332
      #44 0xb72f0e38 in QApplication::exec () at kernel/qapplication.cpp:2692
      #45 0x0804e19f in main (argc=6, argv=0xbfffeea4) at main.cpp:537
      

      Note: I disabled JIT for easier debugging, but it crashes the same way with JIT enabled.
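A constructed QML illustration of the pattern the description refers to (added here; this is not the reporter's attached snippet and is not claimed to reproduce the crash): one timer destroys an item, and a later timer calls a function that references that item by id. The guard in `useTarget` shows the defensive check for the expected QML behaviour, where an id that refers to a destroyed object resolves to null.

```qml
import QtQuick 2.2

Item {
    id: root
    width: 200; height: 200

    // The item that is destroyed before the callback runs.
    Rectangle {
        id: target
        width: 50; height: 50
        color: "red"
    }

    // Callback that refers to the item through its id after it may be gone.
    function useTarget() {
        // Once target.destroy() has run, the id resolves to null, so check
        // for that instead of assuming the object is still alive.
        if (target === null) {
            console.log("target already destroyed; skipping")
            return
        }
        console.log("target width:", target.width)
    }

    // First timer (fires once): destroy the item.
    Timer {
        interval: 500; running: true
        onTriggered: target.destroy()
    }

    // Second timer (fires once, later): invoke the callback that names the
    // destroyed item by id. Without the null check above this would be a
    // reference to a dead object; with it, the call degrades to a log line.
    Timer {
        interval: 1000; running: true
        onTriggered: root.useTarget()
    }
}
```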

            People

            Assignee: shausman Simon Hausmann
            Reporter: spencer.schumann Spencer Schumann
            Votes: 0
            Watchers: 3

                Gerrit Reviews

                There are no open Gerrit changes