Qt / QTBUG-50551

Views cache and share, in QCommonStylePrivate, a copy of a QStringLiteral that may go out of existence. A crash follows.


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: P4: Low
    • Fix Version/s: None
    • Affects Version/s: 5.6.0 Alpha
    • Component/s: Core: Other
    • Labels: None
    • Environment: My Qt 5 is a static build of revision v5.6.0-alpha1-26-g4aabf3e,
      x86 build.

      Windows 7, Windows 10 (x64)

    Description

      The crash occurs in QCommonStyle::subElementRect:

          case SE_ItemViewItemDecoration:
          case SE_ItemViewItemText:
          case SE_ItemViewItemFocusRect:
              if (const QStyleOptionViewItem *vopt = ...) {
                  if (!d->isViewItemCached(*vopt)) {
                      d->viewItemLayout(...);
                      if (d->cachedOption) {
      >>>>                delete d->cachedOption;
                          d->cachedOption = 0;
                      }
                      d->cachedOption = new QStyleOptionViewItem(*vopt);
                  }
      

      with this call stack:

        QArrayData::deallocate
        QTypedArrayData<unsigned short>::deallocate(QArrayData * data)
        QString::~QString() Line 1070
        QStyleOptionViewItem::~QStyleOptionViewItem()
        QStyleOptionViewItem::`scalar deleting destructor'(unsigned int)
      > QCommonStyle::subElementRect(QStyle::SubElement sr, const QStyleOption * opt, const QWidget * widget) Line 2993
        QWindowsStyle::subElementRect
        QWindowsVistaStyle::subElementRect
        QCommonStyle::drawControl
        QWindowsStyle::drawControl
        QWindowsVistaStyle::drawControl
        QStyledItemDelegate::paint
        QTableViewPrivate::drawCell
        QTableView::paintEvent
        ...
      

      How this occurs:
      I have a QTableView with a custom model that uses a memory-mapped file filled with lots of QStringData. These QStringData are set up using the technique presented in http://woboq.com/blog/qstringliteral.html, for example.

      The problem is when the storage goes away (the widget is closed), because there may be copies of those strings, and indeed there are.

      One of the copies is in the QCommonStylePrivate::cachedOption::text field. I suspect these style classes use some form of sharing, so when I close the widget, the copy of the QString survives the storage, and then when a new QTableView opens, it tries to reuse the style and on the first use it destroys the old content of the .text field and the crash follows.

      The test program demonstrates exactly that:
      1) creates a QTreeView
      2) creates a QTableView with string literals in the storage
      3) destroys the QTableView and unmaps the storage from the address space
      4) move the mouse over the QTreeView
      5) observe the crash

      The program is not multiplatform (yet), sorry for that. You need CMake and Windows in order to build and run it.
      If necessary I can try to make it work under Linux.
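As an added example that is not part of this report and not Qt's code, the following C++ models the sharing described above without Qt: a minimal refcounted string whose ref == -1 stands for QStringLiteral's static data, a stand-in for the reporter's memory-mapped file (an anonymous mmap, which is an assumption; the reporter maps a real file), and a cache entry playing the role of cachedOption->text. The names StringData, MiniString, MappedStorage, CachedOption and runScenario are all invented for the example. It shows that a plain copy of such a string still points into the mapping and pins nothing, so its destructor reads freed memory once the mapping is gone, and that a deep copy made before caching is what survives the unmap.

```cpp
// Added example (not Qt code): a minimal model of QStringData sharing. ref == -1 plays the
// role of QStringLiteral's static data: copies share the pointer and never touch the count,
// so nothing keeps the backing memory alive once its owner unmaps it.
#include <sys/mman.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>

struct StringData {
    int ref;    // -1: static, never counted or freed; >= 1: heap, refcounted
    int size;   // UTF-16 code units; payload follows the header
    char16_t* chars() { return reinterpret_cast<char16_t*>(this + 1); }
    const char16_t* chars() const { return reinterpret_cast<const char16_t*>(this + 1); }
};

class MiniString {
public:
    explicit MiniString(StringData* d) : d_(d) { ref(); }
    MiniString(const MiniString& o) : d_(o.d_) { ref(); }
    MiniString& operator=(const MiniString&) = delete;
    ~MiniString() { deref(); }

    static MiniString fromUtf16(const char16_t* s, int n) {
        auto* d = static_cast<StringData*>(std::malloc(sizeof(StringData) + n * sizeof(char16_t)));
        if (!d) throw std::bad_alloc();
        d->ref = 1; d->size = n;
        std::memcpy(d->chars(), s, n * sizeof(char16_t));
        return MiniString(d, Adopt{});
    }
    // Deep copy into owned heap data: what must happen before a copy of static data is
    // stored anywhere that may outlive the storage.
    MiniString detached() const { return fromUtf16(d_->chars(), d_->size); }
    bool isStatic() const { return d_->ref == -1; }
    const StringData* data() const { return d_; }
    bool equals(const char16_t* s, int n) const {
        return d_->size == n && std::memcmp(d_->chars(), s, n * sizeof(char16_t)) == 0;
    }
private:
    struct Adopt {};
    MiniString(StringData* d, Adopt) : d_(d) {}
    // As in QString, both paths read d_->ref first; when d_ points into unmapped memory
    // that read is the fault in the report's call stack.
    void ref()   { if (d_->ref != -1) ++d_->ref; }
    void deref() { if (d_->ref == -1) return; if (--d_->ref == 0) std::free(d_); }
    StringData* d_;
};

// Hypothetical stand-in for the reporter's memory-mapped file: an anonymous mapping holding
// one StringData with ref == -1, the layout the woboq technique emits at build time.
struct MappedStorage {
    void* base = nullptr;
    size_t len = 4096;
    StringData* put(const char16_t* s, int n) {
        base = mmap(nullptr, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (base == MAP_FAILED) { std::perror("mmap"); std::exit(1); }
        auto* d = static_cast<StringData*>(base);
        d->ref = -1; d->size = n;
        std::memcpy(d->chars(), s, n * sizeof(char16_t));
        return d;
    }
    void unmap() { munmap(base, len); }
    bool contains(const void* p) const {   // address comparison only, never dereferences p
        auto a = reinterpret_cast<uintptr_t>(p), b = reinterpret_cast<uintptr_t>(base);
        return a >= b && a < b + len;
    }
};

struct CachedOption { MiniString text; };   // stands in for cachedOption->text

struct Outcome {
    bool shallowAliasesStorage;  // the plain copy still points into the mapping
    bool shallowRefStillStatic;  // copying pinned nothing: ref stayed -1
    bool detachedSurvivesUnmap;  // the deep copy reads correctly after munmap
};

Outcome runScenario() {
    static const char16_t text[] = u"row 0, column 0";   // constructed sample cell text
    const int n = int(sizeof(text) / sizeof(text[0])) - 1;
    MappedStorage storage;
    CachedOption* unsafeCache;
    CachedOption* safeCache;
    {
        MiniString model(storage.put(text, n));                 // what the model hands to the view
        unsafeCache = new CachedOption{model};                  // plain copy, as the style does
        safeCache = new CachedOption{model.isStatic() ? model.detached() : model};
    }   // 'model' is released while its storage is still mapped

    Outcome o{};
    o.shallowAliasesStorage = storage.contains(unsafeCache->text.data());
    o.shallowRefStillStatic = unsafeCache->text.isStatic();
    storage.unmap();                                            // widget closed, file unmapped
    o.detachedSurvivesUnmap = safeCache->text.equals(text, n);
    delete safeCache;
    // Deleting unsafeCache now would read ref from unmapped memory, which is the reported
    // crash; it is deliberately leaked so the example terminates normally.
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("aliases storage: %d, still static: %d, detached copy survives: %d\n",
                o.shallowAliasesStorage, o.shallowRefStillStatic, o.detachedSurvivesUnmap);
}
```

The point of the two cache entries is the lifetime rule the report runs into: a refcount of -1 means "nobody owns this", so a copy held by any longer-lived object (a style's cache, a delegate, a clipboard) is only valid while the original storage is mapped. On the Qt side a string built from the raw characters (for example with QString::fromUtf16) owns its data, whereas a copy of the literal does not; which side should detach is the question this report raises.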

      Attachments

        1. mmapedqstringdata.zip (12 kB, mojmir svoboda)
        2. repro_case.zip (11 kB, mojmir svoboda)

          People

            thiago Thiago Macieira
            mojmir mojmir svoboda

          Gerrit Reviews

            There are no open Gerrit changes