Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-61781

Crash when accessing a QML singleton from anonymous function

    XMLWordPrintable

Details

    Description

      Consider the following QML singleton declared in module "constants":

      Sing.qml
      pragma Singleton
      
      import QtQuick 2.4
      
      QtObject {
          readonly property string song: "Highway to Hell"
      }
      

      We have a QML component that returns 2 callbacks:

      Page.qml
      import QtQuick 2.5
      
      import constants 1.0
      
      Item {
          id: root
      
          function crash() {
              return function() {
                  return Sing.song;
              }
          }
      
          function work() {
              var s = Sing;
              return function() {
                  return s.song;
              }
          }
      }
      

      These callbacks can also be properties, with the same result.

      Page.qml is loaded from Test.qml as follows:

      Test.qml
      import QtQuick 2.5
      
      import constants 1.0
      
      Rectangle {
          color: "white"
          width: 400
          height: 400
      
          Timer {
              id: _timer
              interval: 1000
              repeat: true
              triggeredOnStart: true
          }
      
          Loader {
              id: ldr
              source: "Page.qml"
              active: false
              onLoaded: {
                  var item = ldr.item;
      //            var work = item.work();
                  var crash = item.crash();
                  _timer.triggered.connect(function() {
      //                console.warn("work:  ", item, work());
                      console.warn("crash: ", item, crash());
                      ldr.active = false;
                  });
                  _timer.start();
              }
          }
      
          Component.onCompleted: {
              console.warn(Sing.song);
              ldr.active = true;
          }
      }
      

      This code causes the application to crash with segmentation fault on the second invocation of the callback, when the Page is destroyed:

      % qmlscene -I . Test.qml
      
      qml: Highway to Hell
      qml: crash:  Page_QMLTYPE_1(0x1795750) Highway to Hell
      zsh: segmentation fault qmlscene -I . Test.qml
      

      If I uncomment "work" callback and comment "crash", the application works and the output is this:

      % qmlscene -I . Test.qml
      
      qml: Highway to Hell
      qml: work:    Page_QMLTYPE_1(0x2e99bb0) Highway to Hell
      qml: work:    TypeError: Type error Highway to Hell
      qml: work:    TypeError: Type error Highway to Hell
      qml: work:    TypeError: Type error Highway to Hell
      ...
      

      I have 5.6.2 compiled from sources, this is the backtrace:

      #0  0x00007ffff701e700 in QV4::ExecutionEngine::qmlSingletonWrapper (this=0x7e4430, name=0x7fffe2d38450) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4engine.cpp:721
      #1  0x00007ffff70fc4e6 in QV4::Runtime::getQmlSingleton (engine=0x7e4430, nameIndex=6) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1471
      #2  0x00007ffff7fc9992 in ?? ()
      #3  0x00007ffff7ecfe70 in ?? ()
      #4  0x00007ffff7ecfe70 in ?? ()
      #5  0x00007fffe2d383e8 in ?? ()
      #6  0xd1e1af7c21137e00 in ?? ()
      #7  0x00007fffffffcb50 in ?? ()
      #8  0x00007ffff7025526 in QV4::FunctionObject::function (this=0x7fffe2d383e8) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:134
      #9  0x00007ffff70671fc in QV4::SimpleScriptFunction::call (that=0x7ffff7e2e080, callData=0x7fffe2d383a8) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:576
      #10 0x00007ffff6f99b34 in QV4::Object::call (this=0x7ffff7e2e080, d=0x7fffe2d383a8) at ../../include/QtQml/5.6.2/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4object_p.h:326
      #11 0x00007ffff70fa697 in QV4::Runtime::callValue (engine=0x7e4430, func=..., callData=0x7fffe2d383a8) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1034
      #12 0x00007ffff7fc96d7 in ?? ()
      #13 0x00007ffff7ecfed0 in ?? ()
      #14 0x00007ffff7ecfed0 in ?? ()
      #15 0x00007fffe2d38360 in ?? ()
      #16 0xd1e1af7c21137e00 in ?? ()
      #17 0x00007fffffffcd60 in ?? ()
      #18 0x00007ffff7025526 in QV4::FunctionObject::function (this=0xa348f0) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:134
      #19 0x00007ffff70671fc in QV4::SimpleScriptFunction::call (that=0x7fffe2d38318, callData=0x7fffe2d38320) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:576
      #20 0x00007ffff6f99b34 in QV4::Object::call (this=0x7fffe2d38318, d=0x7fffe2d38320) at ../../include/QtQml/5.6.2/QtQml/private/../../../../../../qtdeclarative/src/qml/jsruntime/qv4object_p.h:326
      #21 0x00007ffff70dbbd9 in QV4::QObjectSlotDispatcher::impl (which=1, this_=0xa348f0, r=0x966b60, metaArgs=0x7fffffffd080, ret=0x0) at /home/ABusenius/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:813
      #22 0x00007ffff559cbfe in QMetaObject::activate(QObject*, int, int, void**) () from /home/abusenius/qt/5.6/gcc_64/bin/../lib/libQt5Core.so.5
      #23 0x00007ffff724876d in QQmlTimer::triggered (this=0x966b60) at .moc/moc_qqmltimer_p.cpp:260
      

      Attachments

        Issue Links

          For Gerrit Dashboard: QTBUG-61781
          # Subject Branch Project Status CR V

          Activity

            People

              shausman Simon Hausmann
              alexbusenius Alex Busenius
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes