
QML ListView crashes when model removes rows and changes data afterwards


Details

    • Linux/X11
    • 75ba1ce9114e320cccfbc0c14dd32675ce2e598

    Description

      A QAbstractListModel that removes some rows and then changes the data of the remaining rows eventually causes ListView to crash.

          // Reproducer for this report: collapse a 20-row model to 2 rows, then
          // rewrite the two surviving rows and announce that change. This
          // remove-then-dataChanged sequence is where the backtrace and valgrind
          // log below originate (frame #10, mymodel.h:46, is the dataChanged emit).
          // NOTE(review): the hard-coded range 2..19 presumes rows_ currently holds
          // exactly 20 entries; a second call on the already-shrunk model would
          // announce a remove range it no longer has — confirm how the attached
          // QML drives this method.
          Q_INVOKABLE void a_crash()
          {
              // Rows 2..19 (inclusive) are removed; rows_ is shrunk to match,
              // presumably so rowCount() agrees with what the view was told.
              beginRemoveRows(QModelIndex(),  2 , 19 );
              rows_.resize( 2 );
              endRemoveRows();
      
              // Change both remaining rows and notify the view with a single
              // dataChanged(topLeft, bottomRight). Per the valgrind output in this
              // report, the delegate model's notify() then reads a delegate item
              // that the view had already freed while applying the preceding
              // remove (use-after-free), which is the crash being reported.
              rows_[ 0 ] =  "0 1 2 3 4 5 6 7 8 9" ;
              rows_[ 1 ] =  "10 11 12 13 14 15 16 17 18 19" ;
              emit dataChanged(createIndex(0, 0), createIndex( 1 , 0));
          }
      

      Steps to reproduce:

      1. Run attached example
      2. Wait, and it should crash within a minute

      The following is a backtrace from a crash, followed by valgrind output. It doesn't crash under valgrind, but valgrind reports a use-after-free (invalid read of freed memory) at the same location.

      (gdb) bt
      #0  0x00007ffff611a0f5 in QMetaObject::activate (sender=sender@entry=0x5555570cc5b0, signal_index=6, argv=argv@entry=0x0) at kernel/qobject.cpp:3817
      #1  0x00007ffff6a21f22 in VDMModelDelegateDataType::notify (this=<optimized out>, items=..., index=<optimized out>, count=<optimized out>, roles=...) at util/qqmladaptormodel.cpp:179
      #2  0x00007ffff6c4c56a in QQmlAdaptorModel::notify (roles=..., count=2, index=0, items=..., this=<optimized out>) at ../../include/QtQml/5.11.1/QtQml/private/../../../../../src/qml/util/qqmladaptormodel_p.h:136
      #3  QQmlDelegateModel::_q_itemsChanged (this=<optimized out>, index=0, count=2, roles=...) at types/qqmldelegatemodel.cpp:1168
      #4  0x00007ffff6c4c67a in QQmlDelegateModel::_q_dataChanged (this=<optimized out>, begin=..., end=..., roles=...) at types/qqmldelegatemodel.cpp:1592
      #5  0x00007ffff6c523c4 in QQmlDelegateModel::qt_static_metacall (_o=_o@entry=0x555555813680, _c=_c@entry=QMetaObject::InvokeMetaMethod, _id=_id@entry=12, _a=_a@entry=0x7fffffffd490) at .moc/moc_qqmldelegatemodel_p.cpp:202
      #6  0x00007ffff6c52918 in QQmlDelegateModel::qt_metacall (this=0x555555813680, _c=QMetaObject::InvokeMetaMethod, _id=12, _a=0x7fffffffd490) at .moc/moc_qqmldelegatemodel_p.cpp:330
      #7  0x00007ffff6119934 in QMetaObject::activate (sender=0x55555596b7e0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fffffffd490) at kernel/qobject.cpp:3786
      #8  0x00007ffff611a0d7 in QMetaObject::activate (sender=<optimized out>, m=m@entry=0x7ffff65d8520 <QAbstractItemModel::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fffffffd490)
          at kernel/qobject.cpp:3633
      #9  0x00007ffff609f65c in QAbstractItemModel::dataChanged (this=<optimized out>, _t1=..., _t2=..., _t3=...) at .moc/moc_qabstractitemmodel.cpp:552
      #10 0x000055555555a81c in MyModel::a_crash (this=0x55555596b7e0) at ../QmlListViewCrash/mymodel.h:46
      #11 0x000055555555a457 in MyModel::qt_static_metacall (_o=0x55555596b7e0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffd700) at moc_mymodel.cpp:77
      #12 0x000055555555a56c in MyModel::qt_metacall (this=0x55555596b7e0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffd700) at moc_mymodel.cpp:112
      #13 0x00007ffff6bc0389 in QQmlObjectOrGadget::metacall (this=this@entry=0x7fffffffda10, type=type@entry=QMetaObject::InvokeMetaMethod, index=index@entry=55, argv=argv@entry=0x7fffffffd700) at qml/qqmlpropertycache.cpp:1733
      #14 0x00007ffff6b2e87c in CallMethod (object=..., index=55, returnType=43, argCount=argCount@entry=0, argTypes=argTypes@entry=0x0, engine=engine@entry=0x5555557a0070, callArgs=0x7fffec3ab3d0, callType=QMetaObject::InvokeMetaMethod)
          at jsruntime/qv4qobjectwrapper.cpp:1193
      #15 0x00007ffff6b2f306 in CallPrecise (object=..., data=..., engine=engine@entry=0x5555557a0070, callArgs=callArgs@entry=0x7fffec3ab3d0, callType=callType@entry=QMetaObject::InvokeMetaMethod) at jsruntime/qv4qobjectwrapper.cpp:1441
      #16 0x00007ffff6b30066 in QV4::QObjectMethod::callInternal (this=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=0) at jsruntime/qv4qobjectwrapper.cpp:1975
      #17 0x00007ffff6b4afb0 in QV4::FunctionObject::call (argc=0, argv=0x7fffec3ab350, thisObject=0x7fffec3ab390, this=<optimized out>) at jsruntime/qv4functionobject_p.h:163
      #18 QV4::Runtime::method_callProperty (engine=0x5555557a0070, base=0x7fffec3ab390, nameIndex=<optimized out>, argv=0x7fffec3ab350, argc=0) at jsruntime/qv4runtime.cpp:1062
      #19 0x00007fffe439d14f in ?? ()
      #20 0x0000000000000000 in ?? ()
      

       
      Valgrind:

      ==13862== Invalid read of size 4
      ==13862==    at 0x5D4FEE8: VDMModelDelegateDataType::notify(QQmlAdaptorModel const&, QList<QQmlDelegateModelItem*> const&, int, int, QVector<int> const&) const (qqmladaptormodel.cpp:175)
      ==13862==    by 0x5F7A569: notify (qqmladaptormodel_p.h:136)
      ==13862==    by 0x5F7A569: QQmlDelegateModel::_q_itemsChanged(int, int, QVector<int> const&) (qqmldelegatemodel.cpp:1168)
      ==13862==    by 0x5F803C3: QQmlDelegateModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_qqmldelegatemodel_p.cpp:202)
      ==13862==    by 0x5F80917: QQmlDelegateModel::qt_metacall(QMetaObject::Call, int, void**) (moc_qqmldelegatemodel_p.cpp:330)
      ==13862==    by 0x68C0933: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3786)
      ==13862==    by 0x684665B: QAbstractItemModel::dataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (moc_qabstractitemmodel.cpp:552)
      ==13862==    by 0x10E81B: MyModel::a_crash() (mymodel.h:46)
      ==13862==    by 0x10E456: MyModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_mymodel.cpp:77)
      ==13862==    by 0x10E56B: MyModel::qt_metacall(QMetaObject::Call, int, void**) (moc_mymodel.cpp:112)
      ==13862==    by 0x5EEE388: QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const (qqmlpropertycache.cpp:1733)
      ==13862==    by 0x5E5C87B: CallMethod(QQmlObjectOrGadget const&, int, int, int, int*, QV4::ExecutionEngine*, QV4::CallData*, QMetaObject::Call) (qv4qobjectwrapper.cpp:1193)
      ==13862==    by 0x5E5D305: CallPrecise(QQmlObjectOrGadget const&, QQmlPropertyData const&, QV4::ExecutionEngine*, QV4::CallData*, QMetaObject::Call) (qv4qobjectwrapper.cpp:1441)
      ==13862==  Address 0x16aaafcc is 92 bytes inside a block of size 112 free'd
      ==13862==    at 0x4C2E2BB: operator delete(void*) (vg_replace_malloc.c:576)
      ==13862==    by 0x5F7D16C: QQmlDelegateModelPrivate::release(QObject*) (qqmldelegatemodel.cpp:551)
      ==13862==    by 0x5F7D19C: QQmlDelegateModel::release(QObject*) (qqmldelegatemodel.cpp:567)
      ==13862==    by 0x51009B7: QQuickItemViewPrivate::releaseItem(FxViewItem*) (qquickitemview.cpp:2447)
      ==13862==    by 0x511249B: QQuickListViewPrivate::releaseItem(FxViewItem*) (qquicklistview.cpp:629)
      ==13862==    by 0x5102049: QQuickItemViewPrivate::applyModelChanges(QQuickItemViewPrivate::ChangeResult*, QQuickItemViewPrivate::ChangeResult*) (qquickitemview.cpp:2119)
      ==13862==    by 0x51026E2: QQuickItemViewPrivate::layout() (qquickitemview.cpp:1924)
      ==13862==    by 0x510C86F: QQuickListViewPrivate::updateHighlight() (qquicklistview.cpp:922)
      ==13862==    by 0x50FED57: QQuickItemViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) (qquickitemview.cpp:1241)
      ==13862==    by 0x5112632: QQuickListViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) (qquicklistview.cpp:1430)
      ==13862==    by 0x5016668: QQuickItem::geometryChanged(QRectF const&, QRectF const&) (qquickitem.cpp:3784)
      ==13862==    by 0x501D2FF: QQuickItem::setImplicitSize(double, double) (qquickitem.cpp:6846)
      ==13862==  Block was alloc'd at
      ==13862==    at 0x4C2D1FF: operator new(unsigned long) (vg_replace_malloc.c:334)
      ==13862==    by 0x5D5041F: VDMAbstractItemModelDataType::createItem(QQmlAdaptorModel&, QQmlDelegateModelItemMetaType*, int) const (qqmladaptormodel.cpp:529)
      ==13862==    by 0x5F7C225: createItem (qqmladaptormodel_p.h:127)
      ==13862==    by 0x5F7C225: QQmlDelegateModelPrivate::object(QQmlListCompositor::Group, int, QQmlIncubator::IncubationMode) (qqmldelegatemodel.cpp:949)
      ==13862==    by 0x5F7C671: QQmlDelegateModel::object(int, QQmlIncubator::IncubationMode) (qqmldelegatemodel.cpp:1039)
      ==13862==    by 0x5101474: QQuickItemViewPrivate::createItem(int, QQmlIncubator::IncubationMode) (qquickitemview.cpp:2360)
      ==13862==    by 0x51101A7: QQuickListViewPrivate::addVisibleItems(double, double, double, double, bool) (qquicklistview.cpp:683)
      ==13862==    by 0x51000C9: QQuickItemViewPrivate::refill(double, double) (qquickitemview.cpp:1831)
      ==13862==    by 0x5105ED7: QQuickItemView::componentComplete() (qquickitemview.cpp:1534)
      ==13862==    by 0x5F2FB49: QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) (qqmlobjectcreator.cpp:1359)
      ==13862==    by 0x5EA9D56: QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) (qqmlcomponent.cpp:924)
      ==13862==    by 0x5EA9E86: QQmlComponentPrivate::completeCreate() (qqmlcomponent.cpp:959)
      ==13862==    by 0x5EA9C69: QQmlComponent::create(QQmlContext*) (qqmlcomponent.cpp:779)
      

      Attachments



          People

            yulong.bai Bai Yulong
            netcatkate Sarah K