Bug
Resolution: Fixed
P1: Critical
5.10.1, 5.11.1
None
75ba1ce9114e320cccfbc0c14dd32675ce2e598
Description
A QAbstractListModel that removes some rows and then changes the remaining rows eventually causes ListView to crash.
// Minimal reproducer for the ListView crash: shrink the model to two rows
// and immediately report those surviving rows as changed. The valgrind
// trace below attributes the resulting invalid read in
// VDMModelDelegateDataType::notify() to a delegate item already freed by
// QQmlDelegateModelPrivate::release().
// Assumes rows_ holds at least 20 entries when called — confirm in the example.
Q_INVOKABLE void a_crash()
{
    const QModelIndex root{};

    // Drop rows 2..19 (inclusive) from the model and keep only the first two.
    beginRemoveRows(root, 2, 19);
    rows_.resize(2);
    endRemoveRows();

    // Rewrite the survivors, then announce rows 0..1 as changed.
    rows_[1] = "10 11 12 13 14 15 16 17 18 19";
    rows_[0] = "0 1 2 3 4 5 6 7 8 9";
    emit dataChanged(createIndex(0, 0), createIndex(1, 0));
}
Steps to reproduce:
- Run the attached example
- Wait; it should crash within a minute
The following is a backtrace from a crash, followed by valgrind output. Under valgrind it does not crash, but valgrind reports a use-after-free (an invalid read inside a block that was already freed).
(gdb) bt #0 0x00007ffff611a0f5 in QMetaObject::activate (sender=sender@entry=0x5555570cc5b0, signal_index=6, argv=argv@entry=0x0) at kernel/qobject.cpp:3817 #1 0x00007ffff6a21f22 in VDMModelDelegateDataType::notify (this=<optimized out>, items=..., index=<optimized out>, count=<optimized out>, roles=...) at util/qqmladaptormodel.cpp:179 #2 0x00007ffff6c4c56a in QQmlAdaptorModel::notify (roles=..., count=2, index=0, items=..., this=<optimized out>) at ../../include/QtQml/5.11.1/QtQml/private/../../../../../src/qml/util/qqmladaptormodel_p.h:136 #3 QQmlDelegateModel::_q_itemsChanged (this=<optimized out>, index=0, count=2, roles=...) at types/qqmldelegatemodel.cpp:1168 #4 0x00007ffff6c4c67a in QQmlDelegateModel::_q_dataChanged (this=<optimized out>, begin=..., end=..., roles=...) at types/qqmldelegatemodel.cpp:1592 #5 0x00007ffff6c523c4 in QQmlDelegateModel::qt_static_metacall (_o=_o@entry=0x555555813680, _c=_c@entry=QMetaObject::InvokeMetaMethod, _id=_id@entry=12, _a=_a@entry=0x7fffffffd490) at .moc/moc_qqmldelegatemodel_p.cpp:202 #6 0x00007ffff6c52918 in QQmlDelegateModel::qt_metacall (this=0x555555813680, _c=QMetaObject::InvokeMetaMethod, _id=12, _a=0x7fffffffd490) at .moc/moc_qqmldelegatemodel_p.cpp:330 #7 0x00007ffff6119934 in QMetaObject::activate (sender=0x55555596b7e0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fffffffd490) at kernel/qobject.cpp:3786 #8 0x00007ffff611a0d7 in QMetaObject::activate (sender=<optimized out>, m=m@entry=0x7ffff65d8520 <QAbstractItemModel::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7fffffffd490) at kernel/qobject.cpp:3633 #9 0x00007ffff609f65c in QAbstractItemModel::dataChanged (this=<optimized out>, _t1=..., _t2=..., _t3=...) 
at .moc/moc_qabstractitemmodel.cpp:552 #10 0x000055555555a81c in MyModel::a_crash (this=0x55555596b7e0) at ../QmlListViewCrash/mymodel.h:46 #11 0x000055555555a457 in MyModel::qt_static_metacall (_o=0x55555596b7e0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffd700) at moc_mymodel.cpp:77 #12 0x000055555555a56c in MyModel::qt_metacall (this=0x55555596b7e0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffd700) at moc_mymodel.cpp:112 #13 0x00007ffff6bc0389 in QQmlObjectOrGadget::metacall (this=this@entry=0x7fffffffda10, type=type@entry=QMetaObject::InvokeMetaMethod, index=index@entry=55, argv=argv@entry=0x7fffffffd700) at qml/qqmlpropertycache.cpp:1733 #14 0x00007ffff6b2e87c in CallMethod (object=..., index=55, returnType=43, argCount=argCount@entry=0, argTypes=argTypes@entry=0x0, engine=engine@entry=0x5555557a0070, callArgs=0x7fffec3ab3d0, callType=QMetaObject::InvokeMetaMethod) at jsruntime/qv4qobjectwrapper.cpp:1193 #15 0x00007ffff6b2f306 in CallPrecise (object=..., data=..., engine=engine@entry=0x5555557a0070, callArgs=callArgs@entry=0x7fffec3ab3d0, callType=callType@entry=QMetaObject::InvokeMetaMethod) at jsruntime/qv4qobjectwrapper.cpp:1441 #16 0x00007ffff6b30066 in QV4::QObjectMethod::callInternal (this=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=0) at jsruntime/qv4qobjectwrapper.cpp:1975 #17 0x00007ffff6b4afb0 in QV4::FunctionObject::call (argc=0, argv=0x7fffec3ab350, thisObject=0x7fffec3ab390, this=<optimized out>) at jsruntime/qv4functionobject_p.h:163 #18 QV4::Runtime::method_callProperty (engine=0x5555557a0070, base=0x7fffec3ab390, nameIndex=<optimized out>, argv=0x7fffec3ab350, argc=0) at jsruntime/qv4runtime.cpp:1062 #19 0x00007fffe439d14f in ?? () #20 0x0000000000000000 in ?? ()
Valgrind:
==13862== Invalid read of size 4 ==13862== at 0x5D4FEE8: VDMModelDelegateDataType::notify(QQmlAdaptorModel const&, QList<QQmlDelegateModelItem*> const&, int, int, QVector<int> const&) const (qqmladaptormodel.cpp:175) ==13862== by 0x5F7A569: notify (qqmladaptormodel_p.h:136) ==13862== by 0x5F7A569: QQmlDelegateModel::_q_itemsChanged(int, int, QVector<int> const&) (qqmldelegatemodel.cpp:1168) ==13862== by 0x5F803C3: QQmlDelegateModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_qqmldelegatemodel_p.cpp:202) ==13862== by 0x5F80917: QQmlDelegateModel::qt_metacall(QMetaObject::Call, int, void**) (moc_qqmldelegatemodel_p.cpp:330) ==13862== by 0x68C0933: QMetaObject::activate(QObject*, int, int, void**) (qobject.cpp:3786) ==13862== by 0x684665B: QAbstractItemModel::dataChanged(QModelIndex const&, QModelIndex const&, QVector<int> const&) (moc_qabstractitemmodel.cpp:552) ==13862== by 0x10E81B: MyModel::a_crash() (mymodel.h:46) ==13862== by 0x10E456: MyModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_mymodel.cpp:77) ==13862== by 0x10E56B: MyModel::qt_metacall(QMetaObject::Call, int, void**) (moc_mymodel.cpp:112) ==13862== by 0x5EEE388: QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const (qqmlpropertycache.cpp:1733) ==13862== by 0x5E5C87B: CallMethod(QQmlObjectOrGadget const&, int, int, int, int*, QV4::ExecutionEngine*, QV4::CallData*, QMetaObject::Call) (qv4qobjectwrapper.cpp:1193) ==13862== by 0x5E5D305: CallPrecise(QQmlObjectOrGadget const&, QQmlPropertyData const&, QV4::ExecutionEngine*, QV4::CallData*, QMetaObject::Call) (qv4qobjectwrapper.cpp:1441) ==13862== Address 0x16aaafcc is 92 bytes inside a block of size 112 free'd ==13862== at 0x4C2E2BB: operator delete(void*) (vg_replace_malloc.c:576) ==13862== by 0x5F7D16C: QQmlDelegateModelPrivate::release(QObject*) (qqmldelegatemodel.cpp:551) ==13862== by 0x5F7D19C: QQmlDelegateModel::release(QObject*) (qqmldelegatemodel.cpp:567) ==13862== by 0x51009B7: 
QQuickItemViewPrivate::releaseItem(FxViewItem*) (qquickitemview.cpp:2447) ==13862== by 0x511249B: QQuickListViewPrivate::releaseItem(FxViewItem*) (qquicklistview.cpp:629) ==13862== by 0x5102049: QQuickItemViewPrivate::applyModelChanges(QQuickItemViewPrivate::ChangeResult*, QQuickItemViewPrivate::ChangeResult*) (qquickitemview.cpp:2119) ==13862== by 0x51026E2: QQuickItemViewPrivate::layout() (qquickitemview.cpp:1924) ==13862== by 0x510C86F: QQuickListViewPrivate::updateHighlight() (qquicklistview.cpp:922) ==13862== by 0x50FED57: QQuickItemViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) (qquickitemview.cpp:1241) ==13862== by 0x5112632: QQuickListViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) (qquicklistview.cpp:1430) ==13862== by 0x5016668: QQuickItem::geometryChanged(QRectF const&, QRectF const&) (qquickitem.cpp:3784) ==13862== by 0x501D2FF: QQuickItem::setImplicitSize(double, double) (qquickitem.cpp:6846) ==13862== Block was alloc'd at ==13862== at 0x4C2D1FF: operator new(unsigned long) (vg_replace_malloc.c:334) ==13862== by 0x5D5041F: VDMAbstractItemModelDataType::createItem(QQmlAdaptorModel&, QQmlDelegateModelItemMetaType*, int) const (qqmladaptormodel.cpp:529) ==13862== by 0x5F7C225: createItem (qqmladaptormodel_p.h:127) ==13862== by 0x5F7C225: QQmlDelegateModelPrivate::object(QQmlListCompositor::Group, int, QQmlIncubator::IncubationMode) (qqmldelegatemodel.cpp:949) ==13862== by 0x5F7C671: QQmlDelegateModel::object(int, QQmlIncubator::IncubationMode) (qqmldelegatemodel.cpp:1039) ==13862== by 0x5101474: QQuickItemViewPrivate::createItem(int, QQmlIncubator::IncubationMode) (qquickitemview.cpp:2360) ==13862== by 0x51101A7: QQuickListViewPrivate::addVisibleItems(double, double, double, double, bool) (qquicklistview.cpp:683) ==13862== by 0x51000C9: QQuickItemViewPrivate::refill(double, double) (qquickitemview.cpp:1831) ==13862== by 0x5105ED7: QQuickItemView::componentComplete() 
(qquickitemview.cpp:1534) ==13862== by 0x5F2FB49: QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) (qqmlobjectcreator.cpp:1359) ==13862== by 0x5EA9D56: QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) (qqmlcomponent.cpp:924) ==13862== by 0x5EA9E86: QQmlComponentPrivate::completeCreate() (qqmlcomponent.cpp:959) ==13862== by 0x5EA9C69: QQmlComponent::create(QQmlContext*) (qqmlcomponent.cpp:779)