Details
-
Bug
-
Resolution: Done
-
P2: Important
-
5.9.7, 5.11, 5.12
-
None
-
1aa4eab4a68e19702b5b3ab9b831efdc35266e66 (qt/qtdeclarative/5.13)
Description
Found here.
// Minimal reproducer for a heap-use-after-free reported by AddressSanitizer
// at application exit. A ListView displays an ObjectModel whose items are
// created at runtime from a Component rather than declared inline.
import QtQuick 2.9
import QtQuick.Window 2.2
import QtQml.Models 2.2

Window {
    id: window
    width: 800
    height: 600
    visible: true

    // Number of rectangles to create, and the colour given to each one.
    readonly property int rectCount: 3
    property var rectColors: ["red", "green", "blue"]

    ObjectModel {
        id: objectModel

        // Crashes on exit.
        // Each Rectangle is created with a null parent and then appended to
        // the model, so nothing in the Window's object tree owns it.
        // NOTE(review): in the ASan report these Rectangles are destroyed from
        // QV4::MemoryManager::sweep() inside ~QQmlEngine, after the ListView
        // was already deleted together with the Window; ~QQuickItem then reads
        // memory that was allocated in the QQuickListView constructor and freed
        // by ~QQuickListViewPrivate. Presumably the parentless items are owned
        // by the JS engine and therefore outlive the view - confirm.
        Component.onCompleted: {
            for (var i = 0; i < window.rectCount; i++) {
                // First argument is the parent (null here); the second sets
                // the initial "color" property of the new Rectangle.
                var outerRect = rectComponent.createObject(null, { "color": window.rectColors[i] });
                objectModel.append(outerRect);
            }
        }

        // Doesn't crash.
        // The same three rectangles declared directly as children of the
        // ObjectModel instead of being created from JavaScript.
        // Rectangle {
        //     height: 500
        //     width: listView.width
        //     color: "red"
        //     opacity: 0.2
        // }
        // Rectangle {
        //     height: 500
        //     width: listView.width
        //     color: "green"
        //     opacity: 0.2
        // }
        // Rectangle {
        //     height: 500
        //     width: listView.width
        //     color: "blue"
        //     opacity: 0.2
        // }
    }

    // The view under test; it takes its items from objectModel.
    ListView {
        id: listView
        height: parent.height / 2
        width: parent.width / 2
        model: objectModel
        // Logs every change of the item count (the run log shows 0, then 3).
        onCountChanged: console.log("count: " + count)
    }

    // Template for the dynamically created items. The width is bound to
    // listView.width, so each item references the ListView.
    Component {
        id: rectComponent
        Rectangle {
            height: 500
            width: listView.width
            opacity: 0.2
        }
    }
}
12:06:42: Starting /Users/mitch/Downloads/ListViewObjectModelTest-qt5_12_fw-Debug/ListViewObjectModelTest.app/Contents/MacOS/ListViewObjectModelTest... QML debugging is enabled. Only use this in a safe environment. qml: count: 0 qml: count: 3 ================================================================= ==94081==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0000b41c0 at pc 0x000105d5d622 bp 0x7ffeea3afa90 sp 0x7ffeea3afa88 READ of size 8 at 0x61d0000b41c0 thread T0 #0 0x105d5d621 in QQuickItem::~QQuickItem() qquickitem.cpp:2400 #1 0x105def804 in QQuickRectangle::~QQuickRectangle() qquickrectangle_p.h:156 #2 0x105f00c24 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() qqmlprivate.h:103 #3 0x105f00af4 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() qqmlprivate.h:101 #4 0x105f00b18 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() qqmlprivate.h:101 #5 0x1094b0f7b in QV4::QObjectWrapper::destroyObject(bool) qv4qobjectwrapper.cpp:1107 #6 0x108fa29e9 in QV4::MemoryManager::sweep(bool, void (*)(char const*)) qv4mm.cpp:976 #7 0x108fa7cab in QV4::MemoryManager::~MemoryManager() qv4mm.cpp:1225 #8 0x108fa87d4 in QV4::MemoryManager::~MemoryManager() qv4mm.cpp:1220 #9 0x10981cc49 in QV4::ExecutionEngine::~ExecutionEngine() qv4engine.cpp:653 #10 0x10981d5f4 in QV4::ExecutionEngine::~ExecutionEngine() qv4engine.cpp:648 #11 0x10929c933 in QJSEngine::~QJSEngine() qjsengine.cpp:378 #12 0x1099624e1 in QQmlEngine::~QQmlEngine() qqmlengine.cpp:1091 #13 0x109bc5cf2 in QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:246 #14 0x109bc5d14 in QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:242 #15 0x10585287a in main main.cpp:16 #16 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084) 0x61d0000b41c0 is located 320 bytes inside of 2032-byte region [0x61d0000b4080,0x61d0000b4870) freed by thread T0 here: #0 0x10d0c8582 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x63582) 
#1 0x106272a21 in QQuickListViewPrivate::~QQuickListViewPrivate() qquicklistview.cpp:186 #2 0x10bfa5ece in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) qscopedpointer.h:60 #3 0x10bfa5e0f in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() qscopedpointer.h:107 #4 0x10bf742e4 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() qscopedpointer.h:105 #5 0x10bf76e34 in QObject::~QObject() qobject.cpp:1033 #6 0x105d5e10d in QQuickItem::~QQuickItem() qquickitem.cpp:2443 #7 0x1060dc9a4 in QQuickFlickable::~QQuickFlickable() qquickflickable.cpp:751 #8 0x1061f872b in QQuickItemView::~QQuickItemView() qquickitemview.cpp:170 #9 0x106264694 in QQuickListView::~QQuickListView() qquicklistview.cpp:1911 #10 0x105eedd74 in QQmlPrivate::QQmlElement<QQuickListView>::~QQmlElement() qqmlprivate.h:103 #11 0x105eedc44 in QQmlPrivate::QQmlElement<QQuickListView>::~QQmlElement() qqmlprivate.h:101 #12 0x105eedc68 in QQmlPrivate::QQmlElement<QQuickListView>::~QQmlElement() qqmlprivate.h:101 #13 0x10bf77885 in QObjectPrivate::deleteChildren() qobject.cpp:1995 #14 0x10bf76cf2 in QObject::~QObject() qobject.cpp:1021 #15 0x1071f16f0 in QWindow::~QWindow() qwindow.cpp:221 #16 0x105e0c0fd in QQuickWindow::~QQuickWindow() qquickwindow.cpp:1362 #17 0x10619cf4e in QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63 #18 0x1061a3f8d in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:103 #19 0x1061a3dd4 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101 #20 0x1061a3df8 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101 #21 0x109bc6ee4 in void qDeleteAll<QList<QObject*>::const_iterator>(QList<QObject*>::const_iterator, QList<QObject*>::const_iterator) qalgorithms.h:320 #22 0x109bc1ed6 in void qDeleteAll<QList<QObject*> >(QList<QObject*> const&) qalgorithms.h:328 #23 0x109bc1c8a in 
QQmlApplicationEnginePrivate::cleanUp() qqmlapplicationengine.cpp:64 #24 0x109bc5ce6 in QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:245 #25 0x109bc5d14 in QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:242 #26 0x10585287a in main main.cpp:16 #27 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084) previously allocated by thread T0 here: #0 0x10d0c7fa2 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x62fa2) #1 0x10626457d in QQuickListView::QQuickListView(QQuickItem*) qquicklistview.cpp:1905 #2 0x105eedb92 in QQmlPrivate::QQmlElement<QQuickListView>::QQmlElement() qqmlprivate.h:98 #3 0x105eedb64 in QQmlPrivate::QQmlElement<QQuickListView>::QQmlElement() qqmlprivate.h:98 #4 0x105eed164 in void QQmlPrivate::createInto<QQuickListView>(void*) qqmlprivate.h:115 #5 0x109a08a75 in QQmlType::create(QObject**, void**, unsigned long) const qqmlmetatype.cpp:1049 #6 0x109be7cf3 in QQmlObjectCreator::createInstance(int, QObject*, bool) qqmlobjectcreator.cpp:1163 #7 0x109bf2552 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) qqmlobjectcreator.cpp:825 #8 0x109bef4bf in QQmlObjectCreator::setupBindings(bool) qqmlobjectcreator.cpp:777 #9 0x109c00962 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) qqmlobjectcreator.cpp:1461 #10 0x109bea3b3 in QQmlObjectCreator::createInstance(int, QObject*, bool) qqmlobjectcreator.cpp:1299 #11 0x109be6473 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) qqmlobjectcreator.cpp:203 #12 0x1099c2695 in QQmlComponentPrivate::beginCreate(QQmlContextData*) qqmlcomponent.cpp:871 #13 0x1099c1e13 in QQmlComponent::beginCreate(QQmlContext*) qqmlcomponent.cpp:823 #14 0x1099c1c3b in QQmlComponent::create(QQmlContext*) qqmlcomponent.cpp:783 #15 0x109bc4199 in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) qqmlapplicationengine.cpp:134 #16 0x109bc3a8e in 
QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) qqmlapplicationengine.cpp:118 #17 0x109bc54bb in QQmlApplicationEngine::load(QUrl const&) qqmlapplicationengine.cpp:259 #18 0x105852743 in main main.cpp:11 #19 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084) SUMMARY: AddressSanitizer: heap-use-after-free qquickitem.cpp:2400 in QQuickItem::~QQuickItem() Shadow bytes around the buggy address: 0x1c3a000167e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c3a000167f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c3a00016800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c3a00016810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c3a00016820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x1c3a00016830: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd 0x1c3a00016840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c3a00016850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c3a00016860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c3a00016870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c3a00016880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==94081==ABORTING 12:06:47: The program has unexpectedly finished. 12:06:47: The process was ended forcefully. 12:06:47: /Users/mitch/Downloads/ListViewObjectModelTest-qt5_12_fw-Debug/ListViewObjectModelTest.app/Contents/MacOS/ListViewObjectModelTest crashed.