Qt / QTBUG-76425

Re-entrancy in QQmlDelegateModel leads to out-of-bounds access


Details

    • Linux/X11
    • 75ba1ce9114e320cccfbc0c14dd32675ce2e598e

    Description

      ruqola is a QML application with a ListView whose items change section by themselves over time. This sometimes leads to an out-of-bounds assert in VDMModelDelegateDataType::notify, which does the following:

      for (int i = 0, c = items.count(); i < c; ++i) {
          QQmlDelegateModelItem *item = items.at(i);
          ...
          // [some signal emission here]
      }

      What's happening is that some code connected to this signal removes an item, and later on `items.at(i)` goes out of bounds, because `items.count()` was cached in `c` before the loop and is never re-checked.

      I found out where `items` is modified while we're in this method; see the backtrace below.

      #5 0x00007f60ecaafb60 in QQmlDelegateModelPrivate::removeCacheItem (this=0x2750540, cacheItem=<optimized out>, cacheItem@entry=0x41cbe00) at qtdeclarative/src/qml/types/qqmldelegatemodel.cpp:938
      #6 0x00007f60ecab047d in QQmlDelegateModelItem::Dispose (this=this@entry=0x41cbe00) at qtdeclarative/src/qml/types/qqmldelegatemodel.cpp:2130
      #7 0x00007f60ecab0521 in QQmlDelegateModelPrivate::release (this=0x2750540, object=0x41d4c60) at qtdeclarative/src/qml/types/qqmldelegatemodel.cpp:605
      #8 0x00007f60ecab0535 in QQmlDelegateModel::release (this=<optimized out>, item=<optimized out>) at qtdeclarative/src/qml/types/qqmldelegatemodel.cpp:616
      #9 0x00007f60ed1855c1 in QQuickItemViewPrivate::releaseItem (this=this@entry=0x274e110, item=0x41e8e80) at qtdeclarative/src/quick/items/qquickitemview.cpp:2363
      #10 0x00007f60ed196d1d in QQuickListViewPrivate::releaseItem (this=0x274e110, item=<optimized out>) at qtdeclarative/src/quick/items/qquicklistview.cpp:642
      #11 0x00007f60ed194dcc in QQuickListViewPrivate::removeItem (this=this@entry=0x274e110, item=<optimized out>, item@entry=0x41e8e80) at qtdeclarative/src/quick/items/qquicklistview.cpp:737
      #12 0x00007f60ed195dda in QQuickListViewPrivate::removeNonVisibleItems (this=0x274e110, bufferFrom=-320, bufferTo=1030) at qtdeclarative/src/quick/items/qquicklistview.cpp:779
      #13 0x00007f60ed186c0e in QQuickItemViewPrivate::refill (this=this@entry=0x274e110, from=<optimized out>, to=<optimized out>) at qtdeclarative/src/quick/items/qquickitemview.cpp:1746
      #14 0x00007f60ed186e8b in QQuickItemViewPrivate::refill (this=this@entry=0x274e110) at qtdeclarative/src/quick/items/qquickitemview.cpp:1721
      #15 0x00007f60ed187deb in QQuickItemViewPrivate::layout (this=this@entry=0x274e110) at qtdeclarative/src/quick/items/qquickitemview.cpp:1859
      #16 0x00007f60ed1882a7 in QQuickItemViewPrivate::applyPendingChanges (this=this@entry=0x274e110) at qtdeclarative/src/quick/items/qquickitemview.cpp:972
      #17 0x00007f60ed1906da in QQuickListViewPrivate::updateHighlight (this=0x274e110) at qtdeclarative/src/quick/items/qquicklistview.cpp:938
      #18 0x00007f60ed183d6c in QQuickItemViewPrivate::itemGeometryChanged (this=this@entry=0x274e110, item=item@entry=0x403f900, change=..., oldGeometry=...) at qtdeclarative/src/quick/items/qquickitemview.cpp:1148
      #19 0x00007f60ed196eab in QQuickListViewPrivate::itemGeometryChanged (this=0x274e110, item=0x403f900, change=..., oldGeometry=...) at qtdeclarative/src/quick/items/qquicklistview.cpp:1446
      #20 0x00007f60ed085b81 in QQuickItem::geometryChanged (this=this@entry=0x403f900, newGeometry=..., oldGeometry=...) at qtdeclarative/src/quick/items/qquickitem.cpp:3798
      #21 0x00007f60d4b282c8 in QQuickControl::geometryChanged (this=0x403f900, newGeometry=..., oldGeometry=...) at /d/qt/5/kde/qtquickcontrols2/src/quicktemplates2/qquickcontrol.cpp:2180
      #22 0x00007f60ed07c357 in QQuickItem::setHeight (this=0x403f900, h=<optimized out>) at qtdeclarative/src/quick/items/qquickitem.cpp:6828
      #23 0x00007f60ed08d008 in QQuickItem::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=0x7ffe1f9bdc20) at .moc/moc_qquickitem.cpp:962
      #24 0x00007f60eca2fe89 in QQmlPropertyData::writeProperty (flags=..., value=0x7ffe1f9bdc18, target=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.13.0/QtQml/private/../../../../../../../qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:346
      #25 GenericBinding<6>::doStore<double> (flags=..., pd=<optimized out>, value=<optimized out>, this=0x4034d10) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:332
      #26 GenericBinding<6>::write (this=0x4034d10, result=..., isUndefined=<optimized out>, flags=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:305
      #27 0x00007f60eca30e7e in QQmlNonbindingBinding::doUpdate (this=0x4034d10, watcher=..., flags=..., scope=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
      #28 0x00007f60eca2da4f in QQmlBinding::update (this=0x4034d10, flags=..., flags@entry=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
      #29 0x00007f60eca2e89a in QQmlBinding::expressionChanged (this=<optimized out>) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:530
      #30 0x00007f60eca23def in QQmlJavaScriptExpressionGuard_callback (e=<optimized out>) at qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:414
      #31 0x00007f60eca01ad4 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=a@entry=0x0) at qtdeclarative/src/qml/qml/qqmlnotifier.cpp:104
      #32 0x00007f60ec9a30f9 in QQmlData::signalEmitted (object=0x403f900, index=18, a=0x0) at qtdeclarative/src/qml/qml/qqmlengine.cpp:887
      #33 0x00007f60e995bbba in QMetaObject::activate (sender=sender@entry=0x403f900, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=15, argv=argv@entry=0x0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3676
      #34 0x00007f60e995c429 in QMetaObject::activate (sender=sender@entry=0x403f900, m=m@entry=0x7f60ed553fe0 <QQuickItem::staticMetaObject>, local_signal_index=local_signal_index@entry=15, argv=argv@entry=0x0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3658
      #35 0x00007f60ed077d2c in QQuickItem::visibleChanged (this=this@entry=0x403f900) at .moc/moc_qquickitem.cpp:1160
      #36 0x00007f60ed085344 in QQuickItemPrivate::setEffectiveVisibleRecur (this=this@entry=0x403f9c0, newEffectiveVisible=true) at qtdeclarative/src/quick/items/qquickitem.cpp:6027
      #37 0x00007f60ed085474 in QQuickItemPrivate::setVisible (this=0x403f9c0, visible=<optimized out>) at qtdeclarative/src/quick/items/qquickitem.cpp:5921
      #38 0x00007f60ed07acca in QQuickItem::setVisible (this=<optimized out>, v=<optimized out>) at qtdeclarative/src/quick/items/qquickitem.cpp:5929
      #39 0x00007f60ed08d030 in QQuickItem::qt_static_metacall (_o=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=0x7ffe1f9bf9c0) at .moc/moc_qquickitem.cpp:965
      #40 0x00007f60eca30413 in QQmlPropertyData::writeProperty (flags=..., value=0x7ffe1f9bf9b2, target=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.13.0/QtQml/private/../../../../../../../qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:346
      #41 GenericBinding<1>::doStore<bool> (flags=..., pd=<optimized out>, value=<optimized out>, this=0x4045040) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:332
      #42 GenericBinding<1>::write (this=0x4045040, result=..., isUndefined=<optimized out>, flags=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:294
      #43 0x00007f60eca30e7e in QQmlNonbindingBinding::doUpdate (this=0x4045040, watcher=..., flags=..., scope=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
      #44 0x00007f60eca2da4f in QQmlBinding::update (this=0x4045040, flags=..., flags@entry=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
      #45 0x00007f60eca2e89a in QQmlBinding::expressionChanged (this=<optimized out>) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:530
      #46 0x00007f60eca23def in QQmlJavaScriptExpressionGuard_callback (e=<optimized out>) at qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:414
      #47 0x00007f60eca01ad4 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=a@entry=0x0) at qtdeclarative/src/qml/qml/qqmlnotifier.cpp:104
      #48 0x00007f60ec9a30f9 in QQmlData::signalEmitted (object=0x403f900, index=110, a=0x0) at qtdeclarative/src/qml/qml/qqmlengine.cpp:887
      #49 0x00007f60e995bbba in QMetaObject::activate (sender=0x403f900, signalOffset=<optimized out>, local_signal_index=<optimized out>, argv=argv@entry=0x0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3676
      #50 0x00007f60ec99c3dd in QQmlVMEMetaObject::activate (this=this@entry=0x4044e50, object=<optimized out>, index=<optimized out>, args=args@entry=0x0) at qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:1246
      #51 0x00007f60ec99ec3d in QQmlVMEMetaObject::metaCall (this=0x4044e50, o=<optimized out>, c=QMetaObject::WriteProperty, _id=<optimized out>, a=0x7ffe1f9c17e0) at qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:839
      #52 0x00007f60e99353eb in QMetaObject::metacall (object=<optimized out>, cl=cl@entry=QMetaObject::WriteProperty, idx=<optimized out>, argv=argv@entry=0x7ffe1f9c17e0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qmetaobject.cpp:307
      #53 0x00007f60eca30435 in QQmlPropertyData::writeProperty (flags=..., value=0x7ffe1f9c17d2, target=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.13.0/QtQml/private/../../../../../../../qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:350
      #54 GenericBinding<1>::doStore<bool> (flags=..., pd=<optimized out>, value=<optimized out>, this=0x404c610) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:332
      #55 GenericBinding<1>::write (this=0x404c610, result=..., isUndefined=<optimized out>, flags=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:294
      #56 0x00007f60eca30e7e in QQmlNonbindingBinding::doUpdate (this=0x404c610, watcher=..., flags=..., scope=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
      #57 0x00007f60eca2da4f in QQmlBinding::update (this=0x404c610, flags=..., flags@entry=...) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
      #58 0x00007f60eca2e89a in QQmlBinding::expressionChanged (this=<optimized out>) at qtdeclarative/src/qml/qml/qqmlbinding.cpp:530
      #59 0x00007f60eca23def in QQmlJavaScriptExpressionGuard_callback (e=<optimized out>) at qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:414
      #60 0x00007f60eca01ad4 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=a@entry=0x0) at qtdeclarative/src/qml/qml/qqmlnotifier.cpp:104
      #61 0x00007f60ec9a30f9 in QQmlData::signalEmitted (object=0x40145d0, index=16, a=0x0) at qtdeclarative/src/qml/qml/qqmlengine.cpp:887
      #62 0x00007f60e995bbba in QMetaObject::activate (sender=sender@entry=0x40145d0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=10, argv=argv@entry=0x0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3676
      #63 0x00007f60e995c429 in QMetaObject::activate (sender=sender@entry=0x40145d0, m=m@entry=0x2760260, local_signal_index=10, argv=argv@entry=0x0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3658
      #64 0x00007f60e995c473 in QMetaObject::activate (sender=sender@entry=0x40145d0, signal_index=18, argv=argv@entry=0x0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3857
      #65 0x00007f60ec78f5ee in VDMModelDelegateDataType::notify (this=<optimized out>, items=QList<QQmlDelegateModelItem *> (size = 27) = {...}, index=0, count=107, roles=QVector<int> (size = 0)) at qtdeclarative/src/qml/util/qqmladaptormodel.cpp:173
      #66 0x00007f60ecab45a6 in QQmlAdaptorModel::notify (roles=QVector<int> (size = 494190725) = {...}, count=107, index=0, items=QList<QQmlDelegateModelItem *> (size = 27) = {...}, this=0x27505c8) at ../../include/QtQml/5.13.0/QtQml/private/../../../../../../../qtdeclarative/src/qml/util/qqmladaptormodel_p.h:151
      #67 QQmlDelegateModel::_q_itemsChanged (this=this@entry=0x2750440, index=index@entry=0, count=107, roles=QVector<int> (size = 0)) at qtdeclarative/src/qml/types/qqmldelegatemodel.cpp:1253
      #68 0x00007f60ecab8c0b in QQmlDelegateModel::_q_layoutChanged (this=0x2750440, parents=QList<QPersistentModelIndex> (size = 1) = {...}, hint=<optimized out>) at qtdeclarative/src/qml/types/qqmldelegatemodel.cpp:1767
      #69 0x00007f60ecab8d8f in QQmlDelegateModel::qt_static_metacall (_o=_o@entry=0x2750440, _c=_c@entry=QMetaObject::InvokeMetaMethod, _id=_id@entry=13, _a=_a@entry=0x7ffe1f9c37d0) at .moc/moc_qqmldelegatemodel_p.cpp:204
      #70 0x00007f60ecab928d in QQmlDelegateModel::qt_metacall (this=0x2750440, _c=QMetaObject::InvokeMetaMethod, _id=13, _a=0x7ffe1f9c37d0) at .moc/moc_qqmldelegatemodel_p.cpp:335
      #71 0x00007f60e99353f6 in QMetaObject::metacall (object=object@entry=0x2750440, cl=cl@entry=QMetaObject::InvokeMetaMethod, idx=idx@entry=23, argv=argv@entry=0x7ffe1f9c37d0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qmetaobject.cpp:309
      #72 0x00007f60e995c1d2 in QMetaObject::activate (sender=sender@entry=0x21102b0, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=3, argv=argv@entry=0x7ffe1f9c37d0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3823
      #73 0x00007f60e995c429 in QMetaObject::activate (sender=sender@entry=0x21102b0, m=m@entry=0x7f60e9dec080 <QAbstractItemModel::staticMetaObject>, local_signal_index=local_signal_index@entry=3, argv=argv@entry=0x7ffe1f9c37d0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3658
      #74 0x00007f60e98d5a30 in QAbstractItemModel::layoutChanged (this=this@entry=0x21102b0, _t1=QList<QPersistentModelIndex> (size = 1) = {...}, _t2=<optimized out>, _t2@entry=QAbstractItemModel::VerticalSortHint) at .moc/moc_qabstractitemmodel.cpp:571
      #75 0x00007f60e9900f9a in QSortFilterProxyModelPrivate::_q_sourceDataChanged (this=0x2146700, source_top_left=..., source_bottom_right=..., roles=...) at /d/qt/5/kde/qtbase/src/corelib/itemmodels/qsortfilterproxymodel.cpp:1453
      #76 0x00007f60e9901b6f in QSortFilterProxyModel::qt_static_metacall (_o=_o@entry=0x21102b0, _c=_c@entry=QMetaObject::InvokeMetaMethod, _id=_id@entry=8, _a=_a@entry=0x7ffe1f9c3ad0) at .moc/moc_qsortfilterproxymodel.cpp:225
      #77 0x00007f60e995c15d in QMetaObject::activate (sender=sender@entry=0x2227d10, signalOffset=<optimized out>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffe1f9c3ad0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3807
      #78 0x00007f60e995c429 in QMetaObject::activate (sender=0x2227d10, m=m@entry=0x7f60e9dec080 <QAbstractItemModel::staticMetaObject>, local_signal_index=local_signal_index@entry=0, argv=argv@entry=0x7ffe1f9c3ad0) at /d/qt/5/kde/qtbase/src/corelib/kernel/qobject.cpp:3658
      #79 0x00007f60e98d59a3 in QAbstractItemModel::dataChanged (this=<optimized out>, _t1=..., _t2=..., _t3=...) at .moc/moc_qabstractitemmodel.cpp:557
      #80 0x00007f60edb50c25 in RoomModel::updateSubscriptionRoom (this=0x2227d10, roomData=...) at /d/kde/src/5/playground/network/ruqola/src/ruqolacore/model/roommodel.cpp:277
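Added example, not Qt's code and not the fix referenced by the commit on this report: a self-contained C++ model of the loop in the snippet above, with `Model`, `notifyUnsafe`, `notifySafe` and `makeScenario` as constructed names. It shows the cached-count loop running past the shrunk list once a handler removes entries during the emission, and a snapshot-based variant that tolerates the re-entrant removal.

```cpp
#include <algorithm>
#include <functional>
#include <vector>
// Constructed stand-in for the delegate model's item cache: item ids plus a "signal"
// handler that may mutate the list while notify() is still iterating it.
struct Model {
    std::vector<int> items;                      // stands in for QList<QQmlDelegateModelItem *>
    std::function<void(Model &, int)> onChanged; // stands in for the slot connected to the signal
    void removeItem(int item) {                  // stands in for removeCacheItem()
        items.erase(std::remove(items.begin(), items.end(), item), items.end());
    }
    // The reported pattern: items.count() is cached in `c`, so once a handler shrinks `items`
    // `i < c` stays true past the new end; `overrun` marks where QList::at(i) would assert.
    int notifyUnsafe(bool &overrun) {
        overrun = false;
        int visited = 0;
        for (int i = 0, c = static_cast<int>(items.size()); i < c; ++i) {
            if (i >= static_cast<int>(items.size())) { overrun = true; break; }
            int item = items[i];
            ++visited;
            if (onChanged) onChanged(*this, item); // re-entrant: may call removeItem()
        }
        return visited;
    }
    // Re-entrancy-safe variant: walk a snapshot taken before any emission and skip
    // entries that an earlier handler run has already removed from the live list.
    int notifySafe() {
        int visited = 0;
        const std::vector<int> snapshot = items;
        for (int item : snapshot) {
            if (std::find(items.begin(), items.end(), item) == items.end())
                continue; // released during a previous iteration; no longer alive
            ++visited;
            if (onChanged) onChanged(*this, item);
        }
        return visited;
    }
};
// Constructed scenario: the handler for item 1 releases items 2 and 3, the way the
// backtrace shows refill()/removeNonVisibleItems() releasing delegates mid-notify.
static Model makeScenario() {
    Model m;
    m.items = {1, 2, 3};
    m.onChanged = [](Model &self, int item) {
        if (item == 1) { self.removeItem(2); self.removeItem(3); }
    };
    return m;
}
bool unsafeOverruns() { bool o = false; Model m = makeScenario(); m.notifyUnsafe(o); return o; }
int safeVisited()     { Model m = makeScenario(); return m.notifySafe(); }
```

With the cached count, the unsafe loop reaches index 1 of a list that now holds one element; the snapshot variant visits only the item that is still alive and never touches a stale index.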


          People

            ulherman Ulf Hermann
            dfaure_kdab David Faure