QTreeView crash in indexRowSizeHint/itemHeight [investigation, patch]

QTreeView makes use of deleted memory in one particular circumstance, let me explain and provide a patch.

KPackageKit (KPACKAGEKIT_0.6.X branch in git://git.kde.org/apper) crashes reproduceably in QTreeView when filling a tree view with many packages (e.g. typing "a" and Enter). The valgrind log (attached) explains what's happening:

1) QTreeViewPrivate::itemHeight does "const QModelIndex& index = viewItems.at(item).index;" and passes that to indexRowSizeHint()
2) indexRowSizeHint calls visualIndexAt(0)
3) and below, indexRowSizeHint uses index.row().
So if something in visualIndexAt() ends up recreating the viewItems vector, then index is a dangling reference.

This indeed happens when visualIndexAt() ends up calling sizeHintForColumn() [via QHeaderView, see 2nd vg backtrace for details] which starts with executePostedLayout() which calls doItemsLayout() ... even though all of this is from doItemsLayout already

And doItemLayouts recreates the viewItems vector -> bingo.

The fix is simple: not keeping a ref, but an actual copy of the qmodelindex.
One-liner patch attached, please apply.