  1. Qt
  2. QTBUG-33347

Instantiator: crash in QQmlDelegateModel when the QQmlContext is deleted out from under it


Details

    Description

      This example is a bit contrived, but the crash signature matches what I'm seeing in real code.

      // Reproducer: an Instantiator is created through a Loader, but the ListModel it
      // is bound to is a property of the root item and therefore outlives it. The
      // timer below unloads the Loader and then mutates the still-live model.
      import QtQuick 2.1
      
      Item {
        id: root
        // Owned by root, so it stays alive while the Loader's content comes and goes.
        property var model: ListModel {}
      
        Loader {
          id: loader
          sourceComponent: component
        }
      
        Component {
          id: component
          Instantiator {
            model: root.model
      
            // Reparent every object the Instantiator creates to the root item.
            onObjectAdded: object.parent = root
      
            Rectangle {
              color: 'red'
              x: 0
              // Positions the rectangle from the row's 'foo' value (appended in
              // Component.onCompleted below).
              y: model.foo * 20
              width: 18
              height: 18
            }
          }
        }
      
        // Steps executed one per timer tick, in order.
        property var __fns: [
          // Step 1: deactivate the Loader, unloading the Instantiator.
          function() { loader.active = false; },
          // Step 2: remove one row from the model; the report says the crash
          // happens while this step runs.
          function() { model.remove(1, 1); },
          // Step 3: reactivate the Loader.
          function() { loader.active = true; },
        ]
      
        Timer {
          interval: 1000
          running: true
          repeat: true
          onTriggered: {
            // Pop the next step off the front of the list and call it.
            __fns.shift()();
            // Stop the timer once every step has run.
            if (!__fns.length)
            {
              running = false;
            }
          }
        }
      
        // Seed the model with two rows as soon as the root item is complete.
        Component.onCompleted: {
          model.append({'foo': 1});
          model.append({'foo': 2});
        }
      }
      

      When the second function runs (model.remove(1, 1), a couple of seconds after startup), it crashes with this stack:

      >	Qt5Qmld.dll!QQmlContext::isValid()  Line 233 + 0x3 bytes	C++
       	Qt5Qmld.dll!QQmlDelegateModelPrivate::emitChanges()  Line 1414 + 0x37 bytes	C++
       	Qt5Qmld.dll!QQmlDelegateModel::_q_itemsRemoved(int index, int count)  Line 1336	C++
       	Qt5Qmld.dll!QQmlDelegateModel::_q_rowsRemoved(const QModelIndex & parent, int begin, int end)  Line 1502	C++
       	Qt5Qmld.dll!QQmlDelegateModel::qt_static_metacall(QObject * _o, QMetaObject::Call _c, int _id, void * * _a)  Line 190 + 0x21 bytes	C++
       	Qt5Qmld.dll!QQmlDelegateModel::qt_metacall(QMetaObject::Call _c, int _id, void * * _a)  Line 282 + 0x15 bytes	C++
       	Qt5Cored.dll!QMetaObject::metacall(QObject * object, QMetaObject::Call cl, int idx, void * * argv)  Line 308	C++
       	Qt5Cored.dll!QMetaObject::activate(QObject * sender, int signalOffset, int local_signal_index, void * * argv)  Line 3509 + 0x30 bytes	C++
       	Qt5Cored.dll!QMetaObject::activate(QObject * sender, const QMetaObject * m, int local_signal_index, void * * argv)  Line 3369 + 0x1e bytes	C++
       	Qt5Cored.dll!QAbstractItemModel::rowsRemoved(const QModelIndex & _t1, int _t2, int _t3, QAbstractItemModel::QPrivateSignal __formal)  Line 441 + 0x14 bytes	C++
       	Qt5Cored.dll!QAbstractItemModel::endRemoveRows()  Line 2617	C++
       	Qt5Qmld.dll!QQmlListModel::emitItemsRemoved(int index, int count)  Line 1697	C++
       	Qt5Qmld.dll!QQmlListModel::remove(QQmlV8Function * args)  Line 1907	C++
       	Qt5Qmld.dll!QQmlListModel::qt_static_metacall(QObject * _o, QMetaObject::Call _c, int _id, void * * _a)  Line 122 + 0x11 bytes	C++
       	Qt5Qmld.dll!QQmlListModel::qt_metacall(QMetaObject::Call _c, int _id, void * * _a)  Line 182 + 0x15 bytes	C++
       	Qt5Cored.dll!QMetaObject::metacall(QObject * object, QMetaObject::Call cl, int idx, void * * argv)  Line 308	C++
       	Qt5Qmld.dll!QV8QObjectWrapper::Invoke(void * [2] args)  Line 2045 + 0x14 bytes	C++
       	Qt5V8d.dll!v8::internal::HandleApiCallHelper<0>(v8::internal::`anonymous-namespace'::BuiltinArguments<1> args, v8::internal::Isolate * isolate)  Line 1164 + 0xe bytes	C++
       	Qt5V8d.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::`anonymous-namespace'::BuiltinArguments<1> args, v8::internal::Isolate * isolate)  Line 1182 + 0x11 bytes	C++
       	Qt5V8d.dll!v8::internal::Builtin_HandleApiCall(v8::internal::`anonymous-namespace'::BuiltinArguments<1> args, v8::internal::Isolate * isolate)  Line 1181 + 0x46 bytes	C++
       	3c60a236()	
       	Qt5V8d.dll!v8::internal::Invoke(bool is_construct, v8::internal::Handle<v8::internal::JSFunction> function, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * args, bool * has_pending_exception, v8::internal::Handle<v8::internal::Object> qml)  Line 125 + 0x17 bytes	C++
       	Qt5V8d.dll!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object> callable, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * argv, bool * pending_exception, bool convert_receiver, v8::internal::Handle<v8::internal::Object> qml)  Line 201 + 0x23 bytes	C++
       	Qt5V8d.dll!v8::internal::Execution::Call(v8::internal::Handle<v8::internal::Object> callable, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * argv, bool * pending_exception, bool convert_receiver)  Line 168 + 0x2d bytes	C++
       	Qt5V8d.dll!v8::Function::Call(v8::Handle<v8::Object> recv, int argc, v8::Handle<v8::Value> * argv)  Line 3788 + 0x27 bytes	C++
       	Qt5Qmld.dll!QQmlJavaScriptExpression::evaluate(QQmlContextData * context, v8::Handle<v8::Function> function, int argc, v8::Handle<v8::Value> * args, bool * isUndefined)  Line 180 + 0x20 bytes	C++
       	Qt5Qmld.dll!QQmlJavaScriptExpression::evaluate(QQmlContextData * context, v8::Handle<v8::Function> function, bool * isUndefined)  Line 127 + 0x1c bytes	C++
       	Qt5Qmld.dll!QQmlBoundSignalExpression::evaluate(void * * a)  Line 224	C++
       	Qt5Qmld.dll!QQmlBoundSignal_callback(QQmlNotifierEndpoint * e, void * * a)  Line 385	C++
       	Qt5Qmld.dll!QQmlNotifier::emitNotify(QQmlNotifierEndpoint * endpoint, void * * a)  Line 83 + 0x1d bytes	C++
       	Qt5Qmld.dll!QQmlData::signalEmitted(QAbstractDeclarativeData * __formal, QObject * object, int index, void * * a)  Line 655 + 0x13 bytes	C++
       	Qt5Cored.dll!QMetaObject::activate(QObject * sender, int signalOffset, int local_signal_index, void * * argv)  Line 3387 + 0x1e bytes	C++
       	Qt5Cored.dll!QMetaObject::activate(QObject * sender, const QMetaObject * m, int local_signal_index, void * * argv)  Line 3369 + 0x1e bytes	C++
       	Qt5Qmld.dll!QQmlTimer::triggered()  Line 247 + 0x13 bytes	C++
       	Qt5Qmld.dll!QQmlTimer::ticked()  Line 314	C++
       	Qt5Qmld.dll!QQmlTimerPrivate::animationCurrentLoopChanged(QAbstractAnimationJob * __formal)  Line 63 + 0x1f bytes	C++
       	Qt5Qmld.dll!QAbstractAnimationJob::currentLoopChanged()  Line 577 + 0x2b bytes	C++
       	Qt5Qmld.dll!QAbstractAnimationJob::setCurrentTime(int msecs)  Line 465	C++
       	Qt5Qmld.dll!QQmlAnimationTimer::updateAnimationsTime(__int64 delta)  Line 118	C++
       	Qt5Cored.dll!QUnifiedTimer::updateAnimationTimers(__int64 currentTick)  Line 290	C++
       	Qt5Cored.dll!QUnifiedTimer::timerEvent(QTimerEvent * event)  Line 394	C++
       	Qt5Cored.dll!QObject::event(QEvent * e)  Line 1060	C++
       	Qt5Widgetsd.dll!QApplicationPrivate::notify_helper(QObject * receiver, QEvent * e)  Line 3471 + 0x11 bytes	C++
       	Qt5Widgetsd.dll!QApplication::notify(QObject * receiver, QEvent * e)  Line 2892 + 0x10 bytes	C++
       	Qt5Cored.dll!QCoreApplication::notifyInternal(QObject * receiver, QEvent * event)  Line 867 + 0x15 bytes	C++
       	Qt5Cored.dll!QCoreApplication::sendEvent(QObject * receiver, QEvent * event)  Line 232 + 0x39 bytes	C++
       	Qt5Cored.dll!QEventDispatcherWin32Private::sendTimerEvent(int timerId)  Line 585 + 0x10 bytes	C++
       	Qt5Cored.dll!QEventDispatcherWin32::event(QEvent * e)  Line 1137	C++
       	Qt5Widgetsd.dll!QApplicationPrivate::notify_helper(QObject * receiver, QEvent * e)  Line 3471 + 0x11 bytes	C++
       	Qt5Widgetsd.dll!QApplication::notify(QObject * receiver, QEvent * e)  Line 2892 + 0x10 bytes	C++
       	Qt5Cored.dll!QCoreApplication::notifyInternal(QObject * receiver, QEvent * event)  Line 867 + 0x15 bytes	C++
       	Qt5Cored.dll!QCoreApplication::sendEvent(QObject * receiver, QEvent * event)  Line 232 + 0x39 bytes	C++
       	Qt5Cored.dll!QCoreApplicationPrivate::sendPostedEvents(QObject * receiver, int event_type, QThreadData * data)  Line 1471 + 0xd bytes	C++
       	Qt5Cored.dll!QCoreApplication::sendPostedEvents(QObject * receiver, int event_type)  Line 1329 + 0x11 bytes	C++
       	Qt5Guid.dll!QWindowSystemInterface::sendWindowSystemEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags)  Line 560 + 0xa bytes	C++
       	qwindowsd.dll!QWindowsGuiEventDispatcher::sendPostedEvents()  Line 86 + 0xd bytes	C++
       	Qt5Cored.dll!qt_internal_proc(HWND__ * hwnd, unsigned int message, unsigned int wp, long lp)  Line 423	C++
       	user32.dll!_InternalCallWinProc@20()  + 0x23 bytes	
       	user32.dll!_UserCallWinProcCheckWow@36()  + 0xbd bytes	
       	user32.dll!_DispatchMessageWorker@8()  + 0xf8 bytes	
       	user32.dll!_DispatchMessageW@4()  + 0x10 bytes	
       	Qt5Cored.dll!QEventDispatcherWin32::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags)  Line 757	C++
       	qwindowsd.dll!QWindowsGuiEventDispatcher::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags)  Line 78 + 0xd bytes	C++
       	Qt5Cored.dll!QEventLoop::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags)  Line 137	C++
       	Qt5Cored.dll!QEventLoop::exec(QFlags<enum QEventLoop::ProcessEventsFlag> flags)  Line 212 + 0x26 bytes	C++
       	Qt5Cored.dll!QCoreApplication::exec()  Line 1120 + 0x15 bytes	C++
       	Qt5Guid.dll!QGuiApplication::exec()  Line 1221	C++
       	Qt5Widgetsd.dll!QApplication::exec()  Line 2697	C++
       	qmlscene.exe!main(int argc, char * * argv)  Line 533 + 0x6 bytes	C++
       	qmlscene.exe!__tmainCRTStartup()  Line 555 + 0x19 bytes	C
       	qmlscene.exe!mainCRTStartup()  Line 371	C
      

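      The QQmlContext at the top of the stack has already been deleted. I confirmed this by adding some prints of the context pointers: in the output below, ~QQmlContext runs for 0xa6acc0, and the following QQmlDelegateModelPrivate::emitChanges still uses 0xa6acc0, so the delegate model is calling into a dangling context pointer (a use-after-free):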

      QQmlInstantiator::makeModel 0xa6acc0
      QQmlDelegateModelPrivate::emitChanges 0xa6acc0
      QQmlDelegateModelPrivate::emitChanges 0xa6acc0
      QQmlDelegateModelPrivate::emitChanges 0xa6acc0
      QQmlDelegateModelPrivate::emitChanges 0xa6acc0
      ~QQmlContext  0xa6acc0
      ~QQmlContext  0xaa2e90
      QQmlDelegateModelPrivate::emitChanges 0xa6acc0
      

      If I switch from an Instantiator to a Repeater, it does not crash.

            People

              Unassigned Unassigned
              jfaust Josh Faust