Details
Type: Bug
Resolution: Out of scope
Priority: Not Evaluated
Affects version: 4.8.6
Description
Under some circumstances, a WorkerScript.onMessage handler can access a previously destructed ListModel, resulting in a segmentation fault. This can occur in two cases:
a) WorkerScript.onMessage is called after a ListModel, passed through WorkerScript.sendMessage, has been destructed.
b) A ListModel is destructed while a long running WorkerScript.onMessage is being executed.
Here is an example output showing the sequence of destruction:
Component.onCompleted
ListModel.onCompleted
WorkerScript.onMessage( QDeclarativeListModelWorkerAgent(name = "") )
util/qdeclarativelistmodelworkeragent.cpp sync 192
util/qdeclarativelistmodelworkeragent.cpp sync 197
ListModel.onDestruction
util/qdeclarativelistmodelworkeragent.cpp event 214
util/qdeclarativelistmodelworkeragent.cpp event 221
util/qdeclarativelistmodelworkeragent.cpp event 224
Segmentation fault (core dumped)
The segmentation fault occurs in util/qdeclarativelistmodelworkeragent.cpp, in the function that accesses the m_orig list model after it has already been destroyed:
bool QDeclarativeListModelWorkerAgent::event(QEvent *e)
{
    if (e->type() == QEvent::User) {
        QMutexLocker locker(&mutex);
        Sync *s = static_cast<Sync *>(e);
        const QList<Change> &changes = s->data.changes;
        if (m_copy) {
            bool cc = m_orig->count() != s->list->count(); // <<== seg fault here
            ...
}
There needs to be some coordination between when a WorkerScript and its parents and siblings are destroyed.
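As an added illustration (not Qt code and not the attached sample), the following standalone C++ models the agent's m_orig/m_copy relationship and replays the sequence from the output above: the model is copied for the worker, the ListModel is destructed, and the worker's sync arrives afterwards. The raw-pointer shape mirrors the crashing event(); the hardened shape uses a weak reference (a technique chosen here for illustration) so that a late sync is dropped instead of dereferencing freed memory. ListModel, Change, UnsafeAgent and SafeAgent are constructed stand-ins.

```cpp
#include <cstddef>
#include <memory>
#include <vector>
// Stand-ins for the QML ListModel and the agent's Change records
// (constructed for this example; not Qt's types).
struct ListModel {
    std::vector<int> items;
    int count() const { return static_cast<int>(items.size()); }
};
struct Change { std::size_t index; int value; };

// Shape of the crashing code: a raw pointer to the GUI-side model that the
// agent dereferences in event() with no way to tell it has been destructed.
struct UnsafeAgent {
    ListModel *m_orig;                 // dangling once the ListModel is gone
    std::unique_ptr<ListModel> m_copy;
    bool sync() { return m_orig->count() != m_copy->count(); } // use-after-free
};

// Hardened shape: the agent holds only a weak reference and drops a sync that
// arrives after destruction instead of dereferencing freed memory.
struct SafeAgent {
    std::weak_ptr<ListModel> m_orig;
    std::unique_ptr<ListModel> m_copy;
    // Returns true if the changes were applied, false if the model was gone.
    bool sync(const std::vector<Change> &changes) {
        std::shared_ptr<ListModel> orig = m_orig.lock(); // pins it for the sync
        if (!orig || !m_copy) return false;
        for (const Change &c : changes)
            if (c.index < orig->items.size()) orig->items[c.index] = c.value;
        return true;
    }
};

// Replays the report's sequence: the message is sent, the ListModel is
// destructed, and only then does the worker's sync reach the agent.
bool syncAfterDestructionIsDropped() {
    auto model = std::make_shared<ListModel>(ListModel{{1, 2, 3}});
    SafeAgent agent{model, std::make_unique<ListModel>(*model)}; // sendMessage copy
    model.reset();                                               // ListModel.onDestruction
    return !agent.sync({{0, 42}});
}

// Control case: the model is still alive, so the change reaches it.
int syncWhileAliveApplies() {
    auto model = std::make_shared<ListModel>(ListModel{{1, 2, 3}});
    SafeAgent agent{model, std::make_unique<ListModel>(*model)};
    agent.sync({{1, 99}});
    return model->items[1]; // 99
}
```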
The bug is present in 4.8.4, 4.8.5, and 4.8.6.
A sample reproducing the issue is attached.