Qt / QTBUG-141105

[REG] SIGSEGV in QQmlDelegateModelItem::destroyObject(), accesses invalid QObjectData


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Not Evaluated
    • Affects Version/s: 6.7.2, 6.8.1, 6.8.2, 6.9.0, 6.9.1, 6.9.2, 6.10.0
    • Environment: Linux/Wayland

      Users on KDE Plasma 6.1 through 6.4 are experiencing random crashes during tooltip delegate teardown.

      The issue was first reported in August 2024, but only later have more crashes occurred. The crash has been hard to reproduce so far.

      Inspecting the coredump shows the `QObject` instance and associated `QQmlData` / d-pointer are in an inconsistent state when `QQmlData::get` attempts to access `QObjectData`. Possible use-after-free, lifecycle issues.

      Code history suggests there have already been various problems with the property cache. However, I am not read up on those.

      (gdb) f 10
      #10 QQmlDelegateModelItem::destroyObject (this=0x5b3fb77273f0)
          at /usr/src/debug/qt6-declarative/qtdeclarative/src/qmlmodels/qqmldelegatemodel.cpp:2512
      2512        QQmlData *data = QQmlData::get(object);
      
      (gdb) l -
      2507    void QQmlDelegateModelItem::destroyObject()
      2508    {
      2509        Q_ASSERT(object);
      2510        Q_ASSERT(contextData);
      2511
      2512 =>     QQmlData *data = QQmlData::get(object);
      2513        Q_ASSERT(data);
      2514        if (data->ownContext) {
      2515            data->ownContext->clearContext();
      2516            data->ownContext->deepClearContextObject(object);
      2517            data->ownContext.reset();
      2518            data->context = nullptr;
      2519        }
      2520        /* QTBUG-87228: when destroying object at the application exit, the deferred
      2521         * parent by setting it to QCoreApplication instance if it's nullptr, so
      2522         * deletion won't work. Not to leak memory, make sure our object has a that
      2523         * the parent claims the object at the end of the lifetime. When not at the
      2524         * application exit, normal event loop will handle the deferred deletion
      2525         * earlier.
      2526         */
      2527        if (Q_UNLIKELY(static_cast<QCoreApplicationPrivate *>(QCoreApplicationPrivate::get(QCoreApplication::instance()))->aboutToQuitEmitted)) {
      2528            if (object->parent() == nullptr)
      2529                object->setParent(QCoreApplication::instance());
      2530        }
      2531        object->deleteLater();
      2532
      2533        if (QQmlDelegateModelAttached *attachedObject = attached())
      2534            attachedObject->m_cacheItem = nullptr;
      2535
      2536        contextData.reset();
      
      (gdb) p object # cacheItem->object
      $1 = {wp = {d = 0x0, value = 0x0}}
      

      See the original KDE Plasma bug report(s) here:
      https://bugs.kde.org/show_bug.cgi?id=491699

      I am attaching the full kcrash backtrace. Please let me know what further information to provide!


            Assignee: Qt Quick and Widgets Team
            Reporter: mydarkstar
            Votes: 1
            Watchers: 3
