QML list property: Avoid crash if contained object is deleted

Task-number: QTBUG-81123 Change-Id: I3dd1a42e444f817722368cd268c2f987a99fbf1c Reviewed-by: Ulf Hermann <ulf.hermann@qt.io> (cherry picked from commit e5570eecd3a4fc61020d28699169707a2c1f5dc9)
author: Fabian Kosmale <fabian.kosmale@qt.io> 2020-01-10 15:22:20 +0100
committer: Fabian Kosmale <fabian.kosmale@qt.io> 2020-01-28 09:47:56 +0100
commit: 03df41fbcdb6e1ae3d0792d5b7806e5335b58794 (patch)
tree: 9ac6e33306be9d368f4016aa689d42d67e17bfd6
parent: ddeffeed1d933b6513f18533a9186e9f472da117 (diff)
4 files changed, 67 insertions, 10 deletions
diff --git a/src/qml/qml/qqmlvmemetaobject.cpp b/src/qml/qml/qqmlvmemetaobject.cpp
index 15fb181516..1de8b895e2 100644
--- a/src/qml/qml/qqmlvmemetaobject.cpp
+++ b/src/qml/qml/qqmlvmemetaobject.cpp
@@ -62,26 +62,27 @@ QT_BEGIN_NAMESPACE
 
 static void list_append(QQmlListProperty<QObject> *prop, QObject *o)
 {
-    QList<QObject *> *list = static_cast<QList<QObject *> *>(prop->data);
+    auto *list = static_cast<QVector<QQmlGuard<QObject>> *>(prop->data);
     list->append(o);
     static_cast<QQmlVMEMetaObject *>(prop->dummy1)->activate(prop->object, reinterpret_cast<quintptr>(prop->dummy2), nullptr);
 }
 
 static int list_count(QQmlListProperty<QObject> *prop)
 {
-    QList<QObject *> *list = static_cast<QList<QObject *> *>(prop->data);
+
+    auto *list = static_cast<QVector<QQmlGuard<QObject>> *>(prop->data);
     return list->count();
 }
 
 static QObject *list_at(QQmlListProperty<QObject> *prop, int index)
 {
-    QList<QObject *> *list = static_cast<QList<QObject *> *>(prop->data);
+    auto *list = static_cast<QVector<QQmlGuard<QObject>> *>(prop->data);
     return list->at(index);
 }
 
 static void list_clear(QQmlListProperty<QObject> *prop)
 {
-    QList<QObject *> *list = static_cast<QList<QObject *> *>(prop->data);
+    auto *list = static_cast<QVector<QQmlGuard<QObject>> *>(prop->data);
     list->clear();
     static_cast<QQmlVMEMetaObject *>(prop->dummy1)->activate(prop->object, reinterpret_cast<quintptr>(prop->dummy2), nullptr);
 }
@@ -548,7 +549,7 @@ QObject* QQmlVMEMetaObject::readPropertyAsQObject(int id) const
     return wrapper->object();
 }
 
-QList<QObject *> *QQmlVMEMetaObject::readPropertyAsList(int id) const
+QVector<QQmlGuard<QObject>> *QQmlVMEMetaObject::readPropertyAsList(int id) const
 {
     QV4::MemberData *md = propertyAndMethodStorageAsMemberData();
     if (!md)
@@ -556,12 +557,12 @@ QList<QObject *> *QQmlVMEMetaObject::readPropertyAsList(int id) const
 
     QV4::Scope scope(engine);
     QV4::Scoped<QV4::VariantObject> v(scope, *(md->data() + id));
-    if (!v || (int)v->d()->data().userType() != qMetaTypeId<QList<QObject *> >()) {
-        QVariant variant(qVariantFromValue(QList<QObject*>()));
+    if (!v || (int)v->d()->data().userType() != qMetaTypeId<QVector<QQmlGuard<QObject>> >()) {
+        QVariant variant(QVariant::fromValue(QVector<QQmlGuard<QObject>>()));
         v = engine->newVariantObject(variant);
         md->set(engine, id, v);
     }
-    return static_cast<QList<QObject *> *>(v->d()->data().data());
+    return static_cast<QVector<QQmlGuard<QObject>> *>(v->d()->data().data());
 }
 
 QRectF QQmlVMEMetaObject::readPropertyAsRectF(int id) const
@@ -688,7 +689,7 @@ int QQmlVMEMetaObject::metaCall(QObject *o, QMetaObject::Call c, int _id, void *
                             *reinterpret_cast<QVariant *>(a[0]) = readPropertyAsVariant(id);
                             break;
                         case QV4::CompiledData::Property::CustomList: {
-                            QList<QObject *> *list = readPropertyAsList(id);
+                            QVector<QQmlGuard<QObject>> *list = readPropertyAsList(id);
                             QQmlListProperty<QObject> *p = static_cast<QQmlListProperty<QObject> *>(a[0]);
                             *p = QQmlListProperty<QObject>(object, list,
                                                                   list_append, list_count, list_at,
diff --git a/src/qml/qml/qqmlvmemetaobject_p.h b/src/qml/qml/qqmlvmemetaobject_p.h
index 35bc35ce4b..08428f6123 100644
--- a/src/qml/qml/qqmlvmemetaobject_p.h
+++ b/src/qml/qml/qqmlvmemetaobject_p.h
@@ -190,7 +190,7 @@ public:
     QDateTime readPropertyAsDateTime(int id);
     QRectF readPropertyAsRectF(int id) const;
     QObject *readPropertyAsQObject(int id) const;
-    QList<QObject *> *readPropertyAsList(int id) const;
+    QVector<QQmlGuard<QObject> > *readPropertyAsList(int id) const;
 
     void writeProperty(int id, int v);
     void writeProperty(int id, bool v);
diff --git a/tests/auto/qml/qqmllanguage/data/listContainingDeleted.qml b/tests/auto/qml/qqmllanguage/data/listContainingDeleted.qml
new file mode 100644
index 0000000000..efd273ddc6
--- /dev/null
+++ b/tests/auto/qml/qqmllanguage/data/listContainingDeleted.qml
@@ -0,0 +1,36 @@
+import QtQuick 2.12
+
+Item {
+    width: 1024
+    height: 800
+
+    property Component a: Component {
+        id: a
+        Item {
+            property list<QtObject> myList: [
+                QtObject {
+                    property bool enabled: true
+                }
+            ]
+        }
+    }
+    Component {
+        id: b
+        Item {
+            property list<QtObject> myList
+
+            function test() {
+                for (var i = 0; i < myList.length; ++i)
+                    console.log(i, "==", myList[i].enabled)
+            }
+        }
+    }
+    property Item instance
+    function doAssign(o) {
+        instance = b.createObject(null, {myList: o.myList})
+    }
+    function use() {
+        instance.test()
+    }
+
+}
diff --git a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
index 87468c329c..d7ef9999d0 100644
--- a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
+++ b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
@@ -303,6 +303,8 @@ private slots:
 
     void typeWrapperToVariant();
 
+    void listContainingDeletedObject();
+
 private:
     QQmlEngine engine;
     QStringList defaultImportPathList;
@@ -5100,6 +5102,24 @@ void tst_qqmllanguage::typeWrapperToVariant()
     QVERIFY(target);
 }
 
+void tst_qqmllanguage::listContainingDeletedObject()
+{
+    QQmlEngine engine;
+    auto url = testFileUrl("listContainingDeleted.qml");
+    const QString message = url.toString() + ":24: TypeError: Cannot read property 'enabled' of null";
+    QTest::ignoreMessage(QtMsgType::QtWarningMsg, message.toUtf8().data());
+    QQmlComponent comp(&engine, url);
+    QScopedPointer<QObject> root(comp.create());
+    QVERIFY(root);
+
+    auto cmp = root->property("a").value<QQmlComponent*>();
+    auto o = cmp->create();
+
+    QMetaObject::invokeMethod(root.get(), "doAssign", Q_ARG(QVariant, QVariant::fromValue(o)));
+    delete o;
+    QMetaObject::invokeMethod(root.get(), "use");
+
+}
 QTEST_MAIN(tst_qqmllanguage)
 
 #include "tst_qqmllanguage.moc"
author	Fabian Kosmale <fabian.kosmale@qt.io>	2020-01-10 15:22:20 +0100
committer	Fabian Kosmale <fabian.kosmale@qt.io>	2020-01-28 09:47:56 +0100
commit	03df41fbcdb6e1ae3d0792d5b7806e5335b58794 (patch)
tree	9ac6e33306be9d368f4016aa689d42d67e17bfd6
parent	ddeffeed1d933b6513f18533a9186e9f472da117 (diff)