Fix race condition in QQmlData::createPropertyCache

As noted in QJSEnginePrivate::cache, there can be a race between calling addRef on the QQmlPropertyCache and another thread derefing and consequently deleting it. To avoid this, we introduce a doRef flag in QQmlMetaTypeData::propertyCache, which tells it to ref the the cache. This fixes the issue, as the QQmlMetaTypeDataPtr in propertyCache() acts as a mutex. Fixes: QTBUG-84692 Pick-to: 5.15 Change-Id: I962d28cfd22696aad89a660e41c55f63a8791b44 Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2020-06-04 10:33:47 +0200
committer: Fabian Kosmale <fabian.kosmale@qt.io> 2020-06-05 13:02:29 +0200
commit: 90d24b807373f7b4c10d1a88ffdb5d4ebed08de8 (patch)
tree: 8487cc2f11489a421ae26c8c632d4b6e20dcf5f1 /src/qml/qml/qqmlengine.cpp
parent: 3d1b34e5bfd56d8035fa53ffb14726e6120f3ff0 (diff)
1 files changed, 1 insertions, 3 deletions
diff --git a/src/qml/qml/qqmlengine.cpp b/src/qml/qml/qqmlengine.cpp
index 0692124dfe..1f203fae88 100644
--- a/src/qml/qml/qqmlengine.cpp
+++ b/src/qml/qml/qqmlengine.cpp
@@ -1947,9 +1947,7 @@ QQmlData *QQmlData::createQQmlData(QObjectPrivate *priv)
 QQmlPropertyCache *QQmlData::createPropertyCache(QJSEngine *engine, QObject *object)
 {
     QQmlData *ddata = QQmlData::get(object, /*create*/true);
-    ddata->propertyCache = QJSEnginePrivate::get(engine)->cache(object);
-    if (ddata->propertyCache)
-        ddata->propertyCache->addref();
+    ddata->propertyCache = QJSEnginePrivate::get(engine)->cache(object, QTypeRevision {}, true);
     return ddata->propertyCache;
 }
author	Fabian Kosmale <fabian.kosmale@qt.io>	2020-06-04 10:33:47 +0200
committer	Fabian Kosmale <fabian.kosmale@qt.io>	2020-06-05 13:02:29 +0200
commit	90d24b807373f7b4c10d1a88ffdb5d4ebed08de8 (patch)
tree	8487cc2f11489a421ae26c8c632d4b6e20dcf5f1 /src/qml/qml/qqmlengine.cpp
parent	3d1b34e5bfd56d8035fa53ffb14726e6120f3ff0 (diff)