QQuickItemView: fix releaseItem() loops

Calling releaseItem() destroys the item, which emits childrenChanged for the contentItem, and if at that point anything calls setFooMargin(), setContentHeight(), returnToBounds(), or many other methods that indirectly access the visibleItems list, it leads to a crash due to read after free. Add a releaseVisibleItems() helper method that makes a copy, clears the original list first, and then releases the items. Task-number: QTBUG-48394 Task-number: QTBUG-61294 Change-Id: I29e4d3870d33549e8bf789de84c67ab1826fca7d Reviewed-by: Robin Burchell <robin.burchell@crimson.no>
author: J-P Nurmi <jpnurmi@qt.io> 2017-06-09 23:36:49 +0200
committer: J-P Nurmi <jpnurmi@qt.io> 2017-06-12 15:32:45 +0000
commit: db6f1440cbe78018e442c1fb961310a4e619e8fe (patch)
tree: d1e88d2f82bd38ee1959bed6a19d0c074d8c05f0 /src/quick/items/qquickitemview_p_p.h
parent: 939f07695b853a4da2e237c5f1c3d50e34f9c45c (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/quick/items/qquickitemview_p_p.h b/src/quick/items/qquickitemview_p_p.h
index 3087682ac7..b6353246e8 100644
--- a/src/quick/items/qquickitemview_p_p.h
+++ b/src/quick/items/qquickitemview_p_p.h
@@ -269,6 +269,15 @@ public:
         q->polish();
     }
 
+    void releaseVisibleItems() {
+        // make a copy and clear the visibleItems first to avoid destroyed
+        // items being accessed during the loop (QTBUG-61294)
+        const QList<FxViewItem *> oldVisible = visibleItems;
+        visibleItems.clear();
+        for (FxViewItem *item : oldVisible)
+            releaseItem(item);
+    }
+
     QPointer<QQmlInstanceModel> model;
     QVariant modelVariant;
     int itemCount;
author	J-P Nurmi <jpnurmi@qt.io>	2017-06-09 23:36:49 +0200
committer	J-P Nurmi <jpnurmi@qt.io>	2017-06-12 15:32:45 +0000
commit	db6f1440cbe78018e442c1fb961310a4e619e8fe (patch)
tree	d1e88d2f82bd38ee1959bed6a19d0c074d8c05f0 /src/quick/items/qquickitemview_p_p.h
parent	939f07695b853a4da2e237c5f1c3d50e34f9c45c (diff)