Fix race condition in QQmlData::createPropertyCache

As noted in QJSEnginePrivate::cache, there can be a race  between
calling addRef on the QQmlPropertyCache and another thread derefing and
consequently deleting it. To avoid this, we introduce a doRef flag in
QQmlMetaTypeData::propertyCache, which tells it to ref the the cache.
This fixes the issue, as the QQmlMetaTypeDataPtr in propertyCache() acts
as a mutex.

Fixes: QTBUG-84692
Change-Id: I962d28cfd22696aad89a660e41c55f63a8791b44
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit 90d24b807373f7b4c10d1a88ffdb5d4ebed08de8)

1 files changed, 23 insertions, 0 deletions

diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 26737e79c4..3b7d74df63 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -78,6 +78,7 @@ private slots:
     void newDate();
     void jsParseDate();
     void newQObject();
+    void newQObjectRace();
     void newQObject_ownership();
     void newQObject_deletedEngine();
     void newQObjectPropertyCache();
@@ -784,6 +785,28 @@ void tst_QJSEngine::newQObject()
     }
 }
 
+void tst_QJSEngine::newQObjectRace()
+{
+    class Thread : public QThread
+    {
+        void run() override
+        {
+            for (int i=0;i<100;++i)
+            {
+                QJSEngine e;
+                auto obj = e.newQObject(new QObject);
+            }
+        }
+    };
+
+
+    Thread threads[8];
+    for (auto& t : threads)
+        t.start(); // should not crash
+    for (auto& t : threads)
+        t.wait();
+}
+
 void tst_QJSEngine::newQObject_ownership()
 {
     QJSEngine eng;