From: Albert Astals Cid <albert.astals@canonical.com>
Date: Tue, 30 Apr 2013 21:03:03 +0000 (-0700)
Subject: Fix crash in QQmlDelegateModel
X-Git-Tag: upstream/5.2.1~798^2~88
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9d6cd72353e4862592c016951810abf9a7ab8079;p=platform%2Fupstream%2Fqtdeclarative.git

Fix crash in QQmlDelegateModel

It can happen that when the QQmlDelegateModel goes away some of the
QQmlDelegateModelItem from d->m_cache are still incubating, this
means that isReferenced() will return true and we will not delete them.

This also means that when these QQDMIncubationTask finish they may end
up calling QQDMIncubationTask::statusChanged which will try to access
the delegate model that is already gone.

This commit makes sure we set vdm to 0 in these orphaned
QQDMIncubationTask so  in QQDMIncubationTask::statusChanged we know
no one cares about us anymore and don't reference the already gone
delegate model

Task-number:  QTBUG-30928

Change-Id: Ief6176cec151d861dad09ca2498ca27e17ee6385
Reviewed-by: Andrew den Exter <andrew.den.exter@qinetic.com.au>
---

diff --git a/src/qml/types/qqmldelegatemodel.cpp b/src/qml/types/qqmldelegatemodel.cpp
index 16572c4..5e36be1 100644
--- a/src/qml/types/qqmldelegatemodel.cpp
+++ b/src/qml/types/qqmldelegatemodel.cpp
@@ -230,6 +230,8 @@ QQmlDelegateModel::~QQmlDelegateModel()
         cacheItem->objectRef = 0;
         if (!cacheItem->isReferenced())
             delete cacheItem;
+        else if (cacheItem->incubationTask)
+            cacheItem->incubationTask->vdm = 0;
     }
 }
 
@@ -780,7 +782,21 @@ void QQmlDelegateModelPrivate::emitDestroyingPackage(QQuickPackage *package)
 
 void QQDMIncubationTask::statusChanged(Status status)
 {
-    vdm->incubatorStatusChanged(this, status);
+    if (vdm) {
+        vdm->incubatorStatusChanged(this, status);
+    } else if (status == QQmlIncubator::Ready || status == QQmlIncubator::Error) {
+        Q_ASSERT(incubating);
+        // The model was deleted from under our feet, cleanup ourselves
+        if (incubating->object) {
+            delete incubating->object;
+
+            incubating->object = 0;
+            incubating->contextData->destroy();
+            incubating->contextData = 0;
+        }
+        incubating->scriptRef = 0;
+        incubating->deleteLater();
+    }
 }
 
 void QQmlDelegateModelPrivate::releaseIncubator(QQDMIncubationTask *incubationTask)
@@ -1766,8 +1782,12 @@ QQmlDelegateModelItem::~QQmlDelegateModelItem()
     Q_ASSERT(objectRef == 0);
     Q_ASSERT(!object);
 
-    if (incubationTask && metaType->model)
-        QQmlDelegateModelPrivate::get(metaType->model)->releaseIncubator(incubationTask);
+    if (incubationTask) {
+        if (metaType->model)
+            QQmlDelegateModelPrivate::get(metaType->model)->releaseIncubator(incubationTask);
+        else
+            delete incubationTask;
+    }
 
     metaType->release();