Details
-
Bug
-
Resolution: Done
-
P0: Blocker
-
5.9
-
None
-
macos sierra
-
9954187adba4d26a1b1aa93874993f15d6d8a0b9(5.9.0), 7da9fa289068ed742307c6b921442365130e0818(5.9)
Description
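When quitting the controls gallery (in a build with AddressSanitizer enabled), I get the heap-use-after-free report below. Going by its stacks, the read is in QCocoaWindow::menubar(), called from ~QCocoaMenuBar() while QObject deletes the window's children (qwindow.cpp:216), after QWindowPrivate::destroy() had already freed the QCocoaWindow (qwindow.cpp:212):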
=================================================================
==20648==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000322b38 at pc 0x00011719c7de bp 0x7fff5695b550 sp 0x7fff5695b548
READ of size 8 at 0x611000322b38 thread T0
    #0 0x11719c7dd in QtNS::QCocoaWindow::menubar() const qcocoawindow.mm:1971
    #1 0x11721708b in QtNS::QCocoaMenuBar::~QCocoaMenuBar() qcocoamenubar.mm:82
    #2 0x117218ec4 in QtNS::QCocoaMenuBar::~QCocoaMenuBar() qcocoamenubar.mm:67
    #3 0x117218ee8 in QtNS::QCocoaMenuBar::~QCocoaMenuBar() qcocoamenubar.mm:67
    #4 0x11fc6f30c in QtNS::QQuickMenuBar1::setNativeNoNotify(bool) qquickmenubar.cpp:120
    #5 0x11fc6e983 in QtNS::QQuickMenuBar1::~QQuickMenuBar1() qquickmenubar.cpp:79
    #6 0x11fc51f0a in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickMenuBar1>::~QQmlElement() qqmlprivate.h:104
    #7 0x11fc51e64 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickMenuBar1>::~QQmlElement() qqmlprivate.h:102
    #8 0x11fc51e88 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickMenuBar1>::~QQmlElement() qqmlprivate.h:102
    #9 0x1104c4340 in QtNS::QObjectPrivate::deleteChildren() qobject.cpp:1992
    #10 0x1104c37ed in QtNS::QObject::~QObject() qobject.cpp:1022
    #11 0x10c38ca27 in QtNS::QWindow::~QWindow() qwindow.cpp:216
    #12 0x1097de52b in QtNS::QQuickWindow::~QQuickWindow() qquickwindow.cpp:1315
    #13 0x109b0fc3e in QtNS::QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63
    #14 0x109b16616 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:104
    #15 0x109b16464 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
    #16 0x109b16488 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
    #17 0x10e8c47ee in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*>::const_iterator>(QtNS::QList<QtNS::QObject*>::const_iterator, QtNS::QList<QtNS::QObject*>::const_iterator) qalgorithms.h:320
    #18 0x10e8bfe39 in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*> >(QtNS::QList<QtNS::QObject*> const&) qalgorithms.h:328
    #19 0x10e8bfbfc in QtNS::QQmlApplicationEnginePrivate::cleanUp() qqmlapplicationengine.cpp:64
    #20 0x10e8c3694 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:245
    #21 0x10e8c36c4 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:242
    #22 0x1092a7faa in main main.cpp:68
    #23 0x7fffa6552234 in start (libdyld.dylib+0x5234)

0x611000322b38 is located 120 bytes inside of 232-byte region [0x611000322ac0,0x611000322ba8)
freed by thread T0 here:
    #0 0x11127abbb in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib+0x57bbb)
    #1 0x11717a551 in QtNS::QCocoaWindow::~QCocoaWindow() qcocoawindow.mm:505
    #2 0x11717a578 in non-virtual thunk to QtNS::QCocoaWindow::~QCocoaWindow() qcocoawindow.mm:504
    #3 0x10c38d1db in QtNS::QWindowPrivate::destroy() qwindow.cpp:1832
    #4 0x10c38c91d in QtNS::QWindow::~QWindow() qwindow.cpp:212
    #5 0x1097de52b in QtNS::QQuickWindow::~QQuickWindow() qquickwindow.cpp:1315
    #6 0x109b0fc3e in QtNS::QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63
    #7 0x109b16616 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:104
    #8 0x109b16464 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
    #9 0x109b16488 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
    #10 0x10e8c47ee in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*>::const_iterator>(QtNS::QList<QtNS::QObject*>::const_iterator, QtNS::QList<QtNS::QObject*>::const_iterator) qalgorithms.h:320
    #11 0x10e8bfe39 in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*> >(QtNS::QList<QtNS::QObject*> const&) qalgorithms.h:328
    #12 0x10e8bfbfc in QtNS::QQmlApplicationEnginePrivate::cleanUp() qqmlapplicationengine.cpp:64
    #13 0x10e8c3694 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:245
    #14 0x10e8c36c4 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:242
    #15 0x1092a7faa in main main.cpp:68
    #16 0x7fffa6552234 in start (libdyld.dylib+0x5234)

previously allocated by thread T0 here:
    #0 0x11127a5fb in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib+0x575fb)
    #1 0x11714e58b in QtNS::QCocoaIntegration::createPlatformWindow(QtNS::QWindow*) const qcocoaintegration.mm:534
    #2 0x10c390dd6 in QtNS::QWindowPrivate::create(bool, unsigned long long) qwindow.cpp:438
    #3 0x10c3913a7 in QtNS::QWindow::create() qwindow.cpp:619
    #4 0x11721b3ce in QtNS::QCocoaMenuBar::handleReparent(QtNS::QWindow*) qcocoamenubar.mm:230
    #5 0x11fc70146 in QtNS::QQuickMenuBar1::setParentWindow(QtNS::QQuickWindow*) qquickmenubar.cpp:138
    #6 0x11fd09ce7 in QtNS::QQuickMenuBar1::qt_static_metacall(QtNS::QObject*, QtNS::QMetaObject::Call, int, void**) moc_qquickmenubar_p.cpp:161
    #7 0x11fd0a1bc in QtNS::QQuickMenuBar1::qt_metacall(QtNS::QMetaObject::Call, int, void**) moc_qquickmenubar_p.cpp:206
    #8 0x10e6551cd in QtNS::QQmlVMEMetaObject::metaCall(QtNS::QObject*, QtNS::QMetaObject::Call, int, void**) qqmlvmemetaobject.cpp:976
    #9 0x110408650 in QtNS::QMetaObject::metacall(QtNS::QObject*, QtNS::QMetaObject::Call, int, void**) qmetaobject.cpp:299
    #10 0x10e6c245d in QtNS::QQmlPropertyData::writeProperty(QtNS::QObject*, void*, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) const qqmlpropertycache_p.h:324
    #11 0x10e6bf7d8 in QtNS::QQmlPropertyPrivate::write(QtNS::QObject*, QtNS::QQmlPropertyData const&, QtNS::QVariant const&, QtNS::QQmlContextData*, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1208
    #12 0x10e6be2a3 in QtNS::QQmlPropertyPrivate::writeValueProperty(QtNS::QObject*, QtNS::QQmlPropertyData const&, QtNS::QQmlPropertyData const&, QtNS::QVariant const&, QtNS::QQmlContextData*, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1164
    #13 0x10e6bdbb2 in QtNS::QQmlPropertyPrivate::writeValueProperty(QtNS::QVariant const&, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1143
    #14 0x10e6c2e02 in QtNS::QQmlPropertyPrivate::write(QtNS::QQmlProperty const&, QtNS::QVariant const&, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1492
    #15 0x10e6c2a3d in QtNS::QQmlProperty::write(QtNS::QVariant const&) const qqmlproperty.cpp:1408
    #16 0x10e98df5c in QtNS::QQmlBind::eval() qqmlbind.cpp:385
    #17 0x10e98f210 in QtNS::QQmlBind::componentComplete() qqmlbind.cpp:346
    #18 0x10e98f298 in non-virtual thunk to QtNS::QQmlBind::componentComplete() qqmlbind.cpp:338
    #19 0x10e8f4b8f in QtNS::QQmlObjectCreator::finalize(QtNS::QQmlInstantiationInterrupt&) qqmlobjectcreator.cpp:1236
    #20 0x10e6ce33a in QtNS::QQmlComponentPrivate::complete(QtNS::QQmlEnginePrivate*, QtNS::QQmlComponentPrivate::ConstructionState*) qqmlcomponent.cpp:900
    #21 0x10e6c97ce in QtNS::QQmlComponentPrivate::completeCreate() qqmlcomponent.cpp:936
    #22 0x10e6ce611 in QtNS::QQmlComponent::completeCreate() qqmlcomponent.cpp:929
    #23 0x10e6ccd89 in QtNS::QQmlComponent::create(QtNS::QQmlContext*) qqmlcomponent.cpp:769
    #24 0x10e8c1ddc in QtNS::QQmlApplicationEnginePrivate::finishLoad(QtNS::QQmlComponent*) qqmlapplicationengine.cpp:134
    #25 0x10e8c179d in QtNS::QQmlApplicationEnginePrivate::startLoad(QtNS::QUrl const&, QtNS::QByteArray const&, bool) qqmlapplicationengine.cpp:118
    #26 0x10e8c2eb2 in QtNS::QQmlApplicationEngine::load(QtNS::QUrl const&) qqmlapplicationengine.cpp:259
    #27 0x10e8c2f64 in QtNS::QQmlApplicationEngine::QQmlApplicationEngine(QtNS::QUrl const&, QtNS::QObject*) qqmlapplicationengine.cpp:222
    #28 0x1092a7f23 in main main.cpp:64
    #29 0x7fffa6552234 in start (libdyld.dylib+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free qcocoawindow.mm:1971 in QtNS::QCocoaWindow::menubar() const
Shadow bytes around the buggy address:
  0x1c2200064510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200064520: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2200064530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200064540: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x1c2200064550: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c2200064560: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x1c2200064570: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x1c2200064580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200064590: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x1c22000645a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c22000645b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20648==ABORTING