Details
- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- Versions: 5.15.0, 6.0.1
- Commits:
  - 2cb306c194625626957fcde44bd56473b0436f83 (qt/qtdeclarative/dev)
  - e1ab5c04c731d26af586a927321fe94413b88c89 (qt/qtdeclarative/6.0)
  - 25e26270a1ec0ed838f009d8694f3507af1b0554 (qt/qtdeclarative/6.1)
  - d43b92b0a9 (qt/tqtc-qtdeclarative/5.15-opensource)
Description
If a subclass of QQmlIncubator decides during the call to "setInitialState()" that it no longer wants the object and calls "clear()", QQmlIncubator will crash after returning from "setInitialState()".
Steps to reproduce:
- Download the attached test case. Compile and run.
- Click the button "Load something for nothing.".
As the documentation of QQmlIncubator::clear() does not specify any condition under which it must not be called, one might assume that calling it here is safe. If it is not safe to do so, the function should be documented as such.
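To make the failure mode concrete, here is a constructed C++ model of the pattern described above; it is not Qt's code and not the fix in the linked commits. It puts a driver that calls into an overridable hook and keeps using its cached object without re-checking state beside a driver that re-validates the incubator's own state after the hook returns. The names (Incubator, Object, g_live, incubateNaive, incubateChecked) and the id registry standing in for the allocator are assumptions of the model.

```cpp
#include <string>
#include <unordered_set>
// Constructed model of the QQmlIncubator incubation pattern (not Qt's code).
// A registry of live object ids stands in for the allocator, so a use after
// clear() is reported instead of dereferencing freed memory.
struct Object { unsigned id; std::string name; };
static std::unordered_set<unsigned> g_live;
static unsigned g_next_id = 1;

struct Incubator {
    enum Status { Null, Loading, Ready };
    Status status = Null;
    Object* object = nullptr;
    virtual ~Incubator() { clear(); }
    // Hook that subclasses override; the driver calls it mid-incubation.
    virtual void setInitialState(Object*) {}
    // Abandon the incubation and free the object; nothing in the API forbids
    // calling this from inside setInitialState().
    void clear() {
        if (object) { g_live.erase(object->id); delete object; object = nullptr; }
        status = Null;
    }
};
// Subclass that decides inside the hook that it no longer wants the object.
struct AbandoningIncubator : Incubator {
    void setInitialState(Object*) override { clear(); }
};
Object* newObject() { Object* o = new Object{g_next_id++, "item"}; g_live.insert(o->id); return o; }

enum Outcome { Finalized, Abandoned, UseAfterClear };

// Driver without a re-check: assumes `obj` outlives the call into subclass code.
Outcome incubateNaive(Incubator& inc) {
    inc.status = Incubator::Loading;
    Object* obj = inc.object = newObject();
    unsigned id = obj->id;                       // cached so the check below never touches obj
    inc.setInitialState(obj);                    // may reenter and call clear()
    if (!g_live.count(id)) return UseAfterClear; // real code would touch freed memory here
    inc.status = Incubator::Ready;
    return Finalized;
}
// Hardened driver: re-validates the incubator's own state after the hook returns
// and stops using the object as soon as the status says it is gone.
Outcome incubateChecked(Incubator& inc) {
    inc.status = Incubator::Loading;
    inc.object = newObject();
    inc.setInitialState(inc.object);
    if (inc.status == Incubator::Null || !inc.object) return Abandoned;
    inc.status = Incubator::Ready;
    return Finalized;
}
```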
The stack trace was obtained from Qt 6.0.1, official binary. The verbose stack is attached, but the relevant frames seem to be:
1 QQmlIncubatorPrivate::incubate qqmlincubator.cpp 334 0x7ffff7b068e4
2 QQmlIncubationController::incubateFor qintrusivelist_p.h 216 0x7ffff7b071e6
3 QQuickWindowIncubationController::incubate qquickwindow.cpp 178 0x7fffe8308107
4 QQuickWindowIncubationController::timerEvent qquickwindow.cpp 161 0x7fffe8308107
The relevant commit seems to be this:
https://github.com/qt/qtdeclarative/commit/2f3b4ec528f48747a3b7e91e9a7254c25ce24c99#diff-d91d7ca6d9f70fc8304f503b8dd34b7644ffb7674051f2aa42d7784239ba7d04R332-R337
The problem was first discovered on Debian's distribution of Qt 5.15.2, subsequently confirmed on Qt 5.15.0 and Qt 6.0.1, and verified not to occur on 5.14.2.