Details
- Bug
- Resolution: Done
- P1: Critical
- 5.1.0 Beta 1
- 03f0c55799e671d8800ef3727f71162766e103d1
Description
The exact way to reproduce this is a bit obscure:
1) Have a MouseArea with hoverEnabled = true
2) Hover over that mouse area
3) Do something that first sets hoverEnabled = false and then destroys the MouseArea
4) Move the mouse
The below demonstrates the crash:
```qml
import QtQuick 2.1
import QtQuick.Controls 1.0

Item {
    id: root
    Loader {
        id: my_loader
        anchors.fill: parent
        sourceComponent: my_component
    }
    Component {
        id: my_component
        Rectangle {
            id: rect
            color: 'blue'
            MouseArea {
                id: mousearea
                anchors.fill: parent
                hoverEnabled: true
                Button {
                    anchors.centerIn: parent
                    text: 'Click me (then move the mouse)'
                    onClicked: {
                        mousearea.hoverEnabled = false;
                        my_loader.active = false;
                    }
                }
            }
        }
    }
}
```
The underlying cause is that QQuickItemPrivate::derefWindow() only removes the item from the window's hover list when hoverEnabled is set:
```cpp
if ( hoverEnabled )
    c->hoverItems.removeAll(q);
```
Because hoverEnabled was cleared before the item was destroyed, the QQuickMouseArea is never removed from the hoverItems list, and the next mouse move dereferences the freed item (a use-after-free):
```
> Qt5Quickd.dll!QQuickItemPrivate::itemToWindowTransform() Line 2555 + 0x6 bytes C++
  Qt5Quickd.dll!QQuickItemPrivate::windowToItemTransform() Line 2546 + 0x12 bytes C++
  Qt5Quickd.dll!QQuickWindowPrivate::sendHoverEvent(QEvent::Type type, QQuickItem * item, const QPointF & scenePos, const QPointF & lastScenePos, QFlags<enum Qt::KeyboardModifier> modifiers, bool accepted) Line 1351 C++
  Qt5Quickd.dll!QQuickWindowPrivate::clearHover() Line 1135 + 0x2b bytes C++
  Qt5Quickd.dll!QQuickWindow::mouseMoveEvent(QMouseEvent * event) Line 1381 + 0x8 bytes C++
  Qt5Quickd.dll!QQuickView::mouseMoveEvent(QMouseEvent * e) Line 598 C++
  Qt5Guid.dll!QWindow::event(QEvent * ev) Line 1833 C++
```
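To make the lifecycle mismatch concrete, here is an added C++ model of the bug (not Qt's own code): HoverWindow, HoverItem, enterHover and danglingAfterReproducer are assumed stand-ins for QQuickWindowPrivate::hoverItems, the QQuickMouseArea and derefWindow(). The `buggy` flag selects the conditional removal quoted above versus unconditional removal, and the function replays the four reproduction steps and counts the pointers the window still holds afterwards.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

struct HoverItem;

// Stand-in for QQuickWindowPrivate: holds raw (non-owning) pointers to the
// items currently under the cursor, like hoverItems.
struct HoverWindow {
    std::vector<HoverItem*> hoverItems;
};

struct HoverItem {
    HoverWindow* window;
    bool hoverEnabled = true;
    bool removeOnlyIfHoverEnabled;  // true mimics the buggy derefWindow()

    HoverItem(HoverWindow* w, bool buggy) : window(w), removeOnlyIfHoverEnabled(buggy) {}

    // The window registers the item when the cursor enters it.
    void enterHover() { window->hoverItems.push_back(this); }

    // Stand-in for QQuickItemPrivate::derefWindow(): the buggy variant skips
    // the removal once hoverEnabled has been cleared, even though the item
    // was registered while hover was still enabled.
    void derefWindow() {
        if (!removeOnlyIfHoverEnabled || hoverEnabled) {
            auto& v = window->hoverItems;
            v.erase(std::remove(v.begin(), v.end(), this), v.end());
        }
    }

    ~HoverItem() { derefWindow(); }  // destruction detaches from the window
};

// Replays the reproducer and returns how many pointers the window still holds
// after the item is gone. Anything non-zero is a dangling pointer that the
// next mouse move (clearHover -> sendHoverEvent) would dereference.
std::size_t danglingAfterReproducer(bool buggy) {
    HoverWindow window;
    {
        auto item = std::make_unique<HoverItem>(&window, buggy);
        item->enterHover();          // step 2: hover over the MouseArea
        item->hoverEnabled = false;  // step 3: hoverEnabled = false ...
    }                                // ... then the MouseArea is destroyed
    return window.hoverItems.size(); // step 4: what a mouse move would find
}
```

The fix is the same in the model and in Qt: deregister unconditionally, because the condition at destruction time need not match the condition under which the item was registered.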