Details
- Bug
- Resolution: Fixed
- P2: Important
- 6.5.2
- 4e41739c5 (dev), d73388596 (6.6), bbd1fcd6f (6.5)
Description
To reproduce, run the attached example.
There are two cases in main.qml (Slider and ComboBox) where it looks like the destructor can access an already destroyed object.
```
==323861== Invalid read of size 8
==323861==    at 0x671E637: load (atomic_base.h:747)
==323861==    by 0x671E637: load (atomic:530)
==323861==    by 0x671E637: loadRelaxed<QObjectPrivate::ConnectionData*> (qatomic_cxx11.h:201)
==323861==    by 0x671E637: loadRelaxed (qbasicatomic.h:190)
==323861==    by 0x671E637: QMetaObjectPrivate::disconnect(QObject const*, int, QMetaObject const*, QObject const*, int, void**, QMetaObjectPrivate::DisconnectType) (qobject.cpp:3582)
==323861==    by 0x671ECC9: QObject::disconnectImpl(QObject const*, void**, QObject const*, void**, QMetaObject const*) (qobject.cpp:5231)
==323861==    by 0x82A4936: disconnect<void (QQuickPopup::*)(), void (QQuickComboBoxPrivate::*)()> (qobject_p.h:339)
==323861==    by 0x82A4936: QQuickComboBox::~QQuickComboBox() (qquickcombobox.cpp:939)
==323861==    by 0x834CA24: ~QQmlElement (qqmlprivate.h:99)
==323861==    by 0x834CA24: QQmlPrivate::QQmlElement<QQuickComboBox>::~QQmlElement() (qqmlprivate.h:99)
==323861==    by 0x581CE77: QQmlObjectCreator::clear() (qqmlobjectcreator.cpp:1475)
==323861==    by 0x57F0C17: QQmlIncubatorPrivate::clear() (qqmlincubator.cpp:139)
==323861==    by 0x57F07B0: QQmlIncubator::clear() (qqmlincubator.cpp:550)
==323861==    by 0x57F0C74: QQmlIncubatorPrivate::clear() (qqmlincubator.cpp:132)
==323861==    by 0x57F07B0: QQmlIncubator::clear() (qqmlincubator.cpp:550)
==323861==    by 0x402564: testIncubation(QQmlIncubationController&) (main.cpp:27)
==323861==    by 0x40265C: main::{lambda()#1}::operator()() const (main.cpp:39)
==323861==    by 0x4029D6: QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, main::{lambda()#1}>::call(main::{lambda()#1}&, void**) (qobjectdefs_impl.h:127)
==323861==  Address 0x211e6078 is 8 bytes inside a block of size 216 free'd
==323861==    at 0x4C3B021: operator delete(void*) (vg_replace_malloc.c:923)
==323861==    by 0x581CE77: QQmlObjectCreator::clear() (qqmlobjectcreator.cpp:1475)
==323861==    by 0x57F0C17: QQmlIncubatorPrivate::clear() (qqmlincubator.cpp:139)
==323861==    by 0x57F07B0: QQmlIncubator::clear() (qqmlincubator.cpp:550)
==323861==    by 0x57F0C74: QQmlIncubatorPrivate::clear() (qqmlincubator.cpp:132)
==323861==    by 0x57F07B0: QQmlIncubator::clear() (qqmlincubator.cpp:550)
==323861==    by 0x402564: testIncubation(QQmlIncubationController&) (main.cpp:27)
==323861==    by 0x40265C: main::{lambda()#1}::operator()() const (main.cpp:39)
==323861==    by 0x4029D6: QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, main::{lambda()#1}>::call(main::{lambda()#1}&, void**) (qobjectdefs_impl.h:127)
==323861==    by 0x4029B7: void QtPrivate::Functor<main::{lambda()#1}, 0>::call<QtPrivate::List<>, void>(main::{lambda()#1}&, void*, void**) (qobjectdefs_impl.h:241)
==323861==    by 0x402985: QtPrivate::QFunctorSlotObject<main::{lambda()#1}, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (qobjectdefs_impl.h:408)
==323861==    by 0x67367A4: call (qobjectdefs_impl.h:363)
==323861==    by 0x67367A4: QSingleShotTimer::timerEvent(QTimerEvent*) (qtimer.cpp:307)
==323861==  Block was alloc'd at
==323861==    at 0x4C388C3: operator new(unsigned long) (vg_replace_malloc.c:422)
==323861==    by 0x586EBA5: create (qqmltype.cpp:478)
==323861==    by 0x586EBA5: QQmlType::create(void**, unsigned long) const (qqmltype.cpp:471)
==323861==    by 0x5823C1F: QQmlObjectCreator::createInstance(int, QObject*, bool) (qqmlobjectcreator.cpp:1186)
==323861==    by 0x58247AA: QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) (qqmlobjectcreator.cpp:184)
==323861==    by 0x5823889: QQmlObjectCreator::createInstance(int, QObject*, bool) (qqmlobjectcreator.cpp:1232)
==323861==    by 0x58259C5: QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) (qqmlobjectcreator.cpp:780)
==323861==    by 0x582758D: QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) (qqmlobjectcreator.cpp:721)
==323861==    by 0x58217CA: QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) (qqmlobjectcreator.cpp:1646)
==323861==    by 0x582358C: QQmlObjectCreator::createInstance(int, QObject*, bool) (qqmlobjectcreator.cpp:1332)
==323861==    by 0x58247AA: QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) (qqmlobjectcreator.cpp:184)
==323861==    by 0x57F1458: QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) (qqmlincubator.cpp:263)
==323861==    by 0x57F215D: QQmlIncubationController::incubateFor(int) (qqmlincubator.cpp:373)
```
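The trace shows the combo box destructor calling disconnect on a popup that QQmlObjectCreator::clear() has already freed. Below is a minimal model of that tear-down order and of the approach named in the fix's title (listen for item destruction and drop the pointer). This is an added example, not Qt code: `Popup`, `DestroyListener`, `ComboBoxUnsafe` and `ComboBoxSafe` are simplified stand-ins, and `itemDestroyed` here only mirrors the idea of the listener hook.

```cpp
#include <algorithm>
#include <vector>

struct Popup;
// Stand-in for a destruction-notification interface (not Qt's).
struct DestroyListener {
    virtual ~DestroyListener() = default;
    virtual void itemDestroyed(Popup *p) = 0;
};
// The popup notifies registered listeners from its destructor, then goes away.
struct Popup {
    std::vector<DestroyListener *> listeners;
    int disconnects = 0;                        // disconnect() calls made while still alive
    void disconnectAll() { ++disconnects; }
    void addListener(DestroyListener *l) { listeners.push_back(l); }
    void removeListener(DestroyListener *l) {
        listeners.erase(std::remove(listeners.begin(), listeners.end(), l), listeners.end());
    }
    ~Popup() { for (auto *l : listeners) l->itemDestroyed(this); }
};
// Before the fix: a raw pointer to a popup owned elsewhere; the destructor
// calls into it unconditionally, which is a use-after-free if the popup died first.
struct ComboBoxUnsafe {
    Popup *popup = nullptr;
    ~ComboBoxUnsafe() { if (popup) popup->disconnectAll(); }
};
// After the fix: register for the destruction notification, clear the pointer
// when it fires, and unregister if the combo box is the one that dies first.
struct ComboBoxSafe : DestroyListener {
    Popup *popup = nullptr;
    void setPopup(Popup *p) { popup = p; p->addListener(this); }
    void itemDestroyed(Popup *) override { popup = nullptr; }
    ~ComboBoxSafe() override {
        if (popup) { popup->removeListener(this); popup->disconnectAll(); }
    }
};
// The order from the report: popup freed before the combo box destructor runs.
bool safeBoxSurvivesPopupDeletedFirst() {
    ComboBoxSafe box;
    auto *popup = new Popup;
    box.setPopup(popup);
    delete popup;                   // plays the role of QQmlObjectCreator::clear() freeing the popup
    return box.popup == nullptr;    // ~ComboBoxSafe will now skip the disconnect instead of dereferencing
}
// The opposite order: the combo box dies first and the popup must not call back into it.
bool popupSurvivesBoxDeletedFirst() {
    Popup popup;
    { ComboBoxSafe box; box.setPopup(&popup); }   // box unregisters and disconnects while popup is alive
    return popup.listeners.empty() && popup.disconnects == 1;
}
```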
Attachments
Issue Links
- is duplicated by QTBUG-116838 QQmlIncubator::clear crashes application when incubated component contains a ScrollBar in the Popup of a ComboBox (Closed)
For Gerrit Dashboard: QTBUG-116828

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 503663,6 | Make sure to listen for itemDestroyed when using QQuickDeferredPointer | dev | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 504389,2 | Make sure to listen for itemDestroyed when using QQuickDeferredPointer | 6.6 | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 504550,3 | Make sure to listen for itemDestroyed when using QQuickDeferredPointer | 6.5 | qt/qtdeclarative | Status: MERGED | +2 | 0 |