Priority: P1: Critical
Affects Version/s: 5.15.0, 6.0.1
Commits: 2cb306c194625626957fcde44bd56473b0436f83 (qt/qtdeclarative/dev), e1ab5c04c731d26af586a927321fe94413b88c89 (qt/qtdeclarative/6.0), 25e26270a1ec0ed838f009d8694f3507af1b0554 (qt/qtdeclarative/6.1), d43b92b0a9 (qt/tqtc-qtdeclarative/5.15-opensource)
If a subclass of QQmlIncubator decides that it doesn't want this object anymore during the call to setInitialState() and calls clear(), QQmlIncubator will crash after returning from setInitialState().
Steps to reproduce:
- Download the attached test case. Compile and run.
- Click the button "Load something for nothing.".
As QQmlIncubator::clear()'s documentation doesn't specify any condition under which it should not be called, one might assume that it's safe to do so. If it's otherwise not safe to do so, the function should be documented as such.
The stack trace was obtained from Qt 6.0.1, official binary. The verbose stack is attached, but the relevant frames seem to be:
The relevant commit seems to be this:
The problem was first discovered on Debian's distribution of Qt 5.15.2, before subsequently being confirmed on Qt 5.15.0 and Qt 6.0.1, and verified not to happen on 5.14.2.
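As an added illustration (not from the report, its attached test case, or Qt's own sources), the self-contained C++ model below shows the hazard the report describes: a virtual hook that lets a subclass tear down the very state its caller goes on to use, beside a caller that re-checks its own state after the hook returns. The class and method names (Incubator, setInitialState(), clear()) borrow from QQmlIncubator only for readability; the guard shown is a generic re-entrancy check and is not a claim about what the Qt commits above actually changed.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Toy model of the re-entrancy hazard in the report; this is not
// QQmlIncubator's code. The Qt-like names are a labeling convenience.
class Incubator {
public:
    enum Status { Null, Loading, Ready };
    virtual ~Incubator() = default;

    // Hook a subclass overrides to adjust the freshly created object.
    virtual void setInitialState(std::string* object) = 0;

    // Abandon the incubation: drop the object and reset the status.
    // Nothing here says it must not be called from inside the hook.
    void clear() {
        object_.reset();
        status_ = Null;
    }

    Status status() const { return status_; }
    bool hasObject() const { return object_ != nullptr; }

    // Unsafe driver: assumes the object still exists once the hook returns.
    // If the hook called clear(), the object is already gone; real code that
    // uses it at this point crashes. This model stops short of the
    // dereference and returns the (now null) pointer so the inconsistent
    // state is observable: status reads Ready while no object exists.
    const std::string* incubateUnsafe() {
        start();
        setInitialState(object_.get());
        status_ = Ready;           // overwrites the Null that clear() set
        return object_.get();      // nullptr if the subclass cleared
    }

    // Guarded driver: re-checks its own state after the hook and stops if
    // the subclass abandoned the incubation inside it.
    const std::string* incubateGuarded() {
        start();
        setInitialState(object_.get());
        if (status_ == Null || !object_)   // clear() ran inside the hook
            return nullptr;
        object_->append(" (initialised)");
        status_ = Ready;
        return object_.get();
    }

private:
    void start() {
        status_ = Loading;
        object_ = std::make_unique<std::string>("item");
    }
    std::unique_ptr<std::string> object_;
    Status status_ = Null;
};

// Subclass that decides during the hook that it no longer wants the object.
class AbandoningIncubator : public Incubator {
public:
    void setInitialState(std::string*) override { clear(); }
};

// Subclass that keeps the object and only configures it.
class KeepingIncubator : public Incubator {
public:
    void setInitialState(std::string* object) override {
        object->assign("configured item");
    }
};

int main() {
    AbandoningIncubator a;
    const std::string* p = a.incubateUnsafe();
    std::cout << "unsafe:  status=" << a.status()
              << " object=" << (p ? "present" : "null") << '\n';

    AbandoningIncubator b;
    std::cout << "guarded: " << (b.incubateGuarded() ? "continued" : "stopped")
              << " status=" << b.status() << '\n';

    KeepingIncubator k;
    std::cout << "keeping: " << *k.incubateGuarded() << '\n';
    return 0;
}
```

The unsafe path ends with status Ready and no object, which is the state a later dereference turns into the crash the report observed; the guarded path notices that clear() ran and returns before touching the object.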
|For Gerrit Dashboard: QTBUG-91519|
|Change|Subject|Branch|Project|Status|CR|V|
|337369,3|QQmlIncubator: handle clear inside setinitialState|dev|qt/qtdeclarative|MERGED|+2|0|
|337567,2|QQmlIncubator: handle clear inside setinitialState|6.0|qt/qtdeclarative|MERGED|+2|0|
|337568,2|QQmlIncubator: handle clear inside setinitialState|6.1|qt/qtdeclarative|MERGED|+2|0|
|337569,2|QQmlIncubator: handle clear inside setinitialState|tqtc/lts-5.15|qt/tqtc-qtdeclarative|MERGED|+2|0|