-
Bug
-
Resolution: Done
-
P1: Critical
-
6.3, 6.4.0 Beta2, 6.5
-
Linux/X11
-
f7bac60ed8 (qt/qtdeclarative/dev) f7bac60ed8 (qt/tqtc-qtdeclarative/dev) 5374e59dc5 (qt/qtdeclarative/6.3) 5374e59dc5 (qt/tqtc-qtdeclarative/6.3) b40c17487a (qt/tqtc-qtdeclarative/6.2) 0ad96b813e (qt/qtdeclarative/6.4) 5374e59dc5 (qt/qtdeclarative/6.3.2)
I see the heap-use-after-free from LSan when running e.g. tst_basic "StackView::test_requiredProperties". Log is attached.
It does look indeed valid (albeit no clue how it manages to pass - do we do something nasty when deleting UI elements there?)
Some analysis:
When doing pop() on a stack view:
QQuickStackViewPrivate::completeTransition() [1] seems to call first `element->completeTransition(transition);` and then `viewItemTransitionFinished(element);`, where element->completeTransition(transition) also internally calls viewItemTransitionFinished(element), so we call this function twice essentially.
viewItemTransitionFinished() seems to remove the passed element in the case of the aforementioned test, so: it first deletes it and then is called again for the same element -> LSan considers this as heap-use-after-free
- blocks
-
-
- Closed
-
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
QTBUG-99629 Improve safety/debuggability of item change listeners
-
- Open
-
-
-
- Closed
-
| For Gerrit Dashboard: QTBUG-98769 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 421536,2 | QQuickStackView: Avoid use-after-free | dev | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 421714,2 | QQuickStackView: Avoid use-after-free | 6.3 | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 421715,2 | QQuickStackView: Avoid use-after-free | 6.4 | qt/qtdeclarative | Status: MERGED | +2 | 0 |
| 421742,2 | QQuickStackView: Avoid use-after-free | tqtc/lts-6.2 | qt/tqtc-qtdeclarative | Status: MERGED | +2 | 0 |