Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.15.9, 6.3.0 Beta1, 6.3, 6.4.0 Beta1, 5.15, 6.2
-
5.15.2, 6.2.2, 6.3.0 Feature Freeze
-
None
-
Windows
-
720ffaeb60 (qt/qtdeclarative/dev) bfb3f8f71b (qt/qtdeclarative/6.3) 79e3420c0c (qt/qtdeclarative/6.2) 720ffaeb60 (qt/qtdeclarative/wip/iosstyle) 79e3420c0c (qt/tqtc-qtdeclarative/6.2) d54285f9e4 (qt/tqtc-qtquickcontrols2/5.15)
Description
Hi, I have a switch component whose indicator property is set to an image element having anchors hooked on to the parent switch.
indicator: Image{
id:innerImage
anchors.centerIn: parent
source: (control.checked) ? checkedIndicator : uncheckedIndicator
}
With windows debug build I see a crash in the qml engine (while navagiting away from this page) where the QQmlElement<QQuickSwitch> destructor faults while deleting a child object. This is the primary callstack:
With runtime verification enabled, if I dump the deallocation history of the faulting address then it shows the below saved deallocation secondary callstack:
This suggests that the QQmlElement<QQuickSwitch> destructor is trying to double free an already free'd indicator property's image type. I have verified that by commenting out the indicator code the crash does not happen. Wrapping the image inside an Item type also doen't seem to help as the deallocation callstack now show that the offending address was alreday free'd as part of a QQuickItem destruction(see below). Please note that both primary and secondary callstacks are part of the same event loop iteration (endresetModel). The crash does not happen or is masked with Release build.
Attachments
Issue Links
- relates to
-
QTBUG-100396 Ensure we remove listeners when a delegate is destroyed
-
- In Progress
-