QNotifiedProperty: avoid crash

We can end up in a situation where a (soon to be destroyed) observer is owned by a binding which is about to be deleted. If in that situation the binding is destroyed first, we end up with a dangling pointer and ensuing memory corruption. Instead, we now first transfer the ownership of the observer and only destroy the binding afterwards. Fixes: QTBUG-85824 Change-Id: I721c0319281ada981ae7896bd2e02e9a0cc901b8 Reviewed-by: Lars Knoll <lars.knoll@qt.io>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2020-07-21 11:34:44 +0200
committer: Lars Knoll <lars.knoll@qt.io> 2020-08-04 11:28:33 +0000
commit: 652062dde33ddb0ecaf4bb9f38055d8ab87c462b (patch)
tree: 17a3ebf808541096fa67e537214304e74d91c21b /src/corelib
parent: 2b0db5593916680f3eee34c4b4dd2de16c5736a2 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/corelib/kernel/qproperty.cpp b/src/corelib/kernel/qproperty.cpp
index 3bac73909a..cbb2954a98 100644
--- a/src/corelib/kernel/qproperty.cpp
+++ b/src/corelib/kernel/qproperty.cpp
@@ -338,10 +338,10 @@ void QPropertyBase::removeBinding()
 
     if (auto *existingBinding = d.bindingPtr()) {
         auto observer = existingBinding->takeObservers();
-        existingBinding->unlinkAndDeref();
         d_ptr &= ExtraBit;
         if (observer)
             d.setObservers(observer.ptr);
+        existingBinding->unlinkAndDeref();
     }
 }
author	Fabian Kosmale <fabian.kosmale@qt.io>	2020-07-21 11:34:44 +0200
committer	Lars Knoll <lars.knoll@qt.io>	2020-08-04 11:28:33 +0000
commit	652062dde33ddb0ecaf4bb9f38055d8ab87c462b (patch)
tree	17a3ebf808541096fa67e537214304e74d91c21b /src/corelib
parent	2b0db5593916680f3eee34c4b4dd2de16c5736a2 (diff)