From 3a77bbe68b087890fe966035eeb12b917b087c15 Mon Sep 17 00:00:00 2001 From: Berthold Krevert Date: Wed, 6 Jun 2012 13:52:29 +0200 Subject: Fix: Widgets that become top-level widgets may crash the application You can reproduce the bug with the QMainWindow demo application: Just dock the toolbar on the left side, then try to drag the bar back to the top and observe that the application crashes. This happens, because the toolbar becomes a top-level widget during the dragging action and therefore some data structures like a window are created. After the toolbar has been docked, it loses its top-level state and the window object is destroyed. The same is not true for the backing store structure, which still keeps a pointer to the destroyed window. When the toolbar is dragged the next time, a new window object is created, but the backing store tries to access the deleted one. Crash occurs. Change-Id: I0d1ffc04c19ec14654ceb62a0d3cf7cf65cb952d Reviewed-by: Girish Ramakrishnan
---
 src/widgets/kernel/qwidget.cpp | 3 +--
 src/widgets/kernel/qwidget_qpa.cpp | 6 +++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/widgets/kernel/qwidget.cpp b/src/widgets/kernel/qwidget.cpp
index cd777208f2..bf21503f6e 100644
--- a/src/widgets/kernel/qwidget.cpp
+++ b/src/widgets/kernel/qwidget.cpp
@@ -1601,9 +1601,8 @@ void QWidgetPrivate::deleteExtra()
 #endif
 if (extra->topextra) {
 deleteTLSysExtra();
- extra->topextra->backingStoreTracker.destroy();
+ // extra->topextra->backingStore destroyed in QWidgetPrivate::deleteTLSysExtra()
 delete extra->topextra->icon;
- delete extra->topextra->backingStore;
 delete extra->topextra;
 }
 delete extra;
diff --git a/src/widgets/kernel/qwidget_qpa.cpp b/src/widgets/kernel/qwidget_qpa.cpp
index a7dd6bf01c..04bf0be27f 100644
--- a/src/widgets/kernel/qwidget_qpa.cpp
+++ b/src/widgets/kernel/qwidget_qpa.cpp
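Review bot: The replacement comment in QWidgetPrivate::deleteExtra() (qwidget.cpp) names only backingStore, although the same hunk also drops the `backingStoreTracker.destroy()` call, so a reader of this function cannot tell that both teardown steps now happen elsewhere. I would word it as `// backingStoreTracker and backingStore are destroyed and set to 0 in deleteTLSysExtra(); do not free them again here`, which also warns against re-adding a delete that would double-free if the callee's null assignment ever changed. The cleanup now depends entirely on deleteTLSysExtra(); if any implementation other than the one in qwidget_qpa.cpp exists, it would leak the backing store, which this diff does not show. deleteExtra() starts and ends outside the hunk.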
@@ -914,9 +914,13 @@ void QWidgetPrivate::deleteTLSysExtra() extra->topextra->window->destroy(); } setWinId(0); - //hmmm. should we delete window.. delete extra->topextra->window; extra->topextra->window = 0; + + extra->topextra->backingStoreTracker.destroy(); + delete extra->topextra->backingStore; + extra->topextra->backingStore = 0; + } } -- cgit v1.2.3
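Review bot: The backing store is torn down after `delete extra->topextra->window;`, so if `backingStoreTracker.destroy()` or the QBackingStore destructor touches the window it was created for, it does so on freed memory. That would be the same stale-pointer access the commit message describes, only moved into the teardown path. Neither destructor is visible in this diff, so this is a hedge, but the order can be made safe regardless: move the three added statements ahead of `delete extra->topextra->window;` and add a comment such as `// the backing store may still reference the window, so destroy it first`. The opening guard of deleteTLSysExtra() is outside the hunk, so I cannot confirm here that `extra->topextra` is checked before these dereferences.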