From cdaea1696416bb2c6e1c12519c5d9d6b8bec1969 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Wed, 15 Mar 2017 18:58:27 -0700
Subject: Protect better against timer ID replacement

Timer IDs have been reused since Qt 4.5 or thereabouts, so just checking
if the timer ID is in the timer dictionary is an incorrect check: our
timer may have been deleted and replaced by another with the same ID.

Instead of deleting the WinTimerInfo object, let's just mark it as
unregistered by setting timerId to -1 and cooperate in deleting at the
appropriate places. Since unregisterTimer skips deleting if inTimerEvent
is true, the appropriate places are everywhere that set inTimerEvent to
true.

Change-Id: I057e93314e41372ae7a5ff93c467767c8a6d92ea
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Oliver Wolff <oliver.wolff@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
---
 src/corelib/kernel/qeventdispatcher_win.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'src/corelib/kernel')

diff --git a/src/corelib/kernel/qeventdispatcher_win.cpp b/src/corelib/kernel/qeventdispatcher_win.cpp
index 88dbe8e4f7..fd9d41647d 100644
--- a/src/corelib/kernel/qeventdispatcher_win.cpp
+++ b/src/corelib/kernel/qeventdispatcher_win.cpp
@@ -406,7 +406,9 @@ void QEventDispatcherWin32Private::unregisterTimer(WinTimerInfo *t)
     } else if (internalHwnd) {
         KillTimer(internalHwnd, t->timerId);
     }
-    delete t;
+    t->timerId = -1;
+    if (!t->inTimerEvent)
+        delete t;
 }
 
 void QEventDispatcherWin32Private::sendTimerEvent(int timerId)
@@ -423,8 +425,9 @@ void QEventDispatcherWin32Private::sendTimerEvent(int timerId)
         QCoreApplication::sendEvent(t->obj, &e);
 
         // timer could have been removed
-        t = timerDict.value(timerId);
-        if (t) {
+        if (t->timerId == -1) {
+            delete t;
+        } else {
             t->inTimerEvent = false;
         }
     }
@@ -1012,8 +1015,10 @@ bool QEventDispatcherWin32::event(QEvent *e)
             QTimerEvent te(zte->timerId());
             QCoreApplication::sendEvent(t->obj, &te);
 
-            t = d->timerDict.value(zte->timerId());
-            if (t) {
+            // timer could have been removed
+            if (t->timerId == -1) {
+                delete t;
+            } else {
                 if (t->interval == 0 && t->inTimerEvent) {
                     // post the next zero timer event as long as the timer was not restarted
                     QCoreApplication::postEvent(this, new QZeroTimerEvent(zte->timerId()));
-- 
cgit v1.2.3


From 99fc96fd373b6ffdf9a66e4a346885de20645533 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Thu, 9 Mar 2017 13:44:00 +0100
Subject: QMetaType & QVariant: "load" and "save" std::nullptr_t

We don't load and save pointers usually because the pointer value cannot
be guaranteed to remain across program invocations. However, nullptr is
an exception: a null pointer is always a null pointer.

We don't actually have to read or write anything: there's only one value
possible for a std::nullptr_t and it is nullptr.

[ChangeLog][Important Behavior Changes] A QVariant containing a
std::nullptr_t is now streamable to/from QDataStream.

Task-number: QTBUG-59391
Change-Id: Iae839f6a131a4f0784bffffd14aa374f6475d283
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
---
 src/corelib/kernel/qmetatype.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/corelib/kernel')

diff --git a/src/corelib/kernel/qmetatype.cpp b/src/corelib/kernel/qmetatype.cpp
index 232a134718..718c42ba55 100644
--- a/src/corelib/kernel/qmetatype.cpp
+++ b/src/corelib/kernel/qmetatype.cpp
@@ -1255,7 +1255,6 @@ bool QMetaType::save(QDataStream &stream, int type, const void *data)
     case QMetaType::UnknownType:
     case QMetaType::Void:
     case QMetaType::VoidStar:
-    case QMetaType::Nullptr:
     case QMetaType::QObjectStar:
     case QMetaType::QModelIndex:
     case QMetaType::QPersistentModelIndex:
@@ -1264,6 +1263,8 @@ bool QMetaType::save(QDataStream &stream, int type, const void *data)
     case QMetaType::QJsonArray:
     case QMetaType::QJsonDocument:
         return false;
+    case QMetaType::Nullptr:
+        return true;
     case QMetaType::Long:
         stream << qlonglong(*static_cast<const long *>(data));
         break;
@@ -1477,7 +1478,6 @@ bool QMetaType::load(QDataStream &stream, int type, void *data)
     case QMetaType::UnknownType:
     case QMetaType::Void:
     case QMetaType::VoidStar:
-    case QMetaType::Nullptr:
     case QMetaType::QObjectStar:
     case QMetaType::QModelIndex:
     case QMetaType::QPersistentModelIndex:
@@ -1486,6 +1486,8 @@ bool QMetaType::load(QDataStream &stream, int type, void *data)
     case QMetaType::QJsonArray:
     case QMetaType::QJsonDocument:
         return false;
+    case QMetaType::Nullptr:
+        return true;
     case QMetaType::Long: {
         qlonglong l;
         stream >> l;
-- 
cgit v1.2.3