Prevent premature child destruction

QQmlContextData::emitDestruction suffers from the fact that code can
delete objects while emitDestruction is ongoing. Notably, the sequence
child->emitDestruction can trigger a call to a->destruction (of one of
child's attached components), which then can indirectly delete both
child and child->nextChild (for instance, when a StackView gets
cleared).
We prevent this by using QQmlContextDataRef when iterating over the
children, which keeps the child alive for the duration of the loop.

Fixes: QTBUG-84095
Change-Id: I03a4e817904ba2735e1ffc15d509db95a1a4729e
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit 0c8e51705ac0bb86c4b123ecd30a11b41fd50b24)

1 files changed, 3 insertions, 2 deletions

diff --git a/src/qml/qml/qqmlcontext.cpp b/src/qml/qml/qqmlcontext.cpp
index 3710cee162..d308e85673 100644
--- a/src/qml/qml/qqmlcontext.cpp
+++ b/src/qml/qml/qqmlcontext.cpp
@@ -51,6 +51,7 @@
 #include <qjsengine.h>
 #include <QtCore/qvarlengtharray.h>
 #include <private/qmetaobject_p.h>
+#include <QtQml/private/qqmlcontext_p.h>
 #include <QtCore/qdebug.h>
 
 QT_BEGIN_NAMESPACE
@@ -562,8 +563,8 @@ void QQmlContextData::emitDestruction()
                 emit a->destruction();
             }
 
-            QQmlContextData * child = childContexts;
-            while (child) {
+            QQmlContextDataRef  child = childContexts;
+            while (!child.isNull()) {
                 child->emitDestruction();
                 child = child->nextChild;
             }