authorEvgeniy A. Dushistov <dushistov@mail.ru>2020-08-20 00:33:18 +0300
committerEvgeniy A. Dushistov <dushistov@mail.ru>2020-08-20 17:35:02 +0300
commit68199cec0e47ff15e8e9b2708441e46cc7c48b84 (patch)
tree3abc4eed0dd75e04c4f6101ae8cbc5cc453a6f13
parent353fb2226b1a48252ff6e43d404c725f9936e0cf (diff)
QQmlObjectCreator: fix member func call with this == nullptr
The test example is based on qtvirtualkeyboard/src/virtualkeyboard/content/components/PopupList.qml. Luckily ((QQmlPropertyCache *)nullptr)->property(-1) happens to return without dereferencing `this`, so this was not caught before. But it is undefined behaviour, and it also prevents running Qt and my application compiled with -fsanitize=X, because they crash at the first member function call with nullptr as `this`. Pick-to: 5.15 Fixes: QTBUG-85605 Change-Id: If6a71fde9a14cc4f73139dfa0e6ee3005453104d Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
-rw-r--r--src/qml/qml/qqmlobjectcreator.cpp2
-rw-r--r--tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml10
-rw-r--r--tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp10
3 files changed, 21 insertions, 1 deletions
diff --git a/src/qml/qml/qqmlobjectcreator.cpp b/src/qml/qml/qqmlobjectcreator.cpp
index abd7c1f068..1c8f2b2091 100644
--- a/src/qml/qml/qqmlobjectcreator.cpp
+++ b/src/qml/qml/qqmlobjectcreator.cpp
@@ -1566,7 +1566,7 @@ bool QQmlObjectCreator::populateInstance(int index, QObject *instance, QObject *
if (!target)
continue;
QQmlData *targetDData = QQmlData::get(target, /*create*/false);
- if (!targetDData)
+ if (targetDData == nullptr || targetDData->propertyCache == nullptr)
continue;
int coreIndex = QQmlPropertyIndex::fromEncoded(alias->encodedMetaPropertyIndex).coreIndex();
QQmlPropertyData *const targetProperty = targetDData->propertyCache->property(coreIndex);
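Review bot: The new guard `if (targetDData == nullptr || targetDData->propertyCache == nullptr)` silently skips the alias without recording why a target object can legitimately have no property cache, which is the non-obvious part of this fix; a one-line comment would help the next reader, e.g. `// The alias target may have no property cache (e.g. a Component, see QTBUG-85605); nothing to resolve in that case.` That it is specifically Component targets is inferred from the new test fixture, so confirm the wording. Note also that `property(coreIndex)` on the following line can presumably still return nullptr; how that is handled is outside the hunk, as populateInstance both begins before and continues beyond it.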
diff --git a/tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml b/tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml
new file mode 100644
index 0000000000..052893936a
--- /dev/null
+++ b/tests/auto/qml/qqmllanguage/data/NullPointerPropertyCache.qml
@@ -0,0 +1,10 @@
+import QtQuick 2.0
+
+ListView {
+ property alias defaultHighlight: defaultHighlight
+
+ Component {
+ id: defaultHighlight
+ Item {}
+ }
+}
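Review bot: The fixture gives no hint which scenario it guards, so a later cleanup could simplify it into something that no longer reproduces the bug; add a header comment such as `// Regression test for QTBUG-85605: an alias to a Component target (no property cache) must load without crashing`. That the Component is the object lacking a property cache is inferred from the commit message rather than visible here, so verify the wording before landing it.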
diff --git a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
index a902ca0f7d..187243fbbd 100644
--- a/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
+++ b/tests/auto/qml/qqmllanguage/tst_qqmllanguage.cpp
@@ -329,6 +329,7 @@ private slots:
void arrayToContainer();
void qualifiedScopeInCustomParser();
+ void accessNullPointerPropertyCache();
private:
QQmlEngine engine;
@@ -5785,6 +5786,15 @@ void tst_qqmllanguage::qualifiedScopeInCustomParser()
QVERIFY(!obj.isNull());
}
+void tst_qqmllanguage::accessNullPointerPropertyCache()
+{
+ QQmlEngine engine;
+ QQmlComponent c(&engine, testFileUrl("NullPointerPropertyCache.qml"));
+ QVERIFY(c.isReady());
+ QScopedPointer<QObject> obj(c.create());
+ QVERIFY(!obj.isNull());
+}
+
QTEST_MAIN(tst_qqmllanguage)
#include "tst_qqmllanguage.moc"
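Review bot: `QVERIFY(c.isReady());` in accessNullPointerPropertyCache gives no diagnostic when the component fails to load; `QVERIFY2(c.isReady(), qPrintable(c.errorString()));` prints the QML errors on failure and is what makes a future regression actionable. The local `QQmlEngine engine;` also shadows the fixture's `engine` member declared in the private section above, which neighbouring tests presumably reuse; dropping the local in favour of the member would match them, unless a fresh engine is intentionally needed here, in which case a short comment saying so would avoid the question. Since the change is picked to 5.15, the stronger check is worth having on the stable branch as well.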