From 73a1b230642dd3577563cf8a5ff95223e6b9bd4e Mon Sep 17 00:00:00 2001 From: Fabian Kosmale Date: Wed, 3 Jun 2020 16:32:35 +0200 Subject: Prevent premature child destruction QQmlContextData::emitDestruction suffers from the fact that code can delete objects while emitDestruction is ongoing. Notably, the sequence child->emitDestruction can trigger a call to a->destruction (of one of child's attached components), which then can indirectly delete both child and child->nextChild (for instance, when a StackView gets cleared). We prevent this by using QQmlContextDataRef when iterating over the children, which keeps the child alive for the duration of the loop. Fixes: QTBUG-84095 Change-Id: I03a4e817904ba2735e1ffc15d509db95a1a4729e Reviewed-by: Ulf Hermann (cherry picked from commit 0c8e51705ac0bb86c4b123ecd30a11b41fd50b24) --- src/qml/qml/qqmlcontext.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/qml/qml/qqmlcontext.cpp b/src/qml/qml/qqmlcontext.cpp index 3710cee162..d308e85673 100644 --- a/src/qml/qml/qqmlcontext.cpp +++ b/src/qml/qml/qqmlcontext.cpp @@ -51,6 +51,7 @@ #include #include #include +#include #include QT_BEGIN_NAMESPACE @@ -562,8 +563,8 @@ void QQmlContextData::emitDestruction() emit a->destruction(); } - QQmlContextData * child = childContexts; - while (child) { + QQmlContextDataRef child = childContexts; + while (!child.isNull()) { child->emitDestruction(); child = child->nextChild; } -- cgit v1.2.3 From f23314a639dc628661c21115b74f5be07a890845 Mon Sep 17 00:00:00 2001 From: Antti Kokko Date: Wed, 3 Jun 2020 13:51:21 +0300 Subject: Add changes file for Qt 5.12.9 Change-Id: I49cf28dfc9be5511f16d4675f56c3759867e4981 Reviewed-by: Ulf Hermann --- dist/changes-5.12.9 | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 dist/changes-5.12.9 diff --git a/dist/changes-5.12.9 b/dist/changes-5.12.9 new file mode 100644 index 0000000000..7c705e8fc9 --- /dev/null 
+++ b/dist/changes-5.12.9 
@@ -0,0 +1,46 @@ +Qt 5.12.9 is a bug-fix release. It maintains both forward and backward +compatibility (source and binary) with Qt 5.12.0 through 5.12.8. + +For more details, refer to the online documentation included in this +distribution. The documentation is also available online: + +https://doc.qt.io/qt-5/index.html + +The Qt version 5.12 series is binary compatible with the 5.11.x series. +Applications compiled for 5.11 will continue to run with 5.12. + +Some of the changes listed in this file include issue tracking numbers +corresponding to tasks in the Qt Bug Tracker: + +https://bugreports.qt.io/ + +Each of these identifiers can be entered in the bug tracker to obtain more +information about a particular change. + +**************************************************************************** +* QtQml * +**************************************************************************** + + - [Coverity 175402] Refactored some code so that Coverity and future human + readers can understand it. + - [Coverity 190701] Standardized QV4_SHOW_BYTECODE output for JS classes. + - [Coverity 193545] Fixed a dangling pointer dereference when getting + QML property values from dynamic accessors. + - [QTBUG-81581][QTBUG-83384] Fixed various crashes related to the JavaScript + accumulator register. + - JavaScript's isSafeInteger() covers a sensible range now. Before it + flagged anything greater than 55 as unsafe. + - [QTBUG-84095] Fixed a crash on QML context destruction. + +**************************************************************************** +* QtQuick * +**************************************************************************** + + - [Coverity 218729] If setting a new root item on QQuickView fails, the + old one is no longer deleted. + - [QTBUG-73929][QTBUG-82474] Fixed a crash by releasing resources while + closing a window. 
+ - [QTBUG-40220][QTBUG-83856] Recursive loops caused by items that call + polish() within updatePolish() are now detected and terminated earlier. + - [QTBUG-55879][QTBUG-79339] Fixed QQuickItem::grabToImage() with + QQuickWidget and QQuickRenderControl. -- cgit v1.2.3 From 722caf22ad321166a6a212c74e96b5e7730c2553 Mon Sep 17 00:00:00 2001 From: Fabian Kosmale Date: Mon, 8 Jun 2020 11:52:21 +0200 Subject: Avoid duplicate call to destroy Fixing the lifetime issue in emitDestruction led to a new issue: Setting linkedContext to nullptr before refCount has been incremented and invalidate has run can lead to calling destroy twice on the same pointer, and as a result to a use-after-free crash. Amends 0c8e51705ac0bb86c4b123ecd30a11b41fd50b24 Task-number: QTBUG-84095 Change-Id: Ib2ce76a45977217d0fb0f0e3ce06b24858b90468 Reviewed-by: Ulf Hermann (cherry picked from commit a84537a159e9d3b9b66a9a0d4fdf3b1b9d3168d6) Reviewed-by: Qt Cherry-pick Bot --- src/qml/qml/qqmlcontext.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qml/qml/qqmlcontext.cpp b/src/qml/qml/qqmlcontext.cpp index d308e85673..66ba6fdaf3 100644 --- a/src/qml/qml/qqmlcontext.cpp +++ b/src/qml/qml/qqmlcontext.cpp @@ -626,12 +626,12 @@ void QQmlContextData::clearContext() void QQmlContextData::destroy() { Q_ASSERT(refCount == 0); - linkedContext = nullptr; // avoid recursion ++refCount; if (engine) invalidate(); + linkedContext = nullptr; Q_ASSERT(refCount == 1); clearContext(); -- cgit v1.2.3
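Review bot: In the first hunk of "Prevent premature child destruction", the added `#include` line shows no header name in this rendering, so the diff alone does not confirm where `QQmlContextDataRef` (used in the second hunk) is declared; please verify that the included header is the one that declares `QQmlContextDataRef`, and that a forward declaration is not sufficient, since the loop now calls `isNull()` and `operator->` on it.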
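Review bot: In the `emitDestruction()` hunk, the `QQmlContextDataRef child` only keeps the current child alive across `child->emitDestruction()`; the `nextChild` read afterwards is safe only because a sibling that gets destroyed unlinks itself from `child->nextChild` before it is freed, and the reassignment `child = child->nextChild;` releases the previous ref mid-loop, which can run `destroy()` on that child while iteration continues (the follow-up "Avoid duplicate call to destroy" shows this interplay bit in practice). Add a short comment on the loop stating that the ref is there so a nested `destruction()` handler (e.g. a StackView clear) cannot delete the child under us, and add a regression test reproducing the QTBUG-84095 scenario so the lifetime assumption is enforced rather than implied.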
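Review bot: In the `dist/changes-5.12.9` hunk, the QtQml entry "JavaScript's isSafeInteger() covers a sensible range now. Before it flagged anything greater than 55 as unsafe." is the only entry without a tracker reference, and "greater than 55" reads as if a unit or exponent was lost; please check the wording against the original change before release so readers can tell what range was previously rejected. Also consider making the "[QTBUG-84095] Fixed a crash on QML context destruction." line mention that it concerns child contexts being deleted during `emitDestruction`, matching the fix in this series.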
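Review bot: In the `destroy()` hunk, moving `linkedContext = nullptr;` to after `invalidate()` also drops the `// avoid recursion` comment, and the new position carries no comment at all, even though the ordering is now load-bearing: the commit message explains that clearing `linkedContext` before `++refCount` and `invalidate()` led to `destroy()` being called twice on the same pointer and a use-after-free. Suggest restoring a comment at the new location, e.g. `linkedContext = nullptr; // must come after invalidate(), otherwise destroy() can run twice`, and adding a regression test for the double-destroy path so the ordering cannot be silently reverted.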