diff options
author | Mitch Curtis <mitch.curtis@qt.io> | 2019-09-23 13:42:03 +0200 |
---|---|---|
committer | Mitch Curtis <mitch.curtis@qt.io> | 2019-10-14 10:54:01 +0200 |
commit | e6ccc83aced775621c54f2b563462b57d3fe2e01 (patch) | |
tree | 2153351f15e9c8a68e68f67f3122755ba384ab36 /src | |
parent | 9d9ba61a7503047e8417a52e3799f51e76067df8 (diff) |
Fix a crash on exit when using ToolTip in a specific item hierarchy
QQuickPopup connects its parent item's (MouseArea, in this case)
windowChanged() signal to QQuickPopupPrivate::setWindow(). It does this so
that:
1) QQuickOverlay can keep track of all of the popups that it manages.
2) Fonts, palettes and locales can be resolved.
3) If the QQuickPopup component has completed loading and the popup is visible
with a valid window, start the enter transition.
The problem arises only when using a very specific item hierarchy:
Window {
width: 640
height: 480
visible: true
Item {
anchors.fill: parent
Item {
anchors.fill: parent
ColorOverlay {
source: parent
anchors.fill: parent
}
MouseArea {
anchors.fill: parent
hoverEnabled: true
ToolTip.visible: containsMouse
ToolTip.text: "ToolTip text"
}
}
}
}
When the window is closed and hence begins to be destroyed, the following events occur:
- QQuickWindow's destructor is called.
- The window's root item (QQuickRootItem) begins destruction.
- QQuickOverlay is destroyed.
- QQuickWindow's destructor is done, so the QWindow and then QObject
destructors are called.
- The QQuickItem destructor for the outer Item is called.
- The child items of the outer Item have setParentItem(nullptr) called on them,
one of which being the inner Item.
- The inner Item's setParentItem() function calls derefWindow(), which in turn
calls derefWindow() on its children. One of those children is MouseArea.
- Since the MouseArea's window is deref'd, it emits the windowChanged() signal.
MouseArea is the parentItem of the popup, so its windowChanged() signal
causes QQuickPopupPrivate::setWindow() to be called.
- setWindow() tries to remove the popup from the old overlay, which has already
been destroyed.
One approach I tried involved using QQuickOverlay::itemChange() to remove all
of the popups (via setWindow(nullptr), to ensure that their window pointer is
nullified), since that was called much earlier than the windowChanged() signal
is emitted. However, this still resulted in a heap-use-after-free in the same
place when running the newly added setOverlayParentToNull() test.
I also tried removing the popups in QQuickOverlay's destructor, but this
resulted in another heap-use-after-free (when accessing a popup in the
destructor) in tst_QQuickPopup::Universal::visible().
The remaining options were: store the window in a QPointer or return early in
overlay() if the wasDeleted member of the window was true. Using QPointer
seems like it would catch more issues than a single check in overlay(), so I
went with that.
Fixes: QTBUG-73243
Change-Id: Ieb5ce26dd76d45771d28297031ec43e27d958b5b
Reviewed-by: Mitch Curtis <mitch.curtis@qt.io>
(cherry picked from commit 83fbf44b980c4a072ede122f2f16921bfff8c08d)
Reviewed-by: Andy Shaw <andy.shaw@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/quicktemplates2/qquickpopup_p_p.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/quicktemplates2/qquickpopup_p_p.h b/src/quicktemplates2/qquickpopup_p_p.h index e32fdb28..8a85f914 100644 --- a/src/quicktemplates2/qquickpopup_p_p.h +++ b/src/quicktemplates2/qquickpopup_p_p.h @@ -187,7 +187,7 @@ public: QQuickPopup::ClosePolicy closePolicy = DefaultClosePolicy; QQuickItem *parentItem = nullptr; QQuickItem *dimmer = nullptr; - QQuickWindow *window = nullptr; + QPointer<QQuickWindow> window; QQuickTransition *enter = nullptr; QQuickTransition *exit = nullptr; QQuickPopupItem *popupItem = nullptr; |