Summary: Trying to delete QTextEdit with Sonnet::SpellCheckDecorator attached results in memory corruption
Product: [Frameworks and Libraries] frameworks-sonnet
Reporter: nikolayrovinskiy168
Component: general
Assignee: Martin Sandsmark <martin.sandsmark>
Status: ASSIGNED
Severity: normal
CC: espen, kdelibs-bugs-null
Priority: NOR
Version First Reported In: 5.116.0
Target Milestone: ---
Platform: Other
OS: Other
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Attachments: The archive with full demo.

Created attachment 173160
The archive with full demo.

SUMMARY
Trying to delete QTextEdit with Sonnet::SpellCheckDecorator attached results in memory corruption (for an example, please see the attached demo).

STEPS TO REPRODUCE
1. Create a QWidget which contains a QTextEdit with SpellCheckDecorator and a QPushButton which calls `delete txtTarget`
2. Build and launch the application with the -fsanitize=address flag.

OBSERVED RESULT
On Qt 5.116.0
- Without -fsanitize=address: The application will remove the text box; however, it will eventually fail in an unexpected place, because the memory was corrupted.
- With -fsanitize=address: The application will fail while deleting QTextEdit, because QTextEdit will try to remove dependent components, one of which is the SpellCheckDecorator instance, whose destructor, in turn, will call m_plainTextEdit->removeEventFilter(q). But the m_plainTextEdit was already destroyed at this time and cannot be read.

On Qt 6.5.0
- Without -fsanitize=address: error while calling malloc
- With -fsanitize=address: expected behavior.

EXPECTED RESULT
The text box should be removed without error.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:
KDE Plasma Version: 6.1.4
KDE Frameworks Version: 6.5.0
Qt Version: 5.116.0 and 6.5.0

ADDITIONAL INFORMATION
The error may be mitigated by calling

    delete sonnet_instance
    // Before calling delete txtTarget
    // See the commented code in
    // void MyWindow::deleteClicked() method

The error:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8141==ERROR: AddressSanitizer: SEGV on unknown address 0x000000007bce (pc 0x7f62d54e8ff0 bp 0x7ffdd7e67e50 sp 0x7ffdd7e67e30 T0)
==8141==The signal is caused by a READ memory access.
    #0 0x7f62d54e8ff0 in QObject::removeEventFilter(QObject*) (/lib64/libQt5Core.so.5+0x2e8ff0) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #1 0x7f62d6f0e53e in Sonnet::SpellCheckDecorator::~SpellCheckDecorator() (/lib64/libKF5SonnetUi.so.5+0x1d53e) (BuildId: af8eca413a253133aec773e1002b979a12a95e5f)
    #2 0x7f62d6f0e574 in Sonnet::SpellCheckDecorator::~SpellCheckDecorator() (/lib64/libKF5SonnetUi.so.5+0x1d574) (BuildId: af8eca413a253133aec773e1002b979a12a95e5f)
    #3 0x7f62d54e0435 in QObjectPrivate::deleteChildren() (/lib64/libQt5Core.so.5+0x2e0435) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #4 0x7f62d61ccad1 in QWidget::~QWidget() (/lib64/libQt5Widgets.so.5+0x1ccad1) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #5 0x7f62d636f554 in QTextEdit::~QTextEdit() (/lib64/libQt5Widgets.so.5+0x36f554) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #6 0x403ef4 in MyWindow::deleteClicked() (/home/user/eclipse-workspace/QtSpellCheck/build/default/QtSpellCheck+0x403ef4) (BuildId: 8277ed9c61963add82b468c7495f7e52f07f96ee)
    #7 0x404abe in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (MyWindow::*)()>::call(void (MyWindow::*)(), MyWindow*, void**) (/home/user/eclipse-workspace/QtSpellCheck/build/default/QtSpellCheck+0x404abe) (BuildId: 8277ed9c61963add82b468c7495f7e52f07f96ee)
    #8 0x4048da in void QtPrivate::FunctionPointer<void (MyWindow::*)()>::call<QtPrivate::List<>, void>(void (MyWindow::*)(), MyWindow*, void**) (/home/user/eclipse-workspace/QtSpellCheck/build/default/QtSpellCheck+0x4048da) (BuildId: 8277ed9c61963add82b468c7495f7e52f07f96ee)
    #9 0x40477b in QtPrivate::QSlotObject<void (MyWindow::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (/home/user/eclipse-workspace/QtSpellCheck/build/default/QtSpellCheck+0x40477b) (BuildId: 8277ed9c61963add82b468c7495f7e52f07f96ee)
    #10 0x7f62d54ebf1d in void doActivate<false>(QObject*, int, void**) (/lib64/libQt5Core.so.5+0x2ebf1d) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #11 0x7f62d628a6f3 in QAbstractButton::clicked(bool) (/lib64/libQt5Widgets.so.5+0x28a6f3) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #12 0x7f62d628a9de in QAbstractButtonPrivate::emitClicked() (/lib64/libQt5Widgets.so.5+0x28a9de) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #13 0x7f62d628c37e in QAbstractButtonPrivate::click() (/lib64/libQt5Widgets.so.5+0x28c37e) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #14 0x7f62d628c5aa in QAbstractButton::mouseReleaseEvent(QMouseEvent*) (/lib64/libQt5Widgets.so.5+0x28c5aa) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #15 0x7f62d61d1597 in QWidget::event(QEvent*) (/lib64/libQt5Widgets.so.5+0x1d1597) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #16 0x7f62d618cc34 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/lib64/libQt5Widgets.so.5+0x18cc34) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #17 0x7f62d619540e in QApplication::notify(QObject*, QEvent*) (/lib64/libQt5Widgets.so.5+0x19540e) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #18 0x7f62d54b7177 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/lib64/libQt5Core.so.5+0x2b7177) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #19 0x7f62d619328c in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/lib64/libQt5Widgets.so.5+0x19328c) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #20 0x7f62d61ec006 in QWidgetWindow::handleMouseEvent(QMouseEvent*) (/lib64/libQt5Widgets.so.5+0x1ec006) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #21 0x7f62d61ef71e in QWidgetWindow::event(QEvent*) (/lib64/libQt5Widgets.so.5+0x1ef71e) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #22 0x7f62d618cc34 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/lib64/libQt5Widgets.so.5+0x18cc34) (BuildId: 7e21d3a186390804fdc5d6972a897f2a6db667a4)
    #23 0x7f62d54b7177 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/lib64/libQt5Core.so.5+0x2b7177) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #24 0x7f62d595d3f6 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/lib64/libQt5Gui.so.5+0x15d3f6) (BuildId: c09f1fa05ff2307c0fe81246a5b9d28c64a9660b)
    #25 0x7f62d5939d5b in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/lib64/libQt5Gui.so.5+0x139d5b) (BuildId: c09f1fa05ff2307c0fe81246a5b9d28c64a9660b)
    #26 0x7f62cfdc1ba3 in userEventSourceDispatch(_GSource*, int (*)(void*), void*) (/lib64/libQt5WaylandClient.so.5+0xb3ba3) (BuildId: a0efeb3b2e2097819825fd38642e9eecc5eac042)
    #27 0x7f62d431ae8b in g_main_context_dispatch_unlocked.lto_priv.0 (/lib64/libglib-2.0.so.0+0x5ce8b) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #28 0x7f62d437cc97 in g_main_context_iterate_unlocked.isra.0 (/lib64/libglib-2.0.so.0+0xbec97) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #29 0x7f62d431c382 in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x5e382) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #30 0x7f62d550bbec in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/lib64/libQt5Core.so.5+0x30bbec) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #31 0x7f62d54b5ada in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/lib64/libQt5Core.so.5+0x2b5ada) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #32 0x7f62d54bdf45 in QCoreApplication::exec() (/lib64/libQt5Core.so.5+0x2bdf45) (BuildId: cbe9627b0e3c019c0832a55096a129215d44377b)
    #33 0x404c90 in main (/home/user/eclipse-workspace/QtSpellCheck/build/default/QtSpellCheck+0x404c90) (BuildId: 8277ed9c61963add82b468c7495f7e52f07f96ee)
    #34 0x7f62d4c39087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #35 0x7f62d4c3914a in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2a14a) (BuildId: 77c77fee058b19c6f001cf2cb0371ce3b8341211)
    #36 0x4032d4 in _start (/home/user/eclipse-workspace/QtSpellCheck/build/default/QtSpellCheck+0x4032d4) (BuildId: 8277ed9c61963add82b468c7495f7e52f07f96ee)
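
A Qt-free C++ model of the destruction order in frames #1 to #5 of the trace, added here as an illustration; it is not code from the attached demo, Qt or Sonnet, and `Object`, `TextEdit`, `Decorator`, `Stage` and `stageSeenByDecorator` are hypothetical names. It records what state the parent is in when the child's destructor calls back into it, both for the order in the report and for the mitigation of deleting the decorator first.

```cpp
#include <algorithm>
#include <vector>

// Constructed model of a parent-owned child holding a raw back-pointer to its parent.
enum class Stage { Alive, SubclassDestroyed };

struct Object {
    Object* parent;
    std::vector<Object*> children, filters;
    Stage stage = Stage::Alive;
    explicit Object(Object* p = nullptr) : parent(p) { if (p) p->children.push_back(this); }
    void removeEventFilter(Object* f) {
        filters.erase(std::remove(filters.begin(), filters.end(), f), filters.end());
    }
    virtual ~Object() {
        if (parent) {  // deleted directly: unregister from the parent's child list
            auto& c = parent->children;
            c.erase(std::remove(c.begin(), c.end(), this), c.end());
        }
        // Children are destroyed inside the base-class destructor, after the
        // subclass destructor has already run (frames #3 and #4 of the trace).
        while (!children.empty()) {
            Object* c = children.back();
            children.pop_back();
            c->parent = nullptr;
            delete c;
        }
    }
};

struct TextEdit : Object {
    ~TextEdit() override { stage = Stage::SubclassDestroyed; }
};

std::vector<Stage> seen;  // parent stage observed by each Decorator destructor

struct Decorator : Object {
    Object* target;  // raw back-pointer, never cleared when the target starts dying
    explicit Decorator(TextEdit* t) : Object(t), target(t) { t->filters.push_back(this); }
    ~Decorator() override {
        seen.push_back(target->stage);    // what the destructor finds behind the pointer
        target->removeEventFilter(this);  // same call as frame #0
    }
};

// Returns the parent's stage at the moment the decorator's destructor ran.
Stage stageSeenByDecorator(bool deleteDecoratorFirst) {
    auto* edit = new TextEdit;
    auto* deco = new Decorator(edit);
    seen.clear();
    if (deleteDecoratorFirst) delete deco;  // mitigation described in the report
    delete edit;                            // otherwise the decorator dies as a child
    return seen.at(0);
}
```

In the model the back-pointer is kept as a base-class pointer so the callback stays well defined; a destructor that reaches subclass state through such a pointer in the first ordering would be touching an object whose subclass part is already gone.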