[Interest] Bug in Qt 4.8's destruction of QWizard fields??

[Carl Schumann]

Qt Community,

I have an application that core dumps when a user goes back and forth 
through its wizard such that some wizard fields that are initially 
created are no longer needed.   Qt does appear to detect a need to clean 
up and calls the following routine in src/gui/dialogs/qwizard.cpp:
> void QWizardPrivate::_q_handleFieldObjectDestroyed(QObject *object)
This routine finds the field to be deleted and then executes the 
following two lines:
> fieldIndexMap.remove(field.name);
> it = fields.erase(it);
where field is a reference to "*it" and "it" points to the field to be 
destroyed.  this->fieldIndexMap apparently is to contain a mapping from 
a field name to to its index in this->fields.   (I base this statement 
on the source code for QWizard::field.)    Therefore, these two lines 
appear to leave this->fields and this->fieldIndexMap in an inconsistent 
state.  Specifically,  because removing an entry from the map does not 
also shift all the values in the map higher than the value removed down 
by one.

So if we initially have the following mapping ...
"field0" -> 0,
"field1" -> 1, and
"field2" -> 2
with fields of size 3.   After destruction of "field1" we have ...
"field0" -> 0, and
"field2" -> 2
with fields of size 2.   Now attempts to look up "field2" using 
QWizard::field will have an out of bounds error and core dump because an 
attempt to access this->fields[2] will be made.   It should be accessing 
this->fields[1], but does not because the mapping is no longer correct.

So that is my theory that there is in fact a bug in 
QWizardPrivate::_q_handleFieldObjectDestroyed*. *Have I actually missed 
something instead though?   Other opinions and insights would be 
appreciated please?  Thanks in advance for any insights.

Sincerely,
Carl Schumann

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20120507/47564162/attachment.html>