use-after-free related to p_mainPlaylistController
As noted in issue #28880 (closed), with changes from !7106 (merged) applied on top of 258722d7, vlc crashes at the end of the playlist with vlc --play-and-exit --no-media-library ~/some.mp4. valgrind shows this backtrace:
==15361== Invalid read of size 8
==15361== at 0x1B1827FE: UnknownInlinedFun (atomic_base.h:837)
==15361== by 0x1B1827FE: UnknownInlinedFun (atomic:577)
==15361== by 0x1B1827FE: UnknownInlinedFun (qatomic_cxx11.h:213)
==15361== by 0x1B1827FE: UnknownInlinedFun (qbasicatomic.h:179)
==15361== by 0x1B1827FE: QObjectPrivate::connectImpl(QObject const*, int, QObject const*, void**, QtPrivate::QSlotObjectBase*, int, int const*, QMetaObject const*) (qobject.cpp:5180)
==15361== by 0x1B18648A: QObject::connectImpl(QObject const*, void**, QObject const*, void**, QtPrivate::QSlotObjectBase*, Qt::ConnectionType, int const*, QMetaObject const*) (qobject.cpp:5111)
==15361== by 0x1895B5B4: connect<void (QTimer::*)(QTimer::QPrivateSignal), ModelRecoveryAgent::ModelRecoveryAgent<vlc::playlist::PlaylistController>(QSettings*, const QString&, vlc::playlist::PlaylistController*)::<lambda()> > (qobject.h:240)
==15361== by 0x1895B5B4: ??? (model_recovery_agent.hpp:107)
==15361== by 0x18954C63: make_unique<ModelRecoveryAgent, QSettings*&, QString, vlc::playlist::PlaylistController*&> (unique_ptr.h:1070)
==15361== by 0x18954C63: operator() (qt.cpp:1032)
==15361== by 0x18954C63: call (qobjectdefs_impl.h:137)
==15361== by 0x18954C63: call<QtPrivate::List<>, void> (qobjectdefs_impl.h:339)
==15361== by 0x18954C63: ??? (qobjectdefs_impl.h:522)
==15361== by 0x1B17AA6D: QObject::event(QEvent*) (qobject.cpp:1437)
==15361== by 0x19BA49AD: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib64/libQt6Widgets.so.6.6.3)
==15361== by 0x1B1377A7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==15361== by 0x1B137B06: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==15361== by 0x1B35A972: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:243)
==15361== by 0x18504FAB: g_main_dispatch (gmain.c:3476)
==15361== by 0x18504FAB: g_main_context_dispatch_unlocked (gmain.c:4284)
==15361== by 0x18506BCF: g_main_context_iterate_unlocked.isra.24 (gmain.c:4349)
==15361== by 0x185071CB: g_main_context_iteration (gmain.c:4414)
==15361== Address 0x2c65e238 is 8 bytes inside a block of size 24 free'd
==15361== at 0x48458F9: operator delete(void*, unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15361== by 0x18952301: ??? (qt.cpp:1199)
==15361== by 0x1B17AA6D: QObject::event(QEvent*) (qobject.cpp:1437)
==15361== by 0x19BA49AD: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib64/libQt6Widgets.so.6.6.3)
==15361== by 0x1B1377A7: QCoreApplication::notifyInternal2(QObject*, QEvent*) (qcoreapplication.cpp:1121)
==15361== by 0x1B137B06: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (qcoreapplication.cpp:1901)
==15361== by 0x1B35A972: postEventSourceDispatch(_GSource*, int (*)(void*), void*) (qeventdispatcher_glib.cpp:243)
==15361== by 0x18504FAB: g_main_dispatch (gmain.c:3476)
==15361== by 0x18504FAB: g_main_context_dispatch_unlocked (gmain.c:4284)
==15361== by 0x18506BCF: g_main_context_iterate_unlocked.isra.24 (gmain.c:4349)
==15361== by 0x185071CB: g_main_context_iteration (gmain.c:4414)
==15361== by 0x1B3583CB: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (qeventdispatcher_glib.cpp:393)
==15361== by 0x1B141F9A: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (qeventloop.cpp:182)
==15361== Block was alloc'd at
==15361== at 0x48420FF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15361== by 0x18954214: ??? (qt.cpp:1027)
==15361== by 0x4A7958B: start_thread (pthread_create.c:444)
==15361== by 0x4B0086F: clone (clone.S:100)