From eb1025d7808f04e3f114b08c86a5e680b2d18010 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <albert.astals.cid@kdab.com>
Date: Fri, 21 May 2021 13:30:41 +0200
Subject: [PATCH 01/19] Give a warning when StyledText encounters a non
 supported entity

Pick-to: 6.1 5.15
Change-Id: Iea8bdf25542cd404ee71141467ac1f1398a7d0df
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
(cherry picked from commit 8cd43e370040e23fcbd03ad64969e683055bd7d0)
---
 src/quick/util/qquickstyledtext.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
index 660852ba83..d531fc9205 100644
--- a/src/quick/util/qquickstyledtext.cpp
+++ b/src/quick/util/qquickstyledtext.cpp
@@ -46,6 +46,8 @@
 #include "qquickstyledtext_p.h"
 #include <QQmlContext>
 
+Q_LOGGING_CATEGORY(lcStyledText, "qt.quick.styledtext")
+
 /*
     QQuickStyledText supports few tags:
 
@@ -566,6 +568,8 @@ void QQuickStyledTextPrivate::parseEntity(const QChar *&ch, const QString &textI
                 textOut += QChar(34);
             else if (entity == QLatin1String("nbsp"))
                 textOut += QChar(QChar::Nbsp);
+            else
+                qCWarning(lcStyledText) << "StyledText doesn't support entity" << entity;
             return;
         } else if (*ch == QLatin1Char(' ')) {
             QStringRef entity(&textIn, entityStart - 1, entityLength + 1);
-- 
2.36.0

From ba07a40a2afacfb57ddb8f7cb4cc90a39560f17d Mon Sep 17 00:00:00 2001
From: Antonio Rojas <arojas@archlinux.org>
Date: Sun, 23 May 2021 14:32:46 +0200
Subject: [PATCH 02/19] Add missing limits include to fix build with GCC 11

This is not required for Qt 6, since it is indirectly pulled via
qanystrigview.h, but it is for Qt 5 (where qanystrigview does
not exist) and, in any case, it is good to declare all used headers
and not rely on them being implicitly pulled.

Pick-to: 6.1 5.15
Change-Id: I97606ea493e723006759608b7d4c4f00632f340c
Reviewed-by: Albert Astals Cid <albert.astals.cid@kdab.com>
(cherry picked from commit 367293b18ab0d0a0432c1c8ce445fee052e5eee5)
---
 src/qmldebug/qqmlprofilerevent_p.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/qmldebug/qqmlprofilerevent_p.h b/src/qmldebug/qqmlprofilerevent_p.h
index a7e37d1964..01b2f58f16 100644
--- a/src/qmldebug/qqmlprofilerevent_p.h
+++ b/src/qmldebug/qqmlprofilerevent_p.h
@@ -48,6 +48,7 @@
 #include <QtCore/qmetatype.h>
 
 #include <initializer_list>
+#include <limits>
 #include <type_traits>
 
 //
-- 
2.36.0

From eb9ebe3815ac100d4ab3b3a708f691a1dde270bf Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <albert.astals.cid@kdab.com>
Date: Fri, 21 May 2021 13:17:15 +0200
Subject: [PATCH 03/19] Document that StyledText also supports &nbsp; and
 &quot;

Change-Id: I1715f8ae8ec8d0fbaf6dbe2b8663cc169da663cd
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
(cherry picked from commit 5848c081c094a66e024493fc1e5c2569e06f73b6)
---
 src/quick/items/qquicktext.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/quick/items/qquicktext.cpp b/src/quick/items/qquicktext.cpp
index 6230186933..c1571fc6f5 100644
--- a/src/quick/items/qquicktext.cpp
+++ b/src/quick/items/qquicktext.cpp
@@ -2168,7 +2168,7 @@ void QQuickText::resetMaximumLineCount()
     <img src="" align="top,middle,bottom" width="" height=""> - inline images
     <ol type="">, <ul type=""> and <li> - ordered and unordered lists
     <pre></pre> - preformatted
-    &gt; &lt; &amp;
+    &gt; &lt; &amp; &quot; &nbsp;
     \endcode
 
     \c Text.StyledText parser is strict, requiring tags to be correctly nested.
-- 
2.36.0

From 0aea240ef6d78989ef16ea1d41e161c641c2667c Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <albert.astals.cid@kdab.com>
Date: Fri, 21 May 2021 13:42:35 +0200
Subject: [PATCH 04/19] Support &apos; in styled text

Pick-to: 6.1 5.15
Change-Id: I4a8db963e52a7899ab1796f9a560e8029cc1c929
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
(cherry picked from commit 96b528efcba1226d2980828d1255160bdceae4cf)
---
 src/quick/items/qquicktext.cpp      | 2 +-
 src/quick/util/qquickstyledtext.cpp | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/quick/items/qquicktext.cpp b/src/quick/items/qquicktext.cpp
index c1571fc6f5..e823ca1095 100644
--- a/src/quick/items/qquicktext.cpp
+++ b/src/quick/items/qquicktext.cpp
@@ -2168,7 +2168,7 @@ void QQuickText::resetMaximumLineCount()
     <img src="" align="top,middle,bottom" width="" height=""> - inline images
     <ol type="">, <ul type=""> and <li> - ordered and unordered lists
     <pre></pre> - preformatted
-    &gt; &lt; &amp; &quot; &nbsp;
+    &gt; &lt; &amp; &quot; &nbsp; &apos;
     \endcode
 
     \c Text.StyledText parser is strict, requiring tags to be correctly nested.
diff --git a/src/quick/util/qquickstyledtext.cpp b/src/quick/util/qquickstyledtext.cpp
index d531fc9205..a25af90414 100644
--- a/src/quick/util/qquickstyledtext.cpp
+++ b/src/quick/util/qquickstyledtext.cpp
@@ -564,6 +564,8 @@ void QQuickStyledTextPrivate::parseEntity(const QChar *&ch, const QString &textI
                 textOut += QChar(60);
             else if (entity == QLatin1String("amp"))
                 textOut += QChar(38);
+            else if (entity == QLatin1String("apos"))
+                textOut += QChar(39);
             else if (entity == QLatin1String("quot"))
                 textOut += QChar(34);
             else if (entity == QLatin1String("nbsp"))
-- 
2.36.0

From bdf7658d89e1df55ded318432d4412dbf1d5d0f9 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <albert.astals.cid@kdab.com>
Date: Thu, 17 Jun 2021 16:32:28 +0200
Subject: [PATCH 05/19] Remove unused QPointer<QQuickPointerMask>

Change-Id: I009fa6bbd8599dc3bb2e810176fe20e70ed50851
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
(cherry picked from commit ac03b4b8ee9cc8d4522e0c8cf1018ff086f80c1b)
---
 src/quick/items/qquickmousearea_p_p.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/quick/items/qquickmousearea_p_p.h b/src/quick/items/qquickmousearea_p_p.h
index fba383e268..0d63618622 100644
--- a/src/quick/items/qquickmousearea_p_p.h
+++ b/src/quick/items/qquickmousearea_p_p.h
@@ -61,7 +61,6 @@ QT_BEGIN_NAMESPACE
 
 class QQuickMouseEvent;
 class QQuickMouseArea;
-class QQuickPointerMask;
 class QQuickMouseAreaPrivate : public QQuickItemPrivate
 {
     Q_DECLARE_PUBLIC(QQuickMouseArea)
@@ -100,7 +99,6 @@ public:
 #if QT_CONFIG(quick_draganddrop)
     QQuickDrag *drag;
 #endif
-    QPointer<QQuickPointerMask> mask;
     QPointF startScene;
     QPointF targetStartPos;
     QPointF lastPos;
-- 
2.36.0

From 8da88589929a1d82103c8bbfa80210f3c1af3714 Mon Sep 17 00:00:00 2001
From: Dmitry Shachnev <mitya57@gmail.com>
Date: Wed, 18 Aug 2021 22:50:29 +0300
Subject: [PATCH 06/19] Include <limits> in Yarr.h to fix build with GCC 11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- <limits.h> (aka <climits>) is needed for UINT_MAX macro constant.
- <limits> is needed for std::numeric_limits.

Without this fix, qtdeclarative failed to build on some platforms:

 In file included from jsruntime/qv4regexp_p.h:62,
                  from jsruntime/qv4regexp.cpp:40:
 ../3rdparty/masm/yarr/Yarr.h:46:44: error: ‘numeric_limits’ is not a member of ‘std’
    46 | static const unsigned offsetNoMatch = std::numeric_limits<unsigned>::max();
       |                                            ^~~~~~~~~~~~~~

Pick-to: 5.15 6.2
Change-Id: I7cc9f7bc6624a52c8659f09034ab16064da5fd2f
Reviewed-by: Albert Astals Cid <albert.astals.cid@kdab.com>
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit db58b8518e157b765bf2e01e6382a9eed4751f27)
---
 src/3rdparty/masm/yarr/Yarr.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/3rdparty/masm/yarr/Yarr.h b/src/3rdparty/masm/yarr/Yarr.h
index ccf78f9880..2955ea7e72 100644
--- a/src/3rdparty/masm/yarr/Yarr.h
+++ b/src/3rdparty/masm/yarr/Yarr.h
@@ -28,6 +28,7 @@
 #pragma once
 
 #include <limits.h>
+#include <limits>
 #include "YarrErrorCode.h"
 
 namespace JSC { namespace Yarr {
-- 
2.36.0

From 103503f1cae9e928a4fa8b5e7e1f7af34f1add4d Mon Sep 17 00:00:00 2001
From: Aleix Pol <aleixpol@kde.org>
Date: Tue, 21 Sep 2021 00:10:26 +0200
Subject: [PATCH 07/19] QQuickLoader: Do not incubate if the source arrives
 after setActive(false)

Otherwise we end up in the crazy place of active being false but item
being non-null and forces us to workaround within the apps.

Change-Id: I88c27c4b00ccec8b8e0c05a8e10b44fcabfc2e30
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit e78c068700fa74ab3aca6a23ab2450563b1c3a5c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/quick/items/qquickloader.cpp              |  3 +++
 .../data/loader-async-race-rect.qml           | 10 ++++++++++
 .../qquickloader/data/loader-async-race.qml   | 14 ++++++++++++++
 .../quick/qquickloader/tst_qquickloader.cpp   | 19 +++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 tests/auto/quick/qquickloader/data/loader-async-race-rect.qml
 create mode 100644 tests/auto/quick/qquickloader/data/loader-async-race.qml

diff --git a/src/quick/items/qquickloader.cpp b/src/quick/items/qquickloader.cpp
index cb4f79a3c2..7fbe66fdda 100644
--- a/src/quick/items/qquickloader.cpp
+++ b/src/quick/items/qquickloader.cpp
@@ -737,6 +737,9 @@ void QQuickLoaderPrivate::_q_sourceLoaded()
         return;
     }
 
+    if (!active)
+        return;
+
     QQmlContext *creationContext = component->creationContext();
     if (!creationContext) creationContext = qmlContext(q);
     itemContext = new QQmlContext(creationContext);
diff --git a/tests/auto/quick/qquickloader/data/loader-async-race-rect.qml b/tests/auto/quick/qquickloader/data/loader-async-race-rect.qml
new file mode 100644
index 0000000000..a56dcea5ad
--- /dev/null
+++ b/tests/auto/quick/qquickloader/data/loader-async-race-rect.qml
@@ -0,0 +1,10 @@
+import QtQuick 2.15
+
+Rectangle {
+    anchors.fill: parent
+    color: "blue"
+    Item {
+        Item {
+        }
+    }
+}
diff --git a/tests/auto/quick/qquickloader/data/loader-async-race.qml b/tests/auto/quick/qquickloader/data/loader-async-race.qml
new file mode 100644
index 0000000000..8ba625c5c1
--- /dev/null
+++ b/tests/auto/quick/qquickloader/data/loader-async-race.qml
@@ -0,0 +1,14 @@
+import QtQuick 2.15
+
+Item {
+    id: root
+    Component.onCompleted: {
+        myloader.active = false
+    }
+    Loader {
+        id: myloader
+        anchors.fill: parent
+        asynchronous: true
+        source: "loader-async-race-rect.qml"
+    }
+}
diff --git a/tests/auto/quick/qquickloader/tst_qquickloader.cpp b/tests/auto/quick/qquickloader/tst_qquickloader.cpp
index 0f6c811adb..dddacbaa0b 100644
--- a/tests/auto/quick/qquickloader/tst_qquickloader.cpp
+++ b/tests/auto/quick/qquickloader/tst_qquickloader.cpp
@@ -132,6 +132,7 @@ private slots:
     void statusChangeOnlyEmittedOnce();
 
     void setSourceAndCheckStatus();
+    void asyncLoaderRace();
 };
 
 Q_DECLARE_METATYPE(QList<QQmlError>)
@@ -1496,6 +1497,24 @@ void tst_QQuickLoader::setSourceAndCheckStatus()
     QCOMPARE(loader->status(), QQuickLoader::Null);
 }
 
+void tst_QQuickLoader::asyncLoaderRace()
+{
+    QQmlApplicationEngine engine;
+    auto url = testFileUrl("loader-async-race.qml");
+    engine.load(url);
+    auto root = engine.rootObjects().at(0);
+    QVERIFY(root);
+
+    QQuickLoader *loader = root->findChild<QQuickLoader *>();
+    QCOMPARE(loader->active(), false);
+    QCOMPARE(loader->status(), QQuickLoader::Null);
+    QCOMPARE(loader->item(), nullptr);
+
+    QSignalSpy spy(loader, &QQuickLoader::itemChanged);
+    QVERIFY(!spy.wait(100));
+    QCOMPARE(loader->item(), nullptr);
+}
+
 QTEST_MAIN(tst_QQuickLoader)
 
 #include "tst_qquickloader.moc"
-- 
2.36.0

From 0fdd8a998075a8b52954724743d3a04c105c6ce2 Mon Sep 17 00:00:00 2001
From: Aleix Pol <aleixpol@kde.org>
Date: Thu, 23 Sep 2021 03:43:04 +0200
Subject: [PATCH 08/19] QQmlDelegateModel: Refresh the view when a column is
 added at 0

It can happen that a model reports n>0 rows but columns=0 (See
QConcatenateTablesProxyModel). In those cases we would render glitchy
items until the elements are marked as dirty.

Change-Id: I615c9cacbb1b6f9dee3898b03476605e5ac39d0a
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit ec9251efb918f37971aeefa1f687d137d037ff12)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Signed-off-by: Aleix Pol <aleixpol@kde.org>
---
 src/qmlmodels/qqmldelegatemodel.cpp           | 44 +++++++++++++++++++
 src/qmlmodels/qqmldelegatemodel_p.h           |  3 ++
 .../data/redrawUponColumnChange.qml           | 11 +++++
 .../tst_qqmldelegatemodel.cpp                 | 27 ++++++++++++
 4 files changed, 85 insertions(+)
 create mode 100644 tests/auto/qml/qqmldelegatemodel/data/redrawUponColumnChange.qml

diff --git a/src/qmlmodels/qqmldelegatemodel.cpp b/src/qmlmodels/qqmldelegatemodel.cpp
index 26ded63c41..53e511303e 100644
--- a/src/qmlmodels/qqmldelegatemodel.cpp
+++ b/src/qmlmodels/qqmldelegatemodel.cpp
@@ -389,6 +389,12 @@ void QQmlDelegateModelPrivate::connectToAbstractItemModel()
                       q,  QQmlDelegateModel, SLOT(_q_rowsRemoved(QModelIndex,int,int)));
     qmlobject_connect(aim, QAbstractItemModel, SIGNAL(rowsAboutToBeRemoved(QModelIndex,int,int)),
                       q,  QQmlDelegateModel, SLOT(_q_rowsAboutToBeRemoved(QModelIndex,int,int)));
+    qmlobject_connect(aim, QAbstractItemModel, SIGNAL(columnsInserted(QModelIndex,int,int)),
+                      q, QQmlDelegateModel, SLOT(_q_columnsInserted(QModelIndex,int,int)));
+    qmlobject_connect(aim, QAbstractItemModel, SIGNAL(columnsRemoved(QModelIndex,int,int)),
+                      q, QQmlDelegateModel, SLOT(_q_columnsRemoved(QModelIndex,int,int)));
+    qmlobject_connect(aim, QAbstractItemModel, SIGNAL(columnsMoved(QModelIndex,int,int,QModelIndex,int)),
+                      q, QQmlDelegateModel, SLOT(_q_columnsMoved(QModelIndex,int,int,QModelIndex,int)));
     qmlobject_connect(aim, QAbstractItemModel, SIGNAL(dataChanged(QModelIndex,QModelIndex,QVector<int>)),
                       q, QQmlDelegateModel, SLOT(_q_dataChanged(QModelIndex,QModelIndex,QVector<int>)));
     qmlobject_connect(aim, QAbstractItemModel, SIGNAL(rowsMoved(QModelIndex,int,int,QModelIndex,int)),
@@ -413,6 +419,12 @@ void QQmlDelegateModelPrivate::disconnectFromAbstractItemModel()
                         q, SLOT(_q_rowsAboutToBeRemoved(QModelIndex,int,int)));
     QObject::disconnect(aim, SIGNAL(rowsRemoved(QModelIndex,int,int)),
                         q, SLOT(_q_rowsRemoved(QModelIndex,int,int)));
+    QObject::disconnect(aim, SIGNAL(columnsInserted(QModelIndex,int,int)), q,
+                        SLOT(_q_columnsInserted(QModelIndex,int,int)));
+    QObject::disconnect(aim, SIGNAL(columnsRemoved(QModelIndex,int,int)), q,
+                        SLOT(_q_columnsRemoved(QModelIndex,int,int)));
+    QObject::disconnect(aim, SIGNAL(columnsMoved(QModelIndex,int,int,QModelIndex,int)), q,
+                        SLOT(_q_columnsMoved(QModelIndex,int,int,QModelIndex,int)));
     QObject::disconnect(aim, SIGNAL(dataChanged(QModelIndex,QModelIndex,QVector<int>)),
                         q, SLOT(_q_dataChanged(QModelIndex,QModelIndex,QVector<int>)));
     QObject::disconnect(aim, SIGNAL(rowsMoved(QModelIndex,int,int,QModelIndex,int)),
@@ -1958,6 +1970,38 @@ void QQmlDelegateModel::_q_rowsMoved(
     }
 }
 
+void QQmlDelegateModel::_q_columnsInserted(const QModelIndex &parent, int begin, int end)
+{
+    Q_D(QQmlDelegateModel);
+    Q_UNUSED(end);
+    if (parent == d->m_adaptorModel.rootIndex && begin == 0) {
+        // mark all items as changed
+        _q_itemsChanged(0, d->m_count, QVector<int>());
+    }
+}
+
+void QQmlDelegateModel::_q_columnsRemoved(const QModelIndex &parent, int begin, int end)
+{
+    Q_D(QQmlDelegateModel);
+    Q_UNUSED(end);
+    if (parent == d->m_adaptorModel.rootIndex && begin == 0) {
+        // mark all items as changed
+        _q_itemsChanged(0, d->m_count, QVector<int>());
+    }
+}
+
+void QQmlDelegateModel::_q_columnsMoved(const QModelIndex &parent, int start, int end,
+                                        const QModelIndex &destination, int column)
+{
+    Q_D(QQmlDelegateModel);
+    Q_UNUSED(end);
+    if ((parent == d->m_adaptorModel.rootIndex && start == 0)
+        || (destination == d->m_adaptorModel.rootIndex && column == 0)) {
+        // mark all items as changed
+        _q_itemsChanged(0, d->m_count, QVector<int>());
+    }
+}
+
 void QQmlDelegateModel::_q_dataChanged(const QModelIndex &begin, const QModelIndex &end, const QVector<int> &roles)
 {
     Q_D(QQmlDelegateModel);
diff --git a/src/qmlmodels/qqmldelegatemodel_p.h b/src/qmlmodels/qqmldelegatemodel_p.h
index 8aab4badca..d140bfbaaf 100644
--- a/src/qmlmodels/qqmldelegatemodel_p.h
+++ b/src/qmlmodels/qqmldelegatemodel_p.h
@@ -152,6 +152,9 @@ private Q_SLOTS:
     void _q_itemsMoved(int from, int to, int count);
     void _q_modelReset();
     void _q_rowsInserted(const QModelIndex &,int,int);
+    void _q_columnsInserted(const QModelIndex &, int, int);
+    void _q_columnsRemoved(const QModelIndex &, int, int);
+    void _q_columnsMoved(const QModelIndex &, int, int, const QModelIndex &, int);
     void _q_rowsAboutToBeRemoved(const QModelIndex &parent, int begin, int end);
     void _q_rowsRemoved(const QModelIndex &,int,int);
     void _q_rowsMoved(const QModelIndex &, int, int, const QModelIndex &, int);
diff --git a/tests/auto/qml/qqmldelegatemodel/data/redrawUponColumnChange.qml b/tests/auto/qml/qqmldelegatemodel/data/redrawUponColumnChange.qml
new file mode 100644
index 0000000000..206133bb39
--- /dev/null
+++ b/tests/auto/qml/qqmldelegatemodel/data/redrawUponColumnChange.qml
@@ -0,0 +1,11 @@
+import QtQuick 2.8
+
+ListView {
+    id: root
+    width: 200
+    height: 200
+
+    delegate: Text {
+        text: display
+    }
+}
diff --git a/tests/auto/qml/qqmldelegatemodel/tst_qqmldelegatemodel.cpp b/tests/auto/qml/qqmldelegatemodel/tst_qqmldelegatemodel.cpp
index 71550a50f3..4c1eae7ac7 100644
--- a/tests/auto/qml/qqmldelegatemodel/tst_qqmldelegatemodel.cpp
+++ b/tests/auto/qml/qqmldelegatemodel/tst_qqmldelegatemodel.cpp
@@ -27,6 +27,8 @@
 ****************************************************************************/
 
 #include <QtTest/qtest.h>
+#include <QtCore/QConcatenateTablesProxyModel>
+#include <QtGui/QStandardItemModel>
 #include <QtQml/qqmlcomponent.h>
 #include <QtQmlModels/private/qqmldelegatemodel_p.h>
 #include <QtQuick/qquickview.h>
@@ -45,6 +47,7 @@ private slots:
     void valueWithoutCallingObjectFirst_data();
     void valueWithoutCallingObjectFirst();
     void filterOnGroup_removeWhenCompleted();
+    void redrawUponColumnChange();
 };
 
 class AbstractItemModel : public QAbstractItemModel
@@ -149,6 +152,30 @@ void tst_QQmlDelegateModel::filterOnGroup_removeWhenCompleted()
     QTest::qWaitFor([=]{ return model->count() == 2; } );
 }
 
+void tst_QQmlDelegateModel::redrawUponColumnChange()
+{
+    QStandardItemModel m1;
+    m1.appendRow({
+            new QStandardItem("Banana"),
+            new QStandardItem("Coconut"),
+    });
+
+    QQuickView view(testFileUrl("redrawUponColumnChange.qml"));
+    QCOMPARE(view.status(), QQuickView::Ready);
+    view.show();
+    QQuickItem *root = view.rootObject();
+    root->setProperty("model", QVariant::fromValue<QObject *>(&m1));
+
+    QObject *item = root->property("currentItem").value<QObject *>();
+    QVERIFY(item);
+    QCOMPARE(item->property("text").toString(), "Banana");
+
+    QVERIFY(root);
+    m1.removeColumn(0);
+
+    QCOMPARE(item->property("text").toString(), "Coconut");
+}
+
 QTEST_MAIN(tst_QQmlDelegateModel)
 
 #include "tst_qqmldelegatemodel.moc"
-- 
2.36.0

From f2d1bfa96bedb09c27f52a802b03cbefb17a0257 Mon Sep 17 00:00:00 2001
From: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
Date: Sun, 10 Oct 2021 21:04:21 +0300
Subject: [PATCH 09/19] Fix sweep step for tainted QObject JavaScript wrappers

Currently, whenever the garbage collector runs, it will destroy all
valid tainted wrappers.

Only null or undefined wrappers will be preserved in the
m_multiplyWrappedQObjects map.

It seems like "!" was overlooked in
3b5d37ce3841c4bfdf1c629d33f0e33b881b47fb. Prior to that change, it
was "!it.value()->markBit()", so calling erase() in the then branch
did make sense. But with "!it.value().isNullOrUndefined()", erase()
will be called for every valid wrapper, which is the opposite what we
want.

Pick-to: 5.15 6.2
Change-Id: I2bf2630f538af8cbd4bfffcff29d67be6c278265
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
(cherry picked from commit e6b2f88d892dcf396580a61662f569bf69d6d9d1)
---
 src/qml/memory/qv4mm.cpp                   |  2 +-
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 39 ++++++++++++++++++++++
 tests/auto/qml/qv4mm/tst_qv4mm.cpp         |  6 ++--
 3 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/src/qml/memory/qv4mm.cpp b/src/qml/memory/qv4mm.cpp
index 06caf04e5a..da149a67c4 100644
--- a/src/qml/memory/qv4mm.cpp
+++ b/src/qml/memory/qv4mm.cpp
@@ -981,7 +981,7 @@ void MemoryManager::sweep(bool lastSweep, ClassDestroyStatsCallback classCountPt
 
     if (MultiplyWrappedQObjectMap *multiplyWrappedQObjects = engine->m_multiplyWrappedQObjects) {
         for (MultiplyWrappedQObjectMap::Iterator it = multiplyWrappedQObjects->begin(); it != multiplyWrappedQObjects->end();) {
-            if (!it.value().isNullOrUndefined())
+            if (it.value().isNullOrUndefined())
                 it = multiplyWrappedQObjects->erase(it);
             else
                 ++it;
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 3b7d74df63..b75bf820d5 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -102,6 +102,7 @@ private slots:
     void valueConversion_RegularExpression();
     void castWithMultipleInheritance();
     void collectGarbage();
+    void collectGarbageNestedWrappersTwoEngines();
     void gcWithNestedDataStructure();
     void stacktrace();
     void numberParsing_data();
@@ -1809,6 +1810,44 @@ void tst_QJSEngine::collectGarbage()
     QVERIFY(ptr.isNull());
 }
 
+class TestObjectContainer : public QObject
+{
+    Q_OBJECT
+    Q_PROPERTY(QObject *dummy MEMBER m_dummy CONSTANT)
+
+public:
+    TestObjectContainer() : m_dummy(new QObject(this)) {}
+
+private:
+    QObject *m_dummy;
+};
+
+void tst_QJSEngine::collectGarbageNestedWrappersTwoEngines()
+{
+    QJSEngine engine1;
+    QJSEngine engine2;
+
+    TestObjectContainer container;
+    QQmlEngine::setObjectOwnership(&container, QQmlEngine::CppOwnership);
+
+    engine1.globalObject().setProperty("foobar", engine1.newQObject(&container));
+    engine2.globalObject().setProperty("foobar", engine2.newQObject(&container));
+
+    engine1.evaluate("foobar.dummy.baz = 42");
+    engine2.evaluate("foobar.dummy.baz = 43");
+
+    QCOMPARE(engine1.evaluate("foobar.dummy.baz").toInt(), 42);
+    QCOMPARE(engine2.evaluate("foobar.dummy.baz").toInt(), 43);
+
+    engine1.collectGarbage();
+    engine2.collectGarbage();
+
+    // The GC should not collect dummy object wrappers neither in engine1 nor engine2, we
+    // verify that by checking whether the baz property still has its previous value.
+    QCOMPARE(engine1.evaluate("foobar.dummy.baz").toInt(), 42);
+    QCOMPARE(engine2.evaluate("foobar.dummy.baz").toInt(), 43);
+}
+
 void tst_QJSEngine::gcWithNestedDataStructure()
 {
     // The GC must be able to traverse deeply nested objects, otherwise this
diff --git a/tests/auto/qml/qv4mm/tst_qv4mm.cpp b/tests/auto/qml/qv4mm/tst_qv4mm.cpp
index 5d635aa63b..824fd89e5b 100644
--- a/tests/auto/qml/qv4mm/tst_qv4mm.cpp
+++ b/tests/auto/qml/qv4mm/tst_qv4mm.cpp
@@ -76,10 +76,10 @@ void tst_qv4mm::multiWrappedQObjects()
         QCOMPARE(engine1.memoryManager->m_pendingFreedObjectWrapperValue.size(), 1);
         QCOMPARE(engine2.memoryManager->m_pendingFreedObjectWrapperValue.size(), 0);
 
-        // Moves the additional WeakValue from m_multiplyWrappedQObjects to
-        // m_pendingFreedObjectWrapperValue. It's still alive after all.
+        // The additional WeakValue from m_multiplyWrappedQObjects hasn't been moved
+        // to m_pendingFreedObjectWrapperValue yet. It's still alive after all.
         engine1.memoryManager->runGC();
-        QCOMPARE(engine1.memoryManager->m_pendingFreedObjectWrapperValue.size(), 2);
+        QCOMPARE(engine1.memoryManager->m_pendingFreedObjectWrapperValue.size(), 1);
 
         // engine2 doesn't own the object as engine1 was the first to wrap it above.
         // Therefore, no effect here.
-- 
2.36.0

From b884339e8b6dd8dcaed9704afda2ebed4fcaf9b5 Mon Sep 17 00:00:00 2001
From: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
Date: Tue, 12 Oct 2021 13:13:01 +0200
Subject: [PATCH 10/19] Fix distorted text with subpixel matrix translation

We would pixel-align native text *before* applying the
model-view matrix, which would cause GL_NEAREST artifacts to
show up when the text was positioned at a subpixel offset in
some cases. Instead, we pixel-align the coordinates after mapping
them to the view frustum, but before applying the projection to the
screen.

To make it easier to modify the buffer layout for the shaders the
next time, this also adds some constants for offsets.

[ChangeLog][Text] Fixed an issue where text using NativeRendering
would look slightly skewed if it was inside a parent that had
been positioned at a subpixel offset.

Pick-to: 5.15 6.2
Fixes: QTBUG-96112
Fixes: QTBUG-83626
Task-number: QTBUG-55638
Change-Id: Ifb785ad5830093df94afc75a7bc288e24ca7aa38
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
(cherry picked from commit b21948f5e811ce1b7abf065bc48af61a231e86f4)
---
 .../scenegraph/qsgdefaultglyphnode_p.cpp      | 46 ++++++----
 .../scenegraph/shaders_ng/24bittextmask.frag  |  5 +-
 .../scenegraph/shaders_ng/32bitcolortext.frag |  5 +-
 .../scenegraph/shaders_ng/8bittextmask.frag   |  3 +-
 .../scenegraph/shaders_ng/8bittextmask_a.frag |  3 +-
 .../scenegraph/shaders_ng/outlinedtext.frag   |  5 +-
 .../scenegraph/shaders_ng/outlinedtext.vert   |  9 +-
 .../scenegraph/shaders_ng/outlinedtext_a.frag |  5 +-
 .../scenegraph/shaders_ng/styledtext.frag     |  3 +-
 .../scenegraph/shaders_ng/styledtext.vert     |  7 +-
 .../scenegraph/shaders_ng/styledtext_a.frag   |  3 +-
 src/quick/scenegraph/shaders_ng/textmask.frag |  3 +-
 src/quick/scenegraph/shaders_ng/textmask.vert |  7 +-
 ...text_nativerendering_subpixelpositions.qml | 91 +++++++++++++++++++
 14 files changed, 155 insertions(+), 40 deletions(-)
 create mode 100644 tests/manual/scenegraph_lancelot/data/text/text_nativerendering_subpixelpositions.qml

diff --git a/src/quick/scenegraph/qsgdefaultglyphnode_p.cpp b/src/quick/scenegraph/qsgdefaultglyphnode_p.cpp
index 3c60f830de..0fd6581dc4 100644
--- a/src/quick/scenegraph/qsgdefaultglyphnode_p.cpp
+++ b/src/quick/scenegraph/qsgdefaultglyphnode_p.cpp
@@ -428,6 +428,18 @@ QSGTextMaskRhiShader::QSGTextMaskRhiShader(QFontEngine::GlyphFormat glyphFormat)
                       QStringLiteral(":/qt-project.org/scenegraph/shaders_ng/textmask.frag.qsb"));
 }
 
+enum UbufOffset {
+    ModelViewMatrixOffset = 0,
+    ProjectionMatrixOffset = ModelViewMatrixOffset + 64,
+    ColorOffset = ProjectionMatrixOffset + 64,
+    TextureScaleOffset = ColorOffset + 16,
+    DprOffset = TextureScaleOffset + 8,
+
+    // + 1 float padding (vec4 must be aligned to 16)
+    StyleColorOffset = DprOffset + 4 + 4,
+    ShiftOffset = StyleColorOffset + 16
+};
+
 bool QSGTextMaskRhiShader::updateUniformData(RenderState &state,
                                              QSGMaterial *newMaterial, QSGMaterial *oldMaterial)
 {
@@ -443,11 +455,14 @@ bool QSGTextMaskRhiShader::updateUniformData(RenderState &state,
 
     bool changed = false;
     QByteArray *buf = state.uniformData();
-    Q_ASSERT(buf->size() >= 92);
+    Q_ASSERT(buf->size() >= DprOffset + 4);
 
     if (state.isMatrixDirty()) {
-        const QMatrix4x4 m = state.combinedMatrix();
-        memcpy(buf->data(), m.constData(), 64);
+        const QMatrix4x4 mv = state.modelViewMatrix();
+        memcpy(buf->data() + ModelViewMatrixOffset, mv.constData(), 64);
+        const QMatrix4x4 p = state.projectionMatrix();
+        memcpy(buf->data() + ProjectionMatrixOffset, p.constData(), 64);
+
         changed = true;
     }
 
@@ -456,13 +471,13 @@ bool QSGTextMaskRhiShader::updateUniformData(RenderState &state,
     if (updated || !oldMat || oldRtex != newRtex) {
         const QVector2D textureScale = QVector2D(1.0f / mat->rhiGlyphCache()->width(),
                                                  1.0f / mat->rhiGlyphCache()->height());
-        memcpy(buf->data() + 64 + 16, &textureScale, 8);
+        memcpy(buf->data() + TextureScaleOffset, &textureScale, 8);
         changed = true;
     }
 
     if (!oldMat) {
         float dpr = state.devicePixelRatio();
-        memcpy(buf->data() + 64 + 16 + 8, &dpr, 4);
+        memcpy(buf->data() + DprOffset, &dpr, 4);
     }
 
     // move texture uploads/copies onto the renderer's soon-to-be-committed list
@@ -510,11 +525,11 @@ bool QSG8BitTextMaskRhiShader::updateUniformData(RenderState &state,
     QSGTextMaskMaterial *oldMat = static_cast<QSGTextMaskMaterial *>(oldMaterial);
 
     QByteArray *buf = state.uniformData();
-    Q_ASSERT(buf->size() >= 80);
+    Q_ASSERT(buf->size() >= ColorOffset + 16);
 
     if (oldMat == nullptr || mat->color() != oldMat->color() || state.isOpacityDirty()) {
         const QVector4D color = qsg_premultiply(mat->color(), state.opacity());
-        memcpy(buf->data() + 64, &color, 16);
+        memcpy(buf->data() + ColorOffset, &color, 16);
         changed = true;
     }
 
@@ -553,12 +568,12 @@ bool QSG24BitTextMaskRhiShader::updateUniformData(RenderState &state,
     QSGTextMaskMaterial *oldMat = static_cast<QSGTextMaskMaterial *>(oldMaterial);
 
     QByteArray *buf = state.uniformData();
-    Q_ASSERT(buf->size() >= 92);
+    Q_ASSERT(buf->size() >= ColorOffset + 16);
 
     if (oldMat == nullptr || mat->color() != oldMat->color() || state.isOpacityDirty()) {
         // shader takes vec4 but uses alpha only; coloring happens via the blend constant
         const QVector4D color = qsg_premultiply(mat->color(), state.opacity());
-        memcpy(buf->data() + 64, &color, 16);
+        memcpy(buf->data() + ColorOffset, &color, 16);
         changed = true;
     }
 
@@ -608,12 +623,12 @@ bool QSG32BitColorTextRhiShader::updateUniformData(RenderState &state,
     QSGTextMaskMaterial *oldMat = static_cast<QSGTextMaskMaterial *>(oldMaterial);
 
     QByteArray *buf = state.uniformData();
-    Q_ASSERT(buf->size() >= 92);
+    Q_ASSERT(buf->size() >= ColorOffset + 16);
 
     if (oldMat == nullptr || mat->color() != oldMat->color() || state.isOpacityDirty()) {
         // shader takes vec4 but uses alpha only
         const QVector4D color(0, 0, 0, mat->color().w() * state.opacity());
-        memcpy(buf->data() + 64, &color, 16);
+        memcpy(buf->data() + ColorOffset, &color, 16);
         changed = true;
     }
 
@@ -649,20 +664,17 @@ bool QSGStyledTextRhiShader::updateUniformData(RenderState &state,
     QSGStyledTextMaterial *oldMat = static_cast<QSGStyledTextMaterial *>(oldMaterial);
 
     QByteArray *buf = state.uniformData();
-    Q_ASSERT(buf->size() >= 120);
-
-    // matrix..dpr + 1 float padding (vec4 must be aligned to 16)
-    const int startOffset = 64 + 16 + 8 + 4 + 4;
+    Q_ASSERT(buf->size() >= ShiftOffset + 8);
 
     if (oldMat == nullptr || mat->styleColor() != oldMat->styleColor() || state.isOpacityDirty()) {
         const QVector4D styleColor = qsg_premultiply(mat->styleColor(), state.opacity());
-        memcpy(buf->data() + startOffset, &styleColor, 16);
+        memcpy(buf->data() + StyleColorOffset, &styleColor, 16);
         changed = true;
     }
 
     if (oldMat == nullptr || oldMat->styleShift() != mat->styleShift()) {
         const QVector2D v = mat->styleShift();
-        memcpy(buf->data() + startOffset + 16, &v, 8);
+        memcpy(buf->data() + ShiftOffset, &v, 8);
         changed = true;
     }
 
diff --git a/src/quick/scenegraph/shaders_ng/24bittextmask.frag b/src/quick/scenegraph/shaders_ng/24bittextmask.frag
index bc3826a924..ed8da4cd30 100644
--- a/src/quick/scenegraph/shaders_ng/24bittextmask.frag
+++ b/src/quick/scenegraph/shaders_ng/24bittextmask.frag
@@ -6,8 +6,9 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
-    vec4 color; // only alpha is used, but must be vec4 due to layout compat
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
+    vec4 color;
     vec2 textureScale;
     float dpr;
 } ubuf;
diff --git a/src/quick/scenegraph/shaders_ng/32bitcolortext.frag b/src/quick/scenegraph/shaders_ng/32bitcolortext.frag
index 63e445f90b..4198a4d339 100644
--- a/src/quick/scenegraph/shaders_ng/32bitcolortext.frag
+++ b/src/quick/scenegraph/shaders_ng/32bitcolortext.frag
@@ -6,8 +6,9 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
-    vec4 color; // only alpha is used, but must be vec4 due to layout compat
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
+    vec4 color;
     vec2 textureScale;
     float dpr;
 } ubuf;
diff --git a/src/quick/scenegraph/shaders_ng/8bittextmask.frag b/src/quick/scenegraph/shaders_ng/8bittextmask.frag
index 6304e821ff..a06743876d 100644
--- a/src/quick/scenegraph/shaders_ng/8bittextmask.frag
+++ b/src/quick/scenegraph/shaders_ng/8bittextmask.frag
@@ -6,7 +6,8 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
diff --git a/src/quick/scenegraph/shaders_ng/8bittextmask_a.frag b/src/quick/scenegraph/shaders_ng/8bittextmask_a.frag
index 0d0fa1cd3a..f725cbc5e7 100644
--- a/src/quick/scenegraph/shaders_ng/8bittextmask_a.frag
+++ b/src/quick/scenegraph/shaders_ng/8bittextmask_a.frag
@@ -6,7 +6,8 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
diff --git a/src/quick/scenegraph/shaders_ng/outlinedtext.frag b/src/quick/scenegraph/shaders_ng/outlinedtext.frag
index 947d161a50..e2f82d3845 100644
--- a/src/quick/scenegraph/shaders_ng/outlinedtext.frag
+++ b/src/quick/scenegraph/shaders_ng/outlinedtext.frag
@@ -11,11 +11,12 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    // must match styledtext
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
+    // the above must stay compatible with textmask/8bittextmask
     vec4 styleColor;
     vec2 shift;
 } ubuf;
diff --git a/src/quick/scenegraph/shaders_ng/outlinedtext.vert b/src/quick/scenegraph/shaders_ng/outlinedtext.vert
index 023f9dfdc2..4068e42f28 100644
--- a/src/quick/scenegraph/shaders_ng/outlinedtext.vert
+++ b/src/quick/scenegraph/shaders_ng/outlinedtext.vert
@@ -10,11 +10,12 @@ layout(location = 3) out vec2 sCoordLeft;
 layout(location = 4) out vec2 sCoordRight;
 
 layout(std140, binding = 0) uniform buf {
-    // must match styledtext
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
+    // the above must stay compatible with textmask/8bittextmask
     vec4 styleColor;
     vec2 shift;
 } ubuf;
@@ -28,6 +29,6 @@ void main()
      sCoordDown = (tCoord - vec2(0.0, 1.0)) * ubuf.textureScale;
      sCoordLeft = (tCoord - vec2(-1.0, 0.0)) * ubuf.textureScale;
      sCoordRight = (tCoord - vec2(1.0, 0.0)) * ubuf.textureScale;
-     vec3 dprSnapPos = floor(vCoord.xyz * ubuf.dpr + 0.5) / ubuf.dpr;
-     gl_Position = ubuf.matrix * vec4(dprSnapPos, vCoord.w);
+     vec4 xformed = ubuf.modelViewMatrix * vCoord;
+     gl_Position = ubuf.projectionMatrix * vec4(floor(xformed.xyz * ubuf.dpr + 0.5) / ubuf.dpr, xformed.w);
 }
diff --git a/src/quick/scenegraph/shaders_ng/outlinedtext_a.frag b/src/quick/scenegraph/shaders_ng/outlinedtext_a.frag
index 5b7bd9ca82..274d891a3c 100644
--- a/src/quick/scenegraph/shaders_ng/outlinedtext_a.frag
+++ b/src/quick/scenegraph/shaders_ng/outlinedtext_a.frag
@@ -11,11 +11,12 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    // must match styledtext
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
+    // the above must stay compatible with textmask/8bittextmask
     vec4 styleColor;
     vec2 shift;
 } ubuf;
diff --git a/src/quick/scenegraph/shaders_ng/styledtext.frag b/src/quick/scenegraph/shaders_ng/styledtext.frag
index 0b16396037..2e380dfeae 100644
--- a/src/quick/scenegraph/shaders_ng/styledtext.frag
+++ b/src/quick/scenegraph/shaders_ng/styledtext.frag
@@ -8,7 +8,8 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
diff --git a/src/quick/scenegraph/shaders_ng/styledtext.vert b/src/quick/scenegraph/shaders_ng/styledtext.vert
index beadf07c79..271dae8d8a 100644
--- a/src/quick/scenegraph/shaders_ng/styledtext.vert
+++ b/src/quick/scenegraph/shaders_ng/styledtext.vert
@@ -7,7 +7,8 @@ layout(location = 0) out vec2 sampleCoord;
 layout(location = 1) out vec2 shiftedSampleCoord;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
@@ -22,6 +23,6 @@ void main()
 {
      sampleCoord = tCoord * ubuf.textureScale;
      shiftedSampleCoord = (tCoord - ubuf.shift) * ubuf.textureScale;
-     vec3 dprSnapPos = floor(vCoord.xyz * ubuf.dpr + 0.5) / ubuf.dpr;
-     gl_Position = ubuf.matrix * vec4(dprSnapPos, vCoord.w);
+     vec4 xformed = ubuf.modelViewMatrix * vCoord;
+     gl_Position = ubuf.projectionMatrix * vec4(floor(xformed.xyz * ubuf.dpr + 0.5) / ubuf.dpr, xformed.w);
 }
diff --git a/src/quick/scenegraph/shaders_ng/styledtext_a.frag b/src/quick/scenegraph/shaders_ng/styledtext_a.frag
index b673137895..62e162c851 100644
--- a/src/quick/scenegraph/shaders_ng/styledtext_a.frag
+++ b/src/quick/scenegraph/shaders_ng/styledtext_a.frag
@@ -8,7 +8,8 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
diff --git a/src/quick/scenegraph/shaders_ng/textmask.frag b/src/quick/scenegraph/shaders_ng/textmask.frag
index 518d5c965f..ed8da4cd30 100644
--- a/src/quick/scenegraph/shaders_ng/textmask.frag
+++ b/src/quick/scenegraph/shaders_ng/textmask.frag
@@ -6,7 +6,8 @@ layout(location = 0) out vec4 fragColor;
 layout(binding = 1) uniform sampler2D _qt_texture;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
diff --git a/src/quick/scenegraph/shaders_ng/textmask.vert b/src/quick/scenegraph/shaders_ng/textmask.vert
index 9d80d5dadb..e0b3c01bce 100644
--- a/src/quick/scenegraph/shaders_ng/textmask.vert
+++ b/src/quick/scenegraph/shaders_ng/textmask.vert
@@ -6,7 +6,8 @@ layout(location = 1) in vec2 tCoord;
 layout(location = 0) out vec2 sampleCoord;
 
 layout(std140, binding = 0) uniform buf {
-    mat4 matrix;
+    mat4 modelViewMatrix;
+    mat4 projectionMatrix;
     vec4 color;
     vec2 textureScale;
     float dpr;
@@ -17,6 +18,6 @@ out gl_PerVertex { vec4 gl_Position; };
 void main()
 {
      sampleCoord = tCoord * ubuf.textureScale;
-     vec3 dprSnapPos = floor(vCoord.xyz * ubuf.dpr + 0.5) / ubuf.dpr;
-     gl_Position = ubuf.matrix * vec4(dprSnapPos, vCoord.w);
+     vec4 xformed = ubuf.modelViewMatrix * vCoord;
+     gl_Position = ubuf.projectionMatrix * vec4(floor(xformed.xyz * ubuf.dpr + 0.5) / ubuf.dpr, xformed.w);
 }
diff --git a/tests/manual/scenegraph_lancelot/data/text/text_nativerendering_subpixelpositions.qml b/tests/manual/scenegraph_lancelot/data/text/text_nativerendering_subpixelpositions.qml
new file mode 100644
index 0000000000..c60fc4d8b0
--- /dev/null
+++ b/tests/manual/scenegraph_lancelot/data/text/text_nativerendering_subpixelpositions.qml
@@ -0,0 +1,91 @@
+import QtQuick 2.0
+
+//vary font style, native rendering at non-integer offsets
+
+Item {
+    id: topLevel
+    width: 320
+    height: 580
+
+    Repeater {
+        model: [Text.Normal, Text.Outline, Text.Raised, Text.Sunken]
+        Text {
+            y: 20 * index
+            clip: true
+            renderType: Text.NativeRendering
+            width: parent.width
+            wrapMode: Text.Wrap
+            font.pointSize: 10
+            style: modelData
+            styleColor: "green"
+            text: "The quick fox jumps in style " + modelData
+        }
+    }
+
+    Repeater {
+        model: [Text.Normal, Text.Outline, Text.Raised, Text.Sunken]
+        Text {
+            y: 100.5 + 20 * index
+            clip: true
+            renderType: Text.NativeRendering
+            width: parent.width
+            wrapMode: Text.Wrap
+            font.pointSize: 10
+            style: modelData
+            styleColor: "green"
+            text: "The quick fox jumps in style " + modelData
+        }
+    }
+
+    Repeater {
+        model: [Text.Normal, Text.Outline, Text.Raised, Text.Sunken]
+        Text {
+            y: 200.5 + 20 * index
+            x: 0.5
+            clip: true
+            renderType: Text.NativeRendering
+            width: parent.width
+            wrapMode: Text.Wrap
+            font.pointSize: 10
+            style: modelData
+            styleColor: "green"
+            text: "The quick fox jumps in style " + modelData
+        }
+    }
+
+    Repeater {
+        model: [Text.Normal, Text.Outline, Text.Raised, Text.Sunken]
+        Text {
+            y: 300.5 + 20 * index
+            x: 0.5
+            clip: true
+            renderType: Text.NativeRendering
+            width: parent.width
+            wrapMode: Text.Wrap
+            font.pointSize: 10
+            style: modelData
+            styleColor: "green"
+            text: "The quick fox jumps in style " + modelData
+        }
+    }
+
+    Repeater {
+        model: [Text.Normal, Text.Outline, Text.Raised, Text.Sunken]
+        Rectangle {
+            y: 400.5 + 20 * index
+            x: 0.5
+            width: topLevel.width
+            height: topLevel.height
+            clip: true
+            Text {
+                renderType: Text.NativeRendering
+                width: parent.width
+                wrapMode: Text.Wrap
+                font.pointSize: 10
+                style: modelData
+                styleColor: "green"
+                text: "The quick fox jumps in style " + modelData
+            }
+        }
+    }
+}
-- 
2.36.0

From 8b0a4b1a329010e056b19fdd9940bad2036b5f57 Mon Sep 17 00:00:00 2001
From: Laszlo Agocs <laszlo.agocs@qt.io>
Date: Mon, 11 Oct 2021 15:37:33 +0200
Subject: [PATCH 11/19] Revert "Fix for possible crash in
 QSGDefaultLayer::grab"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 1c5de027d0c31d1d6697bd0557128d92207763d8.

The fix here is not correct. Calling a QSGRhiLayer function from the gui
thread is very wrong and can cause a set of unexpected issues. The
Address Sanitizer catches this by recognizing that the render thread is
trying to do something with an object destroyed in the meantime on the
main thread in the layer->setItem(null) call.

The issue the original fix is trying to address needs to be addressed in
some different form.

Fixes: QTBUG-94975
Pick-to: 6.2 6.1 5.15
Change-Id: I46f904026281201fc6d233ed7d3bdc7080934afe
Reviewed-by: Christian Strømme <christian.stromme@qt.io>
(cherry picked from commit a5f0361622eb08eab6c3474d5fc249d1962e3d1e)
---
 src/quick/items/qquickshadereffectsource.cpp | 8 --------
 src/quick/items/qquickshadereffectsource_p.h | 1 -
 2 files changed, 9 deletions(-)

diff --git a/src/quick/items/qquickshadereffectsource.cpp b/src/quick/items/qquickshadereffectsource.cpp
index 4f61d61309..b298ed74da 100644
--- a/src/quick/items/qquickshadereffectsource.cpp
+++ b/src/quick/items/qquickshadereffectsource.cpp
@@ -344,7 +344,6 @@ void QQuickShaderEffectSource::setSourceItem(QQuickItem *item)
             d->refFromEffectItem(m_hideSource);
             d->addItemChangeListener(this, QQuickItemPrivate::Geometry);
             connect(m_sourceItem, SIGNAL(destroyed(QObject*)), this, SLOT(sourceItemDestroyed(QObject*)));
-            connect(m_sourceItem, SIGNAL(parentChanged(QQuickItem*)), this, SLOT(sourceItemParentChanged(QQuickItem*)));
         } else {
             qWarning("ShaderEffectSource: sourceItem and ShaderEffectSource must both be children of the same window.");
             m_sourceItem = nullptr;
@@ -364,13 +363,6 @@ void QQuickShaderEffectSource::sourceItemDestroyed(QObject *item)
 }
 
 
-void QQuickShaderEffectSource::sourceItemParentChanged(QQuickItem *parent)
-{
-    if (!parent && m_texture)
-        m_texture->setItem(0);
-}
-
-
 /*!
     \qmlproperty rect QtQuick::ShaderEffectSource::sourceRect
 
diff --git a/src/quick/items/qquickshadereffectsource_p.h b/src/quick/items/qquickshadereffectsource_p.h
index 4deb6c70a3..c0a1ccab78 100644
--- a/src/quick/items/qquickshadereffectsource_p.h
+++ b/src/quick/items/qquickshadereffectsource_p.h
@@ -173,7 +173,6 @@ Q_SIGNALS:
 private Q_SLOTS:
     void sourceItemDestroyed(QObject *item);
     void invalidateSceneGraph();
-    void sourceItemParentChanged(QQuickItem *parent);
 
 protected:
     void releaseResources() override;
-- 
2.36.0

From 0e201d3561cecc8a1e982f81095f14af1dc3ceca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Arve=20S=C3=A6ther?= <jan-arve.saether@qt.io>
Date: Thu, 3 Sep 2020 10:51:01 +0200
Subject: [PATCH 12/19] Fix TapHandler so that it actually registers a tap

This bug caused all quick examples that used the
shared\LauncherList.qml to be broken.

In QtGui, QSinglePointEvent will construct itself with a point id of 0
if there is a valid point, and with a point id of -1 if the point is
invalid (the default constructor does the latter).
However, QQuickSinglePointHandler::wantsPointerEvent() did not agree
with that, because it assumed that a point id of 0 meant
uninitialized/invalid point.
The fix is to change QQuickSinglePointHandler::wantsPointerEvent() and
QQuickHandlerPoint so that it assumes that the id -1 is now an invalid
point, (instead of 0)

Change-Id: I8c9683dfe06ebb77c5342a26f08174b67e7cbd90
Reviewed-by: Shawn Rutledge <shawn.rutledge@qt.io>
(cherry picked from commit 8d3a91016506fd0afedb0be535f7c34a4ca762f6)
---
 src/quick/handlers/qquickhandlerpoint.cpp       | 4 ++--
 src/quick/handlers/qquicksinglepointhandler.cpp | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/quick/handlers/qquickhandlerpoint.cpp b/src/quick/handlers/qquickhandlerpoint.cpp
index 72efdfd0f4..6aef3545dd 100644
--- a/src/quick/handlers/qquickhandlerpoint.cpp
+++ b/src/quick/handlers/qquickhandlerpoint.cpp
@@ -82,7 +82,7 @@ void QQuickHandlerPoint::localize(QQuickItem *item)
 
 void QQuickHandlerPoint::reset()
 {
-    m_id = 0;
+    m_id = -1;
     m_uniqueId = QPointingDeviceUniqueId();
     m_position = QPointF();
     m_scenePosition = QPointF();
@@ -165,7 +165,7 @@ void QQuickHandlerPoint::reset(const QVector<QQuickHandlerPoint> &points)
         pressureSum += point.pressure();
         ellipseDiameterSum += point.ellipseDiameters();
     }
-    m_id = 0;
+    m_id = -1;
     m_uniqueId = QPointingDeviceUniqueId();
     // all points are required to be from the same event, so pressed buttons and modifiers should be the same
     m_pressedButtons = points.first().pressedButtons();
diff --git a/src/quick/handlers/qquicksinglepointhandler.cpp b/src/quick/handlers/qquicksinglepointhandler.cpp
index b51f53b74f..89081b4e84 100644
--- a/src/quick/handlers/qquicksinglepointhandler.cpp
+++ b/src/quick/handlers/qquicksinglepointhandler.cpp
@@ -75,7 +75,7 @@ bool QQuickSinglePointHandler::wantsPointerEvent(QQuickPointerEvent *event)
     if (!QQuickPointerDeviceHandler::wantsPointerEvent(event))
         return false;
 
-    if (d->pointInfo.id()) {
+    if (d->pointInfo.id() != -1) {
         // We already know which one we want, so check whether it's there.
         // It's expected to be an update or a release.
         // If we no longer want it, cancel the grab.
@@ -125,7 +125,7 @@ bool QQuickSinglePointHandler::wantsPointerEvent(QQuickPointerEvent *event)
             chosen->setAccepted();
         }
     }
-    return d->pointInfo.id();
+    return d->pointInfo.id() != -1;
 }
 
 void QQuickSinglePointHandler::handlePointerEventImpl(QQuickPointerEvent *event)
-- 
2.36.0

From 5af400361da5d66427c68bf743c8def70b7cbc8e Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 16 Nov 2021 22:43:37 +0100
Subject: [PATCH 13/19] Revert "Fix TapHandler so that it actually registers a
 tap"

This reverts commit 36e8ccd434f948e4f11a8f9d59139ec072e41ff5.

It's causing regresions
---
 src/quick/handlers/qquickhandlerpoint.cpp       | 4 ++--
 src/quick/handlers/qquicksinglepointhandler.cpp | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/quick/handlers/qquickhandlerpoint.cpp b/src/quick/handlers/qquickhandlerpoint.cpp
index 6aef3545dd..72efdfd0f4 100644
--- a/src/quick/handlers/qquickhandlerpoint.cpp
+++ b/src/quick/handlers/qquickhandlerpoint.cpp
@@ -82,7 +82,7 @@ void QQuickHandlerPoint::localize(QQuickItem *item)
 
 void QQuickHandlerPoint::reset()
 {
-    m_id = -1;
+    m_id = 0;
     m_uniqueId = QPointingDeviceUniqueId();
     m_position = QPointF();
     m_scenePosition = QPointF();
@@ -165,7 +165,7 @@ void QQuickHandlerPoint::reset(const QVector<QQuickHandlerPoint> &points)
         pressureSum += point.pressure();
         ellipseDiameterSum += point.ellipseDiameters();
     }
-    m_id = -1;
+    m_id = 0;
     m_uniqueId = QPointingDeviceUniqueId();
     // all points are required to be from the same event, so pressed buttons and modifiers should be the same
     m_pressedButtons = points.first().pressedButtons();
diff --git a/src/quick/handlers/qquicksinglepointhandler.cpp b/src/quick/handlers/qquicksinglepointhandler.cpp
index 89081b4e84..b51f53b74f 100644
--- a/src/quick/handlers/qquicksinglepointhandler.cpp
+++ b/src/quick/handlers/qquicksinglepointhandler.cpp
@@ -75,7 +75,7 @@ bool QQuickSinglePointHandler::wantsPointerEvent(QQuickPointerEvent *event)
     if (!QQuickPointerDeviceHandler::wantsPointerEvent(event))
         return false;
 
-    if (d->pointInfo.id() != -1) {
+    if (d->pointInfo.id()) {
         // We already know which one we want, so check whether it's there.
         // It's expected to be an update or a release.
         // If we no longer want it, cancel the grab.
@@ -125,7 +125,7 @@ bool QQuickSinglePointHandler::wantsPointerEvent(QQuickPointerEvent *event)
             chosen->setAccepted();
         }
     }
-    return d->pointInfo.id() != -1;
+    return d->pointInfo.id();
 }
 
 void QQuickSinglePointHandler::handlePointerEventImpl(QQuickPointerEvent *event)
-- 
2.36.0

From 9a3aaa96c58d167ab9eec0d0c8105853e8c6117a Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@qt.io>
Date: Tue, 21 Dec 2021 09:20:17 +0100
Subject: [PATCH 14/19] QQmlJs::FixedPoolArray: fix UB (precondition violation)
 in allocate()

Says ubsan:

  qqmljsfixedpoolarray_p.h:90:19: runtime error: null pointer passed as argument 2, which is declared to never be null

Fix, like in so many other places, by a size check.

Pick-to: 6.3 6.2 5.15
Change-Id: I9181d6ecb467c2dc726978ce7f93b35a6bf2f944
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit d74e931f3fc2587ac6d1e2930acbbe54ea5be2b5)
---
 src/qml/common/qqmljsfixedpoolarray_p.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qml/common/qqmljsfixedpoolarray_p.h b/src/qml/common/qqmljsfixedpoolarray_p.h
index b65b994d6c..15a8cd6878 100644
--- a/src/qml/common/qqmljsfixedpoolarray_p.h
+++ b/src/qml/common/qqmljsfixedpoolarray_p.h
@@ -86,7 +86,7 @@ public:
         if (QTypeInfo<T>::isComplex) {
             for (int i = 0; i < count; ++i)
                 new (data + i) T(vector.at(i));
-        } else {
+        } else if (count) {
             memcpy(data, static_cast<const void*>(vector.constData()), count * sizeof(T));
         }
     }
-- 
2.36.0

From 2dc624d1f7771d4e93ad7f5293fb43cf539b1ca4 Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@qt.io>
Date: Thu, 3 Feb 2022 10:02:06 +0100
Subject: [PATCH 15/19] V4: Do not call dtor of an object we continue to use

After destroyObject(), the QObjectWrapper is still alive. We might use
its heap object again. Furthermore, the Heap::QObjectWrapper dtor does
not actually do anything defined. What we want to do here is clear the
QObject pointer because we've just gotten rid of the QObject. There is a
method for that: Heap::QObjectWrapper::destroy().

Finally, the internalClass must never ever be nullptr. Assert on that
rather than checking it.

Pick-to: 5.15 6.2 6.3
Task-number: QTBUG-100431
Change-Id: I794a295c182b2ed4ba80673f58d6143c861b7391
Reviewed-by: Andrei Golubev <andrei.golubev@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
(cherry picked from commit 6c197319f34b8098d034f1543eb5feb9d7be54c3)
---
 src/qml/jsruntime/qv4qobjectwrapper.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/qml/jsruntime/qv4qobjectwrapper.cpp b/src/qml/jsruntime/qv4qobjectwrapper.cpp
index 9899c9274e..272b85069f 100644
--- a/src/qml/jsruntime/qv4qobjectwrapper.cpp
+++ b/src/qml/jsruntime/qv4qobjectwrapper.cpp
@@ -1160,8 +1160,7 @@ void Heap::QObjectWrapper::markObjects(Heap::Base *that, QV4::MarkStack *markSta
 void QObjectWrapper::destroyObject(bool lastCall)
 {
     Heap::QObjectWrapper *h = d();
-    if (!h->internalClass)
-        return; // destroyObject already got called
+    Q_ASSERT(h->internalClass);
 
     if (h->object()) {
         QQmlData *ddata = QQmlData::get(h->object(), false);
@@ -1191,7 +1190,7 @@ void QObjectWrapper::destroyObject(bool lastCall)
         }
     }
 
-    h->~Data();
+    h->destroy();
 }
 
 
-- 
2.36.0

From 5eee7419f55c592a24d9c7746df0f197d8f0a71d Mon Sep 17 00:00:00 2001
From: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
Date: Sat, 29 Jan 2022 21:59:33 +0200
Subject: [PATCH 16/19] Make sure QQuickWidget and its offscreen window's
 screens are always in sync

By default, the offscreen window is placed on the primary screen.
However, if the parent widget argument is passed to the QQuickWidget's
constructor, then QQuickWidget's and the offscreen window's screens can
be different and that can create rendering issues, e.g. blurry text if
the primary screen and QQuickWidget's screen have different scale
factors.

Change-Id: I10c62b5635664f943b11828773f14017f198a770
Reviewed-by: David Edmundson <davidedmundson@kde.org>
Reviewed-by: Laszlo Agocs <laszlo.agocs@qt.io>
(cherry picked from commit a2a2734bffa1459639b31fb3f4f83873ba44ab5c)
---
 src/quickwidgets/qquickwidget.cpp | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/src/quickwidgets/qquickwidget.cpp b/src/quickwidgets/qquickwidget.cpp
index 39780f8de3..223d91f579 100644
--- a/src/quickwidgets/qquickwidget.cpp
+++ b/src/quickwidgets/qquickwidget.cpp
@@ -106,6 +106,7 @@ void QQuickWidgetPrivate::init(QQmlEngine* e)
 
     renderControl = new QQuickWidgetRenderControl(q);
     offscreenWindow = new QQuickWindow(*new QQuickOffcreenWindowPrivate(),renderControl);
+    offscreenWindow->setScreen(q->screen());
     offscreenWindow->setTitle(QString::fromLatin1("Offscreen"));
     offscreenWindow->setObjectName(QString::fromLatin1("QQuickOffScreenWindow"));
     // Do not call create() on offscreenWindow.
@@ -901,9 +902,7 @@ void QQuickWidgetPrivate::createContext()
 
         context = new QOpenGLContext;
         context->setFormat(offscreenWindow->requestedFormat());
-        const QWindow *win = q->window()->windowHandle();
-        if (win && win->screen())
-            context->setScreen(win->screen());
+        context->setScreen(q->screen());
         QOpenGLContext *shareContext = qt_gl_global_share_context();
         if (!shareContext)
             shareContext = QWidgetPrivate::get(q->window())->shareContext();
@@ -1520,19 +1519,16 @@ bool QQuickWidget::event(QEvent *e)
         d->handleWindowChange();
         break;
 
-    case QEvent::ScreenChangeInternal:
-        if (QWindow *window = this->window()->windowHandle()) {
-            QScreen *newScreen = window->screen();
-
-            if (d->offscreenWindow)
-                d->offscreenWindow->setScreen(newScreen);
-            if (d->offscreenSurface)
-                d->offscreenSurface->setScreen(newScreen);
+    case QEvent::ScreenChangeInternal: {
+        QScreen *newScreen = screen();
+        if (d->offscreenWindow)
+            d->offscreenWindow->setScreen(newScreen);
+        if (d->offscreenSurface)
+            d->offscreenSurface->setScreen(newScreen);
 #if QT_CONFIG(opengl)
-            if (d->context)
-                d->context->setScreen(newScreen);
+        if (d->context)
+            d->context->setScreen(newScreen);
 #endif
-        }
 
         if (d->useSoftwareRenderer
 #if QT_CONFIG(opengl)
@@ -1545,7 +1541,7 @@ bool QQuickWidget::event(QEvent *e)
             d->render(true);
         }
         break;
-
+    }
     case QEvent::Show:
     case QEvent::Move:
         d->updatePosition();
-- 
2.36.0

From 51efb2ed2f071beda188270a23ac450fe4b318f7 Mon Sep 17 00:00:00 2001
From: Fabian Kosmale <fabian.kosmale@qt.io>
Date: Wed, 4 May 2022 09:10:54 +0200
Subject: [PATCH 17/19] QQuickItem: Guard against cycles in
 nextPrevItemInTabFocusChain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nextPrevItemInTabFocusChain already had a check to prevent running into
cycles, it would however only detect if we reached the original item. If
our cycle instead would loop between reachable items without ever
returning to the initial one, as in the diagram below, then we would
never terminate the loop.

            /-->other item<---next item
initial-item           \          ^
                        \         |
			 --->different item

To prevent this from happening, we keep track of all items we've seen so
far. One last complications arises due to the fact that we do visit the
parent twice under some cicrcumstances, but we already have the skip
variable to indicate that case – we simply skip the duplicate check if
it is set to true.

Pick-to: 6.2 6.3
Fixes: QTBUG-87190
Change-Id: I1449a7ebf8f325f00c296e8a8db4360faf1049e4
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit e74bcf751495d9fe27efd195bc04e2a6ae6732a4)
---
 src/quick/items/qquickitem.cpp                      |  7 ++++++-
 .../data/activeFocusOnTab_infiniteLoop3.qml         | 13 +++++++++++++
 tests/auto/quick/qquickitem2/tst_qquickitem.cpp     | 12 ++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 tests/auto/quick/qquickitem2/data/activeFocusOnTab_infiniteLoop3.qml

diff --git a/src/quick/items/qquickitem.cpp b/src/quick/items/qquickitem.cpp
index 497672b497..81b0db0b69 100644
--- a/src/quick/items/qquickitem.cpp
+++ b/src/quick/items/qquickitem.cpp
@@ -59,6 +59,7 @@
 #include <QtCore/private/qnumeric_p.h>
 #include <QtGui/qpa/qplatformtheme.h>
 #include <QtCore/qloggingcategory.h>
+#include <QtCore/private/qduplicatetracker_p.h>
 
 #include <private/qqmlglobal_p.h>
 #include <private/qqmlengine_p.h>
@@ -2520,6 +2521,7 @@ QQuickItem* QQuickItemPrivate::nextPrevItemInTabFocusChain(QQuickItem *item, boo
     QQuickItem *current = item;
     qCDebug(DBG_FOCUS) << "QQuickItemPrivate::nextPrevItemInTabFocusChain: startItem:" << startItem;
     qCDebug(DBG_FOCUS) << "QQuickItemPrivate::nextPrevItemInTabFocusChain: firstFromItem:" << firstFromItem;
+    QDuplicateTracker<QQuickItem *> cycleDetector;
     do {
         qCDebug(DBG_FOCUS) << "QQuickItemPrivate::nextPrevItemInTabFocusChain: current:" << current;
         qCDebug(DBG_FOCUS) << "QQuickItemPrivate::nextPrevItemInTabFocusChain: from:" << from;
@@ -2586,7 +2588,10 @@ QQuickItem* QQuickItemPrivate::nextPrevItemInTabFocusChain(QQuickItem *item, boo
         // traversed all of the chain (by compare the [current] item with [startItem])
         // Since the [startItem] might be promoted to its parent if it is invisible,
         // we still have to check [current] item with original start item
-        if ((current == startItem || current == originalStartItem) && from == firstFromItem) {
+        // We might also run into a cycle before we reach firstFromItem again
+        // but note that we have to ignore current if we are meant to skip it
+        if (((current == startItem || current == originalStartItem) && from == firstFromItem) ||
+                (!skip && cycleDetector.hasSeen(current))) {
             // wrapped around, avoid endless loops
             if (item == contentItem) {
                 qCDebug(DBG_FOCUS) << "QQuickItemPrivate::nextPrevItemInTabFocusChain: looped, return contentItem";
diff --git a/tests/auto/quick/qquickitem2/data/activeFocusOnTab_infiniteLoop3.qml b/tests/auto/quick/qquickitem2/data/activeFocusOnTab_infiniteLoop3.qml
new file mode 100644
index 0000000000..889e480f3b
--- /dev/null
+++ b/tests/auto/quick/qquickitem2/data/activeFocusOnTab_infiniteLoop3.qml
@@ -0,0 +1,13 @@
+import QtQuick 2.6
+
+Item {
+    visible: true
+    Item {
+        visible: false
+        Item {
+            objectName: "hiddenChild"
+            activeFocusOnTab: true
+            focus: true
+        }
+    }
+}
diff --git a/tests/auto/quick/qquickitem2/tst_qquickitem.cpp b/tests/auto/quick/qquickitem2/tst_qquickitem.cpp
index f65650cf9c..eeff768bb4 100644
--- a/tests/auto/quick/qquickitem2/tst_qquickitem.cpp
+++ b/tests/auto/quick/qquickitem2/tst_qquickitem.cpp
@@ -66,6 +66,7 @@ private slots:
     void activeFocusOnTab10();
     void activeFocusOnTab_infiniteLoop_data();
     void activeFocusOnTab_infiniteLoop();
+    void activeFocusOnTab_infiniteLoopControls();
 
     void nextItemInFocusChain();
     void nextItemInFocusChain2();
@@ -1055,6 +1056,17 @@ void tst_QQuickItem::activeFocusOnTab_infiniteLoop()
     QCOMPARE(item, window->rootObject());
 }
 
+
+void tst_QQuickItem::activeFocusOnTab_infiniteLoopControls()
+{
+    auto source = testFileUrl("activeFocusOnTab_infiniteLoop3.qml");
+    QScopedPointer<QQuickView>window(new QQuickView());
+    window->setSource(source);
+    window->show();
+    QVERIFY(window->errors().isEmpty());
+    QTest::keyClick(window.get(), Qt::Key_Tab); // should not hang
+}
+
 void tst_QQuickItem::nextItemInFocusChain()
 {
     if (!qt_tab_all_widgets())
-- 
2.36.0

From 415cb49010e1f28405a6eeac16f3eb5a461330e5 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Tue, 16 Jul 2019 11:23:37 +0200
Subject: [PATCH 18/19] QSGOpenGLDistanceFieldGlyphCache: fix multiplication
 result truncation

The type of the expression int * int is int, so truncation has already
happened when the result is assigned to a qint64.

Fix by casting one of the multiplicants to qint64 before performing
the multiplication. This multiplication cannot overflow, because int
is 32-bit on all supported platforms.

The addition of 'size' to the pointer will still truncate the result,
on 32bit platforms, but that check is in itself UB. A follow-up commit
will fix the check, and with it the last truncation to 32bit.

Coverity-Id: 218769
Pick-to: 6.3 6.2 5.15
Change-Id: I0d71950695b9743db8c96d825e68bb1e9c47de02
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit cacfc1dbb9719c0ef55cff69dad0921ce1405438)
---
 src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp b/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
index 53b6fe117f..f7cb8bede3 100644
--- a/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
+++ b/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
@@ -512,7 +512,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
 
             int width = texInfo->allocatedArea.width();
             int height = texInfo->allocatedArea.height();
-            qint64 size = width * height;
+            qint64 size = qint64(width) * height;
             if (reinterpret_cast<const char *>(textureData + size) > qtdfTableEnd) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
-- 
2.36.0

From 2454c808bfe99b50084aea59adb917e805c27afa Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Tue, 16 Jul 2019 11:31:01 +0200
Subject: [PATCH 19/19] QSGOpenGLDistanceFieldGlyphCache: fix UB (ordering of
 pointers not from the same array)

The code performed out of bounds checks by adding the size of the
buffer to a pointer and comparing the result to the the
one-past-the-end pointer of the buffer.

This is UB, for three reasons:

- in one case, a qint64 is added to a pointer, silently truncating the
  result on 32bit platforms

- if the buffer overflow is large, the pointer value may wrap around,
  yielding a result that is numerically less than the end pointer, but
  still out-of-bounds.

- pointer order is only defined within a C array, plus one past the
  end. On failure, pointers outside that range are compared.

Fix by comparing distance(it, end) with the required size for the
chunk to be written instead.

Pick-to: 6.3 6.2 5.15
Change-Id: I356bb8c8a65a93b8b1c1eb7bac381dd64bea719e
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 8d9bd6b381bfc759d575954801b683354ad6a790)
---
 src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp b/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
index f7cb8bede3..219cdd5966 100644
--- a/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
+++ b/src/quick/scenegraph/qsgrhidistancefieldglyphcache.cpp
@@ -446,7 +446,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
 
         const char *textureRecord = allocatorData;
         for (int i = 0; i < textureCount; ++i, textureRecord += Qtdf::TextureRecordSize) {
-            if (textureRecord + Qtdf::TextureRecordSize > qtdfTableEnd) {
+            if (qtdfTableEnd - textureRecord < Qtdf::TextureRecordSize) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
                 return false;
@@ -462,7 +462,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
 
         const char *glyphRecord = textureRecord;
         for (quint32 i = 0; i < glyphCount; ++i, glyphRecord += Qtdf::GlyphRecordSize) {
-            if (glyphRecord + Qtdf::GlyphRecordSize > qtdfTableEnd) {
+            if (qtdfTableEnd - glyphRecord < Qtdf:: GlyphRecordSize) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
                 return false;
@@ -513,7 +513,7 @@ bool QSGRhiDistanceFieldGlyphCache::loadPregeneratedCache(const QRawFont &font)
             int width = texInfo->allocatedArea.width();
             int height = texInfo->allocatedArea.height();
             qint64 size = qint64(width) * height;
-            if (reinterpret_cast<const char *>(textureData + size) > qtdfTableEnd) {
+            if (qtdfTableEnd - reinterpret_cast<const char *>(textureData) < size) {
                 qWarning("qtdf table too small in font '%s'.",
                          qPrintable(font.familyName()));
                 return false;
-- 
2.36.0