QQuickStackView: Avoid use-after-free

The element can get deleted when stopping the transitions. Also, only
register the change listener if we are going to keep the item.

Pick-to: 6.2 6.3 6.4
Fixes: QTBUG-98769
Change-Id: I2fa6542fdc0dc92f3f1f0b20996cd59ce51a48cb
Reviewed-by: Mitch Curtis <mitch.curtis@qt.io>

src/quicktemplates2/qquickstackelement.cpp

@@ -172,7 +172,6 @@ void QQuickStackElement::initialize(RequiredProperties &requiredProperties)
     if (!(heightValid = p->heightValid()))
         item->setHeight(view->height());
     item->setParentItem(view);
-    p->addItemChangeListener(this, QQuickItemPrivate::Destroyed);
 
     if (!properties.isUndefined()) {
         QQmlEngine *engine = qmlEngine(view);
@@ -186,6 +185,7 @@ void QQuickStackElement::initialize(RequiredProperties &requiredProperties)
         QQmlComponentPrivate::setInitialProperties(v4, qmlContext, qmlObject, ipv, requiredProperties, item);
         properties.clear();
     }
+
     if (!requiredProperties.empty()) {
         QString error;
         for (const auto &property: requiredProperties) {
@@ -194,6 +194,8 @@ void QQuickStackElement::initialize(RequiredProperties &requiredProperties)
         }
         QQuickStackViewPrivate::get(view)->warn(error);
         item = nullptr;
+    } else {
+        p->addItemChangeListener(this, QQuickItemPrivate::Destroyed);
     }
 
     init = true;

src/quicktemplates2/qquickstackview_p.cpp

@@ -252,7 +252,7 @@ void QQuickStackViewPrivate::completeTransition(QQuickStackElement *element, QQu
             // the animation timer.
             // This allows us to correctly restore all the properties affected
             // by the push/pop animations.
-            element->completeTransition(transition);
+            ACTION_IF_DELETED(element, element->completeTransition(transition), return);
         } else if (element->item) {
             // At least try to move the item to its desired place. This,
             // however, is only a partly correct solution, because a lot more