From 970b44d61c9adc51c586069adc902e90bab09666 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@digia.com>
Date: Wed, 13 Nov 2013 11:34:35 +0100
Subject: [PATCH 14/20] Fix crash when converting QObjectList

We were passing on a PassRefPtr to multiple lower calls, since any
conversion from a PassRefPtr to a RefPtr will reset the PassRefPtr to
null, it should not be used for multiple calls.

Task-number: QTBUG-34278
Change-Id: I8d4bf28e25eb6e66baef38e0352c40a08f504538
---
 Source/WebCore/bridge/qt/qt_runtime.cpp     | 3 ++-
 Source/WebCore/bridge/qt/qt_runtime_qt4.cpp | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Source/WebCore/bridge/qt/qt_runtime.cpp b/Source/WebCore/bridge/qt/qt_runtime.cpp
index c058cf6..7a120f2 100644
--- a/Source/WebCore/bridge/qt/qt_runtime.cpp
+++ b/Source/WebCore/bridge/qt/qt_runtime.cpp
@@ -805,10 +805,11 @@ JSValueRef convertQVariantToValue(JSContextRef context, PassRefPtr<RootObject> r
     } else if (type == static_cast<QMetaType::Type>(qMetaTypeId<QObjectList>())) {
         QObjectList ol = variant.value<QObjectList>();
         JSObjectRef array = JSObjectMakeArray(context, 0, 0, exception);
+        RefPtr<RootObject> rootRef(root); // We need a real reference, since PassRefPtr may only be passed on to one call.
         ExecState* exec = toJS(context);
         APIEntryShim entryShim(exec);
         for (int i = 0; i < ol.count(); ++i) {
-            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root, QtInstance::QtOwnership)->createRuntimeObject(exec));
+            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), rootRef, QtInstance::QtOwnership)->createRuntimeObject(exec));
             JSObjectSetPropertyAtIndex(context, array, i, jsObject, /*ignored exception*/0);
         }
         return array;
diff --git a/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp b/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp
index 7397f1b..44eadec 100644
--- a/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp
+++ b/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp
@@ -809,10 +809,11 @@ JSValueRef convertQVariantToValue(JSContextRef context, PassRefPtr<RootObject> r
     } else if (type == static_cast<QMetaType::Type>(qMetaTypeId<QObjectList>())) {
         QObjectList ol = variant.value<QObjectList>();
         JSObjectRef array = JSObjectMakeArray(context, 0, 0, exception);
+        RefPtr<RootObject> rootRef(root); // We need a real reference, since PassRefPtr may only be passed on to one call.
         ExecState* exec = toJS(context);
         APIEntryShim entryShim(exec);
         for (int i = 0; i < ol.count(); ++i) {
-            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root, QtInstance::QtOwnership)->createRuntimeObject(exec));
+            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), rootRef, QtInstance::QtOwnership)->createRuntimeObject(exec));
             JSObjectSetPropertyAtIndex(context, array, i, jsObject, /*ignored exception*/0);
         }
         return array;
-- 
1.8.5.3