Fix crash when converting QObjectList

We were passing on a PassRefPtr to multiple lower calls, since any
conversion from a PassRefPtr to a RefPtr will reset the PassRefPtr to
null, it should not be used for multiple calls.

Task-number: QTBUG-34278
Change-Id: I8d4bf28e25eb6e66baef38e0352c40a08f504538
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/Source/WebCore/bridge/qt/qt_runtime.cpp b/Source/WebCore/bridge/qt/qt_runtime.cpp
index d382462ac..e6a3e6b9f 100644
--- a/Source/WebCore/bridge/qt/qt_runtime.cpp
+++ b/Source/WebCore/bridge/qt/qt_runtime.cpp
@@ -805,10 +805,11 @@ JSValueRef convertQVariantToValue(JSContextRef context, PassRefPtr<RootObject> r
     } else if (type == static_cast<QMetaType::Type>(qMetaTypeId<QObjectList>())) {
         QObjectList ol = variant.value<QObjectList>();
         JSObjectRef array = JSObjectMakeArray(context, 0, 0, exception);
+        RefPtr<RootObject> rootRef(root); // We need a real reference, since PassRefPtr may only be passed on to one call.
         ExecState* exec = toJS(context);
         APIEntryShim entryShim(exec);
         for (int i = 0; i < ol.count(); ++i) {
-            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), root, QtInstance::QtOwnership)->createRuntimeObject(exec));
+            JSValueRef jsObject = toRef(exec, QtInstance::getQtInstance(ol.at(i), rootRef, QtInstance::QtOwnership)->createRuntimeObject(exec));
             JSObjectSetPropertyAtIndex(context, array, i, jsObject, /*ignored exception*/0);
         }
         return array;