Fix memory corruption when sharing QObjects between different QML engines

When marking the JS wrappers for QObject manually, we cannot use
ddata->jsWrapper directly but we must respect the case where the same
object is exposed to different engines and then we must mark the wrapper
that belongs to the engine that is currently collecting garbage.

Change-Id: If82883c762ccaf3431e7074243ff2ff703234d66
Task-number: QTBUG-44895
Reviewed-by: Marco Martin <mart@kde.org>
Reviewed-by: Jan Kundrát <jkt@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Aleix Pol Gonzalez <aleixpol@kde.org>

1 files changed, 7 insertions, 6 deletions

diff --git a/src/qml/qml/qqmlvmemetaobject.cpp b/src/qml/qml/qqmlvmemetaobject.cpp
index 37ff696579..5b1be15869 100644
--- a/src/qml/qml/qqmlvmemetaobject.cpp
+++ b/src/qml/qml/qqmlvmemetaobject.cpp
@@ -1227,6 +1227,11 @@ void QQmlVMEMetaObject::ensureQObjectWrapper()
 
 void QQmlVMEMetaObject::mark(QV4::ExecutionEngine *e)
 {
+    QQmlEnginePrivate *ep = (ctxt == 0 || ctxt->engine == 0) ? 0 : QQmlEnginePrivate::get(ctxt->engine);
+    QV4::ExecutionEngine *v4 = (ep == 0) ? 0 : ep->v4engine();
+    if (v4 != e)
+        return;
+
     varProperties.markOnce(e);
 
     // add references created by VMEVariant properties
@@ -1234,12 +1239,8 @@ void QQmlVMEMetaObject::mark(QV4::ExecutionEngine *e)
     for (int ii = 0; ii < maxDataIdx; ++ii) { // XXX TODO: optimize?
         if (data[ii].dataType() == QMetaType::QObjectStar) {
             // possible QObject reference.
-            QObject *ref = data[ii].asQObject();
-            if (ref) {
-                QQmlData *ddata = QQmlData::get(ref);
-                if (ddata)
-                    ddata->jsWrapper.markOnce(e);
-            }
+            if (QObject *ref = data[ii].asQObject())
+                QV4::QObjectWrapper::markWrapper(ref, e);
         }
     }