Fix QScriptValue::construct.

It is not allowed to mix values that were created in different
QScriptEngine instances.

Reviewed-by: Kent Hansen

1 files changed, 14 insertions, 1 deletions

diff --git a/src/script/api/qscriptvalue.cpp b/src/script/api/qscriptvalue.cpp
index 8cd4057..6ce54f5 100644
--- a/src/script/api/qscriptvalue.cpp
+++ b/src/script/api/qscriptvalue.cpp
@@ -1716,7 +1716,14 @@ QScriptValue QScriptValue::construct(const QScriptValueList &args)
 
     QVarLengthArray<JSC::JSValue, 8> argsVector(args.size());
     for (int i = 0; i < args.size(); ++i) {
-        if (!args.at(i).isValid())
+        QScriptValue arg = args.at(i);
+        if (QScriptValuePrivate::getEngine(arg) != d->engine && QScriptValuePrivate::getEngine(arg)) {
+            qWarning("QScriptValue::construct() failed: "
+                     "cannot construct function with argument created in "
+                     "a different engine");
+            return QScriptValue();
+        }
+        if (!arg.isValid())
             argsVector[i] = JSC::jsUndefined();
         else
             argsVector[i] = d->engine->scriptValueToJSCValue(args.at(i));
@@ -1766,6 +1773,12 @@ QScriptValue QScriptValue::construct(const QScriptValue &arguments)
 
     JSC::ExecState *exec = d->engine->currentFrame;
 
+    if (QScriptValuePrivate::getEngine(arguments) != d->engine && QScriptValuePrivate::getEngine(arguments)) {
+        qWarning("QScriptValue::construct() failed: "
+                 "cannot construct function with argument created in "
+                 "a different engine");
+        return QScriptValue();
+    }
     JSC::JSValue array = d->engine->scriptValueToJSCValue(arguments);
     // copied from runtime/FunctionPrototype.cpp, functionProtoFuncApply()
     JSC::MarkedArgumentBuffer applyArgs;