Fix crash when accessing QObject properties through activation object

Since objects in the scope chain have to be JSActivationObjects,
QScriptContext::setActivationObject() creates a proxy object that
should delegate access to the actual object.

This case was not handled in the toQObject() conversion function, so
for activation property access through evaluation (where the
this-object would be the proxy object, not the actual QObject), the
this-object conversion to QObject would fail, and the assert
"this-object must be a QObject" was triggered.

Cherry-picked from qt5/qtscript commit
44062ea8e2499f8d2061c7e5be8fb754f2ba4310

Task-number: QTBUG-21760
Change-Id: I284b70ea5c9af3a15dadd4243283afe0d00bcd5a
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/src/script/api/qscriptengine_p.h b/src/script/api/qscriptengine_p.h
index a9ed245..e3aad57 100644
--- a/src/script/api/qscriptengine_p.h
+++ b/src/script/api/qscriptengine_p.h
@@ -50,6 +50,7 @@
 #include "bridge/qscriptobject_p.h"
 #include "bridge/qscriptqobject_p.h"
 #include "bridge/qscriptvariant_p.h"
+#include "bridge/qscriptactivationobject_p.h"
 
 #include "DateConstructor.h"
 #include "DateInstance.h"
@@ -1058,6 +1059,9 @@ inline QObject *QScriptEnginePrivate::toQObject(JSC::ExecState *exec, JSC::JSVal
             if ((type == QMetaType::QObjectStar) || (type == QMetaType::QWidgetStar))
                 return *reinterpret_cast<QObject* const *>(var.constData());
         }
+    } else if (isObject(value) && value.inherits(&QScript::QScriptActivationObject::info)) {
+        QScript::QScriptActivationObject *proxy = static_cast<QScript::QScriptActivationObject *>(JSC::asObject(value));
+        return toQObject(exec, proxy->delegate());
     }
 #endif
     return 0;