From a2d5e37f0f9f7e2d8d7bf5390271f2c478a2a177 Mon Sep 17 00:00:00 2001
From: Kent Hansen
Date: Fri, 1 Jun 2012 20:27:05 +0200
Subject: Fix crash when accessing QObject properties through activation object
Since objects in the scope chain have to be JSActivationObjects, QScriptContext::setActivationObject() creates a proxy object that should delegate access to the actual object. This case was not handled in the toQObject() conversion function, so for activation property access through evaluation (where the this-object would be the proxy object, not the actual QObject), the this-object conversion to QObject would fail, and the assert "this-object must be a QObject" was triggered.
Cherry-picked from qt5/qtscript commit 44062ea8e2499f8d2061c7e5be8fb754f2ba4310
Task-number: QTBUG-21760
Change-Id: I284b70ea5c9af3a15dadd4243283afe0d00bcd5a
Reviewed-by: Olivier Goffart
---
 src/script/api/qscriptengine_p.h | 4 ++++
 tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/src/script/api/qscriptengine_p.h b/src/script/api/qscriptengine_p.h
index a9ed245..e3aad57 100644
--- a/src/script/api/qscriptengine_p.h
+++ b/src/script/api/qscriptengine_p.h
@@ -50,6 +50,7 @@
 #include "bridge/qscriptobject_p.h"
 #include "bridge/qscriptqobject_p.h"
 #include "bridge/qscriptvariant_p.h"
+#include "bridge/qscriptactivationobject_p.h"
 #include "DateConstructor.h"
 #include "DateInstance.h"
@@ -1058,6 +1059,9 @@ inline QObject *QScriptEnginePrivate::toQObject(JSC::ExecState *exec, JSC::JSVal
 if ((type == QMetaType::QObjectStar) || (type == QMetaType::QWidgetStar))
 return *reinterpret_cast(var.constData());
 }
+ } else if (isObject(value) && value.inherits(&QScript::QScriptActivationObject::info)) {
+ QScript::QScriptActivationObject *proxy = static_cast(JSC::asObject(value));
+ return toQObject(exec, proxy->delegate());
 }
 #endif
 return 0;
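Review bot: The new `else if` branch in toQObject() passes `proxy->delegate()` straight back into toQObject() without an explicit check that the proxy actually has a delegate. Whether delegate() can be empty is not visible in this hunk, so the recursion presumably relies on the `isObject(value)` guards at the top of each branch to reject an empty value. If that is not guaranteed, an early `if (!proxy->delegate()) return 0;` before the recursive call makes the null case explicit instead of implicit. A short comment such as `// proxy installed by QScriptContext::setActivationObject(): unwrap to the real object` would also record that the downcast is only safe because of the `inherits()` test on the same condition. toQObject()'s body starts outside the hunk.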
diff --git a/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp b/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
index 773df8a..cb27878 100644
--- a/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
+++ b/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
@@ -584,6 +584,7 @@ private slots:
 void nestedArrayAsSlotArgument();
 void nestedObjectAsSlotArgument_data();
 void nestedObjectAsSlotArgument();
+ void propertyAccessThroughActivationObject();
 private:
 QScriptEngine *m_engine;
@@ -3625,5 +3626,22 @@ void tst_QScriptExtQObject::nestedObjectAsSlotArgument()
 }
 }
+// QTBUG-21760
+void tst_QScriptExtQObject::propertyAccessThroughActivationObject()
+{
+ QScriptContext *ctx = m_engine->pushContext();
+ ctx->setActivationObject(m_engine->newQObject(m_myObject));
+
+ QVERIFY(m_engine->evaluate("intProperty").isNumber());
+ QVERIFY(m_engine->evaluate("mySlot()").isUndefined());
+ QVERIFY(m_engine->evaluate("mySlotWithStringArg('test')").isUndefined());
+
+ QVERIFY(m_engine->evaluate("dynamicProperty").isError());
+ m_myObject->setProperty("dynamicProperty", 123);
+ QCOMPARE(m_engine->evaluate("dynamicProperty").toInt32(), 123);
+
+ m_engine->popContext();
+}
+
 QTEST_MAIN(tst_QScriptExtQObject)
 #include "tst_qscriptextqobject.moc"
-- cgit v0.12
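Review bot: propertyAccessThroughActivationObject() only reads properties and calls slots through the proxy, so a property write, which presumably resolves its this-object through the same toQObject() conversion, is not pinned by this regression test. Adding `m_engine->evaluate("intProperty = 456");` followed by `QCOMPARE(m_myObject->property("intProperty").toInt(), 456);` would cover the setter path. Separately, a failing QVERIFY returns before `m_engine->popContext()` runs, leaving the pushed context and its activation object on m_engine. Whether init()/cleanup() recreate the engine for each test is not visible in this hunk, so it is worth confirming that a failure here cannot affect later test functions.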