From c89315da2e836fe67c4228cfb73c25a68b0a3a95 Mon Sep 17 00:00:00 2001
From: Kent Hansen <kent.hansen@nokia.com>
Date: Mon, 25 Jun 2012 15:46:36 +0200
Subject: Don't crash if queued signal handler no longer exists

Task-number: QTBUG-26261

Change-Id: Ie269c56c0336b1c937d4ec551f913ae7537d0338
Reviewed-by: Olivier Goffart <ogoffart@woboq.com>
---
 src/script/bridge/qscriptqobject.cpp               |  8 +++++-
 .../qscriptextqobject/tst_qscriptextqobject.cpp    | 33 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/src/script/bridge/qscriptqobject.cpp b/src/script/bridge/qscriptqobject.cpp
index 962479f..807c94c 100644
--- a/src/script/bridge/qscriptqobject.cpp
+++ b/src/script/bridge/qscriptqobject.cpp
@@ -2092,7 +2092,13 @@ void QObjectConnectionManager::execute(int slotIndex, void **argv)
             }
         }
     }
-    Q_ASSERT(slot && slot.isObject());
+    if (!slot) {
+        // This connection no longer exists (can happen if the signal is
+        // emitted from another thread and the call gets queued, but the
+        // connection is removed before the QMetaCallEvent gets processed).
+        return;
+    }
+    Q_ASSERT(slot.isObject());
 
     if (engine->isCollecting()) {
         qWarning("QtScript: can't execute signal handler during GC");
diff --git a/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp b/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
index d4c4caf..bbf72ad 100644
--- a/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
+++ b/tests/auto/qscriptextqobject/tst_qscriptextqobject.cpp
@@ -585,6 +585,7 @@ private slots:
     void nestedObjectAsSlotArgument_data();
     void nestedObjectAsSlotArgument();
     void propertyAccessThroughActivationObject();
+    void connectionRemovedAfterQueuedCall();
 
 private:
     QScriptEngine *m_engine;
@@ -3672,5 +3673,37 @@ void tst_QScriptExtQObject::propertyAccessThroughActivationObject()
     m_engine->popContext();
 }
 
+class SignalEmitterThread : public QThread
+{
+public:
+    SignalEmitterThread(MyQObject *sender)
+        : m_sender(sender)
+    { }
+
+    void run()
+    { m_sender->emitMySignal(); }
+
+private:
+    MyQObject *m_sender;
+};
+
+// QTBUG-26261
+void tst_QScriptExtQObject::connectionRemovedAfterQueuedCall()
+{
+    QVERIFY(m_engine->evaluate("var pass = true; function onMySignal() { pass = false; }").isUndefined());
+    QVERIFY(m_engine->evaluate("myObject.mySignal.connect(onMySignal)").isUndefined());
+
+    SignalEmitterThread thread(m_myObject);
+    QVERIFY(m_myObject->thread() != &thread); // Premise for queued call
+    thread.start();
+    QVERIFY(thread.wait());
+
+    QVERIFY(m_engine->evaluate("myObject.mySignal.disconnect(onMySignal)").isUndefined());
+    // Should not crash
+    QCoreApplication::processEvents();
+
+    QVERIFY(m_engine->evaluate("pass").toBool());
+}
+
 QTEST_MAIN(tst_QScriptExtQObject)
 #include "tst_qscriptextqobject.moc"
-- 
cgit v1.2.1