Fix possible double free when hiding a window

There was a race condition between the gui and the wayland event thread
which could lead to double freeing the QWaylandShmBackingStore's frame
callback. Protect the wl_callback_destroy calls using a mutex.

Change-Id: Ia70ebac208a6d4450328ba5254a850be26d84d6d
Reviewed-by: Laszlo Agocs <laszlo.agocs@theqtcompany.com>

src/plugins/platforms/wayland/qwaylandshmbackingstore.cpp

@@ -46,6 +46,7 @@
 
 #include <QtCore/qdebug.h>
 #include <QtGui/QPainter>
+#include <QMutexLocker>
 
 #include <wayland-client.h>
 #include <unistd.h>
@@ -180,6 +181,7 @@ void QWaylandShmBackingStore::endPaint()
 
 void QWaylandShmBackingStore::hidden()
 {
+    QMutexLocker lock(&mMutex);
     if (mFrameCallback) {
         wl_callback_destroy(mFrameCallback);
         mFrameCallback = Q_NULLPTR;
@@ -341,6 +343,7 @@ void QWaylandShmBackingStore::done(void *data, wl_callback *callback, uint32_t t
             static_cast<QWaylandShmBackingStore *>(data);
     if (callback != self->mFrameCallback) // others, like QWaylandWindow, may trigger callbacks too
         return;
+    QMutexLocker lock(&self->mMutex);
     QWaylandWindow *window = self->waylandWindow();
     wl_callback_destroy(self->mFrameCallback);
     self->mFrameCallback = 0;

src/plugins/platforms/wayland/qwaylandshmbackingstore_p.h

@@ -47,6 +47,7 @@
 #include <qpa/qplatformbackingstore.h>
 #include <QtGui/QImage>
 #include <qpa/qplatformwindow.h>
+#include <QMutex>
 
 QT_BEGIN_NAMESPACE
 
@@ -106,6 +107,7 @@ private:
     QWaylandShmBuffer *mBackBuffer;
     bool mFrontBufferIsDirty;
     bool mPainting;
+    QMutex mMutex;
 
     QSize mRequestedSize;
     Qt::WindowFlags mCurrentWindowFlags;