Crash when returning non-QObject Python object to QML

When implementing a QML property you can return a Python object, which will work until the javascript interpreter runs the JS GC, at which point a crash occurs due to what looks like a double free.

Running the attached code produces the following output:

Python 3.8
Qt 6.4.2 (x86_64-little_endian-llp64 shared (dynamic) release build; by MSVC 2019) [limited API]
Dummy object died
Windows fatal exception: access violationCurrent thread 0x00005fc8 (most recent call first):
  File ".\refcountbug.py", line 31 in _getDummy  
  File ".\refcountbug.py", line 28 in _sendUpdate
  File ".\refcountbug.py", line 56 in <module> 

The dummy object is deleted, even though the Python class still has a reference to it. The WinDbg call stack for when the object is deleted has also been attached (I added an input() to the destructor, hence the calls to PyOS_*). WinDbg didn't have debug symbols for PySide, so the symbol names might be misleading.

On Windows the crash happens reliably on iteration 7181, while on Linux it crashes on iteration 7441. I assume these numbers relate to when the JS GC is triggered.

It is also possible to trigger the bug by calling gc from QML when more than one iteration has passed, to make the bug occur faster. An alternative version of the code doing this is attached (refcountbug_with_gc.py). The output on Windows is:

Python 3.8
Qt 6.4.1 (x86_64-little_endian-llp64 shared (dynamic) release build; by MSVC 2019) [limited API]
qml: Before GC
Dummy object died at 2
qml: After GC 

And on Linux is:

Python 3.10
Qt 6.4.1 (x86_64-little_endian-lp64 shared (dynamic) release build; by GCC 12.2.0) [limited API]
qml: Before GC
Dummy object died at 2
qml: After GC