content/renderer/v8_value_converter_impl.cc - Issue 10837066: Fixing crash in V8ValueConverter.

Side by Side Diff: content/renderer/v8_value_converter_impl.cc

Issue 10837066: Fixing crash in V8ValueConverter. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Created 8 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/renderer/v8_value_converter_impl.h"	5 #include "content/renderer/v8_value_converter_impl.h"

6	6

7 #include <string>	7 #include <string>

8	8

9 #include "base/logging.h"	9 #include "base/logging.h"

10 #include "base/memory/scoped_ptr.h"	10 #include "base/memory/scoped_ptr.h"

(...skipping 293 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
304	304

305 scoped_ptr<DictionaryValue> result(new DictionaryValue());	305 scoped_ptr<DictionaryValue> result(new DictionaryValue());

306 v8::Handle<v8::Array> property_names(val->GetPropertyNames());	306 v8::Handle<v8::Array> property_names(val->GetPropertyNames());

307	307

308 if (unique_set)	308 if (unique_set)

309 unique_set->insert(val->GetIdentityHash());	309 unique_set->insert(val->GetIdentityHash());

310	310

311 for (uint32 i = 0; i < property_names->Length(); ++i) {	311 for (uint32 i = 0; i < property_names->Length(); ++i) {

312 v8::Handle<v8::Value> key(property_names->Get(i));	312 v8::Handle<v8::Value> key(property_names->Get(i));

313	313

314 if (!key->IsString() \|\| !val->HasRealNamedProperty(key->ToString()))	314 // Skip this child if:

	315 // - \|key\| is not a string

	316 // - A property does not actually exist with \|key\|

	317 // - The property is actually a named callback and the object has internal

	318 // fields

	319 // The last case still allows for accessor defined via __defineGetter__, but

	320 // skips objects that have internally defined fields. Objects with

	321 // internal named callbacks (like DOM input elements) are not meant to be

	322 // converted and causes crashes: crbug.com/139933

	323 if (!key->IsString() \|\|
	Aaron Boodman 2012/08/02 18:13:44 Would be more clear like: // base::DictionaryValu Would be more clear like: // base::DictionaryValue can only have string properties. // Anyway, this is probably an Array. if (!key->IsString()) continue; // Whatever the reason for this is here... if (!val->HasRealNamedProperty(key->ToString()) continue; ... etc ... eaugusti 2012/08/02 19:44:53 Done. Show quoted text On 2012/08/02 18:13:44, Aaron Boodman wrote: > Would be more clear like: > > // base::DictionaryValue can only have string properties. > // Anyway, this is probably an Array. > if (!key->IsString()) > continue; > > // Whatever the reason for this is here... > if (!val->HasRealNamedProperty(key->ToString()) > continue; > > ... etc ... Done.
	324 !val->HasRealNamedProperty(key->ToString()) \|\|

	325 (val->HasRealNamedCallbackProperty(key->ToString()) &&
	Aaron Boodman 2012/08/02 18:13:44 I think it is fine to just skip getters all togeth I think it is fine to just skip getters all together. eaugusti 2012/08/02 19:44:53 Done. Show quoted text On 2012/08/02 18:13:44, Aaron Boodman wrote: > I think it is fine to just skip getters all together. Done.
	326 val->InternalFieldCount()))

315 continue;	327 continue;

316	328

317 v8::String::Utf8Value name_utf8(key->ToString());	329 v8::String::Utf8Value name_utf8(key->ToString());

318	330

319 v8::TryCatch try_catch;	331 v8::TryCatch try_catch;

320 v8::Handle<v8::Value> child_v8 = val->Get(key);	332 v8::Handle<v8::Value> child_v8 = val->Get(key);

321	333

322 if (try_catch.HasCaught()) {	334 if (try_catch.HasCaught()) {

323 LOG(ERROR) << "Getter for property " << *name_utf8	335 LOG(ERROR) << "Getter for property " << *name_utf8

324 << " threw an exception.";	336 << " threw an exception.";

(...skipping 25 matching lines...) Expand all Loading...
350 // We can avoid all bugs related to this by stripping null.	362 // We can avoid all bugs related to this by stripping null.

351 if (strip_null_from_objects_ && child->IsType(Value::TYPE_NULL))	363 if (strip_null_from_objects_ && child->IsType(Value::TYPE_NULL))

352 continue;	364 continue;

353	365

354 result->SetWithoutPathExpansion(std::string(*name_utf8, name_utf8.length()),	366 result->SetWithoutPathExpansion(std::string(*name_utf8, name_utf8.length()),

355 child.release());	367 child.release());

356 }	368 }

357	369

358 return result.release();	370 return result.release();

359 }	371 }

OLD	NEW