Fixing crash in V8ValueConverter.

content/renderer/v8_value_converter_impl.cc

Index: content/renderer/v8_value_converter_impl.cc
diff --git a/content/renderer/v8_value_converter_impl.cc b/content/renderer/v8_value_converter_impl.cc
index dc76394da5c61202cc90a57952109143538ea8ec..4182b0a705db94a34fe523c3436561cc1a8a957c 100644
--- a/content/renderer/v8_value_converter_impl.cc
+++ b/content/renderer/v8_value_converter_impl.cc
@@ -311,7 +311,19 @@ Value* V8ValueConverterImpl::FromV8Object(
   for (uint32 i = 0; i < property_names->Length(); ++i) {
     v8::Handle<v8::Value> key(property_names->Get(i));
 
-    if (!key->IsString() || !val->HasRealNamedProperty(key->ToString()))
+    // Skip this child if:
+    //  - |key| is not a string
+    //  - A property does not actually exist with |key|
+    //  - The property is actually a named callback and the object has internal
+    //    fields
+    // The last case still allows for accessor defined via __defineGetter__, but
+    // skips objects that have internally defined fields. Objects with
+    // internal named callbacks (like DOM input elements) are not meant to be
+    // converted and causes crashes: crbug.com/139933
+    if (!key->IsString() ||

[Aaron Boodman, 2012/08/02 18:13:44]

Would be more clear like:

// base::DictionaryValue can only have string properties.
// Anyway, this is probably an Array.
if (!key->IsString())
  continue;

// Whatever the reason for this is here...
if (!val->HasRealNamedProperty(key->ToString())
  continue;

... etc ...

[eaugusti, 2012/08/02 19:44:53]

Done.

+        !val->HasRealNamedProperty(key->ToString()) ||
+        (val->HasRealNamedCallbackProperty(key->ToString()) &&

[Aaron Boodman, 2012/08/02 18:13:44]

I think it is fine to just skip getters all together.

[eaugusti, 2012/08/02 19:44:53]

Done.

+            val->InternalFieldCount()))
       continue;
 
     v8::String::Utf8Value name_utf8(key->ToString());