Ensure that v8 arrays are always converted to object vars when allowed.

To maintain synchronous scripting backward compatibility, v8 arrays should always be converted to object vars when allowed. I have added a comment explaining the conversion of objects in more detail. This CL also adds a check to ensure that when we convert an object var to a v8 value that it is never nested inside of an array or dictionary. Before we switched from NPObject to gin, this was never possible so there is no need to add this functionality now and we should restrict this case from ever happening. BUG=411445 Review URL: https://codereview.chromium.org/566463002 Cr-Commit-Position: refs/heads/master@{#294785}

Ensure that v8 arrays are always converted to object vars when allowed.
To maintain synchronous scripting backward compatibility, v8 arrays should always be converted to object vars when allowed. I have added a comment explaining the conversion of objects in more detail. This CL also adds a check to ensure that when we convert an object var to a v8 value that it is never nested inside of an array or dictionary. Before we switched from NPObject to gin, this was never possible so there is no need to add this functionality now and we should restrict this case from ever happening. BUG=411445 Review URL: https://codereview.chromium.org/566463002 Cr-Commit-Position: refs/heads/master@{#294785}
b918671e · raymes · Commit bot · 5a6c114d · b918671e
Commit b918671e authored Sep 14, 2014 by raymes Committed by Commit bot Sep 15, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 3 deletions

content/renderer/pepper/v8_var_converter.cc content/renderer/pepper/v8_var_converter.cc +19 -3

No files found.
--- a/content/renderer/pepper/v8_var_converter.cc
+++ b/content/renderer/pepper/v8_var_converter.cc
@@ -155,7 +155,15 @@ bool GetOrCreateV8Value(v8::Handle<v8::Context> context,
      *result = v8::Object::New(isolate);
      break;
    case PP_VARTYPE_OBJECT: {
-      DCHECK(object_vars_allowed == V8VarConverter::kAllowObjectVars);
+      // If object vars are disallowed, we should never be passed an object var
+      // to convert. Also, we should never expect to convert an object var which
+      // is nested inside an array or dictionary.
+      if (object_vars_allowed == V8VarConverter::kDisallowObjectVars ||
+          visited_ids->size() != 0) {
+        NOTREACHED();
+        result->Clear();
+        return false;
+      }
      scoped_refptr<V8ObjectVar> v8_object_var = V8ObjectVar::FromPPVar(var);
      if (!v8_object_var.get()) {
        NOTREACHED();
@@ -225,9 +233,15 @@ bool GetOrCreateVar(v8::Handle<v8::Value> val,
  } else if (val->IsString() || val->IsStringObject()) {
    v8::String::Utf8Value utf8(val->ToString());
    *result = StringVar::StringToPPVar(std::string(*utf8, utf8.length()));
-  } else if (val->IsArray()) {
-    *result = (new ArrayVar())->GetPPVar();
  } else if (val->IsObject()) {
+    // For any other v8 objects, the conversion happens as follows:
+    // 1) If the object is an array buffer, return an ArrayBufferVar.
+    // 2) If object vars are allowed, return the object wrapped as a
+    //    V8ObjectVar. This is to maintain backward compatibility with
+    //    synchronous scripting in Flash.
+    // 3) If the object is an array, return an ArrayVar.
+    // 4) If the object can be converted to a resource, return the ResourceVar.
+    // 5) Otherwise return a DictionaryVar.
    scoped_ptr<blink::WebArrayBuffer> web_array_buffer(
        blink::WebArrayBufferConverter::createFromV8Value(val, isolate));
    if (web_array_buffer.get()) {
@@ -238,6 +252,8 @@ bool GetOrCreateVar(v8::Handle<v8::Value> val,
      v8::Handle<v8::Object> object = val->ToObject();
      *result = content::HostGlobals::Get()->
          host_var_tracker()->V8ObjectVarForV8Object(instance, object);
+    } else if (val->IsArray()) {
+      *result = (new ArrayVar())->GetPPVar();
    } else {
      bool was_resource;
      if (!resource_converter->FromV8Value(