third_party/WebKit/Source/core/dom/Document.cpp - Issue 2530243002: Crash in blink::getTypeExtension

Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 2530243002: Crash in blink::getTypeExtension (Closed)

Patch Set: Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: third_party/WebKit/Source/core/dom/Document.cpp

diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp

index 32dd75ac6a48326702bd93bdbbb379f886b46b25..ad17990a8b7ed8de3b0817167e36c7081cbe859f 100644

--- a/third_party/WebKit/Source/core/dom/Document.cpp

+++ b/third_party/WebKit/Source/core/dom/Document.cpp

@@ -702,7 +702,20 @@ String getTypeExtension(Document* document,

if (impl.hasIs())

sof 2016/11/26 07:36:30 Is |exceptionState| intentionally ignored here?

Anton Obzhirov 2016/11/27 19:49:53 Previously getTypeExtension was called in createEl

return impl.is();

- return toCoreString(dict.v8Value()->ToString());

+ v8::Local<v8::String> stringObject;

sof 2016/11/26 07:36:30 The spec says "Let 'is' be the value of |is| membe

Anton Obzhirov 2016/11/27 19:49:53 Yes, stringification of the dictionary is for back

+ if (dict.v8Value()->IsString()) {

+ stringObject = dict.v8Value().As<v8::String>();

+ } else {

+ v8::TryCatch block(dict.isolate());

+ if (!v8Call(dict.v8Value()->ToString(dict.isolate()->GetCurrentContext()),

+ stringObject, block)) {

+ exceptionState.rethrowV8Exception(block.Exception());

+ return emptyString();

+ }

+ if (!stringObject.IsEmpty())

+ return toCoreString(stringObject);

}

return emptyString();

« no previous file with comments | « third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html ('k') | no next file » | no next file with comments »