Crash in blink::getTypeExtension

third_party/WebKit/Source/core/dom/Document.cpp

Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 696a3f2a897752505930b541a4dc930940e74ff4..a8af0083262eefdad528905e48f5670370ab4d9a 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -689,10 +689,15 @@ String getTypeExtension(Document* document,
     ElementCreationOptions impl;
     V8ElementCreationOptions::toImpl(dict.isolate(), dict.v8Value(), impl,
                                      exceptionState);
+    if (exceptionState.hadException())
+      return emptyString();
+
     if (impl.hasIs())
       return impl.is();
 
-    return toCoreString(dict.v8Value()->ToString());
+    // Do not handle stringification, but count it as a string handling

[dominicc (has gone to gerrit), 2017/01/19 05:34:46]

This changes behavior because we won't toString the argument now. I would not
use count this path with this counter, because this path is already changed. If
you want to count it at all, I would add a second counter.

[Anton Obzhirov, 2017/01/19 16:45:44]

I think no need to count this case it should be very rare.

+    UseCounter::count(document,
+                      UseCounter::DocumentCreateElement2ndArgStringHandling);
   }
 
   return emptyString();