Ensure that v8 arrays are always converted to object vars when allowed.

content/renderer/pepper/v8_var_converter.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/pepper/v8_var_converter.h"
 
 #include <map>
 #include <stack>
 #include <string>
 
@@ skipping 137 matching lines @@
           &host_buffer->webkit_buffer(), context->Global(), isolate);
       break;
     }
     case PP_VARTYPE_ARRAY:
       *result = v8::Array::New(isolate);
       break;
     case PP_VARTYPE_DICTIONARY:
       *result = v8::Object::New(isolate);
       break;
     case PP_VARTYPE_OBJECT: {
-      DCHECK(object_vars_allowed == V8VarConverter::kAllowObjectVars);
+      // If object vars are disallowed, we should never be passed an object var
+      // to convert. Also, we should never expect to convert an object var which
+      // is nested inside an array or dictionary.
+      if (object_vars_allowed == V8VarConverter::kDisallowObjectVars ||
+          visited_ids->size() != 0) {
+        NOTREACHED();
+        result->Clear();
+        return false;
+      }
       scoped_refptr<V8ObjectVar> v8_object_var = V8ObjectVar::FromPPVar(var);
       if (!v8_object_var.get()) {
         NOTREACHED();
         result->Clear();
         return false;
       }
       *result = v8_object_var->GetHandle();
       break;
     }
     case PP_VARTYPE_RESOURCE:
@@ skipping 49 matching lines @@
     *result = PP_MakeNull();
   } else if (val->IsBoolean() || val->IsBooleanObject()) {
     *result = PP_MakeBool(PP_FromBool(val->ToBoolean()->Value()));
   } else if (val->IsInt32()) {
     *result = PP_MakeInt32(val->ToInt32()->Value());
   } else if (val->IsNumber() || val->IsNumberObject()) {
     *result = PP_MakeDouble(val->ToNumber()->Value());
   } else if (val->IsString() || val->IsStringObject()) {
     v8::String::Utf8Value utf8(val->ToString());
     *result = StringVar::StringToPPVar(std::string(*utf8, utf8.length()));
-  } else if (val->IsArray()) {
-    *result = (new ArrayVar())->GetPPVar();
   } else if (val->IsObject()) {
+    // For any other v8 objects, the conversion happens as follows:
+    // 1) If the object is an array buffer, return an ArrayBufferVar.
+    // 2) If object vars are allowed, return the object wrapped as a
+    //    V8ObjectVar. This is to maintain backward compatibility with
+    //    synchronous scripting in Flash.
+    // 3) If the object is an array, return an ArrayVar.
+    // 4) If the object can be converted to a resource, return the ResourceVar.
+    // 5) Otherwise return a DictionaryVar.
     scoped_ptr<blink::WebArrayBuffer> web_array_buffer(
         blink::WebArrayBufferConverter::createFromV8Value(val, isolate));
     if (web_array_buffer.get()) {
       scoped_refptr<HostArrayBufferVar> buffer_var(
           new HostArrayBufferVar(*web_array_buffer));
       *result = buffer_var->GetPPVar();
     } else if (object_vars_allowed == V8VarConverter::kAllowObjectVars) {
       v8::Handle<v8::Object> object = val->ToObject();
       *result = content::HostGlobals::Get()->
           host_var_tracker()->V8ObjectVarForV8Object(instance, object);
+    } else if (val->IsArray()) {
+      *result = (new ArrayVar())->GetPPVar();
     } else {
       bool was_resource;
       if (!resource_converter->FromV8Value(
               val->ToObject(), context, result, &was_resource))
         return false;
       if (!was_resource) {
         *result = (new DictionaryVar())->GetPPVar();
       }
     }
   } else {
@@ skipping 344 matching lines @@
             std::string(*name_utf8, name_utf8.length()), child_var);
         DCHECK(success);
       }
     }
   }
   *result_var = root;
   return true;
 }
 
 }  // namespace content