authormichaeln@google.com <michaeln@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-11-14 23:19:44 +0000
committermichaeln@google.com <michaeln@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2008-11-14 23:19:44 +0000
commitc7166029d29e0f702a0ec4c3efc9aa4319de35cb (patch)
treebc8fc2be8f7cfcf75d217b45a304492801d19269
parent94f686369c158fe46a327849ccae9f31c423adef (diff)
Fix a renderer crashing bug with NPObject method references.
http://www.corp.google.com/~michaeln/flash_crash/crash.html Review URL: http://codereview.chromium.org/10763 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@5516 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--webkit/port/bindings/v8/v8_npobject.cpp10
1 files changed, 7 insertions, 3 deletions
diff --git a/webkit/port/bindings/v8/v8_npobject.cpp b/webkit/port/bindings/v8/v8_npobject.cpp
index 48335ac..060f982 100644
--- a/webkit/port/bindings/v8/v8_npobject.cpp
+++ b/webkit/port/bindings/v8/v8_npobject.cpp
@@ -56,8 +56,8 @@ static v8::Handle<v8::Value> NPObjectInvokeImpl(
// These three types are subtypes of HTMLPlugInElement.
if (V8HTMLAppletElement::HasInstance(args.Holder()) ||
- V8HTMLEmbedElement::HasInstance(args.Holder()) ||
- V8HTMLObjectElement::HasInstance(args.Holder())) {
+ V8HTMLEmbedElement::HasInstance(args.Holder()) ||
+ V8HTMLObjectElement::HasInstance(args.Holder())) {
// The holder object is a subtype of HTMLPlugInElement.
HTMLPlugInElement* imp =
V8Proxy::DOMWrapperToNode<HTMLPlugInElement>(args.Holder());
@@ -68,7 +68,11 @@ static v8::Handle<v8::Value> NPObjectInvokeImpl(
} else {
// The holder object is not a subtype of HTMLPlugInElement, it
// must be an NPObject which has three internal fields.
- ASSERT(args.Holder()->InternalFieldCount() == 3);
+ if (args.Holder()->InternalFieldCount() != 3) {
+ V8Proxy::ThrowError(V8Proxy::REFERENCE_ERROR,
+ "NPMethod called on non-NPObject");
+ return v8::Undefined();
+ }
npobject = V8Proxy::ToNativeObject<NPObject>(
V8ClassIndex::NPOBJECT, args.Holder());
}
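Review bot: The new guard on the holder's InternalFieldCount is a heuristic rather than a type check: any wrapper that happens to carry exactly three internal fields still reaches V8Proxy::ToNativeObject on the following line and is reinterpreted as an NPObject. That is a clear improvement over the removed ASSERT, which vanished in release builds, but the assumption should be stated next to the check, e.g. `// Only NPObject wrappers are expected to carry exactly three internal fields; a foreign wrapper with three fields would still be misinterpreted below.` If V8Proxy offers a class-index based check for NPOBJECT, it would be a stronger condition than the field count alone; the REFERENCE_ERROR choice also reads more like a type error, so a TYPE_ERROR variant, if one exists, may be the better fit. NPObjectInvokeImpl both starts and ends outside this hunk.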