From ba55aaa53b26c5aed9d4b3f07a0ba795d33d6c91 Mon Sep 17 00:00:00 2001
From: Jeremy Rose <jeremya@chromium.org>
Date: Wed, 16 Sep 2020 12:25:49 -0700
Subject: [PATCH] fix: check for destroyed webcontents in converter (#25431)

---
 shell/common/gin_converters/content_converter.cc         | 6 ++++++
 .../crash-cases/webview-attach-destroyed/index.js        | 9 +++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 spec-main/fixtures/crash-cases/webview-attach-destroyed/index.js

diff --git a/shell/common/gin_converters/content_converter.cc b/shell/common/gin_converters/content_converter.cc
index 489ad9ad8295..e580381badb8 100644
--- a/shell/common/gin_converters/content_converter.cc
+++ b/shell/common/gin_converters/content_converter.cc
@@ -237,6 +237,12 @@ v8::Local<v8::Value> Converter<content::WebContents*>::ToV8(
 bool Converter<content::WebContents*>::FromV8(v8::Isolate* isolate,
                                               v8::Local<v8::Value> val,
                                               content::WebContents** out) {
+  if (!val->IsObject())
+    return false;
+  // gin's unwrapping converter doesn't expect the pointer inside to ever be
+  // nullptr, so we check here first before attempting to unwrap.
+  if (gin_helper::Destroyable::IsDestroyed(val.As<v8::Object>()))
+    return false;
   electron::api::WebContents* web_contents = nullptr;
   if (!gin::ConvertFromV8(isolate, val, &web_contents) || !web_contents)
     return false;
diff --git a/spec-main/fixtures/crash-cases/webview-attach-destroyed/index.js b/spec-main/fixtures/crash-cases/webview-attach-destroyed/index.js
new file mode 100644
index 000000000000..ea6ee7c8b8a8
--- /dev/null
+++ b/spec-main/fixtures/crash-cases/webview-attach-destroyed/index.js
@@ -0,0 +1,9 @@
+const { app, BrowserWindow } = require('electron');
+
+app.whenReady().then(() => {
+  const w = new BrowserWindow({ show: false, webPreferences: { webviewTag: true } });
+  w.loadURL('data:text/html,<webview src="data:text/html,hi"></webview>');
+  app.on('web-contents-created', () => {
+    w.close();
+  });
+});