JSString::value() can throw an exception if the JS string is a rope and value() needs to resolve the rope but encounters an OutOfMemory error. If value() is not able to resolve the rope, it will return a null string (in addition to throwing the exception). If StringPrototype functions do not check for exceptions after calling JSString::value(), they may eventually use the returned null string and crash the VM. The fix is to add all the necessary exception checks, and do the appropriate handling if needed.
<rdar://problem/24662137>
Created attachment 271568 [details] proposed patch.
Thanks for the review. Landed in r196721: <http://trac.webkit.org/r196721>.