JSString::value() can throw an exception if the JS string is a rope and value() needs to resolve the rope but encounters an OutOfMemory error. If value() is not able to resolve the rope, it will return a null string (in addition to throwing the exception). If StringPrototype functions do not check for exceptions after calling JSString::value(), they may eventually use the returned null string and crash the VM.
The fix is to add all the necessary exception checks, and do the appropriate handling if needed.
Created attachment 271568
Thanks for the review. Landed in r196721: <http://trac.webkit.org/r196721>.
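The failure mode described in this bug, as an added sketch that is not WebKit code or part of the landed patch: a rope whose `value()` both records an exception and returns a null string, with an unchecked caller beside a checked one. `VM`, `RopeString`, `heapBudget` and the `toUpper*` functions are hypothetical stand-ins, not JavaScriptCore types or APIs.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Simplified stand-ins for illustration; these are not JavaScriptCore types.
struct VM {
    std::size_t heapBudget = 0;     // bytes the model heap can still hand out
    bool exceptionPending = false;  // set when an OutOfMemory error is thrown
};

struct RopeString {
    std::vector<std::string> fibers;  // unresolved pieces of the rope
    std::string flat;                 // resolved contents, once available
    bool resolved = false;

    // Contract from the bug description: on allocation failure, throw on the
    // VM and also return a null string (modelled here as nullptr).
    const std::string* value(VM& vm) {
        if (resolved) return &flat;
        std::size_t total = 0;
        for (const auto& f : fibers) total += f.size();
        if (total > vm.heapBudget) {
            vm.exceptionPending = true;
            return nullptr;
        }
        vm.heapBudget -= total;
        for (const auto& f : fibers) flat += f;
        resolved = true;
        return &flat;
    }
};

static std::string upper(const std::string& in) {
    std::string out;
    for (unsigned char c : in) out += static_cast<char>(std::toupper(c));
    return out;
}

// Unchecked caller: uses whatever value() returned, so a failed resolution
// becomes a null dereference. Only safe when resolution cannot fail.
std::string toUpperUnchecked(VM& vm, RopeString& s) {
    return upper(*s.value(vm));
}

// Checked caller: tests for the pending exception right after value() and
// returns before touching the result or the output.
bool toUpperChecked(VM& vm, RopeString& s, std::string& out) {
    const std::string* str = s.value(vm);
    if (vm.exceptionPending || !str) return false;
    out = upper(*str);
    return true;
}
```

With a budget too small for the rope, `toUpperChecked` returns `false` and leaves the exception pending for the caller to propagate, while `toUpperUnchecked` on the same input would dereference the null result.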