The Root-related functionCreateElement(), functionGetElement() and functionSetElementRoot() currently do not protect against bad values. In some cases, fuzzer code will cause crashes in this code. Their jsCast() calls should be replaced with jsDynamicCast() and appropriate checks.
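The change the report asks for, as an added C++ example that is not WebKit's code: a constructed stand-in for the Root and Element objects, with a checked cast in the role of jsDynamicCast() so that each built-in refuses a wrong-kind argument instead of reading fields that do not exist. The Kind tag, Heap, Status codes and the three function signatures are assumptions made for this example; only the function names follow the report.

```cpp
#include <memory>
#include <vector>

// Constructed stand-in for the JS object hierarchy in the report: each object
// carries a runtime kind tag, the way a JSCell carries its ClassInfo, and a
// script can pass any object where a Root or Element is expected.
enum class Kind { Plain, Root, Element };

struct JSObject {
    explicit JSObject(Kind k) : kind(k) {}
    virtual ~JSObject() = default;
    Kind kind;
};

struct Plain : JSObject { Plain() : JSObject(Kind::Plain) {} };
struct Element;
struct Root : JSObject {
    Root() : JSObject(Kind::Root) {}
    Element* element = nullptr;
};
struct Element : JSObject {
    Element() : JSObject(Kind::Element) {}
    Root* root = nullptr;
};

// Owns every object so the example is leak-free (stands in for the GC heap).
struct Heap {
    std::vector<std::unique_ptr<JSObject>> objects;
    template <typename T> T* make() {
        auto owned = std::make_unique<T>();
        T* raw = owned.get();
        objects.push_back(std::move(owned));
        return raw;
    }
};

template <typename T> constexpr Kind kindOf();
template <> constexpr Kind kindOf<Root>() { return Kind::Root; }
template <> constexpr Kind kindOf<Element>() { return Kind::Element; }

// Stand-in for jsCast(): the "before" pattern. It trusts the caller and just
// reinterprets the pointer; with a wrong-kind argument the callee then reads
// fields that are not there, which is the crash class the fuzzer hit. It is
// kept here for contrast only and is never called with a mismatched object.
template <typename T> T* unchecked_jsCast(JSObject* o) {
    return static_cast<T*>(o);
}

// Stand-in for jsDynamicCast(): the "after" pattern. Returns nullptr when the
// runtime kind does not match, so the caller can refuse the argument.
template <typename T> T* checked_jsDynamicCast(JSObject* o) {
    return (o && o->kind == kindOf<T>()) ? static_cast<T*>(o) : nullptr;
}

// A built-in reports success or a TypeError (a real built-in would throw into
// the VM; a return code keeps the outcome checkable here).
enum class Status { Ok, TypeError };

// functionCreateElement(root) analogue: validate root, then link a new Element.
Status createElement(Heap& heap, JSObject* rootArg, Element** out) {
    Root* root = checked_jsDynamicCast<Root>(rootArg);
    if (!root)
        return Status::TypeError;
    Element* element = heap.make<Element>();
    element->root = root;
    root->element = element;
    *out = element;
    return Status::Ok;
}

// functionGetElement(root) analogue.
Status getElement(JSObject* rootArg, Element** out) {
    Root* root = checked_jsDynamicCast<Root>(rootArg);
    if (!root)
        return Status::TypeError;
    *out = root->element;
    return Status::Ok;
}

// functionSetElementRoot(element, root) analogue: both arguments are checked
// before either is dereferenced.
Status setElementRoot(JSObject* elementArg, JSObject* rootArg) {
    Element* element = checked_jsDynamicCast<Element>(elementArg);
    Root* root = checked_jsDynamicCast<Root>(rootArg);
    if (!element || !root)
        return Status::TypeError;
    element->root = root;
    root->element = element;
    return Status::Ok;
}
```

The point of the checked variant is that every argument a script controls is classified before any field of it is touched; a null return from the cast is the signal to stop and report a type error rather than continue.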
Created attachment 273438: Patch
Committed r197862: <http://trac.webkit.org/changeset/197862>
<rdar://problem/24291166>