...
<rdar://problem/35100027>
<rdar://problem/35100031>
<rdar://problem/34005500>
Created attachment 324428 [details] Patch
Created attachment 324429 [details] Patch
Comment on attachment 324429 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324429&action=review > Source/JavaScriptCore/ChangeLog:7 > + Can you explain what's going on? It's not obvious from anything that there isn't a bad caller here. Why is it the callee's responsibility. Etc
Is this old patch still relevant?
Per discussion with Keith, this does not appear to be actually a security bug.
Comment on attachment 324429 [details] Patch Looks like this still applies and passes tests. Presumably the purpose of this is to prevent a crash or affect some observable behavior, but there's no test case. This also makes it hard to determine why this change is necessary.
Comment on attachment 324429 [details] Patch I think we need to check the existing users of `possiblySharedBuffer()` carefully. I think there are a lot of users which expect `nullptr` as neutered status. But they are now wrong. So we should fix them too. Another question is, if neutering does not make it nullptr, can we change this signature to `Ref<ArrayBuffer> possiblySharedBuffer() const` instead? If we cannot do that, when do we get nullptr?
Comment on attachment 324429 [details] Patch This has been requesting review for more than one year. If this is still needed, please rebase and re-request review.