RESOLVED FIXED 189855
JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState. 
https://bugs.webkit.org/show_bug.cgi?id=189855
Summary JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a va...
Mark Lam
Reported 2018-09-21 13:35:15 PDT
<rdar://problem/44680181>
Attachments
proposed patch. (5.62 KB, patch)
2018-09-21 13:45 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2018-09-21 13:45:22 PDT
Created attachment 350418 [details] proposed patch.
Mark Lam
Comment 2 2018-09-21 15:52:40 PDT
Comment on attachment 350418 [details] proposed patch. Thanks for the review. Landing now.
WebKit Commit Bot
Comment 3 2018-09-21 16:18:24 PDT
Comment on attachment 350418 [details] proposed patch. Clearing flags on attachment: 350418 Committed r236369: <https://trac.webkit.org/changeset/236369>
WebKit Commit Bot
Comment 4 2018-09-21 16:18:26 PDT
All reviewed patches have been landed. Closing bug.
Yusuke Suzuki
Comment 5 2018-09-22 04:58:01 PDT
Oops, thank you for fixing it!!!
Alexey Proskuryakov
Comment 6 2018-09-22 15:17:19 PDT
*** Bug 189830 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 7 2018-09-22 15:20:05 PDT
Comment on attachment 350418 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=350418&action=review > Source/JavaScriptCore/ChangeLog:3 > + JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState. What's the test coverage for this fix? Per Dawei's comment in bug 189558, Speedometer started to crash, but did regression tests crash too? It would be less than ideal if a performance test remained our only defense.
Note You need to log in before you can comment on or make changes to this bug.