Created attachment 405030 [details] Patch

<rdar://problem/65925490>

Comment on attachment 405030 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405030&action=review r=me with fix. > Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:228 > + auto rejectFunction = promiseConstructor->get(&lexicalGlobalObject, vm.propertyNames->builtinNames().rejectPrivateName()); > + EXCEPTION_ASSERT(!scope.exception() || isTerminatedExecutionException(vm, scope.exception())); Are you sure that getting the property with rejectPrivateName() will never throw? I see that it can be lazily generated using promiseConstructorRejectCodeGenerator(). Can this trigger an OOME / StackOverflow? Regardless, I think you need a RETURN_IF_EXCEPTION() after this. Even if we're seeing a termination exception, we still need to bail.

Comment on attachment 405030 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405030&action=review >> Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:228 >> + EXCEPTION_ASSERT(!scope.exception() || isTerminatedExecutionException(vm, scope.exception())); > > Are you sure that getting the property with rejectPrivateName() will never throw? I see that it can be lazily generated using promiseConstructorRejectCodeGenerator(). Can this trigger an OOME / StackOverflow? Regardless, I think you need a RETURN_IF_EXCEPTION() after this. Even if we're seeing a termination exception, we still need to bail. OK, maybe, just using RETURN_IF_EXCEPTION() is better. Changed.

Committed r264788: <https://trac.webkit.org/changeset/264788>

Re-opened since this is blocked by bug 214698