decodeObject can return { nullptr }, which is a valid object but doesn't have a value. decodeArrayInternal checks that an object is returned but not that a value can be resolved.
<rdar://problem/74599877>
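As an added example (my own toy code, not WebKit's IPC decoder), the following models the pattern the report describes: a decoder whose result type is an optional that can be engaged while holding a null pointer, and an array decoder that only checks engagement. `Object`, `decodeObjectToy`, `decodeArrayBuggy`, `decodeArrayFixed`, `countNullElements` and the one-byte wire tags are all constructed for this illustration and do not correspond to WebKit's real types or functions. The fixed variant rejects the whole array as soon as any element decodes to an engaged-but-null value, which is the check the report says decodeArrayInternal lacked.

```cpp
// Toy model of "optional came back, but the value inside is null".
// Everything here is constructed for the example; none of it is WebKit code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <optional>
#include <string>
#include <vector>

struct Object {
    std::string name;
};

using ObjectPtr = std::shared_ptr<Object>;
using DecodedObject = std::optional<ObjectPtr>;

// Constructed one-byte-per-element encoding (an assumption for this example):
//   0 -> decodes "successfully" to an engaged optional that holds nullptr
//   1 -> decodes to a real object
//   anything else -> decode failure (disengaged optional)
DecodedObject decodeObjectToy(uint8_t tag)
{
    if (tag == 0)
        return ObjectPtr(); // engaged optional, null value: the case the report describes
    if (tag == 1)
        return std::make_shared<Object>(Object { "element" });
    return std::nullopt;
}

// Buggy array decoder: checks only that an optional came back, so a null
// element is accepted and handed to whoever consumes the array.
std::optional<std::vector<ObjectPtr>> decodeArrayBuggy(const std::vector<uint8_t>& wire)
{
    std::vector<ObjectPtr> result;
    for (uint8_t tag : wire) {
        DecodedObject element = decodeObjectToy(tag);
        if (!element)
            return std::nullopt; // decode failure is handled...
        result.push_back(*element); // ...but *element may be nullptr
    }
    return result;
}

// Fixed array decoder: also rejects an engaged optional whose value is null.
std::optional<std::vector<ObjectPtr>> decodeArrayFixed(const std::vector<uint8_t>& wire)
{
    std::vector<ObjectPtr> result;
    for (uint8_t tag : wire) {
        DecodedObject element = decodeObjectToy(tag);
        if (!element || !*element)
            return std::nullopt; // failure or null value: reject the whole array
        result.push_back(*element);
    }
    return result;
}

// Stand-in for a consumer that would dereference each element: instead of
// crashing, it reports how many elements it would have dereferenced as null.
size_t countNullElements(const std::optional<std::vector<ObjectPtr>>& array)
{
    if (!array)
        return 0;
    size_t nulls = 0;
    for (const ObjectPtr& p : *array)
        if (!p)
            ++nulls;
    return nulls;
}

int main()
{
    // Constructed wire input: a real object, a null object, a real object.
    const std::vector<uint8_t> wire { 1, 0, 1 };
    std::printf("buggy decoder accepted %zu null element(s)\n",
                countNullElements(decodeArrayBuggy(wire)));
    std::printf("fixed decoder rejected the array: %s\n",
                decodeArrayFixed(wire) ? "no" : "yes");
    return 0;
}
```

The point of the two-step check in `decodeArrayFixed` is that "the decode produced a result" and "the result is usable" are different properties of an optional-of-pointer; a consumer that is only told the first will dereference the second.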
Filed this as security but I'm pretty sure it isn't.
Created attachment 425223: Patch

Comment on attachment 425223: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=425223&action=review

> LayoutTests/ipc/decode-object-array-crash.html:13
> +</script>

Can we spit out PASS here like this? document.write('PASS') so that we can be sure that the code ran 'til completion instead of exiting early due to syntax error, etc...

Created attachment 425238: Patch

Comment on attachment 425238: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review

> LayoutTests/ipc/decode-object-array-crash.html:13
> + document.write('PASS')

oh, put this after if!

Comment on attachment 425238: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review

> LayoutTests/ipc/decode-object-array-crash.html:4
> +Test passes if it does not crash.

Also, please wrap this in <p>~</p>

Created attachment 425248: Patch

commit-queue failed to commit attachment 425248 to WebKit repository. To retry, please set cq+ flag again.

Comment on attachment 425248: Patch
Clearing flags on attachment: 425248
Committed r275501 (236158@main): <https://commits.webkit.org/236158@main>
All reviewed patches have been landed. Closing bug.