A few objects aren't being safely protected from GC in all cases
Created attachment 156168 [details] Patch
Committed r124510: <http://trac.webkit.org/changeset/124510>
Comment on attachment 156168 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=156168&action=review

> Source/WebCore/bindings/js/JSDictionary.h:51
> +     , m_initializerObject(exec->globalData(), initializerObject)

exec is used here without a null check. The issue is that exec may be 0, for example when the default constructor for Dictionary is called. This leads to crashes (see Bug 93096).

> Source/WebCore/bindings/js/JSDictionary.h:68
> bool isValid() const { return m_exec && m_initializerObject; }

This function also hints that both m_exec and m_initializerObject may be NULL.
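The hazard the review comment points at, as an added illustration that is not WebKit code and not the fix that was eventually committed: a Strong-style GC-protecting handle needs the heap's GlobalData to register itself, so evaluating exec->globalData() in the constructor's initializer list dereferences exec before any check can run. The GlobalData, ExecState, JSObject, Strong and JSDictionary names below mirror the identifiers in the discussion, but every type here is a simplified stand-in written for this example; the two JSDictionary variants show the unchecked shape under review next to one way of tolerating a null exec so that isValid() reports an unusable dictionary instead of crashing.

```cpp
// Added illustration (not WebKit code): models the null-exec hazard described
// in the review comment on JSDictionary.h. The names mirror the WebKit
// identifiers in the discussion, but all types are simplified stand-ins.
#include <cstddef>

struct GlobalData {};   // stand-in for JSC::JSGlobalData (the heap's global state)

struct ExecState {      // stand-in for JSC::ExecState
    GlobalData& globalData() { return m_globalData; }
private:
    GlobalData m_globalData;
};

struct JSObject {};     // stand-in for JSC::JSObject

// Minimal stand-in for JSC::Strong<T>: a GC-protecting handle that, like the
// real one, must be given the GlobalData of the heap it protects into, so it
// cannot be constructed from a null ExecState.
template <typename T>
class Strong {
public:
    Strong() : m_data(nullptr), m_ptr(nullptr) {}
    Strong(GlobalData& data, T* ptr) : m_data(&data), m_ptr(ptr) {}
    T* get() const { return m_ptr; }
    GlobalData* globalData() const { return m_data; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    GlobalData* m_data;   // heap this handle is registered with (null when empty)
    T* m_ptr;             // protected object (null when empty)
};

// Shape of the constructor under review: exec->globalData() is evaluated in the
// initializer list, so a null exec is dereferenced before any check could run.
// Passing exec == nullptr is undefined behaviour (a crash in practice), so this
// example never calls it that way.
class JSDictionaryUnchecked {
public:
    JSDictionaryUnchecked(ExecState* exec, JSObject* initializerObject)
        : m_exec(exec)
        , m_initializerObject(exec->globalData(), initializerObject)
    {}
    bool isValid() const { return m_exec && m_initializerObject; }
private:
    ExecState* m_exec;
    Strong<JSObject> m_initializerObject;
};

// One way to make the constructor tolerate a null exec (illustrative, not the
// committed WebKit change): only touch globalData() when exec is non-null and
// otherwise leave the handle empty, so isValid() is false rather than crashing.
class JSDictionaryChecked {
public:
    JSDictionaryChecked(ExecState* exec, JSObject* initializerObject)
        : m_exec(exec)
        , m_initializerObject(exec ? Strong<JSObject>(exec->globalData(), initializerObject)
                                   : Strong<JSObject>())
    {}
    bool isValid() const { return m_exec && m_initializerObject; }
private:
    ExecState* m_exec;
    Strong<JSObject> m_initializerObject;
};

// Helpers that construct a dictionary and report isValid() for the inputs.
bool checkedIsValid(ExecState* exec, JSObject* obj) {
    JSDictionaryChecked d(exec, obj);
    return d.isValid();
}

bool uncheckedIsValid(ExecState* exec, JSObject* obj) {
    JSDictionaryUnchecked d(exec, obj); // exec must be non-null here
    return d.isValid();
}
```

With a real ExecState both variants behave identically; the difference only shows on the null-exec path, which the checked variant survives with isValid() returning false while the unchecked one dereferences the null pointer in its initializer list.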