[JSC] jsSubstring should resolve rope before calling JSRopeString::create
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGOperations.cpp
index 7fb246e..4cfac1d 100644 (file)
@@ -2168,7 +2168,7 @@ JSCell* JIT_OPERATION operationStringSubstr(ExecState* exec, JSCell* cell, int32
 
     auto string = jsCast<JSString*>(cell)->value(exec);
     RETURN_IF_EXCEPTION(scope, nullptr);
-    return jsSubstring(exec, string, from, span);
+    return jsSubstring(&vm, string, from, span);
 }
 
 JSCell* JIT_OPERATION operationStringSlice(ExecState* exec, JSCell* cell, int32_t start, int32_t end)
@@ -2181,8 +2181,7 @@ JSCell* JIT_OPERATION operationStringSlice(ExecState* exec, JSCell* cell, int32_
     RETURN_IF_EXCEPTION(scope, nullptr);
     static_assert(static_cast<uint64_t>(JSString::MaxLength) <= static_cast<uint64_t>(std::numeric_limits<int32_t>::max()), "");
 
-    scope.release();
-    return stringSlice(exec, WTFMove(string), start, end);
+    return stringSlice(vm, WTFMove(string), start, end);
 }
 
 JSString* JIT_OPERATION operationToLowerCase(ExecState* exec, JSString* string, uint32_t failingIndex)