GDB output: 0xb74fd659 in KJS::JSObject::getPropertySlot (this=0x0, exec=0xbfcce144, propertyName=@0x80f76c8, slot=@0xbfccdef8) at ../../../JavaScriptCore/kjs/object.h:554 554 if (object->getOwnPropertySlot(exec, propertyName, slot)) (gdb) l 549 // since this is function very hot in variable lookup 550 inline bool JSObject::getPropertySlot(ExecState *exec, const Identifier& propertyName, PropertySlot& slot) 551 { 552 JSObject *object = this; 553 while (true) { 554 if (object->getOwnPropertySlot(exec, propertyName, slot)) 555 return true; 556 557 JSValue *proto = object->_proto; 558 if (!proto->isObject()) (gdb) p object $1 = (class KJS::JSObject *) 0x0 (gdb)

Called from here: (gdb) l ../../../JavaScriptCore/kjs/nodes.cpp:398 393 394 PropertySlot slot; 395 do { 396 JSObject *o = *iter; 397 398 if (o->getPropertySlot(exec, ident, slot)) 399 return slot.getValue(exec, o, ident); 400 401 ++iter; 402 } while (iter != end); Stack Trace: #0 0xb74c3659 in KJS::JSObject::getPropertySlot (this=0x0, exec=0xbf9b2624, propertyName=@0x8105278, slot=@0xbf9b23d8) at ../../../JavaScriptCore/kjs/object.h:554 #1 0xb74bd082 in KJS::ResolveNode::evaluate (this=0x8105270, exec=0xbf9b2624) at ../../../JavaScriptCore/kjs/nodes.cpp:398 #2 0xb74c0edc in KJS::AssignDotNode::evaluate (this=0x81913a0, exec=0xbf9b2624) at ../../../JavaScriptCore/kjs/nodes.cpp:1481 #3 0xb74b9783 in KJS::ExprStatementNode::execute (this=0x81913c0, exec=0xbf9b2624) at ../../../JavaScriptCore/kjs/nodes.cpp:1764 #4 0xb74b63cd in KJS::SourceElementsNode::execute (this=0x81913d8, exec=0xbf9b2624) at ../../../JavaScriptCore/kjs/nodes.cpp:2563 #5 0xb74b47f6 in KJS::BlockNode::execute (this=0x8192f20, exec=0xbf9b2624) at ../../../JavaScriptCore/kjs/nodes.cpp:1740 #6 0xb74a902e in KJS::Interpreter::evaluate (this=0x818bc80, sourceURL=@0xbf9b270c, startingLineNumber=0, code=0x818ba40, codeLength=118, thisV=0xb5460000) at ../../../JavaScriptCore/kjs/interpreter.cpp:369 #7 0xb751923f in WebCore::KJSProxy::evaluate (this=0x80dfa98, filename=@0xbf9b27c4, baseLine=0, str=@0xbf9b27c0) at ../../../WebCore/bindings/js/kjs_proxy.cpp:85 #8 0xb771bb5c in WebCore::FrameLoader::executeScript (this=0x8089ed8, URL=@0xbf9b27c4, baseLine=0, script=@0xbf9b27c0) at ../../../WebCore/loader/FrameLoader.cpp:749 #9 0xb76eaacd in WebCore::HTMLTokenizer::scriptExecution (this=0x80d7eb0, str=@0xbf9b28e8, state= {static EntityShift = 4, m_bits = 0}, scriptURL=@0xbf9b2918, baseLine=0) at ../../../WebCore/html/HTMLTokenizer.cpp:520 #10 0xb76ebac5 in WebCore::HTMLTokenizer::scriptHandler (this=0x80d7eb0, state= {static EntityShift = 4, m_bits = 0}) at ../../../WebCore/html/HTMLTokenizer.cpp:470 #11 0xb76ec13a in WebCore::HTMLTokenizer::parseSpecial (this=0x80d7eb0, src=@0x80d83b4, state= {static EntityShift = 4, m_bits = 128}) at ../../../WebCore/html/HTMLTokenizer.cpp:319 #12 0xb76ee0dd in WebCore::HTMLTokenizer::parseTag (this=0x80d7eb0, src=@0x80d83b4, state= {static EntityShift = 4, m_bits = 128}) at ../../../WebCore/html/HTMLTokenizer.cpp:1231 #13 0xb76eeb4b in WebCore::HTMLTokenizer::write (this=0x80d7eb0, str=@0xbf9b2c40, appendData=true) at ../../../WebCore/html/HTMLTokenizer.cpp:1449 #14 0xb77140b4 in WebCore::FrameLoader::write (this=0x8089ed8, str=0x8176fa0 "<html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><title>Google</title><style>body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#3366cc}.q{color:#00c}.ts td{padding:0}."..., len=3466, flush=false) at ../../../WebCore/loader/FrameLoader.cpp:977

I cannot reproduce this at all in the Mac port. If you can isolate what the JavaScript is doing to trigger the crash, it may make the cause more evident.

Somehow the problem disappeared.