JavaScriptCore calls toNumber w/o checking for an exception

toNumber calls toPrimitive, which calls .toString or .valueOf, both of which could be overridden to throw (or have other side effects). For example the following code should only show one alert, but I'm guessing (by code inspection) it shows 2 in webkit:

    var myObject = new Object;
    myObject.__proto__ = {
        // valueOf has a visible side effect, then throws
        valueOf: function() { alert("foo"); throw "foobar"; }
    };
    var bar = myObject + myObject;
    alert("Not reached.");

(assuming I got my js right above...) I've not tested other browsers, so this is really a speculative bug.
Ha! Funny, right after I filed this, I wrote up bug 15879 which actually fixes this issue partially (at least for MultNode. :)
A bunch of this just got fixed when bug 15879 landed as r27589. I'm certain there are still examples of this which can be seen using some js.
I am aware of no cases where we don't do this correctly (and I made some fairly large and chunky tests for these types of things for SquirrelFish)
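
A regression-style check for the behaviour reported in this bug, as an added example that is not part of the original thread or of WebKit's test suite: for each binary operator, both operands have a `valueOf` that records the call and throws, and a conforming engine must run exactly one conversion, propagate the exception, and never reach the following statement. The helper names (`makeThrowingOperand`, `checkOperator`, `failures`) are hypothetical.

```javascript
// Added example (constructed); runs in any standalone JavaScript engine.
// Each operand logs its conversion and then throws, like the report's valueOf.
function makeThrowingOperand(log) {
  return {
    valueOf() { log.push("valueOf"); throw new Error("foobar"); },
    toString() { log.push("toString"); return "unreachable"; }
  };
}

// Explicit table of operators, each of which converts its operands.
const OPERATORS = {
  "+": (a, b) => a + b,   "-": (a, b) => a - b,   "*": (a, b) => a * b,
  "/": (a, b) => a / b,   "%": (a, b) => a % b,   "<<": (a, b) => a << b,
  ">>": (a, b) => a >> b, ">>>": (a, b) => a >>> b,
  "&": (a, b) => a & b,   "|": (a, b) => a | b,   "^": (a, b) => a ^ b,
  "<": (a, b) => a < b,   ">": (a, b) => a > b,
  "<=": (a, b) => a <= b, ">=": (a, b) => a >= b
};

function checkOperator(op) {
  const log = [];
  const a = makeThrowingOperand(log);
  const b = makeThrowingOperand(log);
  let threw = false;
  let reached = false; // mirrors alert("Not reached.") in the report
  try {
    OPERATORS[op](a, b);
    reached = true;
  } catch (e) {
    threw = e instanceof Error && e.message === "foobar";
  }
  // Correct behaviour: the first conversion throws and the second never runs.
  const ok = threw && !reached && log.length === 1 && log[0] === "valueOf";
  return { op, threw, reached, conversions: log.length, ok };
}

// Operators for which the engine kept converting after an exception.
function failures() {
  return Object.keys(OPERATORS).map(checkOperator).filter(r => !r.ok).map(r => r.op);
}

console.log(failures().length === 0 ? "all operators stop at the first exception"
                                    : "extra conversions for: " + failures().join(" "));
```

An engine with the missing exception check would report two conversions for the affected operators, which is the double alert the report predicts.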