I just now installed the latest version of WebKit Nightly Version 6.0.2 (8536.26.17, 537+). It crashes the browser as a whole when visiting the SES test page at http://google-caja.googlecode.com/svn/trunk/src/com/google/caja/ses/explicit.html . The immediately previous version does fine on that page. Safari Version 6.0.2 (8536.26.17) also does fine on that page. Since the entire browser crashes, I have no idea what on that page is causing the problem. I also cannot tell for sure that the component at issue is JSC, though I expect it is. Feel free to reclassify. I'm classifying this as Critical/P1 not because I expect you think SES is that important, but because this is a browser-crashing bug.
0 com.apple.JavaScriptCore 0x0000000108f91ad5 JSC::JSCell::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 21
1 com.apple.JavaScriptCore 0x0000000108f928d6 JSC::JSValue::toStringSlowCase(JSC::ExecState*) const + 886
2 com.apple.JavaScriptCore 0x0000000108dfc049 JSC::createNotAnObjectError(JSC::ExecState*, JSC::JSValue) + 57
3 com.apple.JavaScriptCore 0x0000000108df9854 JSC::JSValue::synthesizePrototype(JSC::ExecState*) const + 132
4 com.apple.JavaScriptCore 0x0000000108e55795 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 53
5 com.apple.JavaScriptCore 0x0000000108de0910 cti_op_get_by_id_generic + 80
<rdar://problem/13489189>
That test page works fine in Safari Version 14.1 (16611.1.21.161.3). Should this be closed?
Thank you for the update! For some reason, this got fixed as bug 113236 without a mention here. *** This bug has been marked as a duplicate of bug 113236 ***