The attached test case defines a getter on the window object (not its prototype) then tries to invoke it and hits the assertion in GetterSetterImp::toString. In a release build, the return value is "null" instead of the expected value "bar" (Firefox display "barbaz" in the alert).
Created attachment 13986 [details] Test case (will assert)
10:10am <othermaciej> mitzpettel: assert should presumptively be a P1, if it is catching a real problem
So this is the backtrace: It seems that a GetterSetterImp is being passed around as a JSValue for some reason. Or maybe the JSValue pointer is simply stale. Still looking. #0 0x9003ddac in kill #1 0x9010ffdf in raise #2 0x9010eb32 in abort #3 0x00548a97 in __eprintf at object.cpp:379 #4 0x0050cd72 in KJS::GetterSetterImp::toPrimitive at internal.cpp:140 #5 0x0055d9fa in KJS::JSValue::toPrimitive at value.h:362 #6 0x00524fed in KJS::add at operations.cpp:224 #7 0x00542fe4 in KJS::AddNode::evaluate at nodes.cpp:1212 #8 0x005443f6 in KJS::ArgumentListNode::evaluateList at nodes.cpp:581 #9 0x0056f3ca in KJS::ArgumentsNode::evaluateList at nodes.h:361 #10 0x00544db2 in KJS::FunctionCallResolveNode::evaluate at nodes.cpp:681 #11 0x00541f0f in KJS::ExprStatementNode::execute at nodes.cpp:1723 #12 0x0053f1f2 in KJS::SourceElementsNode::execute at nodes.cpp:2528 #13 0x00517f1c in KJS::BlockNode::execute at nodes.cpp:1699 #14 0x0053c37f in KJS::Interpreter::evaluate at interpreter.cpp:365 #15 0x01248bab in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:78 #16 0x01387ae9 in WebCore::FrameLoader::executeScript at FrameLoader.cpp:712 #17 0x0101e62a in WebCore::HTMLTokenizer::scriptExecution at HTMLTokenizer.cpp:511 #18 0x01020de5 in WebCore::HTMLTokenizer::scriptHandler at HTMLTokenizer.cpp:461 #19 0x010212de in WebCore::HTMLTokenizer::parseSpecial at HTMLTokenizer.cpp:310 #20 0x01022c90 in WebCore::HTMLTokenizer::parseTag at HTMLTokenizer.cpp:1185 #21 0x01023447 in WebCore::HTMLTokenizer::write at HTMLTokenizer.cpp:1398 #22 0x0137c5ab in WebCore::FrameLoader::write at FrameLoader.cpp:927 #23 0x013871bb in WebCore::FrameLoader::endIfNotLoading at FrameLoader.cpp:963 #24 0x01387211 in WebCore::FrameLoader::end at FrameLoader.cpp:948 #25 0x0138a182 in WebCore::DocumentLoader::finishedLoading at DocumentLoader.cpp:315 #26 0x01381b7c in WebCore::FrameLoader::finishedLoading at FrameLoader.cpp:2571 #27 0x0138bf29 in WebCore::MainResourceLoader::didFinishLoading at MainResourceLoader.cpp:300 #28 0x0138d756 in WebCore::ResourceLoader::didFinishLoading at ResourceLoader.cpp:335 #29 0x0136c569 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] at ResourceHandleMac.mm:369 #30 0x92854d74 in -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] #31 0x92852e19 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] #32 0x92852ab5 in _sendCallbacks #33 0x9082bf92 in CFRunLoopRunSpecific #34 0x9082bace in CFRunLoopRunInMode #35 0x92ddc8d8 in RunCurrentEventLoopInMode #36 0x92ddbfe2 in ReceiveNextEventCommon #37 0x92ddbe39 in BlockUntilNextEventMatchingListInMode #38 0x93282465 in _DPSNextEvent #39 0x93282056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] #40 0x00006f96 in ?? #41 0x9327bddb in -[NSApplication run] #42 0x9326fd2f in NSApplicationMain #43 0x0005f7de in ?? #44 0x0005f6f9 in ??
Even simpler test: <script> __defineGetter__("foo", function() { return "bar"; }); alert(foo); </script>
<rdar://problem/5183685>
Committed revision 21481.