String coercion triggers an exciting assertion, when i futz with the this object: (this % (this.__proto__ = Math)) + "" Produces: ASSERTION FAILED: conditionSet.hasOneSlotBaseCondition() /Volumes/Untitled/WebKit/WebKit/Source/JavaScriptCore/runtime/StructureRareData.cpp(129) : void JSC::StructureRareData::setObjectToStringValue(JSC::ExecState *, JSC::VM &, JSC::Structure *, JSC::JSString *, JSC::PropertySlot) 1 0x1041686fd WTFCrash 2 0x103fccbd4 JSC::StructureRareData::setObjectToStringValue(JSC::ExecState*, JSC::VM&, JSC::Structure*, JSC::JSString*, JSC::PropertySlot) 3 0x103e1a70d JSC::Structure::setObjectToStringValue(JSC::ExecState*, JSC::VM&, JSC::JSString*, JSC::PropertySlot) 4 0x103e1a3eb JSC::objectProtoFuncToString(JSC::ExecState*)::$_0::operator()(bool, JSC::PropertySlot&) const 5 0x103e1a1bf std::__1::result_of<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0 (bool, JSC::PropertySlot&)>::type JSC::JSObject::getPropertySlot<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, JSC::objectProtoFuncToString(JSC::ExecState*)::$_0) const 6 0x103e19fcd std::__1::result_of<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0 (bool, JSC::PropertySlot&)>::type JSC::JSObject::getPropertySlot<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0>(JSC::ExecState*, JSC::PropertyName, JSC::objectProtoFuncToString(JSC::ExecState*)::$_0) const 7 0x103e18a6d JSC::objectProtoFuncToString(JSC::ExecState*) 8 0x103d9643a vmEntryToNative ...