Just run the attached test case: ** (jsarray:27866): DEBUG: TypeError: Result of expression 'a.push' [undefined] is not a function. Note that the eval in the context of the WebView does not produce any console messages. By changing the order of evaluation it is possible to let the error happen in the context of the WebView and the context created with the JSC API is working fine. This does affect a lot of other standard methods from at least `Array' and `String'.
Created attachment 22608: Test case
This doesn't look gtk-related, but as mentioned in bug 20107, I tried and could not reproduce this on Mac OS X, so at least part of debugging this should be done on a system where this does happen.
Alexey, this issue doesn't look gtk-related. I faced the same problem and checked several differences between Mac and gtk. Finally I turned JSC_MULTIPLE_THREADS on, and this issue did not happen. Would you turn this flag off on Mac?
I investigated more and found that if I allocated private hash tables in JSGlobalData (JavaScriptCore/kjs/JSGlobalData.cpp), this issue wouldn't happen. But I don't know why this code could affect the problem.
Thank you for your analysis - I can now see the problem. When JSC_MULTIPLE_THREADS is not enabled, we are using static hash tables, but a per-GlobalData identifier table. Since the hash tables reference identifiers, this makes no sense.
Created attachment 24341: proposed fix
I don't remember why I made this conditional - probably there was no good reason.
Comment on attachment 24341 (proposed fix): r=me
Fixed in <http://trac.webkit.org/changeset/37586>.