We are seeing a crash within Safari's Javascript core using Silverlight to invoke window.open. This repros with a crash within 1-2 clicks in Safari 2.x, it also repros on newer 3.x safaris but at a much lower frequency. Repro attached and should repro against Silverlight Beta 2 for the Mac (http://www.microsoft.com/silverlight/resources/install.aspx) Looks like the javascript engine is deferencing bad memory, the basic scenario is we get a native reference to a script object which we get back from safari, and are passing it back into the javascript core for purposes of object identity, specifically we are seeing a crash when we pass back a resulting window from a call to window.open to javascript which is simply trying to do reference equality. Replacing equality with a tostring on the object also crashes, so it looks like the window reference we pass back is corrupt somehow and crashes the javascript engine when its accessed in any way. 1. Silverlight code calls window.open in javascript gets back a native handle. 2. We pass that handle back into javascript trying to execute in javascript: function ref_equality(o1, o2) { return o1 == o2; } This causes the crash stack below(on both Safari 2.x and 3.x... Crash log: Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008 Crashed Thread: 0 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x943ff478 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 360 1 com.apple.JavaScriptCore 0x943ff2fa KJS::EqualNode::evaluate(KJS::ExecState*) + 218 2 com.apple.JavaScriptCore 0x943f807e KJS::GroupNode::evaluate(KJS::ExecState*) + 14 3 com.apple.JavaScriptCore 0x94404f45 KJS::ReturnNode::execute(KJS::ExecState*) + 133 4 com.apple.JavaScriptCore 0x943f6e0b KJS::SourceElementsNode::execute(KJS::ExecState*) + 139 5 com.apple.JavaScriptCore 0x943f6601 KJS::BlockNode::execute(KJS::ExecState*) + 49 6 com.apple.JavaScriptCore 0x9440257c KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 28 7 com.apple.JavaScriptCore 0x94401f8f KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 559 8 com.apple.JavaScriptCore 0x9442d127 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135 9 com.apple.JavaScriptCore 0x9443e02c _NPN_Invoke + 396 10 ...microsoft.SilverlightPlugin 0x1695ef7b NPWrapper::InvokeObjectMethod(NPObject*, void*, _NPVariant const*, unsigned int, _NPVariant*) + 101 (NPWrapper.cpp:140) 11 com.apple.JavaScriptCore 0x9443deea _NPN_Invoke + 74 12 ...microsoft.SilverlightPlugin 0x1694b9aa CNPBrowser::InvokeNPMethod(NPObject*, wchar_t const*, _NPVariant const*, int, _NPVariant*) + 742 (NPBrowser.cpp:2754) 13 ...microsoft.SilverlightPlugin 0x1695388f CNPBrowser::ReferenceEquals(void const*, void const*) + 169 (NPBrowser.cpp:1036) 14 ...microsoft.SilverlightPlugin 0x163c431d DOM_ReferenceEquals + 405 (PALDOM.cpp:16)