If the UTF16 data in a String contains a high surrogate as its last character, and convertUTF16ToUTF8 (JavaScriptCore/wtf/unicode/UTF8.cpp) thereby returns sourceExhausted, the following assert in WTFString.cpp (~line 666) will fail:

    ASSERT((characters + 1) == (characters + length));

It looks to me like this assertion should be:

    ASSERT((characters + 1) == (this->characters() + length));

Patch coming.

I've tried to provoke this crash by sending down invalid String inputs from JavaScript to a couple of DOM entry points, but the only way I've been able to get String::utf8() called on arbitrary JavaScript string inputs is via WebGL APIs.
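To show why the original assertion only ever held for one-character strings, here is an added example (my own construction, not WebKit's code) that models the convertUTF16ToUTF8 contract described above and evaluates both forms of the assertion against the cursor position after a trailing high surrogate. The status enum, the converter body and the helper names (fixedAssertionHolds, buggyAssertionHolds, toUTF8, Utf8Outcome) are assumptions made for this example.

```cpp
#include <cstddef>
#include <string>
// Status codes modelled on the ones the report names (constructed for this example).
enum ConversionResult { conversionOK, sourceExhausted, sourceIllegal };

// Convert UTF-16 units in [*sourceStart, sourceEnd) to UTF-8, advancing *sourceStart. A high
// surrogate with nothing after it yields sourceExhausted with *sourceStart left on that unit.
ConversionResult convertUTF16ToUTF8(const char16_t** sourceStart, const char16_t* sourceEnd,
                                    std::string& out) {
    const char16_t* source = *sourceStart;
    while (source < sourceEnd) {
        unsigned ch = *source++;
        if (ch >= 0xD800 && ch <= 0xDBFF) {            // high surrogate: a low one must follow
            if (source == sourceEnd) { *sourceStart = source - 1; return sourceExhausted; }
            unsigned low = *source;
            if (low < 0xDC00 || low > 0xDFFF) { *sourceStart = source - 1; return sourceIllegal; }
            ++source;
            ch = 0x10000 + ((ch - 0xD800) << 10) + (low - 0xDC00);
        } else if (ch >= 0xDC00 && ch <= 0xDFFF) {     // lone low surrogate
            *sourceStart = source - 1; return sourceIllegal;
        }
        if (ch < 0x80) out += char(ch);
        else if (ch < 0x800) { out += char(0xC0 | (ch >> 6)); out += char(0x80 | (ch & 0x3F)); }
        else if (ch < 0x10000) { out += char(0xE0 | (ch >> 12)); out += char(0x80 | ((ch >> 6) & 0x3F));
                                 out += char(0x80 | (ch & 0x3F)); }
        else { out += char(0xF0 | (ch >> 18)); out += char(0x80 | ((ch >> 12) & 0x3F));
               out += char(0x80 | ((ch >> 6) & 0x3F)); out += char(0x80 | (ch & 0x3F)); }
    }
    *sourceStart = source;
    return conversionOK;
}

// Post-condition String::utf8() wants after sourceExhausted: the converter stopped exactly one
// unit short of the end. 'characters' is the advanced local pointer, 'start' is this->characters().
bool fixedAssertionHolds(const char16_t* characters, const char16_t* start, std::size_t length) {
    return characters + 1 == start + length;          // corrected form from the report
}
bool buggyAssertionHolds(const char16_t* characters, std::size_t length) {
    return characters + 1 == characters + length;     // original form: true only when length == 1
}

// Convert a whole string and evaluate both assertion forms against the final cursor position.
struct Utf8Outcome { ConversionResult result; std::string utf8; bool fixedHolds; bool buggyHolds; };
Utf8Outcome toUTF8(const std::u16string& s) {
    const char16_t* start = s.data(), *cursor = start;
    Utf8Outcome o;
    o.result = convertUTF16ToUTF8(&cursor, start + s.size(), o.utf8);
    o.fixedHolds = fixedAssertionHolds(cursor, start, s.size());
    o.buggyHolds = buggyAssertionHolds(cursor, s.size());
    return o;
}
```

With "ab" followed by a lone high surrogate the corrected check passes and the original fails, while a string consisting only of the lone surrogate satisfies both, which is why the defect stays hidden on minimal inputs.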
Created attachment 61085: Patch

From the ChangeLog: Fixed assertion when sourceExhausted is returned from convertUTF16ToUTF8.
Comment on attachment 61085: Patch

Awesome :)
Committed r63016: <http://trac.webkit.org/changeset/63016>