When there is an exception, currently the code tries to get the string of the exception via JSValueToStringCopy to pass back, but this causes a crash inside JavaScriptCore, so change it to simply return false and not set the return value with the exception string.
Created attachment 151968: patch
For the curious, here is the BT for the crash:

#0 isString (this=0x0) at /home/bmeyer/git/qnx/webkit/Source/JavaScriptCore/runtime/JSCell.cpp:215
#1 JSC::JSCell::toPrimitive (this=0x0, exec=0x82bfcb0, preferredType=JSC::PreferString) at /home/bmeyer/git/qnx/webkit/Source/JavaScriptCore/runtime/JSCell.cpp:138
#2 0xbb3139be in JSC::JSValue::toStringSlowCase (this=0x7bc1c84, exec=0x82bfcb0) at /home/bmeyer/git/qnx/webkit/Source/JavaScriptCore/runtime/JSValue.cpp:279
#3 0xbb291d36 in toString (exec=0x82bfcb0, this=0x7bc1c84) at /home/bmeyer/git/qnx/webkit/Source/JavaScriptCore/runtime/JSString.h:495
#4 JSValueToStringCopy (ctx=0x82bfcb0, value=0x0, exception=0x0) at /home/bmeyer/git/qnx/webkit/Source/JavaScriptCore/API/JSValueRef.cpp:296
#5 0xb9db1d8e in BlackBerry::WebKit::WebPage::executeJavaScriptFunction (this=0x81e6e90, function=..., args=..., returnType=@0x7bc1d5c: BlackBerry::WebKit::JSException, returnValue=...)
Comment on attachment 151968: patch

Clearing flags on attachment: 151968

Committed r122476: <http://trac.webkit.org/changeset/122476>
All reviewed patches have been landed. Closing bug.