js/dom/dfg-custom-getter-throw.html and js/dom/dfg-custom-getter-throw-inlined.html have started hitting assertions after http://trac.webkit.org/changeset/161051 ASSERTION FAILED: exec == topCallFrame || exec == exec->lexicalGlobalObject()->globalExec() || exec == exec->vmEntryGlobalObject()->globalExec() /Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/runtime/VM.cpp(634) : JSC::JSValue JSC::VM::throwException(JSC::ExecState *, JSC::JSValue) 1 0x10da505b0 WTFCrash 2 0x10d9f14af JSC::VM::throwException(JSC::ExecState*, JSC::JSValue) 3 0x10f6cb39f WebCore::setDOMException(JSC::ExecState*, int) 4 0x10fbe6119 WebCore::JSXMLHttpRequest::responseText(JSC::ExecState*) const 5 0x10fbe0d3f WebCore::jsXMLHttpRequestResponseText(JSC::ExecState*, long long, long long, JSC::PropertyName) 6 0x3ed880e68ffa http://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r161053%20(1201)/results.html
Looks like this is a fairly recent regression in JSC. I certainly did not encounter it at r158715, and reverting the WebCore code change in r161051 confirms that the assertion failure exists without the patch.
Created attachment 219979 [details] The version of js/dom/dfg-custom-getter-throw.html that reproduces the assertion failure
<rdar://problem/15723849>
Committed r161059: <http://trac.webkit.org/changeset/161059>
Sorry, didn't mean to close this bug.
Testing with a recent build (r165197), I don't see this issue manifest anymore. There also have been numerous changes and bug fixes in the area of exception handling and stack management since the time this bug was filed. Those changes appear to have resolved the issue. There doesn't seem to be anything left to do for this bug. Will close.
Mark, did you unskip the skipped tests?
(In reply to comment #7) > Mark, did you unskip the skipped tests? They were already unskipped. See https://bugs.webkit.org/show_bug.cgi?id=126219#c4.