On Version 5.0.5 (5533.21.1, r87697), in a squarefree shell (but consistent with other behavior I've seen), I type in: function foo(){} Object.freeze(foo); Object.freeze(foo.prototype); I then get a beach ball for a short while only over that Safari, and then that Safari crashes. For the sake of isolating this, I tried rebooting and launching a fresh Safari. Same symptoms.
Could you please attach a crash log <http://www.webkit.org/quality/crashlogs.html>?
Created attachment 95514 [details] Crash log attached as requested After WebKit nightly crashed, I did not get a CrashReporter window. So I followed the instructions at http://www.webkit.org/quality/crashlogs.html as requested to find the attached crash log.
Created attachment 95527 [details] Patch
Comment on attachment 95527 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=95527&action=review r=me > Source/JavaScriptCore/runtime/JSFunction.cpp:193 > + createPrototypeProperty(globalData, scope()->globalObject.get(), this); It's kind of a shame that "no new properties" actually means "create a lot of properties right now, and none later". In the future, I think it would be nice to still allow host objects to lazily instantiate their properties, even though we forbid user extension of the object. > Source/JavaScriptCore/runtime/JSObject.cpp:520 > + if (isExtensible()) > + preventExtensions(globalData); > setStructure(globalData, Structure::sealTransition(globalData, m_structure.get())); > } > > void JSObject::freeze(JSGlobalData& globalData) > { > + if (isExtensible()) > + preventExtensions(globalData); Instead of checking isExtensible() (which preventExtensions already does for us), I think we should check isSealed() and isFrozen() in each function, respectively, and skip the whole operation if it's been done already.
Committed r87826: <http://trac.webkit.org/changeset/87826>
Revision r87826 cherry-picked into qtwebkit-2.2 with commit 638ed3d <http://gitorious.org/webkit/qtwebkit/commit/638ed3d>