Skip stack trace formatting in case the global object is already dead.

src/heap.cc

Index: src/heap.cc
diff --git a/src/heap.cc b/src/heap.cc
index c10c43081251de80763f9af2e15c9a6aa2c92fac..5f8cc052f776ba976e1a1c9d5b08c12893a92c84 100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -7291,6 +7291,7 @@ void ErrorObjectList::UpdateReferences() {
 
 // Unforwarded objects in new space are dead and removed from the list.
 void ErrorObjectList::UpdateReferencesInNewSpace(Heap* heap) {
+  if (list_.is_empty()) return;
   if (!nested_) {
     int write_index = 0;
     for (int i = 0; i < list_.length(); i++) {
@@ -7318,7 +7319,13 @@ void ErrorObjectList::DeferredFormatStackTrace(Isolate* isolate) {
   // If formatting the stack trace causes a GC, this method will be
   // recursively called.  In that case, skip the recursive call, since
   // the loop modifies the list while iterating over it.
-  if (nested_ || isolate->has_pending_exception()) return;
+  if (nested_ || list_.is_empty() || isolate->has_pending_exception()) return;
+  // In rare cases some error objects are still alive even though the global
+  // object provided by the embedder (WebKit) has already been collected.
+  // Those error objects are going to die soon afterwards.  Stop right here.
+  if (isolate->context() == NULL) return;
+  if (!isolate->global_proxy()->GetPrototype()->IsJSGlobalProxy()) return;

[Michael Starzinger, 2013/01/16 13:35:53]

That is quite a hack that is going on here. I think a better approach would be
for %GetDataProperty to actually check  whether the receiver is a JSGlobalProxy,
skip to the JSGlobalObject and if that is not present return undefined (as it's
implementing safe semantics that should gracefully fail).

+
   nested_ = true;
   HandleScope scope(isolate);
   Handle<String> stack_key = isolate->factory()->stack_symbol();