non-string model values cause crashes in v8::Value::toString

[ajklein]

example test case that crashes (due to not having the proper v8::Context available):

<!DOCTYPE html>
<body>
<script>
if (window.testRunner) {
    testRunner.waitUntilDone();
    testRunner.dumpAsText();
    setTimeout(function() { testRunner.notifyDone() }, 1000);
}
document.body.model = [{key: 1}, {key: 2}, {key: 3}];
</script>
<div>Below, there should be a list of three items.</div>
<ol>
  <template iterate>
    <li>{{key}}
  </template>
</ol>
</body>

Fix is likely to pass a ScriptState to ScriptValue::toString and actually make use of it.

[ajklein]

Fixed in c2a0ad21d4