452960 - TM: "Assertion failure: !JSVAL_IS_PRIMITIVE(v)" with |new|

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

js -j a.js
Assertion failure: !JSVAL_IS_PRIMITIVE(v), at jsbuiltins.cpp:471

a.js:
var f = function(){};
f.prototype = false;
for (let j=0;j<5;++j) { new f; }

Only happens when I feed a.js to ./js as a file, not when I paste its contents into the interactive shell.

Tracemonkey branch.

Comment 1

[Andreas Gal :gal]

We die on an assert in FastNewObject that says prototype must be object, which it here clearly isn't. As far as I can tell prototype becomes Object() in this case, but I can't figure out how to get a handle to Object() in FastNewObject.

Comment 2

[Andreas Gal :gal]

Attachment: Use Object as prototype if the prototype of the constructor is primitive.

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 338981 [details] [diff] [review]
Use Object as prototype if the prototype of the constructor is primitive.

>diff -r ce9daaee1980 js/src/jsbuiltins.cpp
>+    if (JSVAL_IS_PRIMITIVE(v)) {
>+        if (!js_GetClassPrototype(cx, JSVAL_TO_OBJECT(ctor->fslots[JSSLOT_PARENT]), 
>+                                  INT_TO_JSID(JSProto_Object), &proto))
>+            return NULL;
>+    } else 
>+        proto = JSVAL_TO_OBJECT(v);

Add lots of curly braces here and r=me.

Comment 4

[Andreas Gal :gal]

http://hg.mozilla.org/tracemonkey/rev/504ac87ae2bf

Comment 5

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_7/regress/regress-452960.js,v  <--  regress-452960.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/70cc42a6572b