Closed Bug 595923 Opened 9 years ago Closed 9 years ago

"Assertion failure: isObjectOrNull(),"

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

x = Proxy.createFunction((function () {}), Uint16Array, wrap)
new(wrap(x))

asserts js debug shell on TM changeset f5e128da7b5f without -m or -j at Assertion failure: isObjectOrNull(),
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   52720:66c8ad02543b
user:        Luke Wagner
date:        Mon Aug 16 12:35:04 2010 -0700
summary:     Bug 581263 - remove slow natives (r=waldo,mrbkap)

(As one bisects back in time, the testcase used to assert at Assertion failure: !vp->isPrimitive(), )
Blocks: 581263
Attached patch patchSplinter Review
Ah, proxies again.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #475378 - Flags: review?(brendan)
Comment on attachment 475378 [details] [diff] [review]
patch

>diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
>--- a/js/src/jsapi.cpp
>+++ b/js/src/jsapi.cpp
>@@ -4863,17 +4863,19 @@ JS_New(JSContext *cx, JSObject *ctor, ui
>     if (!cx->stack().pushInvokeArgs(cx, argc, &args))
>         return NULL;
> 
>     args.callee().setObject(*ctor);
>     args.thisv().setNull();
>     memcpy(args.argv(), argv, argc * sizeof(jsval));
> 
>     bool ok = InvokeConstructor(cx, args);
>-    JSObject *obj = ok ? args.rval().toObjectOrNull() : NULL;
>+    JSObject *obj = ok && args.rval().isObject()

Prevailing style parenthesizes any non-unary-or-tighter condition, after K&R.

>+                    ? &args.rval().toObject()
>+                    : NULL;
> 
>     LAST_FRAME_CHECKS(cx, ok);
>     return obj;

We're gonna need new API some fine day for value types (AKA universal proxies).

/be
Attachment #475378 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/7ff2764d0390
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/7ff2764d0390
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.