Closed Bug 621420 Opened 13 years ago Closed 13 years ago

"Assertion failure: !vp->isPrimitive() && callee != &vp[0].toObject()"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 202019

People

(Reporter: jruderman, Assigned: adrake)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

new (''.toLowerCase.bind());

Assertion failure: !vp->isPrimitive() && callee != &vp[0].toObject(), at jscntxtinlines.h:720
The first bad revision is:
changeset:   32b049250e03
user:        David Anderson
date:        Mon Oct 04 14:13:33 2010 -0700
summary:     ICs for scripted new (bug 589398, r=luke,dmandelin).
Blocks: 589398
Keywords: regression
Attached patch: Patch v0
In InvokeConstructor, if a non-fast constructor returns a primitive object, the return value is forced to the 'this' that was handed to the constructor. Unfortunately, native string operations reassign 'this' to a string (which is primitive), causing the return value if they are used as a constructor to still be primitive. This propagates up through the native constructor for a bound function, which then triggers the assert.

Prior versions simply set the return value to the object created directly, and ignored the (possibly reassigned) 'this'. I don't believe there are any cases where 'this' is legitimately assigned to a totally different object in a constructor, so this patch simply restores the old behavior.

Also included in this patch is a regression test for the test suite.
Assignee: general → adrake
Status: NEW → ASSIGNED
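
The invariant at stake in the comment above, written as an added regression sweep (not part of the attached patch or of the Mozilla test suite): `new` must never hand back a primitive, so constructing a bound non-constructor native has to either throw a TypeError or yield an object. It goes beyond the single `toLowerCase` testcase by checking every native on `String.prototype`; the helper names `constructOutcome`, `sweepBoundStringNatives` and `ReturnsPrimitive` are made up for this example.

```javascript
// Added example, not code from the bug's patch.
// Classify what `new fn()` produces: "object", "primitive" or "TypeError".
function constructOutcome(fn) {
  try {
    const result = new fn();
    const isObject =
      (typeof result === "object" && result !== null) ||
      typeof result === "function";
    return isObject ? "object" : "primitive";
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    throw e; // any other exception is unexpected, so surface it
  }
}

// Bind every native method on String.prototype and try to construct it.
// A "primitive" outcome is the condition the engine assertion guards against.
function sweepBoundStringNatives() {
  const outcomes = {};
  const violations = [];
  for (const name of Object.getOwnPropertyNames(String.prototype)) {
    const method = String.prototype[name];
    if (typeof method !== "function") continue; // skips `length`
    if (name === "constructor") continue;       // String is a real constructor
    const outcome = constructOutcome(method.bind());
    outcomes[name] = outcome;
    if (outcome === "primitive") violations.push(name);
  }
  return { outcomes, violations };
}

// Scripted constructor that returns a primitive: `new` must discard the
// primitive and yield the freshly created `this` object instead.
function ReturnsPrimitive() {
  this.tag = "made";
  return "a string";
}

const report = sweepBoundStringNatives();
console.log("original testcase:", constructOutcome("".toLowerCase.bind()));
console.log("natives checked:", Object.keys(report.outcomes).length);
console.log("violations:", report.violations);
console.log("scripted, bound:", constructOutcome(ReturnsPrimitive.bind(null)));
```

On a current ECMAScript engine every bound `String.prototype` native reports `TypeError`, because binding a function that has no construct behaviour does not give the bound function one.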
(In reply to comment #2)

Nice detective-ing.

> In InvokeConstructor, if a non-fast constructor returns a primitive object, the

I think you mean non-constructor native?  If so, then I believe the problem you noted will go away with bug 202019 (which is r+'d and waiting to land).
Depends on: 202019
Yep, that fixes this issue too. Thanks for the heads up!
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE