Closed Bug 827082 Opened 12 years ago Closed 12 years ago

IonMonkey: "Assertion failure: target->isNativeConstructor(),"

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla20

People

(Reporter: gkw, Assigned: h4writer)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

stack 12 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 6.29 KB, text/plain		Details
Fix 12 years ago Hannes Verschore [:h4writer] 838 bytes, patch	evilpie : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

12 years ago

Attached file stack — Details

new [].sort()

asserts js debug shell on m-c changeset 20d1a5916ef6 with -ion-eager at Assertion failure: target->isNativeConstructor(),

This is flooding the fuzzer boxes, setting [fuzzblocker].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   117618:67e44e98555c
user:        Hannes Verschore
date:        Fri Jan 04 17:11:32 2013 +0100
summary:     Bug 825705: Creating this on caller-side shouldn't query prototype for unknown objects, r=jandem

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

12 years ago

Flags: needinfo?(hv1989)

Hannes Verschore [:h4writer]

Assignee

Comment 1

•

12 years ago

Attached patch Fix — Details — Splinter Review

Something went wrong when copying that code and in this case "CreateThis" should return NULL instead of asserting. This patch should fix it. Trivial patch, but nobody is online to get a quick r+

Assignee: general → hv1989

Attachment #698411 - Flags: review?(jdemooij)

Flags: needinfo?(hv1989)

Tom S [:evilpie]

Comment 2

•

12 years ago

Comment on attachment 698411 [details] [diff] [review]
Fix

We should never call a native non-constructor function with new. This should always result in an error. So returning NULL seems fine.

Attachment #698411 - Flags: review?(jdemooij) → review?(evilpies)

Tom S [:evilpie]

Updated

•

12 years ago

Attachment #698411 - Flags: review?(evilpies) → review+

Hannes Verschore [:h4writer]

Assignee

Comment 3

•

12 years ago

Thanks Tom :D.
https://hg.mozilla.org/integration/mozilla-inbound/rev/9968445e534

Hannes Verschore [:h4writer]

Assignee

Updated

•

12 years ago

Flags: in-testsuite+

Phil Ringnalda (:philor)

Comment 4

•

12 years ago

https://hg.mozilla.org/mozilla-central/rev/9968445e5343

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla20

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 5

•

11 years ago

Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.

Status: RESOLVED → VERIFIED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

IonMonkey: "Assertion failure: target->isNativeConstructor(),"

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Assigned: h4writer)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Comment 1

Comment 2

Updated

Comment 3

Updated

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type