621420 - "Assertion failure: !vp->isPrimitive() && callee != &vp[0].toObject()"

Status: RESOLVED DUPLICATE of bug 202019

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

new (''.toLowerCase.bind());

Assertion failure: !vp->isPrimitive() && callee != &vp[0].toObject(), 
at jscntxtinlines.h:720

Comment 1

[Jesse Ruderman]

The first bad revision is:
changeset:   32b049250e03
user:        David Anderson
date:        Mon Oct 04 14:13:33 2010 -0700
summary:     ICs for scripted new (bug 589398, r=luke,dmandelin).

Comment 2

[Andrew Drake [:adrake]]

Attachment: Patch v0

In InvokeConstructor, if a non-fast constructor returns a primitive object, the return value is forced to the 'this' that was handed to the constructor. Unfortunately, native string operations reassign 'this' to a string (which is primitive), causing the return value if they are used as a constructor to still be primitive. This propagates up through the native constructor for a bound function, which then triggers the assert.

Prior versions simply set the return value to the object created directly, and ignored the (possibly reassigned) 'this'. I don't believe there are any cases where 'this' is legitimately assigned to a totally different object in a constructor, so this patch simply restores the old behavior.

Also included in this patch is a regression test for the test suite.

Comment 3

[Luke Wagner [:luke]]

(In reply to comment #2)

Nice detective-ing.

> In InvokeConstructor, if a non-fast constructor returns a primitive object, the

I think you mean non-constructor native?  If so, then I believe the problem you noted will go away with bug 202019 (which is r+'d and waiting to land).

Comment 4

[Andrew Drake [:adrake]]

Yep, that fixes this issue too. Thanks for the heads up!