Bug 599446 - Weaken bug-finding assert in CallJSNativeConstructor (r=brendan,a=sayrer)

2024-09-13 09:24:08 -07:00 · 2010-09-24 12:54:13 -07:00 · 2010-09-24 12:54:13 -07:00 · 7a7f4e847c
commit 7a7f4e847c
parent 494d094e3a
2 changed files with 18 additions and 2 deletions
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@ -671,13 +671,17 @@ CallJSNativeConstructor(JSContext *cx, js::Native native, uintN argc, js::Value
     * Native constructors must return non-primitive values on success.
     * Although it is legal, if a constructor returns the callee, there is a
     * 99.9999% chance it is a bug. If any valid code actually wants the
-     * constructor to return the callee, this can be removed.
+     * constructor to return the callee, the assertion can be removed or
+     * (another) conjunct can be added to the antecedent.
     *
     * Proxies are exceptions to both rules: they can return primitives and
     * they allow content to return the callee.
+     *
+     * (new Object(Object)) returns the callee.
     */
    extern JSBool proxy_Construct(JSContext *, uintN, Value *);
-    JS_ASSERT_IF(native != proxy_Construct,
+    JS_ASSERT_IF(native != proxy_Construct &&
+                 callee->getFunctionPrivate()->u.n.clasp != &js_ObjectClass,
                 !vp->isPrimitive() && callee != &vp[0].toObject());

    return true;
--- a/js/src/trace-test/tests/basic/testObjectConstructorReturningObject.js
+++ b/js/src/trace-test/tests/basic/testObjectConstructorReturningObject.js
@ -0,0 +1,12 @@
+for (var i = 0; i < HOTLOOP+4; ++i) {
+    var o;
+
+    o = new Object(Object);
+    assertEq(o, Object);
+
+    (function () {
+        x = constructor
+    })();
+    o = new(x)(x);
+    assertEq(o, Object);
+}