Closed Bug 778557 Opened 12 years ago Closed 12 years ago

"Assertion failure: !args.rval().isPrimitive() && callee != &args.rval().toObject(),"

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 macOS
Priority: Not set
Severity: critical

Tracking


VERIFIED FIXED
mozilla18
Tracking Status
firefox17 --- verified
firefox18 --- verified

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][js:t])

Attachments

(2 files)

Attached file stack (deleted) —
x = Set;
eval("function y()(Iterator)", this);
x.__iterator__ = y;
new Iterator(x)

asserts js debug shell on m-c changeset 90828ac18dcf without any CLI arguments at:

Assertion failure: !args.rval().isPrimitive() && callee != &args.rval().toObject(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84993:6a5e20a0f741
user:        Jason Orendorff
date:        Fri Jan 20 06:11:43 2012 -0600
summary:     Bug 697479 - Implement Map and Set builtins for JS. r=jimb.
Blocks: 697479
I can reproduce this. Slightly reduced test case:

function y()(Iterator)
Set.__iterator__ = y;
new Iterator(Set)
Whiteboard: [jsbugmon:update]
Assignee: general → jorendorff
Whiteboard: [jsbugmon:update] → [jsbugmon:update][js:t]
Attached patch v1 (deleted) — Splinter Review
Oh, that assertion. It's just bogus. This is I guess the 4th constructor we've found that can return itself. If we find any more, I say just remove the assertion.
Attachment #659726 - Flags: review?(jimb)
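As an added illustration that is not part of this bug or the patch, the following Node-runnable JavaScript models the legacy SpiderMonkey `Iterator` constructor and its `__iterator__` hook (the emulation `LegacyIterator` is an assumption, not engine code) to show why the asserted invariant was unsound: `new` keeps any object a constructor returns, and a user-controlled hook can hand back the constructor itself, exactly as the reduced testcase does.

```javascript
"use strict";

// Constructed emulation (an assumption for illustration, not SpiderMonkey's
// code) of the legacy `Iterator` constructor: when the argument defines a
// `__iterator__` hook, the constructor returns whatever that hook produces.
function LegacyIterator(obj) {
  const isObjectLike =
    obj !== null && (typeof obj === "object" || typeof obj === "function");
  if (isObjectLike && typeof obj.__iterator__ === "function") {
    // The hook is user-controlled, so its result can be any object,
    // including the constructor itself.
    return obj.__iterator__.call(obj);
  }
  // Default behaviour: fresh iterator state over the argument's own keys.
  this.keys = Object.keys(Object(obj));
  this.index = 0;
}

// The invariant the JS_ASSERT encoded: the object produced by `new ctor(arg)`
// is never the callee. Returns true when that invariant is violated.
function constructReturnsCallee(ctor, arg) {
  // `new` keeps a constructor's return value whenever it is an object
  // (functions included); only primitive returns are replaced by `this`.
  return new ctor(arg) === ctor;
}

// The reduced testcase from the bug without the expression-closure syntax:
//   function y()(Iterator)   is   function y() { return Iterator; }
function y() { return LegacyIterator; }

// Stand-in for `Set` in the testcase so the real global is left untouched.
function hookedTarget() {}
hookedTarget.__iterator__ = y;

// An ordinary argument without the hook takes the default path.
const plainTarget = { a: 1, b: 2 };
```

`constructReturnsCallee(LegacyIterator, hookedTarget)` is true while the same call with `plainTarget` is false, which is the distinction the assertion's whitelist had to be taught.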
Comment on attachment 659726 [details] [diff] [review] v1 Review of attachment 659726 [details] [diff] [review]: ----------------------------------------------------------------- Looks great; just one comment suggestion. ::: js/src/jscntxtinlines.h @@ +423,5 @@ > * (new Object(Object)) returns the callee. > */ > JS_ASSERT_IF(native != FunctionProxyClass.construct && > native != js::CallOrConstructBoundFunction && > + native != js::IteratorConstructor && The comment seems to have a brief entry for each whitelist entry; could you add one for this case as well?
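Review bot: the `JS_ASSERT_IF` whitelist now carries three hand-maintained exclusions (`FunctionProxyClass.construct`, `js::CallOrConstructBoundFunction`, `js::IteratorConstructor`) while the comment block ending in `(new Object(Object)) returns the callee.` documents only the Object case shown in context; add a one-line entry for the Iterator case (a `__iterator__` hook on the argument that returns `Iterator` itself, as in `Set.__iterator__ = y; new Iterator(Set)`) so the next constructor found to return the callee can be matched against the documented pattern. Since this is a DEBUG-only assertion, the exclusion is never exercised in release builds, so landing the reduced testcase alongside the patch is what keeps it checked.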
Attachment #659726 - Flags: review?(jimb) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
jorendorff, do you mind asking for approval on aurora 17 branch (which is going to be an ESR)? It will help with fuzzing on that future ESR branch. Thank you!
Comment on attachment 659726 [details] [diff] [review]
v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): extremely ancient
User impact if declined: This patch makes fuzzing easier on Aurora. The only user impact of declining it would be less security testing.
Testing completed (on m-c, etc.): on m-c.
Risk to taking this patch (and alternatives if risky): Very very very low (the patch just renames a function and changes a DEBUG-only assertion).
String or UUID changes made by this patch: None.
Attachment #659726 - Flags: approval-mozilla-aurora?
Comment on attachment 659726 [details] [diff] [review]
v1

[Triage Comment]
The third very swayed us. Approving for Aurora 17 in support of testing.
Attachment #659726 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Keywords: verifyme
Verified the fix by running the test from the bug description on SpiderMonkey built from the latest mozilla-beta (ae08e43155c3) source: no assertion occurs. OS: Mac OS X 10.7.5
Verified the fix by running the test in the description after building the JavaScript Engine from the latest mozilla-beta (7e190731240e); no assertions occur. OS used: Mac OS X 10.7.5
Status: RESOLVED → VERIFIED
Keywords: verifyme
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+