Function.prototype strikes again: -- Function.prototype.__defineSetter__('prototype', function() { }); for(var i=0; i<20; i++) { new Function.prototype(); } -- Asserts with -j: Assertion failure: slot < capacity, at ../jsobj.h:658

This does not crash in a release build, but the assert seems a bit scary. Please remove the security-sensitive flag if it's harmless.

The first bad revision is: changeset: 54760:caa8bfd6f9b1 user: Brendan Eich <brendan@mozilla.org> date: Sun Oct 03 22:46:39 2010 -0700 summary: Per ECMA-262, no .prototype for built-in functions and Function.prototype (445319, r=Waldo). In revisions before this it throws TypeError: can't redefine non-configurable property 'prototype'

Here's a version with defineProperty instead of __defineSetter__. -- Object.defineProperty(Function.prototype, "prototype", {set:function(){}}); for(var i=0; i<20; i++) { new Function.prototype(); }

Jason, still sick here, need your brain: js_CreateThisFromTrace looks wrong on a couple of counts: * Unlike js_CreateThis, it does not get ctor.prototype using the full, resolving, prototype search, including calling a getter. * If it did, or even as is (due to the later conditioanl js_SetClassPrototype call), it might deep bail. But the jstracer.cpp code that emits LIR to call js_CreateThisFromTrace does not prepare. /be

Please keep this hidden.

This seems to be 64-bit only.

What ho, this seems to be a simple case of a slotless shape.

Comment on attachment 510435 [details] [diff] [review] fix I don't think that's correct. ES5 requires that we actually call the .prototype getter in this case. I think the answer is to refuse to record if the function doesn't have its own permanent .prototype property. I'm done with watchpoints for now, touch wood, so I can fix this tomorrow morning.

The interpreter creates |this| in JSOP_NEW. The tracer creates |this| in record_EnterFrame, which isn't called until the new frame has already been pushed and cx->regs->pc is pointing to the first instruction of the callee. Therefore the whole of record_EnterFrame, and the code that creates |this| in particular MUST NOT bail out to the interpreter. If it does, nobody will create |this|.

It turned out to be straightforward to move the CreateThis code from TR::record_EnterFrame to TR::interpretedFunctionCall.

Comment on attachment 511490 [details] [diff] [review] v1 Thanks for getting rid of the constructing-jsnative-non-ctor case.

Comment on attachment 511490 [details] [diff] [review] v1 >+ /* >+ * ECMA (15.3.5.2) says that a user-defined function's .prototype property >+ * is non-configurable, non-enumerable, and (initially) writable. 13.2 is the relevant clause, and it says "18. Call the [[DefineOwnProperty]] internal method of F with arguments "prototype", Property Descriptor {[[Value]]: proto, { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: false}, and false." 15.3.5.2 restates this: "This property has the attribute { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: false }." Configurable being false equates to JSPROP_PERMANENT being clear, not set. >... Hence >+ * JSPROP_PERMANENT below. By contrast, the built-in constructors, such as >+ * Object (15.2.3.1) and Function (15.3.3.1), have non-writable >+ * .prototype properties. Those are eagerly defined, with attributes >+ * JSPROP_PERMANENT | JSPROP_READONLY, in js_InitClass. >+ */ >+ if (!js_SetClassPrototype(cx, obj, proto, JSPROP_PERMANENT)) Please file and fix. /be

Urgh, pre-caffeine. Ignore comment 15 (I was thrown by the change from ES3 to Enumerable, and the whole Dont vs. Do change :-P). /be

Comment on attachment 512553 [details] [diff] [review] warning fixes Thanks!

cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/432915db49a8

Warning fixes as followup push: http://hg.mozilla.org/tracemonkey/rev/b7066265d596 cdlearybot take note! /be

(In reply to comment #20) > Warning fixes as followup push: > > http://hg.mozilla.org/tracemonkey/rev/b7066265d596 > > cdlearybot take note! Reopening (keeping fixed-in-tracemonkey on whiteboard) till this gets done, lest everyone forgets.

cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/b7066265d596

Bug in removed tracer code, setting in-testsuite- flag.