emptyShapes is usually NULL and when it's not is a malloc'd sparse array that has two empty shapes, only one of which is really used? Removing this would make bug 638015 a lot easier & faster. Right now to get the empty shape we'd have to inline: 0: guard on obj.shape 1: load obj.slots[proto_slot] 2: load (1).emptyShapes 3: guard (2) not NULL 4: load *((1) + 0) 5: guard (4).clasp == js_ObjectClass 6: load *((1) + X) 7: guard (6) not NULL Ideally we could just stick proto + emptyShape directly onto the closure object itself, and reduce this to: 0: load callee.ctor_prototype 1: guard (0) not NULL 2: load callee.ctor_emptyShape 3: guard (2) not NULL Getting rid of the shape guard is most important since then there would be no need to handle polymorphism.

Hmm, once created the empty shapes on an object don't go away and don't change. So an identity guard on the value from obj.slots[proto_slot] would eliminate the need for 2-7. Not disputing the desire to get rid of emptyShapes, but I think the reason for doing so is more for object evisceration than scripted-new path simplification. Where do the empty shapes get stored for objects not created by scripted new?

Constructors can be polymorphic, I would like to not have identity/shape guards so we can despecialize patterns like in v8-raytrace.