Bug 1236519 - Ensure JSFunction::isDerivedClassConstructor properly handles lazy self-hosted functions. r=till a=bustage

js/src/jsfun.cpp

@@ -1294,6 +1294,30 @@ JSFunction::infallibleIsDefaultClassConstructor(JSContext* cx) const
     return isDefault;
 }
 
+bool
+JSFunction::isDerivedClassConstructor()
+{
+    bool derived;
+    if (isInterpretedLazy()) {
+        // There is only one plausible lazy self-hosted derived
+        // constructor.
+        if (isSelfHostedBuiltin()) {
+            JSAtom* name = &getExtendedSlot(LAZY_FUNCTION_NAME_SLOT).toString()->asAtom();
+
+            // This function is called from places without access to a
+            // JSContext. Trace some plumbing to get what we want.
+            derived = name == compartment()->runtimeFromAnyThread()->
+                              commonNames->DefaultDerivedClassConstructor;
+        } else {
+            derived = lazyScript()->isDerivedClassConstructor();
+        }
+    } else {
+        derived = nonLazyScript()->isDerivedClassConstructor();
+    }
+    MOZ_ASSERT_IF(derived, isClassConstructor());
+    return derived;
+}
+
 bool
 JSFunction::getLength(JSContext* cx, uint16_t* length)
 {

js/src/jsfun.h

@@ -538,15 +538,7 @@ class JSFunction : public js::NativeObject
         u.n.jitinfo = data;
     }
 
-    bool isDerivedClassConstructor() {
-        bool derived;
-        if (isInterpretedLazy())
-            derived = lazyScript()->isDerivedClassConstructor();
-        else
-            derived = nonLazyScript()->isDerivedClassConstructor();
-        MOZ_ASSERT_IF(derived, isClassConstructor());
-        return derived;
-    }
+    bool isDerivedClassConstructor();
 
     static unsigned offsetOfNativeOrScript() {
         static_assert(offsetof(U, n.native) == offsetof(U, i.s.script_),