Bug 1161362 - When initializing a trivial script, also initialize its call object shape to the empty shape. (r=jimb)

js/src/jit-test/tests/debug/Environment-Function-prototype.js

@@ -0,0 +1,7 @@
+// Don't crash when getting the Debugger.Environment of a frame inside
+// Function.prototype.
+
+var g = newGlobal();
+var dbg = new Debugger(g);
+dbg.onEnterFrame = function (frame) { frame.environment; };
+g.Function.prototype();

js/src/jsscript.cpp

@@ -190,6 +190,18 @@ Bindings::initWithTemporaryStorage(ExclusiveContext* cx, InternalBindingsHandle
     return true;
 }
 
+bool
+Bindings::initTrivial(ExclusiveContext* cx)
+{
+    Shape* shape = EmptyShape::getInitialShape(cx, &CallObject::class_, TaggedProto(nullptr),
+                                               CallObject::RESERVED_SLOTS,
+                                               BaseShape::QUALIFIED_VAROBJ | BaseShape::DELEGATE);
+    if (!shape)
+        return false;
+    callObjShape_.init(shape);
+    return true;
+}
+
 uint8_t*
 Bindings::switchToScriptStorage(Binding* newBindingArray)
 {
@@ -2556,6 +2568,9 @@ JSScript::partiallyInit(ExclusiveContext* cx, HandleScript script, uint32_t ncon
 /* static */ bool
 JSScript::fullyInitTrivial(ExclusiveContext* cx, Handle<JSScript*> script)
 {
+    if (!script->bindings.initTrivial(cx))
+        return false;
+
     if (!partiallyInit(cx, script, 0, 0, 0, 0, 0, 0, 0))
         return false;
 

js/src/jsscript.h

@@ -252,6 +252,9 @@ class Bindings
                                          uint32_t numUnaliasedVars, uint32_t numUnaliasedBodyLevelLexicals,
                                          Binding* bindingArray);
 
+    // Initialize a trivial Bindings with no slots and an empty callObjShape.
+    bool initTrivial(ExclusiveContext* cx);
+
     // CompileScript parses and compiles one statement at a time, but the result
     // is one Script object.  There will be no vars or bindings, because those
     // go on the global, but there may be block-scoped locals, and the number of