From 84dea9a8f7649fb2d3c0bda6f5bba3b8150bc099 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo
Date: Wed, 6 May 2015 15:55:26 -0700
Subject: [PATCH] Bug 1161362 - When initializing a trivial script, also initialize its call object shape to the empty shape. (r=jimb)
---
 .../tests/debug/Environment-Function-prototype.js | 7 +++++++
 js/src/jsscript.cpp | 15 +++++++++++++++
 js/src/jsscript.h | 3 +++
 3 files changed, 25 insertions(+)
 create mode 100644 js/src/jit-test/tests/debug/Environment-Function-prototype.js
diff --git a/js/src/jit-test/tests/debug/Environment-Function-prototype.js b/js/src/jit-test/tests/debug/Environment-Function-prototype.js
new file mode 100644
index 00000000000..9ba64a26cfb
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Environment-Function-prototype.js
@@ -0,0 +1,7 @@
+// Don't crash when getting the Debugger.Environment of a frame inside
+// Function.prototype.
+
+var g = newGlobal();
+var dbg = new Debugger(g);
+dbg.onEnterFrame = function (frame) { frame.environment; };
+g.Function.prototype();
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
index 2e11e1238c8..781b2f52ddc 100644
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -190,6 +190,18 @@ Bindings::initWithTemporaryStorage(ExclusiveContext* cx, InternalBindingsHandle
 return true;
 }
 
+bool
+Bindings::initTrivial(ExclusiveContext* cx)
+{
+ Shape* shape = EmptyShape::getInitialShape(cx, &CallObject::class_, TaggedProto(nullptr),
+ CallObject::RESERVED_SLOTS,
+ BaseShape::QUALIFIED_VAROBJ | BaseShape::DELEGATE);
+ if (!shape)
+ return false;
+ callObjShape_.init(shape);
+ return true;
+}
+
 uint8_t*
 Bindings::switchToScriptStorage(Binding* newBindingArray)
 {
@@ -2556,6 +2568,9 @@ JSScript::partiallyInit(ExclusiveContext* cx, HandleScript script, uint32_t ncon
 /* static */ bool
 JSScript::fullyInitTrivial(ExclusiveContext* cx, Handle script)
 {
+ if (!script->bindings.initTrivial(cx))
+ return false;
+
 if (!partiallyInit(cx, script, 0, 0, 0, 0, 0, 0, 0))
 return false;
 
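Review bot: `Bindings::initTrivial` installs `callObjShape_` from `EmptyShape::getInitialShape` with the hard-coded triple `&CallObject::class_`, `CallObject::RESERVED_SLOTS` and `BaseShape::QUALIFIED_VAROBJ | BaseShape::DELEGATE`, but nothing in the hunk records why a script with no bindings needs a call object shape at all. The commit title and the new jit-test indicate that the Debugger reads this shape for frames inside Function.prototype and previously found it unset, so the `callObjShape_.init(shape);` line deserves a why-comment such as `// Debugger.Environment can ask for this script's call object shape even though it has no bindings, so it must never be left uninitialized.` If `initWithTemporaryStorage` (its body lies above the hunk) obtains its shape with the same class, slot count and flags, the triple should be shared in one place rather than duplicated here, so the two initialization paths cannot drift apart; that is an inference from the names, not visible in the hunk.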
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
index 73d0476af2b..b3cdf1a05ff 100644
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -252,6 +252,9 @@ class Bindings
 uint32_t numUnaliasedVars, uint32_t numUnaliasedBodyLevelLexicals,
 Binding* bindingArray);
 
+ // Initialize a trivial Bindings with no slots and an empty callObjShape.
+ bool initTrivial(ExclusiveContext* cx);
+
 // CompileScript parses and compiles one statement at a time, but the result
 // is one Script object. There will be no vars or bindings, because those
 // go on the global, but there may be block-scoped locals, and the number of
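Review bot: The new comment on `initTrivial` says "an empty callObjShape", which reads as "no shape at all", whereas the jsscript.cpp hunk shows the method storing the initial CallObject shape returned by `EmptyShape::getInitialShape` and returning false when that call yields null. The declaration comment should state both the value and the failure mode, for example `// Initialize a trivial Bindings: no slots, with callObjShape set to the initial (empty) CallObject shape. Returns false if that shape cannot be obtained.` Callers must check the result, as `JSScript::fullyInitTrivial` does in this patch.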