1257349 - Don't mutate the [[Prototype]] when creating bound functions from Function subclass instances

Status: RESOLVED INVALID

(Core :: JavaScript Engine, defect)

Description

[Till Schneidereit [:till]]

Bound functions are created in self-hosted code, but some finishing touches happen in an intrinsic. Among those is ascertaining that the function has the right [[Prototype]]. That's almost always the case by default: both the target and the bound function are Function instances and have Function.prototype as their [[Prototype]].

Except when they don't. Specifically, when the target has a different [[Prototype]], which happens for instances of Function subclasses. Those are truly weird beasts anyway and somewhat unlikely to be used much, so I punted on them and just used SetPrototype. However, at some point some framework will enter the stage and use this for something that happens thousands of times per frame, so at some point we should fix this.

We could do so by creating a new JSFunction instance with the same script and environment, but a different [[Prototype]]. I think. I didn't try it, but don't see why it wouldn't work.

Comment 1

[Jan de Mooij [:jandem]]

Bug 1483869 mostly fixed this, except for the JIT-optimized bound function allocation path where we default to Function.prototype for the template object.

Mutating a prototype no longer kills performance though, after the TI removal, so I think we can just close this.