See bug 567577 comment 9 and bug 567577 comment 10.
I *think* we either need to add a tvr for the noted default-return object in js_InvokeConstructor or figure out whether __noSuchMethod__ functionality can ever be invoked in a constructing situation. The latter is probably hard, and the former is probably easy, which suggests probably the former is what we should do.
This also shows up in JS_New on trunk (but conservative stack scanning saves us) and in fun_applyConstructor (Narcissus-only, so I think we don't care), but neither of these cases needs a change.
Cc'ing mrbkap who was involved in bug 453462, and gal who took over at some point.
this is still biting on branches, even if we get a conservative scanner on trunk, right?
The patch in bug 567577 fixes this, I think.
(In reply to comment #4)
> The patch in bug 567577 fixes this, I think.
"Can we get a little more confidence than 'I Think'?" -- Damon Sicore
Waldo filed it. Waldo should decide. As far as I understand the bug report scanning the stack will find this root, so this is safe now. Waldo?
Comment 4 is correct with respect to trunk, even with conservative stack scanning turned off. We may not want to apply the patch there to branches exactly as is, however, as it does force clamping, which would be a web-visible change. Just adding the AutoObjectRooter (JSAutoTempValueRooter on branches) should be enough for branches, without compatibility concerns.
Waldo, could you please get a branch patch going?
Any news on the branch patch?
Created attachment 460709 [details] [diff] [review]
Comment on attachment 460709 [details] [diff] [review]
a=LegNeato for 184.108.40.206 and 220.127.116.11. Please land on mozilla-1.9.2 default and mozilla-1.9.1 default.
Created attachment 471885 [details] [diff] [review]
Patch for 1.9.0