Changeset 260732 in webkit

Timestamp:

Apr 26, 2020 2:30:38 PM (4 years ago)

Author:

Alexey Shvayka

Message:

InternalFunction::createSubclassStructure should use newTarget's globalObject
​https://bugs.webkit.org/show_bug.cgi?id=202599

Reviewed by Yusuke Suzuki.

JSTests:

• stress/promise-proto-from-ctor-realm.js: Added.
• test262/expectations.yaml: Mark 88 test cases as passing.

LayoutTests/imported/w3c:

• web-platform-tests/WebIDL/ecmascript-binding/constructors-expected.txt:
• web-platform-tests/custom-elements/htmlconstructor/newtarget-expected.txt:
• web-platform-tests/wasm/jsapi/proto-from-ctor-realm-expected.txt:

Source/JavaScriptCore:

If "prototype" of NewTarget is not an object, built-in constructors [1] should acquire
default Prototype? from realm of NewTarget, utilizing GetFunctionRealm helper [2].
Before this change, realm of active constructor was used instead. This patch introduces
GetFunctionRealm and aligns all subclassable constructors with the spec, V8, and SpiderMonkey.

This change inlines fast paths checks of InternalFunction::createSubclassStructure() and
simplifies its signature; getFunctionRealm() is invoked in slow paths only.

While a dynamically created function uses NewTarget's realm for its default Prototype?
similar to other built-ins, its "prototype" object inherit from ObjectPrototype
of active constructor's realm [3] (just like their scope), making it retain references
to 2 different global objects. To accomodate this behavior, this change introduces
scopeGlobalObject in JSFunction.cpp methods.

Above-mentioned behavior also simplifies creation of JSGenerator and JSAsyncGenerator
instances since NewTarget's realm is irrelevant to them.

IntlCollatorConstructor::collatorStructure() and 6 similar methods are removed:
a) to impose good practice of using newTarget's globalObject;
b) with this change, each of them have 1 call site max;
c) other JSC constructors have no methods alike.

[1]: ​https://tc39.es/ecma262/#sec-map-constructor (step 2)
[2]: ​https://tc39.es/ecma262/#sec-getfunctionrealm
[3]: ​https://tc39.es/ecma262/#sec-createdynamicfunction (steps 23-25)

• dfg/DFGOperations.cpp:
• runtime/AggregateErrorConstructor.cpp:

(JSC::callAggregateErrorConstructor):
(JSC::constructAggregateErrorConstructor):

• runtime/AggregateErrorConstructor.h:
• runtime/AsyncFunctionConstructor.cpp:

(JSC::constructAsyncFunctionConstructor):

• runtime/AsyncGeneratorFunctionConstructor.cpp:

(JSC::constructAsyncGeneratorFunctionConstructor):

• runtime/BooleanConstructor.cpp:

(JSC::constructWithBooleanConstructor):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):
(JSC::createInternalFieldObject):

• runtime/DateConstructor.cpp:

(JSC::constructDate):

• runtime/ErrorConstructor.cpp:

(JSC::constructErrorConstructor):

• runtime/FunctionConstructor.cpp:

(JSC::constructFunctionSkippingEvalEnabledCheck):

• runtime/InternalFunction.cpp:

(JSC::InternalFunction::createSubclassStructure):
(JSC::getFunctionRealm):
(JSC::InternalFunction::createSubclassStructureSlow): Deleted.

• runtime/InternalFunction.h:

(JSC::InternalFunction::createSubclassStructure): Deleted.

• runtime/IntlCollatorConstructor.cpp:

(JSC::constructIntlCollator):
(JSC::callIntlCollator):

• runtime/IntlCollatorConstructor.h:
• runtime/IntlDateTimeFormatConstructor.cpp:

(JSC::constructIntlDateTimeFormat):
(JSC::callIntlDateTimeFormat):

• runtime/IntlDateTimeFormatConstructor.h:
• runtime/IntlNumberFormatConstructor.cpp:

(JSC::constructIntlNumberFormat):
(JSC::callIntlNumberFormat):

• runtime/IntlNumberFormatConstructor.h:
• runtime/IntlPluralRulesConstructor.cpp:

(JSC::constructIntlPluralRules):

• runtime/IntlPluralRulesConstructor.h:
• runtime/IntlRelativeTimeFormatConstructor.cpp:

(JSC::constructIntlRelativeTimeFormat):

• runtime/IntlRelativeTimeFormatConstructor.h:
• runtime/JSArrayBufferConstructor.cpp:

(JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):

• runtime/JSFunction.cpp:

(JSC::JSFunction::prototypeForConstruction):
(JSC::JSFunction::getOwnPropertySlot):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayView):

• runtime/JSGlobalObjectInlines.h:

(JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/NativeErrorConstructor.cpp:

(JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
(JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):

• runtime/NativeErrorConstructor.h:
• runtime/NumberConstructor.cpp:

(JSC::constructNumberConstructor):

• runtime/ObjectConstructor.cpp:

(JSC::constructObjectWithNewTarget):

• runtime/RegExpConstructor.cpp:

(JSC::getRegExpStructure):
(JSC::constructRegExp):
(JSC::esSpecRegExpCreate):

• runtime/RegExpConstructor.h:
• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/StringConstructor.cpp:

(JSC::constructWithStringConstructor):

• runtime/WeakMapConstructor.cpp:

(JSC::constructWeakMap):

• runtime/WeakObjectRefConstructor.cpp:

(JSC::constructWeakRef):

• runtime/WeakSetConstructor.cpp:

(JSC::constructWeakSet):

• wasm/js/WebAssemblyCompileErrorConstructor.cpp:

(JSC::constructJSWebAssemblyCompileError):

• wasm/js/WebAssemblyInstanceConstructor.cpp:

(JSC::constructJSWebAssemblyInstance):

• wasm/js/WebAssemblyLinkErrorConstructor.cpp:

(JSC::constructJSWebAssemblyLinkError):

• wasm/js/WebAssemblyModuleConstructor.cpp:

(JSC::WebAssemblyModuleConstructor::createModule):

• wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:

(JSC::constructJSWebAssemblyRuntimeError):

Source/WebCore:

Accounts for InternalFunction::createSubclassStructure() signature change and
utilizes getFunctionRealm() helper to handle cross-realm JSBoundFunction and
ProxyObject instances as NewTarget value.

Tests: web-platform-tests/WebIDL/ecmascript-binding/constructors.html

web-platform-tests/custom-elements/htmlconstructor/newtarget.html

• bindings/js/JSDOMWrapperCache.h:

(WebCore::setSubclassStructureIfNeeded):

• bindings/js/JSHTMLElementCustom.cpp:

(WebCore::constructJSHTMLElement):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/promise-proto-from-ctor-realm.js (added)
• JSTests/test262/expectations.yaml (modified) (17 diffs)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/constructors-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/custom-elements/htmlconstructor/newtarget-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/proto-from-ctor-realm-expected.txt (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/AggregateErrorConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/AggregateErrorConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/AsyncFunctionConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/AsyncGeneratorFunctionConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/BooleanConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/DateConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ErrorConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/InternalFunction.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/InternalFunction.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/IntlCollatorConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlPluralRulesConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlPluralRulesConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlRelativeTimeFormatConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlRelativeTimeFormatConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/MapConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/NativeErrorConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/NumberConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/RegExpConstructor.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/RegExpConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/SetConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/WeakMapConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/WeakObjectRefConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/WeakSetConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyLinkErrorConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyRuntimeErrorConstructor.cpp (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWrapperCache.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSHTMLElementCustom.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        InternalFunction::createSubclassStructure should use newTarget's globalObject
+        https://bugs.webkit.org/show_bug.cgi?id=202599
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/promise-proto-from-ctor-realm.js: Added.
+        * test262/expectations.yaml: Mark 88 test cases as passing.
+
 2020-04-26  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/test262/expectations.yaml

@@ -634 +634 @@
   default: 'Test262Error: Expected SameValue(«undefined», «[object Function]») to be true'
   strict mode: 'Test262Error: Expected SameValue(«undefined», «[object Function]») to be true'
-test/built-ins/Array/proto-from-ctor-realm-one.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«», «») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«», «») to be true'
-test/built-ins/Array/proto-from-ctor-realm-two.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«», «») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«», «») to be true'
-test/built-ins/Array/proto-from-ctor-realm-zero.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«», «») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«», «») to be true'
 test/built-ins/Array/prototype/concat/arg-length-exceeding-integer-limit.js:
   default: 'Test262Error: Expected a TypeError but got a RangeError'
@@ -709 +700 @@
   default: 'Test262Error: Length is 2**53 - 1 Expected SameValue(«4294967295», «9007199254740991») to be true'
   strict mode: 'Test262Error: Length is 2**53 - 1 Expected SameValue(«4294967295», «9007199254740991») to be true'
-test/built-ins/ArrayBuffer/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object ArrayBuffer]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object ArrayBuffer]», «[object ArrayBuffer]») to be true'
 test/built-ins/ArrayBuffer/prototype/byteLength/detached-buffer.js:
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
@@ -748 +736 @@
   default: 'Test262:AsyncTestFailure:Test262Error: Test262Error: Expected SameValue(«1», «0») to be true'
   strict mode: 'Test262:AsyncTestFailure:Test262Error: Test262Error: Expected SameValue(«1», «0») to be true'
-test/built-ins/AsyncFunction/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object AsyncFunction]», «[object AsyncFunction]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object AsyncFunction]», «[object AsyncFunction]») to be true'
-test/built-ins/AsyncGeneratorFunction/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object AsyncGeneratorFunction]», «[object AsyncGeneratorFunction]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object AsyncGeneratorFunction]», «[object AsyncGeneratorFunction]») to be true'
 test/built-ins/AsyncGeneratorPrototype/return/return-suspendedYield-promise.js:
   default: 'Test262:AsyncTestFailure:Test262Error: Test262Error: AsyncGeneratorResolve(generator, resultValue, true) Expected SameValue(«[object Promise]», «unwrapped-value») to be true'
@@ -817 +799 @@
   default: 'Test262Error: Expected SameValue(«0», «2») to be true'
   strict mode: 'Test262Error: Expected SameValue(«0», «2») to be true'
-test/built-ins/Boolean/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«false», «false») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«false», «false») to be true'
 test/built-ins/DataView/custom-proto-access-detaches-buffer.js:
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
@@ -829 +808 @@
   default: 'Test262Error: descriptor value should be 1'
   strict mode: 'Test262Error: descriptor value should be 1'
-test/built-ins/DataView/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object DataView]», «[object DataView]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object DataView]», «[object DataView]») to be true'
 test/built-ins/DataView/prototype/byteLength/detached-buffer.js:
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
@@ -934 +910 @@
   default: 'Test262Error: Expected a TypeError but got a RangeError'
   strict mode: 'Test262Error: Expected a TypeError but got a RangeError'
-test/built-ins/Date/proto-from-ctor-realm-one.js:
-  default: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-test/built-ins/Date/proto-from-ctor-realm-two.js:
-  default: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-test/built-ins/Date/proto-from-ctor-realm-zero.js:
-  default: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-test/built-ins/Error/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«Error», «Error») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«Error», «Error») to be true'
 test/built-ins/Function/call-bind-this-realm-undef.js:
   default: 'Test262Error: implicit undefined Expected SameValue(«[object global]», «[object Undefined]») to be true'
@@ -964 +928 @@
   default: 'Test262Error: Expected a ReferenceError but got a ReferenceError'
   strict mode: 'Test262Error: Expected a ReferenceError but got a ReferenceError'
-test/built-ins/Function/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«function () {'
-  strict mode: 'Test262Error: Expected SameValue(«function () {'
-test/built-ins/Function/prototype/bind/get-fn-realm-recursive.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
-test/built-ins/Function/prototype/bind/get-fn-realm.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
 test/built-ins/Function/prototype/bind/length-exceeds-int32.js:
   default: 'Test262Error: Expected SameValue(«0», «2147483648») to be true'
@@ -1111 +1066 @@
   default: "Test262Error: Conforms to NativeFunction Syntax: 'function a(\\u{62}, \\u0063) { \\u0062 = \\u{00063}; return b; }'.(function \\u0061(\\u{62}, \\u0063) { \\u0062 = \\u{00063}; return b; })"
   strict mode: "Test262Error: Conforms to NativeFunction Syntax: 'function a(\\u{62}, \\u0063) { \\u0062 = \\u{00063}; return b; }'.(function \\u0061(\\u{62}, \\u0063) { \\u0062 = \\u{00063}; return b; })"
-test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object GeneratorFunction]», «[object GeneratorFunction]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object GeneratorFunction]», «[object GeneratorFunction]») to be true'
 test/built-ins/JSON/parse/reviver-object-non-configurable-prop-create.js:
   default: 'Test262Error: Expected SameValue(«22», «2») to be true'
   strict mode: 'Test262Error: Expected SameValue(«22», «2») to be true'
-test/built-ins/Map/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Map]», «[object Map]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Map]», «[object Map]») to be true'
-test/built-ins/NativeErrors/EvalError/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«EvalError», «EvalError») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«EvalError», «EvalError») to be true'
-test/built-ins/NativeErrors/RangeError/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«RangeError», «RangeError») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«RangeError», «RangeError») to be true'
-test/built-ins/NativeErrors/ReferenceError/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«ReferenceError», «ReferenceError») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«ReferenceError», «ReferenceError») to be true'
-test/built-ins/NativeErrors/SyntaxError/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«SyntaxError», «SyntaxError») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«SyntaxError», «SyntaxError») to be true'
-test/built-ins/NativeErrors/TypeError/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«TypeError», «TypeError») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«TypeError», «TypeError») to be true'
-test/built-ins/NativeErrors/URIError/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«URIError», «URIError») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«URIError», «URIError») to be true'
 test/built-ins/Number/bigint-conversion.js:
   default: "TypeError: Conversion from 'BigInt' to 'number' is not allowed."
   strict mode: "TypeError: Conversion from 'BigInt' to 'number' is not allowed."
-test/built-ins/Number/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«0», «0») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«0», «0») to be true'
 test/built-ins/Object/entries/order-after-define-property.js:
   default: 'Test262Error: Expected [b, a] and [a, b] to have the same contents. '
@@ -1166 +1094 @@
   default: 'Test262Error: Expected [b, a] and [a, b] to have the same contents. '
   strict mode: 'Test262Error: Expected [b, a] and [a, b] to have the same contents. '
-test/built-ins/Object/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Object]», «[object Object]») to be true'
 test/built-ins/Object/prototype/toString/proxy-function.js:
   default: 'Test262Error: function proxy Expected SameValue(«[object Object]», «[object Function]») to be true'
@@ -1199 +1124 @@
   default: 'Test262Error: Expected SameValue(«true», «false») to be true'
   strict mode: 'Test262Error: Expected SameValue(«true», «false») to be true'
-test/built-ins/Promise/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Promise]», «[object Promise]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Promise]», «[object Promise]») to be true'
 test/built-ins/Promise/prototype/finally/invokes-then-with-function.js:
   default: 'Test262Error: fulfillment handler is not constructor'
@@ -1253 +1175 @@
   default: 'Test262Error: Expected a TypeError but got a TypeError'
   strict mode: 'Test262Error: Expected a TypeError but got a TypeError'
-test/built-ins/Proxy/get-fn-realm-recursive.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
-test/built-ins/Proxy/get-fn-realm.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
 test/built-ins/Proxy/ownKeys/trap-is-undefined-target-is-proxy.js:
   default: 'Test262Error: Expected [length, foo, 0, Symbol()] and [Symbol(), length, foo, 0] to have the same contents. '
@@ -1658 +1574 @@
   default: 'Test262Error: `\p{XID_Start}` should match U+001CFA (`ᳺ`)'
   strict mode: 'Test262Error: `\p{XID_Start}` should match U+001CFA (`ᳺ`)'
-test/built-ins/RegExp/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«/(?:)/», «/(?:)/») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«/(?:)/», «/(?:)/») to be true'
 test/built-ins/RegExp/prototype/Symbol.match/builtin-infer-unicode.js:
   default: 'Test262Error: Expected SameValue(«�», «null») to be true'
@@ -1697 +1610 @@
   default: 'SyntaxError: Invalid regular expression: number too large in {} quantifier'
   strict mode: 'SyntaxError: Invalid regular expression: number too large in {} quantifier'
-test/built-ins/Set/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Set]», «[object Set]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object Set]», «[object Set]») to be true'
-test/built-ins/String/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«», «») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«», «») to be true'
 test/built-ins/String/prototype/replace/cstm-replace-is-null.js:
   default: 'TypeError: null is not a function'
@@ -1777 +1684 @@
   default: 'Test262Error: Expected a TypeError but got a RangeError (Testing with Float64Array.)'
   strict mode: 'Test262Error: Expected a TypeError but got a RangeError (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/buffer-arg/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/length-arg/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/no-args/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
 test/built-ins/TypedArrayConstructors/ctors/object-arg/length-excessive-throws.js:
   default: 'Test262Error: Expected a RangeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
   strict mode: 'Test262Error: Expected a RangeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/object-arg/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
 test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/detached-when-species-retrieved-different-type.js:
   default: 'Test262Error: TypeError thrown for detached source buffer Expected a TypeError to be thrown but no exception was thrown at all (Testing with Float64Array.)'
@@ -1819 +1714 @@
   default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
   strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
-test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
-  strict mode: 'Test262Error: Expected SameValue(«[object Float64ArrayPrototype]», «[object Float64ArrayPrototype]») to be true (Testing with Float64Array.)'
 test/built-ins/TypedArrayConstructors/ctors/typedarray-arg/same-ctor-buffer-ctor-access-throws.js:
   default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all (Testing with Float64Array.)'
@@ -1909 +1801 @@
   default: 'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor (Testing with Float64Array.)'
   strict mode: 'TypeError: TypedArray.of requires its this argument to subclass a TypedArray constructor (Testing with Float64Array.)'
-test/built-ins/WeakMap/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object WeakMap]», «[object WeakMap]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object WeakMap]», «[object WeakMap]») to be true'
-test/built-ins/WeakRef/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object WeakRef]», «[object WeakRef]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object WeakRef]», «[object WeakRef]») to be true'
-test/built-ins/WeakSet/proto-from-ctor-realm.js:
-  default: 'Test262Error: Expected SameValue(«[object WeakSet]», «[object WeakSet]») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«[object WeakSet]», «[object WeakSet]») to be true'
 test/intl402/Collator/missing-unicode-ext-value-defaults-to-true.js:
   default: "Test262Error: \"kn-true\" is returned in locale, but shouldn't be. Expected SameValue(«7», «-1») to be true"
   strict mode: "Test262Error: \"kn-true\" is returned in locale, but shouldn't be. Expected SameValue(«7», «-1») to be true"
-test/intl402/Collator/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
 test/intl402/Collator/usage-de.js:
   default: 'Test262Error: Expected [Ä, AE] and [AE, Ä] to have the same contents. search'
   strict mode: 'Test262Error: Expected [Ä, AE] and [AE, Ä] to have the same contents. search'
-test/intl402/DateTimeFormat/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
 test/intl402/DateTimeFormat/prototype/resolvedOptions/hourCycle-default.js:
   default: 'Test262Error: Expected SameValue(«h24», «h23») to be true'
@@ -1975 +1852 @@
   default: 'Test262Error: Expected a RangeError to be thrown but no exception was thrown at all'
   strict mode: 'Test262Error: Expected a RangeError to be thrown but no exception was thrown at all'
-test/intl402/NumberFormat/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
-test/intl402/PluralRules/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Object]», «[object Object]») to be true'
 test/intl402/RelativeTimeFormat/constructor/constructor/locales-valid.js:
   default: 'Test262Error: Grandfathered Expected a RangeError to be thrown but no exception was thrown at all'
   strict mode: 'Test262Error: Grandfathered Expected a RangeError to be thrown but no exception was thrown at all'
-test/intl402/RelativeTimeFormat/constructor/constructor/proto-from-ctor-realm.js:
-  default: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Intl.RelativeTimeFormat]», «[object Intl.RelativeTimeFormat]») to be true'
-  strict mode: 'Test262Error: newTarget.prototype is undefined Expected SameValue(«[object Intl.RelativeTimeFormat]», «[object Intl.RelativeTimeFormat]») to be true'
 test/intl402/RelativeTimeFormat/prototype/format/pl-pl-style-long.js:
   default: 'Test262Error: Expected SameValue(«za 1000 sekund», «za 1 000 sekund») to be true'

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        InternalFunction::createSubclassStructure should use newTarget's globalObject
+        https://bugs.webkit.org/show_bug.cgi?id=202599
+
+        Reviewed by Yusuke Suzuki.
+
+        * web-platform-tests/WebIDL/ecmascript-binding/constructors-expected.txt:
+        * web-platform-tests/custom-elements/htmlconstructor/newtarget-expected.txt:
+        * web-platform-tests/wasm/jsapi/proto-from-ctor-realm-expected.txt:
+
 2020-04-25  Darin Adler  <darin@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/constructors-expected.txt

@@ -11 +11 @@
 PASS Constructor in child window with bad NewTarget from parent window 
 PASS Constructor in parent window with bad NewTarget from child window 
-FAIL Constructor in parent window with bad NewTarget from parent window that's a bound child window function assert_equals: expected object "[object DOMParserPrototype]" but got object "[object DOMParserPrototype]"
-FAIL Constructor in child window with bad NewTarget from child window that's a bound parent window function assert_equals: expected object "[object DOMParserPrototype]" but got object "[object DOMParserPrototype]"
-FAIL Constructor in parent window with bad NewTarget from parent window that's a proxy for a child window function assert_equals: expected object "[object DOMParserPrototype]" but got object "[object DOMParserPrototype]"
-FAIL Constructor in child window with bad NewTarget from child window that's a proxy for a parent window function assert_equals: expected object "[object DOMParserPrototype]" but got object "[object DOMParserPrototype]"
+PASS Constructor in parent window with bad NewTarget from parent window that's a bound child window function 
+PASS Constructor in child window with bad NewTarget from child window that's a bound parent window function 
+PASS Constructor in parent window with bad NewTarget from parent window that's a proxy for a child window function 
+PASS Constructor in child window with bad NewTarget from child window that's a proxy for a parent window function 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/custom-elements/htmlconstructor/newtarget-expected.txt

@@ -3 +3 @@
 PASS Rethrow any exceptions thrown while getting the prototype 
 PASS If prototype is not object (null), derives the fallback from NewTarget's realm (autonomous custom elements) 
-FAIL If prototype is not object (null), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) assert_equals: Must use the HTMLElement from the realm of NewTarget expected object "[object HTMLElementPrototype]" but got object "[object HTMLElementPrototype]"
+PASS If prototype is not object (null), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) 
 PASS If prototype is not object (undefined), derives the fallback from NewTarget's realm (autonomous custom elements) 
-FAIL If prototype is not object (undefined), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) assert_equals: Must use the HTMLElement from the realm of NewTarget expected object "[object HTMLElementPrototype]" but got object "[object HTMLElementPrototype]"
+PASS If prototype is not object (undefined), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) 
 PASS If prototype is not object (5), derives the fallback from NewTarget's realm (autonomous custom elements) 
-FAIL If prototype is not object (5), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) assert_equals: Must use the HTMLElement from the realm of NewTarget expected object "[object HTMLElementPrototype]" but got object "[object HTMLElementPrototype]"
+PASS If prototype is not object (5), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) 
 PASS If prototype is not object (string), derives the fallback from NewTarget's realm (autonomous custom elements) 
-FAIL If prototype is not object (string), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) assert_equals: Must use the HTMLElement from the realm of NewTarget expected object "[object HTMLElementPrototype]" but got object "[object HTMLElementPrototype]"
+PASS If prototype is not object (string), derives the fallback from NewTarget's GetFunctionRealm (autonomous custom elements) 
 FAIL If prototype is not object (null), derives the fallback from NewTarget's realm (customized built-in elements) promise_test: Unhandled rejection with value: object "TypeError: Reflect.construct requires the first argument be a constructor"
 FAIL If prototype is not object (null), derives the fallback from NewTarget's GetFunctionRealm (customized built-in elements) promise_test: Unhandled rejection with value: object "TypeError: Reflect.construct requires the first argument be a constructor"

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/proto-from-ctor-realm-expected.txt

@@ -1 +1 @@
 
-FAIL WebAssembly.Module: cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `0` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `-1` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `""` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `"str"` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: cross-realm NewTarget with `symbol "Symbol()"` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: bound cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: bound bound cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: bound Proxy of cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: Proxy of cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: Proxy of Proxy of cross-realm NewTarget with `-0` prototype assert_true: expected true got false
-FAIL WebAssembly.Module: Proxy of bound cross-realm NewTarget with `NaN` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `0` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `-1` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `""` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `"str"` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: cross-realm NewTarget with `symbol "Symbol()"` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: bound cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: bound bound cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: bound Proxy of cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: Proxy of cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: Proxy of Proxy of cross-realm NewTarget with `-0` prototype assert_true: expected true got false
-FAIL WebAssembly.Instance: Proxy of bound cross-realm NewTarget with `NaN` prototype assert_true: expected true got false
+PASS WebAssembly.Module: cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `0` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `-1` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `""` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `"str"` prototype 
+PASS WebAssembly.Module: cross-realm NewTarget with `symbol "Symbol()"` prototype 
+PASS WebAssembly.Module: bound cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.Module: bound bound cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.Module: bound Proxy of cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.Module: Proxy of cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.Module: Proxy of Proxy of cross-realm NewTarget with `-0` prototype 
+PASS WebAssembly.Module: Proxy of bound cross-realm NewTarget with `NaN` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `0` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `-1` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `""` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `"str"` prototype 
+PASS WebAssembly.Instance: cross-realm NewTarget with `symbol "Symbol()"` prototype 
+PASS WebAssembly.Instance: bound cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.Instance: bound bound cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.Instance: bound Proxy of cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.Instance: Proxy of cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.Instance: Proxy of Proxy of cross-realm NewTarget with `-0` prototype 
+PASS WebAssembly.Instance: Proxy of bound cross-realm NewTarget with `NaN` prototype 
 FAIL WebAssembly.Memory: cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
 FAIL WebAssembly.Memory: cross-realm NewTarget with `null` prototype assert_true: expected true got false
@@ -75 +75 @@
 FAIL WebAssembly.Global: Proxy of Proxy of cross-realm NewTarget with `-0` prototype assert_true: expected true got false
 FAIL WebAssembly.Global: Proxy of bound cross-realm NewTarget with `NaN` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `0` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `-1` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `""` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `"str"` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: cross-realm NewTarget with `symbol "Symbol()"` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: bound cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: bound bound cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: bound Proxy of cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: Proxy of cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: Proxy of Proxy of cross-realm NewTarget with `-0` prototype assert_true: expected true got false
-FAIL WebAssembly.CompileError: Proxy of bound cross-realm NewTarget with `NaN` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `0` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `-1` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `""` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `"str"` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: cross-realm NewTarget with `symbol "Symbol()"` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: bound cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: bound bound cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: bound Proxy of cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: Proxy of cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: Proxy of Proxy of cross-realm NewTarget with `-0` prototype assert_true: expected true got false
-FAIL WebAssembly.LinkError: Proxy of bound cross-realm NewTarget with `NaN` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `0` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `-1` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `""` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `"str"` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: cross-realm NewTarget with `symbol "Symbol()"` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: bound cross-realm NewTarget with `undefined` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: bound bound cross-realm NewTarget with `null` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: bound Proxy of cross-realm NewTarget with `false` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: Proxy of cross-realm NewTarget with `true` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: Proxy of Proxy of cross-realm NewTarget with `-0` prototype assert_true: expected true got false
-FAIL WebAssembly.RuntimeError: Proxy of bound cross-realm NewTarget with `NaN` prototype assert_true: expected true got false
+PASS WebAssembly.CompileError: cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `0` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `-1` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `""` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `"str"` prototype 
+PASS WebAssembly.CompileError: cross-realm NewTarget with `symbol "Symbol()"` prototype 
+PASS WebAssembly.CompileError: bound cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.CompileError: bound bound cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.CompileError: bound Proxy of cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.CompileError: Proxy of cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.CompileError: Proxy of Proxy of cross-realm NewTarget with `-0` prototype 
+PASS WebAssembly.CompileError: Proxy of bound cross-realm NewTarget with `NaN` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `0` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `-1` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `""` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `"str"` prototype 
+PASS WebAssembly.LinkError: cross-realm NewTarget with `symbol "Symbol()"` prototype 
+PASS WebAssembly.LinkError: bound cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.LinkError: bound bound cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.LinkError: bound Proxy of cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.LinkError: Proxy of cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.LinkError: Proxy of Proxy of cross-realm NewTarget with `-0` prototype 
+PASS WebAssembly.LinkError: Proxy of bound cross-realm NewTarget with `NaN` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `0` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `-1` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `""` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `"str"` prototype 
+PASS WebAssembly.RuntimeError: cross-realm NewTarget with `symbol "Symbol()"` prototype 
+PASS WebAssembly.RuntimeError: bound cross-realm NewTarget with `undefined` prototype 
+PASS WebAssembly.RuntimeError: bound bound cross-realm NewTarget with `null` prototype 
+PASS WebAssembly.RuntimeError: bound Proxy of cross-realm NewTarget with `false` prototype 
+PASS WebAssembly.RuntimeError: Proxy of cross-realm NewTarget with `true` prototype 
+PASS WebAssembly.RuntimeError: Proxy of Proxy of cross-realm NewTarget with `-0` prototype 
+PASS WebAssembly.RuntimeError: Proxy of bound cross-realm NewTarget with `NaN` prototype 
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        InternalFunction::createSubclassStructure should use newTarget's globalObject
+        https://bugs.webkit.org/show_bug.cgi?id=202599
+
+        Reviewed by Yusuke Suzuki.
+
+        If "prototype" of NewTarget is not an object, built-in constructors [1] should acquire
+        default [[Prototype]] from realm of NewTarget, utilizing GetFunctionRealm helper [2].
+        Before this change, realm of active constructor was used instead. This patch introduces
+        GetFunctionRealm and aligns all subclassable constructors with the spec, V8, and SpiderMonkey.
+
+        This change inlines fast paths checks of InternalFunction::createSubclassStructure() and
+        simplifies its signature; getFunctionRealm() is invoked in slow paths only.
+
+        While a dynamically created function uses NewTarget's realm for its default [[Prototype]]
+        similar to other built-ins, its "prototype" object inherit from ObjectPrototype
+        of active constructor's realm [3] (just like their scope), making it retain references
+        to 2 different global objects. To accomodate this behavior, this change introduces
+        `scopeGlobalObject` in JSFunction.cpp methods.
+
+        Above-mentioned behavior also simplifies creation of JSGenerator and JSAsyncGenerator
+        instances since NewTarget's realm is irrelevant to them.
+
+        IntlCollatorConstructor::collatorStructure() and 6 similar methods are removed:
+        a) to impose good practice of using newTarget's globalObject;
+        b) with this change, each of them have 1 call site max;
+        c) other JSC constructors have no methods alike.
+
+        [1]: https://tc39.es/ecma262/#sec-map-constructor (step 2)
+        [2]: https://tc39.es/ecma262/#sec-getfunctionrealm
+        [3]: https://tc39.es/ecma262/#sec-createdynamicfunction (steps 23-25)
+
+        * dfg/DFGOperations.cpp:
+        * runtime/AggregateErrorConstructor.cpp:
+        (JSC::callAggregateErrorConstructor):
+        (JSC::constructAggregateErrorConstructor):
+        * runtime/AggregateErrorConstructor.h:
+        * runtime/AsyncFunctionConstructor.cpp:
+        (JSC::constructAsyncFunctionConstructor):
+        * runtime/AsyncGeneratorFunctionConstructor.cpp:
+        (JSC::constructAsyncGeneratorFunctionConstructor):
+        * runtime/BooleanConstructor.cpp:
+        (JSC::constructWithBooleanConstructor):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        (JSC::createInternalFieldObject):
+        * runtime/DateConstructor.cpp:
+        (JSC::constructDate):
+        * runtime/ErrorConstructor.cpp:
+        (JSC::constructErrorConstructor):
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::createSubclassStructure):
+        (JSC::getFunctionRealm):
+        (JSC::InternalFunction::createSubclassStructureSlow): Deleted.
+        * runtime/InternalFunction.h:
+        (JSC::InternalFunction::createSubclassStructure): Deleted.
+        * runtime/IntlCollatorConstructor.cpp:
+        (JSC::constructIntlCollator):
+        (JSC::callIntlCollator):
+        * runtime/IntlCollatorConstructor.h:
+        * runtime/IntlDateTimeFormatConstructor.cpp:
+        (JSC::constructIntlDateTimeFormat):
+        (JSC::callIntlDateTimeFormat):
+        * runtime/IntlDateTimeFormatConstructor.h:
+        * runtime/IntlNumberFormatConstructor.cpp:
+        (JSC::constructIntlNumberFormat):
+        (JSC::callIntlNumberFormat):
+        * runtime/IntlNumberFormatConstructor.h:
+        * runtime/IntlPluralRulesConstructor.cpp:
+        (JSC::constructIntlPluralRules):
+        * runtime/IntlPluralRulesConstructor.h:
+        * runtime/IntlRelativeTimeFormatConstructor.cpp:
+        (JSC::constructIntlRelativeTimeFormat):
+        * runtime/IntlRelativeTimeFormatConstructor.h:
+        * runtime/JSArrayBufferConstructor.cpp:
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::prototypeForConstruction):
+        (JSC::JSFunction::getOwnPropertySlot):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayView):
+        * runtime/JSGlobalObjectInlines.h:
+        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
+        * runtime/MapConstructor.cpp:
+        (JSC::constructMap):
+        * runtime/NativeErrorConstructor.cpp:
+        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
+        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
+        * runtime/NativeErrorConstructor.h:
+        * runtime/NumberConstructor.cpp:
+        (JSC::constructNumberConstructor):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::constructObjectWithNewTarget):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::getRegExpStructure):
+        (JSC::constructRegExp):
+        (JSC::esSpecRegExpCreate):
+        * runtime/RegExpConstructor.h:
+        * runtime/SetConstructor.cpp:
+        (JSC::constructSet):
+        * runtime/StringConstructor.cpp:
+        (JSC::constructWithStringConstructor):
+        * runtime/WeakMapConstructor.cpp:
+        (JSC::constructWeakMap):
+        * runtime/WeakObjectRefConstructor.cpp:
+        (JSC::constructWeakRef):
+        * runtime/WeakSetConstructor.cpp:
+        (JSC::constructWeakSet):
+        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+        (JSC::constructJSWebAssemblyCompileError):
+        * wasm/js/WebAssemblyInstanceConstructor.cpp:
+        (JSC::constructJSWebAssemblyInstance):
+        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+        (JSC::constructJSWebAssemblyLinkError):
+        * wasm/js/WebAssemblyModuleConstructor.cpp:
+        (JSC::WebAssemblyModuleConstructor::createModule):
+        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+        (JSC::constructJSWebAssemblyRuntimeError):
+
 2020-04-26  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -345 +345 @@
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, globalObject->promiseConstructor(), constructor, globalObject->promiseStructure());
+    Structure* structure = constructor == globalObject->promiseConstructor()
+        ? globalObject->promiseStructure()
+        : InternalFunction::createSubclassStructure(globalObject, constructor, getFunctionRealm(vm, constructor)->promiseStructure());
     RETURN_IF_EXCEPTION(scope, nullptr);
     RELEASE_AND_RETURN(scope, JSPromise::create(vm, structure));
@@ -356 +358 @@
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, globalObject->internalPromiseConstructor(), constructor, globalObject->internalPromiseStructure());
+    Structure* structure = constructor == globalObject->internalPromiseConstructor()
+        ? globalObject->internalPromiseStructure()
+        : InternalFunction::createSubclassStructure(globalObject, constructor, getFunctionRealm(vm, constructor)->internalPromiseStructure());
     RETURN_IF_EXCEPTION(scope, nullptr);
     RELEASE_AND_RETURN(scope, JSInternalPromise::create(vm, structure));
@@ -367 +371 @@
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, nullptr, constructor, globalObject->generatorStructure());
+    Structure* structure = InternalFunction::createSubclassStructure(globalObject, constructor, globalObject->generatorStructure());
     RETURN_IF_EXCEPTION(scope, nullptr);
     RELEASE_AND_RETURN(scope, JSGenerator::create(vm, structure));
@@ -378 +382 @@
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, nullptr, constructor, globalObject->asyncGeneratorStructure());
+    Structure* structure = InternalFunction::createSubclassStructure(globalObject, constructor, globalObject->asyncGeneratorStructure());
     RETURN_IF_EXCEPTION(scope, nullptr);
     RELEASE_AND_RETURN(scope, JSAsyncGenerator::create(vm, structure));

trunk/Source/JavaScriptCore/runtime/AggregateErrorConstructor.cpp

@@ -64 +64 @@
     JSValue errors = callFrame->argument(0);
     JSValue message = callFrame->argument(1);
-    Structure* errorStructure = jsCast<AggregateErrorConstructor*>(callFrame->jsCallee())->errorStructure(vm);
+    Structure* errorStructure = globalObject->errorStructure(ErrorType::AggregateError);
     return JSValue::encode(AggregateError::create(globalObject, vm, errorStructure, errors, message, nullptr, TypeNothing, false));
 }
@@ -74 +74 @@
     JSValue errors = callFrame->argument(0);
     JSValue message = callFrame->argument(1);
-    JSValue newTarget = callFrame->newTarget();
-    ASSERT(newTarget.isObject());
-    Structure* baseStructure = asObject(newTarget)->globalObject(vm)->errorStructure(ErrorType::AggregateError);
-    Structure* errorStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), newTarget, baseStructure);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* errorStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->errorStructure(ErrorType::AggregateError)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->errorStructure(ErrorType::AggregateError));
+    RETURN_IF_EXCEPTION(scope, { });
     ASSERT(errorStructure);
+
     RELEASE_AND_RETURN(scope, JSValue::encode(AggregateError::create(globalObject, vm, errorStructure, errors, message, nullptr, TypeNothing, false)));
 }

trunk/Source/JavaScriptCore/runtime/AggregateErrorConstructor.h

@@ -56 +56 @@
     }
 
-    Structure* errorStructure(VM&) { return globalObject()->errorStructure(ErrorType::AggregateError); }
-
 private:
     explicit AggregateErrorConstructor(VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/AsyncFunctionConstructor.cpp

@@ -46 +46 @@
 {
     ArgList args(callFrame);
-    return JSValue::encode(constructFunction(globalObject, callFrame, args, FunctionConstructionMode::Async));
+    return JSValue::encode(constructFunction(globalObject, callFrame, args, FunctionConstructionMode::Async, callFrame->newTarget()));
 }
 

trunk/Source/JavaScriptCore/runtime/AsyncGeneratorFunctionConstructor.cpp

@@ -46 +46 @@
 {
     ArgList args(callFrame);
-    return JSValue::encode(constructFunction(globalObject, callFrame, args, FunctionConstructionMode::AsyncGenerator));
+    return JSValue::encode(constructFunction(globalObject, callFrame, args, FunctionConstructionMode::AsyncGenerator, callFrame->newTarget()));
 }
 

trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp

@@ -44 +44 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue boolean = jsBoolean(callFrame->argument(0).toBoolean(globalObject));
-    Structure* booleanStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->booleanObjectStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* booleanStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->booleanObjectStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->booleanObjectStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     BooleanObject* obj = BooleanObject::create(vm, booleanStructure);
     obj->setInternalValue(vm, boolean);

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -284 +284 @@
     JSPromise* result = nullptr;
     if (bytecode.m_isInternalPromise) {
-        Structure* structure = InternalFunction::createSubclassStructure(globalObject, globalObject->internalPromiseConstructor(), constructorAsObject, globalObject->internalPromiseStructure());
+        Structure* structure = constructorAsObject == globalObject->internalPromiseConstructor()
+            ? globalObject->internalPromiseStructure()
+            : InternalFunction::createSubclassStructure(globalObject, constructorAsObject, getFunctionRealm(vm, constructorAsObject)->internalPromiseStructure());
         CHECK_EXCEPTION();
         result = JSInternalPromise::create(vm, structure);
     } else {
-        Structure* structure = InternalFunction::createSubclassStructure(globalObject, globalObject->promiseConstructor(), constructorAsObject, globalObject->promiseStructure());
+        Structure* structure = constructorAsObject == globalObject->promiseConstructor()
+            ? globalObject->promiseStructure()
+            : InternalFunction::createSubclassStructure(globalObject, constructorAsObject, getFunctionRealm(vm, constructorAsObject)->promiseStructure());
         CHECK_EXCEPTION();
         result = JSPromise::create(vm, structure);
@@ -321 +325 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, nullptr, constructorAsObject, baseStructure);
+    Structure* structure = InternalFunction::createSubclassStructure(globalObject, constructorAsObject, baseStructure);
     RETURN_IF_EXCEPTION(scope, nullptr);
     JSClass* result = JSClass::create(vm, structure);

trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp

@@ -144 +144 @@
     RETURN_IF_EXCEPTION(scope, nullptr);
 
-    Structure* dateStructure = InternalFunction::createSubclassStructure(globalObject, globalObject->dateConstructor(), newTarget, globalObject->dateStructure());
+    Structure* dateStructure = !newTarget || newTarget == globalObject->dateConstructor()
+        ? globalObject->dateStructure()
+        : InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), getFunctionRealm(vm, asObject(newTarget))->dateStructure());
     RETURN_IF_EXCEPTION(scope, nullptr);
 

trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp

@@ -58 +58 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue message = callFrame->argument(0);
-    Structure* errorStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->errorStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* errorStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->errorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->errorStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     RELEASE_AND_RETURN(scope, JSValue::encode(ErrorInstance::create(globalObject, errorStructure, message, nullptr, TypeNothing, false)));
 }

trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp

@@ -153 +153 @@
     }
 
+    bool needsSubclassStructure = newTarget && newTarget != globalObject->functionConstructor();
+    JSGlobalObject* structureGlobalObject = needsSubclassStructure ? getFunctionRealm(vm, asObject(newTarget)) : globalObject;
     Structure* structure = nullptr;
     switch (functionConstructionMode) {
     case FunctionConstructionMode::Function:
-        structure = JSFunction::selectStructureForNewFuncExp(globalObject, function);
+        structure = JSFunction::selectStructureForNewFuncExp(structureGlobalObject, function);
         break;
     case FunctionConstructionMode::Generator:
-        structure = globalObject->generatorFunctionStructure();
+        structure = structureGlobalObject->generatorFunctionStructure();
         break;
     case FunctionConstructionMode::Async:
-        structure = globalObject->asyncFunctionStructure();
+        structure = structureGlobalObject->asyncFunctionStructure();
         break;
     case FunctionConstructionMode::AsyncGenerator:
-        structure = globalObject->asyncGeneratorFunctionStructure();
-        break;
-    }
-
-    Structure* subclassStructure = InternalFunction::createSubclassStructure(globalObject, globalObject->functionConstructor(), newTarget, structure);
-    RETURN_IF_EXCEPTION(scope, nullptr);
+        structure = structureGlobalObject->asyncGeneratorFunctionStructure();
+        break;
+    }
+
+    if (needsSubclassStructure) {
+        structure = InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), structure);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+    }
 
     switch (functionConstructionMode) {
     case FunctionConstructionMode::Function:
-        return JSFunction::create(vm, function, globalObject->globalScope(), subclassStructure);
+        return JSFunction::create(vm, function, globalObject->globalScope(), structure);
     case FunctionConstructionMode::Generator:
-        return JSGeneratorFunction::create(vm, function, globalObject->globalScope(), subclassStructure);
+        return JSGeneratorFunction::create(vm, function, globalObject->globalScope(), structure);
     case FunctionConstructionMode::Async:
-        return JSAsyncFunction::create(vm, function, globalObject->globalScope(), subclassStructure);
+        return JSAsyncFunction::create(vm, function, globalObject->globalScope(), structure);
     case FunctionConstructionMode::AsyncGenerator:
-        return JSAsyncGeneratorFunction::create(vm, function, globalObject->globalScope(), subclassStructure);
+        return JSAsyncGeneratorFunction::create(vm, function, globalObject->globalScope(), structure);
     }
 

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

@@ -25 +25 @@
 
 #include "FunctionPrototype.h"
+#include "JSBoundFunction.h"
+#include "JSCInlines.h"
 #include "JSGlobalObject.h"
 #include "JSString.h"
-#include "JSCInlines.h"
+#include "ProxyObject.h"
 
 namespace JSC {
@@ -113 +115 @@
 }
 
-Structure* InternalFunction::createSubclassStructureSlow(JSGlobalObject* globalObject, JSValue newTarget, Structure* baseClass)
+Structure* InternalFunction::createSubclassStructure(JSGlobalObject* globalObject, JSObject* newTarget, Structure* baseClass)
 {
     VM& vm = globalObject->vm();
@@ -136 +138 @@
             return rareData->createInternalFunctionAllocationStructureFromBase(vm, baseGlobalObject, prototype, baseClass);
     } else {
-        JSValue prototypeValue = newTarget.get(globalObject, vm.propertyNames->prototype);
+        JSValue prototypeValue = newTarget->get(globalObject, vm.propertyNames->prototype);
         RETURN_IF_EXCEPTION(scope, nullptr);
         if (JSObject* prototype = jsDynamicCast<JSObject*>(vm, prototypeValue)) {
@@ -148 +150 @@
 }
 
+// https://tc39.es/ecma262/#sec-getfunctionrealm
+JSGlobalObject* getFunctionRealm(VM& vm, JSObject* object)
+{
+    ASSERT(object->isFunction(vm));
+
+    if (object->inherits<JSBoundFunction>(vm))
+        return getFunctionRealm(vm, jsCast<JSBoundFunction*>(object)->targetFunction());
+
+    if (object->type() == ProxyObjectType) {
+        auto* proxy = jsCast<ProxyObject*>(object);
+        // Per step 4.a, a TypeError should be thrown for revoked Proxy, yet we skip it since:
+        // a) It is barely observable anyway: "prototype" lookup in createSubclassStructure() will throw for revoked Proxy.
+        // b) Throwing getFunctionRealm() will restrict calling it inline as an argument of createSubclassStructure().
+        // c) There is ongoing discussion on removing it: https://github.com/tc39/ecma262/issues/1798.
+        if (!proxy->isRevoked())
+            return getFunctionRealm(vm, proxy->target());
+    }
+
+    return object->globalObject(vm);
+}
+
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

@@ -58 +58 @@
     }
 
-    static Structure* createSubclassStructure(JSGlobalObject*, JSObject* baseCallee, JSValue newTarget, Structure*);
+    JS_EXPORT_PRIVATE static Structure* createSubclassStructure(JSGlobalObject*, JSObject* newTarget, Structure*);
 
     TaggedNativeFunction nativeFunctionFor(CodeSpecializationKind kind)
@@ -89 +89 @@
     JS_EXPORT_PRIVATE void finishCreation(VM&, const String& name, NameAdditionMode = NameAdditionMode::WithStructureTransition);
 
-    JS_EXPORT_PRIVATE static Structure* createSubclassStructureSlow(JSGlobalObject*, JSValue newTarget, Structure*);
-
     JS_EXPORT_PRIVATE static ConstructType getConstructData(JSCell*, ConstructData&);
     JS_EXPORT_PRIVATE static CallType getCallData(JSCell*, CallData&);
@@ -100 +98 @@
 };
 
-ALWAYS_INLINE Structure* InternalFunction::createSubclassStructure(JSGlobalObject* globalObject, JSObject* baseCallee, JSValue newTarget, Structure* baseClass)
-{
-    // We allow newTarget == JSValue() because the API needs to be able to create classes without having a real JS frame.
-    // Since we don't allow subclassing in the API we just treat newTarget == JSValue() as newTarget == callFrame->jsCallee()
-    if (newTarget && newTarget != baseCallee)
-        return createSubclassStructureSlow(globalObject, newTarget, baseClass);
-    return baseClass;
-}
+JS_EXPORT_PRIVATE JSGlobalObject* getFunctionRealm(VM&, JSObject*);
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp

@@ -92 +92 @@
     // 2. Let collator be OrdinaryCreateFromConstructor(newTarget, %CollatorPrototype%).
     // 3. ReturnIfAbrupt(collator).
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), jsCast<IntlCollatorConstructor*>(callFrame->jsCallee())->collatorStructure(vm));
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->collatorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->collatorStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     IntlCollator* collator = IntlCollator::create(vm, structure);
     ASSERT(collator);
@@ -110 +114 @@
 
     VM& vm = globalObject->vm();
-    IntlCollatorConstructor* callee = jsCast<IntlCollatorConstructor*>(callFrame->jsCallee());
-
-    // FIXME: Collator does not get the workaround for ECMA-402 1.0 compatibility.
+    // Collator does not require the workaround for ECMA-402 1.0 compatibility.
     // https://bugs.webkit.org/show_bug.cgi?id=153679
 
     // 2. Let collator be OrdinaryCreateFromConstructor(newTarget, %CollatorPrototype%).
     // 3. ReturnIfAbrupt(collator).
-    IntlCollator* collator = IntlCollator::create(vm, callee->collatorStructure(vm));
+    IntlCollator* collator = IntlCollator::create(vm, globalObject->collatorStructure());
     ASSERT(collator);
 

trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.h

@@ -44 +44 @@
     DECLARE_INFO;
 
-    Structure* collatorStructure(VM&) const { return globalObject()->collatorStructure(); }
-
 private:
     IntlCollatorConstructor(VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp

@@ -92 +92 @@
     // 2. Let dateTimeFormat be OrdinaryCreateFromConstructor(newTarget, %DateTimeFormatPrototype%).
     // 3. ReturnIfAbrupt(dateTimeFormat).
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), jsCast<IntlDateTimeFormatConstructor*>(callFrame->jsCallee())->dateTimeFormatStructure(vm));
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->dateTimeFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->dateTimeFormatStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     IntlDateTimeFormat* dateTimeFormat = IntlDateTimeFormat::create(vm, structure);
     ASSERT(dateTimeFormat);
@@ -109 +113 @@
     // NewTarget is always undefined when called as a function.
 
-    IntlDateTimeFormatConstructor* callee = jsCast<IntlDateTimeFormatConstructor*>(callFrame->jsCallee());
-
     // FIXME: Workaround to provide compatibility with ECMA-402 1.0 call/apply patterns.
     // https://bugs.webkit.org/show_bug.cgi?id=153679
-    return JSValue::encode(constructIntlInstanceWithWorkaroundForLegacyIntlConstructor<IntlDateTimeFormat>(globalObject, callFrame->thisValue(), callee, [&] (VM& vm) {
+    return JSValue::encode(constructIntlInstanceWithWorkaroundForLegacyIntlConstructor<IntlDateTimeFormat>(globalObject, callFrame->thisValue(), callFrame->jsCallee(), [&] (VM& vm) {
         // 2. Let dateTimeFormat be OrdinaryCreateFromConstructor(newTarget, %DateTimeFormatPrototype%).
         // 3. ReturnIfAbrupt(dateTimeFormat).
-        IntlDateTimeFormat* dateTimeFormat = IntlDateTimeFormat::create(vm, callee->dateTimeFormatStructure(vm));
+        IntlDateTimeFormat* dateTimeFormat = IntlDateTimeFormat::create(vm, globalObject->dateTimeFormatStructure());
         ASSERT(dateTimeFormat);
 

trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.h

@@ -44 +44 @@
     DECLARE_INFO;
 
-    Structure* dateTimeFormatStructure(VM&) const { return globalObject()->dateTimeFormatStructure(); }
-
 private:
     IntlDateTimeFormatConstructor(VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp

@@ -92 +92 @@
     // 2. Let numberFormat be OrdinaryCreateFromConstructor(newTarget, %NumberFormatPrototype%).
     // 3. ReturnIfAbrupt(numberFormat).
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), jsCast<IntlNumberFormatConstructor*>(callFrame->jsCallee())->numberFormatStructure(vm));
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->numberFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->numberFormatStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     IntlNumberFormat* numberFormat = IntlNumberFormat::create(vm, structure);
     ASSERT(numberFormat);
@@ -109 +113 @@
     // NewTarget is always undefined when called as a function.
 
-    IntlNumberFormatConstructor* callee = jsCast<IntlNumberFormatConstructor*>(callFrame->jsCallee());
-
     // FIXME: Workaround to provide compatibility with ECMA-402 1.0 call/apply patterns.
     // https://bugs.webkit.org/show_bug.cgi?id=153679
-    return JSValue::encode(constructIntlInstanceWithWorkaroundForLegacyIntlConstructor<IntlNumberFormat>(globalObject, callFrame->thisValue(), callee, [&] (VM& vm) {
+    return JSValue::encode(constructIntlInstanceWithWorkaroundForLegacyIntlConstructor<IntlNumberFormat>(globalObject, callFrame->thisValue(), callFrame->jsCallee(), [&] (VM& vm) {
         // 2. Let numberFormat be OrdinaryCreateFromConstructor(newTarget, %NumberFormatPrototype%).
         // 3. ReturnIfAbrupt(numberFormat).
-        IntlNumberFormat* numberFormat = IntlNumberFormat::create(vm, callee->numberFormatStructure(vm));
+        IntlNumberFormat* numberFormat = IntlNumberFormat::create(vm, globalObject->numberFormatStructure());
         ASSERT(numberFormat);
 

trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.h

@@ -44 +44 @@
     DECLARE_INFO;
 
-    Structure* numberFormatStructure(VM&) const { return globalObject()->numberFormatStructure(); }
-
 private:
     IntlNumberFormatConstructor(VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/IntlPluralRulesConstructor.cpp

@@ -90 +90 @@
     // 13.2.1 Intl.PluralRules ([ locales [ , options ] ])
     // https://tc39.github.io/ecma402/#sec-intl.pluralrules
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), jsCast<IntlPluralRulesConstructor*>(callFrame->jsCallee())->pluralRulesStructure(vm));
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->pluralRulesStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->pluralRulesStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     IntlPluralRules* pluralRules = IntlPluralRules::create(vm, structure);
     ASSERT(pluralRules);

trunk/Source/JavaScriptCore/runtime/IntlPluralRulesConstructor.h

@@ -44 +44 @@
     DECLARE_INFO;
 
-    Structure* pluralRulesStructure(VM&) const { return globalObject()->pluralRulesStructure(); }
-
 private:
     IntlPluralRulesConstructor(VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/IntlRelativeTimeFormatConstructor.cpp

@@ -88 +88 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), jsCast<IntlRelativeTimeFormatConstructor*>(callFrame->jsCallee())->relativeTimeFormatStructure(vm));
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->relativeTimeFormatStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->relativeTimeFormatStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     IntlRelativeTimeFormat* relativeTimeFormat = IntlRelativeTimeFormat::create(vm, structure);
     ASSERT(relativeTimeFormat);

trunk/Source/JavaScriptCore/runtime/IntlRelativeTimeFormatConstructor.h

@@ -43 +43 @@
     DECLARE_INFO;
 
-    Structure* relativeTimeFormatStructure(VM&) const { return globalObject()->relativeTimeFormatStructure(); }
-
 private:
     IntlRelativeTimeFormatConstructor(VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp

@@ -80 +80 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    JSGenericArrayBufferConstructor* constructor = jsCast<JSGenericArrayBufferConstructor*>(callFrame->jsCallee());
-
-    Structure* arrayBufferStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), constructor->globalObject()->arrayBufferStructure(sharingMode));
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* arrayBufferStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->arrayBufferStructure(sharingMode)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->arrayBufferStructure(sharingMode));
     RETURN_IF_EXCEPTION(scope, { });
 

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -175 +175 @@
     if (LIKELY(prototype.isObject()))
         return asObject(prototype);
-
-    JSGlobalObject* thisGlobalObject = this->globalObject();
-    if (!isHostOrBuiltinFunction()) {
-        // https://tc39.github.io/ecma262/#sec-generator-function-definitions-runtime-semantics-evaluatebody
-        if (isGeneratorWrapperParseMode(jsExecutable()->parseMode()))
-            return thisGlobalObject->generatorPrototype();
-
-        // https://tc39.github.io/ecma262/#sec-asyncgenerator-definitions-evaluatebody
-        if (isAsyncGeneratorWrapperParseMode(jsExecutable()->parseMode()))
-            return thisGlobalObject->asyncGeneratorPrototype();
-    }
-    return thisGlobalObject->objectPrototype();
+    if (isHostOrBuiltinFunction())
+        return this->globalObject()->objectPrototype();
+
+    JSGlobalObject* scopeGlobalObject = this->scope()->globalObject();
+    // https://tc39.github.io/ecma262/#sec-generator-function-definitions-runtime-semantics-evaluatebody
+    if (isGeneratorWrapperParseMode(jsExecutable()->parseMode()))
+        return scopeGlobalObject->generatorPrototype();
+    // https://tc39.github.io/ecma262/#sec-asyncgenerator-definitions-evaluatebody
+    if (isAsyncGeneratorWrapperParseMode(jsExecutable()->parseMode()))
+        return scopeGlobalObject->asyncGeneratorPrototype();
+    return scopeGlobalObject->objectPrototype();
 }
 
@@ -461 +460 @@
         PropertyOffset offset = thisObject->getDirectOffset(vm, propertyName, attributes);
         if (!isValidOffset(offset)) {
+            JSGlobalObject* scopeGlobalObject = thisObject->scope()->globalObject();
             JSObject* prototype = nullptr;
             if (isGeneratorWrapperParseMode(thisObject->jsExecutable()->parseMode())) {
@@ -466 +466 @@
                 // property does not have a constructor property whose value is the GeneratorFunction instance.
                 // https://tc39.github.io/ecma262/#sec-generatorfunction-instances-prototype
-                prototype = constructEmptyObject(globalObject, thisObject->globalObject()->generatorPrototype());
+                prototype = constructEmptyObject(globalObject, scopeGlobalObject->generatorPrototype());
             } else if (isAsyncGeneratorWrapperParseMode(thisObject->jsExecutable()->parseMode()))
-                prototype = constructEmptyObject(globalObject, thisObject->globalObject()->asyncGeneratorPrototype());
+                prototype = constructEmptyObject(globalObject, scopeGlobalObject->asyncGeneratorPrototype());
             else {
-                prototype = constructEmptyObject(globalObject);
+                prototype = constructEmptyObject(globalObject, scopeGlobalObject->objectPrototype());
                 prototype->putDirect(vm, vm.propertyNames->constructor, thisObject, static_cast<unsigned>(PropertyAttribute::DontEnum));
             }

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -212 +212 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    InternalFunction* function = jsCast<InternalFunction*>(callFrame->jsCallee());
-    Structure* parentStructure = function->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), parentStructure);
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->typedArrayStructure(ViewClass::TypedArrayStorageType)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->typedArrayStructure(ViewClass::TypedArrayStorageType));
+    RETURN_IF_EXCEPTION(scope, { });
 
     size_t argCount = callFrame->argumentCount();

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h

@@ -102 +102 @@
 ALWAYS_INLINE Structure* JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation(JSGlobalObject* globalObject, IndexingType indexingType, JSValue newTarget) const
 {
-    return InternalFunction::createSubclassStructure(globalObject, globalObject->arrayConstructor(), newTarget, arrayStructureForIndexingTypeDuringAllocation(indexingType));
+    return !newTarget || newTarget == globalObject->arrayConstructor()
+        ? globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType)
+        : InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), getFunctionRealm(globalObject->vm(), asObject(newTarget))->arrayStructureForIndexingTypeDuringAllocation(indexingType));
 }
 

trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp

@@ -68 +68 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* mapStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->mapStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* mapStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->mapStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->mapStructure());
+    RETURN_IF_EXCEPTION(scope, { });
 
     JSValue iterable = callFrame->argument(0);

trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp

@@ -56 +56 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue message = callFrame->argument(0);
-    Structure* errorStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), jsCast<NativeErrorConstructor*>(callFrame->jsCallee())->errorStructure(vm));
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* errorStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->errorStructure(errorType)
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->errorStructure(errorType));
+    RETURN_IF_EXCEPTION(scope, { });
     ASSERT(errorStructure);
+
     RELEASE_AND_RETURN(scope, JSValue::encode(ErrorInstance::create(globalObject, errorStructure, message, nullptr, TypeNothing, false)));
 }
@@ -65 +70 @@
 EncodedJSValue JSC_HOST_CALL NativeErrorConstructor<errorType>::callNativeErrorConstructor(JSGlobalObject* globalObject, CallFrame* callFrame)
 {
-    VM& vm = globalObject->vm();
     JSValue message = callFrame->argument(0);
-    Structure* errorStructure = jsCast<NativeErrorConstructor*>(callFrame->jsCallee())->errorStructure(vm);
+    Structure* errorStructure = globalObject->errorStructure(errorType);
     return JSValue::encode(ErrorInstance::create(globalObject, errorStructure, message, nullptr, TypeNothing, false));
 }

trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.h

@@ -60 +60 @@
         return constructor;
     }
-
-    Structure* errorStructure(VM&) { return globalObject()->errorStructure(errorType); }
 private:
     static EncodedJSValue JSC_HOST_CALL callNativeErrorConstructor(JSGlobalObject*, CallFrame*);

trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp

@@ -93 +93 @@
     double n = callFrame->argumentCount() ? callFrame->uncheckedArgument(0).toNumber(globalObject) : 0;
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->numberObjectStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->numberObjectStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->numberObjectStructure());
+    RETURN_IF_EXCEPTION(scope, { });
 
     NumberObject* object = NumberObject::create(vm, structure);

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -127 +127 @@
     if (newTarget && newTarget != objectConstructor) {
         // a. Return ? OrdinaryCreateFromConstructor(NewTarget, "%ObjectPrototype%").
-        Structure* objectStructure = InternalFunction::createSubclassStructure(globalObject, objectConstructor, newTarget, globalObject->objectStructureForObjectConstructor());
+        Structure* baseStructure = getFunctionRealm(vm, asObject(newTarget))->objectStructureForObjectConstructor();
+        Structure* objectStructure = InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), baseStructure);
         RETURN_IF_EXCEPTION(scope, nullptr);
         return constructEmptyObject(vm, objectStructure);

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

@@ -173 +173 @@
 inline Structure* getRegExpStructure(JSGlobalObject* globalObject, JSValue newTarget)
 {
-    Structure* structure = globalObject->regExpStructure();
-    if (newTarget != jsUndefined())
-        structure = InternalFunction::createSubclassStructure(globalObject, globalObject->regExpConstructor(), newTarget, structure);
-    return structure;
+    return !newTarget || newTarget == globalObject->regExpConstructor()
+        ? globalObject->regExpStructure()
+        : InternalFunction::createSubclassStructure(globalObject, asObject(newTarget), getFunctionRealm(globalObject->vm(), asObject(newTarget))->regExpStructure());
 }
 
@@ -230 +229 @@
     RETURN_IF_EXCEPTION(scope, nullptr);
 
-    if (newTarget.isUndefined() && constructAsRegexp && flagsArg.isUndefined()) {
+    if (!newTarget && constructAsRegexp && flagsArg.isUndefined()) {
         JSValue constructor = patternArg.get(globalObject, vm.propertyNames->constructor);
         RETURN_IF_EXCEPTION(scope, nullptr);
@@ -275 +274 @@
     JSValue patternArg = callFrame->argument(0);
     JSValue flagsArg = callFrame->argument(1);
-    return JSValue::encode(regExpCreate(globalObject, jsUndefined(), patternArg, flagsArg));
+    return JSValue::encode(regExpCreate(globalObject, JSValue(), patternArg, flagsArg));
 }
 

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h

@@ -56 +56 @@
 STATIC_ASSERT_ISO_SUBSPACE_SHARABLE(RegExpConstructor, InternalFunction);
 
-JSObject* constructRegExp(JSGlobalObject*, const ArgList&, JSObject* callee = nullptr, JSValue newTarget = jsUndefined());
+JSObject* constructRegExp(JSGlobalObject*, const ArgList&, JSObject* callee = nullptr, JSValue newTarget = JSValue());
 
 ALWAYS_INLINE bool isRegExp(VM& vm, JSGlobalObject* globalObject, JSValue value)

trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp

@@ -68 +68 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* setStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->setStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* setStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->setStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->setStructure());
+    RETURN_IF_EXCEPTION(scope, { });
 
     JSValue iterable = callFrame->argument(0);

trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp

@@ -145 +145 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->stringObjectStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->stringObjectStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->stringObjectStructure());
+    RETURN_IF_EXCEPTION(scope, { });
 
     if (!callFrame->argumentCount())

trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp

@@ -66 +66 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* weakMapStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->weakMapStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* weakMapStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->weakMapStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->weakMapStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     JSWeakMap* weakMap = JSWeakMap::create(vm, weakMapStructure);
     JSValue iterable = callFrame->argument(0);

trunk/Source/JavaScriptCore/runtime/WeakObjectRefConstructor.cpp

@@ -69 +69 @@
         return throwVMTypeError(globalObject, scope, "First argument to WeakRef should be an object"_s);
 
-    Structure* WeakObjectRefStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->weakObjectRefStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    RELEASE_AND_RETURN(scope, JSValue::encode(JSWeakObjectRef::create(vm, WeakObjectRefStructure, callFrame->uncheckedArgument(0).getObject())));
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* weakObjectRefStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->weakObjectRefStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->weakObjectRefStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
+    RELEASE_AND_RETURN(scope, JSValue::encode(JSWeakObjectRef::create(vm, weakObjectRefStructure, callFrame->uncheckedArgument(0).getObject())));
 }
 

trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp

@@ -66 +66 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Structure* weakSetStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->weakSetStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* weakSetStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->weakSetStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->weakSetStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     JSWeakSet* weakSet = JSWeakSet::create(vm, weakSetStructure);
     JSValue iterable = callFrame->argument(0);

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorConstructor.cpp

@@ -50 +50 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue message = callFrame->argument(0);
-    auto* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->webAssemblyCompileErrorStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyCompileErrorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyCompileErrorStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     RELEASE_AND_RETURN(scope, JSValue::encode(JSWebAssemblyCompileError::create(globalObject, vm, structure, message)));
 }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp

@@ -75 +75 @@
     if (!importArgument.isUndefined() && !importObject)
         return JSValue::encode(throwException(globalObject, scope, createTypeError(globalObject, "second argument to WebAssembly.Instance must be undefined or an Object"_s, defaultSourceAppender, runtimeTypeForValue(vm, importArgument))));
-    
-    Structure* instanceStructure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->webAssemblyInstanceStructure());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* instanceStructure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyInstanceStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyInstanceStructure());
     RETURN_IF_EXCEPTION(scope, { });
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyLinkErrorConstructor.cpp

@@ -50 +50 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue message = callFrame->argument(0);
-    auto* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->webAssemblyLinkErrorStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyLinkErrorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyLinkErrorStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     RELEASE_AND_RETURN(scope, JSValue::encode(JSWebAssemblyLinkError::create(globalObject, vm, structure, message)));
 }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp

@@ -182 +182 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    auto* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->webAssemblyModuleStructure());
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyModuleStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyModuleStructure());
     RETURN_IF_EXCEPTION(scope, nullptr);
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyRuntimeErrorConstructor.cpp

@@ -52 +52 @@
     String messageString = message.isUndefined() ? String() : message.toWTFString(globalObject);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    auto* structure = InternalFunction::createSubclassStructure(globalObject, callFrame->jsCallee(), callFrame->newTarget(), globalObject->webAssemblyRuntimeErrorStructure());
-    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    JSObject* newTarget = asObject(callFrame->newTarget());
+    Structure* structure = newTarget == callFrame->jsCallee()
+        ? globalObject->webAssemblyRuntimeErrorStructure()
+        : InternalFunction::createSubclassStructure(globalObject, newTarget, getFunctionRealm(vm, newTarget)->webAssemblyRuntimeErrorStructure());
+    RETURN_IF_EXCEPTION(scope, { });
+
     return JSValue::encode(JSWebAssemblyRuntimeError::create(globalObject, vm, structure, WTFMove(messageString)));
 }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-04-26  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        InternalFunction::createSubclassStructure should use newTarget's globalObject
+        https://bugs.webkit.org/show_bug.cgi?id=202599
+
+        Reviewed by Yusuke Suzuki.
+
+        Accounts for InternalFunction::createSubclassStructure() signature change and
+        utilizes getFunctionRealm() helper to handle cross-realm JSBoundFunction and
+        ProxyObject instances as NewTarget value.
+
+        Tests: web-platform-tests/WebIDL/ecmascript-binding/constructors.html
+               web-platform-tests/custom-elements/htmlconstructor/newtarget.html
+
+        * bindings/js/JSDOMWrapperCache.h:
+        (WebCore::setSubclassStructureIfNeeded):
+        * bindings/js/JSHTMLElementCustom.cpp:
+        (WebCore::constructJSHTMLElement):
+
 2020-04-26  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWrapperCache.h

@@ -214 +214 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    auto* newTargetGlobalObject = JSC::jsCast<JSDOMGlobalObject*>(newTarget->globalObject(vm));
+    auto* newTargetGlobalObject = JSC::jsCast<JSDOMGlobalObject*>(JSC::getFunctionRealm(vm, newTarget));
     auto* baseStructure = getDOMStructure<WrapperClass>(vm, *newTargetGlobalObject);
-    auto* subclassStructure = JSC::InternalFunction::createSubclassStructure(lexicalGlobalObject, constructor, newTarget, baseStructure);
+    auto* subclassStructure = JSC::InternalFunction::createSubclassStructure(lexicalGlobalObject, newTarget, baseStructure);
     RETURN_IF_EXCEPTION(scope, void());
     jsObject->setStructure(vm, subclassStructure);

trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp

@@ -55 +55 @@
     ASSERT(context->isDocument());
 
-    JSValue newTargetValue = callFrame.thisValue();
-    auto* newTarget = newTargetValue.getObject();
-    auto* newTargetGlobalObject = jsCast<JSDOMGlobalObject*>(newTarget->globalObject(vm));
+    auto* newTarget = callFrame.newTarget().getObject();
+    auto* newTargetGlobalObject = jsCast<JSDOMGlobalObject*>(getFunctionRealm(vm, newTarget));
     JSValue htmlElementConstructorValue = JSHTMLElement::getConstructor(vm, newTargetGlobalObject);
-    if (newTargetValue == htmlElementConstructorValue)
+    if (newTarget == htmlElementConstructorValue)
         return throwVMTypeError(lexicalGlobalObject, scope, "new.target is not a valid custom element constructor"_s);
 
@@ -78 +77 @@
     if (!elementInterface->isUpgradingElement()) {
         Structure* baseStructure = getDOMStructure<JSHTMLElement>(vm, *newTargetGlobalObject);
-        auto* newElementStructure = InternalFunction::createSubclassStructure(lexicalGlobalObject, jsConstructor, newTargetValue, baseStructure);
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        auto* newElementStructure = InternalFunction::createSubclassStructure(lexicalGlobalObject, newTarget, baseStructure);
+        RETURN_IF_EXCEPTION(scope, { });
 
         Ref<HTMLElement> element = HTMLElement::create(elementInterface->name(), document);