Bug 760904 - Force |this| to be Magic(JS_IS_CONSTRUCTING) when constructing cross-compartment DataViews. r=luke

--HG--
extra : rebase_source : f0d6a04d462758a4b10342512503327fe7bb03d2

js/src/jstypedarray.cpp

@@ -2300,6 +2300,9 @@ DataViewObject::class_constructor(JSContext *cx, unsigned argc, Value *vp)
         argv[argc + 2].setObject(*proto);
         argv[0].setUndefined(); // We want to use a different callee (avoid an assertion)
 
+        // Appease 'thisv' assertion in CrossCompartmentWrapper::nativeCall
+        argv[1].setMagic(JS_IS_CONSTRUCTING);
+
         CallArgs proxyArgs = CallArgsFromVp(argc + 1, argv.begin());
         if (!Proxy::nativeCall(cx, bufobj, &DataViewClass, constructWithProto, proxyArgs))
             return false;

js/src/tests/js1_8_5/extensions/dataview.js

@@ -1631,6 +1631,14 @@ function test() {
     assertEq(av.getUint8(4), 100);
     assertEq(Object.getPrototypeOf(av), DataView.prototype);
 
+    // Bug 760904: call another compartment's constructor with an ArrayBuffer
+    // from this compartment, both as a constructor and as a regular call. (The
+    // latter is what was broken in that bug.)
+    var alien_constructor = alien.DataView;
+    var local_buffer = (new Int8Array(3)).buffer;
+    var foreign_exchange_student_1 = alien_constructor(local_buffer);
+    var foreign_exchange_student_2 = new alien_constructor(local_buffer);
+
     reportCompare(0, 0, 'done.');
     exitFunc ('test');
 }