No issue - Correct handling of async (arrow) functions declared inside constructors

Based on https://bugzilla.mozilla.org/show_bug.cgi?id=1462353, but since we still support
legacy generators, this only corrects the handling and leaves the newTarget plumbing
intact.

js/src/vm/GeneratorObject.cpp

@@ -23,6 +23,7 @@ GeneratorObject::create(JSContext* cx, AbstractFramePtr frame)
     MOZ_ASSERT(frame.script()->isStarGenerator() || frame.script()->isLegacyGenerator() ||
                frame.script()->isAsync());
     MOZ_ASSERT(frame.script()->nfixed() == 0);
+    MOZ_ASSERT_IF(frame.isConstructing(), frame.script()->isLegacyGenerator());
 
     Rooted<GlobalObject*> global(cx, cx->global());
     RootedNativeObject obj(cx);
@@ -52,7 +53,10 @@ GeneratorObject::create(JSContext* cx, AbstractFramePtr frame)
 
     GeneratorObject* genObj = &obj->as<GeneratorObject>();
     genObj->setCallee(*frame.callee());
-    genObj->setNewTarget(frame.newTarget());
+    if (frame.script()->isLegacyGenerator()) {
+        // Only legacy generators can be called with |new|
+        genObj->setNewTarget(frame.newTarget());
+    }
     genObj->setEnvironmentChain(*frame.environmentChain());
     if (frame.script()->needsArgsObj())
         genObj->setArgsObj(frame.argsObj());

js/src/vm/Stack-inl.h

@@ -345,7 +345,14 @@ InterpreterStack::resumeGeneratorCallFrame(JSContext* cx, InterpreterRegs& regs,
 
     LifoAlloc::Mark mark = allocator_.mark();
 
-    MaybeConstruct constructing = MaybeConstruct(newTarget.isObject());
+    MaybeConstruct constructing = NO_CONSTRUCT;
+    // (Async) generators and async functions are never constructors, legacy generators may be
+    if (callee->isLegacyGenerator()) {
+        constructing = MaybeConstruct(newTarget.isObject());
+        MOZ_ASSERT_IF(constructing, callee->isConstructor());
+    } else {
+        MOZ_ASSERT(!callee->isConstructor());
+    }
 
     // Include callee, |this|, and maybe |new.target|
     unsigned nformal = callee->nargs();
@@ -667,6 +674,18 @@ AbstractFramePtr::unsetIsDebuggee()
         asRematerializedFrame()->unsetIsDebuggee();
 }
 
+inline bool
+AbstractFramePtr::isConstructing() const
+{
+    if (isInterpreterFrame())
+        return asInterpreterFrame()->isConstructing();
+    if (isBaselineFrame())
+        return asBaselineFrame()->isConstructing();
+    if (isRematerializedFrame())
+        return asRematerializedFrame()->isConstructing();
+    MOZ_CRASH("Unexpected frame");
+}
+
 inline bool
 AbstractFramePtr::hasArgs() const {
     return isFunctionFrame();

js/src/vm/Stack.h

@@ -228,6 +228,7 @@ class AbstractFramePtr
     inline Value calleev() const;
     inline Value& thisArgument() const;
 
+    inline bool isConstructing() const;
     inline Value newTarget() const;
 
     inline bool debuggerNeedsCheckPrimitiveReturn() const;