[runtime] Fix ES6 9.2.1 [[Call]] when encountering a classConstructor.

src/ia32/builtins-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_IA32
 
 #include "src/code-factory.h"
 #include "src/codegen.h"
 #include "src/deoptimizer.h"
 #include "src/full-codegen/full-codegen.h"
@@ skipping 1488 matching lines @@
   __ push(ecx);
 }
 
 
 // static
 void Builtins::Generate_CallFunction(MacroAssembler* masm) {
   // ----------- S t a t e -------------
   //  -- eax : the number of arguments (not including the receiver)
   //  -- edi : the function to call (checked to be a JSFunction)
   // -----------------------------------
+  // See ES6 section 9.2.1 [[Call]] ( thisArgument, argumentsList)
 
   Label convert, convert_global_proxy, convert_to_object, done_convert;
   __ AssertFunction(edi);
-  // TODO(bmeurer): Throw a TypeError if function's [[FunctionKind]] internal
-  // slot is "classConstructor".
+  __ mov(edx, FieldOperand(edi, JSFunction::kSharedFunctionInfoOffset));
+
+  {
+    Label non_class_constructor;
+    // Check whether the current function is a classConstructor This only works
+    // since kClassConstructor is more than 1 bit away from the byte boundary in
+    // CompilerHints (note that compiler_hints is stored as smi on 32bit
+    // architectures)
+    STATIC_ASSERT((FunctionKind::kClassConstructor << kSmiTagSize) <
+                  (1 << kBitsPerByte));
+    __ test_b(FieldOperand(edx, SharedFunctionInfo::kFunctionKindByteOffset),
+              FunctionKind::kClassConstructor << kSmiTagSize);
+    __ j(zero, &non_class_constructor, Label::kNear);
+    // Step: 2, If we call a classConstructor Function throw a TypeError.
+    {
+      FrameScope frame(masm, StackFrame::INTERNAL);
+      __ CallRuntime(Runtime::kThrowConstructorNonCallableError, 0);
+    }
+    __ bind(&non_class_constructor);
+  }
+
   // Enter the context of the function; ToObject has to run in the function
   // context, and we also need to take the global proxy from the function
   // context in case of conversion.
-  // See ES6 section 9.2.1 [[Call]] ( thisArgument, argumentsList)
   STATIC_ASSERT(SharedFunctionInfo::kNativeByteOffset ==
                 SharedFunctionInfo::kStrictModeByteOffset);
   __ mov(esi, FieldOperand(edi, JSFunction::kContextOffset));
-  __ mov(edx, FieldOperand(edi, JSFunction::kSharedFunctionInfoOffset));
   // We need to convert the receiver for non-native sloppy mode functions.
   __ test_b(FieldOperand(edx, SharedFunctionInfo::kNativeByteOffset),
             (1 << SharedFunctionInfo::kNativeBitWithinByte) |
                 (1 << SharedFunctionInfo::kStrictModeBitWithinByte));
   __ j(not_zero, &done_convert);
   {
     __ mov(ecx, Operand(esp, eax, times_pointer_size, kPointerSize));
 
     // ----------- S t a t e -------------
     //  -- eax : the number of arguments (not including the receiver)
@@ skipping 366 matching lines @@
 
   __ bind(&ok);
   __ ret(0);
 }
 
 #undef __
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_IA32