#3692 — 9.2.3 [[Construct]]: Use %ObjectPrototype% from caller or callee realm?


9.2.3 [[Construct]] (argumentsList, newTarget)

Execution of step 5: the caller execution context is still the current execution context when OrdinaryCreateFromConstructor is called, which means the intrinsic %ObjectPrototype% from the caller realm will be used if .prototype is not an object.
Is this the correct choice? Not all browser implementations show that behaviour.


IE11, Firefox 36: report "false, true"
Chrome 39: reports "true, false"


Test case:
---
<!doctype html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
</head>
<body>
<!-- The iframe provides a second realm with its own set of intrinsics. -->
<iframe id="iframe"></iframe>
<script type="text/javascript">
(function(){
"use strict";

var global = window;
var otherGlobal = document.getElementById("iframe").contentWindow;

// Create the constructor in the iframe's realm, then make its .prototype a non-object.
var f = otherGlobal.eval("(function f(){})");
f.prototype = null;

// Construct from this (the caller) realm; which realm's %ObjectPrototype% is used?
var o = new f();
var proto = Object.getPrototypeOf(o);

alert([
proto === global.Object.prototype,      // caller realm
proto === otherGlobal.Object.prototype, // callee realm
]);

})();
</script>
</body>
</html>
---


No, that's not what 9.2.3 says. Note that it passes the string name of the intrinsic it wants. OrdinaryCreateFromConstructor passes that string to GetPrototypeFromConstructor that, if necessary, fetches the named intrinsic from the realm of the constructor.

Prior editions of ES were not specific about what Realm should be used in this case. However, the currently spec'ed behavior (the IE11/FF behavior) clearly seems right. The constructor should be in control of what it instantiates.

It looks to me like a V8/Chrome bug should be reported on this.


(In reply to Allen Wirfs-Brock from comment #1)
> No, that's not what 9.2.3 says.

Ah yes, I forgot about the special casing in GetPrototypeFromConstructor.