The comments for js::Bindings::extensibleParents explain why this is necessary.
AssertValidPropertyCacheHit should have been catching this bug, but for
reasons I don't understand, it is restricted from checking this case. This
patch extends it to assert when the bug is detected.
I've gathered the infallible parts of the initialization for Call objects
and cloned block objects into their own functions.
Without this patch, JSObject::setMap takes a const js::Shape *, which is
kind of misleading. The object will not actually treat the shape as const
(it does a const_cast). At all but one call site, setMap's argument is not
a const shape --- and in fact, many call sites are installing empty shapes
whose role in life is to be extended.
The only place where a const js::Shape appears is in setSharedNonNativeMap,
which is doing something unusual. The const cast should be there.
Changing js::Bindings::lastShape to return a non-const shape is then
natural, and cleans up the definition of initCall coming in the next patch.
