runtime: Function.prototype.call.bind(fn) returns receiver instead of result for builtin-prototype receivers (gates verifyProperty)

[proggeramlug]

Summary

Function.prototype.call.bind(fn)(receiver, ...args) — the "uncurry-this" idiom —
returns the wrong value ([object Object], i.e. the receiver itself) instead of
invoking fn with that receiver, when the receiver is a builtin prototype
object such as Object.prototype or Error.prototype. Plain objects,
Array.prototype, and Math work correctly.

This idiom is the backbone of test262's propertyHelper.js
(__hasOwnProperty = Function.prototype.call.bind(Object.prototype.hasOwnProperty)),
so it gates verifyProperty for every test whose subject is Object.prototype /
Error.prototype / other affected prototypes — a large cross-category blocker.

Repro

var bc = Function.prototype.call.bind(Object.prototype.hasOwnProperty);

bc({a:1}, "a");                 // Node: true   Perry: true
bc(Array.prototype, "push");    // Node: true   Perry: true
bc(Math, "abs");                // Node: true   Perry: true
bc(Object.prototype, "toString"); // Node: true   Perry: [object Object]  <-- BUG
bc(Error.prototype, "message");   // Node: true   Perry: [object Object]  <-- BUG

Narrowing — the direct form works; only the .call.bind indirection breaks, and
only for these receivers:

Object.prototype.hasOwnProperty.call(Object.prototype, "toString"); // true (ok)
var bc = Function.prototype.call.bind(Object.prototype.hasOwnProperty);
var r = bc(Object.prototype, "toString");
typeof r;  // Node: "boolean"   Perry: "object"  (r === Object.prototype)

So the bound-call machinery, when the eventual receiver IS a builtin prototype,
returns the receiver instead of the method's result — it appears to confuse the
this/return slot in the Function.prototype.call.bind(method) → invoke path for
that receiver class.

Impact

• Blocks verifyProperty-based test262 cases on Object.prototype /
  Error.prototype (e.g. all built-ins/Error/prototype/* and
  built-ins/NativeErrors/* descriptor tests — ~57 NativeErrors+Error cases stay
  red even though the underlying getOwnPropertyDescriptor / delete /
  hasOwnProperty operations are all individually correct and Node-identical).
• Likely affects other categories that subject Object.prototype to verifyProperty.

Note

A companion branch (fix-error-descriptors, unpushed) makes Error instance +
prototype getOwnPropertyDescriptor / getOwnPropertyNames / delete fully
Node-identical, but those gains are unobservable through test262 until this
dispatch bug is fixed. Recommend fixing this first, then that work lands the
Error cluster.

---

Filed from the parity-fix loop. Root cause localized to the Function.prototype.call.bind(method) invoke path for builtin-prototype receivers.

[proggeramlug]

Companion work-in-progress branch (correct, but blocked by this issue): fix-error-descriptors — pushed, not merged. Adds Node-identical Error instance+prototype getOwnPropertyDescriptor / getOwnPropertyNames / delete.

[andrewtdiz]

I am taking this as the next focused runtime dispatch cut.

Scope for this PR: make the Function.prototype.call.bind(method) uncurry-this path invoke builtin prototype receivers and return the method result, matching the direct .call behavior. I will keep this focused on the bound-call/receiver dispatch bug that gates verifyProperty, with Error descriptor shape changes left to the separate branch noted above.

[andrewtdiz]

Opened draft PR #4279 for this bound-call dispatch cut.

Root cause: Function.prototype.call.bind(Object.prototype.hasOwnProperty) eventually invokes the installed Object.prototype.hasOwnProperty thunk with IMPLICIT_THIS set to the receiver. That thunk re-entered js_native_call_method(this, "hasOwnProperty", ...); for Object.prototype and Error.prototype, the dynamic method tower found the receiver's own hasOwnProperty method and recursed until the depth guard returned an object.

Scope:

• route the Object.prototype.hasOwnProperty thunk directly through js_object_has_own
• add a focused globals parity fixture for the uncurried/bound-call shape on plain objects, Array.prototype, Math, Object.prototype, and Error.prototype
• leave Error descriptor shape work to the separate branch mentioned above

Validation:

• no-auto globals --filter function-call-bind-builtin-prototypes: 1 pass / 0 parity fail / 0 compile fail
• no-auto globals --filter builtin-constructor-own-name-length: 1 pass / 0 parity fail / 0 compile fail
• cargo check -p perry-runtime
• cargo fmt --all -- --check
• git diff --check
• ./scripts/check_file_size.sh

[proggeramlug]

Resolved by #4279 (merged). Verified: #4279 alone takes built-ins/NativeErrors+Error from 57 → 35 failures. The companion fix-error-descriptors branch turned out to be redundant — measured identical failure set (35) with and without it, 0 additional fixes, 0 regressions — so it's being abandoned (not shipping redundant code). Perry's pre-existing Error descriptor handling was sufficient once #4279 unblocked verifyProperty.