[Webkit-unassigned] [Bug 49606] New: instanceof should only get the prototype property if the RHS operand implements HasInstance

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 16 11:14:09 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=49606

           Summary: instanceof should only get the prototype property if
                    the RHS operand implements HasInstance
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: barraclough at apple.com


test case: javascript: ({} instanceof { get prototype(){ alert("Error!"); } })

The bug here is that we read the prototype from the RHS argument using a regular op_get_by_id before op_instanceof has checked that this is an object implementing HasInstance.  This incorrect behaviour gives rise to further unnecessary complexity in the code base, since we have additional logic (implemented using the GetByIdExceptionInfo data structures on CodeBlock) to convert "not an object" errors from the get_by_id into "invalid parameter" errors.  Having fixed this bug, this code is all redundant, since in these cases the get_by_id will never have been reached.  (op_construct had a similar error, but this is fixed since we moved this object creation to inside the constructor function.)
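
The ordering the report asks for, as an added example that is not WebKit code and not part of the bug or its patch: a plain-JavaScript model of the ordinary [[HasInstance]] algorithm (callable check first, then the prototype read, then the chain walk; Symbol.hasInstance and bound functions are not modelled), a second model with the reported wrong ordering, and a constructed probe whose `prototype` getter records whether it was ever invoked. The names hasInstance, modelInstanceof, buggyInstanceof and probeNonCallableRhs are hypothetical.

```javascript
"use strict";

// Reference model of ordinary [[HasInstance]] (hypothetical helper, not JSC code).
// The point of the ordering: nothing on the RHS is read until it is known to be callable.
function hasInstance(rhs, value) {
  // Step 1: a non-callable RHS is rejected before any property of it is touched.
  if (typeof rhs !== "function") {
    throw new TypeError("Right-hand side of 'instanceof' is not callable");
  }
  // Step 2: only now is the (possibly side-effecting) "prototype" property read.
  const proto = rhs.prototype;
  if (proto === null || (typeof proto !== "object" && typeof proto !== "function")) {
    throw new TypeError("Function has non-object prototype in instanceof check");
  }
  // Step 3: primitives are never instances; otherwise walk the LHS prototype chain.
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return false;
  }
  for (let p = Object.getPrototypeOf(value); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === proto) return true;
  }
  return false;
}

const modelInstanceof = (lhs, rhs) => hasInstance(rhs, lhs);
const builtinInstanceof = (lhs, rhs) => lhs instanceof rhs; // the engine's own operator

// Model of the ordering the report describes as wrong: the prototype is fetched
// (running any getter on the RHS) before the callable/HasInstance check happens.
function buggyInstanceof(lhs, rhs) {
  const proto = rhs.prototype; // getter runs even when rhs is a plain object
  void proto;
  return hasInstance(rhs, lhs); // the TypeError is still raised, but too late
}

// Constructed probe: a non-callable RHS whose "prototype" getter flags that it ran.
function probeNonCallableRhs(check) {
  let getterRan = false;
  const rhs = { get prototype() { getterRan = true; return Object.prototype; } };
  let threw = false;
  try { check({}, rhs); } catch (e) { threw = e instanceof TypeError; }
  return { threw, getterRan };
}

console.log("model :", probeNonCallableRhs(modelInstanceof));   // threw, getter did not run
console.log("buggy :", probeNonCallableRhs(buggyInstanceof));   // threw, but getter ran
console.log("engine:", probeNonCallableRhs(builtinInstanceof));
```

Running the probe against builtinInstanceof checks whether the host engine observes the same ordering as the model.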
