[Webkit-unassigned] [Bug 145605] Function.prototype.bind: Bound functions must use the [[Prototype]] of their target function instead of Function.prototype

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 10 16:21:07 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=145605

Geoffrey Garen <ggaren at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #260962|review?                     |review-
              Flags|                            |

--- Comment #27 from Geoffrey Garen <ggaren at apple.com> ---
Comment on attachment 260962
  --> https://bugs.webkit.org/attachment.cgi?id=260962
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=260962&action=review

> Source/JavaScriptCore/runtime/JSBoundFunction.cpp:81
> +    JSValue targetPrototype = targetFunction->prototype();
> +    bool hasDefaultPrototype = &targetPrototype == (JSValue *)globalObject->functionPrototype();
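Review bot: The `hasDefaultPrototype` test on the second added line compares the address of the local `targetPrototype` (a `JSValue` living on the stack) with a heap `JSObject*` forced to `JSValue *` by a C-style cast, so it is always false; compare the values instead, e.g. `bool hasDefaultPrototype = targetPrototype == JSValue(globalObject->functionPrototype());`. The cast itself deserves removal regardless, since `(JSValue *)` silently turns a `JSObject*` into an unrelated pointer type and hides exactly the mismatch the compiler would otherwise report.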

This is wrong. You're taking the address of a value on the stack, which will never be equal to the address of a value on the heap.

You should notice in testing that the hasDefaultPrototype condition never holds true.
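The behaviour this bug tracks, as an added conformance check that is not part of the patch or of WebKit: a bound function must inherit the [[Prototype]] of its target, both when that is the default Function.prototype and when it is something else. The target functions below are constructed for the test.

```javascript
// Added example (not from the patch or from WebKit): verifies that
// Function.prototype.bind keeps the target's [[Prototype]] (ES2015 semantics)
// instead of always producing Function.prototype.

// Does bind() give the bound function the same [[Prototype]] as its target?
function boundKeepsTargetPrototype(target) {
  const bound = target.bind(null);
  return Object.getPrototypeOf(bound) === Object.getPrototypeOf(target);
}

// Constructed targets covering the default and the non-default case.
function plain() {}                                // [[Prototype]] is Function.prototype
const customProto = Object.create(Function.prototype);
function exotic() {}
Object.setPrototypeOf(exotic, customProto);        // [[Prototype]] is customProto
class Base {}
class Derived extends Base {}                      // [[Prototype]] of Derived is Base

// Run every check and report per case; an engine with the bug described in
// the review would report false for `exotic` and `derived` (and `derivedProtoIsBase`).
function runChecks() {
  return {
    plain: boundKeepsTargetPrototype(plain),
    exotic: boundKeepsTargetPrototype(exotic),
    derived: boundKeepsTargetPrototype(Derived),
    // The concrete expectation for the class case: bound Derived inherits from Base.
    derivedProtoIsBase: Object.getPrototypeOf(Derived.bind(null)) === Base,
    // A bound function never gets the default prototype when the target has another one.
    exoticNotDefault: Object.getPrototypeOf(exotic.bind(null)) !== Function.prototype,
  };
}
```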
