[Webkit-unassigned] [Bug 204971] New: A possible bug about Function.prototype.call

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 6 19:20:19 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204971

            Bug ID: 204971
           Summary: A possible bug about Function.prototype.call
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: yaohouyou at stumail.nwu.edu.cn

According to the ES standard (from ES3 to ES10), when the argument "thisArg" of Function.prototype.call(thisArg, ...args) is undefined or null, the argument "thisArg" should be replaced with the global object, and then Object.prototype.isPrototypeOf will be called, which returns false. However, JSC throws a TypeError. So I suspect it is a bug in JavaScriptCore.
The references for ES10 are as follows:
http://www.ecma-international.org/ecma-262/10.0/index.html#sec-function.prototype.call
http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof


Version: b96bf75
https://github.com/WebKit/webkit/commit/b96bf7590bc090fa8161cff1189255ca3319c94b

Build steps:
Tools/Scripts/build-webkit --debug --jsc-only -j

Testcase:
var NISLFuzzingFunc = function() {
    // isPrototypeOf is invoked with `this` set to null and no V argument.
    var a = Object.prototype.isPrototypeOf.call(null);
    print(a); // print() is the jsc shell's output function
};
NISLFuzzingFunc();

Execution steps:
webkit/WebKitBuild/Debug/bin/jsc testcase.js

Output:
Exception: TypeError: null is not an object (evaluating 'Object.prototype.isPrototypeOf.call(null)')
isPrototypeOf@[native code]
NISLFuzzingFunc at testcase.js:2:48
global code at testcase.js:5:16

Expected output:
false
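To make the spec expectation concrete, here is an added reference implementation of the ES2019 Object.prototype.isPrototypeOf algorithm in the order the specification gives its steps (step 1 tests the argument V, step 2 applies ToObject to the this value, step 3 walks the prototype chain), alongside a helper that runs the same inputs through the engine's native method so the two can be compared. This is example code written for this page, not code from the bug report or from WebKit; the function names specIsPrototypeOf and compareWithNative are my own.

```javascript
// Reference implementation of Object.prototype.isPrototypeOf(V) following the
// ES2019 step order (sec-object.prototype.isprototypeof). `thisValue` stands in
// for the this value that Function.prototype.call would pass through unchanged.
function specIsPrototypeOf(thisValue, V) {
  // Step 1: If Type(V) is not Object, return false.
  // This runs BEFORE the this value is touched, so a null/undefined this value
  // with a non-object V (e.g. no argument at all) returns false, not TypeError.
  const vIsObject = V !== null && (typeof V === "object" || typeof V === "function");
  if (!vIsObject) return false;

  // Step 2: Let O be ? ToObject(this value). ToObject throws for undefined/null.
  if (thisValue === undefined || thisValue === null) {
    throw new TypeError("Object.prototype.isPrototypeOf called on null or undefined");
  }
  const O = Object(thisValue); // boxes primitives, leaves objects as-is

  // Step 3: Repeat: V = V.[[GetPrototypeOf]](); if V is null return false;
  // if SameValue(O, V) is true return true.
  let p = Object.getPrototypeOf(V);
  while (p !== null) {
    if (p === O) return true;
    p = Object.getPrototypeOf(p);
  }
  return false;
}

// Run one (thisValue, V) pair through both the spec algorithm and the engine's
// native Object.prototype.isPrototypeOf, capturing either the result or the
// name of the thrown error so the two can be compared side by side.
function compareWithNative(thisValue, V) {
  const run = (fn) => {
    try {
      return { ok: true, value: fn() };
    } catch (e) {
      return { ok: false, error: e.constructor.name };
    }
  };
  return {
    spec: run(() => specIsPrototypeOf(thisValue, V)),
    native: run(() => Object.prototype.isPrototypeOf.call(thisValue, V)),
  };
}

// Constructed sample inputs: the bug report's case (null this, no V) plus a
// few neighbours that exercise the other branches of the algorithm.
const sampleCases = [
  [null, undefined],            // the report's testcase: spec says false
  [null, {}],                   // object V, null this: spec says TypeError
  [Object.prototype, {}],       // ordinary chain walk: true
  [Object.prototype, Object.create(null)], // V has no prototype: false
  [5, {}],                      // primitive this is boxed, then chain checked
];

for (const [t, v] of sampleCases) {
  const r = compareWithNative(t, v);
  console.log(JSON.stringify({ thisValue: String(t), spec: r.spec, native: r.native }));
}
```

The line worth watching is the first sample: the specification's step 1 returns false before the this value is ever converted, which is why a conforming engine prints `false` for the report's testcase rather than throwing. The second sample shows the case where a TypeError is the correct outcome, so the check in the report is about step order, not about whether a null this value can ever throw.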
