Bug 204971

Summary: Object.prototype.isPrototypeOf() should check if the passed in value is a non-object first.
Product: WebKit
Reporter: yaohouyou
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux
Attachments: proposed patch. (flags: saam: review+)

yaohouyou
Reported 2019-12-06 19:20:19 PST
According to the ES standard (from ES3 to ES10), when the argument "thisArg" of Function.prototype.call(thisArg, ...args) is undefined or null, the argument "thisArg" should be replaced with the global object, and then Object.prototype.isPrototypeOf will be called, which returns false. However, JSC throws a TypeError. So I suspect it is a bug of JavaScriptCore.

The references of ES10 are as follows:
http://www.ecma-international.org/ecma-262/10.0/index.html#sec-function.prototype.call
http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof

Version: b96bf75
https://github.com/WebKit/webkit/commit/b96bf7590bc090fa8161cff1189255ca3319c94b

Build steps:
    Tools/Scripts/build-webkit --debug --jsc-only -j

Testcase:
    var NISLFuzzingFunc = function() {
        var a = Object.prototype.isPrototypeOf.call(null); // null receiver, no argument (V is undefined)
        print(a); // print() is a builtin of the jsc shell
    };
    NISLFuzzingFunc();

Execution steps:
    webkit/WebKitBuild/Debug/bin/jsc testcase.js

Output:
    Exception: TypeError: null is not an object (evaluating 'Object.prototype.isPrototypeOf.call(null)')
    isPrototypeOf@[native code]
    NISLFuzzingFunc@testcase.js:2:48
    global code@testcase.js:5:16

Expected output:
    false
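As an added example (not code from the bug report or from WebKit), here is a reference isPrototypeOf written in the ECMA-262 step order and run side by side with the host engine's built-in. The point behind the bug summary is ordering: the spec first checks whether V is an object and returns false if it is not, and only afterwards coerces the this value with ToObject, so isPrototypeOf.call(null) with no argument must return false while isPrototypeOf.call(null, {}) legitimately throws a TypeError. The names toObject, specIsPrototypeOf, outcome and compareWithEngine are the example's own.

```javascript
// Added example (not from the bug report or WebKit): a reference
// Object.prototype.isPrototypeOf in ECMA-262 step order, showing what
// isPrototypeOf.call(null) must return and where a TypeError is legitimate.

// Abstract operation ToObject: only undefined and null throw TypeError.
function toObject(value) {
  if (value === undefined || value === null) {
    throw new TypeError(`${value} is not an object`);
  }
  return Object(value);
}

// Spec-ordered isPrototypeOf; `thisValue` plays the role of the receiver.
function specIsPrototypeOf(thisValue, V) {
  // Step 1: if Type(V) is not Object, return false. This runs BEFORE the
  // receiver is coerced, so a null receiver is irrelevant when V is a primitive.
  if (V === null || (typeof V !== 'object' && typeof V !== 'function')) {
    return false;
  }
  // Step 2: let O be ? ToObject(this value). Only here can null/undefined throw.
  const O = toObject(thisValue);
  // Step 3: walk V's prototype chain looking for O.
  for (let p = Object.getPrototypeOf(V); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === O) return true;
  }
  return false;
}

// Reduce a call to its observable outcome: the stringified result or the
// name of the thrown error, so engine and reference can be compared.
function outcome(fn, thisValue, V) {
  try { return String(fn(thisValue, V)); } catch (e) { return e.constructor.name; }
}

// Run the reporter's case and its neighbours against both the reference and
// the host engine; a conformant engine matches the reference on every row.
function compareWithEngine() {
  const engineImpl = (t, v) => Object.prototype.isPrototypeOf.call(t, v);
  const cases = [
    [null, undefined],       // the bug's testcase: expected "false"
    [undefined, 42],         // primitive V, receiver never coerced: "false"
    [null, {}],              // object V, ToObject(null) throws: "TypeError"
    [Object.prototype, {}],  // ordinary positive case: "true"
    [Array.prototype, {}],   // ordinary negative case: "false"
  ];
  return cases.map(([t, v]) => ({
    reference: outcome(specIsPrototypeOf, t, v),
    engine: outcome(engineImpl, t, v),
  }));
}
```

Running compareWithEngine() on a build that exhibits the bug shows "TypeError" in the engine column of the first row where the reference column says "false".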
Attachments
proposed patch. (3.43 KB, patch)
2019-12-07 14:22 PST, Mark Lam
saam: review+
Radar WebKit Bug Importer
Comment 1 2019-12-07 13:18:50 PST
Mark Lam
Comment 2 2019-12-07 13:54:04 PST
Thanks for reporting this issue. Investigating now.
Mark Lam
Comment 3 2019-12-07 14:22:20 PST
Created attachment 385107: proposed patch.
Mark Lam
Comment 4 2019-12-07 14:58:25 PST
Thanks for the review. Landed in r253264: <http://trac.webkit.org/r253264>.