According to the ES standard(From ES3 to ES 10), when the argument "thisArg" of Function.prototype.call(thisArg, ...args) is undefined or null, the argument "thisArg" should be replaced with the global object, and then Object.prototype.isPrototypeOf will called which return false. However, JSC throws TypeError. So I suspect it is a bug of javascriptCore. The references of ES10 are as follows: http://www.ecma-international.org/ecma-262/10.0/index.html#sec-function.prototype.call http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof Version:b96bf75 https://github.com/WebKit/webkit/commit/b96bf7590bc090fa8161cff1189255ca3319c94b Build steps: Tools/Scripts/build-webkit --debug --jsc-only -j Testcase: var NISLFuzzingFunc = function() { var a = Object.prototype.isPrototypeOf.call(null); print(a); }; NISLFuzzingFunc(); Execution steps: webkit/WebKitBuild/Debug/bin/jsc testcase.js Output: Exception: TypeError: null is not an object (evaluating 'Object.prototype.isPrototypeOf.call(null)') isPrototypeOf@[native code] NISLFuzzingFunc@testcase.js:2:48 global code@testcase.js:5:16 Expected output: flase