Comment 5 for bug 504406

Friedrich Weber (fredreichbier) wrote:

Hi there,

I could reproduce this exact bug in a 64bit environment, too. Seems like `JSObjectIsFunction` is called on a `jsResult` that is not a `JSObjectRef` instance, but only a `JSValueRef` instance. A quick check if `jsResult` is a `JSObjectRef` (via `JSValueIsObject`) fixes it for me. I pushed a fix to my branch:

However, it's strange that this code works under 32bit. My guess is that the virtual table of `JSValue` contains a function pointer without arguments and with a boolean return value at the position of `isFunction` (which is called by `JSObjectIsFunction`) in JSObject on 32bit, so a wrong function returning a correct result (`false`) is called for `isFunction`. Maybe the virtual table layout is a bit different on 64bit and contains a crappy function pointer at this address.
As said, that's only a guess, and it works with the patch above.