Set numBoundArgs after setting boundArgs

https://bugs.webkit.org/show_bug.cgi?id=255540 Reviewed by Yusuke Suzuki. numBoundArgs is always zero because it is never changed after being set to zero. It is clear from the code itself that the number of arguments is meant to be set, but whoever programmed this part forgot to do so. * Source/JavaScriptCore/runtime/FunctionPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): Assign numBoundArgs to the size of the boundArgs array. Canonical link: https://commits.webkit.org/264109@main
annevk · May 16, 2023 · 81d93da · 81d93da
1 parent cb91b74
commit 81d93da
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/Source/JavaScriptCore/runtime/FunctionPrototype.cpp b/Source/JavaScriptCore/runtime/FunctionPrototype.cpp
@@ -113,12 +113,18 @@ JSC_DEFINE_HOST_FUNCTION(functionProtoFuncBind, (JSGlobalObject* globalObject, C
         return throwVMTypeError(globalObject, scope, "|this| is not a function inside Function.prototype.bind"_s);
     JSObject* target = asObject(thisValue);
 
-    JSValue boundThis = callFrame->argument(0);
-    unsigned argumentCount = callFrame->argumentCount();
-    unsigned numBoundArgs = 0;
-    ArgList boundArgs { };
-    if (argumentCount > 1)
+    JSValue boundThis;
+    ArgList boundArgs;
+    size_t numBoundArgs;
+    if (size_t argCount = callFrame->argumentCount(); argCount > 1) {
+        boundThis = callFrame->uncheckedArgument(0);
         boundArgs = ArgList(callFrame, 1);
+        numBoundArgs = argCount - 1;
+    } else {
+        boundThis = callFrame->argument(0);
+        boundArgs = ArgList();
+        numBoundArgs = 0;
+    }
 
     double length = 0;
     JSString* name = nullptr;