Closed Bug 751139 Opened 12 years ago Closed 12 years ago

Assertion failure: fun->isBoundFunction(), at jsfun.cpp:807 or Crash [@ js::CallOrConstructBoundFunction]

Categories: Core :: JavaScript Engine, defect
Hardware / OS: All / Linux
Priority / Severity: Not set / critical
Status: RESOLVED FIXED, target milestone mozilla15
People: Reporter: decoder, Assigned: evilpie
Details: Keywords: assertion, crash, testcase; Whiteboard: js-triage-needed
Attachments: 1 file

The following test crashes on mozilla-central revision 281574985410 (no options required):


function C(a, b) {}
var f = C.bind(null, 2);
g = clone(f, this);
a_squared = g(2);


The test uses the shell-only function "clone", however, in the browser, functions are cloned the same way for event handlers I believe. The crash does not look security-sensitive (probably null-deref).
So I would like to work on this, but I am not sure what we want here. Do we want to allow cloning of bound-functions at all? If yes what about the bound arguments and the this parameter, do we need to clone/wrap them in some way, too?
This bug has been around since (and probably even before) March 2011 on rev http://hg.mozilla.org/mozilla-central/rev/d796fb18f555
I could be wrong about this, but the event-handler cloning is for XBL, and for event handlers declared in XBL code. Those are not bound functions of the sort at issue here (which I believe can only be created by Function.prototype.bind).

If we set that aside, I think this may just be a matter of requiring clone() to not clone bound functions, and it wouldn't be anything more than a shell bug.  But maybe I'm missing something.
Thank you very much for this analysis Jeff.
This makes this bug indeed very easy, I am just checking for bound functions in JS_CloneFunctionObject. I like this more than doing it in "clone", because it makes the API safer to use.
Assignee: general → evilpies
Status: NEW → ASSIGNED
Attachment #621656 - Flags: review?(luke)
Attachment #621656 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/49ce375916e8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug751139.js.
Flags: in-testsuite+