Closed
Bug 621939
Opened 14 years ago
Closed 14 years ago
Assertion failure: FUN_FLAT_CLOSURE(callee_fun)
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED DUPLICATE of bug 592202
| Branch flag | Tracking | Status |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: jandem, Unassigned)
Details
(Whiteboard: [sg:dupe 592202])
This snippet:
---
function f() {
    var x = "";
    setThrowHook("x = ''");
    function g() {
        x();
    }
    g();
}
f();
---
Asserts with ./js -d:
Assertion failure: FUN_FLAT_CLOSURE(callee_fun), at ../jsfun.cpp:1169
This crashes in a release build. I think this is debug-mode only; but I'll mark this security sensitive just to be safe.
Updated•14 years ago
Group: core-security
Comment 1•14 years ago
Waldo, you marked this a security bug, do you have a sense of severity here?
Comment 2•14 years ago
I mostly marked it for comment 0 saying it had intended to. :-)
But even just my look at it suggests yes. Basically you're punning a function object that's not a flat closure, with some number of reserved slots, into something else. The problem is the assignment inside the setThrowHook code (I have no idea what this method is, but clearly it's something eval-like that we don't recognize as being eval-like), which essentially can overwrite any slot of that function this way, I think. And that probably throws off type expectations, and now you're punning values, and that's usually a recipe for complete failure if you try hard enough.
OS: Mac OS X → All
Hardware: x86 → All
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
OS: All → Mac OS X
Hardware: All → x86
Resolution: --- → DUPLICATE
Comment 4•14 years ago
Waldo: setThrowHook is just a shell helper useful when a test role-plays a real debugger. It ends up calling JS_EvaluateUCInStackFrame, which indeed forces the Call object for a non-flat closure (for g, a hoisted inner function declaration) to be created.
The rest is bug 592202. There's no punning going on.
/be
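The point of comments 2 and 4 is that an eval-like path running inside a live frame can reassign a variable after a closure over it has already been created, so the engine cannot treat that closure as a flat copy of the variable's value. The following is an added example, not code from the bug report or from SpiderMonkey: it mirrors the shape of the snippet in comment 0 (x() throws, a hook then assigns to x in the enclosing frame) using direct eval inside a catch block as a stand-in for the shell-only setThrowHook helper. It does not reproduce the assertion; it shows the observable semantics the engine has to preserve, and contrasts a frame-scoped eval with an indirect eval that cannot reach the frame at all. The function names and the retry-after-rebind logic are this example's own assumptions.

```javascript
// Added example (not from the bug report): closure semantics under a
// frame-scoped eval, as a stand-in for the shell's setThrowHook.

function rebindThroughFrameEval() {
  var x = "";                       // the only ordinary assignment to x
  function g() { return x(); }      // throws TypeError while x is ""
  try {
    return g();
  } catch (e) {
    // Stand-in for the throw hook: this direct eval runs in the enclosing
    // frame, after g already exists, and rebinds the variable g closed over.
    eval("x = function () { return 'rebound'; }");
    return g();                     // must observe the live binding, not a copy
  }
}

function rebindThroughGlobalEval() {
  var x = "";
  function g() { return x; }
  // Indirect eval runs in global scope and cannot reach this frame's x,
  // so g keeps seeing the local value. (Assumption: a non-module script,
  // so the global var it creates clashes with nothing.)
  (0, eval)("var x = 'rebound'");
  return g();
}
```

A closure implemented by copying x's value when g was created would return the original empty string from the second call in rebindThroughFrameEval; only a closure that reads the frame's live binding gives the correct answer, which is why the engine must recognise every eval-like path, including debugger hooks, before deciding how a closure captures its variables.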
Updated•14 years ago
Updated•11 years ago
Group: core-security