Assertion failure: fun->isBoundFunction(), at jsfun.cpp:807 or Crash [@ js::CallOrConstructBoundFunction]

RESOLVED FIXED in mozilla15

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People: Reporter: decoder, Assigned: evilpie

Tracking: Blocks: 1 bug; Keywords: assertion, crash, testcase
Version: Trunk
Target Milestone: mozilla15
Hardware: All
OS: Linux
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)
Whiteboard: js-triage-needed, crash signature

Attachments

(1 attachment)

Description (Reporter, 5 years ago)
The following test crashes on mozilla-central revision 281574985410 (no options required):

// Plain function used as the bind target.
function C(a, b) {}
// f is a bound function: target C, bound this = null, bound argument 2.
var f = C.bind(null, 2);
// Shell-only clone() into the current global; this is where the assertion fires.
g = clone(f, this);
// Calling the clone is what reaches js::CallOrConstructBoundFunction.
a_squared = g(2);

The test uses the shell-only function "clone", however, in the browser, functions are cloned the same way for event handlers I believe. The crash does not look security-sensitive (probably null-deref).
Comment 1 (Assignee, 5 years ago)
So I would like to work on this, but I am not sure what we want here. Do we want to allow cloning of bound functions at all? If yes, what about the bound arguments and the this parameter: do we need to clone/wrap them in some way, too?
This bug has been around since (and probably even before) March 2011 on rev http://hg.mozilla.org/mozilla-central/rev/d796fb18f555
I could be wrong about this, but the event-handler cloning is for XBL, and for event handlers declared in XBL code. Those are not bound functions of the sort at issue here (which I believe can only be created by Function.prototype.bind).

If we set that aside, I think this may just be a matter of requiring clone() to not clone bound functions, and it wouldn't be anything more than a shell bug. But maybe I'm missing something.
Comment 4 (Assignee, 5 years ago)
Created attachment 621656 [details] [diff] [review]
disallow cloning of bound functions

Thank you very much for this analysis Jeff.
This makes this bug indeed very easy: I am just checking for bound functions in JS_CloneFunctionObject. I like this more than doing it in "clone", because it makes the API safer to use.
Assignee: general → evilpies
Status: NEW → ASSIGNED
Attachment #621656 - Flags: review?(luke)

Updated (5 years ago)
Attachment #621656 - Flags: review?(luke) → review+
Comment 5 (Assignee, 5 years ago)
http://hg.mozilla.org/integration/mozilla-inbound/rev/49ce375916e8
https://hg.mozilla.org/mozilla-central/rev/49ce375916e8
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Comment 7 (Reporter, 4 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug751139.js.
Flags: in-testsuite+