Bug 751139 - Assertion failure: fun->isBoundFunction(), at jsfun.cpp:807 or Crash [@ js::CallOrConstructBoundFunction]
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All Linux
-- critical
: mozilla15
Assigned To: Tom Schuster [:evilpie]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
Reported: 2012-05-02 06:16 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:02 PST (History)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

disallow cloning of bound functions (1.58 KB, patch)
2012-05-07 10:32 PDT, Tom Schuster [:evilpie]
luke: review+

Description Christian Holler (:decoder) 2012-05-02 06:16:23 PDT
The following test crashes on mozilla-central revision 281574985410 (no options required):

function C(a, b) {}
var f = C.bind(null, 2);
g = clone(f, this);
a_squared = g(2);

The test uses the shell-only function "clone", however, in the browser, functions are cloned the same way for event handlers I believe. The crash does not look security-sensitive (probably null-deref).
Comment 1 Tom Schuster [:evilpie] 2012-05-03 11:22:40 PDT
So I would like to work on this, but I am not sure what we want here. Do we want to allow cloning of bound-functions at all? If yes what about the bound arguments and the this parameter, do we need to clone/wrap them in some way, too?
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-05-03 11:50:05 PDT
This bug has been around since (and probably even before) March 2011 on rev
Comment 3 Jeff Walden [:Waldo] (remove +bmo to email) 2012-05-07 10:01:13 PDT
I could be wrong about this, but the event-handler cloning is for XBL, and for event handlers declared in XBL code.  Those are not bound functions of the sort at issue here (which I believe can only be created by Function.prototype.bind).

If we set that aside, I think this may just be a matter of requiring clone() to not clone bound functions, and it wouldn't be anything more than a shell bug.  But maybe I'm missing something.
Comment 4 Tom Schuster [:evilpie] 2012-05-07 10:32:45 PDT
Created attachment 621656 [details] [diff] [review]
disallow cloning of bound functions

Thank you very much for this analysis Jeff.
This makes this bug indeed very easy; I am just checking for bound functions in JS_CloneFunctionObject. I like this more than doing it in "clone", because it makes the API safer to use.
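The fix described in this comment puts the guard at the API boundary (JS_CloneFunctionObject) rather than in the shell's clone() helper, so every caller is protected. The following is an added userland illustration of the same idea, not SpiderMonkey code and not the attached patch: a hypothetical cloneFunction() that re-creates a function from its source text, which is meaningless for a bound function (its source is "[native code]" and its bound this/arguments are not recoverable), so it is rejected up front with a clear error instead of failing in a confusing way later. isBoundFunction() is a heuristic assumed for this example; the engine's real check is internal.

```javascript
// Added example, not part of Bug 751139 or the SpiderMonkey source.
// Shows why a "clone" operation must reject bound functions explicitly,
// mirroring the fix that checks for them in JS_CloneFunctionObject.

// Heuristic (assumption for this example): a bound function, as created by
// Function.prototype.bind, has a name prefixed with "bound " and exposes only
// native code as its source text, so it cannot be re-created from source.
function isBoundFunction(fn) {
  return typeof fn === "function" &&
    fn.name.startsWith("bound ") &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Naive userland clone: re-evaluate the function's source text to obtain a
// fresh function object. Works only for functions whose source is available
// and which do not close over local variables.
function cloneFunction(fn) {
  if (isBoundFunction(fn)) {
    // The guard: refuse early with a precise error, like the engine-side fix.
    throw new TypeError("cannot clone a bound function");
  }
  const src = Function.prototype.toString.call(fn);
  return new Function("return (" + src + ");")();
}

// Constructed sample input, shaped like the bug's test case.
function C(a, b) { return [a, b]; }
const f = C.bind(null, 2);

// Returns whether a clone attempt on `fn` was rejected by the guard.
function cloneRejected(fn) {
  try {
    cloneFunction(fn);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Usage: cloning a plain function yields a working copy; cloning the bound
// function is rejected before any attempt to interpret "[native code]".
console.log(cloneFunction(C)(1, 2));   // [ 1, 2 ]
console.log(cloneRejected(f));         // true
```

Without the guard, new Function() would throw a SyntaxError on the "[native code]" body, which is the userland analogue of the engine reaching code that assumes a clonable function and hitting the assertion in the bug title.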
Comment 6 Matt Brubeck (:mbrubeck) 2012-05-12 08:56:46 PDT
Comment 7 Christian Holler (:decoder) 2013-01-14 08:02:40 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug751139.js.
