Bug 751139 - Assertion failure: fun->isBoundFunction(), at jsfun.cpp:807 or Crash [@ js::CallOrConstructBoundFunction]
Status: RESOLVED FIXED
Whiteboard: js-triage-needed
Keywords: assertion, crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All Linux
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Tom Schuster [:evilpie]
: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2012-05-02 06:16 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:02 PST
Flags: choller: in-testsuite+

Attachments
disallow cloning of bound functions (1.58 KB, patch) - 2012-05-07 10:32 PDT, Tom Schuster [:evilpie] - luke: review+

Description Christian Holler (:decoder) 2012-05-02 06:16:23 PDT
The following test crashes on mozilla-central revision 281574985410 (no options required):


function C(a, b) {}
var f = C.bind(null, 2);   // bound function: target C, bound this null, one bound argument
g = clone(f, this);        // shell-only clone(fn, global): clone f into the global object `this`
a_squared = g(2);          // calling the clone hits the assertion / crash


The test uses the shell-only function "clone", however, in the browser, functions are cloned the same way for event handlers I believe. The crash does not look security-sensitive (probably null-deref).
Comment 1 Tom Schuster [:evilpie] 2012-05-03 11:22:40 PDT
So I would like to work on this, but I am not sure what we want here. Do we want to allow cloning of bound-functions at all? If yes what about the bound arguments and the this parameter, do we need to clone/wrap them in some way, too?
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-05-03 11:50:05 PDT
This bug has been around since (and probably even before) March 2011 on rev http://hg.mozilla.org/mozilla-central/rev/d796fb18f555
Comment 3 Jeff Walden [:Waldo] (remove +bmo to email) 2012-05-07 10:01:13 PDT
I could be wrong about this, but the event-handler cloning is for XBL, and for event handlers declared in XBL code.  Those are not bound functions of the sort at issue here (which I believe can only be created by Function.prototype.bind).

If we set that aside, I think this may just be a matter of requiring clone() to not clone bound functions, and it wouldn't be anything more than a shell bug.  But maybe I'm missing something.
Comment 4 Tom Schuster [:evilpie] 2012-05-07 10:32:45 PDT
Created attachment 621656 [details] [diff] [review]
disallow cloning of bound functions

Thank you very much for this analysis, Jeff.
This makes this bug indeed very easy; I am just checking for bound functions in JS_CloneFunctionObject. I like this more than doing it in "clone", because it makes the API safer to use.
Comment 6 Matt Brubeck (:mbrubeck) 2012-05-12 08:56:46 PDT
https://hg.mozilla.org/mozilla-central/rev/49ce375916e8
Comment 7 Christian Holler (:decoder) 2013-01-14 08:02:40 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug751139.js.