Closed
Bug 402937
Opened 17 years ago
Closed 17 years ago
[FIX]nsObjectFrame::Instantiate can reenter itself
Categories: Core Graveyard :: Plug-ins, defect
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: bzbarsky, Assigned: bzbarsky
Attachments (1 file): patch, 4.20 KB; Biesinger: review+; jst: superreview+; damons: approval1.9+
Relevant stack is attachment 287509 [details]. The highlight is:
#2 0x17bd9943 in nsObjectFrame::Instantiate (this=0x25638b0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1433
#3 0x17d93c8b in nsObjectLoadingContent::Instantiate (this=0x3ed241fc, aFrame=0x25638dc, aMIMEType=@0x3ed24238, aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1548
#4 0x17d945d6 in nsObjectLoadingContent::EnsureInstantiation (this=0x3ed241fc, aInstance=0xbfffcb14) at /Users/jruderman/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:703
#5 0x17f6cf4d in nsHTMLPluginObjElementSH::GetPluginInstance (this=0x3e749230, wrapper=0x3ed00c80, _result=0xbfffcb14) at /Users/jruderman/trunk/mozilla/dom/src/base/nsDOMClassInfo.cpp:8623
#6 0x17f757b5 in nsHTMLPluginObjElementSH::PostCreate (this=0x3e749230, wrapper=0x3ed00c80, cx=0x2fab73c0, obj=0x3ddf6be0) at /Users/jruderman/trunk/mozilla/dom/src/base/nsDOMClassInfo.cpp:8663
....
Calling JS-implemented content policy, so JS-wrap the node
....
#17 0x3df4228d in NS_CheckContentLoadPolicy (contentType=5, contentLocation=0x3ed0d7e0, originPrincipal=0x3ed0d380, context=0x3ed24250, mimeType=@0xbfffd88c, extra=0x0, decision=0xbfffd856, policyService=0x0, aSecMan=0x0) at ../../../../dist/include/content/nsContentPolicyUtils.h:223
#18 0x3df1fe47 in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3de006c0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURL=0x3ed0d7e0, aOwner=0x3ed25d20) at /Users/jruderman/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3492
#19 0x17bd5163 in nsObjectFrame::InstantiatePlugin (this=0x25638b0, aPluginHost=0x3de006c4, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:793
#20 0x17bd9a77 in nsObjectFrame::Instantiate (this=0x25638b0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1445
I think we need to guard against this... Christian, do you think you can give this a stab?
Flags: blocking1.9?
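The stack above shows the cycle: Instantiate -> InstantiatePlugin -> InstantiateEmbeddedPlugin -> content-policy check -> JS wrapper creation -> PostCreate -> GetPluginInstance -> EnsureInstantiation -> Instantiate again, on the same frame. The following stand-alone C++ sketch is an added example, not the patch in attachment 288273 (which is not reproduced on this page) and not Mozilla code; ObjectFrame, PolicyHook, runScenario and the counters are assumptions made for illustration. It models that call path with a hook that re-calls Instantiate once, and contrasts the unguarded behaviour (two plugin instances created for one frame, the first orphaned) with an in-flight flag of the kind comment 5 refers to.

```cpp
#include <functional>
#include <string>

// Hypothetical stand-in for nsObjectFrame (added example, not Mozilla code).
class ObjectFrame {
 public:
  // Models whatever runs inside the content-policy check: in the real bug
  // that is script, which may call back into Instantiate on this frame.
  using PolicyHook = std::function<void(ObjectFrame&)>;

  ObjectFrame(PolicyHook hook, bool guarded)
      : mHook(std::move(hook)), mGuarded(guarded) {}

  // Models nsObjectFrame::Instantiate. Returns false when a nested call
  // is refused by the reentrancy guard.
  bool Instantiate(const std::string& mimeType) {
    if (mInstantiating) {
      ++mReentriesSeen;
      if (mGuarded) return false;  // refuse to reenter; outer call is still in flight
    }
    // RAII flag: restored on every exit path, so a throw below cannot leave
    // the frame permanently marked as instantiating.
    struct InFlight {
      bool& flag;
      bool prev;
      explicit InFlight(bool& f) : flag(f), prev(f) { flag = true; }
      ~InFlight() { flag = prev; }
    } inFlight(mInstantiating);
    return InstantiatePlugin(mimeType);
  }

  int pluginCreations() const { return mPluginCreations; }
  int reentriesSeen() const { return mReentriesSeen; }

 private:
  // Models nsPluginHostImpl::InstantiateEmbeddedPlugin: the content-policy
  // check runs (and can run script) before the plugin instance is created.
  bool InstantiatePlugin(const std::string& /*mimeType*/) {
    if (mHook) mHook(*this);  // NS_CheckContentLoadPolicy -> JS -> wrapper -> PostCreate
    ++mPluginCreations;       // unguarded reentry reaches this line twice
    return true;
  }

  PolicyHook mHook;
  bool mGuarded;
  bool mInstantiating = false;
  int mPluginCreations = 0;
  int mReentriesSeen = 0;
};

struct Outcome {
  int creations;   // plugin instances created for a single frame
  int reentries;   // nested Instantiate calls observed
};

// Drives one Instantiate call through a hook that behaves like
// PostCreate -> GetPluginInstance -> EnsureInstantiation: the first time it
// runs it calls Instantiate on the same frame again (once, so it terminates).
inline Outcome runScenario(bool guarded) {
  int hookCalls = 0;
  ObjectFrame frame(
      [&hookCalls](ObjectFrame& f) {
        if (hookCalls++ == 0) f.Instantiate("application/x-shockwave-flash");
      },
      guarded);
  frame.Instantiate("application/x-shockwave-flash");
  return Outcome{frame.pluginCreations(), frame.reentriesSeen()};
}

int main() {
  Outcome unguarded = runScenario(false);
  Outcome guarded = runScenario(true);
  // Unguarded: two plugin instances for one frame (the first is orphaned).
  // Guarded:   one instance; the nested call is refused and returns false.
  return (unguarded.creations == 2 && guarded.creations == 1) ? 0 : 1;
}
```

The guard refuses the nested call rather than queueing it; that matches the situation here, where the inner caller (EnsureInstantiation) only wants an instance that the outer, already-running Instantiate is about to produce. Using an RAII object for the flag rather than a manual reset matters because the plugin host can fail part-way through.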
Comment 1 • 17 years ago (Assignee)
Oh, the reason I think we block on this is that the code doesn't deal at all well with reentry. For example, it causes leaks, as in bug 401393.
Comment 2 • 17 years ago
I don't think this is a blocker as we don't know of anything really bad that's caused by this yet. I'd love to see a fix though... assigning to biesi for now.
Assignee: nobody → cbiesinger
Flags: wanted1.9+
Flags: blocking1.9?
Flags: blocking1.9-
OS: Mac OS X → All
Hardware: PC → All
Comment 3 • 17 years ago (Assignee)
Well, I just haven't had a chance to look through the code to see whether it fails in some cases. I would be pretty surprised if it doesn't, frankly.
Comment 4 • 17 years ago
Sure, but the question is whether something goes bad enough that it's worth blocking the release for :)
Comment 5 • 17 years ago (Assignee)
Preventing reentry is easier than reading the plugin code... ;)
Assignee: cbiesinger → bzbarsky
Status: NEW → ASSIGNED
Attachment #288273 - Flags: superreview?(jst)
Attachment #288273 - Flags: review?(cbiesinger)
Updated • 17 years ago
Attachment #288273 - Flags: superreview?(jst) → superreview+
Updated • 17 years ago (Assignee)
Summary: nsObjectFrame::Instantiate can reenter itself → [FIX]nsObjectFrame::Instantiate can reenter itself
Updated • 17 years ago
Attachment #288273 - Flags: review?(cbiesinger) → review+
Comment 6 • 17 years ago (Assignee)
Comment on attachment 288273 [details] [diff] [review]
Fix
Safety fix to prevent reentering a function that doesn't expect to be reentered.
Attachment #288273 - Flags: approval1.9?
Updated • 17 years ago
Attachment #288273 - Flags: approval1.9? → approval1.9+
Comment 7 • 17 years ago (Assignee)
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Flags: in-testsuite?
Updated • 3 years ago
Product: Core → Core Graveyard