Closed Bug 402937 Opened 15 years ago Closed 15 years ago
Object Frame::Instantiate can reenter itself
Relevant stack is attachment 287509 [details]. The highlight is:

#2 0x17bd9943 in nsObjectFrame::Instantiate (this=0x25638b0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1433
#3 0x17d93c8b in nsObjectLoadingContent::Instantiate (this=0x3ed241fc, aFrame=0x25638dc, aMIMEType=@0x3ed24238, aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1548
#4 0x17d945d6 in nsObjectLoadingContent::EnsureInstantiation (this=0x3ed241fc, aInstance=0xbfffcb14) at /Users/jruderman/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:703
#5 0x17f6cf4d in nsHTMLPluginObjElementSH::GetPluginInstance (this=0x3e749230, wrapper=0x3ed00c80, _result=0xbfffcb14) at /Users/jruderman/trunk/mozilla/dom/src/base/nsDOMClassInfo.cpp:8623
#6 0x17f757b5 in nsHTMLPluginObjElementSH::PostCreate (this=0x3e749230, wrapper=0x3ed00c80, cx=0x2fab73c0, obj=0x3ddf6be0) at /Users/jruderman/trunk/mozilla/dom/src/base/nsDOMClassInfo.cpp:8663

.... Calling JS-implemented content policy, so JS-wrap the node ....

#17 0x3df4228d in NS_CheckContentLoadPolicy (contentType=5, contentLocation=0x3ed0d7e0, originPrincipal=0x3ed0d380, context=0x3ed24250, mimeType=@0xbfffd88c, extra=0x0, decision=0xbfffd856, policyService=0x0, aSecMan=0x0) at ../../../../dist/include/content/nsContentPolicyUtils.h:223
#18 0x3df1fe47 in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3de006c0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURL=0x3ed0d7e0, aOwner=0x3ed25d20) at /Users/jruderman/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3492
#19 0x17bd5163 in nsObjectFrame::InstantiatePlugin (this=0x25638b0, aPluginHost=0x3de006c4, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:793
#20 0x17bd9a77 in nsObjectFrame::Instantiate (this=0x25638b0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1445

I think we need to guard against this... Christian, do you think you can give this a stab?
Oh, the reason I think we block on this is that the code doesn't deal at all well with reentry. For example, it causes leaks, as in bug 401393.
I don't think this is a blocker as we don't know of anything really bad that's caused by this yet. I'd love to see a fix though... assigning to biesi for now.
Assignee: nobody → cbiesinger
OS: Mac OS X → All
Hardware: PC → All
Well, I just haven't had a chance to look through the code to see whether it fails in some cases. I would be pretty surprised if it doesn't, frankly.
Sure, but the question is whether something goes bad enough that it's worth blocking the release for :)
Preventing reentry is easier than reading the plugin code... ;)
Attachment #288273 - Flags: superreview?(jst) → superreview+
Summary: nsObjectFrame::Instantiate can reenter itself → [FIX]nsObjectFrame::Instantiate can reenter itself
Attachment #288273 - Flags: review?(cbiesinger) → review+
Comment on attachment 288273 [details] [diff] [review] Fix Safety fix to prevent reentering a function that doesn't expect to be reentered.
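The shape of the guard that the attachment description refers to, written out as an added illustration rather than the actual patch: a function that calls out to a JS-implemented content policy part-way through (which is how the stack above ends up back in Instantiate) refuses a nested call while an outer one is still on the stack. Class and function names (PluginFrame, ScopedBusyFlag, Result) are hypothetical stand-ins and the policy hook that re-enters is constructed for the demonstration; none of it is Mozilla code.

```cpp
// Added illustration of a reentrancy guard for a function that runs
// arbitrary script mid-way (the pattern from bug 402937). Not the real
// Mozilla patch; all names here are hypothetical stand-ins.
#include <functional>
#include <string>
#include <utility>

// Stand-in for nsresult codes; not the real XPCOM values.
enum class Result { Ok, ErrorReentered };

// RAII busy flag: set on construction, cleared on every exit path
// (normal return, early return, exception), so a stale "busy" state
// cannot be left behind and wedge later calls.
class ScopedBusyFlag {
public:
    explicit ScopedBusyFlag(bool& flag) : mFlag(flag) { mFlag = true; }
    ~ScopedBusyFlag() { mFlag = false; }
    ScopedBusyFlag(const ScopedBusyFlag&) = delete;
    ScopedBusyFlag& operator=(const ScopedBusyFlag&) = delete;
private:
    bool& mFlag;
};

// Hypothetical frame whose Instantiate() must consult a content policy
// before creating a plugin instance. The policy may be JS-implemented and
// may touch the DOM node, which can land back in Instantiate() on this
// same frame before the first call has finished.
class PluginFrame {
public:
    // The hook gets the frame so a misbehaving policy can re-enter it.
    using PolicyHook = std::function<bool(PluginFrame&)>;

    explicit PluginFrame(PolicyHook hook) : mPolicyHook(std::move(hook)) {}

    Result Instantiate(const std::string& mimeType) {
        if (mInstantiating) {
            // Re-entered while an outer Instantiate() is still running:
            // refuse rather than create a second instance for the same frame.
            ++mRejectedReentries;
            return Result::ErrorReentered;
        }
        ScopedBusyFlag busy(mInstantiating);

        // Stage 1: ask the content policy. Arbitrary script can run here.
        if (!mPolicyHook(*this)) {
            return Result::Ok;  // load blocked by policy; nothing created
        }

        // Stage 2: create the plugin instance exactly once per call.
        ++mInstances;
        mLastMimeType = mimeType;
        return Result::Ok;
    }

    int instances() const { return mInstances; }
    int rejectedReentries() const { return mRejectedReentries; }

private:
    PolicyHook mPolicyHook;
    bool mInstantiating = false;
    int mInstances = 0;
    int mRejectedReentries = 0;
    std::string mLastMimeType;
};

struct ScenarioResult {
    int instancesAfterFirstCall;  // 1: the nested call created nothing
    int rejectedAfterFirstCall;   // 1: the nested call was refused
    bool secondCallSucceeded;     // true: busy flag cleared on exit
};

// Constructed scenario mirroring the stack trace: the policy hook calls
// Instantiate() on the same frame while the outer call is still active.
ScenarioResult RunReentrantScenario() {
    PluginFrame frame([](PluginFrame& self) {
        (void)self.Instantiate("application/x-shockwave-flash");  // re-entry
        return true;  // and then allow the load
    });
    ScenarioResult r{};
    frame.Instantiate("application/x-shockwave-flash");
    r.instancesAfterFirstCall = frame.instances();
    r.rejectedAfterFirstCall = frame.rejectedReentries();
    r.secondCallSucceeded =
        frame.Instantiate("application/x-shockwave-flash") == Result::Ok;
    return r;
}

// Constructed control: a well-behaved policy that denies the load.
int InstancesWhenPolicyDenies() {
    PluginFrame frame([](PluginFrame&) { return false; });
    frame.Instantiate("application/x-shockwave-flash");
    return frame.instances();
}
```

The point of the RAII flag rather than a plain `mInstantiating = true; ... = false;` pair is that the real function has several exit paths (policy denial, plugin host failure), and a flag left set on one of them would make every later Instantiate() on that frame a silent no-op, which is the sort of leak-prone state the earlier comments worry about.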
Attachment #288273 - Flags: approval1.9?
Attachment #288273 - Flags: approval1.9? → approval1.9+
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED