Closed Bug 402937 Opened 15 years ago Closed 15 years ago

[FIX]nsObjectFrame::Instantiate can reenter itself

Categories: Core Graveyard :: Plug-ins, defect
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Attachments: 1 file

Relevant stack is attachment 287509.  The highlight is:

#2  0x17bd9943 in nsObjectFrame::Instantiate (this=0x25638b0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1433
#3  0x17d93c8b in nsObjectLoadingContent::Instantiate (this=0x3ed241fc, aFrame=0x25638dc, aMIMEType=@0x3ed24238, aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:1548
#4  0x17d945d6 in nsObjectLoadingContent::EnsureInstantiation (this=0x3ed241fc, aInstance=0xbfffcb14) at /Users/jruderman/trunk/mozilla/content/base/src/nsObjectLoadingContent.cpp:703
#5  0x17f6cf4d in nsHTMLPluginObjElementSH::GetPluginInstance (this=0x3e749230, wrapper=0x3ed00c80, _result=0xbfffcb14) at /Users/jruderman/trunk/mozilla/dom/src/base/nsDOMClassInfo.cpp:8623
#6  0x17f757b5 in nsHTMLPluginObjElementSH::PostCreate (this=0x3e749230, wrapper=0x3ed00c80, cx=0x2fab73c0, obj=0x3ddf6be0) at /Users/jruderman/trunk/mozilla/dom/src/base/nsDOMClassInfo.cpp:8663
....
Calling JS-implemented content policy, so JS-wrap the node
....
#17 0x3df4228d in NS_CheckContentLoadPolicy (contentType=5, contentLocation=0x3ed0d7e0, originPrincipal=0x3ed0d380, context=0x3ed24250, mimeType=@0xbfffd88c, extra=0x0, decision=0xbfffd856, policyService=0x0, aSecMan=0x0) at ../../../../dist/include/content/nsContentPolicyUtils.h:223
#18 0x3df1fe47 in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3de006c0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURL=0x3ed0d7e0, aOwner=0x3ed25d20) at /Users/jruderman/trunk/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3492
#19 0x17bd5163 in nsObjectFrame::InstantiatePlugin (this=0x25638b0, aPluginHost=0x3de006c4, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:793
#20 0x17bd9a77 in nsObjectFrame::Instantiate (this=0x25638b0, aMimeType=0x3ed242b8 "application/x-shockwave-flash", aURI=0x3ed0d7e0) at /Users/jruderman/trunk/mozilla/layout/generic/nsObjectFrame.cpp:1445

I think we need to guard against this...  Christian, do you think you can give this a stab?
Flags: blocking1.9?
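The stack above shows the shape of the problem: Instantiate calls InstantiatePlugin, which runs the content policy check; a JS-implemented policy forces the element to be JS-wrapped, the wrapper's PostCreate asks for the plugin instance, EnsureInstantiation sees none yet, and Instantiate is entered a second time on the same frame before the first call has finished. The following is an added example, not code from the bug's patch or from Mozilla, illustrating the general fix for a function that must not be re-entered through a callback: an in-progress flag held by an RAII guard, with the re-entered call turned into a no-op. PluginFrame, ReentryGuard, contentPolicy and the counters are hypothetical stand-ins for nsObjectFrame, the plugin host and the JS content policy path; the example also shows the edge case the RAII form exists for, namely that the flag is cleared even when the callback throws.

```cpp
#include <cstdio>
#include <functional>
#include <stdexcept>

// RAII guard: sets the in-progress flag on construction and clears it on
// destruction, including when the guarded body exits via an exception.
class ReentryGuard {
public:
    explicit ReentryGuard(bool& inProgress) : flag_(inProgress) { flag_ = true; }
    ~ReentryGuard() { flag_ = false; }
    ReentryGuard(const ReentryGuard&) = delete;
    ReentryGuard& operator=(const ReentryGuard&) = delete;
private:
    bool& flag_;
};

// Hypothetical frame (stand-in for nsObjectFrame). contentPolicy stands in
// for the JS-implemented content policy that, while wrapping the element,
// ends up calling EnsureInstantiation and therefore Instantiate again.
struct PluginFrame {
    int instancesCreated = 0;   // more than 1 means a duplicated (leaked) plugin instance
    bool instantiating = false; // the reentry flag guarded below
    int wrapperCreated = 0;     // how many times the "JS wrapper" was created
    std::function<void(PluginFrame&)> contentPolicy;

    // Before the fix: nothing stops the policy callback from re-entering.
    void InstantiateUnguarded() {
        if (contentPolicy) contentPolicy(*this);
        ++instancesCreated;
    }

    // After the fix: a second call while one is in flight is refused.
    bool InstantiateGuarded() {
        if (instantiating) return false;
        ReentryGuard guard(instantiating);
        if (contentPolicy) contentPolicy(*this);
        ++instancesCreated;
        return true;
    }
};

// Models the stack in the bug: the first time the wrapper is created,
// PostCreate asks for the plugin instance and re-enters Instantiate. Later
// checks find the wrapper already exists, so the recursion is one level deep.
static std::function<void(PluginFrame&)> ReenteringPolicy(bool guarded) {
    return [guarded](PluginFrame& f) {
        if (f.wrapperCreated++ == 0) {
            if (guarded) f.InstantiateGuarded(); else f.InstantiateUnguarded();
        }
    };
}

int InstancesWithoutGuard() {
    PluginFrame f;
    f.contentPolicy = ReenteringPolicy(false);
    f.InstantiateUnguarded();
    return f.instancesCreated;  // 2: the inner call created one, the outer another
}

int InstancesWithGuard() {
    PluginFrame f;
    f.contentPolicy = ReenteringPolicy(true);
    f.InstantiateGuarded();
    return f.instancesCreated;  // 1: the inner call was refused
}

// The guard must clear itself even if the callback throws; otherwise the
// frame would refuse every later instantiation.
bool GuardResetsAfterException() {
    PluginFrame f;
    f.contentPolicy = [](PluginFrame&) { throw std::runtime_error("policy failed"); };
    try { f.InstantiateGuarded(); } catch (const std::runtime_error&) {}
    if (f.instantiating) return false;
    f.contentPolicy = nullptr;
    return f.InstantiateGuarded() && f.instancesCreated == 1;
}

int main() {
    std::printf("unguarded instances: %d\n", InstancesWithoutGuard());
    std::printf("guarded instances:   %d\n", InstancesWithGuard());
    std::printf("guard reset after throw: %s\n", GuardResetsAfterException() ? "yes" : "no");
    return 0;
}
```

The guard only makes the inner call a no-op; whether that is safe depends on the outer call finishing the work the inner one wanted (here the outer Instantiate still creates the instance after the policy check returns). A guard that instead asserted or returned an error would surface the reentry loudly, which is the better choice while hunting for other reentrant paths.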
Oh, the reason I think we block on this is that the code doesn't deal at all well with reentry.  For example, it causes leaks, as in bug 401393.
I don't think this is a blocker as we don't know of anything really bad that's caused by this yet. I'd love to see a fix though... assigning to biesi for now.
Assignee: nobody → cbiesinger
Flags: wanted1.9+
Flags: blocking1.9?
Flags: blocking1.9-
OS: Mac OS X → All
Hardware: PC → All
Well, I just haven't had a chance to look through the code to see whether it fails in some cases.  I would be pretty surprised if it doesn't, frankly.
Sure, but the question is whether something goes bad enough that it's worth blocking the release for :)
Attached patch: Fix
Preventing reentry is easier than reading the plugin code... ;)
Assignee: cbiesinger → bzbarsky
Status: NEW → ASSIGNED
Attachment #288273 - Flags: superreview?(jst)
Attachment #288273 - Flags: review?(cbiesinger)
Attachment #288273 - Flags: superreview?(jst) → superreview+
Summary: nsObjectFrame::Instantiate can reenter itself → [FIX]nsObjectFrame::Instantiate can reenter itself
Attachment #288273 - Flags: review?(cbiesinger) → review+
Comment on attachment 288273
Fix

Safety fix to prevent reentering a function that doesn't expect to be reentered.
Attachment #288273 - Flags: approval1.9?
Attachment #288273 - Flags: approval1.9? → approval1.9+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Product: Core → Core Graveyard