Closed Bug 489251 Opened 16 years ago Closed 16 years ago

Crash on shutdown after touching window.java or window.packages

Tracking

(Not tracked)

Status:

RESOLVED FIXED

Milestone:

mozilla1.9.1

People

(Reporter: mrbkap, Assigned: jst)

Details

(Keywords: fixed1.9.1, regression)

Attachments

(1 file)

Fix for the crash. 16 years ago Johnny Stenback (:jst) 1.30 KB, patch	mrbkap : review+ mrbkap : superreview+	Details \| Diff \| Splinter Review

Blake Kaplan (:mrbkap) (inactive)

Reporter

Description

•

16 years ago

During startup, Venkman has a line that touches "java" in the global scope. This causes nsGlobalWindow to instantiate an nsDummyJavaPluginOwner. This owner ends up being used-after-free (addref'd even). jst is on the case. It looks like a missing call to nsIPluginInstancePeer2::InvalidateOwner.

Johnny Stenback (:jst)

Assignee

Comment 1

•

16 years ago

This crash can be triggered by typing javascript:alert(java); in the URL bar and then quitting. Patch coming up to fix the crash, but there's more problems here, like us never properly tearing down the dummy java plugin, leaking every instance of it etc, but that's a different bug (which I'll file).

Assignee: nobody → jst

Summary: Crash on shutdown after opening Venkman → Crash on shutdown after touching window.java or window.packages

Johnny Stenback (:jst)

Assignee

Comment 2

•

16 years ago

We need to block on this, it's trivial to reproduce, and likely exploitable if someone tries hard enough. This is most likely a regression from bug 475646.

Flags: blocking1.9.1+

Keywords: regression

Johnny Stenback (:jst)

Assignee

Comment 3

•

16 years ago

Attached patch Fix for the crash. — Details — Splinter Review

Attachment #373971 - Flags: superreview?(mrbkap)

Attachment #373971 - Flags: review?(mrbkap)

Johnny Stenback (:jst)

Assignee

Updated

•

16 years ago

Priority: -- → P2

Target Milestone: --- → mozilla1.9.1

Blake Kaplan (:mrbkap) (inactive)

Reporter

Updated

•

16 years ago

Attachment #373971 - Flags: superreview?(mrbkap)

Attachment #373971 - Flags: superreview+

Attachment #373971 - Flags: review?(mrbkap)

Attachment #373971 - Flags: review+

Johnny Stenback (:jst)

Assignee

Comment 4

•

16 years ago

Fixed on trunk and branch. http://hg.mozilla.org/mozilla-central/rev/869fd52a1854 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/cacd3241686c

Status: NEW → RESOLVED

Closed: 16 years ago

Keywords: fixed1.9.1

OS: Linux → All

Hardware: x86 → All

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Updated

•

12 years ago

Group: core-security

BMO Automation

Updated

•

3 years ago

Product: Core → Core Graveyard

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash on shutdown after touching window.java or window.packages

Categories

(Core Graveyard :: Plug-ins, defect, P2)

Tracking

(Not tracked)

People

(Reporter: mrbkap, Assigned: jst)

References

Details

(Keywords: fixed1.9.1, regression)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Updated

Updated

Comment 4

Updated

Updated

Attachment

General

Description

File Name

Content Type