~ScriptObject isn't safe

Status: RESOLVED WONTFIX
Priority: P3
Severity: normal
Reported: 9 years ago
Modified: 3 days ago

People: Reporter treilly; Unassigned

Tracking
Version: unspecified
Target Milestone: Q1 12 - Brannan
Hardware: x86, Mac OS X
Bug Flags: flashplayer-injection -, flashplayer-qrb +, flashplayer-bug +

Details

Description (Reporter, 9 years ago)
This function assumes vtable and vtable->traits are still around, which isn't valid. I've never seen this in practice, but I'm pretty sure it could happen easily at shutdown if you have lots of ScriptObjects bigger than their vtable/traits objects lingering (we finalize in size order).

We have no mechanism to finalize ScriptObjects before other objects and no mechanism to keep vtables/traits around until all ScriptObjects are finalized, but something like that is needed. Or we have to store the data needed to destroy properly in the ScriptObject (bad space trade-off).
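The finalization-order hazard described above, as an added C++ model (not Tamarin or MMgc code): a collector that finalizes smallest-first tears down the VTable/Traits before a larger ScriptObject whose teardown still dereferences them, shown beside the variant that caches what it needs inside the object. Class names, sizes and the "finalized" flag are assumptions made for the model.

```cpp
// Added illustration (not Tamarin/MMgc code): a toy collector that finalizes smallest-first,
// so a ScriptObject larger than its VTable/Traits is finalized after them. Memory is never
// freed; a "finalized" flag stands in for dead metadata. Names and sizes are assumptions.
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>
struct Finalizable {
    std::size_t bytes; bool finalized = false;
    explicit Finalizable(std::size_t b) : bytes(b) {}
    virtual ~Finalizable() = default;
    virtual void finalize() { finalized = true; }
};
struct Traits : Finalizable {
    std::string name;  explicit Traits(const char* n) : Finalizable(sizeof(Traits)), name(n) {}
};
struct VTable : Finalizable {
    Traits* traits;  explicit VTable(Traits* t) : Finalizable(sizeof(VTable)), traits(t) {}
};
// Mirrors the reported destructor: assumes vtable and vtable->traits are still live.
struct UnsafeScriptObject : Finalizable {
    VTable* vtable;
    char slots[512] = {};   // payload that makes the object larger than its metadata
    int hazards = 0;        // dereferences of already-finalized metadata (real code: use-after-free)
    explicit UnsafeScriptObject(VTable* v) : Finalizable(sizeof(UnsafeScriptObject)), vtable(v) {}
    void finalize() override {
        if (vtable->finalized || vtable->traits->finalized) ++hazards;
        Finalizable::finalize();
    }
};
// The report's "store the data needed to destroy properly" option: cache it at construction.
struct SafeScriptObject : Finalizable {
    std::string traitsName;
    char slots[512] = {};
    explicit SafeScriptObject(VTable* v) : Finalizable(sizeof(SafeScriptObject)), traitsName(v->traits->name) {}
};
// Finalizes in ascending size order, the ordering the report identifies as the trigger.
void finalizeInSizeOrder(std::vector<Finalizable*> objs) {
    std::sort(objs.begin(), objs.end(),
              [](const Finalizable* a, const Finalizable* b) { return a->bytes < b->bytes; });
    for (Finalizable* o : objs) o->finalize();
}
// Builds Traits <- VTable <- two ScriptObjects, runs the collector; returns the unsafe
// object's hazard count and the traits name the safe object still held at teardown.
std::pair<int, std::string> runShutdownScenario() {
    Traits traits("Foo"); VTable vtable(&traits);
    UnsafeScriptObject unsafeObj(&vtable); SafeScriptObject safeObj(&vtable);
    finalizeInSizeOrder({&traits, &vtable, &unsafeObj, &safeObj});
    return {unsafeObj.hazards, safeObj.traitsName};
}
```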

Comment 1 (9 years ago)
It's been like this in one way or another pretty much forever, so we must be pretty lucky...

Comment 2 (9 years ago)
One more reason to fix finalization semantics.

Updated (9 years ago)
Flags: flashplayer-qrb+
Priority: -- → P3
Target Milestone: --- → flash10.2
Comment 3 (Reporter, 9 years ago)
I'm going to attempt to exploit this; if it can be made to crash, we might think about fixing it sooner than later.

Updated (8 years ago)
Flags: flashplayer-bug+

Updated (8 years ago)
Target Milestone: Q3 11 - Serrano → Q1 12 - Brannan

Updated (8 years ago)
Flags: flashplayer-injection-
Status: NEW → RESOLVED
Last Resolved: 3 days ago
Resolution: --- → WONTFIX