Closed
Bug 552512
Opened 14 years ago
Closed 7 years ago
Windowless plugins can blow up the world during painting
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(blocking2.0 -)
RESOLVED
INCOMPLETE
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: roc, Unassigned)
References
Details
Attachments
(2 files, 1 obsolete file)
7.48 KB,
patch
|
MatsPalmgren_bugz
:
review-
ted
:
feedback-
|
Details | Diff | Splinter Review |
11.17 KB,
patch
|
jaas
:
review+
|
Details | Diff | Splinter Review |
During painting of windowless plugins, we call synchronously into plugin code. Plugins can respond to this by calling NPN_Evaluate to run arbitrary JS in the page. This will often cause us to crash in exciting ways. I don't have any actual examples of pages that do this, but I've heard they exist (via Webkit folks) and I suspect they might explain some of the crashes in painting we've been seeing. Asynchronous painting would solve this, because we would not call into plugin code synchronously while painting, so we would not need to process NPN_Evaluate requests during painting. Another option would be semi-synchronous painting. The idea is that we would paint synchronously but capture the rendered plugin contents into a buffer. In fact I guess we already are doing that with OOPP, since native graphics contexts can't be shared across processes, right? OK, then if during painting something bad happens, like the plugin does an NPN_Evaluate, we simply tell the browser that painting is done and give it the last plugin image buffer to paint. Then in the plugin process, we wait for the browser to asynchronously process the NPN_Evaluate, finish "painting", and tell the browser that now we're really ready to paint. The browser invalidates the plugin area and either we do it all over again or we arrange for the browser to just use the last buffer this time. Maybe asynchronous painting is actually just as easy as semi-synchronous, though.
Reporter | ||
Comment 1•14 years ago
|
||
Actually what would be very helpful as a first step would be to add code to detect NPN_Evaluate during painting and log it with the URL so that it gets recorded in Breakpad if there's a subsequent crash (URL not for the public server of course). Ted, can we do that?
Comment 2•14 years ago
|
||
We can do that, but need socorro changes to make it private which might take a bit. I'll prepare a patch to completely disable npruntime for testing purposes.
Reporter | ||
Comment 3•14 years ago
|
||
As a first step we could just say that there was an NPN_Evaluate during painting. That seems harmless. Where does the breakpad API for this live?
Comment 4•14 years ago
|
||
http://mxr.mozilla.org/mozilla-central/source/xpcom/system/nsICrashReporter.idl#103
Reporter | ||
Comment 5•14 years ago
|
||
Hmm, could I just set the URL field?
Comment 6•14 years ago
|
||
Perhaps, yeah. It would be overwritten by session-restore at the next navigation, but if we're crashing basically immediately in painting the URL would at least be more accurate.
Reporter | ||
Comment 7•14 years ago
|
||
can I call annotateCrashReport to add a key/value pair, or does that require Socorro changes? Also, I realized that because Silverlight likes to call into JS on every paint, asynchronous painting is really the only thing that's going to work with Silverlight if we want to prevent it from calling Evaluate during painting.
Comment 8•14 years ago
|
||
New key/value pairs won't be saved by Socorro without changes. You can use the "URL" key and it will go into the existing field, which is already non-public. (As bsmedberg says, the existing hooks will overwrite it, but that's probably ok.)
Reporter | ||
Comment 9•14 years ago
|
||
Assignee: nobody → roc
Attachment #432700 -
Flags: review?(matspal)
Attachment #432700 -
Flags: feedback?(ted.mielczarek)
Reporter | ||
Comment 10•14 years ago
|
||
Hmm. How hard will it be to get the new field saved by Socorro? Should I use appendAppNotesToCrashReport instead?
Reporter | ||
Comment 11•14 years ago
|
||
This adds an automated test that changes the DOM during plugin painting. We obviously can't check this in until we have a fix for this bug.
Attachment #432701 -
Flags: review?(joshmoz)
Comment 12•14 years ago
|
||
(In reply to comment #10) > Hmm. How hard will it be to get the new field saved by Socorro? Should I use > appendAppNotesToCrashReport instead? It's a bit of a pain, it requires DB schema changes, which are kind of complicated by the partitioning of the DB. If you use appendAppNotes, it will show up in the "Notes" field, but every time you call that it will append the data to whatever data we already have in that field. (So if you call it more than once, you'll get repeated data.)
Reporter | ||
Comment 13•14 years ago
|
||
Yes, repeated data would be bad. I suppose I could use a global variable to ensure that the data is only written once. Should I do that? Is there any chance we can make changes so that adding data like this is easier? Maybe some kind of scratch field that would give us a clue to the cause of a crash that happens "soon"?
Comment 14•14 years ago
|
||
Comment on attachment 432700 [details] [diff] [review] Add DOMChangeDuringPluginPaint annotation to crash reports In nsCSSFrameConstructor.cpp: > nsIXBLService * nsCSSFrameConstructor::gXBLService = nsnull; > +PRUint32 nsCSSFrameConstructor::gDOMGeneration = 0; FYI, static members have "static storage duration" and are zero-intialized before any intializer runs, and thus the above initializers are redundant. In nsObjectFrame.cpp: > +#include "nsICrashReporter.h" Wrap this include with #ifdef MOZ_CRASHREPORTER > +#ifdef MOZ_CRASHREPORTER > + if (mDOMGeneration != nsCSSFrameConstructor::GetDOMGeneration()) Would it be useful to have an assertion for that? (also when MOZ_CRASHREPORTER is undefined) > nsObjectFrame::PaintPlugin(... > { > + AutoDOMChangeObserver observer(this); Running this destructor on exit from PaintPlugin will make this code more crash prone, is that your intention? (specifically accessing 'mFrame' which might be destroyed) If so, I think we need to do it differently since what you have looks like an unsafe crash.
Attachment #432700 -
Flags: review?(matspal) → review-
Reporter | ||
Comment 15•14 years ago
|
||
(In reply to comment #14) > (From update of attachment 432700 [details] [diff] [review]) > In nsCSSFrameConstructor.cpp: > > nsIXBLService * nsCSSFrameConstructor::gXBLService = nsnull; > > +PRUint32 nsCSSFrameConstructor::gDOMGeneration = 0; > > FYI, static members have "static storage duration" and are > zero-intialized before any intializer runs, and thus the > above initializers are redundant. Yes, but I think it's easier to read that way. > In nsObjectFrame.cpp: > > +#include "nsICrashReporter.h" > > Wrap this include with #ifdef MOZ_CRASHREPORTER OK > > +#ifdef MOZ_CRASHREPORTER > > + if (mDOMGeneration != nsCSSFrameConstructor::GetDOMGeneration()) > > Would it be useful to have an assertion for that? > (also when MOZ_CRASHREPORTER is undefined) Yes, I suppose so. > > nsObjectFrame::PaintPlugin(... > > { > > + AutoDOMChangeObserver observer(this); > > Running this destructor on exit from PaintPlugin will make this code > more crash prone, is that your intention? > (specifically accessing 'mFrame' which might be destroyed) > > If so, I think we need to do it differently since what you have > looks like an unsafe crash. Good catch. I think I'll stuff the URI in an nsCOMPtr in the constructor.
Comment 16•14 years ago
|
||
(In reply to comment #13) > Is there any chance we can make changes so that adding data like this is > easier? Maybe some kind of scratch field that would give us a clue to the cause > of a crash that happens "soon"? I'm open to suggestions, what would you like? We could have an auto stack class that annotates a value, and removes it from the destructor. Would that work?
Reporter | ||
Comment 17•14 years ago
|
||
That wouldn't work here since the crash will occur "later" when the relevant stuff is not on the stack. What I'm thinking of is some kind of "Danger" field. When something really bad happens, we just store a note in the Danger field. If that's the last really bad thing to happen before the crash, then we'll know and be able to study those correlations.
Comment 18•14 years ago
|
||
Seems like that doesn't do you much good unless you have more than one dangerous place. Even then, you'd wind up with plenty of crashes that went through a dangerous area and crashed in some other way, but with the "Danger" annotation. My only other suggestion would be to annotate your "Danger" field + a timestamp, and then during processing we could subtract the time of the crash, so you would get "number of seconds since we added the Danger annotation".
Updated•14 years ago
|
Attachment #432700 -
Flags: feedback?(ted.mielczarek) → feedback-
Comment 19•14 years ago
|
||
Comment on attachment 432700 [details] [diff] [review] Add DOMChangeDuringPluginPaint annotation to crash reports I don't think we want the DOMChangeDuringPluginPaint annotation as discussed above. The URL annotation seems fine, it's certainly not going to make things worse.
Reporter | ||
Comment 20•14 years ago
|
||
(In reply to comment #18) > Seems like that doesn't do you much good unless you have more than one > dangerous place. Yes, the idea is to provide a field that's an extension point since Socorro is apparently hard to extend. I think this could be generally useful, there are lots of places (many of the places we have assertions, for example!) where such a note could be a useful guide. > My only other suggestion would be to annotate your "Danger" field + a > timestamp, and then during processing we could subtract the time of the crash, > so you would get "number of seconds since we added the Danger annotation". That would work. > The URL annotation seems fine, it's certainly not going to make things worse. Yeah, but the note about DOM change during paint is what I really want here. If I produce a patch that uses the Danger field plus a timestamp, will that be OK?
Comment 21•14 years ago
|
||
Comment on attachment 432701 [details] [diff] [review] test Are you sure you want your test to modify the DOM after the paint? Might it be more evil to do it right before actually painting?
Reporter | ||
Comment 22•14 years ago
|
||
The paintscript script is run *during* painting. That's maximally evil.
Reporter | ||
Comment 23•14 years ago
|
||
OK, I see what you mean now thanks to IRC discussion. Yes, we should move the notifyPaint calls to before the actual platform painting code in the test plugin.
Attachment #432701 -
Flags: review?(joshmoz)
Reporter | ||
Comment 24•14 years ago
|
||
With that change
Attachment #432701 -
Attachment is obsolete: true
Attachment #433380 -
Flags: review?(joshmoz)
Attachment #433380 -
Flags: review?(joshmoz) → review+
Comment 27•14 years ago
|
||
sounds like this is the fix for #2 top crash on 4.0b4. nominating
blocking2.0: --- → ?
Comment 28•14 years ago
|
||
the #2-3 crash in 4.0b4 has the signature: nsIFrame::GetOffsetToCrossDoc(nsIFrame const*) and is tracked in Bug 588591 http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2010-09-01%2008%3A00%3A00&signature=nsIFrame%3A%3AGetOffsetToCrossDoc%28nsIFrame%20const*%29&version=Firefox%3A4.0b4 That's slightly different than the signature/stack for the #2-3 top crashe we have been seeing in 3.6.x nsIFrame::GetOffsetTo(nsIFrame const*) http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2010-09-01%2008%3A00%3A00&signature=nsIFrame%3A%3AGetOffsetTo%28nsIFrame%20const*%29&version=Firefox%3A3.6.9 same bug with code paths changed around in 4.0bx, or is this regression?
Comment 30•14 years ago
|
||
#5 top crash in b5 Bug 593301 - Crash [@ nsPluginInstanceOwner::Paint(tagRECT const&, HDC__*) ] is this planned to land on b6? needs to be blocking final or before.
Reporter | ||
Comment 31•14 years ago
|
||
No, async plugin painting will not land for Windows for beta6.
Comment 32•14 years ago
|
||
Blocking, but last I heard bsmedberg was working on this, should this be reassigned, or is the ongoing work being tracked elsewhere (should this be duped)?
blocking2.0: ? → betaN+
Reporter | ||
Comment 33•14 years ago
|
||
Bugs 596451 and 598425 track the work to make OOP windowless plugin painting asynchronous on Windows and Mac respectively. Some extra work would be required to make in-process windowless plugin painting asynchronous.
Assignee: nobody → nobody
Comment 34•14 years ago
|
||
Not a regression, but better on Windows with async, and will be better on mac soon.
blocking2.0: betaN+ → -
Comment 35•7 years ago
|
||
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•