Closed Bug 560213 Opened 11 years ago Closed 11 years ago
[OOPP] heap corruption when scripting a crashed plugin
When we try to create a PPluginIdentifier for a dead plugin, we double-delete a PluginIdentifierParent which leads to odd Firefox crashes and heap corruption. This was found as part of bug 559943, and also bug 558647 comment #5. The bug is in PluginModuleParent::GetIdentifierForNPIdentifier when SendPPluginIdentifierConstructor fails: IPDL owns the actor and will delete it, the calling code shouldn't.
This bug is probably responsible for most of the crashes [@ operator new(unsigned int) | <lots of frames here>] in 3.6.3plugin1.
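The ownership rule the report describes, as an added C++ model that is not Mozilla's code: the class and method names mirror the report, but the bodies are hypothetical stand-ins for the IPDL-generated code, and a destructor counter stands in for the heap corruption a real double delete would cause.

```cpp
// Added model of the ownership rule from bug 560213 (not Mozilla's code; class names
// mirror the report, bodies are hypothetical stand-ins for the IPDL-generated code).
#include <vector>

struct PluginIdentifierParent {
    static int sDestroyed;                 // destructor counter: 2 here would mean a double delete
    ~PluginIdentifierParent() { ++sDestroyed; }
};
int PluginIdentifierParent::sDestroyed = 0;

struct PluginModuleParent {
    bool mPluginAlive = true;
    std::vector<PluginIdentifierParent*> mIdentifiers;   // actors IPDL keeps alive for us
    ~PluginModuleParent() { for (auto* a : mIdentifiers) delete a; }

    // Stand-in for the IPDL-generated constructor send: once the actor is handed
    // over, IPDL owns it, and on failure (plugin gone) IPDL deletes it itself.
    bool SendPPluginIdentifierConstructor(PluginIdentifierParent* actor) {
        if (!mPluginAlive) { delete actor; return false; }
        mIdentifiers.push_back(actor);
        return true;
    }

    // Fixed GetIdentifierForNPIdentifier: on failure just report it. The buggy
    // version also ran `delete actor;` in the failure branch, freeing memory that
    // SendPPluginIdentifierConstructor had already released: a double delete.
    PluginIdentifierParent* GetIdentifierForNPIdentifier() {
        PluginIdentifierParent* actor = new PluginIdentifierParent();
        if (!SendPPluginIdentifierConstructor(actor)) {
            return nullptr;    // no delete here: IPDL already did it
        }
        return actor;
    }
};

// Scripting a crashed plugin: the actor must be destroyed exactly once.
int DestructionsWhenPluginDead() {
    PluginIdentifierParent::sDestroyed = 0;
    PluginModuleParent module;
    module.mPluginAlive = false;
    PluginIdentifierParent* id = module.GetIdentifierForNPIdentifier();
    return id == nullptr ? PluginIdentifierParent::sDestroyed : -1;
}

// Live plugin: the actor survives until the module tears it down.
int DestructionsWhilePluginAlive() {
    PluginIdentifierParent::sDestroyed = 0;
    PluginModuleParent module;
    if (module.GetIdentifierForNPIdentifier() == nullptr) return -1;
    return PluginIdentifierParent::sDestroyed;   // still 0: actor owned by module
}
```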
blocking1.9.2: --- → ?
Attachment #439921 - Flags: review?(bent.mozilla) → review+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
No-risk patch, with tests.
Comment on attachment 439921 [details] [diff] [review] Don't double-delete, rev. 1 a=LegNeato for 18.104.22.168
Attachment #439921 - Flags: approval22.214.171.124? → approval126.96.36.199+
Is there a repro case for verifying this fix?
Not really. It relied on the hang from bug 559943, which we also fixed. But it does come with an automated test, which I think is sufficient.
All right. Marking it as verified for 1.9.2 since the test is currently passing. :-)