Closed Bug 560213 Opened 11 years ago Closed 11 years ago

[OOPP] heap corruption when scripting a crashed plugin

Categories

(Core :: Plug-ins, defect)

x86
Windows 7
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- .4+
status1.9.2 --- .4-fixed

People

(Reporter: benjamin, Assigned: benjamin)

Details

(Keywords: verified1.9.2)

Attachments

(2 files)

When we try to create a PPluginIdentifier for a dead plugin, we double-delete a PluginIdentifierParent which leads to odd Firefox crashes and heap corruption. This was found as part of bug 559943, and also bug 558647 comment #5.

The bug is in PluginModuleParent::GetIdentifierForNPIdentifier when SendPPluginIdentifierConstructor fails: IPDL owns the actor and will delete it, the calling code shouldn't.
This bug is probably responsible for most of the crashes [@ operator new(unsigned int) | <lots of frames here>] in 3.6.3plugin1.
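The ownership rule the report describes, as an added illustration that is not Mozilla's code: once the actor has been handed to the IPC constructor message, the IPC layer owns it and deletes it on failure, so the caller must not delete it too. The `Channel`, `Actor` and `DeleteActor` names are a constructed stand-in for IPDL; deletions are counted rather than performed so the double delete is observable without corrupting the heap.

```cpp
// Constructed model of the bug: the IPC layer (Channel) takes ownership of
// the actor when SendConstructor is called and deletes it itself if the send
// fails. Destruction is recorded, not performed, so the second "delete" of
// the buggy caller shows up as a count instead of undefined behaviour.
struct Actor {
    int deletions = 0;
};

// Stand-in for `delete actor`.
void DeleteActor(Actor* a) { ++a->deletions; }

struct Channel {
    bool peerAlive;

    // Models SendPPluginIdentifierConstructor: on failure the channel
    // disposes of the actor it now owns and returns false.
    bool SendConstructor(Actor* a) {
        if (!peerAlive) {       // peer process is dead: nothing can be sent
            DeleteActor(a);     // IPC layer deletes the actor
            return false;
        }
        return true;            // success: channel keeps ownership
    }
};

// Buggy caller, the pattern the bug describes: treats a failed send as if
// the actor still belonged to it and deletes it a second time.
bool BuggyGetIdentifier(Channel& ch, Actor* a) {
    if (!ch.SendConstructor(a)) {
        DeleteActor(a);         // double delete -> heap corruption in practice
        return false;
    }
    return true;
}

// Fixed caller: ownership moved to the channel at the send; on failure the
// actor is already gone, so only the failure is reported.
bool FixedGetIdentifier(Channel& ch, Actor* a) {
    if (!ch.SendConstructor(a)) {
        return false;           // do not touch `a` again
    }
    return true;
}
```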
blocking1.9.2: --- → ?
Attached patch: Test
Attachment #439921 - Flags: review?(bent.mozilla)
blocking1.9.2: ? → .4+
Attachment #439921 - Flags: review?(bent.mozilla) → review+
http://hg.mozilla.org/mozilla-central/rev/81d503e824a1
http://hg.mozilla.org/mozilla-central/rev/84921f0eb658
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attachment #439921 - Flags: approval1.9.2.4?
No-risk patch, with tests.
Flags: in-testsuite+
Comment on attachment 439921 (Don't double-delete, rev. 1)

a=LegNeato for 1.9.2.4
Attachment #439921 - Flags: approval1.9.2.4? → approval1.9.2.4+
Is there a repro case for verifying this fix?
Not really. It relied on the hang from bug 559943, which we also fixed. But it does come with an automated test, which I think is sufficient.
All right. Marking it as verified for 1.9.2 since the test is currently passing. :-)
Keywords: verified1.9.2