Closed Bug 674223 Opened 10 years ago Closed 10 years ago

"ASSERTION: pluginInstanceOwner already registered as a listener" and crash

Categories

(Core :: Plug-ins, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox6 - wontfix

People

(Reporter: jruderman, Assigned: jaas)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [sg:critical])

Crash Data

Attachments

(2 files)

(Mac OS X 10.6.8, "QuickTime Plug-in 7.6.6".)

1. Apply the patch in bug 90268.
2. Make a 32-bit debug build (so QuickTime will work).
3. Load the testcase.

Result: ###!!! ASSERTION: pluginInstanceOwner already registered as a listener: '!sCARefreshListeners->Contains(aPluginInstance)', file dom/plugins/base/nsPluginInstanceOwner.cpp, line 1408

4. Quit the browser.

Result: Exploitable-looking crash [@ @0x55555555 | nsTimerImpl::Fire]
Attached file stack traces
Too late for 6, I think, but tracking for newer releases.

Josh, this sounds very related to what you're already working on, plugin ownership stuff that is. Can you have a look? Maybe you've already fixed this in your branch...?
Assignee: nobody → joshmoz
Jesse's report makes it look like this only happens with my patch for bug 90268 applied. I've made a lot of changes to the patch since July 26th, when this was filed, and I can no longer reproduce.

Jesse - if you're able to repro again please re-open this. Thanks!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.