Closed Bug 674223 Opened 13 years ago Closed 13 years ago

"ASSERTION: pluginInstanceOwner already registered as a listener" and crash

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox6- wontfix)

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox6 - wontfix

People

(Reporter: jruderman, Assigned: jaas)

References

Details

(4 keywords, Whiteboard: [sg:critical])

Crash Data

Attachments

(2 files)

testcase (eventually causes a crash)
389 bytes, text/html
Details
stack traces
17.96 KB, text/plain
Details 
(Mac OS X 10.6.8, "QuickTime Plug-in 7.6.6".)

1. Apply the patch in bug 90268.
2. Make a 32-bit debug build (so QuickTime will work).
3. Load the testcase.

Result: ###!!! ASSERTION: pluginInstanceOwner already registered as a listener: '!sCARefreshListeners->Contains(aPluginInstance)', file dom/plugins/base/nsPluginInstanceOwner.cpp, line 1408

4. Quit the browser.

Result: Exploitable-looking crash [@ @0x55555555 | nsTimerImpl::Fire]
Attached file stack traces 

    
    

    
  
Too late for 6, I think, but tracking for newer releases.

Josh, this sounds very related to what you're already working on, plugin ownership stuff that is. Can you have a look? Maybe you've already fixed this in your branch...?
Assignee: nobody → joshmoz

          status-firefox6:
          --- → wontfix

          status-firefox7:
          --- → affected

          status-firefox8:
          --- → affected

          tracking-firefox6:
          --- → -

          tracking-firefox7:
          --- → +

          tracking-firefox8:
          --- → +

    
    

    
  
Jesse's report makes it look like this only happens with my patch for bug 90268 applied. I've made a lot of changes to the patch since July 26th, when this was filed, and I can no longer reproduce.

Jesse - if you're able to repro again please re-open this. Thanks!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME

    
  
Group: core-security → core-security-release
Group: core-security-release

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.