Closed Bug 841916 Opened 12 years ago Closed 12 years ago

ABORT: IPDL error [PPluginScriptableObjectChild]: "Error deserializing 'Variant'"

Categories

(Core Graveyard :: Plug-ins, defect, P2)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86_64
macOS
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: gfritzsche)

References

Details

(Keywords: assertion, sec-moderate, testcase)

Attachments

(3 files)

testcase (takes about a minute)
474 bytes, text/html
Details
stack
5.04 KB, text/plain
Details
extra-evil testcase (takes about a minute)
692 bytes, text/html
Details
###!!! ABORT: IPDL error [PPluginScriptableObjectChild]: "Error deserializing 'Variant'". abort()ing as a result.: file PPluginScriptableObjectChild.cpp, line 1252 ###!!! ASSERTION: Cannot call AnnotateCrashReport in child processes from non-main thread.: 'Error', file toolkit/crashreporter/nsExceptionHandler.cpp, line 1490 I have the "Java Plugin" shim that comes with Mac OS X 10.8, but not Java. So the plugin is just trying to draw a "Missing Java" thing, repeatedly.
Attached file stack
Probably the same as bug 839750, but this has a testcase.
Blocks: 839750
(In reply to Jesse Ruderman from comment #0) > Created attachment 714597 [details] > testcase (takes about a minute) Did you use any specific build config? It's been running here for >15 minutes without incidents, so there must be timing or functional differences.
QA Contact: georg.fritzsche
Assignee: nobody → georg.fritzsche
QA Contact: georg.fritzsche
I can reproduce with this one in a non-optimized, local debug build.
Priority: -- → P2
Weird, with both opt & non-opt debug build i'm only sometimes/intermittently hitting bug 841914: ###!!! [Parent][AsyncChannel] Error: Route error: message sent to unknown actor ID ###!!! [Parent][RPCChannel] Error: Route error: message sent to unknown actor ID ###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file /Users/georg/moz/mozilla-central-2/dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63
Ok, i actually hit this once now on the non-opt debug build, but it's far from reproducible for me :(
If you want to fix bug 841914 first, that's ok with me :)
Georg, can you suggest a security rating here?
(In reply to Al Billings [:abillings] from comment #9) > Georg, can you suggest a security rating here? Going over the severity rating description in the wiki i'd think sec-low to sec-moderate: Apparently a Java bug leading to a bad state in the plugin-container which should be rather hard to use in a controlled exploit. But i am familiar with the security approaches here, so please take that with a grain of salt.
I will call it a "sec-moderate" as it doesn't seem like a low but I could be wrong.
Keywords: sec-moderate
(In reply to Georg Fritzsche [:gfritzsche] from comment #7) > Ok, i actually hit this once now on the non-opt debug build, but it's far > from reproducible for me :( This is weird: While the testcase still reproduces "often", it sometimes switches to the assertion from bug 841914 for multiple consecutive runs. Trying to add tracing seems to change the timing too much and it doesn't reproduce anymore. There is a new trace on bug 845735 though which reproduces intermittently on try; maybe this helps out here too.
Blocks: 849613
Jesse, as i understood it you were triggering this and bug 841914 consistently. Would you mind re-checking if they still occur with bug 831768 having landed?
WFM. (I let each testcase run for a few minutes, using a Tinderbox build built from 126563fd3ba1.)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
(In reply to Jesse Ruderman from comment #14) > WFM. Cool, thanks Jesse :)
Depends on: 831768
No longer blocks: 839750
Group: core-security → core-security-release
Group: core-security-release
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: