[Webkit-unassigned] [Bug 141380] New: WebCore Plugin Widget getOwnPropertySlot is not effect free

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Feb 8 21:14:34 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=141380

            Bug ID: 141380
           Summary: WebCore Plugin Widget getOwnPropertySlot is not effect
                    free
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Plug-ins
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: saambarati1 at gmail.com
                CC: saambarati1 at gmail.com

Created attachment 246256
  --> https://bugs.webkit.org/attachment.cgi?id=246256&action=review
stack trace

Plugin Widget will cause a Document::updateLayout call from an overridden getOwnPropertySlot.

If you look at the various renderWidgetLoadingPlugin() calls, they will update the layout of the document
while JavaScript code is already running. An overridden getOwnPropertySlot will cause a call to renderWidgetLoadingPlugin(),
which causes an updateLayoutIgnorePendingStylesheets() call, which then causes more JavaScript code to run.

This should not be allowed because it causes getOwnPropertySlot to not be effect-free.

Steps to reproduce:
1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
2. Open the inspector
3. Click on any JavaScript file
4. Make sure the type profiler is enabled by clicking the "T" button in the upper right.
5. Click the "Inspect" button
6. Navigate back to the gyazo page.
7. Reload the page while quickly moving your mouse over the different elements on the page causing the inspector overlay to update.

This may have to be repeated several times, but it will eventually crash.

This bug was found because JSC's type profiler will process its log when JSC compiles new JS code. The processing
of the log will lead to a getOwnPropertySlot call, which will go down the chain of events described above, which
will lead to another call to compile JS code, which will lead to another call to process the log, which is not intended
to be re-entered recursively and leads to a buffer overflow because the two stack frames are overwriting member variables in
an undesired way. See the attached stack trace.
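The re-entrancy the report describes, modelled as an added example. This is not code from the report or from WebKit; the PluginWidget and TypeProfiler classes, the onLayout callback, and the effectFreeLookup and reentrancyGuard options are constructed stand-ins. The "buggy" run shows the log consumer being re-entered from inside a property lookup and then reading past the end of its (now emptied) buffer, which is the C++ out-of-bounds read in JavaScript clothing; the two other runs show the two places the chain can be broken, either by refusing to re-enter the processor or by making the lookup effect-free as the report asks. Neither is presented as WebKit's actual fix.

```javascript
"use strict";

// Constructed model (not WebKit code) of the chain in the report:
// a property lookup that is not effect-free because it forces layout and
// runs script, and a log consumer (the type profiler) that keeps its read
// position in a member variable and is not safe to re-enter.

// Stand-in for a plugin element. With effectFree=false its property lookup
// behaves like the overridden getOwnPropertySlot in the report: the first
// lookup calls renderWidgetLoadingPlugin() -> updateLayout..., modelled here
// by the onLayout callback, which runs arbitrary JS.
class PluginWidget {
  constructor(onLayout, effectFree) {
    this.onLayout = onLayout;
    this.effectFree = effectFree;
    this.loaded = false;
  }
  getOwnPropertySlot(name) {
    if (!this.effectFree && !this.loaded) {
      this.loaded = true;   // the plugin loads at most once, so the recursion is bounded
      this.onLayout();      // side effect: layout flush, script runs
    }
    return name === "id" ? "plugin-1" : undefined;
  }
}

// Stand-in for the type profiler's log and its processing routine.
class TypeProfiler {
  constructor(reentrancyGuard) {
    this.reentrancyGuard = reentrancyGuard;
    this.log = [];
    this.cursor = 0;          // member-variable cursor, as in the C++ code
    this.inProgress = false;
    this.seenTypes = [];
    this.oobReads = 0;        // reads past the end of the log buffer
    this.reentered = false;
  }
  record(value) { this.log.push(value); }
  processLog() {
    if (this.inProgress) {
      if (this.reentrancyGuard) return;    // mitigation: refuse to re-enter
      this.reentered = true;               // otherwise carry on, as the buggy code does
    }
    this.inProgress = true;
    const end = this.log.length;           // cached, like an end pointer into the buffer
    for (this.cursor = 0; this.cursor < end; this.cursor++) {
      if (this.cursor >= this.log.length) { // an inner call emptied the buffer under us
        this.oobReads++;                    // in C++ this is an out-of-bounds read
        continue;
      }
      const value = this.log[this.cursor];
      // Describing a value means looking at its properties; for the widget
      // that goes through the non-effect-free getOwnPropertySlot.
      const type = value instanceof PluginWidget
        ? value.getOwnPropertySlot("id")
        : typeof value;
      this.seenTypes.push(String(type));
    }
    this.log.length = 0;                   // buffer consumed
    this.cursor = 0;
    this.inProgress = false;
  }
}

// Runs one scenario on a constructed log and returns what happened.
function runScenario({ effectFreeLookup = false, reentrancyGuard = false } = {}) {
  const profiler = new TypeProfiler(reentrancyGuard);
  // Layout-triggered script: JSC compiles it, which records a value and,
  // because compilation processes the log, re-enters processLog() from
  // inside the property lookup.
  const widget = new PluginWidget(() => {
    profiler.record(42);
    profiler.processLog();
  }, effectFreeLookup);
  profiler.record("hello");
  profiler.record(widget);
  profiler.record(true);
  profiler.processLog();
  return {
    reentered: profiler.reentered,
    oobReads: profiler.oobReads,
    seenTypes: profiler.seenTypes,
  };
}

console.log("buggy:      ", runScenario());
console.log("guarded:    ", runScenario({ reentrancyGuard: true }));
console.log("effect-free:", runScenario({ effectFreeLookup: true }));
```

In the buggy run the inner processLog() walks the whole log, clears it and resets the shared cursor, so the outer loop both double-counts the entries it had already seen and then indexes past the end of the emptied buffer. The guard stops the recursion on the consumer side; the effect-free lookup removes the cause, which is the point the report makes about getOwnPropertySlot.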
