[Webkit-unassigned] [Bug 141380] New: WebCore Plugin Widget getOwnPropertySlot is not effect free
bugzilla-daemon at webkit.org
Sun Feb 8 21:14:34 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=141380
Bug ID: 141380
Summary: WebCore Plugin Widget getOwnPropertySlot is not effect free
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Plug-ins
Assignee: webkit-unassigned at lists.webkit.org
Reporter: saambarati1 at gmail.com
CC: saambarati1 at gmail.com
Created attachment 246256
--> https://bugs.webkit.org/attachment.cgi?id=246256&action=review
stack trace
Plugin Widget will cause a Document::updateLayout call from an overridden getOwnPropertySlot.
If you look at the various renderWidgetLoadingPlugin() calls, they will update the layout of the document
while JavaScript code is already running. An overridden getOwnPropertySlot will cause a call to renderWidgetLoadingPlugin(),
which causes an updateLayoutIgnorePendingStylesheets() call, which then causes more JavaScript code to run.
This should not be allowed because it causes getOwnPropertySlot to not be effect-free.
Steps to reproduce:
1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
2. Open the inspector
3. Click on any JavaScript file
4. Make sure the type profiler is enabled by clicking the "T" button in the upper right.
5. Click the "Inspect" button
6. Navigate back to the gyazo page.
7. Reload the page while quickly moving your mouse over the different elements on the page causing the inspector overlay to update.
This may have to be repeated several times, but it will eventually crash.
This bug was found because JSC's type profiler will process its log when JSC compiles new JS code. The processing
of the log will lead to a getOwnPropertySlot call, which will go down the chain of events described above, which
will lead to another call to compile JS code, which will lead to another call to process the log, which is not intended
to be re-entered recursively and leads to a buffer overflow because the two stack frames are overwriting member variables in
an undesired way. See the attached stack trace.
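The re-entrancy the report describes, as an added example constructed for this page (not WebKit code; LogProcessor, processLog and runScenario are hypothetical names): draining a log runs a callback that re-enters the processor, so the shared cursor is clobbered and an entry is consumed twice, while a simple in-progress guard turns the nested call into a no-op.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// Constructed model of a non-reentrant log processor (hypothetical names, not WebKit's code).
// `cursor` is a member, like the state the report says two stack frames ended up overwriting.
struct LogProcessor {
    std::vector<int> log;             // pending entries recorded by the "profiler"
    std::vector<int> processed;       // entries consumed so far
    std::function<void()> onEntry;    // work per entry; may run arbitrary code
    size_t cursor = 0;                // loop position shared by every activation
    bool processing = false;          // set while a processLog() call is active
    bool guarded = false;             // whether re-entry is refused
    int blockedReentries = 0;         // how many nested calls the guard turned away

    void processLog() {
        if (processing && guarded) { ++blockedReentries; return; }
        processing = true;
        for (cursor = 0; cursor < log.size(); ++cursor) {
            processed.push_back(log[cursor]);
            if (onEntry) onEntry();      // unguarded: may re-enter and reset `cursor`
        }
        log.clear();
        processing = false;
    }
};

// Replays the chain from the report: handling an entry "compiles JS", and the first
// such compile re-enters processLog() (standing in for the getOwnPropertySlot ->
// updateLayout -> JS path). Returns the processed entries; `blocked` reports guard hits.
std::vector<int> runScenario(bool guarded, int& blocked) {
    LogProcessor p;
    p.guarded = guarded;
    p.log = {1, 2, 3};                // constructed sample entries
    bool fired = false;
    p.onEntry = [&]() {
        if (fired) return;            // only the first entry triggers the re-entrant call
        fired = true;
        p.processLog();
    };
    p.processLog();
    blocked = p.blockedReentries;
    return p.processed;               // unguarded: {1, 1, 2, 3}; guarded: {1, 2, 3}
}
```

The unguarded run shows entry 1 consumed twice because the nested activation reset `cursor` and drained the log under the outer loop's feet; the guarded run processes each entry once and records that one re-entry was refused.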