Bug 141380

Summary:

WebCore Plugin Widget getOwnPropertySlot is not effect free

Product:

WebKit

Reporter:

Saam Barati <saam>

Component:

Plug-ins

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED WONTFIX

Severity:

Normal

CC:

ap, bburg, saam

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
stack trace	none

Description Saam Barati 2015-02-08 21:14:34 PST

Created attachment 246256 [details]
stack trace

Plugin Widget will cause a Document::updateLayout call from an overridden getOwnPropertySlot.

If you look at the various renderWidgetLoadingPlugin() calls, they will update the layout of the document
while JavaScript code is already running. An overridden getOwnPropertySlot will cause a call to renderWidgetLoadingPlugin()
which causes a updateLayoutIgnorePendingStylesheets() call which then causes more JavaScript code to run.

This should not be allowed because it causes getOwnPropertySlot to not be effect-free.

Steps to reproducing:
1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
2. Open the inspector
3. Click on any JavaScript file
4. Make sure the type profiler is enabled by clicking the "T" button in the upper right.
5. Click the "Inspect" button
6. Navigate back to the gyazo page.
7. Reload the page while quickly moving your mouse over the different elements on the page causing the inspector overlay to update.

This may have to be repeated several times, but it will eventually crash.

This bug was found because the JSC's type profiler will process its log when JSC compiles new JS code. The processing
of the log will lead to a getOwnPropertySlot call, which will go down that chain of events described above, which
will lead to another call to compiling JS code, which will lead to another call of processing of the log, which is not intended
to be re-entered recursively and leads to a buffer overflow because the two stack frames are overwriting member variables in
an undesired way. See the attached stack trace.

Comment 1 Saam Barati 2015-02-09 15:20:37 PST

(In reply to comment #0)
> Created attachment 246256 [details]
> stack trace
> 
> Plugin Widget will cause a Document::updateLayout call from an overridden
> getOwnPropertySlot.
> 
> If you look at the various renderWidgetLoadingPlugin() calls, they will
> update the layout of the document
> while JavaScript code is already running. An overridden getOwnPropertySlot
> will cause a call to renderWidgetLoadingPlugin()
> which causes a updateLayoutIgnorePendingStylesheets() call which then causes
> more JavaScript code to run.
> 
> This should not be allowed because it causes getOwnPropertySlot to not be
> effect-free.
> 
> Steps to reproducing:
> 1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
> 2. Open the inspector
> 3. Click on any JavaScript file
> 4. Make sure the type profiler is enabled by clicking the "T" button in the
> upper right.
> 5. Click the "Inspect" button
> 6. Navigate back to the gyazo page.
> 7. Reload the page while quickly moving your mouse over the different
> elements on the page causing the inspector overlay to update.
> 
> This may have to be repeated several times, but it will eventually crash. 

To make this more clear, just step 7 needs to be repeated multiple times to reproduce. After refreshing enough times while hovering the mouse around in "inspect" mode, the crash should reproduce.

Comment 2 Saam Barati 2015-02-10 00:36:33 PST

*** Bug 141366 has been marked as a duplicate of this bug. ***

Comment 3 Alexey Proskuryakov 2022-07-01 11:35:52 PDT

Mass closing plug-in bugs, as plug-in support has been removed from WebKit.

Please comment and/or reopen if this still affects WebKit in some way.