Bug 141380

Summary: WebCore Plugin Widget getOwnPropertySlot is not effect free
Product: WebKit Reporter: Saam Barati <saam>
Component: Plug-insAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: ap, bburg, saam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
stack trace none

Saam Barati
Reported 2015-02-08 21:14:34 PST
Created attachment 246256 [details] stack trace Plugin Widget will cause a Document::updateLayout call from an overridden getOwnPropertySlot. If you look at the various renderWidgetLoadingPlugin() calls, they will update the layout of the document while JavaScript code is already running. An overridden getOwnPropertySlot will cause a call to renderWidgetLoadingPlugin() which causes a updateLayoutIgnorePendingStylesheets() call which then causes more JavaScript code to run. This should not be allowed because it causes getOwnPropertySlot to not be effect-free. Steps to reproducing: 1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2 2. Open the inspector 3. Click on any JavaScript file 4. Make sure the type profiler is enabled by clicking the "T" button in the upper right. 5. Click the "Inspect" button 6. Navigate back to the gyazo page. 7. Reload the page while quickly moving your mouse over the different elements on the page causing the inspector overlay to update. This may have to be repeated several times, but it will eventually crash. This bug was found because the JSC's type profiler will process its log when JSC compiles new JS code. The processing of the log will lead to a getOwnPropertySlot call, which will go down that chain of events described above, which will lead to another call to compiling JS code, which will lead to another call of processing of the log, which is not intended to be re-entered recursively and leads to a buffer overflow because the two stack frames are overwriting member variables in an undesired way. See the attached stack trace.
Attachments
stack trace (75.06 KB, text/plain)
2015-02-08 21:14 PST, Saam Barati 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2015-02-09 15:20:37 PST
(In reply to comment #0) > Created attachment 246256 [details] > stack trace > > Plugin Widget will cause a Document::updateLayout call from an overridden > getOwnPropertySlot. > > If you look at the various renderWidgetLoadingPlugin() calls, they will > update the layout of the document > while JavaScript code is already running. An overridden getOwnPropertySlot > will cause a call to renderWidgetLoadingPlugin() > which causes a updateLayoutIgnorePendingStylesheets() call which then causes > more JavaScript code to run. > > This should not be allowed because it causes getOwnPropertySlot to not be > effect-free. > > Steps to reproducing: > 1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2 > 2. Open the inspector > 3. Click on any JavaScript file > 4. Make sure the type profiler is enabled by clicking the "T" button in the > upper right. > 5. Click the "Inspect" button > 6. Navigate back to the gyazo page. > 7. Reload the page while quickly moving your mouse over the different > elements on the page causing the inspector overlay to update. > > This may have to be repeated several times, but it will eventually crash. To make this more clear, just step 7 needs to be repeated multiple times to reproduce. After refreshing enough times while hovering the mouse around in "inspect" mode, the crash should reproduce.
Saam Barati
Comment 2 2015-02-10 00:36:33 PST
*** Bug 141366 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 3 2022-07-01 11:35:52 PDT
Mass closing plug-in bugs, as plug-in support has been removed from WebKit. Please comment and/or reopen if this still affects WebKit in some way.
Note You need to log in before you can comment on or make changes to this bug.