Bug 141380 - WebCore Plugin Widget getOwnPropertySlot is not effect free
Summary: WebCore Plugin Widget getOwnPropertySlot is not effect free
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Duplicates: 141366
Depends on:
Blocks:
 
Reported: 2015-02-08 21:14 PST by Saam Barati
Modified: 2015-08-04 09:41 PDT

See Also:


Attachments
stack trace (75.06 KB, text/plain)
2015-02-08 21:14 PST, Saam Barati

Description Saam Barati 2015-02-08 21:14:34 PST
Created attachment 246256 [details]
stack trace

Plugin Widget will cause a Document::updateLayout call from an overridden getOwnPropertySlot.

If you look at the various renderWidgetLoadingPlugin() calls, they will update the layout of the document
while JavaScript code is already running. An overridden getOwnPropertySlot will cause a call to renderWidgetLoadingPlugin(),
which causes an updateLayoutIgnorePendingStylesheets() call, which then causes more JavaScript code to run.

This should not be allowed because it causes getOwnPropertySlot to not be effect-free.

Steps to reproduce:
1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
2. Open the inspector
3. Click on any JavaScript file
4. Make sure the type profiler is enabled by clicking the "T" button in the upper right.
5. Click the "Inspect" button
6. Navigate back to the gyazo page.
7. Reload the page while quickly moving your mouse over the different elements on the page causing the inspector overlay to update.

This may have to be repeated several times, but it will eventually crash.

This bug was found because JSC's type profiler will process its log when JSC compiles new JS code. The processing
of the log will lead to a getOwnPropertySlot call, which will go down the chain of events described above, which
will lead to another call to compile JS code, which will lead to another call to process the log. That processing is not intended
to be re-entered recursively and leads to a buffer overflow because the two stack frames are overwriting member variables in
an undesired way. See the attached stack trace.
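To make the re-entrancy failure mode described above concrete, here is an added example (not WebKit or JSC code; the names LogProcessor, consume, processUnguarded, processGuarded and runScenario are hypothetical). It models a log buffer that is walked and then reset, with a per-entry hook standing in for the chain getOwnPropertySlot -> renderWidgetLoadingPlugin -> updateLayoutIgnorePendingStylesheets -> more JavaScript -> JSC compiles -> the log is processed again. The unguarded walk caches the buffer size, so when the nested call resets the buffer the outer frame keeps reading past the end; the guarded walk records the nested request and skips it. The bounds check in consume() turns what would be a real out-of-bounds read into a counter.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Hypothetical model of a log that must not be processed re-entrantly.
struct LogProcessor {
    std::vector<int> entries;            // the log buffer, reset after each walk
    bool processing = false;             // re-entrancy flag (used by the guarded path only)
    int processedCount = 0;
    int outOfRangeReads = 0;             // would be a memory-safety bug without the check below
    int deferredRequests = 0;            // nested requests skipped by the guard
    std::function<void(LogProcessor&, size_t)> onEntry; // per-entry hook; may re-enter

    // Read one entry, then run the hook. A real implementation would index the
    // buffer without this check; here the check makes the bug observable.
    void consume(size_t i) {
        if (i >= entries.size()) { ++outOfRangeReads; return; }
        ++processedCount;
        if (onEntry) onEntry(*this, i);
    }

    // Unguarded: caches the size, walks the buffer, resets it. A nested call
    // resets the buffer while the outer frame still trusts its cached size.
    void processUnguarded() {
        const size_t count = entries.size();
        for (size_t i = 0; i < count; ++i) consume(i);
        entries.clear();
    }

    // Guarded: a nested request is counted and dropped, so only the outermost
    // activation touches the buffer and its cached size stays valid.
    void processGuarded() {
        if (processing) { ++deferredRequests; return; }
        processing = true;
        const size_t count = entries.size();
        for (size_t i = 0; i < count; ++i) consume(i);
        entries.clear();
        processing = false;
    }
};

struct ScenarioResult { int processed; int outOfRange; int deferred; };

// One scenario: five entries and a hook that re-enters exactly once, on the
// second entry (the point where the non-effect-free property lookup happens).
ScenarioResult runScenario(bool guarded) {
    LogProcessor log;
    log.entries = {10, 20, 30, 40, 50};  // constructed sample log contents
    bool reentered = false;
    log.onEntry = [&](LogProcessor& self, size_t i) {
        if (i == 1 && !reentered) {
            reentered = true;
            if (guarded) self.processGuarded(); else self.processUnguarded();
        }
    };
    if (guarded) log.processGuarded(); else log.processUnguarded();
    return {log.processedCount, log.outOfRangeReads, log.deferredRequests};
}

int main() {
    ScenarioResult u = runScenario(false);
    ScenarioResult g = runScenario(true);
    std::printf("unguarded: processed=%d outOfRange=%d deferred=%d\n", u.processed, u.outOfRange, u.deferred);
    std::printf("guarded:   processed=%d outOfRange=%d deferred=%d\n", g.processed, g.outOfRange, g.deferred);
    return 0;
}
```

The flag in processGuarded() is cleared by hand; in code that can throw or early-return, set and reset it with an RAII scope guard so an exit on any path cannot leave the flag stuck and silently drop every later request. The deeper fix the report asks for is at the other end: property lookup must not run layout in the first place.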
Comment 1 Saam Barati 2015-02-09 15:20:37 PST
(In reply to comment #0)
> Created attachment 246256 [details]
> stack trace
> 
> Plugin Widget will cause a Document::updateLayout call from an overridden
> getOwnPropertySlot.
> 
> If you look at the various renderWidgetLoadingPlugin() calls, they will
> update the layout of the document
> while JavaScript code is already running. An overridden getOwnPropertySlot
> will cause a call to renderWidgetLoadingPlugin(),
> which causes an updateLayoutIgnorePendingStylesheets() call, which then causes
> more JavaScript code to run.
> 
> This should not be allowed because it causes getOwnPropertySlot to not be
> effect-free.
> 
> Steps to reproduce:
> 1. Open http://gyazo.com/2bd3371d850484fe739b75b2ce8528b2
> 2. Open the inspector
> 3. Click on any JavaScript file
> 4. Make sure the type profiler is enabled by clicking the "T" button in the
> upper right.
> 5. Click the "Inspect" button
> 6. Navigate back to the gyazo page.
> 7. Reload the page while quickly moving your mouse over the different
> elements on the page causing the inspector overlay to update.
> 
> This may have to be repeated several times, but it will eventually crash. 

To make this more clear, just step 7 needs to be repeated multiple times to reproduce. After refreshing enough times while hovering the mouse around in "inspect" mode, the crash should reproduce.
Comment 2 Saam Barati 2015-02-10 00:36:33 PST
*** Bug 141366 has been marked as a duplicate of this bug. ***