[Bug 724587] [NEW] [Patch included] nspluginwrapper has a race condition on NPP_Destroy and may crash Flash

Launchpad Bug Tracker 724587 at bugs.launchpad.net
Tue Mar 29 18:38:44 UTC 2011 

You have been subscribed to a public bug by Anders Kaseorg (anders-kaseorg):

Binary package hint: nspluginwrapper

nspluginwrapper has a race condition during NPP_Destroy (called when a
tab is closed) that can crash the plugin. The race happens particularly
often when another tab has a video playing; I suspect this is because it
causes enough traffic over the IPC to delay the processes and trigger
the race.

If NPP_Destroy is called by the wrapper process at the same time the
viewer (plugin) process makes some call, then, from the plugin's
perspective, its call to NPN_InvalidateRect resulted in the plugin
instance being destroyed from under its feet. This is, of course,
nonsense, so Flash shortly crashes to let us know how silly we are
being. :-)

I've written patches for this issue here
https://github.com/davidben/nspluginwrapper/commits/master

Only the second of the two patches is strictly relevant; the other is a
separate race I came across in a previous iteration of this patch. It
detects when NPP_Destroy is being called at an unsafe point and delays
it to another message loop iteration. With the caveat that requests
can't be reordered. So, when it must, the patch lies to the wrapper
about NPP_Destroy's return values. Any delayed NPSavedData gets
discarded. That said, I've never seen Flash use this feature, and the
docs do allow the browser to discard them arbitrarily.

The relevant bug in Chromium is here:
http://code.google.com/p/chromium/issues/detail?id=53940

(To be thorough, this is on nspluginwrapper 1.2.2-0ubuntu7 on google-
chrome-beta 10.0.648.82-r75062 on Ubuntu maverick. I've also reproduced
this crash in Firefox, and a cursory look at Debian stable's
nspluginwrapper 1.3.0-1 suggests the bug is there too...)

As far as I can tell, nspluginwrapper no longer has an upstream. If
that's not the case, this patch should probably be forward.

** Affects: nspluginwrapper (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nspluginwrapper (Fedora)
     Importance: Unknown
         Status: Unknown


** Tags: patch
-- 
[Patch included] nspluginwrapper has a race condition on NPP_Destroy and may crash Flash
https://bugs.launchpad.net/bugs/724587
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is a direct subscriber.

More information about the Ubuntu-sponsors mailing list