[Bug 724587] Re: [Patch included] nspluginwrapper has a race condition on NPP_Destroy and may crash Flash

Launchpad Bug Tracker 724587 at bugs.launchpad.net
Wed Mar 30 17:00:47 UTC 2011


This bug was fixed in the package nspluginwrapper - 1.2.2-0ubuntu9

---------------
nspluginwrapper (1.2.2-0ubuntu9) natty; urgency=low

  [ David Benjamin ]
  * Fix a re-entrancy bug with delayed_calls_process and a race condition
    (causing a crash) when a plugin instance is destroyed.  (LP: #724587)
    - add debian/patches/008_delayed_calls_process_reentrant.diff
    - add debian/patches/009_npp_destroy_crash.diff
    - update debian/patches/series

  [ Anders Kaseorg ]
  * Fix FTBFS due to configure test broken by libxt multiarch transition.
    - add debian/patches/010_fix_Xt_test.diff
    - update debian/patches/series
  * Update Maintainer to Ubuntu Developers
    <ubuntu-devel-discuss at lists.ubuntu.com>.
 -- Anders Kaseorg <andersk at mit.edu>   Tue, 29 Mar 2011 14:33:16 -0400

** Changed in: nspluginwrapper (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/724587

Title:
  [Patch included] nspluginwrapper has a race condition on NPP_Destroy
  and may crash Flash

Status in “nspluginwrapper” package in Ubuntu:
  Fix Released
Status in “nspluginwrapper” package in Fedora:
  Unknown

Bug description:
  Binary package hint: nspluginwrapper

  nspluginwrapper has a race condition during NPP_Destroy (called when a
  tab is closed) that can crash the plugin. The race happens
  particularly often when another tab has a video playing; I suspect
  this is because it causes enough traffic over the IPC to delay the
  processes and trigger the race.

  If NPP_Destroy is called by the wrapper process at the same time the
  viewer (plugin) process makes some call, then, from the plugin's
  perspective, its call to NPN_InvalidateRect resulted in the plugin
  instance being destroyed from under its feet. This is, of course,
  nonsense, so Flash shortly crashes to let us know how silly we are
  being. :-)

  I've written patches for this issue here
  https://github.com/davidben/nspluginwrapper/commits/master

  Only the second of the two patches is strictly relevant; the other is
  a separate race I came across in a previous iteration of this patch.
  It detects when NPP_Destroy is being called at an unsafe point and
  delays it to another message loop iteration. With the caveat that
  requests can't be reordered. So, when it must, the patch lies to the
  wrapper about NPP_Destroy's return values. Any delayed NPSavedData
  gets discarded. That said, I've never seen Flash use this feature, and
  the docs do allow the browser to discard them arbitrarily.

  The relevant bug in Chromium is here:
  http://code.google.com/p/chromium/issues/detail?id=53940

  (To be thorough, this is on nspluginwrapper 1.2.2-0ubuntu7 on google-
  chrome-beta 10.0.648.82-r75062 on Ubuntu maverick. I've also
  reproduced this crash in Firefox, and a cursory look at Debian
  stable's nspluginwrapper 1.3.0-1 suggests the bug is there too...)

  As far as I can tell, nspluginwrapper no longer has an upstream. If
  that's not the case, this patch should probably be forwarded.
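
As an added illustration (not the reporter's patch and not nspluginwrapper's own code), here is a constructed C model of the deferral the description outlines: an NPP_Destroy that arrives while a plugin-to-browser call such as NPN_InvalidateRect is still on the stack is marked pending, success is reported to the wrapper immediately, and the real teardown runs on a later message-loop iteration. The struct and function names are assumptions made for this example.

```c
#include <stdbool.h>
/* One plugin instance as modelled in the viewer process (constructed example). */
typedef struct {
    int in_flight_calls;   /* nested plugin->browser calls, e.g. NPN_InvalidateRect */
    bool destroyed;
    bool destroy_pending;  /* NPP_Destroy arrived at an unsafe point */
} instance_t;

static void do_destroy(instance_t *inst) {
    inst->destroyed = true;
    inst->destroy_pending = false;
}

/* NPP_Destroy request from the wrapper. If a plugin call is still on the stack,
 * defer the teardown and report success now; any NPSavedData is discarded. */
int handle_npp_destroy(instance_t *inst) {
    if (inst->in_flight_calls > 0) {
        inst->destroy_pending = true;
        return 0;               /* NPERR_NO_ERROR (0) reported to the wrapper */
    }
    do_destroy(inst);
    return 0;
}

/* Plugin begins a call into the browser; refuse if the instance is gone. */
bool begin_plugin_call(instance_t *inst) {
    if (inst->destroyed) return false;
    inst->in_flight_calls++;
    return true;
}

void end_plugin_call(instance_t *inst) { inst->in_flight_calls--; }

/* Run once per message-loop iteration: finish any deferred destroy. */
bool process_delayed_destroy(instance_t *inst) {
    if (!inst->destroy_pending || inst->in_flight_calls > 0) return false;
    do_destroy(inst);
    return true;
}

/* The race from the report: destroy arrives in the middle of NPN_InvalidateRect. */
bool simulate_race(void) {
    instance_t inst = {0};
    begin_plugin_call(&inst);             /* plugin inside NPN_InvalidateRect */
    handle_npp_destroy(&inst);            /* wrapper: destroy now -> deferred */
    bool alive_during_call = !inst.destroyed;
    end_plugin_call(&inst);
    process_delayed_destroy(&inst);       /* next iteration: now safe */
    return alive_during_call && inst.destroyed;
}
```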


