Running uBlock on some sites causes Shockwave Flash to stop responding

[Jabbath]

I noticed this on addictinggames.com; when you open any game with ublock enabled, Shockwave Flash will stop responding and the page will freeze. Tested on Chrome 37.0.2062.102 m.

[gorhill]

I tried two games at random, and they worked fine (default filter lists). With which game you systematically reproduce the bug? What filter lists do you have enabled?

[gorhill]

Ok I can reproduce if I disable "Click-to-play". So there is an invisible plug-in in there doing something nasty. Until then, I suggest you use "Click-to-play", which is a good idea in general security- and privacy-wise.

[gorhill]

Weird. ABP and uBlock blocks exactly the same content, yet with uBlock the game doesn't download. After ABP has blocked exactly what uBlock has blocked, ABP shows this extra information (i.e. which doesn't appear for uBlock) in the dev console of the web page:

INFO: com.spilgames.api.connection::Connection - Connection version 1.3.1 instantiated. VM16428:1
INFO: com.spilgames.api.core.js::JSBridge - Found flash object with id "SpilJSBridge[578]" among elements. VM16429:1
INFO: com.spilgames.api.core.js::JSBridge - JS returns: [object HTMLEmbedElement] VM16430:1
INFO: com.spilgames.api.core.js::JSBridge - document.getElementById('SpilJSBridge[578]') VM16431:1
INFO: com.spilgames.api.connection::Connection - Connecting... VM16432:1
INFO: com.spilgames.api.connection::Connection - Used FlashVars: [object FlashVars siteID=0, channelID=0, itemID=0, itemType=1, userName=, userHash=, useDraft=true, serviceDomain=null] VM16433:1
2WARN: BusinessLogicInternalAPI - [op_contains] element can't be null. VM16434:1
INFO: com.spilgames.api.connection::Connection - Game at host 'www.addictinggames.com' is NOT allowed to make use of services. VM16436:1
INFO: com.spilgames.api.connection::Connection - Not allowed to make use of services, game is running outside of SpilGames network. VM16437:1
5ERROR: com.spilgames.api.components::LanguageManager - Failed to get localized string value for key 'text_id' from bundle 'SpilGames_Game' VM16440:1
POST http://core.mochibot.com/my/core.swf net::ERR_NAME_NOT_RESOLVED core.mochibot.com/my/core.swf:1

There seems to be a timing thing going on, as if I step through JS code with uBlock, the game will download.

[gorhill]

Amazing bug... Merely accessing the tagName property of a node in contentscript-end.js causes what appears to be a deadlock. It seems a browser bug might have been uncovered.

[gorhill]

Alright, using a minimalist extension, I confirm there is a deadlock problem in the browser. Merely just reading a property on a node in the DOM from within the mutation observer causes systematically the deadlock when blocking the file http://140cc.v.fwmrm.net/crossdomain.xml on that page.

ABP doesn't suffer this problem because it works differently (I don't think it uses a mutation observer).

Minimalist extension:

manifest.json:

{
    "manifest_version": 2,
    "name": "dead-lock",
    "version": "1",
    "description": "Small extension to reproduce dead-lock bug",
    "author": "Raymond Hill",
    "background": {
        "scripts": ["background.js"]
    },
    "content_scripts": [
    {
        "matches": ["http://*/*"],
        "js": ["contentscript.js"],
        "run_at": "document_end",
        "all_frames": true
        }
    ],
    "permissions": [
        "webRequest",
        "webRequestBlocking",
        "http://*/*"
    ]
}

contentscript.js:

(function() {
    var mutationObservedHandler = function(mutations) {
        var iMutation = mutations.length;
        var nodeList, iNode, node;
        while ( iMutation-- ) {
            nodeList = mutations[iMutation].addedNodes;
            if ( !nodeList ) {
                continue;
            }
            iNode = nodeList.length;
            while ( iNode-- ) {
                node = nodeList[iNode];
                if ( typeof node.querySelectorAll !== 'function' ) {
                    continue;
                }
                console.log(node.tagName);
            }
        }
    };

    var observer = new MutationObserver(mutationObservedHandler);
    observer.observe(document.body, {
        attributes: false,
        childList: true,
        characterData: false,
        subtree: true
    });
})();

background.js:

chrome.webRequest.onBeforeRequest.addListener(
    function(details) {
        if ( details.url.indexOf('140cc.v.fwmrm.net') !== -1 ) {
            return { cancel: true };
        }
    },
    {
        "urls": [
            "http://*/*",
        ],
    },
    [ "blocking" ]
);

Settings:

• Flash PPAPI enabled
• Plug-ins set to "Run automatically" in browser Settings. Load extension in browser, go to http://www.addictinggames.com/action-games/stickman-downhill-game.jsp, refresh page = dead-lock. If we comment out console.log(node.tagName); in contentscript.js, no dead-lock.

[kikaxa]

I tried your test extension and got no deadlock.
I have no flash, opera 25/chromium 38.0.2121.3

[gorhill]

You need flash PPAPI for the deadlock to occur, and click-to-play must be off.

[gorhill]

Filed with Chromium devs: https://code.google.com/p/chromium/issues/detail?id=412786

[gorhill]

I have a fix for this one, but it's slightly "hacky". Since there seems to be a deadlock situation when accessing elements from within the mutation observer callback, I tried to delegate to another callback asynchronously, and this fixes the problem. I supposed I will have to accept this bit of hacky code until the root of the problem, the unexpceted deadlock, is fixed by the Chromium devs.

[gorhill]

It's not hacky, the fix leads to a benefit which I actually meant to investigate a while ago, which is the coalescing of mutation events, which allows to minimize overhead of handling changes in the web pages.