Closed Bug 1171537 Opened 9 years ago Closed 9 years ago

[e10s] Content process crash doing window.open into a new window from data: document

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla41
Tracking Status
e10s m7+ ---
firefox41 --- fixed

People

(Reporter: bzbarsky, Assigned: mconley)

Attachments

(1 file)

Testcase:

  data:text/html,<span onclick="window.open('', '', 'width=170,height=170')">Click me</span>

In e10s mode, load this in a tab, click the text, get this on stdout/stderr:

[Parent 59578] WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x804B000A: file /Users/bzbarsky/mozilla/inbound/mozilla/dom/ipc/TabParent.cpp, line 702
IPDL protocol error: Handler for CreateWindow returned error code

###!!! [Parent][DispatchSyncMessage] Error: (msgtype=0x20000C,name=PBrowser::Msg_CreateWindow) Processing error: message was deserialized, but the handler returned false (indicating failure)

###!!! [Parent][MessageChannel] Error: (msgtype=0x20007B,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

and then the content process is killed off.
As an additional piece of data, using
  data:text/html,<span onclick="window.open('http://twitter.com', '', 'width=170,height=170')">Click me</span>
or
  data:text/html,<span onclick="window.open('about:blank', '', 'width=170,height=170')">Click me</span>
both work just fine.
Flags: needinfo?(mconley)
What's happening here is that IPC is tearing down the content process because the parent returns false due to the URI not being valid. Non-empty strings that are not valid URIs get filtered out in nsGlobalWindow::SecurityCheckURL (called from nsGlobalWindow::OpenInternal). Empty strings get a pass, though. So with e10s, the empty string gets passed all the way up to RecvCreateWindow, where we attempt to parse it, fail, and return false (and thus explode).

In the non-e10s case, we seem to just pass nullptr to OpenWindow2 in the empty string case. We should probably do the same thing in the event of an empty string being passed up to RecvCreateWindow.

Nomming because this is an easily reproducible crash.
tracking-e10s: --- → ?
Flags: needinfo?(mconley)
Assignee: nobody → mconley
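The mismatch described in the comment above, as an added example (a simplified C++ model, not Gecko code and not the landed patch): the child-side filter lets the empty string through, and the parent handler either fails on it or treats it as "no URI". `ParseURI`, `ChildAllows`, `OpenRequest`, and `KillsContentProcess` are hypothetical names, and the scheme check is a stand-in for real URI parsing.

```cpp
#include <string>

// Hypothetical stand-in for URI parsing: accepts only "scheme:rest".
static bool ParseURI(const std::string& spec, std::string& out) {
    const auto colon = spec.find(':');
    if (colon == std::string::npos || colon == 0) return false;
    out = spec;
    return true;
}

// Child-side filter as the comment describes it: malformed non-empty
// specs are rejected, the empty string passes.
static bool ChildAllows(const std::string& spec) {
    std::string unused;
    return spec.empty() || ParseURI(spec, unused);
}

struct OpenRequest {
    bool opened = false;
    bool hasUri = false;   // false models passing a null URI to the opener
    std::string uri;
};

using Handler = bool (*)(const std::string&, OpenRequest&);

// Parent handler before the fix. Returning false models the IPDL
// handler error that ends with the content process being killed.
static bool RecvCreateWindowBefore(const std::string& spec, OpenRequest& req) {
    if (!ParseURI(spec, req.uri)) return false;  // "" fails to parse
    req.opened = true;
    req.hasUri = true;
    return true;
}

// Parent handler after the fix: "" means "no URI", as in non-e10s.
static bool RecvCreateWindowAfter(const std::string& spec, OpenRequest& req) {
    if (spec.empty()) {
        req.opened = true;   // window opens, hasUri stays false
        return true;
    }
    return RecvCreateWindowBefore(spec, req);  // malformed specs still fail
}

// True when a spec the child lets through makes the parent handler fail.
static bool KillsContentProcess(Handler h, const std::string& spec) {
    OpenRequest req;
    return ChildAllows(spec) && !h(spec, req);
}
```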
Bug 1171537 - Allow URIs to be the empty string in TabParent::RecvCreateWindow. r=?
Attachment #8617694 - Flags: review?(wmccloskey)
Comment on attachment 8617694 [details]
MozReview Request: Bug 1171537 - Allow URIs to be the empty string in TabParent::RecvCreateWindow. r=?

https://reviewboard.mozilla.org/r/10681/#review9467

Ship It!
Attachment #8617694 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/7c28bef40970
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Depends on: 1196706
Component: DOM → DOM: Core & HTML