Closed
Bug 1171537
Opened 9 years ago
Closed 9 years ago
[e10s] Content process crash doing window.open into a new window from data: document
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla41
People
(Reporter: bzbarsky, Assigned: mconley)
References
Details
Attachments
(1 file)
Testcase: data:text/html,<span onclick="window.open('', '', 'width=170,height=170')">Click me</span> In e10s mode, load this in a tab, click the text, get this on stdout/stderr: [Parent 59578] WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x804B000A: file /Users/bzbarsky/mozilla/inbound/mozilla/dom/ipc/TabParent.cpp, line 702 IPDL protocol error: Handler for CreateWindow returned error code ###!!! [Parent][DispatchSyncMessage] Error: (msgtype=0x20000C,name=PBrowser::Msg_CreateWindow) Processing error: message was deserialized, but the handler returned false (indicating failure) ###!!! [Parent][MessageChannel] Error: (msgtype=0x20007B,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv and then the content process is killed off.
Comment 1•9 years ago
|
||
As an additional piece of data, using data:text/html,<span onclick="window.open('http://twitter.com', '', 'width=170,height=170')">Click me</span> or data:text/html,<span onclick="window.open('about:blank', '', 'width=170,height=170')">Click me</span> both work just fine.
Updated•9 years ago
|
Flags: needinfo?(mconley)
Assignee | ||
Comment 2•9 years ago
|
||
What's happening here is that IPC is tearing down the content process because the parent returns false due to the URI not being valid. Non-empty strings that are not valid URIs get filtered out in nsGlobalWindow::SecurityCheckURL (called from nsGlobalWindow::OpenInternal). Empty strings get a pass, though. So with e10s, the empty string gets passed all the way up to RecvCreateWindow, where we attempt to parse it, fail, and return false (and thus explode). In the non-e10s case, we seem to just pass nullptr to OpenWindow2 in the empty string case. We should probably do the same thing in the event of an empty string being passed up to RecvCreateWindow. Nomming because this is an easily reproducible crash.
tracking-e10s:
--- → ?
Flags: needinfo?(mconley)
Updated•9 years ago
|
Assignee: nobody → mconley
Assignee | ||
Comment 3•9 years ago
|
||
Bug 1171537 - Allow URIs to be the empty string in TabParent::RecvCreateWindow. r=?
Attachment #8617694 -
Flags: review?(wmccloskey)
Comment on attachment 8617694 [details] MozReview Request: Bug 1171537 - Allow URIs to be the empty string in TabParent::RecvCreateWindow. r=? https://reviewboard.mozilla.org/r/10681/#review9467 Ship It!
Attachment #8617694 -
Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/7c28bef40970
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•