Closed
Bug 1497219
Opened 6 years ago
Closed 6 years ago
Crash in mozilla::dom::PaymentRequest::Show
Categories
(Core :: DOM: Web Payments, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla66
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | disabled |
firefox65 | --- | disabled |
firefox66 | --- | fixed |
People
(Reporter: marcia, Assigned: edenchuang)
References
Details
(Keywords: crash, Whiteboard: [webpayments-reserve])
Crash Data
Attachments
(2 files, 3 obsolete files)
(deleted),
patch
|
edenchuang
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
edenchuang
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-58f7bb00-bc2b-4aff-9e42-47f400181008.
=============================================================
Seen while looking at Mac nightly crash stats - although only crash so far, I thought it was interesting to file since I don't see many Web Payments crashes.
Top 10 frames of crashing thread:
0 XUL mozilla::dom::PaymentRequest::Show xpcom/base/nsCOMPtr.h:919
1 XUL mozilla::dom::PaymentRequest_Binding::show_promiseWrapper dom/bindings/PaymentRequestBinding.cpp:3181
2 XUL bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises> dom/bindings/BindingUtils.cpp:3315
3 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:461
4 XUL js::ForwardingProxyHandler::call const js/src/vm/Interpreter.cpp:626
5 XUL js::CrossCompartmentWrapper::call const js/src/proxy/CrossCompartmentWrapper.cpp:355
6 XUL js::Proxy::call js/src/proxy/Proxy.cpp:560
7 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:528
8 XUL Interpret js/src/vm/Interpreter.cpp:613
9 XUL js::RunScript js/src/vm/Interpreter.cpp:440
=============================================================
Updated•6 years ago
|
Priority: -- → P2
Assignee | ||
Comment 2•6 years ago
|
||
The root cause is accessing the deleted PaymentRequest object.
So JS code cannot find the binding PaymentRequest, then it gets crash.
Assignee: nobody → echuang
Status: NEW → ASSIGNED
Flags: needinfo?(echuang)
Assignee | ||
Comment 3•6 years ago
|
||
In the current design, payment method response data is passed between processes through a simple nsString. It means a special encoder/decoder is needed for special response data, ex. BasicCardResponse, to serialize/deserialize into/from the nsString. However, when a token splitter, ':', ';' and '@', is used in response data, it makes the encoder/decoder can not work normally. It is hard to define a suitable token splitter set for the encoder/decoder. So instead of using an error-prone encoder/decoder, this patch defines a new IPC structure for response data.
Attachment #9018296 -
Flags: review?(amarchesini)
Comment 4•6 years ago
|
||
Comment on attachment 9018296 [details] [diff] [review]
Define a new IPC structure for response data
Review of attachment 9018296 [details] [diff] [review]:
-----------------------------------------------------------------
much better! Thanks.
::: dom/payments/PaymentRequestManager.cpp
@@ +661,5 @@
> switch (response.status()) {
> case nsIPaymentActionResponse::PAYMENT_ACCEPTED: {
> rejectedReason = NS_OK;
> + NS_ENSURE_SUCCESS(ConvertResponseData(aRequest->GetOwner(),
> + response.data(),
indentation
Attachment #9018296 -
Flags: review?(amarchesini) → review+
Assignee | ||
Comment 5•6 years ago
|
||
Attachment #9018296 -
Attachment is obsolete: true
Attachment #9018977 -
Flags: review+
Assignee | ||
Updated•6 years ago
|
Priority: P2 → P1
Updated•6 years ago
|
Whiteboard: [webpayments-reserve]
Updated•6 years ago
|
Flags: qe-verify-
Assignee | ||
Comment 7•6 years ago
|
||
Attachment #9018977 -
Attachment is obsolete: true
Attachment #9028586 -
Flags: review?(amarchesini)
Comment 8•6 years ago
|
||
Comment on attachment 9028586 [details] [diff] [review]
Reject PaymentRequest actions when its owner global object is null by navigating to other pages.
Review of attachment 9028586 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/payments/PaymentRequest.cpp
@@ +730,2 @@
> nsCOMPtr<nsPIDOMWindowInner> win = do_QueryInterface(global);
> + if (!win) {
This cannot happen.
Attachment #9028586 -
Flags: review?(amarchesini) → review+
Assignee | ||
Comment 9•6 years ago
|
||
Update patch according to reviewer's comment.
Update patch with new C++ coding style change.
Attachment #9028586 -
Attachment is obsolete: true
Attachment #9031423 -
Flags: review+
Assignee | ||
Comment 10•6 years ago
|
||
Attachment #9031424 -
Flags: review+
Assignee | ||
Updated•6 years ago
|
Keywords: checkin-needed
Comment 11•6 years ago
|
||
Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2738bb9f6d54
Rejecting PaymentRequest::API calls when the PaymentRequest is not in fully active document. r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ba89c2d426d
Mochitest for PaymentRequest in not fully active document. r=baku
Keywords: checkin-needed
Comment 12•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/2738bb9f6d54
https://hg.mozilla.org/mozilla-central/rev/7ba89c2d426d
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox66:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Updated•6 years ago
|
status-firefox65:
--- → ?
Updated•6 years ago
|
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•