Closed
Bug 1323983
Opened 8 years ago
Closed 7 years ago
A pointer lock request paired with a window.close() from an opened popup window crashes the browser
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla53
People
(Reporter: jujjyl, Assigned: xidorn)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Attachments
(4 files)
STR: 1. Visit http://clb.demon.fi/bugs/window_open_pointer_lock_crash/main.html 2. Allow the popup to open. 3. Click on the black canvas. Observed: The tab will crash. Crash reports: Current stable Firefox: https://crash-stats.mozilla.com/report/index/d59992cb-08d0-4512-b490-543c92161216 FF Nightly: https://crash-stats.mozilla.com/report/index/d59992cb-08d0-4512-b490-543c92161216 https://crash-stats.mozilla.com/report/index/5cf9cd2c-154c-4f45-a73b-fe2312161216
Reporter | ||
Comment 2•8 years ago
|
||
I err on making crash bugs security bugs, better than the alternative. If it is concluded otherwise, feel free to drop the label.
Flags: needinfo?(jujjyl)
Updated•8 years ago
|
Group: core-security
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(xidorn+moz)
Assignee | ||
Comment 3•8 years ago
|
||
Hmm... It actually affects both e10s and non-e10s. On non-e10s, although it would not crash, the window would still lock the pointer and user has no way to release it.
Assignee | ||
Updated•7 years ago
|
Blocks: pointer-lock
Flags: needinfo?(xidorn+moz)
Assignee | ||
Comment 4•7 years ago
|
||
A simplified testcase. Steps to reproduce: 1. click the "Open New Windows" button 2. in the newly opened page, click "Request PointerLock and Close" Expected result: The page is closed, and everything else works as normal. Actual restul: On e10s window, the content process would crash. On non-e10s window, the window would continue locking the pointer, and there is no way to escape from that until closing that window. Note: if "window.close()" is called synchronously after "requestPointerLock()", e10s window would still crash, but non-e10s window would work just fine.
Assignee | ||
Updated•7 years ago
|
Component: DOM: Content Processes → DOM
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 8•7 years ago
|
||
The issue for non-e10s is that, when the window is closed via script, the document has already detached from the presshell, and thus nsDocument::SetPointerLock fails to find the event state manager and corresponding widget to unlock the pointer. Part 1 changes EventStateManager::SetPointerLock() to be a static method, so that we can reset the state in ESM even if we cannot get an ESM instance. The issue for e10s is that, when we unlock the pointer, ESM asks the widget to move the mouse back to its pre-lock position. It does so via SynthesizeNativeMouseMove, which PuppetWidget redirects to the chrome process. These all works fine. The issue is that after the chrome process completes this mouse move, it sends a response to the child process, but at that point the window has died, and thus the content process doesn't find a receiver of the response, and thus crashes. The reason why chrome process needs to send a response back is that, the API of synthesizing native mouse move supports attaching an observer, which would be notified when the move is done. However, in the case of unlocking pointer, we don't actually need to know that, so no observer is attached, so the response isn't really necessary. So in part 2, I make the chrome process not send the response if there is no observer at all.
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → xidorn+moz
Assignee | ||
Comment 9•7 years ago
|
||
And, there could still be some... minor issues remaining, e.g. the warning popup. But those are not as bad as the current situation. To completely fix those issues, we may want to fix bug 1255338 which is non-trivial...
Comment 10•7 years ago
|
||
mozreview-review |
Comment on attachment 8819765 [details] Bug 1323983 part 1 - Ensure to release the pointer even if the document has been detached. https://reviewboard.mozilla.org/r/99410/#review99826
Attachment #8819765 -
Flags: review?(bugs) → review+
Comment 11•7 years ago
|
||
mozreview-review |
Comment on attachment 8819766 [details] Bug 1323983 part 2 - Avoid sending response for native synthesis if there is no observer. https://reviewboard.mozilla.org/r/99412/#review99828 The crash is about the assertion MOZ_ASSERT(aObserverId == 0, "We should always find a saved observer for nonzero IDs"); ? So, not a crash in debug builds, right?
Attachment #8819766 -
Flags: review?(bugs) → review+
Comment 12•7 years ago
|
||
mozreview-review |
Comment on attachment 8819767 [details] Bug 1323983 part 3 - Add test for closing window while holding pointerlock. https://reviewboard.mozilla.org/r/99414/#review99830 ::: dom/tests/mochitest/pointerlock/test_pointerlock-autoclose.html:13 (Diff revision 1) > + <link rel="stylesheet" href="/tests/SimpleTest/test.css"> > +</head> > +<body> > + <button onclick="document.body.requestPointerLock()">Lock Pointer</button> > + <script> > + SimpleTest.waitForExplicitFinish(); Don't you want to call SimpleTest.waitForExplicitFinish(); only when you don't have opener. ::: dom/tests/mochitest/pointerlock/test_pointerlock-autoclose.html:23 (Diff revision 1) > + } else { > + document.addEventListener("pointerlockchange", function() { > + opener.is(document.pointerLockElement, document.body, > + "Check we have locked the pointer"); > + window.close(); > + setTimeout(function() { Trying to remember if this is racy. What if the timeouts for the closed window are suspended already before the timeout would run. Perhaps call opener.setTimeout("SimpleTest.finish()", 0);
Attachment #8819767 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 13•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8819766 [details] Bug 1323983 part 2 - Avoid sending response for native synthesis if there is no observer. https://reviewboard.mozilla.org/r/99412/#review99828 No, it is not about that. This assertion is unrelated. The crash is "Route error: message sent to unknown actor ID". See bp-5cf9cd2c-154c-4f45-a73b-fe2312161216.
Assignee | ||
Comment 14•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8819767 [details] Bug 1323983 part 3 - Add test for closing window while holding pointerlock. https://reviewboard.mozilla.org/r/99414/#review99830 > Don't you want to call SimpleTest.waitForExplicitFinish(); only when you don't have opener. Good catch. > Trying to remember if this is racy. What if the timeouts for the closed window are suspended already before the timeout would run. > Perhaps call opener.setTimeout("SimpleTest.finish()", 0); Probably just add a new function and a global variable so that the opener can close the window.
Comment 15•7 years ago
|
||
(In reply to Xidorn Quan [:xidorn] (UTC+10) from comment #13) > No, it is not about that. This assertion is unrelated. The crash is "Route > error: message sent to unknown actor ID". See > bp-5cf9cd2c-154c-4f45-a73b-fe2312161216. Hmm, now I'm lost. What actor is not there?
Assignee | ||
Comment 16•7 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #15) > (In reply to Xidorn Quan [:xidorn] (UTC+10) from comment #13) > > > No, it is not about that. This assertion is unrelated. The crash is "Route > > error: message sent to unknown actor ID". See > > bp-5cf9cd2c-154c-4f45-a73b-fe2312161216. > Hmm, now I'm lost. What actor is not there? I'm not familiar with e10s's IPC... My guess is the target document?
Comment 17•7 years ago
|
||
Documents don't have ipc actors.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 21•7 years ago
|
||
Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8f01cf080e69 part 1 - Ensure to release the pointer even if the document has been detached. r=smaug https://hg.mozilla.org/integration/autoland/rev/f3290b0f20cc part 2 - Avoid sending response for native synthesis if there is no observer. r=smaug https://hg.mozilla.org/integration/autoland/rev/8f9298b5935f part 3 - Add test for closing window while holding pointerlock. r=smaug
Comment 22•7 years ago
|
||
Sorry had to back this out for test_pointerlock-autoclose.html test timed out, i.e., https://treeherder.mozilla.org/logviewer.html#?job_id=8161735&repo=autoland#L46849
Flags: needinfo?(xidorn+moz)
Comment 23•7 years ago
|
||
Backout by ihsiao@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4dd995379ca7 Backed out changeset 8f9298b5935f for test_pointerlock-autoclose.html timed out https://hg.mozilla.org/integration/autoland/rev/4e18a255b586 Backed out changeset f3290b0f20cc https://hg.mozilla.org/integration/autoland/rev/dd43bc709e8d Backed out changeset 8f01cf080e69
Assignee | ||
Comment 24•7 years ago
|
||
Ah, Win8 only, which is not enabled on try by default... ok
Comment hidden (mozreview-request) |
Assignee | ||
Comment 26•7 years ago
|
||
Ah, this time it's Linux opt... It seems the real click is tricky after a whole of pointerlock tests... I guess things would be better if the new test can be run before the old tests. I tried to do that in mochitest.ini but it seems the order in that file is not respected. Probably the test run by the order of their names?
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 30•7 years ago
|
||
Looks like there would still be some intermittent... https://treeherder.mozilla.org/#/jobs?repo=try&revision=cb11654ab78f2b48d0ff2ceb55e40824320ab364
Assignee | ||
Comment 31•7 years ago
|
||
Looks pretty good now: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b22ae9f37bd2f01e5261928335459bb38cf106a5
Flags: needinfo?(xidorn+moz)
Comment hidden (mozreview-request) |
Comment 33•7 years ago
|
||
Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c818000827de part 1 - Ensure to release the pointer even if the document has been detached. r=smaug https://hg.mozilla.org/integration/autoland/rev/d80ab1b76771 part 2 - Avoid sending response for native synthesis if there is no observer. r=smaug https://hg.mozilla.org/integration/autoland/rev/b67517ef132a part 3 - Add test for closing window while holding pointerlock. r=smaug
Comment 34•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c818000827de https://hg.mozilla.org/mozilla-central/rev/d80ab1b76771 https://hg.mozilla.org/mozilla-central/rev/b67517ef132a
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox53:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment 35•7 years ago
|
||
Should we consider taking this on 52 as well? If so, please nominate accordingly :)
status-firefox50:
--- → wontfix
status-firefox51:
--- → wontfix
status-firefox52:
--- → affected
Flags: needinfo?(xidorn+moz)
Flags: in-testsuite+
Assignee | ||
Comment 36•7 years ago
|
||
Comment on attachment 8819765 [details] Bug 1323983 part 1 - Ensure to release the pointer even if the document has been detached. Approval Request Comment [Feature/Bug causing the regression]: PointerLock API, may not be a regression [User impact if declined]: Browser may crash by malicious page [Is this code covered by automated tests?]: A test was added with the patch. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No, automated test should be enough. [List of other uplifts needed for the feature/fix]: n/a [Is the change risky?]: Should not be risky. [Why is the change risky/not risky?]: Only affects PointerLock API which has been well covered by automated tests. [String changes made/needed]: n/a This is for all three patches to Firefox 52.
Flags: needinfo?(xidorn+moz)
Attachment #8819765 -
Flags: approval-mozilla-aurora?
Comment 37•7 years ago
|
||
Comment on attachment 8819765 [details] Bug 1323983 part 1 - Ensure to release the pointer even if the document has been detached. pointer lock fixes, beta52+
Attachment #8819765 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta+
Comment 38•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/0ad60446529f https://hg.mozilla.org/releases/mozilla-beta/rev/f0bf4bedc314 https://hg.mozilla.org/releases/mozilla-beta/rev/7aecd5d82d04
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•