Closed Bug 1335524 Opened 7 years ago Closed 7 years ago

Calling URL.createObjectURL on a file from webkitGetAsEntry crashes

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1332003

People

(Reporter: nika, Unassigned)

Details

Attachments

(1 file)

repro.html
620 bytes, text/html
Details
Attached file repro.html 
In a debug build, the assertion is hit here:
http://searchfox.org/mozilla-central/rev/4e0c5c460318fb9ef7d92b129ac095ce04bc4795/dom/file/ipc/Blob.cpp#824-827

In a release build, an error is produced which kills the parent process.

STR:
Open the attached repro.html document
Drag a folder containing at least one file onto the red drop area

Expected Result:
Nothing happens

Actual Result:
The browser crashes
Olli, IIRC you implemented the webkitGetAsEntry API, do you know what might be going on here?
Flags: needinfo?(bugs)
baku has been looking into IPC blob handling recently.

But let me build a debug build to get stack trace.
Flags: needinfo?(bugs) → needinfo?(amarchesini)
Probably a dup of bug 1332003
Group: dom-core-security
I should also mention that this is an e10s-only failure.
part 1 in bug 1332003 seems to fix this locally. Or at least the crash.
Worth to test createObjectURL handling some more though.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Yes, the bug is fixed by moving the blob creation on the parent side.
I tested how the blobURL is created and it's fine. Maybe we can add this test as mochitest.
Component: DOM → DOM: Core & HTML
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: