firefox >= 53 crashes when used with conkeror and following <a href="#"> links

RESOLVED WONTFIX

Status


Core
DOM
RESOLVED WONTFIX
4 months ago
3 months ago

People

(Reporter: parkouss, Unassigned)

Tracking

({addon-compat, crash, regression})

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 months ago
conkeror is a browser built on top of firefox: http://conkeror.org/

I basically start mine with the following script:

#!/bin/sh
export XUL_APP_FILE=/home/jp/dev/conkeror/application.ini
exec firefox "$@"

As the title explains, starting with firefox 53 conkeror users experience crashes when clicking on specific links. The following web page can be used to create the segfault, just by clicking on the first link:

<body>
  Starting in Firefox 53, Conkeror will crash when links like this are clicked:
  <a href="#" target="foo">crashes</a>
  This link does not crash:
  <a href="#" target="foo" rel="noopener">doesn't crash</a>
</body>

Note that I tried a build on m-c (356738:23fe0b76a018, Fri May 05 08:05:06 2017 -0700) and it is broken here too.

There is a conkeror bug with some information: http://bugs.conkeror.org/issue514 (there is a conkeror patch in there for using conkeror with the nightly releases of firefox, as well as a stack trace of the segfault)

Using mozregression, I am able to narrow down to the following changesets:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=944cb0fd05526894fcd90fbe7d1e625ee53cd73d&tochange=1b170b39ed6bdbde366233ab84594bdaaa960a5a

on mozilla-central, which leads me to:

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=3f15ff10cb267d4289655b2e3cf0a0dee48e7c0b&tochange=2a31079dae258444321138690fa68de6b3ddf06a

on mozilla-inbound.

I am not sure I opened the bug in the right component, so please move it if it's wrong.

It would be really nice for every conkeror user if someone could look into this bug!

Comment 1

4 months ago
Creator of the original issue on the Conkeror bug tracker. Just a couple of points to highlight that might help get this resolved:

We think this is related to this open bug that manifests in Firefox itself, though apparently not as predictably: https://bugzilla.mozilla.org/show_bug.cgi?id=1334086

The title of this issue is not great. There's nothing special about the href="#" part of a link. See the example crashing and non-crashing links for the relevant difference. It's the presence of something like target="foo" (without something like rel="noopener") that causes the crash when a link is clicked.

Here's a backtrace:

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
nsGlobalWindow::SetOpenerWindow (this=0x7fffbeb27400, aOpener=0x7fffc8da9820, 
    aOriginalOpener=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp:3193
3193	/build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp: No such file or directory.
(gdb) where
#0  nsGlobalWindow::SetOpenerWindow (this=0x7fffbeb27400, aOpener=0x7fffc8da9820, 
    aOriginalOpener=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp:3193
#1  0x00007fffea0a0728 in nsWindowWatcher::ReadyOpenedDocShellItem (aOpenedItem=<optimized out>, 
    aParent=0x7fffc8da9820, aWindowIsNew=<optimized out>, aForceNoOpener=aForceNoOpener@entry=false, 
    aOpenedWindow=aOpenedWindow@entry=0x7fffffff67f0)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/toolkit/components/windowwatcher/nsWindowWatcher.cpp:2140
#2  0x00007fffea0a16f5 in nsWindowWatcher::OpenWindowInternal (this=this@entry=0x7fffdc432a40, 
    aParent=aParent@entry=0x7fffc8da9820, aUrl=<optimized out>, aName=<optimized out>, 
    aFeatures=<optimized out>, aCalledFromJS=<optimized out>, aDialog=false, aNavigate=true, aArgv=0x0, 
    aIsPopupSpam=false, aForceNoOpener=false, aLoadInfo=0x0, aResult=0x7fffffff67f0)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1054
#3  0x00007fffea0a26b3 in nsWindowWatcher::OpenWindow2 (this=0x7fffdc432a40, aParent=0x7fffc8da9820, 
    aUrl=<optimized out>, aName=<optimized out>, aFeatures=<optimized out>, 
    aCalledFromScript=<optimized out>, aDialog=false, aNavigate=true, aArguments=0x0, 
    aIsPopupSpam=false, aForceNoOpener=false, aLoadInfo=0x0, aResult=0x7fffffff67f0)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/toolkit/components/windowwatcher/nsWindowWatcher.cpp:445
#4  0x00007fffe8f444ca in nsGlobalWindow::OpenInternal (this=this@entry=0x7fffc8da9800, aUrl=..., 
    aName=..., aOptions=..., aDialog=aDialog@entry=false, aContentModal=aContentModal@entry=false, 
    aCalledNoScript=false, aDoJSFixups=true, aNavigate=true, argv=0x0, aExtraArgument=0x0, 
    aLoadInfo=0x0, aForceNoOpener=false, aReturn=0x7fffffff69c0)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp:12354
#5  0x00007fffe8f44820 in nsGlobalWindow::OpenJS (this=this@entry=0x7fffc8da9800, aUrl=..., aName=..., 
    aOptions=..., _retval=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp:8317
#6  0x00007fffe8f448a1 in nsGlobalWindow::OpenOuter (this=0x7fffc8da9800, aUrl=..., aName=..., 
    aOptions=..., aError=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp:8270
#7  0x00007fffe8f4496c in nsGlobalWindow::Open (this=this@entry=0x7fffc8d43000, aUrl=..., aName=..., 
    aOptions=..., aError=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/dom/base/nsGlobalWindow.cpp:8279
#8  0x00007fffe92c9ca6 in mozilla::dom::WindowBinding::open (cx=0x7fffe4448000, self=0x7fffc8d43000, 
    args=..., obj=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/obj-x86_64-linux-gnu/dom/bindings/WindowBinding.cpp:2421
#9  0x00007fffe92c3fc0 in mozilla::dom::WindowBinding::genericMethod (cx=cx@entry=0x7fffe4448000, 
    argc=<optimized out>, vp=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/obj-x86_64-linux-gnu/dom/bindings/WindowBinding.cpp:15502
#10 0x00007fffea677afc in js::CallJSNative (args=..., native=<optimized out>, cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/jscntxtinlines.h:239
#11 js::InternalCallOrConstruct (cx=cx@entry=0x7fffe4448000, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:460
#12 0x00007fffea678572 in InternalCall (args=..., cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:505
#13 js::Call (cx=cx@entry=0x7fffe4448000, fval=..., fval@entry=..., thisv=..., args=..., rval=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:524
#14 0x00007fffea976aa7 in js::Wrapper::call (
    this=this@entry=0x7fffec253be0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fffe4448000, 
    proxy=..., proxy@entry=..., args=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/proxy/Wrapper.cpp:165
#15 0x00007fffea968c11 in js::CrossCompartmentWrapper::call (
    this=0x7fffec253be0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fffe4448000, wrapper=..., 
    args=...) at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/proxy/CrossCompartmentWrapper.cpp:333
#16 0x00007fffea971b4c in js::Proxy::call (args=..., proxy=..., cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/proxy/Proxy.cpp:421
#17 js::proxy_Call (cx=cx@entry=0x7fffe4448000, argc=<optimized out>, vp=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/proxy/Proxy.cpp:662
#18 0x00007fffea677cd2 in js::CallJSNative (args=..., 
    native=0x7fffea971a70 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/jscntxtinlines.h:239
#19 js::InternalCallOrConstruct (cx=0x7fffe4448000, args=..., construct=js::NO_CONSTRUCT)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:448
#20 0x00007fffea669713 in js::CallFromStack (args=..., cx=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:511
#21 Interpret (cx=0x7fffe4448000, state=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:2989
#22 0x00007fffea6777c4 in js::RunScript (cx=cx@entry=0x7fffe4448000, state=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:406
#23 0x00007fffea677bdb in js::InternalCallOrConstruct (cx=cx@entry=0x7fffe4448000, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:478
#24 0x00007fffea678572 in InternalCall (args=..., cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:505
#25 js::Call (cx=cx@entry=0x7fffe4448000, fval=..., fval@entry=..., thisv=..., args=..., rval=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:524
#26 0x00007fffea90fd79 in js::fun_call (cx=cx@entry=0x7fffe4448000, argc=<optimized out>, 
    vp=0x7fffde363298) at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/jsfun.cpp:1174
#27 0x00007fffea677afc in js::CallJSNative (args=..., native=<optimized out>, cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/jscntxtinlines.h:239
#28 js::InternalCallOrConstruct (cx=0x7fffe4448000, args=..., construct=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:460
#29 0x00007fffea669713 in js::CallFromStack (args=..., cx=<optimized out>)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:511
#30 Interpret (cx=0x7fffe4448000, state=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:2989
#31 0x00007fffea6777c4 in js::RunScript (cx=cx@entry=0x7fffe4448000, state=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:406
#32 0x00007fffea677bdb in js::InternalCallOrConstruct (cx=cx@entry=0x7fffe4448000, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:478
#33 0x00007fffea6784c5 in InternalCall (args=..., cx=0x7fffe4448000)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:505
#34 js::CallFromStack (cx=cx@entry=0x1, args=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/vm/Interpreter.cpp:511
#35 0x00007fffeac7957b in js::jit::DoCallFallback (cx=0x1, frame=0x7fffffff8418, stub_=0x7fffbda9c1a0, 
    argc=1, vp=0x7fffffff8358, res=...)
    at /build/firefox-4Fdt0Z/firefox-53.0+build6/js/src/jit/BaselineIC.cpp:4067
Component: Extension Compatibility → Untriaged
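Added example (not code from this bug report, from Conkeror or from Firefox): a small Node.js check that applies the rule stated in the description and in Comment 1, namely that the relevant difference between the two test links is a target attribute other than _self combined with a rel attribute that carries neither noopener nor noreferrer. Such a link opens a named browsing context that receives a window.opener reference to the clicking page, which is what reaches nsGlobalWindow::SetOpenerWindow in the backtrace; the same property is what a page audit for reverse-tabnabbing exposure looks for, so the check is useful beyond the crash. The attribute parser, the function names and the sample fragment below are constructed for this illustration; the example goes a little beyond the report's two links by also handling unquoted and mixed-case attributes and treating noreferrer as implying noopener, as the HTML specification does.

```javascript
// Added example, not part of the bug report. Flags anchors in an HTML fragment
// that open another browsing context (target set and not _self) without
// rel="noopener" / rel="noreferrer", i.e. links that hand the opened window a
// window.opener reference. Hypothetical helper names; regex-based, no DOM.

// Parse the attributes of one start tag into a map with lower-cased names.
// Handles double-quoted, single-quoted, unquoted and value-less attributes.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s"'=<>`\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    const value =
      m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : "";
    // As in HTML parsing, the first occurrence of a duplicated attribute wins.
    if (!(name in attrs)) attrs[name] = value;
  }
  return attrs;
}

// Collect the attribute maps of every <a ...> start tag in the fragment.
function anchorsIn(html) {
  const out = [];
  const re = /<a\b([^>]*)>/gi; // \b keeps <abbr>, <article> etc. out
  let m;
  while ((m = re.exec(html)) !== null) out.push(parseAttributes(m[1]));
  return out;
}

// True when a click would open a separate browsing context that gets a
// window.opener reference: target is set to something other than _self and
// rel lacks both noopener and noreferrer (noreferrer implies noopener).
function exposesOpener(attrs) {
  const target = (attrs.target || "").trim().toLowerCase();
  if (target === "" || target === "_self") return false; // navigates in place
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Report each offending anchor as a { href, target } record.
function findOpenerLeaks(html) {
  return anchorsIn(html)
    .filter(exposesOpener)
    .map((a) => ({ href: a.href || "", target: a.target || "" }));
}

// Constructed sample input: the report's two links plus a few variants
// (mixed case, unquoted value, noreferrer, _self, no target at all).
const SAMPLE_HTML = `
<body>
  <a href="#" target="foo">crashes</a>
  <a href="#" target="foo" rel="noopener">doesn't crash</a>
  <a href="/docs" TARGET=_blank>unquoted, still exposes opener</a>
  <a href="/docs" target="_blank" rel="nofollow noreferrer">noreferrer implies noopener</a>
  <a href="/docs" target="_self">same tab, nothing to expose</a>
  <a href="/docs">plain link</a>
</body>`;

for (const leak of findOpenerLeaks(SAMPLE_HTML)) {
  console.log(`opener exposed: href=${leak.href} target=${leak.target}`);
}
```

Run with `node` on the file; on the constructed sample it reports exactly the first and third anchors. The scan deliberately stays at the attribute level: it does not follow JavaScript that calls window.open, and the regex parser is meant for fragments you control (templates, generated markup), not as a substitute for a real HTML parser on hostile input.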

Updated

3 months ago
Blocks: 1303196
Has Regression Range: --- → yes
Component: Untriaged → DOM
Flags: needinfo?(michael)
Keywords: addon-compat, crash, regression
Product: Firefox → Core
The changes which added the TabGroup and DocGroup types (bug 1303196) required changes to the Firefox frontend to ensure that the opener property is set correctly on xul:browser objects before the documents inside them are created. The conkeror interface will need to make changes to adapt to this new requirement. 

You can look at bug 1316104 for the changes which Seamonkey had to make to stop crashing when opening new windows in this way. bug 1316104 comment 34 is probably a good starting place (where I describe the changes which will need to happen in the Seamonkey UI).
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Flags: needinfo?(michael)
Resolution: --- → WONTFIX