Closed
Bug 1459562
Opened 6 years ago
Closed 6 years ago
Opening a blob URL image in a new window makes firefox to crash
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla62
Tracking | Status | |
---|---|---|
firefox62 | --- | verified |
People
(Reporter: baku, Assigned: baku)
Details
Attachments
(2 files)
6.19 KB,
application/zip
|
Details | |
1.68 KB,
patch
|
nika
:
review+
|
Details | Diff | Splinter Review |
STR: 1. A simple page creating a blob URL, containing an image, and displaying that URL using a <img> element. 2. right click on the image. 3. click on "view image", keeping 'SHIFT' key pressed. Expected results: a new window must appear, showing the blob URL image. Actual results: a new process is spawn and it crashes immediately saying: [Child 15762, Main Thread] WARNING: This content process hasn't received the permissions for http://localhost:8000 yet: file /home/baku/Sources/m/blob/src/extensions/cookie/nsPermissionManager.cpp, line 3406 Assertion failure: PermissionAvailable(prin, aType), at /home/baku/Sources/m/blob/src/extensions/cookie/nsPermissionManager.cpp:2342
Assignee | ||
Comment 1•6 years ago
|
||
Nika, you have worked on permissions. Could it be related? Do you mind to investigate?
Flags: needinfo?(nika)
Assignee | ||
Comment 2•6 years ago
|
||
Here the file I used to reproduce this issue.
Updated•6 years ago
|
Priority: -- → P2
Comment 3•6 years ago
|
||
(In reply to Andrea Marchesini [:baku] from comment #1) > Nika, you have worked on permissions. Could it be related? Do you mind to > investigate? Hmm, it sounds like permissions aren't sent down with blob requests? I presume that a blob URI has a principal associated with it. When we send the data into a content process, we'll need to TransmitPermissionsForPrincipal for that principal, e.g. https://searchfox.org/mozilla-central/rev/a85db9e29eb3f022dbaf8b9a6390ecbacf51e7dd/dom/ipc/ContentParent.cpp#5363-5364. I'm guessing that the load doesn't go through that AboutToLoad codepath, which is why the permissions aren't being transmitted right now.
Flags: needinfo?(nika)
Assignee | ||
Comment 4•6 years ago
|
||
Well, this is not what happens when we load blob URIs. In this case, the channel doesn't run on the parent process: https://searchfox.org/mozilla-central/rev/00dd116638001772fe354b081353b73f1cad405d/dom/file/nsHostObjectProtocolHandler.cpp#904-907,962-967 nsHostObjectProtocolHandler::NewChannel2 uses NS_NewInputStreamChannelInternal and this channel doesn't interact with the parent process at all. We should transmit the permissions when the blobURLs are broadcasted. I'm not particularly happy about blobURLs broadcasting, but, the solution I have in mind would require a big refactoring of how principal::CheckMayLoad() works, and the removal of nsIURIWithPrincipal. This is not going to happen soon.
Assignee | ||
Comment 5•6 years ago
|
||
Here a fix.
Assignee: nobody → amarchesini
Attachment #8976068 -
Flags: review?(nika)
Comment 6•6 years ago
|
||
Comment on attachment 8976068 [details] [diff] [review] blobURLs.patch Review of attachment 8976068 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/ipc/ContentParent.cpp @@ +2452,5 @@ > } > + > + for (const BlobURLRegistrationData& registration : registrations) { > + rv = TransmitPermissionsForPrincipal(registration.principal()); > + Unused << NS_WARN_IF(NS_FAILED(rv)); Please do this only if you're actually calling SendInitBlobURLs. Also, please do it first. It might be a good idea to add a bulk transmitting option to TransmitPermissionsForPrincipal, but we can look into that later if this shows up as an issue. @@ +5140,5 @@ > } > > Unused << cp->SendBlobURLRegistration(uri, ipcBlob, principal); > + > + rv = cp->TransmitPermissionsForPrincipal(principal); Please transmit the permissions before you send the registration. I think that this right now will cause a race condition if something tries to perform a load after the registration is added, but before the permissions are transmitted.
Attachment #8976068 -
Flags: review?(nika) → review+
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1ea614928f8b Transmit the permissions of the owning principal together with the blobURL when broadcasted to content processes, r=nika
Comment 8•6 years ago
|
||
Backed out for build bustages on ContentParent.cpp For Linux, the bustage was : "..../nsError.h:34:77: error: cannot convert 'mozilla::DebugOnly<nsresult>' to 'nsresult' for argument '1' to 'uint32_t NS_FAILED_impl(nsresult)'" Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/786865568ed76134a3f9724956949e5d48f34210 Push link: https://hg.mozilla.org/integration/mozilla-inbound/rev/1ea614928f8b0f959aa09ef4674118d27d1e317e Log link: https://treeherder.mozilla.org/logviewer.html#?job_id=178952087&repo=mozilla-inbound&lineNumber=24915 Linux log link: https://treeherder.mozilla.org/logviewer.html#?job_id=178952087&repo=mozilla-inbound&lineNumber=24915
Flags: needinfo?(amarchesini)
Assignee | ||
Updated•6 years ago
|
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/2908cc9102b0 Transmit the permissions of the owning principal together with the blobURL when broadcasted to content processes, r=nika
Comment 10•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/2908cc9102b0
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated•6 years ago
|
Flags: qe-verify+
Comment 11•6 years ago
|
||
I haven’t managed to reproduce this issue using the test case from comment 2 and the steps from bug’s description (using localhost:8000) on Ubuntu 16.04 (both x64 and x32 bits) and Windows 10 x64 with Firefox 61.0a1 (2018-05-07). For me, no crash or error occurs, the blob URL image is displayed successfully in a new window. Is maybe something else that I missed or misinterpreted?
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 12•6 years ago
|
||
This happens when the new window is loads the blobURL on a new process. That assertion is triggered only on debug builds.
Flags: needinfo?(amarchesini)
Comment 13•6 years ago
|
||
Thank you for your prompt reply! I’ve manage to reproduce the crash with Firefox 61.0a1 (20180507085552) debug build under Ubuntu 16.04 x64. This bug is fixed on debug build 62.0b9 (20180713154019) under Ubuntu 16.04 x64, Windows 10 x64 and macOS 10.13.
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•