Closed
Bug 1508510
Opened 7 years ago
Closed 7 months ago
Calling r.abort() in a payment event handler cause IPDL errors, killing the child process
Categories
(Core :: DOM: Web Payments, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 1971459
People
(Reporter: pauljt, Unassigned)
Details
(Whiteboard: dom-lws-bugdash-triage)
Attachments
(3 files)
|
1.55 KB,
text/plain
|
Details | |
|
1.52 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
|
2.77 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
Hard to explain this since I only vaguely understand it but here goes: Payment Request handlers can take a promise instead of a function. Passing a function _call_ to a function which calls r.abort() AND also returns a value (like "error") causes the tab to crash. See p[1] which just does:
function badHandler(r) {
r.abort();
return { error: "" }
}
function crash() {
let request = new PaymentRequest(method, details, options);
request.onshippingoptionchange = ev => ev.updateWith(badHandler(request));
request.show()
}
This results in the "Gah. Your tab just crashed." message. I'm not sure if its IPC related or not, but attached is the console logs from ASAN nightly.
I don't know if this is a security related crash or not (i think not, given that its just a tab crash), but this API isn't enabled yet so I don't see the need to restrict it.
[1] https://misuse.co/t/pay/paycrash.html
|
Reporter | |
Updated•7 years ago
|
Component: Security: Review Requests → DOM: Web Payments
Product: Firefox → Core
Version: unspecified → 65 Branch
|
|
Reporter | |
Comment 1•7 years ago
|
||
If it helps I think we are hitting this line:
https://searchfox.org/mozilla-central/source/__GENERATED__/ipc/ipdl/PPaymentRequestParent.cpp#240
|
|
Reporter | |
Comment 2•7 years ago
|
||
I think I figured this out. I think request.abort() results ultimately ends up removing the payment request from PaymentRequestService->mRequestQueue at [1]. Then, the child sends the PaymentUpdateActionRequest (as a result of event.updateWith()) this line [2] in PaymentRequestParent fails .
PPaymentRequestParent::OnMessageReceived[3] then passes a MsgProcessingError up to MessageChannel.cpp[4], which then calls ContentParent::ProcessingError[5], which does KillHard(aReason).
[1] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/payments/PaymentRequestService.cpp#411
[2] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/payments/ipc/PaymentRequestParent.cpp#83
[3] https://searchfox.org/mozilla-central/source/__GENERATED__/ipc/ipdl/PPaymentRequestParent.cpp#202
[4] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/ipc/glue/MessageChannel.cpp#2591
[5] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/ipc/ContentParent.cpp#1657
|
|
||
Updated•7 years ago
|
Priority: -- → P3
|
||
Comment 3•7 years ago
|
||
Yaron, can you leave the triage of this component to Eden/Marcos since we have a system for it: https://wiki.mozilla.org/Firefox/Features/Web_Payments/DOM
Flags: needinfo?(ytausky)
|
|
||
Comment 4•7 years ago
|
||
Sure, I'll remove you from my triage query. Sorry for the interruption. :-)
Flags: needinfo?(ytausky)
|
|
Reporter | |
Comment 5•7 years ago
|
||
Dunno why bugzilla clipped the links above. The first link is
https://searchfox.org/mozilla-central/source/dom/payments/PaymentRequestService.cpp#411
or permalink:
https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/payments/PaymentRequestService.cpp#411
|
||
Comment 6•7 years ago
|
||
Sorry for the garbled links! Will be fixed tomorrow.
|
||
Comment 7•7 years ago
|
||
Ignoring the merchant update, while the PaymentRequest is aborting.
Assignee: nobody → echuang
Attachment #9031198 -
Flags: review?(amarchesini)
|
|
||
Comment 8•7 years ago
|
||
Attachment #9031199 -
Flags: review?(amarchesini)
|
||
Updated•7 years ago
|
Attachment #9031198 -
Flags: review?(amarchesini) → review+
|
|
||
Updated•7 years ago
|
Attachment #9031199 -
Flags: review?(amarchesini) → review+
|
||
Comment 9•6 years ago
|
||
There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:edenchuang, could you have a look please?
Flags: needinfo?(echuang)
|
|
||
Updated•6 years ago
|
Flags: needinfo?(echuang)
|
|
||
Updated•6 years ago
|
Assignee: echuang → nobody
|
|
Reporter | |
Comment 10•6 years ago
|
||
Just a thought - is this IPC mechansim exposed even though the API isn't enabled?
Flags: needinfo?(echuang)
|
|
||
Comment 11•6 years ago
|
||
Unfortunately, yes. But the PayementRequest API is the only one entry point for this IPC.
Flags: needinfo?(echuang)
|
||
Updated•3 years ago
|
Severity: normal → S3
|
||
Updated•1 year ago
|
Severity: S3 → S4
Whiteboard: dom-lws-bugdash-triage
|
|
||
Comment 12•7 months ago
|
||
PaymentRequest API implementation will be updated, which includes its IPC implementation. We suppose this will be fixed in the implementation update.
You need to log in
before you can comment on or make changes to this bug.
Description
•