Open
Bug 1508510
Opened 6 years ago
Updated 1 month ago
Calling r.abort() in a payment event handler cause IPDL errors, killing the child process
Categories
(Core :: DOM: Web Payments, defect, P3)
Tracking
()
NEW
People
(Reporter: pauljt, Unassigned)
Details
(Whiteboard: dom-lws-bugdash-triage)
Attachments
(3 files)
1.55 KB,
text/plain
|
Details | |
1.52 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
2.77 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
Hard to explain this since I only vaguely understand it but here goes: Payment Request handlers can take a promise instead of a function. Passing a function _call_ to a function which calls r.abort() AND also returns a value (like "error") causes the tab to crash. See p[1] which just does:
function badHandler(r) {
r.abort();
return { error: "" }
}
function crash() {
let request = new PaymentRequest(method, details, options);
request.onshippingoptionchange = ev => ev.updateWith(badHandler(request));
request.show()
}
This results in the "Gah. Your tab just crashed." message. I'm not sure if its IPC related or not, but attached is the console logs from ASAN nightly.
I don't know if this is a security related crash or not (i think not, given that its just a tab crash), but this API isn't enabled yet so I don't see the need to restrict it.
[1] https://misuse.co/t/pay/paycrash.html
Reporter | ||
Updated•6 years ago
|
Component: Security: Review Requests → DOM: Web Payments
Product: Firefox → Core
Version: unspecified → 65 Branch
Reporter | ||
Comment 1•6 years ago
|
||
If it helps I think we are hitting this line:
https://searchfox.org/mozilla-central/source/__GENERATED__/ipc/ipdl/PPaymentRequestParent.cpp#240
Reporter | ||
Comment 2•6 years ago
|
||
I think I figured this out. I think request.abort() results ultimately ends up removing the payment request from PaymentRequestService->mRequestQueue at [1]. Then, the child sends the PaymentUpdateActionRequest (as a result of event.updateWith()) this line [2] in PaymentRequestParent fails .
PPaymentRequestParent::OnMessageReceived[3] then passes a MsgProcessingError up to MessageChannel.cpp[4], which then calls ContentParent::ProcessingError[5], which does KillHard(aReason).
[1] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/payments/PaymentRequestService.cpp#411
[2] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/payments/ipc/PaymentRequestParent.cpp#83
[3] https://searchfox.org/mozilla-central/source/__GENERATED__/ipc/ipdl/PPaymentRequestParent.cpp#202
[4] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/ipc/glue/MessageChannel.cpp#2591
[5] https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/ipc/ContentParent.cpp#1657
Updated•6 years ago
|
Priority: -- → P3
Comment 3•6 years ago
|
||
Yaron, can you leave the triage of this component to Eden/Marcos since we have a system for it: https://wiki.mozilla.org/Firefox/Features/Web_Payments/DOM
Flags: needinfo?(ytausky)
Comment 4•6 years ago
|
||
Sure, I'll remove you from my triage query. Sorry for the interruption. :-)
Flags: needinfo?(ytausky)
Reporter | ||
Comment 5•6 years ago
|
||
Dunno why bugzilla clipped the links above. The first link is
https://searchfox.org/mozilla-central/source/dom/payments/PaymentRequestService.cpp#411
or permalink:
https://searchfox.org/mozilla-central/rev/b03a62c3c82316e733a3b09622c1cb7e59f64cc3/dom/payments/PaymentRequestService.cpp#411
Comment 6•6 years ago
|
||
Sorry for the garbled links! Will be fixed tomorrow.
Comment 7•6 years ago
|
||
Ignoring the merchant update, while the PaymentRequest is aborting.
Assignee: nobody → echuang
Attachment #9031198 -
Flags: review?(amarchesini)
Comment 8•6 years ago
|
||
Attachment #9031199 -
Flags: review?(amarchesini)
Updated•6 years ago
|
Attachment #9031198 -
Flags: review?(amarchesini) → review+
Updated•6 years ago
|
Attachment #9031199 -
Flags: review?(amarchesini) → review+
Comment 9•6 years ago
|
||
There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:edenchuang, could you have a look please?
Flags: needinfo?(echuang)
Updated•5 years ago
|
Flags: needinfo?(echuang)
Updated•5 years ago
|
Assignee: echuang → nobody
Reporter | ||
Comment 10•5 years ago
|
||
Just a thought - is this IPC mechansim exposed even though the API isn't enabled?
Flags: needinfo?(echuang)
Comment 11•5 years ago
|
||
Unfortunately, yes. But the PayementRequest API is the only one entry point for this IPC.
Flags: needinfo?(echuang)
Updated•2 years ago
|
Severity: normal → S3
Updated•1 month ago
|
Severity: S3 → S4
Whiteboard: dom-lws-bugdash-triage
You need to log in
before you can comment on or make changes to this bug.
Description
•