Closed
Bug 492980
Opened 16 years ago
Closed 16 years ago
Segmentation Fault [@ nsGlobalWindow::EnsureReflowFlushAndPaint] when referencing showModal in a ghost window
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 434035
People
(Reporter: gareth, Unassigned)
Details
(Whiteboard: [sg:dupe 434035])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
When removing an iframe from the current window, you can reference the window but the properties of the window are inaccessible, such as document. This creates a ghost window which Eduardo Vela and I were developing and testing. We both discovered that showModal within the ghost window will cause a Segmentation Fault in Firefox.
Reproducible: Always
Steps to Reproduce:
1. Visit site referenced
2. Enter showModalDialog(1) in the textarea
3. Click eval in sandbox
Actual Results:
Segmentation Fault and Firefox crashes
Expected Results:
Either an error is raised that the function isn't callable or the showModalDialog appears.
This is a joint discovery by Eduardo Vela and Gareth Heyes
Comment 1•16 years ago
The expected result I think should be something like when you call alert:
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowInternal.alert]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: http://www.sirdarckcat.net/sandbox.html :: safeEval :: line 4" data: no]
or.. open()
[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIDOMJSWindow.open]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: http://www.sirdarckcat.net/sandbox.html :: safeEval :: line 4" data: no]
Since the window is not present.
I could *try* to explain how the sandbox works, if needed.. the objective of it was to have a SAFE way of executing arbitrary javascript code, in a webpage, without risking it to allow to access the document.cookie, etc.. something like evalInSandbox, but in the browser.. also giving it access to the objects we decide relevant.
May be a security issue, apparently a jump is made to the heap.
Comment 2•16 years ago
Crash report of Firefox3.0.10:
http://crash-stats.mozilla.com/report/index/8fe810be-39e3-40e6-ad92-940cd2090514?p=1
0 xul.dll nsGlobalWindow::EnsureReflowFlushAndPaint mozilla/dom/src/base/nsGlobalWindow.cpp:3883
1 xul.dll nsGlobalWindow::ShowModalDialog mozilla/dom/src/base/nsGlobalWindow.cpp:6074
2 xul.dll NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 xul.dll XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:1984
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Summary: Segmentation Fault when referencing showModal in a ghost window → Segmentation Fault [@ nsGlobalWindow::EnsureReflowFlushAndPaint] when referencing showModal in a ghost window
Comment 3•16 years ago
This is a null dref (sg:dos) based on bug 434035. Opening up...
Group: core-security
Whiteboard: [sg:dupe 434035]
Comment 4•16 years ago
I can confirm this is fixed in a Shiretoko build