Open
Bug 672797
Opened 14 years ago
Updated 3 years ago
window.close() closes the whole window, not just the tab, when up against C recursion limit
Categories
(Core :: DOM: Core & HTML, defect, P5)
Core
DOM: Core & HTML
Tracking
()
NEW
People
(Reporter: vulnerable.zappa, Unassigned)
References
Details
(Whiteboard: [sg:dos])
Attachments
(2 files)
This script produce many strange behaviours
depend on what you comment in __bx array
For example :
If you comment 'showModalDialog'
and run script ,modalDialog will be open,close this modalDialog
and wait for another modalDialog (2).
When new modalDialog will be opened
click right mouse button on urlbar of this modalDialog ,
firefox will crash by "memmory coruption"
If you comment 'openDialog'
script will close browser when calling this.close();
after return form "FindAndCall" function
In others sytuations script can corrupt "dialogbox" like prompt,confirm,alert
(this windows will be showed without strings)
|
||
Comment 2•14 years ago
|
||
Here is a reduced testcase to reproduce the close behaviour bug.
You should probably open a new bug for the showModalDialog crash bug.
I thing all this behaviours is a result of the same bug ;]
but ok i send "showModalDialog" as difrent bug
Summary: Firefox 5.1 ([showModalDialog() crash] && [openDialog && this.close() closing browser]) → Firefox 5.1 (window.close() closing browser)
I can't reproduce on FF5, Win XP with the reduced testcase. It opens a new tab (redirected window) if I allow it in the popup blocker. It then shows an error, because the file whatever.html does not exist. That is correct. It should then close automatically? The whole browser? Doesn't happen for me. It just stays there.
Is that the only tab/window you have open? Or does it also close other tabs and that is the problem?
Crash Signature: Firefox 5.1 ([showModalDialog() crash] && [openDialog && this.close() closing browser])
Summary: Firefox 5.1 (window.close() closing browser) → Firefox 5.0.1 (window.close() closing browser)
Target Milestone: Firefox 5 → ---
Version: unspecified → 5 Branch
Strange
I test it couple of minutes ago
in a fresh installation of firefox without any extensions (4 check if is depend on extensions)
and all variats of repro closing whole browser
independently of how many tabs,windows is opened
You can also use data: pseudourl as argument of window.open
result is the same (browser will be closed)
Ah ok, with no extensions and built-in pop-up blocker disabled I can reproduce it with Nightly8 on linux on the testcase in comment 2. If I enable pop-up blocker, the window is blocked. It can be allowed in the menu of the infobar. Then the window (tab) is opened but not closed. As comment 5.
Status: UNCONFIRMED → NEW
Component: General → DOM: Core & HTML
Ever confirmed: true
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Version: 5 Branch → Trunk
(In reply to comment #3)
> I thing all this behaviours is a result of the same bug ;]
> but ok i send "showModalDialog" as difrent bug
Can you post the bug number you created for that?
|
Reporter | |
Comment 10•14 years ago
|
||
|
||
Comment 11•14 years ago
|
||
There is no crash log from this because the browser exits gracefully as if it is intentionally shut down.
Summary: Firefox 5.0.1 (window.close() closing browser) → window.close() closes the whole browser not just the tab
|
||
Updated•14 years ago
|
Assignee: nobody → choudharypranay
|
||
Comment 12•14 years ago
|
||
BTW - from my local testing, this closes the *current browser window*, not the whole browser. If you have multiple Firefox windows open, then only the window that has the testcase's tab will end up closing.
(still a bug, just clarifying the current behavior)
I can reproduce this in current nightly, and as far back (at least) as Firefox 3.0. So, not a recent regression.
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a1) Gecko/20110816 Firefox/8.0a1
Summary: window.close() closes the whole browser not just the tab → window.close() closes the whole window, not just the tab
|
|
||
Updated•14 years ago
|
Assignee: choudharypranay → nobody
|
|
||
Comment 13•14 years ago
|
||
Here's the relevant code that's being called by window.close: http://mxr.mozilla.org/mozilla-central/source/dom/base/nsGlobalWindow.cpp#6368 (nsGlobalWindow::Close)
Keywords: dev-doc-needed
|
||
Updated•13 years ago
|
Whiteboard: [sg:dos]
|
|
||
Updated•13 years ago
|
Keywords: dev-doc-needed
|
||
Comment 15•13 years ago
|
||
I actually looked into this a while ago, but haven't had a chance to write a patch (and it looks like I'm not going to have a chance to write it for a little bit). Here's what I found.
A bit of background: Normally, window.close works by firing a DOMWindowClose event at the window. This event bubbles up where it is eventually handled by tabbrowser.xml, stops the event from bubbling, and runs logic to determine whether we should close a single tab or the
entire window. If tabbrowser.xml doesn't stop the event, it bubbles up to the window and we close the window (note that the window knows nothing about tabs, so it won't warn if there are tabs open).
Now, the testcase here fills up the C stack by recursing through eval and then calls window.close(). The event that we fire at ourselves is sync, and as we look for event handlers, we have to compile XBL. However, we're already so close to the end of the C stack that the compilation fails and we never compile the event handler for the DOMWindowClose event in tabbrowser.xml. This causes us to not handle the event at the proper level, closing the window instead of the tab.
For the JS stack, we have a two limits for how much space content is allowed to take up vs. chrome. Luke suggested that we add a similar split limit for the C stack as well and that seems like the right way to go for me as well.
|
|
||
Updated•13 years ago
|
Assignee: mrbkap → nobody
|
||
Comment 16•13 years ago
|
||
Like we discussed in bug 732665? That would fix a lot of my fuzz bugs as well :)
Depends on: 732665
Summary: window.close() closes the whole window, not just the tab → window.close() closes the whole window, not just the tab, when up against C recursion limit
|
||
Comment 17•7 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046
Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.
If you have questions, please contact :mdaly.
Priority: -- → P5
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•