698247 - Null dereference with bad channel implementing URI in nsHTMLDocument::StartDocumentLoad

Status: RESOLVED WONTFIX

(Core :: DOM: Core & HTML, defect, P5)

Description

[Alex Vincent [:WeirdAl]]

I wrote a buggy nsIChannel implementation, which returned a null URI calling GetURI.  Mozilla crashed later on this line:

uri->GetScheme(scheme);

I have a patch for that but no active test.  My test at the time involved a JS-implemented channel.

Comment 1

[Alex Vincent [:WeirdAl]]

Attachment: patch without testcase

Comment 2

[Boris Zbarsky [:bzbarsky]]

I would rather crash here than press on with a bogus channel impl and end up with a security hole or something...

Comment 3

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Yeah, I think I agree with bz. Is there a particular reason you want to change this?

Comment 4

[Alex Vincent [:WeirdAl]]

Oh, just a lovely little theory that I've held as an article of faith, which says JavaScript should never be able to cause a crash accidentally.

What would you say to a patch which forced a crash at the actual point (NS_RUNTIMEABORT), instead of some 70 lines later?

Comment 5

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Given that we want to move towards implementing more stuff in JS, I don't think we can keep saying that JS should never be able to crash the browser.

Comment 6

[Firefox Bug Husbandry Bot]

https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.

Comment 7

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

I'm going to close this as WONTFIX since I think this is working as designed. I don't think it's a goal that JS should never be able to cause crashes given how much internal stuff we implement in JS