Closed
Bug 858034
Opened 11 years ago
Closed 11 years ago
navigator.getDeviceStorage('') crashes on platforms device storage isn't supported on
Categories
(Core :: DOM: Device Interfaces, defect)
Tracking
()
RESOLVED
FIXED
mozilla23
People
(Reporter: sergi, Assigned: dhylands)
References
()
Details
(5 keywords, Whiteboard: [native-crash][A4A])
Crash Data
Attachments
(1 file)
|
2.23 KB,
patch
|
bent.mozilla
:
review+
|
Details | Diff | Splinter Review |
Opening the web console and writing the following crashes the browser:
navigator.getDeviceStorage('')
It doesn't matter what parameter is passed to the method as long as there is one.
|
||
Comment 1•11 years ago
|
||
What is your crash report ID (from about:crashes)?
Component: General → DOM
Flags: needinfo?(sergi.mansilla)
Product: Firefox → Core
|
Reporter | |
Comment 2•11 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1) > What is your crash report ID (from about:crashes)? 4B708448-1451-47A2-87B3-3A0272A12E9F
Flags: needinfo?(sergi.mansilla)
|
|
||
Comment 3•11 years ago
|
||
Can you please submit your crash report (by clicking on it) and send me the report ID/URL of the crash on crash-stats?
Flags: needinfo?(sergi.mansilla)
|
|
Reporter | |
Comment 4•11 years ago
|
||
Sure, that's the same crash with a different ID: https://crash-stats.mozilla.com/report/index/bp-698e1a88-3f10-4a07-910a-652c22130404
Flags: needinfo?(sergi.mansilla)
|
|
||
Comment 5•11 years ago
|
||
Thanks. This is a null-pointer crash, so not exploitable.
|
||
Updated•11 years ago
|
Assignee: mounir → doug.turner
|
||
Updated•11 years ago
|
Severity: major → critical
Crash Signature: [@ mozilla::dom::Navigator::GetDeviceStorage(nsAString_internal const&, nsIDOMDeviceStorage**)]
Keywords: regression
|
||
Comment 6•11 years ago
|
||
Looks to me like device.storage.enabled being false leads to an automatic null-deref crash here, right?
|
||
Comment 7•11 years ago
|
||
bp-d70df2f5-0fa3-4fbc-bbe9-4e02b2130404 Easy to reproduce in Fennec on m-c Visit: http://mozqa.com/webapi-permissions-tests/, and install the 'Packaged App Test Case 1'
|
||
Updated•11 years ago
|
Keywords: reproducible
|
|
||
Updated•11 years ago
|
Summary: navigator.getDeviceStorage('') crashes Firefox → navigator.getDeviceStorage('') crashes on platforms device storage isn't supported on
|
|
||
Updated•11 years ago
|
OS: Mac OS X → All
Hardware: x86_64 → All
|
|
||
Comment 8•11 years ago
|
||
Here's a simple STR: 1. Go to http://jds2501.github.com/webapi-permissions-tests/webapi_permissions_test.html in the browser 2. Select any the device storage tests Result - Firefox crashes.
|
|
||
Updated•11 years ago
|
OS: Mac OS X → All
Hardware: x86_64 → All
Component: DOM → DOM: Device Interfaces
|
|
||
Comment 9•11 years ago
|
||
Doug says apparently we can delegate this to Dave Hylands.
Assignee: doug.turner → dhylands
|
Assignee | |
Comment 10•11 years ago
|
||
I think that the problem is caused in Navigator.cpp
It currently has:
if (!Preferences::GetBool("device.storage.enabled", false)) {
return NS_OK;
}
and should have:
if (!Preferences::GetBool("device.storage.enabled", false)) {
*_retval = nullptr;
return NS_OK;
}|
|
||
Comment 11•11 years ago
|
||
No. The problem is that the caller checks the rv and bails if failure, then dereferences the pointer, which is null because the callee didn't set it to anything and it was already null. As in, we either need to return a failure when disabled or we need to null-check in the caller.
|
|
||
Updated•11 years ago
|
Whiteboard: [native-crash]
|
|
Assignee | |
Comment 12•11 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #11) > No. The problem is that the caller checks the rv and bails if failure, then > dereferences the pointer, which is null because the callee didn't set it to > anything and it was already null. > > As in, we either need to return a failure when disabled or we need to > null-check in the caller. Ahhh - right - I get it. Yeah - it should return an error if its not going to return a proper object.
|
|
Assignee | |
Comment 13•11 years ago
|
||
Add back the check in getDeviceStorage to see if its enabled or not. Also make sure that the return value is always initialized.
|
|
Assignee | |
Comment 14•11 years ago
|
||
Comment on attachment 733459 [details] [diff] [review] Make getDeviceStorage check if its enabled or not. I was able to reproduce on my unagi/FirefoxOS by disabling device storage.
Attachment #733459 -
Flags: review?(bent.mozilla)
|
||
Updated•11 years ago
|
Attachment #733459 -
Flags: review?(bent.mozilla) → review+
|
|
Assignee | |
Comment 15•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4170679cb85a
|
|
||
Updated•11 years ago
|
Whiteboard: [native-crash] → [native-crash][A4A]
|
||
Comment 17•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4170679cb85a
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
||
Comment 18•11 years ago
|
||
Dave - Can you nominate this for Aurora uplift? We have packaged apps on FxAndroid enabled on Fx22, so we are seeing this crash on Fx22 as well.
Flags: needinfo?(dhylands)
|
|
Assignee | |
Comment 19•11 years ago
|
||
This bug was caused by bug 838038, which as far as I can tell wasn't uplifted, so nothing else should be required.
Flags: needinfo?(dhylands)
|
|
Assignee | |
Comment 20•11 years ago
|
||
I tested:
navigator.getDeviceStorage('');
on Firefox Aurora 22.0a2 (2013-04-08) and it seemed to work fine (i.e. returned null).
You need to log in
before you can comment on or make changes to this bug.
Description
•