
LibWeb: Clicking a javascript: link crashes with failed assertion `!vm.execution_context_stack().is_empty()`

Open · cartr opened this issue 2 years ago · 1 comment

Open this URL in Browser and click the link:

data:text/html,<a href=javascript:alert(1)>Alert</a>

After the alert is displayed, the web page crashes with the following assertion error and backtrace:

==== Thread #0 (TID 48) ====
ASSERTION FAILED: !vm.execution_context_stack().is_empty()
./Userland/Libraries/LibJS/Interpreter.cpp:103

0xa954902e: [/usr/lib/libsystem.so] syscall2 +0xe (syscall.cpp:25 => syscall.cpp:24)
0x137c6ea2: [/usr/lib/libc.so] raise +0x22 (syscall.h:35 => signal.cpp:22 => signal.cpp:37)
0x137acc19: [/usr/lib/libc.so] abort +0x29 (stdlib.cpp:223)
0x137b35ac: [/usr/lib/libc.so] __assertion_failed +0x6c (assert.cpp:33)
0x3bbe147e: [/usr/lib/libjs.so.serenity] JS::Interpreter::run(JS::Script&) +0x99e (Interpreter.cpp:103)
0x1febe6bd: [/usr/lib/libweb.so.serenity] Web::DOM::Document::run_javascript(AK::StringView, AK::StringView) +0x14d (Document.cpp:936)
0x2002e324: [/usr/lib/libweb.so.serenity] Web::EventHandler::handle_mouseup(Gfx::Point<int> const&, unsigned int, unsigned int) +0xe94 (EventHandler.cpp:238)
0x2003289d: [/usr/lib/libweb.so.serenity] Web::Page::handle_mouseup(Gfx::Point<int> const&, unsigned int, unsigned int) +0x2d (Page.cpp:69)
0x7e534e1d: [/bin/WebContent] .L7234 +0x55 (ConnectionFromClient.cpp:158 => WebContentServerEndpoint.h:3176)
0xa8e57273: [/usr/lib/libipc.so.serenity] IPC::ConnectionBase::handle_messages() [clone .localalias] +0xe3 (Connection.cpp:95)
0x5a1e3c85: [/usr/lib/libcore.so.serenity] AK::Function<void ()>::CallableWrapper<Core::Object::deferred_invoke(AK::Function<void ()>)::{lambda()#1}>::call() +0x225 (Function.h:91)
0x5a1cc372: [/usr/lib/libcore.so.serenity] Core::EventLoop::pump(Core::EventLoop::WaitMode) +0x2e2 (Function.h:91)
0x5a1ccbda: [/usr/lib/libcore.so.serenity] Core::EventLoop::exec() +0x11a (EventLoop.cpp:427)
0x7e53789c: [/bin/WebContent] serenity_main(Main::Arguments) +0x35c (main.cpp:36)
0x7e516d9d: [/bin/WebContent] main +0x7d (Main.cpp:39)
0x7e516fb6: [/bin/WebContent] _entry +0x46 (crt0.cpp:43)

The problem also occurs on live webpages that include these kinds of links, such as http://www.tizag.com/javascriptT/javascriptvoid.php.

cartr, Jul 11 '22 08:07

This is a known issue, javascript: URL handling needs a full rework for spec compliance.

linusg, Jul 11 '22 09:07