Super User

Stack Exchange network consists of 171 Q&A communities includingStack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Sign uporlog into customize your list.

Start here for a quick overview of the site

Detailed answers to any questions you might have

Discuss the workings and policies of this site

Learn more about Stack Overflow the company

Learn more about hiring developers or posting ads with us

Super User is a question and answer site for computer enthusiasts and power users. Join them; it only takes a minute:

When this link () is clicked in Google Chrome, Chrome breaks and closes all tabs and instances.

But, in some cases I only need to hover over the link, and the tab crashes.

What happens when I hover over this link? I mean, what does Chrome do when a link is hovered over?

Heres a great Tom Scott video that talks about what he thinks is happening in /watch?v=0fw5Cyh21TE

This bug was fixed inChrome 45.0.2454.101. It was still present inChrome 45.0.2454.99.

fixed in Chrome 45.0.2454.101 (at least on Mac OS 10.10.5 Chrome is still crashing).

The crash is due to a recently discovered bug inChrome- and otherWebKit browsers(!)* – specifically related to either%%30%30,%0%30or%%300as part of the URL, which internally all end up representing the same symbol:null. You can read more about the bughere.

Its not a bug that affect most links, so you dont generally have to worry about hovering over links.

* OtherWebKit browsersinclude Safari, Opera, Steam Browser, Midori, S60 (Symbian), Blackberry Browser and Playstation 3s browser -but notFirefox, Internet Explorer or Edge.

Edit: This bug has now been fixed inChrome 45.0.2454.101asDeltikpoints out.

The problem is related to theURL canonicalizer, which runs as soon as you hover over a link – possibly for displaying the link in the status bar of the browser, and forprefetchingthe webpage so it loads faster once clicked.

As for the role of the URL canonicalizer:

When a URL is written inHTML, it may be written in a form such as/homeor../../home, but browsers need to translate this URL to something with a protocol and a domain too, like. Furthermore the URL may containURL Escapesthat need to betranslated, and theseescapesarepercent encoded, like%%30%30. (A more exhaustive list of URL escapeshere).

The functionality handling thisURL translationis whats ending up crashing, because it receives input the developers did not expect/handle.

Heresa summary of the code change that fixed the problem:

Correctly handle problematic nested escapes in URL paths.

Specifically, if unescaping in the input leads to the output URL containing a new escaped sequence, e.g. converting the input %%30%30 to %00, escape the leading % as %25 to ensure the output sequence is not treated as a new valid escape sequence.

This ensures that canonicalizing the same URL a second time wont make changes to it, which is important for avoiding crashes and other bugs in a variety of places in both debug and release builds.

For clarity, no issue with FireFox or IE 11

Considering Opera is based on the Chrome engine that is not shocking that it also crashes. Which is the reason having multiple rendering engines is a good thing.

? I mean, when I hover a link, theres no search, so why it crashes?

Its not yet clear whats causing the bug, but some think its related to the

, which apparently starts running as soon as you hover over a link, maybe for displaying the link in the status bar of the browser? I cant give you a certain answer, however when a URL is written in HTML, it may be written in a form such as

, but browsers need to translate this URL to something with a protocol and a domain too, like

, so maybe the functionality handling that is whats ending up crashing, because it receives unexpected input?

@JfersonBueno When you hover over a link, Chrome displays it in the lower left corner. This requires some processing, including the translation of specially encoded characters. This processing is buggy, and causes the entire program to crash.

When you hover over a link, Chrome displays it in the lower left corner. This requires some processing, including the translation of specially encoded characters.

However, from your post and comment I think you are more concerned about whether Chrome connects to the link in the background.It does, so do other modern browsers(FirefoxOpera). You may want to disable prefetching in Chromes preferences, or installuBlock Originto get more privacy settings.

I wanted to give some further clarification on what exactly happens here.

Basically, %30 is an URL-encoded 0, and %00 is a URL-encoded NULL (which is displayed in binary as 0000 0000). So if you have a URL that has a nested encoded character that will decode to NULL, the bug occurs.

Chrome does the following when canonicalizing a URL (source: :

An input string http: //a.com/%%30%30 is unescaped to considered a valid GURL.

This GURL is eventually sent to GURLToDatabaseURL(), which calls ReplaceComponents() on it to strip the username and password.

ReplaceComponents() re-canonicalizes the URL.

Canonicalization of the path hits the %00 sequence, unescapes, sees this is a 0 char which is invalid in URLs, leaves it escaped, but marks the resulting URL as invalid.

Once we return back to GURLToDatabaseURL(), it calls .spec() on the new URL, expecting it to be valid, since the input URL was guaranteed to be valid and we merely removed the username and password. This DCHECKs.

So the URL is first considered valid, but after removing certain private data, its invalidated. However, after that data is removed, the function that called that particular code expects a valid URL.

Part of the reason why this URL is considered invalid is because NULL is used in a number of older software and languages to indicate the end of a string (because its basically 8 zeroes in a line, which is easy to detect for a computer).

By posting your answer, you agree to theprivacy policyandterms of service.

How does dividend work in an index fund?

As a soloist, should I face the audience or the conductor during long tutti sections?

Is it true getting a USA passport card at a different time than your passport is better/safer?

How bad is IPv4 address exhaustion really?

Are we living in a simulation? The evidence

What character is the MS-DOS cursor?

Is using new in the constructor always bad?

The Knight never lies, the knave always lies, and the spies either lies or tells the truth

How to deal with [male] friends mocking me about my life choices

What makes the thorium-229 nuclear transition special?

Role of IQ in attainment of stream entry

Why do native speakers say Come on in rather than Come in?

Kickstart Kimchi with sourdough starter

Difference of cohomologous Khler forms

Is it poor etiquette to ask fellow backpackers where they have been/where they are going?

What can I as a teenager do about my insanely strict parents?

How do I respond to a professors email refusing my recommendation request?

Why does traceroute display many ip addresses for the same hop?

What is the purpose of the Identify spell?

site design / logo 2018 Stack Exchange Inc; user contributions licensed undercc by-sa 3.0withattribution required.rev 2018.2.2.28744