copyPathRemovingDots() in KURL.cpp is unprepared to deal with URLs that don't start with a slash, but KURL::init() may pass non-hierarchical base URLs to it.
Created attachment 12633 [details] proposed fix
*** Bug 10431 has been marked as a duplicate of this bug. ***
Maybe the right thing to do for non-hierarchical URLs is to append the relative URL to the scheme instead of the whole URL. Appending to a javascript: URL in particular could have weird consequences and is likely not desired. What do other browsrs do in such cases?
Comment on attachment 12633 [details] proposed fix It looks like Firefox just renders the URL invalid in such case, and doesn't try to load from it. Maybe this is what we should do for invalid base URLs, too? A more thorough test has uncovered another related issue which I'm going to investigate now - javascript URLs shouldn't be treated as relative.
Created attachment 12670 [details] proposed fix So, it looks like such URLs are treated as invalid by Firefox. Please note that the code for invalid base URLs was only executed for empty ones, because non-empty invalid base URLs were dealt with at the beginning of KURL::init(). There are still some issues with handling "javascript:" URLs (see comments in the test case), but those are outside KURL, and have bugs of their own filed.
Comment on attachment 12670 [details] proposed fix r=me
Committed revision 19159.