223791 2021-03-26 03:18:40 -0700 embed element with the src attribute set prevents WebKitTestRunner from exiting 2021-04-26 01:21:44 -0700 1 1 1 Unclassified WebKit Tools / Tests WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 rniwa webkit-unassigned ap bfulgham cdumez cgarcia changseok darin esprehn+autocc ews-watchlist fred.wang gpoo gyuyoung.kim product-security rbuis svillar webkit-bug-importer oldest_to_newest 1744132 0 rniwa 2021-03-26 03:18:40 -0700 WebKitTestRunner does not proceed after loading this: <script> onload = () => { let e = document.createElement('embed'); e.src = 'x'; }; </script> <rdar://75879762> 1744231 1 darin 2021-03-26 10:27:17 -0700 Seems like this is an impediment to fuzz testing, not a bug that itself has security impact, right? 1744480 2 rniwa 2021-03-27 03:50:02 -0700 (In reply to Darin Adler from comment #1) > Seems like this is an impediment to fuzz testing, not a bug that itself has > security impact, right? Yeah, I guess there is no need to keep this under security component. 1752688 3 cgarcia 2021-04-21 03:13:50 -0700 The problem is that the load never finishes, so WTR keeps waiting for the final message from injected bundle that happens when the page is loaded. When the src attribute is changed, HTMLPlugInImageElement::updateImageLoaderWithNewURLSoon() is called. That calls HTMLPlugInImageElement::scheduleUpdateForAfterStyleResolution() that increases the document load event delay count and queues a style post resolution callback. The document load event delay count is decreased in HTMLPlugInImageElement::updateAfterStyleResolution), called by the style post resolution callback. But the callback is never called because the embed element is not in tree, and it's never added, keeping the document load event delay unbalanced. I think we should not call scheduleUpdateForAfterStyleResolution() when the element is not in render tree, since we know Node::invalidateStyle() will return early and style post resolution callbacks will not be called. If the element is added to the tree eventually, scheduleUpdateForAfterStyleResolution() will be called by didRecalcStyle, so the image will be loaded. 1752698 4 426669 cgarcia 2021-04-21 04:07:37 -0700 Created attachment 426669 Patch 1753830 5 426669 rniwa 2021-04-23 23:10:09 -0700 Comment on attachment 426669 Patch Thanks! 1754127 6 ews-feeder 2021-04-26 01:21:40 -0700 Committed r276582 (237018@main): <https://commits.webkit.org/237018@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426669. 426669 2021-04-21 04:07:37 -0700 2021-04-26 01:21:42 -0700 Patch wk-embed-image-onload-src-change.diff text/plain 3912 cgarcia ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA2OGI3OTI1MzIwNjguLmFkYzE0ZWU4ZmVkZCAxMDA2NDQKLS0tIGEvTGF5b3V0VGVz dHMvQ2hhbmdlTG9nCisrKyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBA CisyMDIxLTA0LTIxICBDYXJsb3MgR2FyY2lhIENhbXBvcyAgPGNnYXJjaWFAaWdhbGlhLmNvbT4K KworICAgICAgICBlbWJlZCBlbGVtZW50IHdpdGggdGhlIHNyYyBhdHRyaWJ1dGUgc2V0IHByZXZl bnRzIFdlYktpdFRlc3RSdW5uZXIgZnJvbSBleGl0aW5nCisgICAgICAgIGh0dHBzOi8vYnVncy53 ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMjM3OTEKKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBBZGQgbmV3IHRlc3QuCisKKyAgICAgICAgKiBmYXN0 L2ltYWdlcy9lbWJlZC1pbWFnZS1vbmxvYWQtc3JjLWNoYW5nZS1leHBlY3RlZC50eHQ6IEFkZGVk LgorICAgICAgICAqIGZhc3QvaW1hZ2VzL2VtYmVkLWltYWdlLW9ubG9hZC1zcmMtY2hhbmdlLmh0 bWw6IEFkZGVkLgorCiAyMDIxLTA0LTIwICBJYW4gR2lsYmVydCAgPGlhbmdAYXBwbGUuY29tPgog CiAgICAgICAgIENyYXNoIGluIENvbXBvc2l0ZUVkaXRDb21tYW5kOjppbnNlcnROb2RlQXQKZGlm ZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvaW1hZ2VzL2VtYmVkLWltYWdlLW9ubG9hZC1zcmMt Y2hhbmdlLWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2Zhc3QvaW1hZ2VzL2VtYmVkLWltYWdl LW9ubG9hZC1zcmMtY2hhbmdlLWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRl eCAwMDAwMDAwMDAwMDAuLjdlZjIyZTlhNDMxYQotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRl c3RzL2Zhc3QvaW1hZ2VzL2VtYmVkLWltYWdlLW9ubG9hZC1zcmMtY2hhbmdlLWV4cGVjdGVkLnR4 dApAQCAtMCwwICsxIEBACitQQVNTCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9mYXN0L2ltYWdl cy9lbWJlZC1pbWFnZS1vbmxvYWQtc3JjLWNoYW5nZS5odG1sIGIvTGF5b3V0VGVzdHMvZmFzdC9p bWFnZXMvZW1iZWQtaW1hZ2Utb25sb2FkLXNyYy1jaGFuZ2UuaHRtbApuZXcgZmlsZSBtb2RlIDEw MDY0NAppbmRleCAwMDAwMDAwMDAwMDAuLjliZTZmMzQ4YzI4MAotLS0gL2Rldi9udWxsCisrKyBi L0xheW91dFRlc3RzL2Zhc3QvaW1hZ2VzL2VtYmVkLWltYWdlLW9ubG9hZC1zcmMtY2hhbmdlLmh0 bWwKQEAgLTAsMCArMSw5IEBACis8c2NyaXB0Pgorb25sb2FkID0gKCkgPT4geworICAgIGxldCBl ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnZW1iZWQnKTsKKyAgICBlLnNyYyA9ICd4JzsKK30K K2lmICh3aW5kb3cudGVzdFJ1bm5lcikKKyAgICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKQorPC9z Y3JpcHQ+CitQQVNTCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cgYi9Tb3Vy Y2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZjNkNTUyMThjZTg2Li5kOTBiYjk3ZTg3ZDQgMTAw NjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cKQEAgLTEsMyArMSwyNyBAQAorMjAyMS0wNC0yMSAgQ2FybG9zIEdhcmNpYSBDYW1w b3MgIDxjZ2FyY2lhQGlnYWxpYS5jb20+CisKKyAgICAgICAgZW1iZWQgZWxlbWVudCB3aXRoIHRo ZSBzcmMgYXR0cmlidXRlIHNldCBwcmV2ZW50cyBXZWJLaXRUZXN0UnVubmVyIGZyb20gZXhpdGlu ZworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjIzNzkx CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhlIHBy b2JsZW0gaXMgdGhhdCB0aGUgbG9hZCBuZXZlciBmaW5pc2hlcywgc28gV1RSIGtlZXBzIHdhaXRp bmcgZm9yIHRoZSBmaW5hbCBtZXNzYWdlIGZyb20gaW5qZWN0ZWQgYnVuZGxlCisgICAgICAgIHRo YXQgaGFwcGVucyB3aGVuIHRoZSBwYWdlIGlzIGxvYWRlZC4gV2hlbiB0aGUgc3JjIGF0dHJpYnV0 ZSBpcyBjaGFuZ2VkLAorICAgICAgICBIVE1MUGx1Z0luSW1hZ2VFbGVtZW50Ojp1cGRhdGVJbWFn ZUxvYWRlcldpdGhOZXdVUkxTb29uKCkgaXMgY2FsbGVkLiBUaGF0IGNhbGxzCisgICAgICAgIEhU TUxQbHVnSW5JbWFnZUVsZW1lbnQ6OnNjaGVkdWxlVXBkYXRlRm9yQWZ0ZXJTdHlsZVJlc29sdXRp b24oKSB0aGF0IGluY3JlYXNlcyB0aGUgZG9jdW1lbnQgbG9hZCBldmVudCBkZWxheQorICAgICAg ICBjb3VudCBhbmQgcXVldWVzIGEgc3R5bGUgcG9zdCByZXNvbHV0aW9uIGNhbGxiYWNrLiBUaGUg ZG9jdW1lbnQgbG9hZCBldmVudCBkZWxheSBjb3VudCBpcyBkZWNyZWFzZWQgaW4KKyAgICAgICAg SFRNTFBsdWdJbkltYWdlRWxlbWVudDo6dXBkYXRlQWZ0ZXJTdHlsZVJlc29sdXRpb24oKSwgY2Fs bGVkIGJ5IHRoZSBzdHlsZSBwb3N0IHJlc29sdXRpb24gY2FsbGJhY2suIEJ1dCB0aGUKKyAgICAg ICAgY2FsbGJhY2sgaXMgbmV2ZXIgY2FsbGVkIGJlY2F1c2UgdGhlIGVtYmVkIGVsZW1lbnQgaXMg bm90IGluIHRyZWUsIGFuZCBpdCdzIG5ldmVyIGFkZGVkLCBrZWVwaW5nIHRoZSBkb2N1bWVudAor ICAgICAgICBsb2FkIGV2ZW50IGRlbGF5IHVuYmFsYW5jZWQuIFdlIHNob3VsZCBub3QgY2FsbCBz Y2hlZHVsZVVwZGF0ZUZvckFmdGVyU3R5bGVSZXNvbHV0aW9uKCkgd2hlbiB0aGUgZWxlbWVudAor ICAgICAgICBpcyBub3QgaW4gcmVuZGVyIHRyZWUsIHNpbmNlIHdlIGtub3cgTm9kZTo6aW52YWxp ZGF0ZVN0eWxlKCkgd2lsbCByZXR1cm4gZWFybHkgYW5kIHN0eWxlIHBvc3QgcmVzb2x1dGlvbgor ICAgICAgICBjYWxsYmFja3Mgd2lsbCBub3QgYmUgY2FsbGVkLiBJZiB0aGUgZWxlbWVudCBpcyBh ZGRlZCB0byB0aGUgdHJlZSBldmVudHVhbGx5LAorICAgICAgICBzY2hlZHVsZVVwZGF0ZUZvckFm dGVyU3R5bGVSZXNvbHV0aW9uKCkgd2lsbCBiZSBjYWxsZWQgYnkgZGlkUmVjYWxjU3R5bGUsIHNv IHRoZSBpbWFnZSB3aWxsIGJlIGxvYWRlZC4KKworICAgICAgICBUZXN0OiBmYXN0L2ltYWdlcy9l bWJlZC1pbWFnZS1vbmxvYWQtc3JjLWNoYW5nZS5odG1sCisKKyAgICAgICAgKiBodG1sL0hUTUxQ bHVnSW5JbWFnZUVsZW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6SFRNTFBsdWdJbkltYWdl RWxlbWVudDo6dXBkYXRlSW1hZ2VMb2FkZXJXaXRoTmV3VVJMU29vbik6CisKIDIwMjEtMDQtMjEg IFRpbSBIb3J0b24gIDx0aW1vdGh5X2hvcnRvbkBhcHBsZS5jb20+CiAKICAgICAgICAgTG9uZy1w cmVzc2luZyBhIGRhdGEgZGV0ZWN0b3JzIGxpbmsgY2F1c2VzIHRoZSBsaW5rIHRvIGJlIGZvbGxv d2VkCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9odG1sL0hUTUxQbHVnSW5JbWFnZUVsZW1l bnQuY3BwIGIvU291cmNlL1dlYkNvcmUvaHRtbC9IVE1MUGx1Z0luSW1hZ2VFbGVtZW50LmNwcApp bmRleCA2YzliOWZhZDA2YWQuLmQ0NjliZDIyYzA1MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNv cmUvaHRtbC9IVE1MUGx1Z0luSW1hZ2VFbGVtZW50LmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9o dG1sL0hUTUxQbHVnSW5JbWFnZUVsZW1lbnQuY3BwCkBAIC0zMjgsNyArMzI4LDggQEAgdm9pZCBI VE1MUGx1Z0luSW1hZ2VFbGVtZW50Ojp1cGRhdGVJbWFnZUxvYWRlcldpdGhOZXdVUkxTb29uKCkK ICAgICAgICAgcmV0dXJuOwogCiAgICAgbV9uZWVkc0ltYWdlUmVsb2FkID0gdHJ1ZTsKLSAgICBz Y2hlZHVsZVVwZGF0ZUZvckFmdGVyU3R5bGVSZXNvbHV0aW9uKCk7CisgICAgaWYgKGluUmVuZGVy ZWREb2N1bWVudCgpKQorICAgICAgICBzY2hlZHVsZVVwZGF0ZUZvckFmdGVyU3R5bGVSZXNvbHV0 aW9uKCk7CiAgICAgaW52YWxpZGF0ZVN0eWxlKCk7CiB9CiAK