273819 2024-05-07 05:04:55 -0700 Update implementation of TT enforcement for document.write/writeln 2024-06-11 03:42:34 -0700 1 1 1 Unclassified WebKit DOM Safari 17 Unspecified Unspecified RESOLVED FIXED https://github.com/web-platform-tests/wpt/pull/46141 InRadar P2 Normal --- 274567 266630 1 lwarlow lwarlow darbinyan webkit-bug-importer oldest_to_newest 2033705 0 lwarlow 2024-05-07 05:04:55 -0700 See https://github.com/w3c/trusted-types/issues/510 2033733 1 lwarlow 2024-05-07 08:23:58 -0700 Pull request: https://github.com/WebKit/WebKit/pull/28238 2033971 2 ews-feeder 2024-05-08 03:53:06 -0700 Committed 278501@main (e84b70e7fa81): <https://commits.webkit.org/278501@main> Reviewed commits have been landed. Closing PR #28238 and removing active labels. 2033972 3 webkit-bug-importer 2024-05-08 03:54:16 -0700 <rdar://problem/127728959> 2037187 4 darbinyan 2024-05-22 17:10:13 -0700 This change causes crashes when running WK1 layout tests under ASan on Sonoma. 2037189 5 darbinyan 2024-05-22 17:11:26 -0700 Will share a backtrace later. 2037343 6 darbinyan 2024-05-23 09:22:38 -0700 This change was reverted. Backtrace: ==37330==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011879d524 at pc 0x000139c6a764 bp 0x00016d4984c0 sp 0x00016d4984b8 READ of size 1 at 0x00011879d524 thread T0 #0 0x139c6a760 in WebCore::SegmentedString::appendSubstring(WebCore::SegmentedString::Substring&&)+0x594 (WebCore:arm64e+0x71ea760) #1 0x132af60bc in WebCore::SegmentedString::append(WebCore::SegmentedString const&)+0xf8 (WebCore:arm64e+0x760bc) #2 0x13850c3b8 in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&)+0x470 (WebCore:arm64e+0x5a8c3b8) #3 0x137913e74 in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&)+0x208 (WebCore:arm64e+0x4e93e74) #4 0x1379145d8 in WebCore::Document::write(WebCore::Document*, WTF::FixedVector<std::__1::variant<WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML>>, WTF::String>>&&)+0x484 (WebCore:arm64e+0x4e945d8) #5 0x133df9828 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&)+0x198 (WebCore:arm64e+0x1379828) #6 0x133df8978 in WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x25c (WebCore:arm64e+0x1378978) #7 0x133de7ad8 in WebCore::jsDocumentPrototypeFunction_write(JSC::JSGlobalObject*, JSC::CallFrame*)+0xe4 (WebCore:arm64e+0x1367ad8) #8 0x14013c140 (<unknown module>) 2037601 7 lwarlow 2024-05-24 05:20:14 -0700 Do you happen to have an example test that's crashing with that change to help me debug the cause? I've tried doing a local ASAN release build, with the change applied, and running the fast and WPT tests and so far none of them have crashed. 2037788 8 lwarlow 2024-05-24 15:43:45 -0700 Pull request: https://github.com/WebKit/WebKit/pull/29091 2038290 9 darbinyan 2024-05-28 14:44:37 -0700 Hi Luke, here is an example of the test that crashed on Asan builds that should help you debug. The command to reproduce: run-webkit-tests --release http/tests/inspector/network/resource-response-inspector-override.html 2040766 10 ews-feeder 2024-06-11 03:42:32 -0700 Committed 279904@main (cfe83d0fa5bc): <https://commits.webkit.org/279904@main> Reviewed commits have been landed. Closing PR #29091 and removing active labels.