Bug 178712

Summary: SizesAttributeParser::SizesAttributeParser triggers layout
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: CSSAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, buildbot, commit-queue, koivisto, rniwa, simon.fraser, webkit-bug-importer, yoav, youennf, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=169465
Attachments:
Description Flags
Reverts r213711
none
Archive of layout-test-results from ews105 for mac-elcapitan-wk2
none
Patch for landing none

Ryosuke Niwa
Reported 2017-10-23 23:01:37 PDT
SizesAttributeParser::SizesAttributeParser triggers layout but this function is called inside Node::insertedIntoAncestor. This is dangerous because updating layout could end up running arbitrary scripts.
Attachments
Reverts r213711 (1.91 KB, patch)
2017-10-24 00:14 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews105 for mac-elcapitan-wk2 (1.50 MB, application/zip)
2017-10-24 00:50 PDT, Build Bot 		no flags
Details
Patch for landing (2.95 KB, patch)
2017-10-24 01:28 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-10-23 23:02:32 PDT
<rdar://problem/35143533>
Ryosuke Niwa
Comment 2 2017-10-24 00:14:32 PDT
Created attachment 324655 [details] Reverts r213711
Antti Koivisto
Comment 3 2017-10-24 00:15:55 PDT
Comment on attachment 324655 [details] Reverts r213711 r=me
Ryosuke Niwa
Comment 4 2017-10-24 00:45:37 PDT
Waiting for EWS...
Build Bot
Comment 5 2017-10-24 00:50:09 PDT
Comment on attachment 324655 [details] Reverts r213711 Attachment 324655 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/4967867 Number of test failures exceeded the failure limit.
Build Bot
Comment 6 2017-10-24 00:50:11 PDT
Created attachment 324658 [details] Archive of layout-test-results from ews105 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
Ryosuke Niwa
Comment 7 2017-10-24 01:19:28 PDT
Somehow CSP is badly broken on mac-wk2.... that sound scary but I don't think it's anything to do with this patch. Regressions: Unexpected text-only failures (30) http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html [ Failure ] http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html [ Failure ] http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window.html [ Failure ] http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-in-iframe.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-none.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-redirect.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-self.html [ Failure ] http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html [ Failure ] http/tests/security/contentSecurityPolicy/source-list-parsing-01.html [ Failure ] http/tests/security/contentSecurityPolicy/source-list-parsing-02.html [ Failure ] http/tests/security/contentSecurityPolicy/source-list-parsing-03.html [ Failure ] http/tests/security/xssAuditor/link-onclick-control-char.html [ Failure ] http/tests/security/xssAuditor/link-onclick-entities.html [ Failure ] http/tests/security/xssAuditor/link-onclick-null-char.html [ Failure ] http/tests/security/xssAuditor/link-onclick.html [ Failure ] http/tests/security/xssAuditor/open-iframe-src-01.html [ Failure ] http/tests/security/xssAuditor/open-iframe-src-02.html [ Failure ] http/tests/websocket/tests/hybi/httponly-cookie.pl [ Failure ] http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html [ Failure ] http/tests/xmlhttprequest/access-control-and-redirects-async.html [ Failure ] http/tests/xmlhttprequest/access-control-and-redirects.html [ Failure ] http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html [ Failure ] http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header.html [ Failure ] http/tests/xmlhttprequest/access-control-basic-allow-async.html [ Failure ] http/tests/xmlhttprequest/workers/referer.html [ Failure ]
Ryosuke Niwa
Comment 8 2017-10-24 01:28:11 PDT
Created attachment 324659 [details] Patch for landing
Ryosuke Niwa
Comment 9 2017-10-24 01:28:31 PDT
Comment on attachment 324659 [details] Patch for landing Wait for EWS first.
WebKit Commit Bot
Comment 10 2017-10-24 10:24:43 PDT
Comment on attachment 324659 [details] Patch for landing Clearing flags on attachment: 324659 Committed r223895: <https://trac.webkit.org/changeset/223895>
WebKit Commit Bot
Comment 11 2017-10-24 10:24:45 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.