Bug 178712

Summary: SizesAttributeParser::SizesAttributeParser triggers layout
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: CSS
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, buildbot, commit-queue, koivisto, rniwa, simon.fraser, webkit-bug-importer, yoav, youennf, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=169465
Attachments (description; flags):
Reverts r213711; flags: none
Archive of layout-test-results from ews105 for mac-elcapitan-wk2; flags: none
Patch for landing; flags: none

Description Ryosuke Niwa 2017-10-23 23:01:37 PDT
SizesAttributeParser::SizesAttributeParser triggers layout but this function is called inside Node::insertedIntoAncestor.
This is dangerous because updating layout could end up running arbitrary scripts.
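
The hazard in the description above, as a toy model. This is an added example, not part of the bug report and not WebKit code: every name in it is hypothetical. It contrasts running layout (and so script) from inside an insertion callback with queuing that work until the insertion has finished. Deferral is shown as one common mitigation, on the assumption that it fits; the patch on this bug reverts r213711 instead.

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Toy model of the hazard; every name here is hypothetical, none is WebKit API.
struct Document {
    std::vector<std::string> children;
    std::function<void(Document&)> scriptRunByLayout;  // script that layout may end up running
    std::vector<std::function<void(Document&)>> postInsertionTasks;
    bool insertionInProgress = false;
    int mutationsDuringInsertion = 0;  // tree changes made while an insertion was half done
    void updateLayout() { if (scriptRunByLayout) scriptRunByLayout(*this); }
    void removeChild(const std::string& name) {
        if (insertionInProgress) ++mutationsDuringInsertion;
        children.erase(std::remove(children.begin(), children.end(), name), children.end());
    }
};

enum class Mode { LayoutInCallback, LayoutDeferred };

void insertImage(Document& doc, Mode mode) {
    doc.insertionInProgress = true;
    doc.children.push_back("img");
    // Stands in for work done from the insertion callback that needs layout.
    auto evaluateSizes = [](Document& d) { d.updateLayout(); };
    if (mode == Mode::LayoutInCallback)
        evaluateSizes(doc);  // script runs while the tree is mid-mutation
    else
        doc.postInsertionTasks.push_back(evaluateSizes);
    doc.insertionInProgress = false;
    // Insertion finished: queued work may now run script against a consistent tree.
    auto tasks = std::move(doc.postInsertionTasks);
    doc.postInsertionTasks.clear();
    for (auto& task : tasks) task(doc);
}

// Returns how many tree mutations script performed in the middle of the insertion.
int runScenario(Mode mode) {
    Document doc;
    doc.children.push_back("sibling");  // constructed sample tree
    doc.scriptRunByLayout = [](Document& d) { d.removeChild("sibling"); };
    insertImage(doc, mode);
    return doc.mutationsDuringInsertion;
}

int main() { return runScenario(Mode::LayoutInCallback) == 1 && runScenario(Mode::LayoutDeferred) == 0 ? 0 : 1; }
```
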
Comment 1 Radar WebKit Bug Importer 2017-10-23 23:02:32 PDT
<rdar://problem/35143533>
Comment 2 Ryosuke Niwa 2017-10-24 00:14:32 PDT
Created attachment 324655 [details]
Reverts r213711
Comment 3 Antti Koivisto 2017-10-24 00:15:55 PDT
Comment on attachment 324655 [details]
Reverts r213711

r=me
Comment 4 Ryosuke Niwa 2017-10-24 00:45:37 PDT
Waiting for EWS...
Comment 5 Build Bot 2017-10-24 00:50:09 PDT
Comment on attachment 324655 [details]
Reverts r213711

Attachment 324655 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4967867

Number of test failures exceeded the failure limit.
Comment 6 Build Bot 2017-10-24 00:50:11 PDT
Created attachment 324658 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 7 Ryosuke Niwa 2017-10-24 01:19:28 PDT
Somehow CSP is badly broken on mac-wk2.... that sounds scary but I don't think it's anything to do with this patch.

Regressions: Unexpected text-only failures (30)
  http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html [ Failure ]
  http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html [ Failure ]
  http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-in-iframe.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-none.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-redirect.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html [ Failure ]
  http/tests/security/contentSecurityPolicy/source-list-parsing-01.html [ Failure ]
  http/tests/security/contentSecurityPolicy/source-list-parsing-02.html [ Failure ]
  http/tests/security/contentSecurityPolicy/source-list-parsing-03.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick-control-char.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick-entities.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick-null-char.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick.html [ Failure ]
  http/tests/security/xssAuditor/open-iframe-src-01.html [ Failure ]
  http/tests/security/xssAuditor/open-iframe-src-02.html [ Failure ]
  http/tests/websocket/tests/hybi/httponly-cookie.pl [ Failure ]
  http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html [ Failure ]
  http/tests/xmlhttprequest/access-control-and-redirects-async.html [ Failure ]
  http/tests/xmlhttprequest/access-control-and-redirects.html [ Failure ]
  http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html [ Failure ]
  http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header.html [ Failure ]
  http/tests/xmlhttprequest/access-control-basic-allow-async.html [ Failure ]
  http/tests/xmlhttprequest/workers/referer.html [ Failure ]
Comment 8 Ryosuke Niwa 2017-10-24 01:28:11 PDT
Created attachment 324659 [details]
Patch for landing
Comment 9 Ryosuke Niwa 2017-10-24 01:28:31 PDT
Comment on attachment 324659 [details]
Patch for landing

Wait for EWS first.
Comment 10 WebKit Commit Bot 2017-10-24 10:24:43 PDT
Comment on attachment 324659 [details]
Patch for landing

Clearing flags on attachment: 324659

Committed r223895: <https://trac.webkit.org/changeset/223895>
Comment 11 WebKit Commit Bot 2017-10-24 10:24:45 PDT
All reviewed patches have been landed.  Closing bug.