Bug 273819

Summary:	Update implementation of TT enforcement for document.write/writeln
Product:	WebKit	Reporter:	Luke Warlow <lwarlow>
Component:	DOM	Assignee:	Luke Warlow <lwarlow>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	darbinyan, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	Safari 17
Hardware:	Unspecified
OS:	Unspecified
See Also:	https://github.com/web-platform-tests/wpt/pull/46141
Bug Depends on:	274567
Bug Blocks:	266630

Luke Warlow

Reported 2024-05-07 05:04:55 PDT

See https://github.com/w3c/trusted-types/issues/510

Attachments
Add attachment proposed patch, testcase, etc.

Luke Warlow

Comment 1 2024-05-07 08:23:58 PDT

Pull request: https://github.com/WebKit/WebKit/pull/28238

EWS

Comment 2 2024-05-08 03:53:06 PDT

Committed 278501@main (e84b70e7fa81): <https://commits.webkit.org/278501@main> Reviewed commits have been landed. Closing PR #28238 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2024-05-08 03:54:16 PDT

<rdar://problem/127728959>

Marta Darbinyan

Comment 4 2024-05-22 17:10:13 PDT

This change causes crashes when running WK1 layout tests under ASan on Sonoma.

Marta Darbinyan

Comment 5 2024-05-22 17:11:26 PDT

Will share a backtrace later.

Marta Darbinyan

Comment 6 2024-05-23 09:22:38 PDT

This change was reverted. Backtrace: ==37330==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011879d524 at pc 0x000139c6a764 bp 0x00016d4984c0 sp 0x00016d4984b8 READ of size 1 at 0x00011879d524 thread T0 #0 0x139c6a760 in WebCore::SegmentedString::appendSubstring(WebCore::SegmentedString::Substring&&)+0x594 (WebCore:arm64e+0x71ea760) #1 0x132af60bc in WebCore::SegmentedString::append(WebCore::SegmentedString const&)+0xf8 (WebCore:arm64e+0x760bc) #2 0x13850c3b8 in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&)+0x470 (WebCore:arm64e+0x5a8c3b8) #3 0x137913e74 in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&)+0x208 (WebCore:arm64e+0x4e93e74) #4 0x1379145d8 in WebCore::Document::write(WebCore::Document*, WTF::FixedVector<std::__1::variant<WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML>>, WTF::String>>&&)+0x484 (WebCore:arm64e+0x4e945d8) #5 0x133df9828 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&)+0x198 (WebCore:arm64e+0x1379828) #6 0x133df8978 in WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x25c (WebCore:arm64e+0x1378978) #7 0x133de7ad8 in WebCore::jsDocumentPrototypeFunction_write(JSC::JSGlobalObject*, JSC::CallFrame*)+0xe4 (WebCore:arm64e+0x1367ad8) #8 0x14013c140 (<unknown module>)

Luke Warlow

Comment 7 2024-05-24 05:20:14 PDT

Do you happen to have an example test that's crashing with that change to help me debug the cause? I've tried doing a local ASAN release build, with the change applied, and running the fast and WPT tests and so far none of them have crashed.

Luke Warlow

Comment 8 2024-05-24 15:43:45 PDT

Pull request: https://github.com/WebKit/WebKit/pull/29091

Marta Darbinyan

Comment 9 2024-05-28 14:44:37 PDT

Hi Luke, here is an example of the test that crashed on Asan builds that should help you debug. The command to reproduce: run-webkit-tests --release http/tests/inspector/network/resource-response-inspector-override.html

EWS

Comment 10 2024-06-11 03:42:32 PDT

Committed 279904@main (cfe83d0fa5bc): <https://commits.webkit.org/279904@main> Reviewed commits have been landed. Closing PR #29091 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.