Bug 58610

Summary: CSP should block string arguments to setTimeout and setInterval unless options eval-script
Product: WebKit Reporter: Adam Barth <abarth>
Component: New Bugs    Assignee: Adam Barth <abarth>
Status: RESOLVED FIXED
Severity: Normal CC: aroben, commit-queue, eric, pnormand
Priority: P2
Version: 528+ (Nightly build)
Hardware: Other
OS: OS X 10.5
Bug Depends on:
Bug Blocks: 53572
Attachments:
Description: Patch    Flags: none
Description: Patch for landing    Flags: none

Description Adam Barth 2011-04-14 17:27:55 PDT
CSP should block string arguments to setTimeout and setInterval unless options eval-script
Comment 1 Adam Barth 2011-04-14 17:29:59 PDT
Created attachment 89697 [details]
Patch
Comment 2 Eric Seidel (no email) 2011-04-14 20:33:47 PDT
Comment on attachment 89697 [details]
Patch

OK.
Comment 3 Adam Barth 2011-04-15 00:39:44 PDT
Comment on attachment 89697 [details]
Patch

Clearing flags on attachment: 89697

Committed r83954: <http://trac.webkit.org/changeset/83954>
Comment 4 Adam Barth 2011-04-15 00:39:48 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Philippe Normand 2011-04-15 02:07:49 PDT
I think this patch broke fast/dom/Window/timer-null-script-execution-context.html on GTK:

http://webkit-bots.igalia.com/amd64/svn_83958.core-when_1302857706-_-who_DumpRenderTree-_-why_11.trace.html

Thread 1 (Thread 5107):
#0  0x00002b40f4742876 in WTF::RefPtr<WebCore::ContentSecurityPolicy>::get (this=0x13d8) at ../../Source/JavaScriptCore/wtf/RefPtr.h:60
#1  0x00002b40f4742146 in WebCore::Document::contentSecurityPolicy (this=0x0) at ../../Source/WebCore/dom/Document.h:1106
#2  0x00002b40f4741479 in WebCore::JSDOMWindow::setTimeout (this=0x2b41488259d0, exec=0x2b4148012130) at ../../Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:735
#3  0x00002b40f5224e70 in WebCore::jsDOMWindowPrototypeFunctionSetTimeout (exec=0x2b4148012130) at DerivedSources/WebCore/JSDOMWindow.cpp:9692
#4  0x00002b40f54f2975 in JSC::Interpreter::executeCall (this=0x15a0db0, callFrame=0x2b41480120b0, function=0x2b414bd3b210, callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:872
#5  0x00002b40f557f77c in JSC::call (exec=0x2b41480120b0, functionObject=..., callType=JSC::CallTypeHost, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:38
#6  0x00002b40f55908b5 in JSC::functionProtoFuncCall (exec=0x2b41480120b0) at ../../Source/JavaScriptCore/runtime/FunctionPrototype.cpp:146
#7  0x00002b41080001e8 in ?? ()
#8  0x00007ffff87ea2b0 in ?? ()
#9  0x00002b410805b52e in ?? ()
#10 0x00007ffff87ea240 in ?? ()
#11 0x00002b414bd3b210 in ?? ()
#12 0x0000000004167800 in ?? ()
#13 0x00002b4100000001 in ?? ()
#14 0x00002b414882f3a0 in ?? ()
#15 0x00007ffff87ea260 in ?? ()
#16 0x00007ffff87ea270 in ?? ()
#17 0x00002b40f45fa03d in JSC::JSValue::decode (ptr=0x2b40f94f4170) at ../../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:369
#18 0x00002b40f54f5779 in JSC::JITCode::execute (this=0x2b414bcdcb68, registerFile=0x15a0dc8, callFrame=0x2b4148012038, globalData=0xfc6050) at ../../Source/JavaScriptCore/jit/JITCode.h:77
#19 0x00002b40f54f2723 in JSC::Interpreter::executeCall (this=0x15a0db0, callFrame=0x2b4148826bd8, function=0x2b414bcfb710, callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:844
#20 0x00002b40f557f77c in JSC::call (exec=0x2b4148826bd8, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/JavaScriptCore/runtime/CallData.cpp:38
#21 0x00002b40f471fc6b in WebCore::JSMainThreadExecState::call (exec=0x2b4148826bd8, functionObject=..., callType=JSC::CallTypeJS, callData=..., thisValue=..., args=...) at ../../Source/WebCore/bindings/js/JSMainThreadExecState.h:48
#22 0x00002b40f4784b46 in WebCore::ScheduledAction::executeFunctionInContext (this=0x43c7f90, globalObject=0x2b4148826b50, thisValue=..., context=0x4130500) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:109
#23 0x00002b40f4784d3b in WebCore::ScheduledAction::execute (this=0x43c7f90, document=0x4130320) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:131
#24 0x00002b40f4784902 in WebCore::ScheduledAction::execute (this=0x43c7f90, context=0x4130500) at ../../Source/WebCore/bindings/js/ScheduledAction.cpp:79
#25 0x00002b40f4cd62fd in WebCore::DOMTimer::fired (this=0x43c7fd0) at ../../Source/WebCore/page/DOMTimer.cpp:148
#26 0x00002b40f4e06160 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0xfcdbb0) at ../../Source/WebCore/platform/ThreadTimers.cpp:112
#27 0x00002b40f4e06097 in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:90
#28 0x00002b40f45b485a in WebCore::timeout_cb () at ../../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49
#29 0x00002b40f9253dbb in g_timeout_dispatch (source=0x41d8650, callback=0x2b4148012130, user_data=0x2b4148012130) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3877
#30 0x00002b40f9253362 in g_main_dispatch (context=0xffff000000000002) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:2440
#31 g_main_context_dispatch (context=0xffff000000000002) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3013
#32 0x00002b40f9257a28 in g_main_context_iterate (context=0xf27a30, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3091
#33 0x00002b40f9257f35 in g_main_loop_run (loop=0x4121c90) at /tmp/buildd/glib2.0-2.27.91/./glib/gmain.c:3299
#34 0x00002b40f71c6657 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#35 0x0000000000421360 in runTest (testPathOrURL=...) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:702
#36 0x00000000004209fd in runTestingServerLoop () at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:494
#37 0x0000000000422cbf in main (argc=2, argv=0x7ffff87eb438) at ../../Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:1179
Comment 6 Philippe Normand 2011-04-15 02:08:30 PDT
Forgot a bit:

Program terminated with signal 11, Segmentation fault.
#0  0x00002b40f4742876 in WTF::RefPtr<WebCore::ContentSecurityPolicy>::get (this=0x13d8) at ../../Source/JavaScriptCore/wtf/RefPtr.h:60
60	        T* get() const { return m_ptr; }
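The trace above shows the new string-argument check reaching Document::contentSecurityPolicy() with this=0x0, i.e. a timer firing with no script execution context. The following stand-alone C++ sketch, added here and not taken from either patch on this bug, models the policy decision with a null-safe context check: the ContentSecurityPolicy and ScriptExecutionContext types, the directive parsing, and the choice to refuse scheduling when the context is null are all this example's own assumptions, not WebKit's code.

```cpp
#include <sstream>
#include <string>

// Stand-in for WebCore::ContentSecurityPolicy (constructed for this example, not WebKit's class). It
// parses the pre-1.0 syntax WebKit used then: ';'-separated directives, each a name followed by
// whitespace-separated values, e.g. "script-src 'self'; options eval-script".
struct ContentSecurityPolicy {
    bool evalScriptAllowed = false;
    explicit ContentSecurityPolicy(const std::string& header) {
        std::istringstream directives(header);
        std::string directive;
        while (std::getline(directives, directive, ';')) {
            std::istringstream tokens(directive);
            std::string name, value;
            if (!(tokens >> name) || name != "options")
                continue;
            while (tokens >> value)
                if (value == "eval-script")
                    evalScriptAllowed = true;
        }
    }
    bool allowEval() const { return evalScriptAllowed; }
};

// Stand-in for the Document seen in the trace; `policy` is null when no CSP header was delivered.
struct ScriptExecutionContext {
    const ContentSecurityPolicy* policy;
    const ContentSecurityPolicy* contentSecurityPolicy() const { return policy; }
};

enum class TimerArgument { Function, String };

// May setTimeout/setInterval schedule `argument`? `context` may be null, the case the failing test's
// name describes and the trace shows (contentSecurityPolicy called with this=0x0). Refusing to
// schedule then is this example's assumption, not a claim about what the landed patch does.
bool allowScheduledAction(const ScriptExecutionContext* context, TimerArgument argument) {
    if (argument == TimerArgument::Function)
        return true;                // a callable is not eval; no policy check needed
    if (!context)
        return false;               // nothing to evaluate the string in: refuse, don't dereference null
    const ContentSecurityPolicy* policy = context->contentSecurityPolicy();
    if (!policy)
        return true;                // no policy delivered: pre-CSP behaviour, string allowed
    return policy->allowEval();     // a string argument is eval; only "options eval-script" permits it
}
```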
Comment 8 Adam Roben (:aroben) 2011-04-15 06:14:02 PDT
I rolled this out in r83963 to stop the crashing on the bots.
Comment 9 Adam Barth 2011-04-15 11:02:02 PDT
(In reply to comment #8)
> I rolled this out in r83963 to stop the crashing on the bots.

Thanks!  Sorry I went to sleep.  :(
Comment 10 Adam Barth 2011-04-15 13:51:31 PDT
Created attachment 89847 [details]
Patch for landing
Comment 11 WebKit Commit Bot 2011-04-15 19:33:31 PDT
Comment on attachment 89847 [details]
Patch for landing

Clearing flags on attachment: 89847

Committed r84073: <http://trac.webkit.org/changeset/84073>
Comment 12 WebKit Commit Bot 2011-04-15 19:33:37 PDT
All reviewed patches have been landed.  Closing bug.