Bug 178712 - SizesAttributeParser::SizesAttributeParser triggers layout
Summary: SizesAttributeParser::SizesAttributeParser triggers layout
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-10-23 23:01 PDT by Ryosuke Niwa
Modified: 2017-10-24 10:24 PDT (History)
10 users (show)

See Also:

Attachments
Reverts r213711 (1.91 KB, patch)
2017-10-24 00:14 PDT, Ryosuke Niwa 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews105 for mac-elcapitan-wk2 (1.50 MB, application/zip)
2017-10-24 00:50 PDT, Build Bot 		no flags Details
Patch for landing (2.95 KB, patch)
2017-10-24 01:28 PDT, Ryosuke Niwa 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2017-10-23 23:01:37 PDT 
SizesAttributeParser::SizesAttributeParser triggers layout but this function is called inside Node::insertedIntoAncestor.
This is dangerous because updating layout could end up running arbitrary scripts.
Comment 1 Radar WebKit Bug Importer 2017-10-23 23:02:32 PDT 
<rdar://problem/35143533>
Comment 2 Ryosuke Niwa 2017-10-24 00:14:32 PDT 
Created attachment 324655 [details]
Reverts r213711
Comment 3 Antti Koivisto 2017-10-24 00:15:55 PDT 
Comment on attachment 324655 [details]
Reverts r213711

r=me
Comment 4 Ryosuke Niwa 2017-10-24 00:45:37 PDT 
Waiting for EWS...
Comment 5 Build Bot 2017-10-24 00:50:09 PDT 
Comment on attachment 324655 [details]
Reverts r213711

Attachment 324655 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4967867

Number of test failures exceeded the failure limit.
Comment 6 Build Bot 2017-10-24 00:50:11 PDT 
Created attachment 324658 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 7 Ryosuke Niwa 2017-10-24 01:19:28 PDT 
Somehow CSP is badly broken on mac-wk2.... that sound scary but I don't think it's anything to do with this patch.

Regressions: Unexpected text-only failures (30)
  http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html [ Failure ]
  http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html [ Failure ]
  http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-in-iframe.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-none.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-redirect.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-self.html [ Failure ]
  http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html [ Failure ]
  http/tests/security/contentSecurityPolicy/source-list-parsing-01.html [ Failure ]
  http/tests/security/contentSecurityPolicy/source-list-parsing-02.html [ Failure ]
  http/tests/security/contentSecurityPolicy/source-list-parsing-03.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick-control-char.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick-entities.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick-null-char.html [ Failure ]
  http/tests/security/xssAuditor/link-onclick.html [ Failure ]
  http/tests/security/xssAuditor/open-iframe-src-01.html [ Failure ]
  http/tests/security/xssAuditor/open-iframe-src-02.html [ Failure ]
  http/tests/websocket/tests/hybi/httponly-cookie.pl [ Failure ]
  http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html [ Failure ]
  http/tests/xmlhttprequest/access-control-and-redirects-async.html [ Failure ]
  http/tests/xmlhttprequest/access-control-and-redirects.html [ Failure ]
  http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url.html [ Failure ]
  http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header.html [ Failure ]
  http/tests/xmlhttprequest/access-control-basic-allow-async.html [ Failure ]
  http/tests/xmlhttprequest/workers/referer.html [ Failure ]
Comment 8 Ryosuke Niwa 2017-10-24 01:28:11 PDT 
Created attachment 324659 [details]
Patch for landing
Comment 9 Ryosuke Niwa 2017-10-24 01:28:31 PDT 
Comment on attachment 324659 [details]
Patch for landing

Wait for EWS first.
Comment 10 WebKit Commit Bot 2017-10-24 10:24:43 PDT 
Comment on attachment 324659 [details]
Patch for landing

Clearing flags on attachment: 324659

Committed r223895: <https://trac.webkit.org/changeset/223895>
Comment 11 WebKit Commit Bot 2017-10-24 10:24:45 PDT 
All reviewed patches have been landed.  Closing bug.