Bug 180769 - Crash inside ImageLoader::updateFromElement()
Summary: Crash inside ImageLoader::updateFromElement()
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on: 180729 180855
Blocks:
Reported: 2017-12-13 14:38 PST by Ryosuke Niwa
Modified: 2017-12-14 17:36 PST (History)
CC List: 6 users

See Also:


Attachments
Fixes the crash (19.25 KB, patch)
2017-12-13 14:50 PST, Ryosuke Niwa
no flags

Description Ryosuke Niwa 2017-12-13 14:38:22 PST
Because ImageLoader::updateFromElement() can send a sync IPC with the following stack trace and execute arbitrary scripts while waiting for the response, it's not safe to call this function where NoEventDispatchAssertion is present.

3 WebKit: IPC::Connection::SyncMessageState::dispatchMessages(IPC::Connection*)
  3 WebKit: IPC::Connection::waitForSyncReply(unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
    3 WebKit: IPC::Connection::sendSyncMessage(unsigned long long, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
      3 WebKit: bool IPC::Connection::sendSync<Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue>(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue&&, Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply&&, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
        3 WebKit: WebKit::WebPlatformStrategies::cookieRequestHeaderFieldValue(WebCore::SessionID, WebCore::URL const&, WebCore::URL const&)
          3 WebCore: WebCore::verifyVaryingRequestHeaders(WTF::Vector<std::__1::pair<WTF::String, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::ResourceRequest const&, WebCore::SessionID)
            3 WebCore: WebCore::CachedResource::varyHeaderValuesMatch(WebCore::ResourceRequest const&)
              3 WebCore: WebCore::CachedResourceLoader::determineRevalidationPolicy(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&, WebCore::CachedResource*, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption) const
                3 WebCore: WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&&, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption)
                  3 WebCore: WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&&)
                    3 WebCore: WebCore::ImageLoader::updateFromElement()
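The hazard described above, as an added model that is not WebKit code and not part of the bug report: a scope guard standing in for NoEventDispatchAssertion, a connection whose sync send drains incoming messages while it waits (the behaviour of IPC::Connection::waitForSyncReply in the stack above), and a stand-in for ImageLoader::updateFromElement() that needs a sync cookie round trip. The class and function names here (NoEventDispatchScope, SyncConnection, ImageElement, updateWhileGuarded, updateAfterGuardReleased) are all hypothetical. The "script" that arrives mid-call is a queued callback that mutates the element, and the two entry points contrast calling the loader while the guard is held with deferring the call until the guard has been released.

```cpp
#include <functional>
#include <string>
#include <vector>

// Hypothetical scope guard modelled loosely on WebKit's NoEventDispatchAssertion:
// while one is alive, the code path promises not to run script or dispatch events.
class NoEventDispatchScope {
public:
    NoEventDispatchScope() { ++s_depth; }
    ~NoEventDispatchScope() { --s_depth; }
    static bool isActive() { return s_depth > 0; }
private:
    static int s_depth;
};
int NoEventDispatchScope::s_depth = 0;

// Stand-in for the web-process side of the IPC connection. Messages that arrive
// while a sync call is blocked on its reply are dispatched on the spot; that is
// the property that lets arbitrary script run inside the caller's frame.
struct SyncConnection {
    std::vector<std::function<void()>> incoming;
    bool scriptRanUnderGuard = false;

    void sendSync(const std::string& /*messageName*/) {
        // Equivalent of waitForSyncReply() -> dispatchMessages(): drain the queue.
        for (auto& handler : incoming) {
            if (NoEventDispatchScope::isActive())
                scriptRanUnderGuard = true;   // the condition the real assertion would trip on
            handler();
        }
        incoming.clear();
    }
};

struct ImageElement {
    bool loadRequested = false;
    bool detachedByScript = false;
};

// Stand-in for ImageLoader::updateFromElement(): the image request needs the
// cookie header, which is obtained with a sync round trip to the network process.
void updateFromElement(SyncConnection& conn, ImageElement& img) {
    conn.sendSync("NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue");
    img.loadRequested = true;
}

// Constructed "script" message: mutates the element behind the caller's back.
static void queueScript(SyncConnection& conn, ImageElement& img) {
    conn.incoming.push_back([&img] { img.detachedByScript = true; });
}

// The buggy shape: the loader is called while the guard is held, so the queued
// script runs inside the region that forbids it. Returns true in that case.
bool updateWhileGuarded() {
    SyncConnection conn;
    ImageElement img;
    queueScript(conn, img);
    {
        NoEventDispatchScope scope;   // caller assumes nothing can run here
        updateFromElement(conn, img);
    }
    return conn.scriptRanUnderGuard;  // true: script ran under the guard
}

// The safe shape: record the work inside the guard and perform the image load
// only after the guard has been released, so any script that runs during the
// sync IPC does so where DOM mutation is permitted. Returns false.
bool updateAfterGuardReleased() {
    SyncConnection conn;
    ImageElement img;
    queueScript(conn, img);
    bool loadPending = false;
    {
        NoEventDispatchScope scope;
        loadPending = true;           // defer instead of calling into the loader
    }
    if (loadPending)
        updateFromElement(conn, img);
    return conn.scriptRanUnderGuard;  // false: script ran only after the scope ended
}
```

The point the model makes is that the guard cannot see through a blocking IPC call: anything the connection dispatches while waiting is, from the guard's perspective, a re-entrant script run, so the fix pattern is to move such calls outside the guarded region rather than to make the assertion more permissive.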
Comment 1 Ryosuke Niwa 2017-12-13 14:38:42 PST
<rdar://problem/35278782>
Comment 2 Ryosuke Niwa 2017-12-13 14:50:42 PST
Created attachment 329262 [details]
Fixes the crash
Comment 3 WebKit Commit Bot 2017-12-13 16:05:46 PST
Comment on attachment 329262 [details]
Fixes the crash

Clearing flags on attachment: 329262

Committed r225878: <https://trac.webkit.org/changeset/225878>
Comment 4 WebKit Commit Bot 2017-12-13 16:05:48 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 WebKit Commit Bot 2017-12-14 17:36:17 PST
Re-opened since this is blocked by bug 180855