180769 – Crash inside ImageLoader::updateFromElement()

Bug 180769 - Crash inside ImageLoader::updateFromElement()

Summary: Crash inside ImageLoader::updateFromElement()

Status:	REOPENED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:	180729 180855
Blocks:
	Show dependency tree / graph

Reported:	2017-12-13 14:38 PST by Ryosuke Niwa
Modified:	2022-02-09 10:13 PST (History)
CC List:	7 users (show)

See Also:

Attachments
Fixes the crash (19.25 KB, patch) 2017-12-13 14:50 PST, Ryosuke Niwa	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2017-12-13 14:38:22 PST

Because ImageLoader::updateFromElement() can send a sync IPC with the following stack trace and execute arbitrary scripts while waiting for the response, it's not safe to call this function where NoEventDispatchAssertion is present.

3 WebKit: IPC::Connection::SyncMessageState::dispatchMessages(IPC::Connection*)
  3 WebKit: IPC::Connection::waitForSyncReply(unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
    3 WebKit: IPC::Connection::sendSyncMessage(unsigned long long, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
      3 WebKit: bool IPC::Connection::sendSync<Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue>(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue&&, Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply&&, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
        3 WebKit: WebKit::WebPlatformStrategies::cookieRequestHeaderFieldValue(WebCore::SessionID, WebCore::URL const&, WebCore::URL const&)
          3 WebCore: WebCore::verifyVaryingRequestHeaders(WTF::Vector<std::__1::pair<WTF::String, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::ResourceRequest const&, WebCore::SessionID)
            3 WebCore: WebCore::CachedResource::varyHeaderValuesMatch(WebCore::ResourceRequest const&)
              3 WebCore: WebCore::CachedResourceLoader::determineRevalidationPolicy(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&, WebCore::CachedResource*, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption) const
                3 WebCore: WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&&, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption)
                  3 WebCore: WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&&)
                    3 WebCore: WebCore::ImageLoader::updateFromElement()

Comment 1 Ryosuke Niwa 2017-12-13 14:38:42 PST

<rdar://problem/35278782>

Comment 2 Ryosuke Niwa 2017-12-13 14:50:42 PST

Created attachment 329262 [details]
Fixes the crash

Comment 3 WebKit Commit Bot 2017-12-13 16:05:46 PST

Comment on attachment 329262 [details]
Fixes the crash

Clearing flags on attachment: 329262

Committed r225878: <https://trac.webkit.org/changeset/225878>

Comment 4 WebKit Commit Bot 2017-12-13 16:05:48 PST

All reviewed patches have been landed.  Closing bug.

Comment 5 WebKit Commit Bot 2017-12-14 17:36:17 PST

Re-opened since this is blocked by bug 180855