RESOLVED FIXED 221375
WebKitTestRunner can get stuck stuck on onload = () => document.createElement('embed'); 
https://bugs.webkit.org/show_bug.cgi?id=221375
Summary WebKitTestRunner can get stuck stuck on onload = () => document.createElement...
Ryosuke Niwa
Reported 2021-02-03 18:52:17 PST
WebKitTestRunner get stuck on this: <script> onload = () => document.createElement('embed'); </script> the results are the same for the object and applet tags. Steps To Reproduce: DYLD_FRAMEWORK_PATH=<WEBKIT_PATH>/WebKitBuild/Debug <WEBKIT_PATH>/WebKitBuild/Debug/WebKitTestRunner repro_407.html Results: WebKitTestRunner gets stuck, waiting forever. For the slightly modified test case: <script> onload = () => { testRunner.waitUntilDone(); testRunner.notifyDone(); $vm.print('before'); document.createElement('embed'); $vm.print('after'); throw new Error(`an error`); } </script> <rdar://problem/69554695>
Attachments
Patch (2.01 KB, patch)
2021-02-08 07:51 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (5.07 KB, patch)
2021-02-09 08:51 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (5.22 KB, patch)
2021-02-10 00:21 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (2.55 KB, patch)
2021-02-10 08:04 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (2.55 KB, patch)
2021-02-10 08:55 PST, Rob Buis 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Rob Buis
Comment 1 2021-02-08 07:51:45 PST
Created attachment 419592 [details] Patch
Alex Christensen
Comment 2 2021-02-08 09:31:38 PST
Comment on attachment 419592 [details] Patch Definitely needs a test. I don't think this is the right fix, because if it were we would need to do this at all call sites of incrementLoadEventDelayCount and we don't.
Rob Buis
Comment 3 2021-02-09 08:51:40 PST
Created attachment 419728 [details] Patch
Rob Buis
Comment 4 2021-02-09 12:49:03 PST
(In reply to Alex Christensen from comment #2) > Comment on attachment 419592 [details] > Patch > > Definitely needs a test. > I don't think this is the right fix, because if it were we would need to do > this at all call sites of incrementLoadEventDelayCount and we don't. No test at the time since I was not sure if it is a security issue. I am now more convinced it is not a security issue, so I added a test in the new patch.
Alex Christensen
Comment 5 2021-02-09 12:53:36 PST
Comment on attachment 419728 [details] Patch This isn't obviously wrong like the first one was, but I don't know why finishCreating was there in the first place, or what the consequences of this can be.
Rob Buis
Comment 6 2021-02-09 13:11:28 PST
(In reply to Alex Christensen from comment #5) > Comment on attachment 419728 [details] > Patch > > This isn't obviously wrong like the first one was, but I don't know why > finishCreating was there in the first place, or what the consequences of > this can be. The relevant change seems to be https://bugs.webkit.org/show_bug.cgi?id=130653. AFAICS that change moved scheduling to an earlier point in time, i.e. element creation instead of children parsing to be finished or src to be set. Not sure why that change in behaviour (if I have read that code right) would be needed, maybe Darin remembers? The scheduling is done even though the embed element may never be appended to the document, like in the test case in this bug.
Ryosuke Niwa
Comment 7 2021-02-09 19:32:08 PST
Comment on attachment 419728 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=419728&action=review This looks right. We call scheduleUpdateForAfterStyleResolution() whenever we parse an attribute so it should be safe to remove the call in the constructor. > LayoutTests/plugins/embed-creation-crash-expected.txt:1 > +This test should not crash. You mean this shouldn't hang?
Rob Buis
Comment 8 2021-02-10 00:19:11 PST
Comment on attachment 419728 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=419728&action=review >> LayoutTests/plugins/embed-creation-crash-expected.txt:1 >> +This test should not crash. > > You mean this shouldn't hang? Good point, will fix before landing.
Rob Buis
Comment 9 2021-02-10 00:21:19 PST
Created attachment 419818 [details] Patch
EWS
Comment 10 2021-02-10 01:13:47 PST
Committed r272640: <https://commits.webkit.org/r272640> All reviewed patches have been landed. Closing bug and clearing flags on attachment 419818 [details].
Ryosuke Niwa
Comment 11 2021-02-10 03:31:41 PST
(In reply to Rob Buis from comment #8) > Comment on attachment 419728 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=419728&action=review > > >> LayoutTests/plugins/embed-creation-crash-expected.txt:1 > >> +This test should not crash. > > > > You mean this shouldn't hang? > > Good point, will fix before landing. You forgot to rename the file name LOL. rs=me on the rename from -crash to -hang.
Rob Buis
Comment 12 2021-02-10 08:04:44 PST
Reopening to attach new patch.
Rob Buis
Comment 13 2021-02-10 08:04:49 PST
Created attachment 419846 [details] Patch
Rob Buis
Comment 14 2021-02-10 08:55:55 PST
Created attachment 419852 [details] Patch
EWS
Comment 15 2021-02-10 12:31:58 PST
Committed r272676: <https://commits.webkit.org/r272676> All reviewed patches have been landed. Closing bug and clearing flags on attachment 419852 [details].
Note You need to log in before you can comment on or make changes to this bug.