WebKitTestRunner does not proceed after loading this: <script> onload = () => { let e = document.createElement('embed'); e.src = 'x'; }; </script> <rdar://75879762>
Seems like this is an impediment to fuzz testing, not a bug that itself has security impact, right?
(In reply to Darin Adler from comment #1) > Seems like this is an impediment to fuzz testing, not a bug that itself has > security impact, right? Yeah, I guess there is no need to keep this under security component.
The problem is that the load never finishes, so WTR keeps waiting for the final message from injected bundle that happens when the page is loaded. When the src attribute is changed, HTMLPlugInImageElement::updateImageLoaderWithNewURLSoon() is called. That calls HTMLPlugInImageElement::scheduleUpdateForAfterStyleResolution() that increases the document load event delay count and queues a style post resolution callback. The document load event delay count is decreased in HTMLPlugInImageElement::updateAfterStyleResolution), called by the style post resolution callback. But the callback is never called because the embed element is not in tree, and it's never added, keeping the document load event delay unbalanced. I think we should not call scheduleUpdateForAfterStyleResolution() when the element is not in render tree, since we know Node::invalidateStyle() will return early and style post resolution callbacks will not be called. If the element is added to the tree eventually, scheduleUpdateForAfterStyleResolution() will be called by didRecalcStyle, so the image will be loaded.
Created attachment 426669 [details] Patch
Comment on attachment 426669 [details] Patch Thanks!
Committed r276582 (237018@main): <https://commits.webkit.org/237018@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426669 [details].