Bug 273819 - Update implementation of TT enforcement for document.write/writeln
Summary: Update implementation of TT enforcement for document.write/writeln
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: Safari 17
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Luke Warlow
URL:
Keywords: InRadar
Depends on: 274567
Blocks: 266630
Reported: 2024-05-07 05:04 PDT by Luke Warlow
Modified: 2024-06-11 03:42 PDT (History)
Description Luke Warlow 2024-05-07 05:04:55 PDT
See https://github.com/w3c/trusted-types/issues/510
Comment 1 Luke Warlow 2024-05-07 08:23:58 PDT
Pull request: https://github.com/WebKit/WebKit/pull/28238
Comment 2 EWS 2024-05-08 03:53:06 PDT
Committed 278501@main (e84b70e7fa81): <https://commits.webkit.org/278501@main>

Reviewed commits have been landed. Closing PR #28238 and removing active labels.
Comment 3 Radar WebKit Bug Importer 2024-05-08 03:54:16 PDT
<rdar://problem/127728959>
Comment 4 Marta Darbinyan 2024-05-22 17:10:13 PDT
This change causes crashes when running WK1 layout tests under ASan on Sonoma.
Comment 5 Marta Darbinyan 2024-05-22 17:11:26 PDT
Will share a backtrace later.
Comment 6 Marta Darbinyan 2024-05-23 09:22:38 PDT
This change was reverted.

Backtrace:

==37330==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011879d524 at pc 0x000139c6a764 bp 0x00016d4984c0 sp 0x00016d4984b8
READ of size 1 at 0x00011879d524 thread T0
    #0 0x139c6a760 in WebCore::SegmentedString::appendSubstring(WebCore::SegmentedString::Substring&&)+0x594 (WebCore:arm64e+0x71ea760)
    #1 0x132af60bc in WebCore::SegmentedString::append(WebCore::SegmentedString const&)+0xf8 (WebCore:arm64e+0x760bc)
    #2 0x13850c3b8 in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&)+0x470 (WebCore:arm64e+0x5a8c3b8)
    #3 0x137913e74 in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&)+0x208 (WebCore:arm64e+0x4e93e74)
    #4 0x1379145d8 in WebCore::Document::write(WebCore::Document*, WTF::FixedVector<std::__1::variant<WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML>>, WTF::String>>&&)+0x484 (WebCore:arm64e+0x4e945d8)
    #5 0x133df9828 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&)+0x198 (WebCore:arm64e+0x1379828)
    #6 0x133df8978 in WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x25c (WebCore:arm64e+0x1378978)
    #7 0x133de7ad8 in WebCore::jsDocumentPrototypeFunction_write(JSC::JSGlobalObject*, JSC::CallFrame*)+0xe4 (WebCore:arm64e+0x1367ad8)
    #8 0x14013c140  (<unknown module>)
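As an added illustration of what the bug title refers to (this is not WebKit's code and not from either linked pull request), the following Node-runnable JavaScript models the per-argument Trusted Types check that document.write()/writeln() perform when a document is under `require-trusted-types-for 'script'`: every variadic argument is either a TrustedHTML object or a plain string, plain strings are routed through the "default" policy if one exists and otherwise rejected with a TypeError, and only then are the pieces concatenated. Frame #4 of the backtrace above, `Document::write(Document*, FixedVector<variant<RefPtr<TrustedHTML>, String>>&&)`, is the native counterpart of that (TrustedHTML or string) argument list. The `TrustedHTML` and `TrustedTypePolicy` classes, the option names `enforced` and `defaultPolicy`, and the "no markup" default policy are assumptions of this model, constructed for the example.

```javascript
'use strict';
// Hypothetical model of Trusted Types enforcement on document.write()/writeln().
// Not WebKit's implementation; class and option names are assumptions.

// Opaque wrapper standing in for the platform's TrustedHTML object.
class TrustedHTML {
  #html;
  constructor(html) { this.#html = String(html); }
  toString() { return this.#html; }
}

// Minimal stand-in for TrustedTypePolicy exposing only createHTML().
// A callback that returns null/undefined signals "reject this input".
class TrustedTypePolicy {
  constructor(name, options) {
    this.name = name;
    this.createHTMLCallback = options.createHTML;
  }
  createHTML(input, ...args) {
    const out = this.createHTMLCallback(String(input), ...args);
    if (out === null || out === undefined) return null;
    return new TrustedHTML(out);
  }
}

// Per-argument check modelled on the spec's "Get Trusted Type compliant
// string" algorithm for TrustedHTML sinks.
//   options.enforced      -> document has `require-trusted-types-for 'script'`
//   options.defaultPolicy -> the policy named "default", if one was created
function getTrustedTypeCompliantString(value, sink, options) {
  if (value instanceof TrustedHTML) return value.toString();
  if (!options.enforced) return String(value); // no CSP directive: strings pass
  if (!options.defaultPolicy) {
    throw new TypeError(`This document requires 'TrustedHTML' assignment for ${sink}`);
  }
  // The default policy receives (input, typeName, sinkName) and may sanitize or reject.
  const result = options.defaultPolicy.createHTML(String(value), 'TrustedHTML', sink);
  if (!(result instanceof TrustedHTML)) {
    throw new TypeError(`Default policy rejected the value written to ${sink}`);
  }
  return result.toString();
}

// Models Document.write()/writeln(): each variadic argument is checked on its
// own, then the resulting strings are concatenated ("\n" appended for writeln).
function documentWrite(args, options, isWriteln = false) {
  const sink = isWriteln ? 'Document writeln' : 'Document write';
  const pieces = args.map((arg) => getTrustedTypeCompliantString(arg, sink, options));
  return pieces.join('') + (isWriteln ? '\n' : '');
}

// Constructed sample: a conservative default policy that only passes strings
// containing no markup at all and rejects anything with a '<'.
const STRICT_OPTIONS = {
  enforced: true,
  defaultPolicy: new TrustedTypePolicy('default', {
    createHTML: (input) => (input.includes('<') ? null : input),
  }),
};

// Convenience wrapper for demonstration: returns the written string, or the
// name of the error thrown by the enforcement step.
function tryWrite(args, options, isWriteln = false) {
  try {
    return { ok: true, value: documentWrite(args, options, isWriteln) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Stand-alone demonstration.
console.log(tryWrite([new TrustedHTML('<b>hi</b>')], STRICT_OPTIONS));
console.log(tryWrite(['plain text'], STRICT_OPTIONS));
console.log(tryWrite(['<img src=x>'], STRICT_OPTIONS));
console.log(tryWrite(['<img src=x>'], { enforced: false }, true));
```

The design point the model makes explicit is that enforcement happens per argument before any concatenation, so a single untrusted string anywhere in a write() call is enough to reject the whole call, and a default policy that returns null is treated the same as having no default policy at all.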
Comment 7 Luke Warlow 2024-05-24 05:20:14 PDT
Do you happen to have an example test that's crashing with that change to help me debug the cause?

I've tried doing a local ASan release build, with the change applied, and running the fast and WPT tests and so far none of them have crashed.
Comment 8 Luke Warlow 2024-05-24 15:43:45 PDT
Pull request: https://github.com/WebKit/WebKit/pull/29091
Comment 9 Marta Darbinyan 2024-05-28 14:44:37 PDT
Hi Luke, here is an example of the test that crashed on ASan builds that should help you debug.

The command to reproduce:
run-webkit-tests --release http/tests/inspector/network/resource-response-inspector-override.html
Comment 10 EWS 2024-06-11 03:42:32 PDT
Committed 279904@main (cfe83d0fa5bc): <https://commits.webkit.org/279904@main>

Reviewed commits have been landed. Closing PR #29091 and removing active labels.