WebKit Bugzilla
Bug 273819: Update implementation of TT enforcement for document.write/writeln
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=273819
Luke Warlow
Reported
2024-05-07 05:04:55 PDT
See
https://github.com/w3c/trusted-types/issues/510
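The enforcement this bug updates, as an added model that is not WebKit's code and not the reporter's: a plain-JavaScript sketch of how Trusted Types gates document.write()/writeln() once a CSP of require-trusted-types-for 'script' is in effect. It assumes the behaviour the referenced issue settled on, namely that the variadic arguments are concatenated first and the single resulting string goes through the default policy once if any argument was a plain string (an assumption here; the page itself does not spell it out). FakeDocument, createPolicy, the enforce flag and the sink names 'Document write'/'Document writeln' are stand-ins for the real DOM, TrustedTypePolicyFactory and CSP.

```javascript
// Added example: stand-alone model of Trusted Types enforcement for
// document.write()/writeln(). Not WebKit code; all names are stand-ins.

// Opaque wrapper standing in for the platform's TrustedHTML object.
class TrustedHTML {
  #data;
  constructor(data) { this.#data = String(data); }
  toString() { return this.#data; }
}

// Minimal stand-in for window.trustedTypes: a registry of named policies.
const policies = new Map();
function createPolicy(name, rules) {
  if (policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
  const policy = {
    name,
    // The default policy's rule receives (input, type, sink) and may reject
    // by returning null/undefined (assumption: mirrors the spec's default policy).
    createHTML(input, ...args) {
      const out = rules.createHTML(String(input), ...args);
      return out === null || out === undefined ? null : new TrustedHTML(out);
    },
  };
  policies.set(name, policy);
  return policy;
}
function clearPolicies() { policies.clear(); }

// "Get Trusted Type compliant string" (simplified): TrustedHTML passes through;
// a plain string passes only when enforcement is off, or when a default policy
// exists and accepts it.
function getTrustedTypeCompliantString(value, enforce, sink) {
  if (value instanceof TrustedHTML) return value.toString();
  if (!enforce) return String(value);
  const def = policies.get('default');
  const accepted = def ? def.createHTML(value, 'TrustedHTML', sink) : null;
  if (accepted === null) {
    throw new TypeError(`This document requires 'TrustedHTML' assignment for ${sink}`);
  }
  return accepted.toString();
}

// Stand-in for Document. `enforce` models require-trusted-types-for 'script';
// `buffer` collects what the HTML parser would be handed.
class FakeDocument {
  constructor({ enforce }) { this.enforce = enforce; this.buffer = []; }

  // Document write steps (assumed): concatenate every argument first, then run
  // the one resulting string through the compliance check, unless every
  // argument was already TrustedHTML (vacuously true for zero arguments).
  #writeSteps(args, lineFeed, sink) {
    const isTrusted = args.every((a) => a instanceof TrustedHTML);
    let string = args.map((a) => (a instanceof TrustedHTML ? a.toString() : String(a))).join('');
    if (!isTrusted) string = getTrustedTypeCompliantString(string, this.enforce, sink);
    if (lineFeed) string += '\n';
    this.buffer.push(string);
    return string;
  }
  write(...text) { return this.#writeSteps(text, false, 'Document write'); }
  writeln(...text) { return this.#writeSteps(text, true, 'Document writeln'); }
}

// Walk through the interesting cases on constructed input and return what each
// call produced, so the behaviour can be checked rather than only printed.
function demo() {
  clearPolicies();
  const doc = new FakeDocument({ enforce: true });
  const results = {};
  // 1. Plain string, no default policy: rejected.
  try { doc.write('<img src=x onerror=alert(1)>'); results.plainString = 'written'; }
  catch (e) { results.plainString = e.constructor.name; }
  // 2. TrustedHTML from a named policy: accepted without consulting any policy.
  const tpl = createPolicy('tpl', { createHTML: (s) => s });
  results.trusted = doc.write(tpl.createHTML('<b>ok</b>'));
  // 3. Mixed arguments: concatenated, then the default policy runs exactly once
  //    over the whole string (a TrustedHTML argument does not exempt the rest).
  const calls = [];
  createPolicy('default', {
    createHTML: (s, type, sink) => { calls.push({ s, type, sink }); return s.replace(/<script/gi, '&lt;script'); },
  });
  results.mixed = doc.writeln(tpl.createHTML('<b>ok</b>'), '<script>', 'x');
  results.defaultCalls = calls;
  // 4. Enforcement off: the raw string reaches the parser unchanged.
  const lax = new FakeDocument({ enforce: false });
  results.unenforced = lax.write('<script>');
  return results;
}
```

Running demo() shows the point of concatenating before checking: a default policy sees the full string the parser will receive, so an attacker cannot split a payload across arguments to hide it from the policy.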
Luke Warlow
Comment 1
2024-05-07 08:23:58 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/28238
EWS
Comment 2
2024-05-08 03:53:06 PDT
Committed 278501@main (e84b70e7fa81): <https://commits.webkit.org/278501@main>
Reviewed commits have been landed. Closing PR #28238 and removing active labels.
Radar WebKit Bug Importer
Comment 3
2024-05-08 03:54:16 PDT
<rdar://problem/127728959>
Marta Darbinyan
Comment 4
2024-05-22 17:10:13 PDT
This change causes crashes when running WK1 layout tests under ASan on Sonoma.
Marta Darbinyan
Comment 5
2024-05-22 17:11:26 PDT
Will share a backtrace later.
Marta Darbinyan
Comment 6
2024-05-23 09:22:38 PDT
This change was reverted. Backtrace:

==37330==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011879d524 at pc 0x000139c6a764 bp 0x00016d4984c0 sp 0x00016d4984b8
READ of size 1 at 0x00011879d524 thread T0
    #0 0x139c6a760 in WebCore::SegmentedString::appendSubstring(WebCore::SegmentedString::Substring&&)+0x594 (WebCore:arm64e+0x71ea760)
    #1 0x132af60bc in WebCore::SegmentedString::append(WebCore::SegmentedString const&)+0xf8 (WebCore:arm64e+0x760bc)
    #2 0x13850c3b8 in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&)+0x470 (WebCore:arm64e+0x5a8c3b8)
    #3 0x137913e74 in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&)+0x208 (WebCore:arm64e+0x4e93e74)
    #4 0x1379145d8 in WebCore::Document::write(WebCore::Document*, WTF::FixedVector<std::__1::variant<WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML>>, WTF::String>>&&)+0x484 (WebCore:arm64e+0x4e945d8)
    #5 0x133df9828 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&)+0x198 (WebCore:arm64e+0x1379828)
    #6 0x133df8978 in WebCore::jsDocumentPrototypeFunction_writeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x25c (WebCore:arm64e+0x1378978)
    #7 0x133de7ad8 in WebCore::jsDocumentPrototypeFunction_write(JSC::JSGlobalObject*, JSC::CallFrame*)+0xe4 (WebCore:arm64e+0x1367ad8)
    #8 0x14013c140 (<unknown module>)
Luke Warlow
Comment 7
2024-05-24 05:20:14 PDT
Do you happen to have an example test that's crashing with that change to help me debug the cause? I've tried doing a local ASAN release build, with the change applied, and running the fast and WPT tests and so far none of them have crashed.
Luke Warlow
Comment 8
2024-05-24 15:43:45 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/29091
Marta Darbinyan
Comment 9
2024-05-28 14:44:37 PDT
Hi Luke, here is an example of the test that crashed on Asan builds that should help you debug. The command to reproduce: run-webkit-tests --release http/tests/inspector/network/resource-response-inspector-override.html
EWS
Comment 10
2024-06-11 03:42:32 PDT
Committed 279904@main (cfe83d0fa5bc): <https://commits.webkit.org/279904@main>
Reviewed commits have been landed. Closing PR #29091 and removing active labels.