RESOLVED FIXED 83545
Stack overflow in CSS parser caused by recursive stylesheet import 
https://bugs.webkit.org/show_bug.cgi?id=83545
Summary Stack overflow in CSS parser caused by recursive stylesheet import
David Barr
Reported 2012-04-09 20:59:04 PDT
This stack overflow was identified by cluster-fuzz, minimal repro below: <base href="http://www.image-in-nation.com/"><link href="templates/Imagination.css" rel="stylesheet"> Note that the first line of that style-sheet is: @import url("/template/Imagination.css"); and that http://www.image-in-nation.com/template/Imagination.css redirects to http://www.image-in-nation.com/templates/Imagination.css See http://crbug.com/122606 for the initial report.
Attachments
Patch (1.47 KB, patch)
2012-04-09 21:57 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Patch (3.55 KB, patch)
2012-04-10 17:27 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Patch (3.49 KB, patch)
2012-04-10 17:42 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Patch (3.56 KB, patch)
2012-04-15 17:25 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Patch (3.57 KB, patch)
2012-04-15 17:42 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Patch (3.56 KB, patch)
2012-04-15 18:23 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Patch for landing (3.54 KB, patch)
2012-04-15 20:21 PDT, David Barr 		no flags
DetailsFormatted DiffDiff
Show Obsolete (6) View All Add attachment proposed patch, testcase, etc.
David Barr
Comment 1 2012-04-09 21:57:19 PDT
Created attachment 136396 [details] Patch
Alexander Pavlov (apavlov)
Comment 2 2012-04-10 09:27:44 PDT
Comment on attachment 136396 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=136396&action=review > Source/WebCore/ChangeLog:8 > + No new tests - checkpointing a simple fix. It would be a good idea to add a new test (which should be easy thanks to a few crashing cases we have at hand), especially given that the correct behavior was regressed some time ago.
Alexey Proskuryakov
Comment 3 2012-04-10 13:02:40 PDT
Comment on attachment 136396 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=136396&action=review Not sure what "checkpointing" means in this context, but this is clearly the kind of fix that needs regression tests. > Source/WebCore/css/CSSImportRule.cpp:141 > // FIXME: This is wrong if the finalURL was updated via document::updateBaseURL. Is this FIXME still accurate?
David Barr
Comment 4 2012-04-10 17:27:54 PDT
Created attachment 136581 [details] Patch
Darin Adler
Comment 5 2012-04-10 17:40:16 PDT
Comment on attachment 136581 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=136581&action=review > Source/WebCore/css/CSSImportRule.cpp:-141 > - // FIXME: This is wrong if the finalURL was updated via document::updateBaseURL. This FIXME doesn’t seem to be for the bug you’re fixing, so please don’t remove it.
David Barr
Comment 6 2012-04-10 17:42:53 PDT
Created attachment 136585 [details] Patch
David Barr
Comment 7 2012-04-10 18:30:59 PDT
(In reply to comment #5) > > Source/WebCore/css/CSSImportRule.cpp:-141 > > - // FIXME: This is wrong if the finalURL was updated via document::updateBaseURL. > > This FIXME doesn’t seem to be for the bug you’re fixing, so please don’t remove it. The FIXME was added in http://trac.webkit.org/changeset/53607 I thought it might have been addressed as a side-effect of the change. I refrained from removing it in the updated patch. Adam, does the comment still apply after this change?
Adam Barth
Comment 8 2012-04-10 19:44:43 PDT
I'm not sure.
David Barr
Comment 9 2012-04-10 20:00:40 PDT
Given the lack of assuredness that this change addresses the FIXME, let's leave it there.
Eric Seidel (no email)
Comment 10 2012-04-11 00:34:14 PDT
Comment on attachment 136585 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=136585&action=review > Source/WebCore/css/CSSImportRule.cpp:141 > // FIXME: This is wrong if the finalURL was updated via document::updateBaseURL. Do we need to test this FIXME As well? With a <base> tag? > Source/WebCore/css/CSSImportRule.cpp:142 > + if (absHref == sheet->finalURL().string() || absHref == sheet->href()) Is href() always absolute? // Note that href is the URL that started the redirect chain that led to // this style sheet. This property probably isn't useful for much except // the JavaScript binding (which needs to use this value for security). const String& href() const { return m_originalURL; } How do we do other redirect recursion checks? Do we keep redirect chains cached somewhere at the network layer?
David Barr
Comment 11 2012-04-11 21:13:30 PDT
(In reply to comment #10) > (From update of attachment 136585 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=136585&action=review > > > Source/WebCore/css/CSSImportRule.cpp:141 > > // FIXME: This is wrong if the finalURL was updated via document::updateBaseURL. > > Do we need to test this FIXME As well? With a <base> tag? Sure, but if so, that's another bug. > > Source/WebCore/css/CSSImportRule.cpp:142 > > + if (absHref == sheet->finalURL().string() || absHref == sheet->href()) > > Is href() always absolute? By my reading of the code, yes. Prior to the introduction of putativeBaseURL(), the comparison used to be just against href(). Now, putativeBaseURL() is known as finalURL(). > // Note that href is the URL that started the redirect chain that led to > // this style sheet. This property probably isn't useful for much except > // the JavaScript binding (which needs to use this value for security). > const String& href() const { return m_originalURL; } > > How do we do other redirect recursion checks? Do we keep redirect chains cached somewhere at the network layer? Strictly speaking, this is not a redirect recursion bug. The problem is that redirects break our stylesheet-import cycle detection.
Ryosuke Niwa
Comment 12 2012-04-15 17:08:25 PDT
Comment on attachment 136585 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=136585&action=review I think this patch is a progression and landable as is although there are cases where this patch won't adequately address. e.g. say we have <link href="redirection1.css"> then redirection1.css would redirect us to redirection2.css then again to actual.css. we can then encounter <link href="redirection2.css">, which then redirect again to actual.css. But fixing this bug in general requires making http requests, etc... so it should probably be fixed in a separate patch. > LayoutTests/http/tests/css/css-imports-redirect-cycle.html:1 > +<script> Do we really want to use quirks mode?
David Barr
Comment 13 2012-04-15 17:25:27 PDT
Created attachment 137255 [details] Patch
David Barr
Comment 14 2012-04-15 17:27:18 PDT
Comment on attachment 137255 [details] Patch Addressed comment about quirks mode in test case.
WebKit Review Bot
Comment 15 2012-04-15 17:30:13 PDT
Comment on attachment 137255 [details] Patch Attachment 137255 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/12409697
Build Bot
Comment 16 2012-04-15 17:41:32 PDT
Comment on attachment 137255 [details] Patch Attachment 137255 [details] did not pass mac-ews (mac): Output: http://queues.webkit.org/results/12405915
David Barr
Comment 17 2012-04-15 17:42:55 PDT
Created attachment 137257 [details] Patch
David Barr
Comment 18 2012-04-15 17:43:58 PDT
Comment on attachment 137257 [details] Patch Accounted for interface change in StyleSheetInternal, href() => originalURL().
David Barr
Comment 19 2012-04-15 18:23:55 PDT
Created attachment 137260 [details] Patch
David Barr
Comment 20 2012-04-15 18:26:47 PDT
Comment on attachment 137260 [details] Patch Discovered that cr-linux can be flaky with tests that are missing blank pixel results. Amended patch to exclude pixel results.
David Barr
Comment 21 2012-04-15 20:21:24 PDT
Created attachment 137268 [details] Patch for landing
David Barr
Comment 22 2012-04-16 19:07:44 PDT
The flakiness in xmlhttprequest-unsafe-redirect.html seems unrelated to my patch, StyleRuleImport:: requestStyleSheet() shouldn't be on the code path at all for that test, AFAICT.
noel gordon
Comment 24 2012-04-16 23:19:23 PDT
Debugging sucks, testing is better. Your new test passes in those trys, as does xmlhttprequest-unsafe-redirect.html.
WebKit Review Bot
Comment 25 2012-04-16 23:27:08 PDT
Comment on attachment 137268 [details] Patch for landing Clearing flags on attachment: 137268 Committed r114350: <http://trac.webkit.org/changeset/114350>
WebKit Review Bot
Comment 26 2012-04-16 23:27:15 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.