[Webkit-unassigned] [Bug 180769] New: Crash inside ImageLoader::updateFromElement()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 13 14:38:22 PST 2017 

https://bugs.webkit.org/show_bug.cgi?id=180769

            Bug ID: 180769
           Summary: Crash inside ImageLoader::updateFromElement()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rniwa at webkit.org
                CC: cdumez at apple.com

Because ImageLoader::updateFromElement() can send a sync IPC with the following stack trace and execute arbitrary scripts while waiting for the response, it's not safe to call this function where NoEventDispatchAssertion is present.

3 WebKit: IPC::Connection::SyncMessageState::dispatchMessages(IPC::Connection*)
  3 WebKit: IPC::Connection::waitForSyncReply(unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
    3 WebKit: IPC::Connection::sendSyncMessage(unsigned long long, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
      3 WebKit: bool IPC::Connection::sendSync<Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue>(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue&&, Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply&&, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::SendSyncOption>)
        3 WebKit: WebKit::WebPlatformStrategies::cookieRequestHeaderFieldValue(WebCore::SessionID, WebCore::URL const&, WebCore::URL const&)
          3 WebCore: WebCore::verifyVaryingRequestHeaders(WTF::Vector<std::__1::pair<WTF::String, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::ResourceRequest const&, WebCore::SessionID)
            3 WebCore: WebCore::CachedResource::varyHeaderValuesMatch(WebCore::ResourceRequest const&)
              3 WebCore: WebCore::CachedResourceLoader::determineRevalidationPolicy(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&, WebCore::CachedResource*, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption) const
                3 WebCore: WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&&, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption)
                  3 WebCore: WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&&)
                    3 WebCore: WebCore::ImageLoader::updateFromElement()

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171213/4c8d6303/attachment-0001.html>

More information about the webkit-unassigned mailing list