[Webkit-unassigned] [Bug 221652] New: Custom elements become HTMLUnknownElement in the upgrading step and cause CFI derived error since r266269

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 9 21:43:44 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=221652

            Bug ID: 221652
           Summary: Custom elements become HTMLUnknownElement in the
                    upgrading step and cause CFI derived error since
                    r266269
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tomoki.imai at sony.com
                CC: rniwa at webkit.org
            Blocks: 148695

Created attachment 419815

  --> https://bugs.webkit.org/attachment.cgi?id=419815&action=review

Testcase html

We found that r266269 causes CFI derived error while upgrading an element.

In "construct" in upgrading step, the custom element state is "failed".
https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp?rev=272579#L210
(Note: In the latest spec, it's "precustomized". https://github.com/whatwg/html/pull/5909)

"construct" creates the JSWrapper inside and it results HTMLUnknownElement because "isCustomElementUpgradeCandidate" returns false.
(createJSHTMLWrapper is located at DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp)
- https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/dom/Node.h?rev=272579#L230
- https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp?rev=272579#L95

Unfortunately, "element" is HTMLElement and not HTMLUnknownElement, so casting it to HTMLUnknownElement causes the CFI error.

Note:
- We didn't see the CFI error before r266269, because it was "custom" state and "isCustomElementUpgradeCandidate" returns true. It results casting to HTMLElement not HTMLUnknownElement.
- This seems to be always happened when we create custom element in innerHTML.
- I believe this error doesn't cause the actual issue because the wrapper object is not cached and HTMLUnknownElement doesn't have any additional variable to HTMLElement

I attached testcase, which is simplified version of the one in r236376.
My way to detect the failure is to attach debugger and open the html with MiniBrowser or build webkit with CFI support and see WebProcess detect error.
Unfortunately, I couldn't find a way to detect this issue in JS layer.


Referenced Bugs:

https://bugs.webkit.org/show_bug.cgi?id=148695
[Bug 148695] Implement v1 shadow DOM API
-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210210/c178c155/attachment.htm>

More information about the webkit-unassigned mailing list