Changeset 77333 in webkit

Timestamp:

Feb 1, 2011 4:22:52 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

2011-02-01 chris reiss <​christopher.reiss@nokia.com>

Reviewed by Adam Barth.

Self-replicating code makes Safari hang and eventually crash
​https://bugs.webkit.org/show_bug.cgi?id=15123

• fast/dom/Document/document-close-iframe-load-expected.txt: Added.
• fast/dom/Document/document-close-iframe-load.html: Added.
• fast/dom/Document/document-close-nested-iframe-load-expected.txt: Added.
• fast/dom/Document/document-close-nested-iframe-load.html: Added.
• fast/dom/Document/document-write-recursion-expected.txt: Added.
• fast/dom/Document/document-write-recursion.html: Added.

2011-02-01 chris reiss <​christopher.reiss@nokia.com>

Reviewed by Adam Barth.

Self-replicating code makes Safari hang and eventually crash
​https://bugs.webkit.org/show_bug.cgi?id=15123

Here we are replicating the Firefox safeguard against
recursive document.write( ) 's.

See ​https://bug197052.bugzilla.mozilla.org/attachment.cgi?id=293907 in bug
​https://bugzilla.mozilla.org/show_bug.cgi?id=197052 . Firefox does two things -

a) imposes a recursion limit of 20 on document.write( ) and
b) once that limit is passed, panics all the way the call stack (rather than just returning one level.)

To see why this is necessary, consider the script :

<script>

var t = document.body.innerHTML;
document.write(t);

</script>

This will create a tree both broad and deep as the script keeps appending itself to the text. If
we just return one level after the recursion limit is reached, we still allow millions of copies to
duplicate (and execute).

The recursion is fortunately depth-first, so as soon as we cross this limit, we panic up the callstack
to prevent this situation. (IE apparently does the same thing, with a lower recursion limit.)

Test: fast/dom/Document/document-write-recursion.html
Test: fast/dom/Document/document-close-iframe-load.html
Test: fast/dom/Document/document-close-nested-iframe-load.html

• dom/Document.cpp: (WebCore::Document::Document): (WebCore::Document::write):
• dom/Document.h:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Document/document-close-iframe-load-expected.txt (added)
• LayoutTests/fast/dom/Document/document-close-iframe-load.html (added)
• LayoutTests/fast/dom/Document/document-close-nested-iframe-load-expected.txt (added)
• LayoutTests/fast/dom/Document/document-close-nested-iframe-load.html (added)
• LayoutTests/fast/dom/Document/document-write-recursion-expected.txt (added)
• LayoutTests/fast/dom/Document/document-write-recursion.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (4 diffs)
• Source/WebCore/dom/Document.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-02-01  chris reiss  <christopher.reiss@nokia.com>
+
+        Reviewed by Adam Barth.
+
+        Self-replicating code makes Safari hang and eventually crash
+        https://bugs.webkit.org/show_bug.cgi?id=15123
+
+        * fast/dom/Document/document-close-iframe-load-expected.txt: Added.
+        * fast/dom/Document/document-close-iframe-load.html: Added.
+        * fast/dom/Document/document-close-nested-iframe-load-expected.txt: Added.
+        * fast/dom/Document/document-close-nested-iframe-load.html: Added.
+        * fast/dom/Document/document-write-recursion-expected.txt: Added.
+        * fast/dom/Document/document-write-recursion.html: Added.
+
 2011-02-01  Dimitri Glazkov  <dglazkov@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-02-01  chris reiss  <christopher.reiss@nokia.com>
+
+        Reviewed by Adam Barth.
+
+        Self-replicating code makes Safari hang and eventually crash
+        https://bugs.webkit.org/show_bug.cgi?id=15123
+
+       
+        Here we are replicating the Firefox safeguard against
+        recursive document.write( ) 's.
+
+        See  https://bug197052.bugzilla.mozilla.org/attachment.cgi?id=293907 in bug 
+        https://bugzilla.mozilla.org/show_bug.cgi?id=197052 .   Firefox does two things - 
+            a) imposes a recursion limit of 20 on document.write( ) and
+            b) once that limit is passed, panics all the way the call stack (rather than just returning one level.)
+        To see why this is necessary, consider the script : 
+
+        <script>
+           var t = document.body.innerHTML;
+           document.write(t);
+        </script> 
+
+        This will create a tree both broad and deep as the script keeps appending itself to the text.   If
+        we just return one level after the recursion limit is reached, we still allow millions of copies to 
+        duplicate (and execute).   
+
+        The recursion is fortunately depth-first, so as soon as we cross this limit, we panic up the callstack
+        to prevent this situation.    (IE apparently does the same thing, with a lower recursion limit.) 
+
+        Test: fast/dom/Document/document-write-recursion.html        
+        Test: fast/dom/Document/document-close-iframe-load.html
+        Test: fast/dom/Document/document-close-nested-iframe-load.html
+
+
+        * dom/Document.cpp:
+        (WebCore::Document::Document):
+        (WebCore::Document::write):
+        * dom/Document.h:
+
 2011-02-01  Johnny Ding  <jnd@chromium.org>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -103 +103 @@
 #include "MutationEvent.h"
 #include "NameNodeList.h"
+#include "NestingLevelIncrementer.h"
 #include "NodeFilter.h"
 #include "NodeIterator.h"
@@ -222 +223 @@
 // #define INSTRUMENT_LAYOUT_SCHEDULING 1
 
+static const unsigned cMaxWriteRecursionDepth = 21;
+
 // This amount of time must have elapsed before we will even consider scheduling a layout without a delay.
 // FIXME: For faster machines this value can really be lowered to 200.  250 is adequate, but a little high
@@ -425 +428 @@
     , m_directionSetOnDocumentElement(false)
     , m_writingModeSetOnDocumentElement(false)
+    , m_writeRecursionIsTooDeep(false)
+    , m_writeRecursionDepth(0)
 #if ENABLE(REQUEST_ANIMATION_FRAME)
     , m_nextRequestAnimationFrameCallbackId(0)
@@ -2167 +2172 @@
 void Document::write(const SegmentedString& text, Document* ownerDocument)
 {
+    NestingLevelIncrementer nestingLevelIncrementer(m_writeRecursionDepth);
+
+    m_writeRecursionIsTooDeep = (m_writeRecursionDepth > 1) && m_writeRecursionIsTooDeep;
+    m_writeRecursionIsTooDeep = (m_writeRecursionDepth > cMaxWriteRecursionDepth) || m_writeRecursionIsTooDeep;
+
+    if (m_writeRecursionIsTooDeep)
+       return;
+
 #ifdef INSTRUMENT_LAYOUT_SCHEDULING
     if (!ownerElement())

trunk/Source/WebCore/dom/Document.h

@@ -1383 +1383 @@
     DocumentTiming m_documentTiming;
     RefPtr<MediaQueryMatcher> m_mediaQueryMatcher;
+    bool m_writeRecursionIsTooDeep;
+    unsigned m_writeRecursionDepth;
 
 #if ENABLE(REQUEST_ANIMATION_FRAME)