Branch: refs/heads/webkitglib/2.42
Home:   https://github.com/WebKit/WebKit
Commit: 6094b6c0b3c2a00d3d26d9ed1b4ba7f834f0a9a8
    https://github.com/WebKit/WebKit/commit/6094b6c0b3c2a00d3d26d9ed1b4ba7f834f0a9a8
Author: Dan Robson <dtr_bugzi...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
    A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
    A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
    M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
    M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h

Log Message:
-----------
Cherry-pick 64bcd93cbc55. <bug>

jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
https://bugs.webkit.org/show_bug.cgi?id=264180.
rdar://117463447.

Reviewed by Sihui Liu.

MemoryIndex now keeps a WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it.
Also RefPtr conversion from WeakPtr using the get() API as applicable.

* LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
* LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of the MemoryObjectStore pointer before using it.
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using the get() API as applicable.
(WebCore::IDBServer::MemoryIndex::objectStoreCleared):
(WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
(WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
(WebCore::IDBServer::MemoryIndex::getAllRecords const):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
(WebCore::IDBServer::MemoryIndex::objectStore):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using the get() API for the MemoryIndex-based MemoryObjectStore object.
(WebCore::IDBServer::MemoryIndexCursor::currentData):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:

Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch
Identifier: 267815.546@safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.149@webkitglib/2.42


Commit: f4cbd6103a089eb7886b4aec53aa788111adfeb8
    https://github.com/WebKit/WebKit/commit/f4cbd6103a089eb7886b4aec53aa788111adfeb8
Author: Dan Robson <dtr_bugzi...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/multicol/last-set-crash-expected.txt
    A LayoutTests/fast/multicol/last-set-crash.html
    M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
    M Source/WebCore/rendering/RenderMultiColumnFlow.h

Log Message:
-----------
Cherry-pick f524a15d0633. https://bugs.webkit.org/show_bug.cgi?id=264327

WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://114559559

Reviewed by Alan Baradlay.

* LayoutTests/TestExpectations: Skip test on debug due to some assertion failures.
* LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
* LayoutTests/fast/multicol/last-set-crash.html: Added.
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const): Tree mutations may have made the m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow. Check for this.
* Source/WebCore/rendering/RenderMultiColumnFlow.h: Also make it use WeakPtr.
Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch
Identifier: 267815.547@safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.150@webkitglib/2.42


Commit: 257bccb2532b64ea1b40023299c29053f891188b
    https://github.com/WebKit/WebKit/commit/257bccb2532b64ea1b40023299c29053f891188b
Author: Myah Cobbs <mco...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.h

Log Message:
-----------
Cherry-pick 4c3430842100. https://bugs.webkit.org/show_bug.cgi?id=264979

Crash under PAL::newTextCodec(PAL::TextEncoding const&)
https://bugs.webkit.org/show_bug.cgi?id=264979
rdar://118267012

Reviewed by Brent Fulgham.

There is evidence from crashes in the wild that the CachedCSSStyleSheet or the TextResourceDecoder are being used after getting freed. To prevent this, protect both these objects in the code path identified by the crashes. This is a speculative fix but it should be very safe.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didFinishLoading):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::finishLoading):
(WebCore::CachedCSSStyleSheet::protectedDecoder const):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.h:

Canonical link: https://commits.webkit.org/267815.575@safari-7617-branch
Identifier: 267815.574@safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.151@webkitglib/2.42


Commit: 4f7b838e35687405c6ee4b8176347b52cc72323e
    https://github.com/WebKit/WebKit/commit/4f7b838e35687405c6ee4b8176347b52cc72323e
Author: Scott Marcy <msc...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/fast/css/font-size-adjust-invalid-value-type-expected.txt
    A LayoutTests/fast/css/font-size-adjust-invalid-value-type.html
    M Source/WebCore/style/StyleBuilderConverter.h

Log Message:
-----------
Cherry-pick 267815.526@safari-7617-branch (92043c608a1c). <bug>

rdar://115842409 (jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) &WTF::downcast(Source &) [Target = WebCore::CSSValuePair, Source = const WebCore::CSSValue] at StyleBuilderConverter.h:1632)

Check for an unexpected CSS type for 'font-size-adjust' and return a default value instead of crashing.

Reviewed by anttijk.

This prevents a crash on downcasting when an unexpected `CSSValue` subclass is provided.

Combined changes:

* LayoutTests/fast/css/font-size-adjust-invalid-value-type-expected.txt: Added.
* LayoutTests/fast/css/font-size-adjust-invalid-value-type.html: Added.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertFontSizeAdjust):

Canonical link: https://commits.webkit.org/267815.526@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.152@webkitglib/2.42


Commit: 096cb1a99a8077cf6491a660b3c88c78061eba6c
    https://github.com/WebKit/WebKit/commit/096cb1a99a8077cf6491a660b3c88c78061eba6c
Author: Chris Dumez <cdu...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp
    M Source/WebCore/Modules/permissions/Permissions.cpp
    M Source/WebCore/Modules/storage/WorkerStorageConnection.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletThread.h
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/dom/BroadcastChannel.cpp
    M Source/WebCore/dom/ScriptExecutionContext.cpp
    M Source/WebCore/loader/WorkerThreadableLoader.cpp
    M Source/WebCore/loader/WorkerThreadableLoader.h
    M Source/WebCore/loader/cache/MemoryCache.cpp
    M Source/WebCore/page/WorkerNavigator.cpp
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerMessagingProxy.cpp
    M Source/WebCore/workers/WorkerNotificationClient.cpp
    M Source/WebCore/workers/WorkerOrWorkletThread.h
    M Source/WebCore/workers/WorkerThread.cpp
    M Source/WebCore/workers/WorkerThread.h
    M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp
    M Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp

Log Message:
-----------
Cherry-pick 267815.537@safari-7617-branch (4cae7c8ab138).
https://bugs.webkit.org/show_bug.cgi?id=264327

Crash under WebCore::createMainThreadConnection(WebCore::WorkerGlobalScope&)
https://bugs.webkit.org/show_bug.cgi?id=264222
rdar://117727810

Reviewed by Darin Adler.

We're crashing when calling `createCacheStorageConnection()` on the WorkerLoaderProxy which we got from the WorkerThread. I believe the WorkerLoaderProxy reference returned by the WorkerThread is stale, which is possible since it keeps C++ references to its proxies.

To address the issue, I updated WorkerThread to keep raw pointers to its proxies instead of C++ references. I am also adding a clearProxies() function to clear those raw pointers once the proxies get destroyed. Finally, I added null checks at proxy use sites now that we null them out.

In the future, we should convert these raw pointers into CheckedPtrs.

* Source/WebCore/Modules/badge/WorkerBadgeProxy.h:
* Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp:
(WebCore::createMainThreadConnection):
* Source/WebCore/Modules/permissions/Permissions.cpp:
(WebCore::Permissions::query):
* Source/WebCore/Modules/storage/WorkerStorageConnection.cpp:
(WebCore::WorkerStorageConnection::getPersisted):
(WebCore::WorkerStorageConnection::getEstimate):
(WebCore::WorkerStorageConnection::fileSystemGetDirectory):
* Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::registerProcessor):
* Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp:
(WebCore::AudioWorkletMessagingProxy::~AudioWorkletMessagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp:
(WebCore::AudioWorkletThread::clearProxies):
(WebCore::AudioWorkletThread::workerLoaderProxy):
(WebCore::AudioWorkletThread::messagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.h:
(WebCore::AudioWorkletThread::messagingProxy): Deleted.
* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::Bridge):
(WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadInitialize):
* Source/WebCore/dom/BroadcastChannel.cpp:
(WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::postTaskToResponsibleDocument):
* Source/WebCore/loader/WorkerThreadableLoader.cpp:
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader):
* Source/WebCore/loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::removeRequestFromSessionCaches):
* Source/WebCore/page/WorkerNavigator.cpp:
(WebCore::WorkerNavigator::setAppBadge):
* Source/WebCore/workers/WorkerDebuggerProxy.h:
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::~WorkerGlobalScope):
(WebCore::WorkerGlobalScope::createRTCDataChannelRemoteHandlerConnection):
(WebCore::WorkerGlobalScope::close):
(WebCore::WorkerGlobalScope::logExceptionToConsole):
(WebCore::WorkerGlobalScope::wrapCryptoKey):
(WebCore::WorkerGlobalScope::unwrapCryptoKey):
(WebCore::WorkerGlobalScope::reportErrorToWorkerObject):
* Source/WebCore/workers/WorkerLoaderProxy.h:
* Source/WebCore/workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::~WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
* Source/WebCore/workers/WorkerNotificationClient.cpp:
(WebCore::WorkerNotificationClient::postToMainThread):
* Source/WebCore/workers/WorkerOrWorkletThread.h:
* Source/WebCore/workers/WorkerReportingProxy.h:
* Source/WebCore/workers/WorkerThread.cpp:
(WebCore::WorkerThread::workerBadgeProxy const):
(WebCore::WorkerThread::workerDebuggerProxy const):
(WebCore::WorkerThread::workerLoaderProxy):
(WebCore::WorkerThread::workerReportingProxy const):
(WebCore::WorkerThread::clearProxies):
* Source/WebCore/workers/WorkerThread.h:
(WebCore::WorkerThread::workerBadgeProxy const): Deleted.
(WebCore::WorkerThread::workerReportingProxy const): Deleted.
* Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp:
(WebCore::ServiceWorkerThreadProxy::~ServiceWorkerThreadProxy):
* Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp:
(WebCore::SharedWorkerThreadProxy::~SharedWorkerThreadProxy):

Canonical link: https://commits.webkit.org/267815.537@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.153@webkitglib/2.42


Commit: 438c6a95c2a744c268928d9d0bc7c287b5282f03
    https://github.com/WebKit/WebKit/commit/438c6a95c2a744c268928d9d0bc7c287b5282f03
Author: Yijia Huang <yijia_hu...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A JSTests/stress/re-enter-resolve-rope-string.js
    M Source/JavaScriptCore/heap/Heap.h
    M Source/JavaScriptCore/runtime/JSString.cpp
    M Source/JavaScriptCore/runtime/JSStringInlines.h

Log Message:
-----------
Cherry-pick 267815.494@safari-7617-branch (43754f3837df). https://bugs.webkit.org/show_bug.cgi?id=264016

[JSC] Fix reportExtraMemoryAllocated uses when resolving rope strings
https://bugs.webkit.org/show_bug.cgi?id=264016
rdar://117639567

Reviewed by Yusuke Suzuki.

Heap::reportExtraMemoryAllocated may trigger JSRopeString::resolveRope. If this API needs to be used when resolving a rope string, then we should make sure to call this API after the rope string is completely resolved.
* Source/JavaScriptCore/heap/Heap.h:
* Source/JavaScriptCore/runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomString const):
(JSC::JSRopeString::resolveRopeWithFunction const):
* Source/JavaScriptCore/runtime/JSStringInlines.h:
(JSC::jsAtomString):

Canonical link: https://commits.webkit.org/267815.494@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.154@webkitglib/2.42


Commit: fe115c9617a3e7a6efda73be56df8227ca6ccd81
    https://github.com/WebKit/WebKit/commit/fe115c9617a3e7a6efda73be56df8227ca6ccd81
Author: BJ Burg <bb...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSuspendAllMediaPlayback.mm

Log Message:
-----------
Cherry-pick 267815.495@safari-7617-branch (64b3c403419f). rdar://116595009

Element fullscreen requests should be ignored while media is suspended.
rdar://116595009

Reviewed by Jer Noble.

It is undesirable to allow entering element fullscreen while media is suspended. Check for this condition and bail out if needed.

* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::enterFullscreen):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSuspendAllMediaPlayback.mm:
(TEST): Added test case.
Canonical link: https://commits.webkit.org/267815.495@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.155@webkitglib/2.42


Commit: 822396cfcbaf931e1641268488fb5db838a38874
    https://github.com/WebKit/WebKit/commit/822396cfcbaf931e1641268488fb5db838a38874
Author: Erica Li <ler...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt
    A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html
    A LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html
    M Source/WebCore/css/CSSStyleSheet.cpp
    M Source/WebCore/css/StyleSheetContents.cpp
    M Source/WebCore/css/StyleSheetContents.h

Log Message:
-----------
Cherry-pick 267815.506@safari-7617-branch (40098636b478). https://bugs.webkit.org/show_bug.cgi?id=263950

jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(position <= size()); in CSSStyleSheet::insertRule(...) CSSStyleSheet.cpp:365
https://bugs.webkit.org/show_bug.cgi?id=263950
rdar://117469266

Reviewed by Antti Koivisto and Darin Adler.

Based on the specification, we should return early and throw an InvalidStateError exception when attempting to delete a @namespace rule and the list contains anything other than @import or @namespace rules.

* LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
* LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html: Added.
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::deleteRule):
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::wrapperDeleteRule):
* Source/WebCore/css/StyleSheetContents.h:

Canonical link: https://commits.webkit.org/267815.506@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.156@webkitglib/2.42


Commit: 89e825a1a3816eea5888d2ed93021a1ce824338b
    https://github.com/WebKit/WebKit/commit/89e825a1a3816eea5888d2ed93021a1ce824338b
Author: Matthieu Dubet <m_du...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/fast/css/insertrule-namespace-after-layer-expected.txt
    A LayoutTests/fast/css/insertrule-namespace-after-layer.html
    M Source/WebCore/css/StyleSheetContents.cpp

Log Message:
-----------
Cherry-pick 267815.351@safari-7617-branch (cf04124d9563). rdar://117071899

[CSS] Don't crash when trying to insert namespace rule after layer rule
rdar://117071899

Reviewed by Antti Koivisto.

By spec, a namespace rule can't be inserted after a layer rule.
https://drafts.csswg.org/css-namespaces/#syntax

* LayoutTests/fast/css/insertrule-namespace-after-layer-expected.txt: Added.
* LayoutTests/fast/css/insertrule-namespace-after-layer.html: Added.
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::wrapperInsertRule):

Canonical link: https://commits.webkit.org/267815.351@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.157@webkitglib/2.42


Commit: b2c3e847699cdb662778d557fcea5130ba700997
    https://github.com/WebKit/WebKit/commit/b2c3e847699cdb662778d557fcea5130ba700997
Author: Alexey Shvayka <ashva...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A JSTests/stress/double-inlined-call-argument.js
    A JSTests/stress/regress-116397731.js
    M Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp

Log Message:
-----------
Cherry-pick 267815.352@safari-7617-branch (11987a2c00bf).
https://bugs.webkit.org/show_bug.cgi?id=263090

[JSC] DFG might force a local to be double even if we store non-numeric values into it
https://bugs.webkit.org/show_bug.cgi?id=263090
<rdar://116397731>

Reviewed by Keith Miller.

This change fixes tallyVotesForShouldUseDoubleFormat() to set NotUsingDoubleFormat if the variable is no longer predicted to hold only doubles.

* JSTests/stress/double-inlined-call-argument.js: Added.
* JSTests/stress/regress-116397731.js: Added.
* Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp:
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):

Canonical link: https://commits.webkit.org/267815.352@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.158@webkitglib/2.42


Commit: d29dc914ce786b79336123e043629884713f07a0
    https://github.com/WebKit/WebKit/commit/d29dc914ce786b79336123e043629884713f07a0
Author: David Degazio <d_dega...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A JSTests/stress/ClassInfo-across-structure-transition.js
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

Log Message:
-----------
Cherry-pick 267815.353@safari-7617-branch (20234c667f25). https://bugs.webkit.org/show_bug.cgi?id=263356

Load compact ClassInfo from structure correctly in FTL
https://bugs.webkit.org/show_bug.cgi?id=263356
rdar://115494572

Reviewed by Mark Lam.

Currently, FTL assumes loading the m_classInfo from a structure is a loadPtr on all platforms - this is not the case, since ClassInfo is represented as a 32-bit CompactPtr<ClassInfo> on platforms with 36-bit addresses. As a result, when loading the ClassInfo in some FTL nodes, it results in a junk value with the lower bits being the unshifted ClassInfo address, and the upper bits being taken erroneously from m_transitionPropertyName. This patch introduces a new loadCompactPtr() helper to FTLLowerDFGToB3 that correctly loads and shifts compact pointer fields, which in current FTL is just Structure.m_classInfo.
* JSTests/stress/ClassInfo-across-structure-transition.js: Added.
(calling):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Canonical link: https://commits.webkit.org/267815.353@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.159@webkitglib/2.42


Commit: a939442717bd849ddf6db1fd0c30b12a6cce29d9
    https://github.com/WebKit/WebKit/commit/a939442717bd849ddf6db1fd0c30b12a6cce29d9
Author: Chris Dumez <cdu...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt
    A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

Log Message:
-----------
Cherry-pick 267815.354@safari-7617-branch (c34793cc5793). https://bugs.webkit.org/show_bug.cgi?id=263204

Assertion hit under Document::dispatchPagehideEvent()
https://bugs.webkit.org/show_bug.cgi?id=263204
rdar://116715579

Reviewed by Ryosuke Niwa.

Delay the load if we're not allowed to run script right now. Scheduling a load will cancel / stop any pending load, which may cause events to be fired and script to run.

The synchronous code path is kept when we're allowed to run script to avoid breaking tests such as:
- imported/w3c/web-platform-tests/css/css-writing-modes/abs-pos-non-replaced-icb-vlr-*.xht
- imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/sandbox_004.htm
- imported/blink/svg/dom/viewspec-*.html
- fast/css/acid2.html

* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt: Added.
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Canonical link: https://commits.webkit.org/267815.354@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.160@webkitglib/2.42


Commit: c3ca39cb1c6b232e58a26118dc3f0f5ee1be720d
    https://github.com/WebKit/WebKit/commit/c3ca39cb1c6b232e58a26118dc3f0f5ee1be720d
Author: Keith Miller <keith_mil...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A JSTests/stress/array-iterator-to-this.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp

Log Message:
-----------
Cherry-pick 267815.357@safari-7617-branch (ae764a813e03). https://bugs.webkit.org/show_bug.cgi?id=263408

Array iterator creation intrinsics need ToThis
https://bugs.webkit.org/show_bug.cgi?id=263408
rdar://113898245

Reviewed by Yusuke Suzuki.

Currently, we don't ToThis the 'this' value when we intrinsicify the various Array iterator creation functions, which we should.

This patch also changes `clobbersExitState` to say exit state is not clobbered if a node only writes to `HeapObjectCount`. Our previous behavior was overly conservative, which caused assertion failures as the `ToObject` following the `ToThis` would get converted to a `Check(Object)` when exit was invalid.

* JSTests/stress/array-iterator-to-this.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):

Canonical link: https://commits.webkit.org/267815.357@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.161@webkitglib/2.42


Commit: 53cf2a653d4c7697ed51a628fc06d01056217cd3
    https://github.com/WebKit/WebKit/commit/53cf2a653d4c7697ed51a628fc06d01056217cd3
Author: Chris Dumez <cdu...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M Source/WTF/wtf/Ref.h
    M Source/WTF/wtf/RefPtr.h
    M Source/WTF/wtf/TypeCasts.h
    M Source/WebCore/html/shadow/DateTimeEditElement.cpp
    M Source/WebCore/html/shadow/DateTimeFieldElement.cpp
    M Source/WebCore/html/shadow/DetailsMarkerControl.cpp
    M Source/WebCore/html/shadow/ProgressShadowElement.cpp
    M Source/WebCore/html/shadow/SliderThumbElement.cpp
    M Source/WebCore/html/shadow/TextControlInnerElements.cpp

Log Message:
-----------
Cherry-pick 267815.359@safari-7617-branch (1f4ca4f6b608). https://bugs.webkit.org/show_bug.cgi?id=264327

[Hardening] Introduce checkedDowncast<>() and use it in a few places where the type is not obvious
https://bugs.webkit.org/show_bug.cgi?id=263463
rdar://117247122

Reviewed by Darin Adler and Ryosuke Niwa.

Introduce checkedDowncast<>() and use it in a few places where the type is not obvious (no earlier is<>() check). checkedDowncast<>() is just like downcast<>() but its internal type check is a RELEASE_ASSERT() instead of a debug ASSERT().

In the future, we may want to promote using either dynamicDowncast<>() or checkedDowncast<>() and maybe phasing out downcast<>() (in which case we could rename checkedDowncast<>() to downcast()).
* Source/WTF/wtf/Ref.h:
(WTF::checkedDowncast):
* Source/WTF/wtf/RefPtr.h:
(WTF::checkedDowncast):
* Source/WTF/wtf/TypeCasts.h:
(WTF::checkedDowncast):
* Source/WebCore/html/shadow/DateTimeEditElement.cpp:
(WebCore::DateTimeEditElement::fieldsWrapperElement const):
* Source/WebCore/html/shadow/DateTimeFieldElement.cpp:
(WebCore::DateTimeFieldElement::updateVisibleValue):
* Source/WebCore/html/shadow/DetailsMarkerControl.cpp:
(WebCore::DetailsMarkerControl::rendererIsNeeded):
* Source/WebCore/html/shadow/ProgressShadowElement.cpp:
(WebCore::ProgressShadowElement::progressElement const):
* Source/WebCore/html/shadow/SliderThumbElement.cpp:
(WebCore::RenderSliderContainer::computeLogicalHeight const):
(WebCore::RenderSliderContainer::layout):
(WebCore::SliderThumbElement::hostInput const):
* Source/WebCore/html/shadow/TextControlInnerElements.cpp:
(WebCore::isStrongPasswordTextField):
(WebCore::TextControlInnerTextElement::renderer const):
(WebCore::TextControlInnerTextElement::resolveCustomStyle):
(WebCore::TextControlPlaceholderElement::resolveCustomStyle):
(WebCore::SearchFieldResultsButtonElement::defaultEventHandler):
(WebCore::SearchFieldCancelButtonElement::resolveCustomStyle):
(WebCore::SearchFieldCancelButtonElement::defaultEventHandler):
(WebCore::SearchFieldCancelButtonElement::willRespondToMouseClickEventsWithEditability const):

Canonical link: https://commits.webkit.org/267815.359@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.162@webkitglib/2.42


Commit: bd2159f999b3eef57cae44dfb9fd084dca1c58f0
    https://github.com/WebKit/WebKit/commit/bd2159f999b3eef57cae44dfb9fd084dca1c58f0
Author: Ryan Haddad <ryanhad...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M Source/WTF/wtf/PlatformHave.h

Log Message:
-----------
Cherry-pick 267815.395@safari-7617-branch (975762e3dd0f).
https://bugs.webkit.org/show_bug.cgi?id=264327

Add definition for HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION
rdar://117378587

Rubber-stamped by Wenson Hsieh.

The fix in webkit.org/b/263266 to "Suppress excessive logging due to calling into `-[UITextInteractionAssistant selectionView]` in API tests" does not work on the safari-7617-branch because we lack the definition for HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION.

* Source/WTF/wtf/PlatformHave.h:

Canonical link: https://commits.webkit.org/267815.395@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.163@webkitglib/2.42


Commit: fe28561a92b5fe197ecdfcc09e2b005eaa3efd00
    https://github.com/WebKit/WebKit/commit/fe28561a92b5fe197ecdfcc09e2b005eaa3efd00
Author: Erica Li <ler...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt
    A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html
    M Source/WebCore/bindings/js/InternalWritableStream.cpp
    M Tools/DumpRenderTree/mac/DumpRenderTree.mm

Log Message:
-----------
Cherry-pick 267815.398@safari-7617-branch (f11c81a103a8). https://bugs.webkit.org/show_bug.cgi?id=262865

jsc_fuz/wktr: null ptr deref in WebCore::invokeWritableStreamFunction(...) (InternalWritableStream.cpp:49)
https://bugs.webkit.org/show_bug.cgi?id=262865
rdar://116465595

Reviewed by Mark Lam.

Return early when the worker is terminated while trying to get the function from the globalObject.
Set useDollarVM in test option initialization for cases when useDollarVM will be reset before injectInternalsObject is called in DRT.

* LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt: Added.
* LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html: Added.
* Source/WebCore/bindings/js/InternalWritableStream.cpp:
(WebCore::invokeWritableStreamFunction):
* Tools/DumpRenderTree/mac/DumpRenderTree.mm:
(testOptionsForTest):

Canonical link: https://commits.webkit.org/267815.398@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.164@webkitglib/2.42


Commit: 2577bb4e4338a256cf165d6ed93e03be10eae9c1
    https://github.com/WebKit/WebKit/commit/2577bb4e4338a256cf165d6ed93e03be10eae9c1
Author: Antti Koivisto <an...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-005-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-006-expected.txt
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp

Log Message:
-----------
Cherry-pick 267786@main (514d0acadd36). https://bugs.webkit.org/show_bug.cgi?id=253936

canvas-as-container-005.html & canvas-as-container-006.html fail
https://bugs.webkit.org/show_bug.cgi?id=253936
rdar://106739131

Reviewed by Alan Baradlay.

When resolving computed style in a non-rendered subtree we fail to take container queries into account.

* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-005-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-006-expected.txt:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::styleForElementIgnoringPendingStylesheets):

Take care to have updated document style if it is not clean and we are resolving the root element.

* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):

- Ensure the style scope is flushed so stylesheet data is current.
- Don't bail out when encountering a display:none subtree; the ancestors may still affect its style.
- Fall back to a full style update if we encounter a query container with invalid style in the ancestor chain.
Canonical link: https://commits.webkit.org/267786@main
Canonical link: https://commits.webkit.org/266719.165@webkitglib/2.42


Commit: 09edd3d273d8dc93c82b3e72349f5f1fe4692461
    https://github.com/WebKit/WebKit/commit/09edd3d273d8dc93c82b3e72349f5f1fe4692461
Author: Antti Koivisto <an...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/fast/css/container-style-editability-crash-expected.txt
    A LayoutTests/fast/css/container-style-editability-crash.html
    M LayoutTests/platform/ios-wk2/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Element.h

Log Message:
-----------
Cherry-pick 267815.436@safari-7617-branch (699e9669a530). https://bugs.webkit.org/show_bug.cgi?id=263522

REGRESSION(267786@main): Crash under RenderBlock::isSelectionRoot() with query container
https://bugs.webkit.org/show_bug.cgi?id=263522
rdar://115777188

Reviewed by Alan Baradlay.

* LayoutTests/fast/css/container-style-editability-crash-expected.txt: Added.
* LayoutTests/fast/css/container-style-editability-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
(WebCore::Element::computedStyleForEditability):

Avoid triggering style resolution when computing editability.

* Source/WebCore/dom/Element.h:

Canonical link: https://commits.webkit.org/267815.436@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.166@webkitglib/2.42


Commit: 9075aaae5674dbf96a57dd63742261407859fca2
    https://github.com/WebKit/WebKit/commit/9075aaae5674dbf96a57dd63742261407859fca2
Author: nishajain61 <nisha_j...@apple.com>
Date:   2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html
    M Source/WTF/wtf/URLParser.cpp

Log Message:
-----------
Cherry-pick 267815.437@safari-7617-branch (e5674422c86e).
https://bugs.webkit.org/show_bug.cgi?id=263682 [cf9aab29ad0894e2] heap-use-after-free | WTF::URLParser::parse; WTF::URLParser::URLParser; WTF::URL::URL https://bugs.webkit.org/show_bug.cgi?id=263682 rdar://116995567. Reviewed by David Kilzer and Chris Dumez. Modified WTF::URLParser::parse API so there is no invalid pointer reference to 'm_asciiBuffer' by 'StringView' after reallocation which results in invalid 'urlScheme'. * LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt: Added user expected test result. * LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html: Added test case which causes reallocation of buffer. * Source/WTF/wtf/URLParser.cpp: Modified below API (WTF::URLParser::parse): Modified order of function calls so no invalid reference to buffer is made after reallocation resulting in invalid 'urlScheme'. Canonical link: https://commits.webkit.org/267815.437@safari-7617-branch Canonical link: https://commits.webkit.org/266719.167@webkitglib/2.42 Commit: 0cd7221a47f5c5c21517c2a380fa6b271828bc14 https://github.com/WebKit/WebKit/commit/0cd7221a47f5c5c21517c2a380fa6b271828bc14 Author: Mark Lam <mark....@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A JSTests/stress/int52rep-multiplication-with-overflow.js M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp Log Message: ----------- Cherry-pick 267815.438@safari-7617-branch (20a302272ec6). https://bugs.webkit.org/show_bug.cgi?id=263707 Int52Rep speculationCheck failed in DFG optimizations for the ArithMul operation. https://bugs.webkit.org/show_bug.cgi?id=263707 rdar://117415514 Reviewed by Keith Miller. The DFG ArithMul Int52Rep speculationCheck was using the binary form of the branchMul64 emitter to check for overflow of the multiplication. The ARM64 version of this binary form branchMul64 has a bug: it's re-using one of the src registers as the dest register. 
The underlying ARM64 implementation of branchMul64 needs to execute 2 instructions: mul and smulh. Both of these instructions need to operate on the 2 source operands of the multiplication. By making the dest register same as the src1 register, the mul instruction which comes fist and computes dest, would trash src1. Subsequently, smulh is computed with a corrupted src1 value. The fix is simple: 1. Change the DFG ArithMul to use the ternary form of branchMul64. It will just do the right thing, and in fact, eliminates an unnecessary move instruction on ARM64. 2. Remove the ARM64 binary form of branchMul64. It is now no longer used. 3. For robustness, change the ternary form of branchMul64 to also be resilient against the scenario where dest equals either src1 or src2. This is achieved by computing smulh first, which stores its result into a scratch register. Only after that, do we compute mul, which is now free to set dest and potentially overwrite src1 or src2. * JSTests/stress/int52rep-multiplication-with-overflow.js: Added. (foo): * Source/JavaScriptCore/assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::branchMul64): * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: Canonical link: https://commits.webkit.org/267815.438@safari-7617-branch Canonical link: https://commits.webkit.org/266719.168@webkitglib/2.42 Commit: 04d78254390dd5a1aac265a3f0d915cd80081745 https://github.com/WebKit/WebKit/commit/04d78254390dd5a1aac265a3f0d915cd80081745 Author: Abigail Fox <abigail_...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp M Source/WebKit/UIProcess/WebProcessPool.cpp Log Message: ----------- Cherry-pick 267815.439@safari-7617-branch (33927ceba2d6). https://bugs.webkit.org/show_bug.cgi?id=258161 Added allowsFirstPartyForCookies check https://bugs.webkit.org/show_bug.cgi?id=258161 rdar://106997645 Reviewed by Alex Christensen. 
Added a message check to validate that the process is allowed to add first parties for cookies before allowing a call to addAllowedFirstPartyForCookies. Adding this message check exposed a scenario where a service worker web process could be spawned in a bad state without any allowed first parties. An addAllowedFirstPartyForCookies call was added to prevent this bad state. This error was caught by http/tests/cookies/same-site/fetch-in-cross-origin-service-worker.html * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp: (WebKit::NetworkConnectionToWebProcess::establishSWContextConnection): * Source/WebKit/UIProcess/WebProcessPool.cpp: (WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess): Canonical link: https://commits.webkit.org/267815.439@safari-7617-branch Canonical link: https://commits.webkit.org/266719.169@webkitglib/2.42 Commit: c11fb1e8ef5df9fb422984b7eeab2c5e93d32238 https://github.com/WebKit/WebKit/commit/c11fb1e8ef5df9fb422984b7eeab2c5e93d32238 Author: Aditya Keerthi <akeer...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/WebCore/PAL/pal/spi/cocoa/FoundationSPI.h M Source/WebCore/PAL/pal/spi/mac/NSPasteboardSPI.h M Source/WebCore/platform/Pasteboard.cpp M Source/WebCore/platform/Pasteboard.h M Source/WebCore/platform/PlatformPasteboard.h M Source/WebCore/platform/ios/PlatformPasteboardIOS.mm M Source/WebCore/platform/mac/PasteboardMac.mm M Source/WebCore/platform/mac/PlatformPasteboardMac.mm M Source/WebKit/Scripts/webkit/messages.py M Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm M Source/WebKit/UIProcess/WebPasteboardProxy.h M Source/WebKit/UIProcess/WebPasteboardProxy.messages.in M Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp M Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm M Tools/WebKitTestRunner/mac/WebKitTestRunnerPasteboard.mm Log Message: ----------- Cherry-pick 267815.441@safari-7617-branch (d4645ae84721). 
https://bugs.webkit.org/show_bug.cgi?id=263622 [CoreIPC] The pasteboard may perform image conversion in UIProcess https://bugs.webkit.org/show_bug.cgi?id=263622 rdar://98996437 Reviewed by Wenson Hsieh. When reading data from the pasteboard, image conversion may be performed when using `NSTIFFPboardType` as the requested type. This is a system feature, where a PNG can be written to the pasteboard, and a TIFF can be read out. However, this is undesirable from a WebKit perspective, as it allows for arbitrary image conversion across the process boundary. Fix by ensuring that the UI process always returns the original data, and perform the image conversion in the Web process. * Source/WebCore/PAL/pal/spi/cocoa/FoundationSPI.h: * Source/WebCore/PAL/pal/spi/mac/NSPasteboardSPI.h: Declare an internal `NSPasteboard` method to obtain the unconverted data. * Source/WebCore/platform/Pasteboard.cpp: * Source/WebCore/platform/Pasteboard.h: (WebCore::Pasteboard::bufferConvertedToPasteboardType): * Source/WebCore/platform/PlatformPasteboard.h: * Source/WebCore/platform/ios/PlatformPasteboardIOS.mm: (WebCore::PlatformPasteboard::bufferForType const): * Source/WebCore/platform/mac/PasteboardMac.mm: (WebCore::Pasteboard::bufferConvertedToPasteboardType): Perform the conversion to TIFF using CoreGraphics in the Web process. * Source/WebCore/platform/mac/PlatformPasteboardMac.mm: (WebCore::PlatformPasteboard::bufferForType const): When requesting `NSTIFFPboardType`, and an image source is available on the pasteboard, return the original data and the original type, rather than performing image conversion. 
(WebCore::PlatformPasteboard::readBuffer const): * Source/WebKit/Scripts/webkit/messages.py: (headers_for_type): * Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm: (WebKit::WebPasteboardProxy::getPasteboardBufferForType): * Source/WebKit/UIProcess/WebPasteboardProxy.h: * Source/WebKit/UIProcess/WebPasteboardProxy.messages.in: * Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp: (WebKit::WebPlatformStrategies::bufferForType): * Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm: (WebPlatformStrategies::bufferForType): * Tools/WebKitTestRunner/mac/WebKitTestRunnerPasteboard.mm: (-[LocalPasteboard _dataWithoutConversionForType:securityScoped:]): Override `_dataWithoutConversionForType:securityScoped:` since the custom subclass used for testing does not account for pasteboard generation and simply overrides `dataForType:`. Without this implementation, the change would result in a call to the base class and crash in `CFPasteboardGetGenerationCount`. Canonical link: https://commits.webkit.org/267815.441@safari-7617-branch Canonical link: https://commits.webkit.org/266719.170@webkitglib/2.42 Commit: f44dbee955b52c4787e2352845a5e5f0d6c7b509 https://github.com/WebKit/WebKit/commit/f44dbee955b52c4787e2352845a5e5f0d6c7b509 Author: Youenn Fablet <youe...@gmail.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_svc_layercontext.c Log Message: ----------- Cherry-pick 267815.443@safari-7617-branch (0528644ffe6b). rdar://117146735 Potential 'overflow' issue commited to upstream libvpx as e4db6c3aacb3fbcbb939f132915234988f8617c1 rdar://117146735 Reviewed by Eric Carlson. We cherry-pick the changes of https://github.com/webmproject/libvpx/commit/e4db6c3aacb3fbcbb939f132915234988f8617c1, except for the test part which does not apply cleanly. 
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c: (vp9_rc_update_framerate): * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_svc_layercontext.c: (vp9_update_layer_context_change_config): (vp9_update_temporal_layer_framerate): (vp9_update_spatial_layer_framerate): Canonical link: https://commits.webkit.org/267815.443@safari-7617-branch Canonical link: https://commits.webkit.org/266719.171@webkitglib/2.42 Commit: 7ddf412f70c899f9a70549d64bb0536ea2b003e2 https://github.com/WebKit/WebKit/commit/7ddf412f70c899f9a70549d64bb0536ea2b003e2 Author: Youenn Fablet <youe...@gmail.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt A LayoutTests/webrtc/processIceTransportStateChange-gc.html M Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp M Source/WebCore/Modules/mediastream/RTCIceTransport.cpp M Source/WebCore/Modules/mediastream/RTCIceTransport.h Log Message: ----------- Cherry-pick 267815.446@safari-7617-branch (8be2b8b167a1). rdar://117526483 Use-after-free in RTCPeerConnection::processIceTransportStateChange rdar://117526483 Reviewed by Jean-Yves Avenard. RTCIceTransport is calling RTCPeerConnection::processIceTransportStateChange without protecting its RTCPeerConnection. processIceTransportStateChange can trigger JS execution so we need to protect the RTCPeerConnection. Make RTCIceTransport do so, and update RTCIceTransport connection getter to return a RefPtr instead of a raw pointer. * LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt: Added. * LayoutTests/webrtc/processIceTransportStateChange-gc.html: Added. 
* Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp: (WebCore::RTCDtlsTransport::onStateChanged): * Source/WebCore/Modules/mediastream/RTCIceTransport.cpp: (WebCore::RTCIceTransport::onStateChanged): * Source/WebCore/Modules/mediastream/RTCIceTransport.h: (WebCore::RTCIceTransport::connection const): Canonical link: https://commits.webkit.org/267815.446@safari-7617-branch Canonical link: https://commits.webkit.org/266719.172@webkitglib/2.42 Commit: ac8dad388db6575c658c39bd3485220dc3e2d037 https://github.com/WebKit/WebKit/commit/ac8dad388db6575c658c39bd3485220dc3e2d037 Author: Mark Lam <mark....@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html M Source/WebCore/bindings/js/SerializedScriptValue.cpp Log Message: ----------- Cherry-pick 267815.459@safari-7617-branch (ce6d953127cf). https://bugs.webkit.org/show_bug.cgi?id=263794 The deserializer should fail properly if it cannot materialize ArrayBufferViews. https://bugs.webkit.org/show_bug.cgi?id=263794 rdar://117572216 Reviewed by Sihui Liu and Keith Miller. * LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt: Added. * LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html: Added. * Source/WebCore/bindings/js/SerializedScriptValue.cpp: (WebCore::CloneDeserializer::readArrayBufferViewImpl): Canonical link: https://commits.webkit.org/267815.459@safari-7617-branch Canonical link: https://commits.webkit.org/266719.173@webkitglib/2.42 Commit: 40a5e9743276f1a08f123ea7b8770049c81e8fe3 https://github.com/WebKit/WebKit/commit/40a5e9743276f1a08f123ea7b8770049c81e8fe3 Author: Tyler Wilcock <tyle...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm Log Message: ----------- Cherry-pick 267815.468@safari-7617-branch (4fce5d70c3d6). 
rdar://117556782 AX: Nullptr deref of AXObjectCache in AccessibilityObject::contentForRange rdar://117556782 Reviewed by Chris Fleizach. * Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm: (WebCore::AccessibilityObject::contentForRange const): Null-check AXObjectCache before using it to prevent a rare crash. Canonical link: https://commits.webkit.org/267815.468@safari-7617-branch Canonical link: https://commits.webkit.org/266719.174@webkitglib/2.42 Commit: db46056004ae04cf73577c49890a7d3c195bff7b https://github.com/WebKit/WebKit/commit/db46056004ae04cf73577c49890a7d3c195bff7b Author: Tyler Wilcock <tyle...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/WebCore/accessibility/AccessibilityNodeObject.cpp Log Message: ----------- Cherry-pick 267815.479@safari-7617-branch (bb2e66a677f1). rdar://117640053 AccessibilityNodeObject::determineAccessibilityRoleFromNode needs to null-check node before using it rdar://117640053 Reviewed by Chris Fleizach and Ryosuke Niwa. It's possible for AccessibilityNodeObject::m_node (which is a WeakPtr) to get destroyed in the middle of determineAccessibilityRoleFromNode, meaning subsequent node()->foo accesses will cause a nullptr deref. Use a RefPtr to keep the node alive until the end of this function, so that after we null-check it once we know it's valid until we exit. 
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp: (WebCore::AccessibilityNodeObject::determineAccessibilityRoleFromNode const): Canonical link: https://commits.webkit.org/267815.479@safari-7617-branch Canonical link: https://commits.webkit.org/266719.175@webkitglib/2.42 Commit: 03ed5c15b877b82fce5a3457c55c71a27d43377c https://github.com/WebKit/WebKit/commit/03ed5c15b877b82fce5a3457c55c71a27d43377c Author: Matthew Finkel <sys...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document-expected.txt A LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document.html A LayoutTests/http/tests/security/resources/popup-watchid.html Log Message: ----------- Cherry-pick 267815.490@safari-7617-branch (837e69390e41). https://bugs.webkit.org/show_bug.cgi?id=263277 Add test for Geolocation WatchID https://bugs.webkit.org/show_bug.cgi?id=263277 rdar://8731258 Reviewed by David Kilzer. Add a test that confirms the Geolocation WatchID is unique per document. * LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document-expected.txt: Added. * LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document.html: Added. * LayoutTests/http/tests/security/resources/popup-watchid.html: Added. Canonical link: https://commits.webkit.org/267815.490@safari-7617-branch Canonical link: https://commits.webkit.org/266719.176@webkitglib/2.42 Commit: 26d33963becb513d830c2540d4ea8322eb35a3bf https://github.com/WebKit/WebKit/commit/26d33963becb513d830c2540d4ea8322eb35a3bf Author: Chris Dumez <cdu...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp Log Message: ----------- Cherry-pick 267815.314@safari-7617-branch (80d2fe008437). 
https://bugs.webkit.org/show_bug.cgi?id=263254 Fix bad capture by reference in CDMInstanceSessionClearKey::loadSession() https://bugs.webkit.org/show_bug.cgi?id=263254 rdar://117061886 Reviewed by Brent Fulgham. Fix bad capture by reference in an asynchronous callback in CDMInstanceSessionClearKey::loadSession(). * Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp: (WebCore::CDMInstanceSessionClearKey::loadSession): Canonical link: https://commits.webkit.org/267815.314@safari-7617-branch Canonical link: https://commits.webkit.org/266719.177@webkitglib/2.42 Commit: af483cdbdc8ee9644a91b79678aadd6808db16e4 https://github.com/WebKit/WebKit/commit/af483cdbdc8ee9644a91b79678aadd6808db16e4 Author: Andy Estes <aes...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html M Source/WebCore/dom/FullscreenManager.cpp Log Message: ----------- Cherry-pick 267815.332@safari-7617-branch (dc44d44d42fd). https://bugs.webkit.org/show_bug.cgi?id=263140 Use-after-free in FullscreenManager::requestFullscreenForElement https://bugs.webkit.org/show_bug.cgi?id=263140 rdar://116736343 Reviewed by Chris Dumez. Calling DeferredPromise::reject from the failedPreflights lambda in FullscreenManager::requestFullscreenForElement may cause the Document that owns the FullscreenManager to be deallocated, resulting in a use-after-free when the document is accessed again after rejecting the promise. Resolved this by keeping a Ref to m_document for the lifetime of the failedPreflights lambda. Added a layout test. * LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt: Added. * LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html: Added. 
* Source/WebCore/dom/FullscreenManager.cpp: (WebCore::FullscreenManager::requestFullscreenForElement): Canonical link: https://commits.webkit.org/267815.332@safari-7617-branch Canonical link: https://commits.webkit.org/266719.178@webkitglib/2.42 Commit: a909b207e0dd795c67fe674b244d90a3f5484f7f https://github.com/WebKit/WebKit/commit/a909b207e0dd795c67fe674b244d90a3f5484f7f Author: Alan Baradlay <za...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M LayoutTests/TestExpectations A LayoutTests/fast/text/zero-height-first-line-assert-expected.txt A LayoutTests/fast/text/zero-height-first-line-assert.html M Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp M Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContentBuilder.cpp Log Message: ----------- Cherry-pick 267815.333@safari-7617-branch (c1a2b21f2532). https://bugs.webkit.org/show_bug.cgi?id=263222 [IFC] Demote partial invalidation to full damage when computed damage extent is inconsistent https://bugs.webkit.org/show_bug.cgi?id=263222 <rdar://117017324> Reviewed by Antti Koivisto. Fall back to full layout when we computed inconsistent damage extent. (It could happen when previous layouts produced corrupt line content e.g. line with no boxes other than the root inline box). * LayoutTests/fast/text/zero-height-first-line-assert-expected.txt: Added. * LayoutTests/fast/text/zero-height-first-line-assert.html: Added. 
* Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp: (WebCore::Layout::leadingContentDisplayForLineIndex): (WebCore::Layout::InlineInvalidation::updateInlineDamage): * Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContentBuilder.cpp: (WebCore::LayoutIntegration::InlineContentBuilder::build const): Canonical link: https://commits.webkit.org/267815.333@safari-7617-branch Canonical link: https://commits.webkit.org/266719.179@webkitglib/2.42 Commit: b2414972d8326b7d4a8b84bcf0ee1ffaacceab96 https://github.com/WebKit/WebKit/commit/b2414972d8326b7d4a8b84bcf0ee1ffaacceab96 Author: Michael Saboff <msab...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A JSTests/stress/arrow-function-captured-arguments-aliased.js M Source/JavaScriptCore/bytecode/CodeBlock.cpp M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm M Source/JavaScriptCore/runtime/GetPutInfo.h M Source/JavaScriptCore/runtime/ScopedArguments.h M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h M Source/JavaScriptCore/runtime/SymbolTable.cpp M Source/JavaScriptCore/runtime/SymbolTable.h Log Message: ----------- Cherry-pick 267815.345@safari-7617-branch (99b8814b73d1). https://bugs.webkit.org/show_bug.cgi?id=261934 Scoped Arguements needs to alias between named and unnamed accesses and across nested scopes https://bugs.webkit.org/show_bug.cgi?id=261934 rdar://114925088 Reviewed by Yusuke Suzuki. Fixed issue where an access to a named argument and a seperate access via its argument[i] counterpart weren't recognized throughout all JIT tiers as accesses to the same scoped value. The DFG bytecode parser can unknowingly constant fold the read access. 
Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values. related objects Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the ScopedArgument entry for the matching index. Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization initialization type in GetPutInfo to signify this shared watchpoint case. Since currently all tiers write to scoped arguments via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint. Added a new test. * JSTests/stress/arrow-function-captured-arguments-aliased.js: New test. (createOptAll): (createOpt500): (createOpt2000): (createOpt5000): (main): * Source/JavaScriptCore/bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm: * Source/JavaScriptCore/llint/LowLevelInterpreter64.asm: * Source/JavaScriptCore/runtime/GetPutInfo.h: (JSC::initializationModeName): (JSC::isInitialization): * Source/JavaScriptCore/runtime/ScopedArguments.h: * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp: (JSC::ScopedArgumentsTable::tryCreate): (JSC::ScopedArgumentsTable::tryClone): (JSC::ScopedArgumentsTable::trySetLength): (JSC::ScopedArgumentsTable::trySetWatchpointSet): * Source/JavaScriptCore/runtime/ScopedArgumentsTable.h: * Source/JavaScriptCore/runtime/SymbolTable.h: Canonical link: https://commits.webkit.org/267815.345@safari-7617-branch Canonical link: https://commits.webkit.org/266719.180@webkitglib/2.42 Commit: 9446aed9a716340695e403a8e44e36ba75a81131 https://github.com/WebKit/WebKit/commit/9446aed9a716340695e403a8e44e36ba75a81131 Author: Mark Lam <mark....@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M 
Source/JavaScriptCore/heap/PreciseAllocation.cpp M Source/JavaScriptCore/heap/PreciseAllocation.h Log Message: ----------- Cherry-pick 267815.112@safari-7617-branch (6ea412c32f09). https://bugs.webkit.org/show_bug.cgi?id=262011 Adjust PreciseAllocation alignment offset to also factor in cache line alignment requirements. https://bugs.webkit.org/show_bug.cgi?id=262011 rdar://115959633 Reviewed by Keith Miller. We should ensure that the JSObject header word and its butterfly are always in the same cache line. See radar for details. All JSObjects are either allocated out of a MarkedBlock or as a PreciseAllocation. All MarkedBlock allocations are aligned on 16 byte boundaries (the MarkedBlock::atomSize). This means that it’s impossible to get this condition with a MarkedBlock allocated object. For PreciseAllocations, each allocation is preceded by a PreciseAllocation header (which is currently 96 bytes in size), and a 8 to 16 byte padding depending on what is need to get the resultant object start address to start on an odd 8 byte boundary (i.e. but 3 is set). With PreciseAllocations, depending on the size of the allocation and what memory slot the allocation comes from, there is a way to get the JSObject header and butterfly to span across a cache line boundary. This patch prevents this by dynamically adjusting the alignment padding at the start of the PreciseAllocation to ensure that the start address of the JSObject always lands at a spot where the header and butterfly does not span a cache line boundary. 
* Source/JavaScriptCore/heap/PreciseAllocation.cpp: (JSC::dataCacheLineSize): (JSC::isAlignedForPreciseAllocation): (JSC::isCacheAlignedForPreciseAllocation): (JSC::PreciseAllocation::tryCreate): (JSC::PreciseAllocation::tryReallocate): (JSC::PreciseAllocation::tryCreateForLowerTier): (JSC::PreciseAllocation::reuseForLowerTier): (JSC::PreciseAllocation::PreciseAllocation): * Source/JavaScriptCore/heap/PreciseAllocation.h: (JSC::PreciseAllocation::headerSize): (JSC::PreciseAllocation::basePointer const): Canonical link: https://commits.webkit.org/267815.112@safari-7617-branch Canonical link: https://commits.webkit.org/266719.181@webkitglib/2.42 Commit: 3af62222ff09de7879c7bf1c98fa38d33237e390 https://github.com/WebKit/WebKit/commit/3af62222ff09de7879c7bf1c98fa38d33237e390 Author: nishajain61 <nisha_j...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A LayoutTests/fast/text/crash-letter-spacing-infinite-expected.html A LayoutTests/fast/text/crash-letter-spacing-infinite.html A LayoutTests/fast/text/crash-word-spacing-infinite-expected.html A LayoutTests/fast/text/crash-word-spacing-infinite.html M Source/WebCore/platform/graphics/FontCascade.h Log Message: ----------- Cherry-pick 267815.115@safari-7617-branch (935e894057d7). https://bugs.webkit.org/show_bug.cgi?id=264327 rdar://115423166 (jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(widthForLargestKnownToFit <= maxWidth); in WebCore::truncateString(...)) rdar://115423166 Reviewed by Myles C. Maxfield. 
letterSpacing API needs to be able to handle NaN value Signed-off-by: nishajain61 <nisha_j...@apple.com> Canonical link: https://commits.webkit.org/267815.115@safari-7617-branch Canonical link: https://commits.webkit.org/266719.182@webkitglib/2.42 Commit: a7a75cad4a5dacb2844d56f8192007db61012237 https://github.com/WebKit/WebKit/commit/a7a75cad4a5dacb2844d56f8192007db61012237 Author: Yusuke Suzuki <ysuz...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/JavaScriptCore/b3/B3ReduceStrength.cpp M Source/JavaScriptCore/b3/testb3.h M Source/JavaScriptCore/b3/testb3_1.cpp M Source/JavaScriptCore/b3/testb3_5.cpp Log Message: ----------- Cherry-pick 267815.118@safari-7617-branch (3e7f362d98b7). https://bugs.webkit.org/show_bug.cgi?id=262224 [JSC] Wrong B3 range analysis on 64-bit values https://bugs.webkit.org/show_bug.cgi?id=262224 rdar://115897433 Reviewed by Mark Lam. This patch fixes B3's range analysis. When using 64bit value, we should use INT64_MIN / INT64_MAX instead of INT_MIN / INT_MAX. We use std::numeric_limits to make it work. We also adjust `+ 1` check to avoid potential UB. 
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp: * Source/JavaScriptCore/b3/testb3.h: * Source/JavaScriptCore/b3/testb3_1.cpp: (run): * Source/JavaScriptCore/b3/testb3_5.cpp: (testCheckAdd64Range): Canonical link: https://commits.webkit.org/267815.118@safari-7617-branch Canonical link: https://commits.webkit.org/266719.183@webkitglib/2.42 Commit: 154565ddd36b09250d50134b968afc9f735d0dcc https://github.com/WebKit/WebKit/commit/154565ddd36b09250d50134b968afc9f735d0dcc Author: Yusuke Suzuki <ysuz...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/JavaScriptCore/runtime/ArrayBufferView.h M Source/JavaScriptCore/runtime/DataView.cpp M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h M Source/JavaScriptCore/runtime/JSDataView.cpp M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h Log Message: ----------- Cherry-pick 267815.120@safari-7617-branch (ac9f4e07603c). https://bugs.webkit.org/show_bug.cgi?id=262338 [JSC] Add extra hardening about incorrectly configured shared growable typed array view https://bugs.webkit.org/show_bug.cgi?id=262338 rdar://116168654 Reviewed by Mark Lam. This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue. This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined in the current process. Given that the attacker is already getting a way to create arbitrary serialized data, probably this does not add much additionally, but just adding hardening for now as an extra safety. 
* Source/JavaScriptCore/runtime/ArrayBufferView.h: (JSC::ArrayBufferView::verifySubRangeLength): * Source/JavaScriptCore/runtime/DataView.cpp: (JSC::DataView::wrappedAs): * Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h: (JSC::GenericTypedArrayView<Adaptor>::tryCreate): (JSC::GenericTypedArrayView<Adaptor>::wrappedAs): * Source/JavaScriptCore/runtime/JSDataView.cpp: (JSC::JSDataView::create): * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView<Adaptor>::create): Canonical link: https://commits.webkit.org/267815.120@safari-7617-branch Canonical link: https://commits.webkit.org/266719.184@webkitglib/2.42 Commit: 985fc350636c2ea3ee35146185bde8651f7c6eb8 https://github.com/WebKit/WebKit/commit/985fc350636c2ea3ee35146185bde8651f7c6eb8 Author: David Kilzer <ddkil...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M Source/WebCore/dom/DocumentFragment.h M Source/WebCore/dom/Node.h M Source/WebCore/dom/XMLDocument.cpp M Source/WebCore/dom/XMLDocument.h M Source/WebCore/testing/js/WebCoreTestSupport.cpp M Source/WebCore/testing/js/WebCoreTestSupport.h Log Message: ----------- Cherry-pick 267815.149@safari-7617-branch (9bc754a9deaf). https://bugs.webkit.org/show_bug.cgi?id=264327 Add test function for WebCore::DocumentFragment::parseXML https://bugs.webkit.org/show_bug.cgi?id=262426 <rdar://116267317> Reviewed by Darin Adler. * Source/WebCore/dom/DocumentFragment.h: (WebCore::DocumentFragment::parseXML): - Export method for WebCoreTestSupport. * Source/WebCore/dom/Node.h: (WebCore::Node::eventTargetInterface): - Drive-by fix to comment. * Source/WebCore/dom/XMLDocument.cpp: (WebCore::XMLDocument::createXHTML): Add. - Move implementation into source file. * Source/WebCore/dom/XMLDocument.h: (WebCore::XMLDocument::createXHTML): - Change to exported method declaration. * Source/WebCore/testing/js/WebCoreTestSupport.cpp: (WebCoreTestSupport::testDocumentFragmentParseXML): Add. - Add test method. 
* Source/WebCore/testing/js/WebCoreTestSupport.h: (WebCoreTestSupport::testDocumentFragmentParseXML): Add. Canonical link: https://commits.webkit.org/267815.149@safari-7617-branch Canonical link: https://commits.webkit.org/266719.185@webkitglib/2.42 Commit: 4355f5aa8130f4b02f414c296e763c18c37bcb93 https://github.com/WebKit/WebKit/commit/4355f5aa8130f4b02f414c296e763c18c37bcb93 Author: nishajain61 <nisha_j...@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: A LayoutTests/cssom/crash-font-family-invalid-expected.html A LayoutTests/cssom/crash-font-family-invalid.html M Source/WebCore/style/StyleBuilderCustom.h Log Message: ----------- Cherry-pick 267815.169@safari-7617-branch (6834321e777d). https://bugs.webkit.org/show_bug.cgi?id=262487 jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x')) https://bugs.webkit.org/show_bug.cgi?id=262487 rdar://115283280 Reviewed by Chris Dumez. Invalid CSS value for CSS "Font-family" property has to be handled by returning instead of causing ASSERT. Test: cssom/crash-font-family-invalid.html * Source/WebCore/style/StyleBuilderCustom.h: (BuilderCustom::applyValueFontFamily) : Replaced 'ASSERT' with 'return' while handling "Font-family" property. * LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file. * LayoutTests/cssom/crash-font-family-invalid.html: Added test case. Canonical link: https://commits.webkit.org/267815.169@safari-7617-branch Canonical link: https://commits.webkit.org/266719.186@webkitglib/2.42 Commit: b3c358d4525aec3be45a32e22c25b2c71fc1f3b4 https://github.com/WebKit/WebKit/commit/b3c358d4525aec3be45a32e22c25b2c71fc1f3b4 Author: Mark Lam <mark....@apple.com> Date: 2023-12-13 (Wed, 13 Dec 2023) Changed paths: M LayoutTests/fast/storage/serialized-script-value.html M Source/WebCore/bindings/js/SerializedScriptValue.cpp Log Message: ----------- Cherry-pick 267815.202@safari-7617-branch (401705903095). 
https://bugs.webkit.org/show_bug.cgi?id=262616

An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413

Reviewed by Keith Miller, Sihui Liu and Chris Dumez.

CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of the indexed property section of an Array. However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD, which is less than MAX_ARRAY_INDEX (0xFFFFFFFE), i.e. an index of 0xFFFFFFFD can be confused for the NonIndexPropertiesTag, resulting in type confusion.

This patch changes the structure of a serialized Array to always terminate its indexed property section with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another TerminatorTag. The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the presence of a non-indexed properties section. The presence of a TerminatorTag immediately after the 1st TerminatorTag indicates that the non-indexed properties section is empty.

Also updated the comment describing the shape of a serialized Array, and rebased a test.

* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):

Canonical link: https://commits.webkit.org/267815.202@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.187@webkitglib/2.42


Commit: b80ac5cb701ae61a6c75adbbd2609b5e49c80ee7
https://github.com/WebKit/WebKit/commit/b80ac5cb701ae61a6c75adbbd2609b5e49c80ee7
Author: Justin Michaud <justin_mich...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A JSTests/wasm/stress/bbq-parallel-move.js
  M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

Log Message:
-----------
Cherry-pick 267815.223@safari-7617-branch (3c476842d24c).
https://bugs.webkit.org/show_bug.cgi?id=262222

BBQJIT if conditions are very wrong
https://bugs.webkit.org/show_bug.cgi?id=262222
rdar://problem/116145012

Reviewed by Keith Miller.

BBQJIT if conditions are very wrong. By random chance, the condition value happens to be allocated in nonPreservedNonArgumentGPR1, but if you use more than 8 registers, we end up just reading a completely random value. Let's not do that.

We also add some extra debugging assertions for parallel move. These shouldn't ever actually be hit, but they help us avoid a potential problem in the future if we make BBQ register allocation smarter.

Finally, we allow allocating eax on x86, and fix some bugs surrounding if/else as a result.

* JSTests/wasm/stress/bbq-parallel-move.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test.):
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::ControlData::ControlData):
(JSC::Wasm::BBQJIT::addIf):
(JSC::Wasm::BBQJIT::emitIndirectCall):
(JSC::Wasm::BBQJIT::emitShuffle):

Canonical link: https://commits.webkit.org/267815.223@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.188@webkitglib/2.42


Commit: cb664fb1a65f24cddcdcc95f2509767fb23f73f6
https://github.com/WebKit/WebKit/commit/cb664fb1a65f24cddcdcc95f2509767fb23f73f6
Author: Erica Li <ler...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt
  A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html
  M Source/WebCore/loader/FrameLoader.cpp

Log Message:
-----------
Cherry-pick 267815.226@safari-7617-branch (20bb95c77d7c). https://bugs.webkit.org/show_bug.cgi?id=262292 rdar://110000099

(jsc_fuz/wktr: invalid message WebPasteboardProxy_GetPasteboardChangeCount)
https://bugs.webkit.org/show_bug.cgi?id=262292
rdar://110000099

Reviewed by Wenson Hsieh.

Disable copy paste for beforeunload event.

* LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt: Added.
* LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::ForbidCopyPasteScope::ForbidCopyPasteScope):
(WebCore::ForbidCopyPasteScope::~ForbidCopyPasteScope):
(WebCore::FrameLoader::dispatchBeforeUnloadEvent):

Canonical link: https://commits.webkit.org/267815.226@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.189@webkitglib/2.42


Commit: d8661f82488c8202db34f543c5c5a8c2093ac107
https://github.com/WebKit/WebKit/commit/d8661f82488c8202db34f543c5c5a8c2093ac107
Author: Mark Lam <mark....@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  M Source/JavaScriptCore/assembler/AssemblerBuffer.h
  M Source/WTF/wtf/PtrTag.h

Log Message:
-----------
Cherry-pick 267815.228@safari-7617-branch (4eda4ebd52c1). https://bugs.webkit.org/show_bug.cgi?id=262938

ARM64EHash should be using the PAC DA key instead of DB.
https://bugs.webkit.org/show_bug.cgi?id=262938
rdar://116679398

Reviewed by Justin Michaud.

Currently, it uses the PAC DB key. However, the PAC DB key is already used for the PACCage for protecting TypedArray vector pointers. Using the PAC DA key instead would ensure that there is no collision between the "namespace"s of PACCage pointers and ARM64EHash intermediate values.

* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
* Source/WTF/wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):

Canonical link: https://commits.webkit.org/267815.228@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.190@webkitglib/2.42


Commit: 3f264123d1e8aea85d25a73816ca24adba8a5c91
https://github.com/WebKit/WebKit/commit/3f264123d1e8aea85d25a73816ca24adba8a5c91
Author: Chris Dumez <cdu...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  M Source/WebCore/bindings/js/SerializedScriptValue.cpp

Log Message:
-----------
Cherry-pick 267815.245@safari-7617-branch (bf21fed44b35). https://bugs.webkit.org/show_bug.cgi?id=262921

CloneDeserializer::readTerminal() should fail decoding if tag is not exposed to current JS context
https://bugs.webkit.org/show_bug.cgi?id=262921
rdar://115756703

Reviewed by Mark Lam.

In 265678@main, I added a check to make sure the type getting deserialized was exposed to the current JS context (e.g. audio worklet contexts don't have access to many of the types that Window contexts do). I added an early return when detecting this but failed to call `fail()` to explicitly fail decoding.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):

Canonical link: https://commits.webkit.org/267815.245@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.191@webkitglib/2.42


Commit: 4a95479db48214e9e166461405ca13c1c731e92a
https://github.com/WebKit/WebKit/commit/4a95479db48214e9e166461405ca13c1c731e92a
Author: Chris Dumez <cdu...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https-expected.txt
  A LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https.html
  M Source/WebCore/Headers.cmake
  M Source/WebCore/Modules/web-locks/WebLock.h
  M Source/WebCore/Modules/web-locks/WebLockManager.cpp
  M Source/WebCore/WebCore.xcodeproj/project.pbxproj
  M Source/WebKit/UIProcess/WebLockRegistryProxy.cpp

Log Message:
-----------
Cherry-pick 267815.246@safari-7617-branch (85aba6be5983). https://bugs.webkit.org/show_bug.cgi?id=262920

Restrict the length of requested web locks names
https://bugs.webkit.org/show_bug.cgi?id=262920
rdar://116189077

Reviewed by Brent Fulgham.

Restrict the length of requested web locks names to prevent abuse.

* LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https-expected.txt: Added.
* LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https.html: Added.
* Source/WebCore/Headers.cmake:
* Source/WebCore/Modules/web-locks/WebLock.h:
* Source/WebCore/Modules/web-locks/WebLockManager.cpp:
(WebCore::WebLockManager::request):
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebKit/UIProcess/WebLockRegistryProxy.cpp:
(WebKit::WebLockRegistryProxy::requestLock):

Canonical link: https://commits.webkit.org/267815.246@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.192@webkitglib/2.42


Commit: 94ceb11f89b2460f63a91d05f6f8410a0a6aac3b
https://github.com/WebKit/WebKit/commit/94ceb11f89b2460f63a91d05f6f8410a0a6aac3b
Author: Matt Woodrow <mattwood...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/fast/canvas/offscreen-giant-expected.html
  A LayoutTests/fast/canvas/offscreen-giant.html
  M LayoutTests/platform/mac-monterey/TestExpectations
  M Source/WebCore/platform/graphics/ca/cocoa/GraphicsLayerAsyncContentsDisplayDelegateCocoa.mm
  M Source/WebKit/Platform/SharedMemory.h
  M Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h
  M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h
  M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm
  M Source/WebKit/Shared/ShareableBitmap.h
  M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm
  M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h
  M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm

Log Message:
-----------
Cherry-pick 267815.262@safari-7617-branch (8ac19464ff91). https://bugs.webkit.org/show_bug.cgi?id=264327

jsc_fuz/wktr: null ptr deref in WebCore::GraphicsLayerAsyncContentsDisplayDelegateCocoa::tryCopyToLayer(WebCore::ImageBuffer&)
https://bugs.webkit.org/show_bug.cgi?id=262640
<rdar://115497296>

Reviewed by Kimmo Kinnunen.

This adds support for setDelegatedContents on a PlatformCALayerRemote having a generic ImageBufferBackendHandle (which includes shared memory), instead of only MachSendRight.
Adds an explicit copy constructor to SharedMemoryHandle, UnixFileDescriptor and CGDisplayList to match MachSendRight and make this possible.

Also switches Protection::ReadWrite to Protection::ReadOnly for the RemoteLayerBackingStore callers, since we were already using this for tryCopyToLayer, and we need the ::map() call in the UI process to not try to ask for extra permissions.

* Source/WTF/wtf/unix/UnixFileDescriptor.h:
(WTF::UnixFileDescriptor::UnixFileDescriptor):
* Source/WebKit/Platform/SharedMemory.h:
* Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:
(WebKit::RemoteLayerBackingStore::encode const):
(WebKit::RemoteLayerBackingStore::setDelegatedContents):
(WebKit::RemoteLayerBackingStoreProperties::layerContentsBufferFromBackendHandle):
* Source/WebKit/Shared/ShareableBitmap.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm:
(WebKit::PlatformCALayerRemote::setDelegatedContents):
(WebKit::PlatformCALayerRemote::setRemoteDelegatedContents):

Canonical link: https://commits.webkit.org/267815.262@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.193@webkitglib/2.42


Commit: 639298fab982cd8666b7c516316edfc50f402b36
https://github.com/WebKit/WebKit/commit/639298fab982cd8666b7c516316edfc50f402b36
Author: Youenn Fablet <youe...@gmail.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
  A LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
  M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp

Log Message:
-----------
Cherry-pick 267815.265@safari-7617-branch (aa715fb68472).
https://bugs.webkit.org/show_bug.cgi?id=262955

jsc_fuz/wktr: heap-buffer-overflow in WebCore::WebCodecsVideoFrame::copyTo(...) WebCodecsVideoFrame.cpp:488
https://bugs.webkit.org/show_bug.cgi?id=262955
rdar://115835656

Reviewed by Eric Carlson.

We add a check that x and y are positive or zero. Otherwise, we might still pass the check that the total width or height is below the codedWidth/codedHeight, while it is not.

* LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect.html: Added.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
(WebCore::parseVisibleRect):

Canonical link: https://commits.webkit.org/267815.265@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.194@webkitglib/2.42


Commit: 937ce54230a1cfc9d6cdffdaec3f2bc273c29e4b
https://github.com/WebKit/WebKit/commit/937ce54230a1cfc9d6cdffdaec3f2bc273c29e4b
Author: Chris Dumez <cdu...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/fast/events/document-destruction-during-event-firing-crash-expected.txt
  A LayoutTests/fast/events/document-destruction-during-event-firing-crash.html
  M Source/WebCore/dom/EventTarget.cpp

Log Message:
-----------
Cherry-pick 267815.272@safari-7617-branch (fc0cce085a99). https://bugs.webkit.org/show_bug.cgi?id=263029

Use-after-free crash under EventTarget::innerInvokeEventListeners()
https://bugs.webkit.org/show_bug.cgi?id=263029
rdar://116802026

Reviewed by Ryosuke Niwa.

Make sure we keep the script execution context alive by holding it in a Ref<>.

* LayoutTests/fast/events/document-destruction-during-event-firing-crash-expected.txt: Added.
* LayoutTests/fast/events/document-destruction-during-event-firing-crash.html: Added.
* Source/WebCore/dom/EventTarget.cpp:
(WebCore::EventTarget::innerInvokeEventListeners):

Canonical link: https://commits.webkit.org/267815.272@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.195@webkitglib/2.42


Commit: 423f54d638409d111534c668988202516b8b4e25
https://github.com/WebKit/WebKit/commit/423f54d638409d111534c668988202516b8b4e25
Author: Nicole Rosario <nicole_rosa...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/fast/css/create-columns-onload-crash-expected.txt
  A LayoutTests/fast/css/create-columns-onload-crash.html
  M Source/WebCore/style/StyleBuilderConverter.h

Log Message:
-----------
Cherry-pick 267815.304@safari-7617-branch (395cb173896a). rdar://115107618

jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) downcast(Source &) [Target = WebCore::CSSFunctionValue, Source = const WebCore::CSSValue]
rdar://115107618

Reviewed by Chris Dumez.

Downcast was attempted before ensuring type is correct, so added a typecheck before downcast.

* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::createGridTrackSize): added typecheck before downcast

Canonical link: https://commits.webkit.org/267815.304@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.196@webkitglib/2.42


Commit: 533055aea23269e8f723e7fb9437d8f618155ddb
https://github.com/WebKit/WebKit/commit/533055aea23269e8f723e7fb9437d8f618155ddb
Author: Sihui Liu <sihui_...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  M LayoutTests/fast/storage/serialized-script-value.html
  M Source/WebCore/bindings/js/SerializedScriptValue.cpp

Log Message:
-----------
Cherry-pick 267815.465@safari-7617-branch (9a56d2bb940b). rdar://117020274

J414s/23C25: 1Password extension does not work and keeps trying to open a blank new tab (Unhandled Promise Rejection: AbortError: IDBTransaction will abort due to uncaught exception in an event handler)
rdar://117020274

Reviewed by Mark Lam.
We updated the serialization format of SerializedScriptValue in rdar://117020274, but we didn't change the version number. This makes serialized values with the old format stored in IndexedDB databases no longer readable, as we are looking for the new format during deserialization.

* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):

Canonical link: https://commits.webkit.org/267815.465@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.197@webkitglib/2.42


Commit: f6cf3189dfe989c4031be838c76fa31a517d1864
https://github.com/WebKit/WebKit/commit/f6cf3189dfe989c4031be838c76fa31a517d1864
Author: Said Abou-Hallawa <s...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/svg/custom/pattern-nested-reference-expected.txt
  A LayoutTests/svg/custom/pattern-nested-reference.html
  M Source/WebCore/rendering/svg/RenderSVGResource.cpp
  M Source/WebCore/rendering/svg/RenderSVGResource.h
  M Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourceClipper.h
  M Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourceContainer.h
  M Source/WebCore/rendering/svg/RenderSVGResourceFilter.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourceFilter.h
  M Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourceGradient.h
  M Source/WebCore/rendering/svg/RenderSVGResourceMarker.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourceMarker.h
  M Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourceMasker.h
  M Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp
  M Source/WebCore/rendering/svg/RenderSVGResourcePattern.h
  M Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.h

Log Message:
-----------
Cherry-pick 267815.402@safari-7617-branch (46e35d6223f3).
https://bugs.webkit.org/show_bug.cgi?id=263349

Deeply nested SVG patterns can take a long time to invalidate the target element
https://bugs.webkit.org/show_bug.cgi?id=263349
(rdar://116532387)

Reviewed by Simon Fraser.

The resource's clients invalidation does not take into account the visited renderers. With nested SVG resources this invalidation can have an exponential complexity. This leads to DoS since loading the SVG or modifying its resources can take minutes to finish.

Skipping the visited renderers while invalidating the resource's clients should fix this problem. The complexity of the invalidation will be linear in this case.

* LayoutTests/svg/custom/pattern-nested-reference-expected.txt: Added.
* LayoutTests/svg/custom/pattern-nested-reference.html: Added.
* Source/WebCore/rendering/svg/RenderSVGResource.cpp:
(WebCore::RenderSVGResource::removeAllClientsFromCache):
(WebCore::removeFromCacheAndInvalidateDependencies):
(WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation):
(WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidationIfNeeded):
* Source/WebCore/rendering/svg/RenderSVGResource.h:
* Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp:
(WebCore::RenderSVGResourceClipper::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceClipper::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceClipper.h:
* Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp:
(WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):
(WebCore::RenderSVGResourceContainer::markAllClientsForInvalidationIfNeeded):
* Source/WebCore/rendering/svg/RenderSVGResourceContainer.h:
* Source/WebCore/rendering/svg/RenderSVGResourceFilter.cpp:
(WebCore::RenderSVGResourceFilter::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceFilter::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceFilter.h:
* Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp:
(WebCore::RenderSVGResourceGradient::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceGradient::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceGradient.h:
* Source/WebCore/rendering/svg/RenderSVGResourceMarker.cpp:
(WebCore::RenderSVGResourceMarker::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceMarker::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceMarker.h:
* Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp:
(WebCore::RenderSVGResourceMasker::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceMasker::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceMasker.h:
* Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp:
(WebCore::RenderSVGResourcePattern::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourcePattern::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourcePattern.h:
* Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.h:

Canonical link: https://commits.webkit.org/267815.402@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.198@webkitglib/2.42


Commit: 1c967d31b0908ee24ea4f0977fff00980448c675
https://github.com/WebKit/WebKit/commit/1c967d31b0908ee24ea4f0977fff00980448c675
Author: Dan Glastonbury <d...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp

Log Message:
-----------
Cherry-pick 267815.442@safari-7617-branch (d4e4706162ed). rdar://117540199

[ANGLE] Clear pending program linking in Context::onDestroy
rdar://117540199

Reviewed by Kimmo Kinnunen.

Cherry pick upstream ANGLE fix which clears the pending link earlier to avoid UAF.
Tested with ASAN build of /Volumes/WebKit/OpenSource/WebKitBuild/Debug/TestWebKitAPI --gtest_filter=GraphicsContextGLCocoaTest.TwoLinks

* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::onDestroy):

Canonical link: https://commits.webkit.org/267815.442@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.199@webkitglib/2.42


Commit: 5a108bdc41182b6c991585cd9544580712f65eeb
https://github.com/WebKit/WebKit/commit/5a108bdc41182b6c991585cd9544580712f65eeb
Author: Vitor Roriz <vitor.ro...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-expected.html
  A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-ref.html
  A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA.html
  M LayoutTests/platform/mac/fast/text/softbank-emoji-expected.txt
  M LayoutTests/platform/wpe/fast/text/softbank-emoji-expected.txt
  M Source/WebCore/css/CSSFontSelector.cpp
  M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
  M Source/WebCore/platform/graphics/FontRanges.cpp
  M Source/WebCore/platform/graphics/FontRanges.h
  M Source/WebCore/platform/graphics/coretext/FontCascadeCoreText.cpp
  M Source/WebCore/platform/text/CharacterProperties.h

Log Message:
-----------
Cherry-pick 267815.424@safari-7617-branch (8c7be2b8800b). https://bugs.webkit.org/show_bug.cgi?id=255629

Font fallback should ignore generic families for codepoints in PUA
https://bugs.webkit.org/show_bug.cgi?id=263261
rdar://115901340

Reviewed by Cameron McCormack.

According to spec: https://drafts.csswg.org/css-fonts-4/#char-handling-issues
"If a given character is a Private-Use Area Unicode codepoint, user agents must only match font families named in the font-family list that are not generic families.
If none of the families named in the font-family list contain a glyph for that codepoint, user agents must display some form of missing glyph symbol for that character rather than attempting installed font fallback for that codepoint."

We are currently not ignoring generic font families for font fallback when a code point is in the private-use area (PUA). This patch changes that.

Now FontRanges has a flag to signal that the Font represented by the FontRanges object came from a generic family. That way, we can skip it during font fallback when finding the glyph data for a codepoint that is in the private-use area. After attempting all user-specified font-families, if we couldn't find a font that can represent such a codepoint, we then use the .notdef glyph (glyph 0) and the last resort font of WebKit for it.

* LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-ref.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA.html: Added.
* LayoutTests/platform/mac/fast/text/softbank-emoji-expected.txt:
* LayoutTests/platform/wpe/fast/text/softbank-emoji-expected.txt:
* Source/WebCore/css/CSSFontSelector.cpp:
(WebCore::CSSFontSelector::fontRangesForFamily):
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::realizeNextFallback):
(WebCore::FontCascadeFonts::glyphDataForVariant):
(WebCore::FontCascadeFonts::glyphDataForCharacter):
* Source/WebCore/platform/graphics/FontRanges.cpp:
(WebCore::FontRanges::FontRanges):
(WebCore::FontRanges::glyphDataForCharacter const):
* Source/WebCore/platform/graphics/FontRanges.h:
(WebCore::FontRanges::isGeneric const):
* Source/WebCore/platform/graphics/WidthIterator.cpp:
(WebCore::WidthIterator::advanceInternal):
* Source/WebCore/platform/graphics/coretext/FontCascadeCoreText.cpp:
(WebCore::FontCascade::fontForCombiningCharacterSequence const):
* Source/WebCore/platform/text/CharacterProperties.h:
(WebCore::isPrivateUseAreaCharacter):

Canonical link: https://commits.webkit.org/267815.424@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.200@webkitglib/2.42


Commit: 055822103c0b2ab090e030756a819e01b6fa1d6e
https://github.com/WebKit/WebKit/commit/055822103c0b2ab090e030756a819e01b6fa1d6e
Author: Russell Epstein <repst...@apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)

Changed paths:
  A LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt
  A LayoutTests/fonts/font-cache-memory-pressure-crash.html
  M Source/WebCore/platform/graphics/FontCascadeFonts.cpp

Log Message:
-----------
Cherry-pick 267815.570@safari-7617.1.17.10-branch (0276f2cb8a40). https://bugs.webkit.org/show_bug.cgi?id=264737

Cherry-pick a595ddd8348d. rdar://117805319

Adding last resort font to System Font fallback set for PUA characters
https://bugs.webkit.org/show_bug.cgi?id=264737
rdar://117805319

Reviewed by Brent Fulgham.

Until now, when we are purging inactive font data, we would just clear the glyph page cache if we had to purge system fallback font.
This means that we consider that the glyph page cache would only point to fonts from the system font fallback. When we are handling Unicode characters in the Private-Use Area (PUA) block, we shouldn't fall back to system fonts searching for a font that can render it, per spec: https://www.w3.org/TR/css-fonts-4/#char-handling-issues

Instead, we render the glyph 0 with the last resort font. However, this font is just added to the custom font cache, and its font pointer in the Glyph Page cache is not cleared during memory pressure. We should add this font to the system font fallback set, to make sure that the associated font pointer is removed from the glyph page cache during memory pressure.

* LayoutTests/fonts/font-cache-memory-pressure-crash.html: Added.
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::FontCascadeFonts::glyphDataForVariant):
* LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt: Added.

Canonical link: https://commits.webkit.org/267815.567@safari-7617-branch
Canonical link: https://commits.webkit.org/267815.570@safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.201@webkitglib/2.42

Compare: https://github.com/WebKit/WebKit/compare/7f8b31e40740...055822103c0b

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
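A worked model of the layout change described in the CloneSerializer commit above ("An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag"), added here as an example; it is not WebKit code. The tag values are the ones that commit message quotes; the little-endian u32 fields, the length-prefixed keys and the sample arrays are constructed simplifications of the real wire format.

```cpp
// Added example (not WebKit code): toy model of the serialized Array layout before and after
// the fix. Tag values are from the commit message; the byte layout around them is constructed.
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <utility>
#include <vector>

namespace toyclone {

constexpr uint32_t TerminatorTag = 0xFFFFFFFF;         // never a legal array index
constexpr uint32_t NonIndexPropertiesTag = 0xFFFFFFFD; // < MAX_ARRAY_INDEX (0xFFFFFFFE): a legal index
struct ToyArray {  // sparse indexed entries plus named (non-index) properties
    std::map<uint32_t, uint32_t> indexed;
    std::vector<std::pair<std::string, uint32_t>> named;
    bool operator==(const ToyArray& o) const { return indexed == o.indexed && named == o.named; }
};
using Bytes = std::vector<uint8_t>;

static void putU32(Bytes& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
}
struct Reader {  // bounds-checked reader: a garbage length fails instead of overreading
    const Bytes& in; size_t pos = 0;
    std::optional<uint32_t> u32() {
        if (in.size() - pos < 4) return std::nullopt;
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(in[pos + i]) << (8 * i);
        pos += 4; return v;
    }
    std::optional<std::string> bytes(uint32_t n) {
        if (in.size() - pos < n) return std::nullopt;
        std::string s(in.begin() + pos, in.begin() + pos + n); pos += n; return s;
    }
};

// Indexed section: ([index][value])* ended by `sectionEnd`. The whole bug is which u32 plays
// that role: the OLD layout used NonIndexPropertiesTag, which a real index can equal.
static void putIndexed(Bytes& out, const ToyArray& a, uint32_t sectionEnd) {
    for (const auto& [index, value] : a.indexed) { putU32(out, index); putU32(out, value); }
    putU32(out, sectionEnd);
}
static bool readIndexed(Reader& r, ToyArray& a, uint32_t sectionEnd) {
    for (;;) {
        auto index = r.u32();
        if (!index) return false; if (*index == sectionEnd) return true;
        auto value = r.u32(); if (!value) return false;
        a.indexed[*index] = *value;
    }
}
static void putNamed(Bytes& out, const ToyArray& a) {  // ([keyLen][key][value])* TerminatorTag
    for (const auto& [key, value] : a.named) {
        putU32(out, uint32_t(key.size())); out.insert(out.end(), key.begin(), key.end()); putU32(out, value);
    }
    putU32(out, TerminatorTag);
}
static bool readNamed(Reader& r, ToyArray& a) {
    for (;;) {
        auto len = r.u32();
        if (!len) return false; if (*len == TerminatorTag) return true;
        auto key = r.bytes(*len); auto value = r.u32();
        if (!key || !value) return false;
        a.named.emplace_back(*key, *value);
    }
}

// OLD layout: <indexed ended by NonIndexPropertiesTag> <named>
Bytes encodeOld(const ToyArray& a) {
    Bytes out; putIndexed(out, a, NonIndexPropertiesTag); putNamed(out, a); return out;
}
std::optional<ToyArray> decodeOld(const Bytes& in) {
    Reader r{in}; ToyArray a;
    // A real index 0xFFFFFFFD ends the section early; its value bytes are then read as a key length.
    if (!readIndexed(r, a, NonIndexPropertiesTag) || !readNamed(r, a)) return std::nullopt;
    return a;
}

// NEW layout: <indexed ended by TerminatorTag>, then TerminatorTag (no named properties)
// or NonIndexPropertiesTag <named>. 0xFFFFFFFF can never be an index, so nothing is ambiguous.
Bytes encodeNew(const ToyArray& a) {
    Bytes out; putIndexed(out, a, TerminatorTag);
    if (a.named.empty()) { putU32(out, TerminatorTag); return out; }
    putU32(out, NonIndexPropertiesTag); putNamed(out, a); return out;
}
std::optional<ToyArray> decodeNew(const Bytes& in) {
    Reader r{in}; ToyArray a;
    if (!readIndexed(r, a, TerminatorTag)) return std::nullopt;  // 0xFFFFFFFD is stored like any index
    auto tag = r.u32(); if (!tag) return std::nullopt;
    if (*tag == TerminatorTag) return a;  // empty non-index section
    if (*tag != NonIndexPropertiesTag || !readNamed(r, a)) return std::nullopt;
    return a;
}

// Constructed samples: one whose only index equals the tag's encoding, one ordinary.
ToyArray ambiguousArray() { ToyArray a; a.indexed[NonIndexPropertiesTag] = 7; a.named.emplace_back("x", 1); return a; }
ToyArray ordinaryArray() { ToyArray a; a.indexed[3] = 5; a.named.emplace_back("k", 2); return a; }
bool oldLayoutRoundTrips(const ToyArray& a) { auto d = decodeOld(encodeOld(a)); return d && *d == a; }
bool newLayoutRoundTrips(const ToyArray& a) { auto d = decodeNew(encodeNew(a)); return d && *d == a; }

}  // namespace toyclone
```

With the old layout the ambiguous array does not survive a round trip (the decoder switches to the named section on the index itself), while both layouts agree on ordinary and empty arrays.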