Branch: refs/heads/webkit-2023.2-embargoed
Home: https://github.com/WebKit/WebKit

Commit: 68c44009f220b31e590385b9420c86734543b1d2
https://github.com/WebKit/WebKit/commit/68c44009f220b31e590385b9420c86734543b1d2
Author: Jonathan Bedard <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:

Log Message:
-----------
Branch point for webkit-2023.2-embargoed

Canonical link: https://commits.webkit.org/[email protected]


Commit: d18363c6c4ced4892e1875799dc7cba4b6e9b834
https://github.com/WebKit/WebKit/commit/d18363c6c4ced4892e1875799dc7cba4b6e9b834
Author: Rob Buis <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
  A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
  M Source/WebCore/rendering/RenderLayerModelObject.cpp

Log Message:
-----------
Cherry-pick [email protected] (6234ec9c65b9). rdar://102808328

    Do not issue repaints when in detached state
    https://bugs.webkit.org/show_bug.cgi?id=248773
    rdar://102808328

    Reviewed by Antti Koivisto.

    Do not issue repaints when the RenderObject is in detached state
    while removing render subtrees.

    * LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
    * LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
    * Source/WebCore/rendering/RenderLayerModelObject.cpp:
    (WebCore::RenderTableCell::willBeRemovedFromTree const):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: 92dee4feedbf5f6d2aef96496b09326d8a2fcfe0
https://github.com/WebKit/WebKit/commit/92dee4feedbf5f6d2aef96496b09326d8a2fcfe0
Author: Rob Buis <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
  A LayoutTests/fast/css/content/quote-display-contents-crash.html
  M Source/WebCore/dom/Element.cpp

Log Message:
-----------
Cherry-pick [email protected] (312254f5776d). rdar://102807985

    Check displayContentsChanged in destroyRenderTreeIfNeeded
    https://bugs.webkit.org/show_bug.cgi?id=248776
    rdar://102807985

    Reviewed by Antti Koivisto.

    Check displayContentsChanged in destroyRenderTreeIfNeeded since
    display: contents may be removed due to focus removal while removing
    subtrees, but we still need to clean up pseudo elements.

    * LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
    * LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
    * Source/WebCore/dom/ContainerNode.cpp:
    (WebCore::destroyRenderTreeIfNeeded):
    * Source/WebCore/dom/Element.cpp:
    (WebCore::Element::resolveComputedStyle):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: 553700646910e53691d7c87dea6500265104f2cd
https://github.com/WebKit/WebKit/commit/553700646910e53691d7c87dea6500265104f2cd
Author: Rob Buis <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
  A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
  M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp

Log Message:
-----------
Cherry-pick [email protected] (c4c0ef6360b2). rdar://102808104

    Verify that style update roots are for correct document
    https://bugs.webkit.org/show_bug.cgi?id=248775
    rdar://102808104

    Reviewed by Antti Koivisto.

    Verify that style update roots are for the correct document since we
    may be dealing with a pending update on an element/text node that
    moved to another document.

    * LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
    * LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
    * Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
    (WebCore::RenderTreeUpdater::commit):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: fc9a39453ba0c1a619e3444eb2530c36a8731389
https://github.com/WebKit/WebKit/commit/fc9a39453ba0c1a619e3444eb2530c36a8731389
Author: Rob Buis <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt
  A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html
  M Source/WebCore/rendering/RenderObject.cpp
  M Source/WebCore/rendering/RenderObject.h

Log Message:
-----------
Cherry-pick [email protected] (3b92d70ba3ea). rdar://98438399

    Do not skip fragmented flow thread descendants
    https://bugs.webkit.org/show_bug.cgi?id=245374
    rdar://98438399

    Reviewed by Alan Baradlay.

    Do not skip fragmented flow thread descendants in
    initializeFragmentedFlowStateOnInsertion since its children may have
    a different state based on the inserted fragmented flow thread. When
    a fragmented flow thread is removed there is no effect on the inner
    fragmented flow threads, so that behaviour is unchanged.

    * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html: Added.
    * Source/WebCore/rendering/RenderObject.cpp:
    (WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
    (WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
    * Source/WebCore/rendering/RenderObject.h:

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: 02347a3a82ac055e6917df761056a5a9b77e1666
https://github.com/WebKit/WebKit/commit/02347a3a82ac055e6917df761056a5a9b77e1666
Author: Rob Buis <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html
  A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html
  M Source/WebCore/rendering/RenderLayer.cpp

Log Message:
-----------
Cherry-pick [email protected] (fe2f16c1dabe). rdar://104134023

    Recalculate normal flow value in RenderLayer::establishesTopLayerDidChange
    https://bugs.webkit.org/show_bug.cgi?id=251013

    Reviewed by Tim Nguyen.

    In RenderLayer::rebuildZOrderLists the RenderView layer makes sure the
    layers for dialogs/top-level elements are appended after everything
    else in the positive z-order list. When removing the dialog layer,
    dirtyPaintOrderListsOnChildChange will be called and, since it is not
    a normal only flow, everything will be handled correctly through
    dirtyStackingContextZOrderLists.

    In the test case the behaviour is the same until
    dirtyPaintOrderListsOnChildChange is called on the dialog layer
    removal. Now that layer to be removed *is* a normal only flow (the
    element is no longer positioned and has non visible overflow, see
    RenderLayer::shouldBeNormalFlowOnly). This means the positive z-order
    list is unchanged and the deleted layer is still part of it. When the
    test cleanup code does a final repaint, the RenderView positive
    z-order list is processed as normal and when trying to access the
    deleted layer the UAF happens.

    To fix this, make sure the normal flow value is correct when adding
    the layer in RenderLayer::establishesTopLayerDidChange.

    * LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html: Added.
    * LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html: Added.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::establishesTopLayerDidChange):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: 1d078489fdd98b313694c29f43d0a6d6bd150b17
https://github.com/WebKit/WebKit/commit/1d078489fdd98b313694c29f43d0a6d6bd150b17
Author: Claudio Saavedra <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/css/content/content-on-focus-change-expected.txt
  A LayoutTests/fast/css/content/content-on-focus-change.html

Log Message:
-----------
Cherry-pick [email protected] (4c3dcd480f7e). rdar://104256993

    Test display contents change on focus change
    https://bugs.webkit.org/show_bug.cgi?id=251014

    Reviewed by Tim Nguyen.

    * LayoutTests/fast/css/content/content-on-focus-change-expected.txt: Added.
    * LayoutTests/fast/css/content/content-on-focus-change.html: Added.

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: c5cf037a9b08e0daacb259461329ce915f954d42
https://github.com/WebKit/WebKit/commit/c5cf037a9b08e0daacb259461329ce915f954d42
Author: Claudio Saavedra <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt
  A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html

Log Message:
-----------
Cherry-pick [email protected] (b7f9b7f4679b). rdar://102808942

    Add test for element's display contents change on sibling removal
    https://bugs.webkit.org/show_bug.cgi?id=248772

    Reviewed by Tim Nguyen.

    This was already fixed with #248776, but add the test for completeness.

    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt: Added.
    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html: Added.

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Commit: 482439c8ecdb5a274c7ca18054c1d5d4d7519cc3
https://github.com/WebKit/WebKit/commit/482439c8ecdb5a274c7ca18054c1d5d4d7519cc3
Author: Rob Buis <[email protected]>
Date: 2023-02-14 (Tue, 14 Feb 2023)

Changed paths:
  A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt
  A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html

Log Message:
-----------
Cherry-pick [email protected] (7d616c4d06eb). rdar://98898374

    Add crash test for disconnected frame switching to eager
    https://bugs.webkit.org/show_bug.cgi?id=245377

    Reviewed by Ryosuke Niwa.

    Add crash test for disconnected frame switching to eager.

    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt: Added.
    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html: Added.

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Compare: https://github.com/WebKit/WebKit/compare/68c44009f220%5E...482439c8ecdb

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
