Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf8b521ab2010b043f9ce89169149f479c5f02ac
      
https://github.com/WebKit/WebKit/commit/cf8b521ab2010b043f9ce89169149f479c5f02ac
  Author: Mark Lam <mark....@apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/JavaScriptCore/API/JSCallbackConstructor.h
    M Source/JavaScriptCore/API/JSCallbackFunction.h
    M Source/JavaScriptCore/API/JSClassRef.h
    M Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h
    M Source/JavaScriptCore/API/ObjCCallbackFunction.h
    M Source/JavaScriptCore/runtime/ClassInfo.h
    M Source/JavaScriptCore/runtime/Lookup.h

  Log Message:
  -----------
  Cherry-pick 252432.1045@safari-7614-branch (77446d5c727e). rdar://107473787

    [Re-land] Add additional PAC diversity for function pointers in JSC API data structures as we do for vtbls.
    https://bugs.webkit.org/show_bug.cgi?id=248702
    <rdar://problem/102768157>

    Reviewed by Yusuke Suzuki.

    * Source/JavaScriptCore/API/JSCallbackConstructor.h:
    * Source/JavaScriptCore/API/JSCallbackFunction.h:
    * Source/JavaScriptCore/API/JSClassRef.h:
    * Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h:
    * Source/JavaScriptCore/API/ObjCCallbackFunction.h:
    * Source/JavaScriptCore/runtime/ClassInfo.h:
    * Source/JavaScriptCore/runtime/Lookup.h:

    Canonical link: https://commits.webkit.org/252432.1045@safari-7614-branch

Canonical link: https://commits.webkit.org/262447@main


  Commit: bbd4b0ac5848fa94bbcb7c6aa87df4ab352acabf
      
https://github.com/WebKit/WebKit/commit/bbd4b0ac5848fa94bbcb7c6aa87df4ab352acabf
  Author: Ryan Reno <rr...@apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/JavaScriptCore/API/JSScript.mm
    M Source/JavaScriptCore/API/JSScriptRef.cpp
    M Source/JavaScriptCore/inspector/ScriptCallFrame.cpp
    M Source/JavaScriptCore/inspector/ScriptCallFrame.h
    M Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp
    M Source/JavaScriptCore/interpreter/StackVisitor.cpp
    M Source/JavaScriptCore/interpreter/StackVisitor.h
    M Source/JavaScriptCore/parser/SourceProvider.cpp
    M Source/JavaScriptCore/parser/SourceProvider.h
    M Source/JavaScriptCore/runtime/CachedTypes.cpp
    M Source/JavaScriptCore/runtime/ScriptExecutable.h
    M Source/WebCore/bindings/js/CachedScriptSourceProvider.h
    M Source/WebCore/bindings/js/ScriptBufferSourceProvider.h
    M Source/WebCore/bindings/js/ScriptModuleLoader.cpp
    M Source/WebCore/bindings/js/ScriptSourceCode.h
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerThread.cpp

  Log Message:
  -----------
  Cherry-pick 259548.39@safari-7615-branch (c68b7da0d9b4). rdar://107474520

    Cross-Site Information Leak: CSP violation reports may contain a post-redirect URL
    https://bugs.webkit.org/show_bug.cgi?id=251282
    rdar://104753003

    Reviewed by Yusuke Suzuki.

    The source-file field of a CSP violation report may contain a URL which has
    sensitive data in the query string if it was the result of a redirect. The
    CSP spec in non-normative terms suggests that in the case of a redirect (such
    as a login flow which appends a login token) we should report violations in
    the resulting resource with the pre-redirect URL to avoid cross-site
    information leaks via the CSP reporting API.

    Source/JavaScriptCore:
      Plumbing code to make pre-redirect URLs available in ScriptCallStacks.
      When a ScriptCallStack is created by the StackVisitor the ScriptCallFrame
      objects will be populated with the pre-redirect URL by consulting the
      SourceProvider. WebCore will conditionally set the preRedirectURL member
      if the resource was obtained via a redirected response.

    * Source/JavaScriptCore/API/JSScript.mm:
    (-[JSScript sourceCode]):
    * Source/JavaScriptCore/API/JSScriptRef.cpp:
    * Source/JavaScriptCore/inspector/ScriptCallFrame.cpp:
    (Inspector::ScriptCallFrame::ScriptCallFrame):
    (Inspector::ScriptCallFrame::isEqual const):
    * Source/JavaScriptCore/inspector/ScriptCallFrame.h:
    * Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp:
    (Inspector::CreateScriptCallStackFunctor::operator() const):
    * Source/JavaScriptCore/interpreter/StackVisitor.cpp:
    (JSC::StackVisitor::Frame::preRedirectURL const):
    * Source/JavaScriptCore/interpreter/StackVisitor.h:
    * Source/JavaScriptCore/parser/SourceProvider.cpp:
    (JSC::SourceProvider::SourceProvider):
    (JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider):
    * Source/JavaScriptCore/parser/SourceProvider.h:
    (JSC::SourceProvider::preRedirectURL const):
    (JSC::StringSourceProvider::StringSourceProvider):
    * Source/JavaScriptCore/runtime/CachedTypes.cpp:
    (JSC::CachedSourceProviderShape::encode):
    * Source/JavaScriptCore/runtime/ScriptExecutable.h:
    (JSC::ScriptExecutable::preRedirectURL const):

    Source/WebCore:
      This updates the constructors for ScriptSourceCode objects to pass
      null strings for the preRedirectURL parameter. In the cases where we can
      detect whether a redirect happened or not we pass the pre-redirect URL to
      the SourceProvider.

    * Source/WebCore/bindings/js/CachedScriptSourceProvider.h:
    (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
    * Source/WebCore/bindings/js/ScriptBufferSourceProvider.h:
    * Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
    (WebCore::ScriptModuleLoader::notifyFinished):
    * Source/WebCore/bindings/js/ScriptSourceCode.h:
    (WebCore::ScriptSourceCode::ScriptSourceCode):
    * Source/WebCore/workers/WorkerGlobalScope.cpp:
    (WebCore::WorkerGlobalScope::importScripts):
    * Source/WebCore/workers/WorkerThread.cpp:
    (WebCore::WorkerThread::evaluateScriptIfNecessary):

    * Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::reportViolation const):
      To populate the source-file field of a CSP report we consult the
      JavaScript call stack. The source URL of the frame may be the
      result of a redirect in which case we should use the pre-redirect
      URL in the report to avoid leaking potentially sensitive data in the
      post-redirect URL.

    Canonical link: https://commits.webkit.org/259548.39@safari-7615-branch

Canonical link: https://commits.webkit.org/262448@main
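The following is an added illustration of the reporting rule the commit above describes; it is not WebKit code, and every type and function name in it (SourceProvider, ScriptCallFrame, reportViolation, reportLeaksQuery) is a simplified, hypothetical model. It shows a constructed redirect that appends a login token to a script URL, builds the "source-file" field of a violation report from the top call frame first the old way (final URL) and then the way the fix describes (pre-redirect URL), and includes a small check a defender can run over reports to confirm the post-redirect query string no longer appears.

```cpp
#include <optional>
#include <string>
#include <vector>

// Hypothetical model of a script's source provider (not WebKit's class).
// url is the URL the script was finally loaded from; preRedirectURL is set
// only when the load went through a redirect and holds the originally
// requested URL.
struct SourceProvider {
    std::string url;
    std::optional<std::string> preRedirectURL;
};

// One frame of the JavaScript call stack consulted when a violation fires.
struct ScriptCallFrame {
    std::string functionName;
    const SourceProvider* provider = nullptr;
    unsigned lineNumber = 0;
    unsigned columnNumber = 0;
};

// The subset of a CSP violation report that this example populates.
struct ViolationReport {
    std::string violatedDirective;
    std::string sourceFile;
    unsigned lineNumber = 0;
    unsigned columnNumber = 0;
};

// Chooses the URL placed in "source-file". With usePreRedirectURL == false
// this models the pre-fix behaviour (always the final URL); with true it
// models the fix (prefer the pre-redirect URL when one was recorded).
std::string sourceFileFor(const ScriptCallFrame& frame, bool usePreRedirectURL)
{
    if (!frame.provider)
        return std::string();
    if (usePreRedirectURL && frame.provider->preRedirectURL)
        return *frame.provider->preRedirectURL;
    return frame.provider->url;
}

// Builds a report from the top frame of the stack, as the source-file,
// line-number and column-number fields are derived from the script location.
ViolationReport reportViolation(const std::string& directive,
                                const std::vector<ScriptCallFrame>& stack,
                                bool usePreRedirectURL)
{
    ViolationReport report;
    report.violatedDirective = directive;
    if (stack.empty())
        return report;
    const ScriptCallFrame& top = stack.front();
    report.sourceFile = sourceFileFor(top, usePreRedirectURL);
    report.lineNumber = top.lineNumber;
    report.columnNumber = top.columnNumber;
    return report;
}

// Defender-side check: does the report expose a query parameter name that
// only exists in the post-redirect URL?
bool reportLeaksQuery(const ViolationReport& report, const std::string& paramName)
{
    return report.sourceFile.find(paramName) != std::string::npos;
}

// Constructed scenario: the page requested https://app.example/sdk.js and the
// server redirected to a URL carrying a login token in the query string.
static const SourceProvider kRedirectedScript {
    "https://idp.example/sdk.js?login_token=SECRET123",
    std::string("https://app.example/sdk.js")
};

static std::vector<ScriptCallFrame> constructedStack()
{
    ScriptCallFrame top;
    top.functionName = "inject";
    top.provider = &kRedirectedScript;
    top.lineNumber = 12;
    top.columnNumber = 5;
    return { top };
}

// Report as it would have been produced before the fix: leaks the token.
ViolationReport legacyReport()
{
    return reportViolation("script-src", constructedStack(), false);
}

// Report following the fix: carries only the pre-redirect URL.
ViolationReport fixedReport()
{
    return reportViolation("script-src", constructedStack(), true);
}
```

The line and column numbers are unaffected by the choice of URL; only the source-file string changes, which is why the report stays useful for debugging while no longer revealing where the redirect landed.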


  Commit: faa22c0d431338ec56125e08b68ae2bf9b4e5949
      
https://github.com/WebKit/WebKit/commit/faa22c0d431338ec56125e08b68ae2bf9b4e5949
  Author: Chirag M Shah <chirag_m_s...@apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/mathml/relations/css-styling/out-of-flow/all-mathml-containers-expected.txt
    A LayoutTests/mathml/mathmltoken-layout-crash-expected.txt
    A LayoutTests/mathml/mathmltoken-layout-crash.html
    M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp

  Log Message:
  -----------
  Cherry-pick 259548.40@safari-7615-branch (bf2c7c5b03b0). rdar://107474555

    Fix layout for positioned children for RenderMathMLToken
    rdar://104598552

    Reviewed by Alan Baradlay.

    Before this change, the layout method in RenderMathMLToken (<ms>) never
    added positioned elements to the map for their container, which meant if
    the positioned children are dirty, their layout will never be triggered.
    This change fixes that by looking at direct children of
    RenderMathMLToken and adding them to their container's positioned
    elements map, so that their layout happens as expected.

    * LayoutTests/mathml/mathmltoken-layout-crash-expected.txt: Added.
    * LayoutTests/mathml/mathmltoken-layout-crash.html: Added.
    * Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
    (WebCore::RenderMathMLToken::layoutBlock):

    Canonical link: https://commits.webkit.org/259548.40@safari-7615-branch

Canonical link: https://commits.webkit.org/262449@main


  Commit: 16963d77f57d897e338a0bea9e74257fc65c88d9
      
https://github.com/WebKit/WebKit/commit/16963d77f57d897e338a0bea9e74257fc65c88d9
  Author: Michael Saboff <msab...@apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  Cherry-pick 259548.45@safari-7615-branch (9930b53ebce1). rdar://107474607

    [JSC] RegExp.test inline is missing another stack overflow checks
    https://bugs.webkit.org/show_bug.cgi?id=251741
    rdar://104072550

    Reviewed by Mark Lam.

    Converted the ASSERT(!m_failureReason) into a check that when true will
    bail out of the inline code and call out to the C++ operation.  This check
    handles any errors while compiling the RegExp pattern into YarrJIT IR
    during the processing of opCompileBody().

    I also audited all of the other possible error cases that the YarrJIT might
    produce and they are already handled by this and the prior change.

    The current test already covers this case.

    * Source/JavaScriptCore/yarr/YarrJIT.cpp:

    Canonical link: https://commits.webkit.org/259548.45@safari-7615-branch

Canonical link: https://commits.webkit.org/262450@main


  Commit: 2f7c74050e5b28c93963c359dddc44325fe14832
      
https://github.com/WebKit/WebKit/commit/2f7c74050e5b28c93963c359dddc44325fe14832
  Author: Chris Dumez <cdu...@apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/WTF/wtf/PlatformUse.h
    M Source/WebCore/page/MemoryRelease.cpp
    M Source/WebCore/platform/audio/HRTFElevation.cpp
    M Source/WebCore/platform/audio/HRTFElevation.h

  Log Message:
  -----------
  Cherry-pick 259548.46@safari-7615-branch (a00a15e7abe0). rdar://107474676

    Fix various issues with HRTFElevation's getConcatenatedImpulseResponsesForSubject()
    https://bugs.webkit.org/show_bug.cgi?id=251643
    rdar://104980786

    Reviewed by Eric Carlson.

    Fix various issues with HRTFElevation's getConcatenatedImpulseResponsesForSubject():
    - Add a lock to synchronize access to the global HashMap of AudioBus objects
      since this may get called from different threads.
    - Make sure we call isolatedCopy() on the String key before adding it to
      the HashMap for thread safety.
    - Make sure we clear this global HashMap on critical memory pressure to
      free up memory.
    - Use smart pointers instead of raw pointers.
    - Modernize the code a bit.

    * Source/WTF/wtf/PlatformUse.h:
    * Source/WebCore/page/MemoryRelease.cpp:
    (WebCore::releaseCriticalMemory):
    * Source/WebCore/platform/audio/HRTFElevation.cpp:
    (WebCore::WTF_REQUIRES_LOCK):
    (WebCore::getConcatenatedImpulseResponsesForSubject):
    (WebCore::HRTFElevation::clearCache):
    (WebCore::HRTFElevation::calculateKernelsForAzimuthElevation):
    * Source/WebCore/platform/audio/HRTFElevation.h:

    Canonical link: https://commits.webkit.org/259548.46@safari-7615-branch

Canonical link: https://commits.webkit.org/262451@main


Compare: https://github.com/WebKit/WebKit/compare/55616cb231b6...2f7c74050e5b
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes