Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 7093bcb6d649597962c82fd0e9a92d329ba8fb48
https://github.com/WebKit/WebKit/commit/7093bcb6d649597962c82fd0e9a92d329ba8fb48
Author: Carlos Alberto Lopez Perez <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/cmake/BubblewrapSandboxChecks.cmake
M Tools/yocto/targets.conf
Log Message:
-----------
Cherry-pick 264244@main (a84036c6d1d6).
https://bugs.webkit.org/show_bug.cgi?id=251835
[WPE][GTK][CMake] The path to bwrap and xdg-dbus-proxy should not be auto-detected when cross-compiling
https://bugs.webkit.org/show_bug.cgi?id=256679
Reviewed by Adrian Perez de Castro.
When enabling -DENABLE_BUBBLEWRAP_SANDBOX=ON it is necessary to define for the
build the paths (full paths) to the bwrap and xdg-dbus-proxy binaries.
The current CMake code is auto-detecting those paths by calling the CMake
function find_program(), so it is defining the paths to those programs with
the values from the host system.
But when cross-compiling that is wrong, because the target binaries end up with
the values for the paths from the host system, which don't necessarily have to
match the values from the target system.
I can't see how it would be possible to auto-detect the value that these
programs will have in the target system from the host system, so the only sane
way of dealing with this seems to be to give an error at configure time and ask
for those paths to be defined manually.
This patch changes the code to only try to auto-detect those binaries when
not cross-compiling.
Also update the default build parameters for the cross-building of targets
with cross-toolchain-helper to define the right paths that those targets
will have at run-time.
* Source/cmake/BubblewrapSandboxChecks.cmake:
* Tools/yocto/targets.conf:
Canonical link: https://commits.webkit.org/264244@main
Commit: 8e4517d1d5e1ee00e8e410f27796b1cba50dc5f0
https://github.com/WebKit/WebKit/commit/8e4517d1d5e1ee00e8e410f27796b1cba50dc5f0
Author: Patrick Griffis <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/WTF/wtf/glib/Sandbox.cpp
M Source/WTF/wtf/glib/Sandbox.h
M Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp
Log Message:
-----------
Cherry-pick 264196@main (4c39f3875728).
https://bugs.webkit.org/show_bug.cgi?id=256917
[GLib] Re-enable bwrap sandbox in containers when supported
https://bugs.webkit.org/show_bug.cgi?id=256917
Reviewed by Michael Catanzaro.
This detects if bwrap actually works inside of a container instead of always disabling it.
* Source/WTF/wtf/glib/Sandbox.cpp:
(WTF::isInsideUnsupportedContainer):
(WTF::isInsideContainer): Deleted.
* Source/WTF/wtf/glib/Sandbox.h:
* Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp:
(WebKit::ProcessLauncher::launchProcess):
Canonical link: https://commits.webkit.org/264196@main
Commit: 521133306268084f6a6d9367b7a1cf4d15b1fd6a
https://github.com/WebKit/WebKit/commit/521133306268084f6a6d9367b7a1cf4d15b1fd6a
Author: Chirag M Shah <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fullscreen/element-clear-during-fullscreen-crash-expected.txt
A LayoutTests/fullscreen/element-clear-during-fullscreen-crash.html
M Source/WebKit/WebProcess/FullScreen/WebFullScreenManager.cpp
Log Message:
-----------
Cherry-pick 259548.352@safari-7615-branch (9f301d9e042e).
https://bugs.webkit.org/show_bug.cgi?id=253129
Bail out early if m_element is deleted
https://bugs.webkit.org/show_bug.cgi?id=253129
rdar://104290899
Reviewed by Jer Noble.
A call to WebFullScreenManager::willEnterFullScreen() can end up calling
WebFullScreenManager::clearElement() which can happen when location.hash
is changed. This clears the m_element which is then later used in
willEnterFullScreen(). This change bails out early if this happens and
cleans up the state-machine.
* LayoutTests/fullscreen/element-clear-during-fullscreen-crash-expected.txt: Added.
* LayoutTests/fullscreen/element-clear-during-fullscreen-crash.html: Added.
* Source/WebKit/WebProcess/FullScreen/WebFullScreenManager.cpp:
(WebKit::WebFullScreenManager::willEnterFullScreen):
Canonical link: https://commits.webkit.org/259548.352@safari-7615-branch
Commit: ffc8ffc4b0d337d53425b2806d6e66012bcad21a
https://github.com/WebKit/WebKit/commit/ffc8ffc4b0d337d53425b2806d6e66012bcad21a
Author: Chirag M Shah <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/html/element-moving-to-new-document-crash-expected.txt
A LayoutTests/fast/html/element-moving-to-new-document-crash.html
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/UserActionElementSet.cpp
M Source/WebCore/dom/UserActionElementSet.h
Log Message:
-----------
Cherry-pick 259548.353@safari-7615-branch (b82284c1f8c5).
https://bugs.webkit.org/show_bug.cgi?id=253012
Clear UserActionElement state for the node when it is moved from the Document to a different one
https://bugs.webkit.org/show_bug.cgi?id=253012
rdar://105876245
Reviewed by Ryosuke Niwa.
Before this change, when an element was moved from oldDocument to
newDocument, and we had UserActionElementSet state for it, we never
cleared that. This meant that the element was still marked to have this
state, which the newDocument doesn't know about. This change fixes
that.
* LayoutTests/fast/html/element-moving-to-new-document-crash-expected.txt: Added.
* LayoutTests/fast/html/element-moving-to-new-document-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::removedFromAncestor):
* Source/WebCore/dom/UserActionElementSet.cpp:
(WebCore::UserActionElementSet::clear):
* Source/WebCore/dom/UserActionElementSet.h:
(WebCore::UserActionElementSet::clearAllForElement):
Canonical link: https://commits.webkit.org/259548.353@safari-7615-branch
Commit: 368c41d71d0bdcd39dc779760cbbcc8a21610ba6
https://github.com/WebKit/WebKit/commit/368c41d71d0bdcd39dc779760cbbcc8a21610ba6
Author: Arunsundar Kannan <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/gridmatrix-columnSize-failure-expected.txt
A LayoutTests/fast/css-grid-layout/gridmatrix-columnSize-failure.html
M Source/WebCore/rendering/Grid.cpp
M Source/WebCore/rendering/Grid.h
Log Message:
-----------
Cherry-pick 259548.376@safari-7615-branch (189d480c5fbd).
https://bugs.webkit.org/show_bug.cgi?id=253127
Assertion failure in GridIterator ASSERT(m_grid.numTracks(ForColumns))
https://bugs.webkit.org/show_bug.cgi?id=253127
rdar://105548703
Reviewed by Matt Woodrow.
The grid matrix for a subgrid of an element in the row-axis has one row
with no columns, which are then lazily created as needed. An assertion in
GridIterator constructor fails as column size is zero. This change additionally
checks the maximum Columns ivar of the grid class to assert only for valid
cases.
* Source/WebCore/rendering/Grid.cpp:
(WebCore::Grid::gridItemSpanIgnoringCollapsedTracks const):
(WebCore::GridIterator::GridIterator):
(WebCore::GridIterator::nextGridItem):
(WebCore::GridIterator::isEmptyAreaEnough const):
(WebCore::GridIterator::nextEmptyGridArea):
* Source/WebCore/rendering/Grid.h:
Canonical link: https://commits.webkit.org/259548.376@safari-7615-branch
Commit: efc442b8bbbcb10b37b2aec1314f4697df8efc0b
https://github.com/WebKit/WebKit/commit/efc442b8bbbcb10b37b2aec1314f4697df8efc0b
Author: Yusuke Suzuki <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick 259548.377@safari-7615-branch (25a414a61f3e).
https://bugs.webkit.org/show_bug.cgi?id=252801
FTL missing bound check of for-in loop
https://bugs.webkit.org/show_bug.cgi?id=252801
rdar://105820083
Reviewed by Michael Saboff.
EnumeratorNextUpdateIndexAndMode for IndexedMode uses HasIndexProperty internally.
But this node does not do a bound check when ArrayMode is inBounds in FTL, since
the FTL SSALowering phase extracts this bound check as a separate CheckInBounds
node. But for EnumeratorNextUpdateIndexAndMode, we cannot do that since
EnumeratorNextUpdateIndexAndMode's index is incremented internally. Thus, we need
to do the bound check inside EnumeratorNextUpdateIndexAndMode when it is not done
in HasIndexProperty's code.
* JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js: Added.
(shouldBe):
(opt):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/259548.377@safari-7615-branch
Commit: b1691f21891aec9f24f4b3c43f139d31a0ef564e
https://github.com/WebKit/WebKit/commit/b1691f21891aec9f24f4b3c43f139d31a0ef564e
Author: Michael Saboff <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A JSTests/stress/regexp-lookbehind-greedy-backreference.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 259548.378@safari-7615-branch (3d135908241d).
https://bugs.webkit.org/show_bug.cgi?id=253466
ASAN_BUS | Yarr::Interpreter::matchDisjunction; Yarr::Interpreter::backtrackParentheses; Yarr::Interpreter::matchDisjunction
https://bugs.webkit.org/show_bug.cgi?id=253466
rdar://105669717
Reviewed by Yusuke Suzuki.
When backtracking, i.e. unmatching a greedy backreference in a lookbehind,
the unmatch requires moving the input pointer forward. This means we need to
do a checkInput() instead of a rewind() in this case.
* JSTests/stress/regexp-lookbehind-greedy-backreference.js: Added.
(arrayToString):
(dumpValue):
(compareArray):
(testRegExp):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackBackReference):
Canonical link: https://commits.webkit.org/259548.378@safari-7615-branch
Commit: 4d3e2508cb2d773e2f8175b89f8dc803c4d4f502
https://github.com/WebKit/WebKit/commit/4d3e2508cb2d773e2f8175b89f8dc803c4d4f502
Author: Youenn Fablet <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.c
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.h
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/encoder_utils.c
Log Message:
-----------
Cherry-pick 259548.381@safari-7615-branch (1de648970cbf).
https://bugs.webkit.org/show_bug.cgi?id=253498
av1/encoder/encoder_utils.c & a/av1/common/resize: Stack-buffer-overflow in aom_scaled_2d_ssse3
https://bugs.webkit.org/show_bug.cgi?id=253498
rdar://106063201
Reviewed by Eric Carlson.
Cherry-pick upstream change from
https://aomedia.googlesource.com/aom/+/6318378f833b2a0d8e67fb3d12bcdc4e1c26b0e6%5E%21/#F2.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.c:
(av1_realloc_and_scale_if_required):
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.h:
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/encoder_utils.c:
(av1_scale_references):
Canonical link: https://commits.webkit.org/259548.381@safari-7615-branch
Commit: a4cd16417868c048617d90e6581295901557ae04
https://github.com/WebKit/WebKit/commit/a4cd16417868c048617d90e6581295901557ae04
Author: Youenn Fablet <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/api/stats/rtc_stats_report.h
M Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector.cc
M Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector_unittest.cc
M Source/ThirdParty/libwebrtc/Source/webrtc/pc/test/fake_peer_connection_for_stats.h
M Source/ThirdParty/libwebrtc/Source/webrtc/stats/rtc_stats_report.cc
Log Message:
-----------
Cherry-pick 259548.382@safari-7615-branch (adde9296b1b1).
https://bugs.webkit.org/show_bug.cgi?id=253510
[WebRTC] heap-use-after-free : webrtc::`anonymous namespace'::ProduceRemoteInboundRtpStreamStatsFromReportBlockData
https://bugs.webkit.org/show_bug.cgi?id=253510
rdar://106063452
Reviewed by Eric Carlson.
We first cherry-pick libwebrtc b2be392c708c975ff5a81d8cd4dba588752a8dad to
remove duplicate RTCCodec entries.
We then apply da6297dc53cb2eaae7b1c5381652de9d707a7d48.
* Source/ThirdParty/libwebrtc/Source/webrtc/api/stats/rtc_stats_report.h:
* Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector.cc:
* Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector_unittest.cc:
* Source/ThirdParty/libwebrtc/Source/webrtc/pc/test/fake_peer_connection_for_stats.h:
(webrtc::FakePeerConnectionForStats::AddVoiceChannel):
(webrtc::FakePeerConnectionForStats::AddVideoChannel):
(webrtc::FakePeerConnectionForStats::GetOrCreateFirstTransceiverOfType):
(webrtc::FakePeerConnectionForStats::CreateTransceiverOfType):
* Source/ThirdParty/libwebrtc/Source/webrtc/stats/rtc_stats_report.cc:
Canonical link: https://commits.webkit.org/259548.382@safari-7615-branch
Commit: 35cf9b0a952ba49214860a32724fb0921267b5c4
https://github.com/WebKit/WebKit/commit/35cf9b0a952ba49214860a32724fb0921267b5c4
Author: Youenn Fablet <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/arm/neon/av1_fwd_txfm2d_neon.c
Log Message:
-----------
Cherry-pick 259548.383@safari-7615-branch (4b0ac875e7fa).
https://bugs.webkit.org/show_bug.cgi?id=253512
ASan global-buffer-overflow READ in com.apple.WebKit.WebContent.Development at libwebrtc.dylib: av1_lowbd_fwd_txfm2d_8x8_neon
https://bugs.webkit.org/show_bug.cgi?id=253512
rdar://105650593
Reviewed by Eric Carlson.
Cherry-pick from upstream the corresponding fix (582d2fd1e9b6a212cb7d30bcf63d3c1e78aa8fca).
Remove the call to vld1_s8, which reads 8 bytes while only 3 bytes are
available, even though only 2 are used.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/arm/neon/av1_fwd_txfm2d_neon.c:
(av1_lowbd_fwd_txfm2d_4x8_neon):
(av1_lowbd_fwd_txfm2d_4x16_neon):
(av1_lowbd_fwd_txfm2d_8x4_neon):
(av1_lowbd_fwd_txfm2d_8x8_neon):
(av1_lowbd_fwd_txfm2d_8x16_neon):
(av1_lowbd_fwd_txfm2d_8x32_neon):
(av1_lowbd_fwd_txfm2d_16x4_neon):
(av1_lowbd_fwd_txfm2d_16x8_neon):
(av1_lowbd_fwd_txfm2d_16x16_neon):
(av1_lowbd_fwd_txfm2d_16x32_neon):
(av1_lowbd_fwd_txfm2d_32x8_neon):
(av1_lowbd_fwd_txfm2d_32x16_neon):
Canonical link: https://commits.webkit.org/259548.383@safari-7615-branch
Commit: 0cec5348b8c1c0aa060db188331632bd9a79887e
https://github.com/WebKit/WebKit/commit/0cec5348b8c1c0aa060db188331632bd9a79887e
Author: Chirag M Shah <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/WebCore/loader/HistoryController.cpp
Log Message:
-----------
Cherry-pick 259548.385@safari-7615-branch (4bf0507391a9).
https://bugs.webkit.org/show_bug.cgi?id=253465
DocumentLoader might be null when calling HistoryController::updateCurrentItem (
https://bugs.webkit.org/show_bug.cgi?id=253465
rdar://106276228
Reviewed by Ryosuke Niwa.
FrameLoader::transitionToCommitted can set the documentLoader to nullptr
before it calls HistoryController::updateCurrentItem(), in which case we
crash. This change makes it so that we bail out early in that case.
* Source/WebCore/loader/HistoryController.cpp:
(WebCore::FrameLoader::HistoryController::updateCurrentItem):
Canonical link: https://commits.webkit.org/259548.385@safari-7615-branch
Commit: 5e0bf0de8b3141c72da3e2f124a2617e66cb975a
https://github.com/WebKit/WebKit/commit/5e0bf0de8b3141c72da3e2f124a2617e66cb975a
Author: Chirag M Shah <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt
A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html
M Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h
M Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp
M Source/WebCore/svg/SVGFEConvolveMatrixElement.h
Log Message:
-----------
Cherry-pick 259548.425@safari-7615-branch (499c0bf6a8a9).
https://bugs.webkit.org/show_bug.cgi?id=253721
Fix buffer overflow in FEConvolveMatrixSoftwareApplier
https://bugs.webkit.org/show_bug.cgi?id=253721
rdar://97909186
Reviewed by Said Abou-Hallawa.
This change fixes a buffer overflow issue in the
FEConvolveMatrixSoftwareApplier code which happens when dealing with the
interior area and setting the destination pixels. This happens because
when the targetX/targetY doesn't fit in the convolution kernel, we don't
clip it, and that ends up moving the pixel offset by more than what is
needed. This change fixes that by making sure that when the SVG
attribute changes, we detect the invalid offset and rebuild the filter.
* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt: Added.
* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html: Added.
* Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp:
(WebCore::FEConvolveMatrix::FEConvolveMatrix):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
(WebCore::FEConvolveMatrixSoftwareApplier::FEConvolveMatrixSoftwareApplier):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:
* Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp:
(WebCore::SVGFEConvolveMatrixElement::isValidTargetXOffset const):
(WebCore::SVGFEConvolveMatrixElement::isValidTargetYOffset const):
(WebCore::SVGFEConvolveMatrixElement::svgAttributeChanged):
(WebCore::SVGFEConvolveMatrixElement::createFilterEffect const):
* Source/WebCore/svg/SVGFEConvolveMatrixElement.h:
Canonical link: https://commits.webkit.org/259548.425@safari-7615-branch
Commit: 060439bb0c3c86d60703f96cadd131586562d9f9
https://github.com/WebKit/WebKit/commit/060439bb0c3c86d60703f96cadd131586562d9f9
Author: David Degazio <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A JSTests/stress/loop-osr-with-inlined-create-rest.js
Log Message:
-----------
Cherry-pick 259548.426@safari-7615-branch (dde3cbd34027).
https://bugs.webkit.org/show_bug.cgi?id=253902
Add stress test for liveness-based interference analysis across loop OSR
https://bugs.webkit.org/show_bug.cgi?id=253902
rdar://105671759
Reviewed by Yusuke Suzuki.
Adds a stress test that breaks without
https://bugs.webkit.org/show_bug.cgi?id=252798,
to ensure we don't regress this behavior in the future.
* JSTests/stress/loop-osr-with-inlined-create-rest.js: Added.
(bar):
(foo):
Canonical link: https://commits.webkit.org/259548.426@safari-7615-branch
Commit: dd2442009ab1632a4e4bb72d8e5519ac2d7cae1e
https://github.com/WebKit/WebKit/commit/dd2442009ab1632a4e4bb72d8e5519ac2d7cae1e
Author: David Kilzer <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/xsl/xslt-node-set-empty-expected.txt
A LayoutTests/fast/xsl/xslt-node-set-empty.html
M Source/WebCore/xml/SoftLinkLibxslt.cpp
M Source/WebCore/xml/SoftLinkLibxslt.h
M Source/WebCore/xml/XSLTExtensions.cpp
Log Message:
-----------
Cherry-pick 259548.430@safari-7615-branch (06af3d226e2b).
https://bugs.webkit.org/show_bug.cgi?id=253857
XSLTProcessor fails when xsl calls exsl:node-set() on empty variable
https://bugs.webkit.org/show_bug.cgi?id=253857
<rdar://103622929>
Reviewed by Alex Christensen.
Merge fix for Chromium Issue 689977:
https://chromium.googlesource.com/chromium/src.git/+/99ead7d1564d35a70799b7ee4c3821053fb3985c
Tests:
fast/xsl/exslt-node-set.xml
fast/xsl/xslt-node-set-empty.html
* LayoutTests/fast/xsl/xslt-node-set-empty-expected.txt: Add.
* LayoutTests/fast/xsl/xslt-node-set-empty.html: Add.
* Source/WebCore/xml/SoftLinkLibxslt.cpp:
* Source/WebCore/xml/SoftLinkLibxslt.h:
- Add soft-linking for newly called libxslt functions.
* Source/WebCore/xml/XSLTExtensions.cpp:
(xsltTransformErrorTrampoline): Add.
- Provide workaround for soft-linking xsltTransformError() with varargs.
(WebCore::exsltNodeSetFunction):
- Update to match logic in libxslt v1.1.35.
Canonical link: https://commits.webkit.org/259548.430@safari-7615-branch
Commit: 943103cd102caf61b509b0259d8fa04b5a6f2d39
https://github.com/WebKit/WebKit/commit/943103cd102caf61b509b0259d8fa04b5a6f2d39
Author: Arunsundar Kannan <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns-expected.txt
A LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns.html
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
Cherry-pick 259548.434@safari-7615-branch (54a21b4db4fa).
https://bugs.webkit.org/show_bug.cgi?id=253916.
Web content process crashes when mutating grid-template-columns of subgrid parent grid.
https://bugs.webkit.org/show_bug.cgi?id=253916.
rdar://106458581.
Reviewed by Matt Woodrow.
After grid-template-column of the subgrid's parent grid mutates, the
needsItemsPlacement flag is not set for the subgrid's currentGrid. As a result,
gridTracks for subgrid->currentGrid() don't undergo resizing, resulting in an
OOB in copyUsedTrackSizesForSubgrid(). This change sets the needsItemPlacement
flag as needed.
* LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::placeItemsOnGrid):
Canonical link: https://commits.webkit.org/259548.434@safari-7615-branch
Commit: 90026387617aae13ccf5cbb3065973d393483692
https://github.com/WebKit/WebKit/commit/90026387617aae13ccf5cbb3065973d393483692
Author: Rob Buis <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/scrolling/fixed-positioned-element-update-crash-expected.txt
A LayoutTests/fast/scrolling/fixed-positioned-element-update-crash.html
Log Message:
-----------
Cherry-pick [email protected] (010528ca060e).
https://bugs.webkit.org/show_bug.cgi?id=245389
Add crash test for bad update of fixed position scrolling node
https://bugs.webkit.org/show_bug.cgi?id=245389
Reviewed by Simon Fraser.
This was already fixed with #255114, but add the test for completeness.
* LayoutTests/fast/scrolling/fixed-positioned-element-update-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/fixed-positioned-element-update-crash.html: Added.
Canonical link: https://commits.webkit.org/[email protected]
Commit: 8bd10c409af45c7c39921f2be5014c4edb0cd6b1
https://github.com/WebKit/WebKit/commit/8bd10c409af45c7c39921f2be5014c4edb0cd6b1
Author: Rob Buis <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/multicol/legend-in-column-outline-auto-crash-expected.txt
A LayoutTests/fast/multicol/legend-in-column-outline-auto-crash.html
M Source/WebCore/rendering/RenderObject.cpp
Log Message:
-----------
Cherry-pick [email protected] (e7b0459eaad2).
https://bugs.webkit.org/show_bug.cgi?id=251381
Take legend element into account in propagateRepaintToParentWithOutlineAutoIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=251381
rdar://104813886
Reviewed by Alan Baradlay.
In change r259412 logic was introduced for spanner placeholders and a check
was done to see if the previous sibling renderer is a column set. However,
legends are kept out of column flows and thus may also have a column set as
previous sibling; in this case we don't want to enter the spanner placeholder
logic.
* LayoutTests/fast/multicol/legend-in-column-outline-auto-crash-expected.txt: Added.
* LayoutTests/fast/multicol/legend-in-column-outline-auto-crash.html: Added.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded const):
Canonical link: https://commits.webkit.org/[email protected]
Commit: 4c373f354b8f5a7198339f97d61be50edfb56ef7
https://github.com/WebKit/WebKit/commit/4c373f354b8f5a7198339f97d61be50edfb56ef7
Author: Claudio Saavedra <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css/content/display-contents-on-focus-crash-expected.txt
A LayoutTests/fast/css/content/display-contents-on-focus-crash.html
Log Message:
-----------
Cherry-pick [email protected] (042db6f5677e).
https://bugs.webkit.org/show_bug.cgi?id=251380
Add test for display contents on focus change
https://bugs.webkit.org/show_bug.cgi?id=251380
Reviewed by Antti Koivisto.
Already fixed by #248776, but add this test for completeness.
* LayoutTests/fast/css/content/display-contents-on-focus-crash-expected.txt: Added.
* LayoutTests/fast/css/content/display-contents-on-focus-crash.html: Added.
Canonical link: https://commits.webkit.org/[email protected]
Commit: 69b675e69a7ab404f8730aad1d486da523408339
https://github.com/WebKit/WebKit/commit/69b675e69a7ab404f8730aad1d486da523408339
Author: Youenn Fablet <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.h
Log Message:
-----------
Cherry-pick 259548.439@safari-7615-branch (4a5ecd489674). rdar://106645234
OSS: [WebRTC] Heap-buffer-overflow in av1_get_one_pass_rt_params - Heap Buffer Overflow in AV1 Video Encoder
rdar://106645234
Reviewed by Eric Carlson.
Cherry-picking of https://aomedia.googlesource.com/aom/+/bee1caded272127a6d6b70ac79479083d183d5d0%5E%21/#F0.
I had to manually apply the patch since it does not apply cleanly.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.c:
(av1_rc_postencode_update):
(av1_rc_postencode_update_drop_frame):
(av1_get_one_pass_rt_params):
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.h:
Canonical link: https://commits.webkit.org/259548.439@safari-7615-branch
Commit: be07dcb2fd2e3b6f6cc2d60170acb3433f868b3b
https://github.com/WebKit/WebKit/commit/be07dcb2fd2e3b6f6cc2d60170acb3433f868b3b
Author: Youenn Fablet <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/http/wpt/webcodecs/resources/green.png
A LayoutTests/http/wpt/webcodecs/resources/image.py
A LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub-expected.txt
A LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub.html
M LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-expected.txt
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrame.cpp
M Source/WebCore/css/CSSImageValue.h
M Source/WebCore/css/typedom/CSSStyleImageValue.h
M Source/WebCore/html/HTMLImageElement.cpp
M Source/WebCore/html/HTMLImageElement.h
M Source/WebCore/html/canvas/CanvasRenderingContext.cpp
Log Message:
-----------
Cherry-pick 259548.440@safari-7615-branch (2ef6b76e1902).
https://bugs.webkit.org/show_bug.cgi?id=253129
VideoFrame constructor should throw on tainted input
https://bugs.webkit.org/show_bug.cgi?id=253828
rdar://problem/106643249
Reviewed by Jean-Yves Avenard.
Add a CORS check in VideoFrame constructor code paths.
Covered by added tests.
* LayoutTests/TestExpectations:
* LayoutTests/http/wpt/webcodecs/green.png: Added.
* LayoutTests/http/wpt/webcodecs/image.py: Added.
(main):
* LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-crossOrigin.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-crossOrigin.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource.html:
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrame.cpp:
(WebCore::isCachedImageTaintsOrigin):
(WebCore::checkImageUsability):
(WebCore::WebCodecsVideoFrame::create):
* Source/WebCore/css/CSSImageValue.h:
* Source/WebCore/css/typedom/CSSStyleImageValue.h:
Canonical link: https://commits.webkit.org/259548.440@safari-7615-branch
Commit: f5993c61372729c437bbf9cf243413dde587946b
https://github.com/WebKit/WebKit/commit/f5993c61372729c437bbf9cf243413dde587946b
Author: Rob Buis <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar-expected.txt
A LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Cherry-pick [email protected] (0a7c35b68439).
https://bugs.webkit.org/show_bug.cgi?id=253037
Adapt OOF with specified height case in availableLogicalHeightForPercentageComputation
https://bugs.webkit.org/show_bug.cgi?id=253037
Reviewed by Alan Baradlay.
The computed height for OOF can result in being zero for certain insets
(but never negative). In that case subtracting scrollbar sizes could result
in negative values like in the test case, so clamp to zero.
* LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::availableLogicalHeightForPercentageComputation const):
Canonical link: https://commits.webkit.org/[email protected]
Commit: cc7ce9c57bc6c6ad68c41bfa47e8c29f61b9d172
https://github.com/WebKit/WebKit/commit/cc7ce9c57bc6c6ad68c41bfa47e8c29f61b9d172
Author: Rob Buis <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/WebCore/rendering/RenderObject.cpp
M Source/WebCore/rendering/RenderObject.h
Log Message:
-----------
Cherry-pick [email protected] (0888aabefd69).
https://bugs.webkit.org/show_bug.cgi?id=245374
Improve isInsideMulticolumnFlow lambda for top-layer elements
https://bugs.webkit.org/show_bug.cgi?id=245374
Reviewed by Alan Baradlay.
Improve isInsideMulticolumnFlow lambda for top-layer elements.
Top-layer elements can skip many ancestors since the containing
block is the RenderView. So instead of checking the fragmentedFlowRoot
boundary, check the containing block fragmented flow state.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
(WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
(WebCore::RenderObject::resetFragmentedFlowStateOnRemoval):
* Source/WebCore/rendering/RenderObject.h:
Canonical link: https://commits.webkit.org/[email protected]
Commit: cbdc482f614b250a2b20368b9768148e57db22ec
https://github.com/WebKit/WebKit/commit/cbdc482f614b250a2b20368b9768148e57db22ec
Author: Mark Lam <[email protected]>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/JavaScriptCore/assembler/AbortReason.h
M Source/JavaScriptCore/interpreter/Interpreter.cpp
M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
M Source/JavaScriptCore/llint/LLIntData.cpp
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/runtime/JSCConfig.h
M Source/JavaScriptCore/runtime/VM.cpp
M Source/WTF/wtf/Assertions.h
M Source/WTF/wtf/WTFConfig.h
M Source/WebKit/GPUProcess/EntryPoint/Cocoa/XPCService/GPUServiceEntryPoint.mm
Log Message:
-----------
Cherry-pick 259548.460@safari-7615-branch (2396d8a6e829).
https://bugs.webkit.org/show_bug.cgi?id=253129
Forbid JS execution in the GPU Process.
https://bugs.webkit.org/show_bug.cgi?id=254101
rdar://106869810
Reviewed by Yusuke Suzuki and Justin Michaud.
The GPU Process does not need to execute any JS code. We should enforce
this invariant.
* Source/JavaScriptCore/assembler/AbortReason.h:
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::Interpreter::Interpreter):
* Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::initialize):
* Source/JavaScriptCore/llint/LLIntData.cpp:
(JSC::LLInt::neuterOpcodeMaps):
(JSC::LLInt::initialize):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_check_vm_entry_permission):
* Source/JavaScriptCore/runtime/JSCConfig.h:
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::VM):
* Source/WTF/wtf/Assertions.h:
* Source/WTF/wtf/WTFConfig.h:
* Source/WebKit/GPUProcess/EntryPoint/Cocoa/XPCService/GPUServiceEntryPoint.mm:
(GPU_SERVICE_INITIALIZER):
Canonical link: https://commits.webkit.org/259548.460@safari-7615-branch
Compare: https://github.com/WebKit/WebKit/compare/c1567e86b6b9...cbdc482f614b
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes