Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a1997806028a9b1490488a6503a238dca0239ff
      
https://github.com/WebKit/WebKit/commit/8a1997806028a9b1490488a6503a238dca0239ff
  Author: Alexey Shvayka <[email protected]>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

  Log Message:
  -----------
  [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take non-reified static properties into account
https://bugs.webkit.org/show_bug.cgi?id=255952
<rdar://108334411>

Reviewed by Yusuke Suzuki.

Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the structure's non-reified static properties against the condition. This can lead to incorrect analysis of side effects: an AbsenceOfSetEffect condition with a non-reified static setter is considered pure even though a setter with arbitrary code can be invoked.

This patch fixes the AbsenceOfSetEffect validity check for structures with non-reified static properties while taking extra care to make the fix as precise as possible to avoid unnecessary slowdowns.

* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):

Originally-landed-as: 259548.775@safari-7615-branch (ffe32d106cb2). 
rdar://113160398
Canonical link: https://commits.webkit.org/266582@main


  Commit: e4c0a68634713df2f29808131c7dca900a3dc7e7
      
https://github.com/WebKit/WebKit/commit/e4c0a68634713df2f29808131c7dca900a3dc7e7
  Author: Youenn Fablet <[email protected]>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/platform/cocoa/SharedVideoFrameInfo.h
    M Source/WebCore/platform/cocoa/SharedVideoFrameInfo.mm

  Log Message:
  -----------
  [GPUP][CoreIPC] Integer overflow in SharedVideoFrameInfo::storageSize leading to OOB read
rdar://107023292

Reviewed by Eric Carlson.

Compute the total size of the frame with safeMultiply/safeAdd.
If there is an overflow, we now fail the decoding of SharedVideoFrameInfo.
We store the size of the frame in SharedVideoFrameInfo so as not to recompute it a second time.

Covered by provided IPC test.

* LayoutTests/ipc/shared-video-frame-size-expected.txt: Added.
* LayoutTests/ipc/shared-video-frame-size.html: Added.
* LayoutTests/platform/mac-wk1/TestExpectations:
* Source/WebCore/platform/cocoa/SharedVideoFrameInfo.h:
* Source/WebCore/platform/cocoa/SharedVideoFrameInfo.mm:
(WebCore::SharedVideoFrameInfo::storageSize const):
(WebCore::SharedVideoFrameInfo::decode):

Originally-landed-as: 259548.590@safari-7615-branch (dd4ad7b0b286). 
rdar://113166244
Canonical link: https://commits.webkit.org/266583@main
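The pattern the commit above describes (checked multiply/add for a frame's storage size, decoding failure on overflow, and caching the computed size) as a stand-alone added example. This is not WebKit's code: the WTF safeMultiply/safeAdd helpers are replaced by the compiler's __builtin_*_overflow intrinsics, and PlaneInfo, FrameInfo, DecodedFrame and decodeFrame are hypothetical names, not the SharedVideoFrameInfo API. Plane sizes are size_t so the wrap is reachable on 64-bit as well as 32-bit.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Per-plane geometry as it arrives in the untrusted IPC header (hypothetical
// layout, not SharedVideoFrameInfo's fields).
struct PlaneInfo {
    size_t height;
    size_t bytesPerRow;
};

// Checked arithmetic: nullopt on overflow instead of a silently wrapped value.
static std::optional<size_t> safeMultiply(size_t a, size_t b) {
    size_t r;
    if (__builtin_mul_overflow(a, b, &r))
        return std::nullopt;
    return r;
}

static std::optional<size_t> safeAdd(size_t a, size_t b) {
    size_t r;
    if (__builtin_add_overflow(a, b, &r))
        return std::nullopt;
    return r;
}

struct FrameInfo {
    std::vector<PlaneInfo> planes;

    // Bytes the sender must have provided for this frame, or nullopt if the
    // header's plane sizes do not fit in size_t.
    std::optional<size_t> storageSize() const {
        size_t total = 0;
        for (const PlaneInfo& p : planes) {
            std::optional<size_t> planeBytes = safeMultiply(p.height, p.bytesPerRow);
            if (!planeBytes)
                return std::nullopt;
            std::optional<size_t> sum = safeAdd(total, *planeBytes);
            if (!sum)
                return std::nullopt;
            total = *sum;
        }
        return total;
    }
};

// Result of decoding: the validated header plus its size, cached so the
// consumer never recomputes (and never re-trusts) it.
struct DecodedFrame {
    FrameInfo info;
    size_t size;
};

// Receiver side of the IPC boundary: reject the message on overflow, or when
// the header claims more bytes than the shared buffer holds, before any plane
// data is read.
static std::optional<DecodedFrame> decodeFrame(const FrameInfo& header, size_t bufferLength) {
    std::optional<size_t> size = header.storageSize();
    if (!size)
        return std::nullopt;
    if (*size > bufferLength)
        return std::nullopt;
    return DecodedFrame{header, *size};
}

int main() {
    // Constructed samples: a 1280x720 two-plane frame, and a header whose
    // height * stride wraps to 0 and would pass a naive size <= buffer check.
    FrameInfo nv12{{{720, 1280}, {360, 1280}}};
    FrameInfo hostile{{{SIZE_MAX / 2 + 1, 2}}};
    std::printf("nv12: %s\n", decodeFrame(nv12, 1382400) ? "accepted" : "rejected");
    std::printf("hostile: %s\n", decodeFrame(hostile, 4096) ? "accepted" : "rejected");
    return 0;
}
```

The hostile header is the interesting case: an unchecked `height * bytesPerRow` wraps to 0, so a bounds check against the buffer length succeeds and the later plane copy reads past the buffer. With checked arithmetic the overflow itself is the rejection signal.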


  Commit: 549d44e287b72e8ef61a07b54494990d8528307e
      
https://github.com/WebKit/WebKit/commit/549d44e287b72e8ef61a07b54494990d8528307e
  Author: Chirag M Shah <[email protected]>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt
    A LayoutTests/fullscreen/exit-full-screen-video-crash.html
    A LayoutTests/platform/gtk/fullscreen/exit-full-screen-video-crash-expected.txt
    M Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm

  Log Message:
  -----------
  Fix crash when HTMLMediaElement::exitFullscreen is called on a video
element which is not currently full screen
https://bugs.webkit.org/show_bug.cgi?id=255970
rdar://108489504

Reviewed by Jer Noble.

This change fixes an issue where exitFullScreen is called on a video element, but
the current full screen element is a div, due to which we end up
scheduling the webkitendfullscreenEvent event for the video, which trips
over an assertion.

* LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt: Added.
* LayoutTests/fullscreen/exit-full-screen-video-crash.html: Added.
* Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm:
(WebKit::VideoFullscreenManager::exitVideoFullscreenForVideoElement):
(WebKit::VideoFullscreenManager::exitVideoFullscreenToModeWithoutAnimation):

Originally-landed-as: 259548.703@safari-7615-branch (0ffc79d64999). 
rdar://113167859
Canonical link: https://commits.webkit.org/266584@main


  Commit: 067d7d9bd14860f25f32e8334c8c6b0898b08979
      
https://github.com/WebKit/WebKit/commit/067d7d9bd14860f25f32e8334c8c6b0898b08979
  Author: Arunsundar Kannan <[email protected]>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html

  Log Message:
  -----------
  Fix type confusion in BuilderConverter::applyValueContent.
https://bugs.webkit.org/show_bug.cgi?id=255955.
rdar://108499561.

Reviewed by Antti Koivisto.

This change fixes applyValueContent so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderCustom.h:
  (WebCore::Style::BuilderCustom::applyValueContent):

Originally-landed-as: 259548.730@safari-7615-branch (c123784dc828). 
rdar://113168576
Canonical link: https://commits.webkit.org/266585@main


  Commit: 6e63c9facca092bb4e3d0ab86014b6767925c6b8
      
https://github.com/WebKit/WebKit/commit/6e63c9facca092bb4e3d0ab86014b6767925c6b8
  Author: Arunsundar Kannan <[email protected]>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    M Source/WebCore/page/LocalDOMWindow.h

  Log Message:
  -----------
  Handle potential overflow of gamepadEventListenerCount.
https://bugs.webkit.org/show_bug.cgi?id=256205.
rdar://80838189.

Reviewed by Ryosuke Niwa.

m_gamepadEventListenerCount can overflow if addEventListener() is called UINT_MAX+1 times.
Once the window is freed, we will be left with a dangling pointer in the GamepadManager.
This change adds a flag to check for overflow and keep the behavior the same in the event of overflow.

* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::~DOMWindow):
(WebCore::DOMWindow::incrementGamepadEventListenerCount):
(WebCore::DOMWindow::decrementGamepadEventListenerCount):
* Source/WebCore/page/DOMWindow.h:

Originally-landed-as: 259548.729@safari-7615-branch (5cc2ead4986a). 
rdar://113169820
Canonical link: https://commits.webkit.org/266586@main
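The failure mode in the commit above, and one guarded counter next to it, as an added example that is not WebKit's code. The counter is templated on its integer type so the wrap is reachable in 256 calls with uint8_t instead of 2^32 with unsigned. GamepadManager and Window here are minimal stand-ins, and the guarded design (a sticky overflow flag that pins the count at its maximum and ignores decrements from then on, so the window stays registered until its destructor runs) is an assumption about how such a flag would be used, not a description of the WebKit patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <set>

// Holds raw, non-owning pointers to windows that currently have gamepad
// listeners (stand-in for the manager the commit message refers to).
class GamepadManager {
public:
    void registerWindow(const void* w) { m_windows.insert(w); }
    void unregisterWindow(const void* w) { m_windows.erase(w); }
    size_t registeredCount() const { return m_windows.size(); }
private:
    std::set<const void*> m_windows;
};

// Count: the counter's integer type. Guarded: false reproduces the unguarded
// counter, true adds the sticky overflow flag.
template<typename Count, bool Guarded>
class Window {
public:
    explicit Window(GamepadManager& m) : m_manager(m) {}
    ~Window() {
        // Unregisters only while the count is non-zero: if the unguarded
        // counter wrapped to 0, this is skipped and the manager keeps a
        // pointer to freed memory.
        if (m_count)
            m_manager.unregisterWindow(this);
    }
    void incrementGamepadEventListenerCount() {
        if (Guarded && m_count == std::numeric_limits<Count>::max()) {
            m_overflowed = true; // pin at max: exact count is lost, but never 0
            return;
        }
        if (!m_count)
            m_manager.registerWindow(this);
        ++m_count;
    }
    void decrementGamepadEventListenerCount() {
        if (Guarded && m_overflowed)
            return; // true count unknown: stay registered until destruction
        if (!m_count)
            return;
        if (!--m_count)
            m_manager.unregisterWindow(this);
    }
    Count count() const { return m_count; }
    bool overflowed() const { return m_overflowed; }
private:
    GamepadManager& m_manager;
    Count m_count = 0;
    bool m_overflowed = false;
};

// Adds `adds` listeners to a window, destroys it, and returns how many
// (now dangling) pointers the manager still holds.
template<typename Count, bool Guarded>
static size_t danglingAfter(unsigned adds) {
    GamepadManager manager;
    {
        Window<Count, Guarded> w(manager);
        for (unsigned i = 0; i < adds; ++i)
            w.incrementGamepadEventListenerCount();
    }
    return manager.registeredCount();
}

// Adds then removes listeners on a live window and returns whether it is
// still registered, to show the pinned counter never drops to 0.
template<typename Count, bool Guarded>
static size_t registeredAfter(unsigned adds, unsigned removes) {
    GamepadManager manager;
    Window<Count, Guarded> w(manager);
    for (unsigned i = 0; i < adds; ++i)
        w.incrementGamepadEventListenerCount();
    for (unsigned i = 0; i < removes; ++i)
        w.decrementGamepadEventListenerCount();
    return manager.registeredCount();
}

int main() {
    std::printf("unguarded, 256 adds: %zu dangling\n", danglingAfter<uint8_t, false>(256));
    std::printf("guarded,   256 adds: %zu dangling\n", danglingAfter<uint8_t, true>(256));
    return 0;
}
```

With uint8_t the 256th increment wraps the unguarded count to 0, so the destructor skips unregistration and the manager is left with one dangling pointer; the guarded window stops at 255, keeps its registration through any number of removals, and unregisters cleanly on destruction.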


Compare: https://github.com/WebKit/WebKit/compare/a41543cba4bf...6e63c9facca0
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
