Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 22d6f99cb96bb3352c1427625695ab65552a66dc
      
https://github.com/WebKit/WebKit/commit/22d6f99cb96bb3352c1427625695ab65552a66dc
  Author: Tyler Wilcock <[email protected]>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm

  Log Message:
  -----------
  AX: Nullptr deref of AXObjectCache in AccessibilityObject::contentForRange
rdar://117556782

Reviewed by Chris Fleizach.

* Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm:
(WebCore::AccessibilityObject::contentForRange const):
Null-check AXObjectCache before using it to prevent a rare crash.

Originally-landed-as: 267815.468@safari-7617-branch (4fce5d70c3d6). 
rdar://119595439
Canonical link: https://commits.webkit.org/272130@main


  Commit: df2939e8f62ae389a76393cca9dfd2daddb85d53
      
https://github.com/WebKit/WebKit/commit/df2939e8f62ae389a76393cca9dfd2daddb85d53
  Author: Mark Lam <[email protected]>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt
    A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  The deserializer should fail properly if it cannot materialize ArrayBufferViews.
https://bugs.webkit.org/show_bug.cgi?id=263794
rdar://117572216

Reviewed by Sihui Liu and Keith Miller.

* LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt: Added.
* LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html: Added.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readArrayBufferViewImpl):

Originally-landed-as: 267815.459@safari-7617-branch (ce6d953127cf). 
rdar://119595755
Canonical link: https://commits.webkit.org/272131@main


  Commit: 56cd7079354bb20f8dd577299ccbd39d1b462466
      
https://github.com/WebKit/WebKit/commit/56cd7079354bb20f8dd577299ccbd39d1b462466
  Author: Abigail Fox <[email protected]>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/UIProcess/WebProcessPool.cpp

  Log Message:
  -----------
  Added allowsFirstPartyForCookies check
https://bugs.webkit.org/show_bug.cgi?id=258161
rdar://106997645

Reviewed by Alex Christensen.

Added a message check to validate that the process is allowed to add first
parties for cookies before allowing a call to addAllowedFirstPartyForCookies.

Adding this message check exposed a scenario where a service worker web
process could be spawned in a bad state without any allowed first parties.
An addAllowedFirstPartyForCookies call was added to prevent this bad state.

This error was caught by 
http/tests/cookies/same-site/fetch-in-cross-origin-service-worker.html

* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):

Originally-landed-as: 267815.439@safari-7617-branch (33927ceba2d6). 
rdar://119596170
Canonical link: https://commits.webkit.org/272132@main


  Commit: fae7e4a1b9722c14512c35b546acd903e7299e92
      
https://github.com/WebKit/WebKit/commit/fae7e4a1b9722c14512c35b546acd903e7299e92
  Author: Mark Lam <[email protected]>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A JSTests/stress/int52rep-multiplication-with-overflow.js
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Int52Rep speculationCheck failed in DFG optimizations for the ArithMul operation.
https://bugs.webkit.org/show_bug.cgi?id=263707
rdar://117415514

Reviewed by Keith Miller.

The DFG ArithMul Int52Rep speculationCheck was using the binary form of the branchMul64 emitter to check for overflow of the multiplication.  The ARM64 version of this binary form branchMul64 has a bug: it's re-using one of the src registers as the dest register.

The underlying ARM64 implementation of branchMul64 needs to execute 2 instructions: mul and smulh.  Both of these instructions need to operate on the 2 source operands of the multiplication.  By making the dest register the same as the src1 register, the mul instruction, which comes first and computes dest, would trash src1.  Subsequently, smulh is computed with a corrupted src1 value.

The fix is simple:
1. Change the DFG ArithMul to use the ternary form of branchMul64.  It will just do the right thing, and in fact, eliminates an unnecessary move instruction on ARM64.

2. Remove the ARM64 binary form of branchMul64.  It is now no longer used.

3. For robustness, change the ternary form of branchMul64 to also be resilient against the scenario where dest equals either src1 or src2.  This is achieved by computing smulh first, which stores its result into a scratch register.  Only after that, do we compute mul, which is now free to set dest and potentially overwrite src1 or src2.

* JSTests/stress/int52rep-multiplication-with-overflow.js: Added.
(foo):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchMul64):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

Originally-landed-as: 267815.438@safari-7617-branch (20a302272ec6). 
rdar://119596279
Canonical link: https://commits.webkit.org/272133@main
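The register-aliasing bug described in this commit, modelled in plain C++ as an added example (this is not WebKit or JavaScriptCore code): `mul` and `smulh` are software stand-ins for the two ARM64 instructions, the buggy binary form is called with the same variable as dest and src1, and the fixed ternary form computes smulh into a scratch value first. Names such as `branchMul64Buggy`, `branchMul64Fixed` and `referenceOverflows` are hypothetical.

```cpp
#include <cstdint>

// Result of one emulated branchMul64: the low 64 bits written to dest and
// whether the overflow branch would have been taken.
struct MulResult { int64_t low; bool overflowed; };

// Software stand-ins for the two ARM64 instructions the emitter uses.
static int64_t mul(int64_t a, int64_t b) {
    return (int64_t)((uint64_t)a * (uint64_t)b);          // low 64 bits, wraps
}
static int64_t smulh(int64_t a, int64_t b) {
    return (int64_t)(((__int128)a * (__int128)b) >> 64); // signed high 64 bits
}

// A signed 64x64 product fits in 64 bits iff the high half equals the sign
// extension of the low half; a mismatch means overflow.
static bool highMismatch(int64_t high, int64_t low) { return high != (low >> 63); }

// Buggy binary form as the commit describes it: dest aliases src1 (pass the
// same variable for both), so mul trashes src1 before smulh reads it.
static MulResult branchMul64Buggy(int64_t& dest, const int64_t& src1, int64_t src2) {
    dest = mul(src1, src2);               // overwrites src1 when aliased
    int64_t high = smulh(src1, src2);     // now computed from the corrupted src1
    return { dest, highMismatch(high, dest) };
}

// Fixed ternary form: smulh goes to a scratch register first, so mul may
// freely write dest even when dest aliases src1 or src2.
static MulResult branchMul64Fixed(int64_t& dest, const int64_t& src1, const int64_t& src2) {
    int64_t scratch = smulh(src1, src2);
    dest = mul(src1, src2);
    return { dest, highMismatch(scratch, dest) };
}

// Reference verdict from the compiler's checked multiply, for comparison.
static bool referenceOverflows(int64_t a, int64_t b) {
    int64_t ignored;
    return __builtin_mul_overflow(a, b, &ignored);
}
```

With dest aliased to src1, 2^40 * 2^40 leaves 0 in dest, so the buggy form re-runs smulh on 0 and misses the overflow; -1 * 2^62 fits in 64 bits, yet the buggy form reports a false overflow.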


  Commit: 1325b97c04cdb848f8ba167b6c7595dcd5ef0cc7
      
https://github.com/WebKit/WebKit/commit/1325b97c04cdb848f8ba167b6c7595dcd5ef0cc7
  Author: Nisha Jain <[email protected]>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html
    M Source/WTF/wtf/URLParser.cpp

  Log Message:
  -----------
  [cf9aab29ad0894e2] heap-use-after-free | WTF::URLParser::parse; WTF::URLParser::URLParser; WTF::URL::URL
https://bugs.webkit.org/show_bug.cgi?id=263682
rdar://116995567.

Reviewed by David Kilzer and Chris Dumez.

Modified WTF::URLParser::parse API so there is no invalid pointer reference to 'm_asciiBuffer' by 'StringView' after reallocation which results in invalid 'urlScheme'.

* LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt: Added user expected test result.
* LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html: Added test case which causes reallocation of buffer.
* Source/WTF/wtf/URLParser.cpp: Modified below API
(WTF::URLParser::parse): Modified order of function calls so no invalid reference to buffer is made after reallocation resulting in invalid 'urlScheme'.

Originally-landed-as: 267815.437@safari-7617-branch (e5674422c86e). 
rdar://119596267
Canonical link: https://commits.webkit.org/272134@main
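The bug class in this commit (a non-owning StringView into a growable buffer that is reallocated before the view is used), modelled as an added example that is not WebKit or WTF code: `AsciiBuffer` with a `std::vector<char>` stands in for `m_asciiBuffer`, `std::string_view` stands in for `StringView`, and `viewIsLive` is a hypothetical address-range check that refuses to dereference a stale view. Function names are hypothetical; the fixed variant reflects the commit's reordering, not its actual code.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <string_view>
#include <vector>

// Growable ASCII buffer standing in for URLParser's m_asciiBuffer (hypothetical).
struct AsciiBuffer { std::vector<char> bytes; };

static void append(AsciiBuffer& buf, std::string_view text) {
    buf.bytes.insert(buf.bytes.end(), text.begin(), text.end());
}

// True iff the view's range lies inside the buffer's *current* storage.
// Compares addresses only; it never dereferences a possibly stale view.
static bool viewIsLive(const AsciiBuffer& buf, std::string_view view) {
    auto begin = reinterpret_cast<uintptr_t>(buf.bytes.data());
    auto v = reinterpret_cast<uintptr_t>(view.data());
    return v >= begin && v + view.size() <= begin + buf.bytes.size();
}

// Buggy order: take a non-owning view of the scheme, keep appending to the
// buffer (which may reallocate), then use the view. Returns false when the
// view has gone stale instead of reading freed memory.
static bool schemeViewThenAppend(std::string_view url, std::string& outScheme) {
    size_t colon = url.find(':');
    if (colon == std::string_view::npos) return false;
    AsciiBuffer buf;
    buf.bytes.reserve(8);                          // small, so the second append reallocates
    append(buf, url.substr(0, colon));
    std::string_view scheme(buf.bytes.data(), colon); // points into the old storage
    append(buf, url.substr(colon));                // exceeds capacity: reallocation
    if (!viewIsLive(buf, scheme)) return false;    // dangling, as in the reported crash
    outScheme.assign(scheme);
    return true;
}

// Fixed order, in the spirit of the commit: finish every write to the buffer
// before taking the view, so nothing can reallocate underneath it.
static bool appendThenSchemeView(std::string_view url, std::string& outScheme) {
    size_t colon = url.find(':');
    if (colon == std::string_view::npos) return false;
    AsciiBuffer buf;
    buf.bytes.reserve(8);
    append(buf, url);
    std::string_view scheme(buf.bytes.data(), colon);
    if (!viewIsLive(buf, scheme)) return false;
    outScheme.assign(scheme);
    return true;
}
```

Under AddressSanitizer the buggy ordering without the `viewIsLive` guard reports exactly the heap-use-after-free pattern named in the commit title.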


Compare: https://github.com/WebKit/WebKit/compare/93de6d37c114...1325b97c04cd
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
