Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 294263160d19f7909f691abbed510e6506a6d4ee
https://github.com/WebKit/WebKit/commit/294263160d19f7909f691abbed510e6506a6d4ee
Author: Chris Dumez <[email protected]>
Date: 2023-12-15 (Fri, 15 Dec 2023)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
CloneDeserializer::readTerminal() should fail decoding if tag is not exposed
to current JS context
https://bugs.webkit.org/show_bug.cgi?id=262921
rdar://115756703
Reviewed by Mark Lam.
In 265678@main, I added a check to make sure the type getting deserialized was exposed to the current JS context (e.g. audio worklet contexts don't have access to many of the types that Window context do). I added an early return when detecting this but failed to call `fail()` to explicitly fail decoding.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):
Originally-landed-as: 267815.245@safari-7617-branch (bf21fed44b35).
rdar://119577123
Canonical link: https://commits.webkit.org/272136@main
Commit: 0fa1c15c77c2df1f269442704135c8f416d3ab64
https://github.com/WebKit/WebKit/commit/0fa1c15c77c2df1f269442704135c8f416d3ab64
Author: Rob Buis <[email protected]>
Date: 2023-12-15 (Fri, 15 Dec 2023)
Changed paths:
A LayoutTests/fast/css/content-visibility-crash-expected.txt
A LayoutTests/fast/css/content-visibility-crash.html
M Source/WebCore/dom/ContentVisibilityDocumentState.cpp
Log Message:
-----------
Check m_elementViewportProximities lookup
https://bugs.webkit.org/show_bug.cgi?id=262061
rdar://115978526
Reviewed by Tim Nguyen.
It is possible a lookup in m_elementViewportProximities fails
to find an element, in that case do not use the iterator and
treat the viewport proximity as "far".
* LayoutTests/fast/css/content-visibility-crash-expected.txt: Added.
* LayoutTests/fast/css/content-visibility-crash.html: Added.
* Source/WebCore/dom/ContentVisibilityDocumentState.cpp:
(WebCore::ContentVisibilityDocumentState::checkRelevancyOfContentVisibilityElement const):
Originally-landed-as: [email protected] (334d4db2351c).
rdar://119566027
Canonical link: https://commits.webkit.org/272137@main
Commit: 637470b5995fdf7e04b974ad1935b8f7da312f75
https://github.com/WebKit/WebKit/commit/637470b5995fdf7e04b974ad1935b8f7da312f75
Author: Matt Woodrow <[email protected]>
Date: 2023-12-15 (Fri, 15 Dec 2023)
Changed paths:
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm
Log Message:
-----------
REGRESSION: OOB read in RemoteLayerTreeDrawingAreaProxy::commitLayerTree
https://bugs.webkit.org/show_bug.cgi?id=262977
<rdar://116651090>
Reviewed by Tim Horton and Chris Dumez.
Post-commit callbacks can run arbitrary code, including code that results in the drawing area being removed. It's not ref-counted, so we can't prevent its destruction if we recurse into code that destroys it.
Instead, use a WeakPtr to |this| to check if destruction happens, and avoid doing any further work.
* Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:
(WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction):
Originally-landed-as: 267815.273@safari-7617-branch (5257e528b2d7).
rdar://119564982
Canonical link: https://commits.webkit.org/272138@main
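The commit above describes a general pattern: an object that is not ref-counted hands control to callbacks that may delete it, so the only safe thing to hold across the callbacks is a weak reference, and every member access afterwards must be gated on that reference still being valid. The following is an added, self-contained C++ illustration of that pattern; it is not WebKit's code. The `WeakPtrFactory`, `DrawingAreaProxy` and `CommitResult` names, and the callback mechanism, are this example's own simplifications, modelled only loosely on the WebKit classes named in the log message.

```cpp
// Added example (not WebKit code): surviving a callback that may delete *this
// by checking a stack-local weak pointer before touching any member again.
#include <functional>
#include <memory>
#include <utility>
#include <vector>

class DrawingAreaProxy;

// Minimal weak-pointer factory in the spirit of a WeakPtrFactory (illustrative
// names, not WebKit's API). The owner is NOT ref-counted: the shared control
// block only records whether the owner is still alive.
class WeakPtrFactory {
public:
    struct Block { DrawingAreaProxy* target = nullptr; };

    class WeakPtr {
    public:
        explicit WeakPtr(std::shared_ptr<Block> b) : m_block(std::move(b)) {}
        DrawingAreaProxy* get() const { return m_block->target; }
        explicit operator bool() const { return get() != nullptr; }
    private:
        std::shared_ptr<Block> m_block;
    };

    explicit WeakPtrFactory(DrawingAreaProxy* owner)
        : m_block(std::make_shared<Block>(Block{owner})) {}
    ~WeakPtrFactory() { revokeAll(); }           // owner is going away
    WeakPtr createWeakPtr() const { return WeakPtr(m_block); }
    void revokeAll() { m_block->target = nullptr; }

private:
    std::shared_ptr<Block> m_block;
};

enum class CommitResult { Completed, DestroyedDuringCallbacks };

class DrawingAreaProxy {
public:
    using Callback = std::function<void()>;

    DrawingAreaProxy() : m_weakFactory(this) {}

    void addPostCommitCallback(Callback cb) { m_postCommitCallbacks.push_back(std::move(cb)); }
    int completedCommits() const { return m_completedCommits; }

    CommitResult commitLayerTreeTransaction() {
        // Take the weak reference BEFORE running code we do not control.
        WeakPtrFactory::WeakPtr weakThis = m_weakFactory.createWeakPtr();

        // Move the callbacks out first: iterating the member vector directly
        // would leave us with a dangling iterator if a callback deletes *this.
        std::vector<Callback> callbacks = std::move(m_postCommitCallbacks);
        m_postCommitCallbacks.clear();
        for (auto& cb : callbacks)
            cb();   // arbitrary code; may delete this object

        // If we were destroyed, any member access from here on is a
        // use-after-free (the OOB read in the bug title). Bail out using only
        // the stack-local weak pointer.
        if (!weakThis)
            return CommitResult::DestroyedDuringCallbacks;

        ++m_completedCommits;   // safe: the object is still alive
        return CommitResult::Completed;
    }

private:
    WeakPtrFactory m_weakFactory;   // revokes outstanding WeakPtrs in ~DrawingAreaProxy
    std::vector<Callback> m_postCommitCallbacks;
    int m_completedCommits = 0;
};

// Scenario 1 (constructed): an ordinary callback; the proxy survives the commit.
CommitResult runNormalCommit() {
    auto proxy = std::make_unique<DrawingAreaProxy>();
    proxy->addPostCommitCallback([] { /* e.g. notify an observer */ });
    return proxy->commitLayerTreeTransaction();
}

// Scenario 2 (constructed): a callback tears the drawing area down mid-commit,
// the situation the commit message describes. Without the weakThis check the
// post-callback work would touch freed memory.
CommitResult runCommitThatDestroysProxy() {
    auto proxy = std::make_unique<DrawingAreaProxy>();
    proxy->addPostCommitCallback([&proxy] { proxy.reset(); });
    return proxy->commitLayerTreeTransaction();
}

int main() {
    bool ok = runNormalCommit() == CommitResult::Completed
           && runCommitThatDestroysProxy() == CommitResult::DestroyedDuringCallbacks;
    return ok ? 0 : 1;
}
```

Two details matter as much as the weak pointer itself: the callback list is moved to the stack before any callback runs, so the loop never iterates a member of a possibly-deleted object, and after the `if (!weakThis)` check nothing but stack locals is touched on the failure path. Building with AddressSanitizer and removing the check is a quick way to see scenario 2 turn into a heap-use-after-free report.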
Commit: d385faf9aa709767d45073b35f385a9566e236a8
https://github.com/WebKit/WebKit/commit/d385faf9aa709767d45073b35f385a9566e236a8
Author: Nicole Rosario <[email protected]>
Date: 2023-12-15 (Fri, 15 Dec 2023)
Changed paths:
A LayoutTests/fast/css/create-columns-onload-crash-expected.txt
A LayoutTests/fast/css/create-columns-onload-crash.html
M Source/WebCore/style/StyleBuilderConverter.h
Log Message:
-----------
jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) downcast(Source &) [Target = WebCore::CSSFunctionValue, Source = const WebCore::CSSValue]
rdar://115107618
Reviewed by Chris Dumez.
Downcast was attempted before ensuring type is correct, so added a typecheck before downcast.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::createGridTrackSize): added typecheck before downcast
Originally-landed-as: 267815.304@safari-7617-branch (395cb173896a).
rdar://119564042
Canonical link: https://commits.webkit.org/272139@main
Compare: https://github.com/WebKit/WebKit/compare/4629f05354c3...d385faf9aa70
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes