Branch: refs/heads/webkitglib/2.44
  Home:   https://github.com/WebKit/WebKit
  Commit: fb9cb17cdb0d6281e68ef1709762d985c04130f2
      https://github.com/WebKit/WebKit/commit/fb9cb17cdb0d6281e68ef1709762d985c04130f2
  Author: Mark Lam <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/Scripts/process-entitlements.sh
    M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
    M Source/WebKit/Scripts/process-entitlements.sh

  Log Message:
  -----------
  Cherry-pick 272448.472@safari-7618-branch (7fdb5ce499c7). https://bugs.webkit.org/show_bug.cgi?id=267886

    Clean up some JSC entitlements.
    https://bugs.webkit.org/show_bug.cgi?id=267886
    rdar://121395716

    Reviewed by Justin Michaud, Per Arne Vollan, and Alexey Shvaika.

    * Source/JavaScriptCore/Scripts/process-entitlements.sh:
    * Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
    (JSC::isJITEnabled):
    (JSC::ExecutableAllocator::disableJIT):
    * Source/WebKit/Scripts/process-entitlements.sh:

    Canonical link: https://commits.webkit.org/272448.472@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.45@webkitglib/2.44


  Commit: 3ee62b21bc6bd6e65a60587d6417bf50ccd5852a
      https://github.com/WebKit/WebKit/commit/3ee62b21bc6bd6e65a60587d6417bf50ccd5852a
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp

  Log Message:
  -----------
  Cherry-pick 272448.473@safari-7618-branch (00b3f3ccf06e). https://bugs.webkit.org/show_bug.cgi?id=268731

    Block "setMediaOverridesForTesting" media IPC endpoints when not testing and instead reset values
    https://bugs.webkit.org/show_bug.cgi?id=268731
    rdar://122218365

    Reviewed by Youenn Fablet.

    The fix in https://commits.webkit.org/272448.445@safari-7618-branch was insufficient as
    the setMediaOverridesForTesting IPC endpoint is also used to reset the flags to their default.

    So rather than disabling the IPC endpoint altogether, we restrict its use to only reset
    the default values (which are all unset).

    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
    (WebKit::GPUConnectionToWebProcess::setMediaOverridesForTesting):
    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:

    Canonical link: https://commits.webkit.org/272448.473@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.46@webkitglib/2.44


  Commit: 891762765dc6693bf3fd623ab9ad8647d7c5a9c5
      https://github.com/WebKit/WebKit/commit/891762765dc6693bf3fd623ab9ad8647d7c5a9c5
  Author: Mark Lam <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WTF/wtf/PlatformUse.h

  Log Message:
  -----------
  Cherry-pick 272448.493@safari-7618-branch (3b4b355b9810). https://bugs.webkit.org/show_bug.cgi?id=268788

    Clean up JIT permissions configuration.
    https://bugs.webkit.org/show_bug.cgi?id=268788
    rdar://122141946

    Reviewed by Alexey Shvayka.

    * Source/WTF/wtf/PlatformUse.h:

    Canonical link: https://commits.webkit.org/272448.493@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.47@webkitglib/2.44


  Commit: e5cffbd4257d094055971bb9dbdd213874440645
      https://github.com/WebKit/WebKit/commit/e5cffbd4257d094055971bb9dbdd213874440645
  Author: Mark Lam <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/Scripts/process-entitlements.sh
    M Source/WebKit/Scripts/process-entitlements.sh

  Log Message:
  -----------
  Cherry-pick 272448.494@safari-7618-branch (0ebcda9ff537). https://bugs.webkit.org/show_bug.cgi?id=268792

    Refine application of new JIT entitlement for build fix.
    https://bugs.webkit.org/show_bug.cgi?id=268792
    rdar://122352736

    Reviewed by Tim Horton.

    * Source/JavaScriptCore/Scripts/process-entitlements.sh:
    * Source/WebKit/Scripts/process-entitlements.sh:

    Canonical link: https://commits.webkit.org/272448.494@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.48@webkitglib/2.44


  Commit: cf0035a96f0d01e4072f57e30cf4c473853156fe
      https://github.com/WebKit/WebKit/commit/cf0035a96f0d01e4072f57e30cf4c473853156fe
  Author: Matthew Finkel <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt
    A LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html
    M Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp

  Log Message:
  -----------
  Cherry-pick 272448.2@safari-7618-branch (18fd76f8a016). https://bugs.webkit.org/show_bug.cgi?id=266703

    Ensure Filesystem root path is not empty
    https://bugs.webkit.org/show_bug.cgi?id=266703
    rdar://119813501

    Reviewed by Chris Dumez.

    When the root path is empty, then the file's name can define an arbitrary
    filesystem path. This change ensures that the path is non-empty, therefore the
    virtual filesystem must be defined under a directory that the user selected.

    * LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt: Added.
    * LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html: Added.
    * Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp:
    (WebCore::DOMFileSystem::getEntry):
    (WebCore::DOMFileSystem::getFile):

    Canonical link: https://commits.webkit.org/272448.2@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.49@webkitglib/2.44
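The check this commit describes, an empty root turning the entry name into the whole path, is easy to model outside the browser. The following is an added illustration, not WebKit's DOMFileSystem code: `resolve_entry_path` is a hypothetical helper that refuses an empty root and then confines the resolved entry to the user-selected directory.

```python
import posixpath


class InvalidEntryPath(ValueError):
    """Raised when an entry cannot be resolved inside the chosen root directory."""


def resolve_entry_path(root_path: str, entry_name: str) -> str:
    """Resolve `entry_name` strictly below `root_path` (the directory the user selected).

    Hypothetical model of the check, not the project's own code. With an empty
    root, posixpath.join("", name) returns `name` unchanged, so the entry name
    alone would decide the resulting filesystem path; that is why the empty
    root is rejected before anything else.
    """
    if not root_path:
        raise InvalidEntryPath("root path must not be empty")
    if not entry_name:
        raise InvalidEntryPath("entry name must not be empty")
    if entry_name.startswith("/"):
        raise InvalidEntryPath("entry name must be relative to the root")

    root = posixpath.normpath(root_path)
    if not root.startswith("/"):
        raise InvalidEntryPath("root path must be absolute")

    # Normalise away "." and ".." components, then require the result to stay
    # inside the root (equal to it, or below it with a separator in between).
    candidate = posixpath.normpath(posixpath.join(root, entry_name))
    inside = candidate == root or candidate.startswith(root.rstrip("/") + "/")
    if not inside:
        raise InvalidEntryPath(f"{entry_name!r} escapes {root!r}")
    return candidate


def is_rejected(root_path: str, entry_name: str) -> bool:
    """Convenience wrapper: True when the pair is refused by resolve_entry_path."""
    try:
        resolve_entry_path(root_path, entry_name)
    except InvalidEntryPath:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(resolve_entry_path("/Users/me/Drop", "photo.png"))
    print(is_rejected("", "secret.txt"))               # empty root: refused
    print(is_rejected("/Users/me/Drop", "../../etc/x"))  # traversal: refused
```

The two checks are deliberately separate: rejecting an empty root is the fix the commit describes, while the prefix comparison after normalisation catches traversal through `..` components for any non-empty root.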


  Commit: 9969ea40eb0fdedaaaab54af56a4dc5832787884
      https://github.com/WebKit/WebKit/commit/9969ea40eb0fdedaaaab54af56a4dc5832787884
  Author: Michael Saboff <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/GetPutInfo.h
    M Source/JavaScriptCore/runtime/ScopedArguments.cpp
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Cherry-pick 272448.5@safari-7618-branch (97894699773c). https://bugs.webkit.org/show_bug.cgi?id=261934

    Scoped Arguments needs to alias between named and unnamed accesses and across nested scopes
    https://bugs.webkit.org/show_bug.cgi?id=261934
    rdar://114925088
    rdar://117838992

    Reviewed by Yusuke Suzuki.

    Fixed issue where an access to a named argument and a separate access via its argument[i] counterpart weren't recognized throughout
    all JIT tiers as accesses to the same scoped value.  The DFG bytecode parser can unknowingly constant fold the read access.
    Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values.
    related objects

    Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the
    ScopedArgument entry for the matching index.  Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization
    initialization type in GetPutInfo to signify this shared watchpoint case.  Since currently all tiers write to scoped arguments
    via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint.

    Added a new test.

    * JSTests/stress/arrow-function-captured-arguments-aliased.js: Added.
    (createOptAll):
    (createOpt500):
    (createOpt2000):
    (createOpt5000):
    (main):
    * Source/JavaScriptCore/bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::finishCreation):
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
    * Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
    * Source/JavaScriptCore/runtime/GetPutInfo.h:
    (JSC::initializationModeName):
    (JSC::isInitialization):
    * Source/JavaScriptCore/runtime/ScopedArguments.cpp:
    (JSC::ScopedArguments::unmapArgument):
    * Source/JavaScriptCore/runtime/ScopedArguments.h:
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
    (JSC::ScopedArgumentsTable::tryCreate):
    (JSC::ScopedArgumentsTable::tryClone):
    (JSC::ScopedArgumentsTable::trySetLength):
    (JSC::ScopedArgumentsTable::trySetWatchpointSet):
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
    * Source/JavaScriptCore/runtime/SymbolTable.cpp:
    (JSC::SymbolTable::cloneScopePart):
    * Source/JavaScriptCore/runtime/SymbolTable.h:

    Canonical link: https://commits.webkit.org/272448.5@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.50@webkitglib/2.44


  Commit: 9d294ccb0b0197e090e8f196affc5409c77e7b1d
      https://github.com/WebKit/WebKit/commit/9d294ccb0b0197e090e8f196affc5409c77e7b1d
  Author: Yusuke Suzuki <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/attribute-custom-accessor.js
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

  Log Message:
  -----------
  Cherry-pick 272448.6@safari-7618-branch (24d1c08b9dfa). https://bugs.webkit.org/show_bug.cgi?id=266695

    [JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value
    https://bugs.webkit.org/show_bug.cgi?id=266695
    rdar://119854137

    Reviewed by Mark Lam.

    PropertyCondition::isValidValueForAttributes only handled accessors and values. And it
    didn't handle custom accessor / custom values. This patch changes it so that we can
    check custom accessor / custom value cases correctly.

    * JSTests/stress/attribute-custom-accessor.js: Added.
    (async asyncSleep):
    (setHasBeenDictionary):
    (watchToJSONForReplacements):
    (async watchLastMatchForReplacements.getLastMatch):
    (async watchLastMatchForReplacements):
    (const.target.toJSON):
    (opt):
    (async main):
    * Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
    (JSC::PropertyCondition::isValidValueForAttributes):

    Canonical link: https://commits.webkit.org/272448.6@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.51@webkitglib/2.44


  Commit: f25f53fda80ea5dc14dc099221db8acffd3a32cc
      https://github.com/WebKit/WebKit/commit/f25f53fda80ea5dc14dc099221db8acffd3a32cc
  Author: Youenn Fablet <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/encodeframe.c

  Log Message:
  -----------
  Cherry-pick 272448.9@safari-7618-branch (965fd49504ed). rdar://119595026

    Potential 'overflow' issue committed to upstream libwebrtc
    rdar://119595026

    Reviewed by Jean-Yves Avenard.

    Cherry-picking of https://github.com/webmproject/libvpx/commit/193b1511956f1732a8d54041a26ca9633a92abf9

    * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc:
    * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/encodeframe.c:
    (encode_mb_row):

    Canonical link: https://commits.webkit.org/272448.9@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.52@webkitglib/2.44


  Commit: 2c491b0134f2115d102dd85b7c6d2be859fee121
      https://github.com/WebKit/WebKit/commit/2c491b0134f2115d102dd85b7c6d2be859fee121
  Author: Youenn Fablet <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt
    M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt
    M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html
    M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt
    M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html
    M LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html
    M LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
    M LayoutTests/platform/ios/TestExpectations
    M LayoutTests/platform/mac-wk1/TestExpectations
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Cherry-pick 272448.10@safari-7618-branch (b856378e0a55). rdar://116054889

    Plaintext Ping requests not blocked by mixed-content checks (262117)
    rdar://116054889

    Reviewed by Alex Christensen.

    Enforce mixed content checks for beacons and pings, like we do for regular xhr/fetch.
    This aligns the behavior with Chrome and Firefox.

    We have to change some tests so that preloads kick in deterministically.
    Preloads might not kick in if an early JS resource is already in the cache.
    We therefore clear the memory cache to ensure dump-securitypolicyviolation-and-notify-done.js gets fetched again, which will trigger both preload and resource load.
    Otherwise, we will get only one CONSOLE MESSAGE for the actual blocked load.

    We also have to change some tests so that they use HTTPS and not HTTP.

    * LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt:
    * LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt:
    * LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html:
    * LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt:
    * LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html:
    * LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html:
    * LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt: Removed.
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt: Removed.
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt: Removed.
    * LayoutTests/platform/ios/TestExpectations:
    * LayoutTests/platform/mac-wk1/TestExpectations:
    * LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
    * LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
    * LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
    * Source/WebCore/loader/cache/CachedResourceLoader.cpp:
    (WebCore::CachedResourceLoader::checkInsecureContent const):

    Canonical link: https://commits.webkit.org/272448.10@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.53@webkitglib/2.44
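The policy change in this commit is that beacon and ping requests join the set of request kinds subject to the mixed-content check, rather than any change to the check itself. The following added example (not WebKit's CachedResourceLoader code) models that decision in Python: the two destination sets, the "potentially trustworthy" test on a URL, and a handful of constructed requests evaluated under the old and new sets. It models only the blocking case, not upgrade-insecure-requests.

```python
from urllib.parse import urlsplit

# Constructed for this example: request destinations that were already subject
# to the mixed-content check, and the set after the change, which adds beacon
# and ping. The labels are illustrative, not WebKit's internal type names.
CHECKED_DESTINATIONS_BEFORE = frozenset({"xhr", "fetch", "script", "image", "style", "frame"})
CHECKED_DESTINATIONS_AFTER = CHECKED_DESTINATIONS_BEFORE | {"beacon", "ping"}


def is_potentially_trustworthy(url: str) -> bool:
    """Simplified 'potentially trustworthy URL' test: TLS schemes and loopback hosts."""
    parts = urlsplit(url)
    if parts.scheme in ("https", "wss"):
        return True
    return parts.hostname in ("localhost", "127.0.0.1")


def is_blocked_mixed_content(page_url: str, request_url: str, destination: str,
                             checked=CHECKED_DESTINATIONS_AFTER) -> bool:
    """Return True when a request from `page_url` must be blocked as mixed content.

    A request is mixed content only when the embedding page is secure, the
    request destination is one the policy checks, and the target URL is not.
    """
    if not is_potentially_trustworthy(page_url):
        return False  # plain-http pages cannot have mixed content
    if destination not in checked:
        return False  # this destination is not subject to the check (the old gap)
    return not is_potentially_trustworthy(request_url)


# Constructed sample requests: (page URL, request URL, destination).
SAMPLE_REQUESTS = [
    ("https://app.example/", "http://collector.example/beacon", "beacon"),
    ("https://app.example/", "http://tracker.example/ping", "ping"),
    ("https://app.example/", "https://api.example/data", "fetch"),
    ("https://app.example/", "http://api.example/data", "xhr"),
    ("http://plain.example/", "http://collector.example/beacon", "beacon"),
]


def blocked_under(checked) -> list:
    """List the (request URL, destination) pairs blocked under a given destination set."""
    return [(request_url, destination)
            for page_url, request_url, destination in SAMPLE_REQUESTS
            if is_blocked_mixed_content(page_url, request_url, destination, checked)]


if __name__ == "__main__":
    print("before:", blocked_under(CHECKED_DESTINATIONS_BEFORE))
    print("after: ", blocked_under(CHECKED_DESTINATIONS_AFTER))
```

Run stand-alone, the "before" list contains only the plain-http XHR, while the "after" list also contains the beacon and ping to plain-http endpoints; the beacon sent from the http page is never mixed content, which is the first guard in `is_blocked_mixed_content`.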


  Commit: a430b08533483b9996110a1c926b7b28f0e7289d
      https://github.com/WebKit/WebKit/commit/a430b08533483b9996110a1c926b7b28f0e7289d
  Author: Alan Baradlay <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/ruby/ruby-base-content-should-not-wrap-expected.html
    A LayoutTests/fast/ruby/ruby-base-content-should-not-wrap.html
    M Source/WebCore/layout/formattingContexts/inline/InlineFormattingUtils.cpp

  Log Message:
  -----------
  Cherry-pick 2c41110b8852. https://bugs.webkit.org/show_bug.cgi?id=269235

    [IFC][Ruby] Ruby base content may wrap even when style says no
    https://bugs.webkit.org/show_bug.cgi?id=269235
    <rdar://122811940>

    Reviewed by Antti Koivisto.

    There's no soft wrap opportunity between 2 adjacent non-whitespace characters when style says nowrap.

    * LayoutTests/fast/ruby/ruby-base-content-should-not-wrap-expected.html: Added.
    * LayoutTests/fast/ruby/ruby-base-content-should-not-wrap.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/InlineFormattingUtils.cpp:
    (WebCore::Layout::isAtSoftWrapOpportunity):

    Canonical link: https://commits.webkit.org/272448.537@safari-7618-branch

    Identifier: [email protected]

Canonical link: https://commits.webkit.org/274313.54@webkitglib/2.44


  Commit: 88dc13476135a2e67d641ed3e8d2fb2d968f8a52
      https://github.com/WebKit/WebKit/commit/88dc13476135a2e67d641ed3e8d2fb2d968f8a52
  Author: Justin Michaud <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/Scripts/process-entitlements.sh

  Log Message:
  -----------
  Cherry-pick 8179ae2db1bf. <bug>

    Clean up JSC shell entitlements to fix RAMification.
    rdar://122826926

    Reviewed by Yusuke Suzuki.

    In https://commits.webkit.org/272448.472@safari-7618-branch, we switched
    to the new allow-jit entitlement. This broke RAMification runs because
    the JSC binary doesn't have the com.apple.developer.web-browser-engine.webcontent
    entitlement. This patch adds it.

    * Source/JavaScriptCore/Scripts/process-entitlements.sh:

    Canonical link: https://commits.webkit.org/272448.538@safari-7618-branch

    Identifier: [email protected]

Canonical link: https://commits.webkit.org/274313.55@webkitglib/2.44


  Commit: b44ec3533719afd748f0d3d60ab5fd8965641f29
      https://github.com/WebKit/WebKit/commit/b44ec3533719afd748f0d3d60ab5fd8965641f29
  Author: Chris Dumez <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers
    A LayoutTests/http/wpt/content-security-policy/resources/dummy.js
    M Source/WebCore/html/parser/HTMLConstructionSite.cpp

  Log Message:
  -----------
  Cherry-pick 272448.25@safari-7618-branch (d43f7eafe9c4). https://bugs.webkit.org/show_bug.cgi?id=267241

    Bug in the HTML parser makes it possible to bypass `nonce` attribute hiding
    https://bugs.webkit.org/show_bug.cgi?id=267241
    rdar://120056084

    Reviewed by Ryosuke Niwa.

    Per the HTML specification [1], the `nonce` attribute is supposed to get hidden by
    the user agent once the element gets connected to the document. This means that we
    remove the `nonce` attribute and store its value in an internal field.

    The intention is that elements only expose their nonce via their `nonce` property
    to scripts, and not to side-channels like CSS attribute selectors.

    The HTML specification [2] also says that when encountering a duplicate <body> or
    <html> tag, we should merge the attributes from the duplicate element to the original
    one. When this happened, we could move the `nonce` attribute from a duplicate <body>
    / <html> to the original element and it would not get hidden since the original element
    is already connected to the document.

    To address the issue, we now add special handling for the `nonce` attribute upon merging:
    1. We discard the duplicate element's `nonce` attribute if the original element [[nonce]]
    internal field is already set (meaning the element already has a nonce).
    2. If the original element doesn't have a `nonce` we do merge the attribute and then call
    the logic to hide the `nonce` right away.

    [1] https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes:include-2
    [2] https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody

    * LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers: Added.
    * LayoutTests/http/wpt/content-security-policy/resources/dummy.js: Added.
    Add test coverage.

    * Source/WebCore/html/parser/HTMLConstructionSite.cpp:
    (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

    Canonical link: https://commits.webkit.org/272448.25@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.56@webkitglib/2.44
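The two merge rules in this commit message are small enough to model end to end. The following is an added example, not WebKit's HTMLConstructionSite code: a toy `Element` with content attributes (what a CSS attribute selector can see) and a separate internal nonce slot, the hide-on-connect step from the HTML spec, the attribute merge for a duplicate `<body>`/`<html>` start tag with rules 1 and 2 applied, and, for contrast, the pre-fix merge that leaves the attribute visible. All names are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Element:
    tag: str
    # Content attributes: what CSS attribute selectors and getAttribute() see.
    attributes: dict = field(default_factory=dict)
    # Internal [[CryptographicNonce]] slot, exposed to script only via `.nonce`.
    nonce: str = ""
    connected: bool = False


def hide_nonce(element: Element) -> None:
    """Move the `nonce` content attribute into the internal slot (spec: nonce hiding)."""
    value = element.attributes.pop("nonce", None)
    if value is not None:
        element.nonce = value


def insert_into_document(element: Element) -> None:
    """Connecting an element to the document triggers nonce hiding."""
    element.connected = True
    hide_nonce(element)


def merge_attributes_naive(original: Element, duplicate_attributes: dict) -> None:
    """Pre-fix behaviour: copy attributes the original lacks, with no nonce handling.

    The original is already connected, so nothing hides a `nonce` copied here.
    """
    for name, value in duplicate_attributes.items():
        original.attributes.setdefault(name, value)


def merge_attributes_from_duplicate(original: Element, duplicate_attributes: dict) -> None:
    """Merge a duplicate <body>/<html> start tag's attributes into the original element.

    Attributes already present on the original are kept (parsing spec). For
    `nonce` the commit's two rules apply:
      1. original already has a nonce in its internal slot -> discard the duplicate's;
      2. otherwise merge it, then run nonce hiding immediately.
    """
    for name, value in duplicate_attributes.items():
        if name == "nonce":
            if original.nonce:
                continue                       # rule 1
            original.attributes[name] = value  # rule 2: merge ...
            hide_nonce(original)               # ... and hide right away
            continue
        original.attributes.setdefault(name, value)


def css_attribute_selector_matches(element: Element, name: str, value: str) -> bool:
    """Model of a [name="value"] selector: it only sees content attributes."""
    return element.attributes.get(name) == value


if __name__ == "__main__":
    # Constructed scenario: <body nonce="r4nd0m"> followed by a duplicate <body> tag.
    body = Element("body", {"class": "a", "nonce": "r4nd0m"})
    insert_into_document(body)
    merge_attributes_from_duplicate(body, {"nonce": "other", "id": "x"})
    print(body.nonce, body.attributes)
    print(css_attribute_selector_matches(body, "nonce", "r4nd0m"))
```

The invariant worth asserting in a test is the one the commit states: after any merge, a connected element's `attributes` never contains `nonce`, whichever of the two rules applied, while the naive merge breaks it.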


  Commit: 2b28f8e04865b48b808be6cda2245138de93cc5f
      https://github.com/WebKit/WebKit/commit/2b28f8e04865b48b808be6cda2245138de93cc5f
  Author: Alan Baradlay <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt
    A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp

  Log Message:
  -----------
  Cherry-pick 272448.26@safari-7618-branch (6eed83460548). https://bugs.webkit.org/show_bug.cgi?id=267270

    Out-of-flow line break box does not initiate render layer
    https://bugs.webkit.org/show_bug.cgi?id=267270
    rdar://120662818

    Reviewed by Antti Koivisto.

    1. Let's not assume that an out-of-flow box is a type of RenderBox (e.g. line break)
    2. Not all out-of-flow positioned boxes trigger layers.

    * LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt: Added.
    * LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html: Added.
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
    (WebCore::LayoutIntegration::LineLayout::shiftLinesBy):

    Canonical link: https://commits.webkit.org/272448.26@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.57@webkitglib/2.44


  Commit: dafa1ea85b17155cf5596631f6315bd0e7df872c
      https://github.com/WebKit/WebKit/commit/dafa1ea85b17155cf5596631f6315bd0e7df872c
  Author: Alan Baradlay <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/text/out-of-flow-line-break-crash-expected.txt
    A LayoutTests/fast/text/out-of-flow-line-break-crash.html
    M Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp
    M Source/WebCore/layout/formattingContexts/inline/TextOnlySimpleLineBuilder.cpp

  Log Message:
  -----------
  Cherry-pick 272448.28@safari-7618-branch (2658caa71663). https://bugs.webkit.org/show_bug.cgi?id=267268

    [IFC] Do not treat out-of-flow line break as text content
    https://bugs.webkit.org/show_bug.cgi?id=267268
    rdar://120662940

    Reviewed by Antti Koivisto.

    Out-of-flow line break is not eligible for simplified (text-only) line building.

    * LayoutTests/fast/text/out-of-flow-line-break-crash-expected.txt: Added.
    * LayoutTests/fast/text/out-of-flow-line-break-crash.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp:
    (WebCore::Layout::isTextOrLineBreak):
    * Source/WebCore/layout/formattingContexts/inline/TextOnlySimpleLineBuilder.cpp:
    (WebCore::Layout::TextOnlySimpleLineBuilder::placeNonWrappingInlineTextContent):

    Canonical link: https://commits.webkit.org/272448.28@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.58@webkitglib/2.44


  Commit: f5995f4872fef3f5f501d0ac9e113610971b99ba
      https://github.com/WebKit/WebKit/commit/f5995f4872fef3f5f501d0ac9e113610971b99ba
  Author: Yijia Huang <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 272448.74@safari-7618-branch (7bd07231e704). https://bugs.webkit.org/show_bug.cgi?id=267036

    Should crash when deserializing JSArray object containing named property length
    https://bugs.webkit.org/show_bug.cgi?id=267036
    rdar://120410983

    Reviewed by Sihui Liu and Mark Lam.

    `length` is treated as a special property in JSArray. There shouldn't
    be any named property `length` in JSArray. So, should crash when
    deserializing JSArray object containing named property `length`.

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneSerializer::serialize):
    (WebCore::CloneDeserializer::objectStartVisitMember):
    (WebCore::CloneDeserializer::objectEndVisitMember):
    (WebCore::CloneDeserializer::deserialize):

    Canonical link: https://commits.webkit.org/272448.74@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.59@webkitglib/2.44


  Commit: 9f83080fb196b4cce89d943f759743521fd61ffe
      https://github.com/WebKit/WebKit/commit/9f83080fb196b4cce89d943f759743521fd61ffe
  Author: Erica Li <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt
    A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html
    M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Cherry-pick 272448.75@safari-7618-branch (2534e02e1983). 
https://bugs.webkit.org/show_bug.cgi?id=266567.

    ASAN_SEGV | Hard null deref |LayoutIntegration::BoxTree::layoutBoxForRenderer; LayoutIntegration::LineLayout::enclosingBorderBoxRectFor; WebCore::RenderInline::linesBoundingBox.
    https://bugs.webkit.org/show_bug.cgi?id=266567.
    rdar://114586645.

    Reviewed by Alan Baradlay.

    Similar to 107979394, apply handling for repainting a freshly inserted sticky inline box.

    * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt: Added.
    * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html: Added.
    * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline for rdar://119187070.
    * Source/WebCore/rendering/RenderInline.cpp:
    (WebCore::RenderInline::linesBoundingBox const):

    Canonical link: https://commits.webkit.org/272448.75@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.60@webkitglib/2.44


  Commit: b99816d88b90129cb7300a41a6a8c3884f93035f
      
https://github.com/WebKit/WebKit/commit/b99816d88b90129cb7300a41a6a8c3884f93035f
  Author: Alan Baradlay <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash-expected.txt
    A LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash.html
    M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp
    M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.h
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.h
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 272448.98@safari-7618-branch (77a82bb2bcde). 
https://bugs.webkit.org/show_bug.cgi?id=267141

    Do not repaint newly moved inline box
    https://bugs.webkit.org/show_bug.cgi?id=267141
    rdar://120555470

    Reviewed by Antti Koivisto.

    1. Repaint needs up-to-date geometry information to compute the damaged area
    2. Whenever we invalidate the line layout path, we lose all geometry information so a full repaint is being issued on the very first invalidation.
    (note that there may be multiple mutations happening at the same time)

    This patch ensures that such repaints are _not_ issued on newly inserted content.
    Since we don't keep track of whether a particular renderer has already issued repaint, moving renderers between blocks could
    potentially be repainted twice; initially when they get detached and later when they get inserted at their new position.
    Repaint issued at this later stage most likely results in incorrectly computed damage area as all relevant geometries are
    relative to the former block, and in some cases it may even trigger crashes as we don't find associated layout/display boxes in
    the new block.

    * LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash-expected.txt: Added.
    * LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash.html: Added.
    * Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:
    (WebCore::LayoutIntegration::BoxTree::contains const):
    * Source/WebCore/layout/integration/LayoutIntegrationBoxTree.h:
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
    (WebCore::LayoutIntegration::LineLayout::contains const):
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.h:
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::invalidateLineLayoutPath):

    Canonical link: https://commits.webkit.org/272448.98@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.61@webkitglib/2.44


  Commit: f5909af7891338f7e7227d52235bc26cdf7d2ec5
      
https://github.com/WebKit/WebKit/commit/f5909af7891338f7e7227d52235bc26cdf7d2ec5
  Author: Ryan Reno <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentLoader.h

  Log Message:
  -----------
  Cherry-pick 272448.100@safari-7618-branch (7f3ac60a98fc). 
https://bugs.webkit.org/show_bug.cgi?id=264811

    Content-Type x-mixed-replace can be abused to bypass CSP
    https://bugs.webkit.org/show_bug.cgi?id=264811
    rdar://118394343

    Reviewed by John Wilander and Brent Fulgham.

    When replacing the document in a multipart/x-mixed-replace response, the
    DocumentLoader would reset its CSP every time a new response was received.
    This change makes the CSP persistent across document replacements when
    loading multipart content. Now the CSP can only become more restrictive
    as new parts are received.

    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py: Added.
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::shouldClearContentSecurityPolicyForResponse const):
    (WebCore::DocumentLoader::responseReceived):
    * Source/WebCore/loader/DocumentLoader.h:

    Canonical link: https://commits.webkit.org/272448.100@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.62@webkitglib/2.44
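
The multipart CSP handling this commit describes, as an added example (not WebKit's code): a small `DocumentLoaderModel` whose `shouldClearContentSecurityPolicyForResponse` switch selects the old "reset per part" behaviour or the fixed "policies persist and only accumulate" behaviour. The type names, the `script-src`-only policy parser and the sample responses are all constructed for illustration.

```cpp
// Added example, not WebKit's code. Models how a DocumentLoader decides whether
// to clear its CSP when a new part of a multipart/x-mixed-replace response
// replaces the document. Policy/CspSet/Response/DocumentLoaderModel are hypothetical.
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One Content-Security-Policy header, reduced to its script-src source list.
struct Policy {
    std::set<std::string> scriptSources; // empty after "script-src 'none'"
    bool hasScriptSrc = false;           // false: this header says nothing about scripts
};

// Parse only what the model needs: "script-src a b; other-directive ...".
static Policy parsePolicy(const std::string& header) {
    Policy p;
    std::stringstream ss(header);
    std::string directive;
    while (std::getline(ss, directive, ';')) {
        std::stringstream ds(directive);
        std::string name;
        ds >> name;
        if (name != "script-src")
            continue;
        p.hasScriptSrc = true;
        std::string src;
        while (ds >> src) {
            if (src != "'none'")
                p.scriptSources.insert(src);
        }
    }
    return p;
}

// Several policies are enforced together: a script source is allowed only if
// every policy that mentions script-src allows it, so adding a policy can only restrict.
struct CspSet {
    std::vector<Policy> policies;
    bool allowsScriptFrom(const std::string& source) const {
        for (const Policy& p : policies) {
            if (p.hasScriptSrc && !p.scriptSources.count(source))
                return false;
        }
        return true;
    }
};

struct Response {
    bool isMultipartPart;   // part of a multipart/x-mixed-replace body?
    std::string cspHeader;  // Content-Security-Policy value, empty if absent
};

struct DocumentLoaderModel {
    bool persistCspAcrossMultipartParts; // false reproduces the pre-fix behaviour
    CspSet csp;
    bool loadingMultipart = false;

    // The decision the commit introduces: keep the CSP when the document is being
    // replaced by a later part of the same multipart response.
    bool shouldClearContentSecurityPolicyForResponse(const Response& r) const {
        if (persistCspAcrossMultipartParts && loadingMultipart && r.isMultipartPart)
            return false;
        return true;
    }

    void responseReceived(const Response& r) {
        if (shouldClearContentSecurityPolicyForResponse(r))
            csp.policies.clear();
        loadingMultipart = r.isMultipartPart;
        if (!r.cspHeader.empty())
            csp.policies.push_back(parsePolicy(r.cspHeader));
    }
};

// Constructed scenario 1: the first part forbids scripts, the second part carries
// no CSP at all. Returns whether scripts are allowed after the second part.
static bool secondPartAllowsScript(bool fixed) {
    DocumentLoaderModel loader{fixed};
    loader.responseReceived({true, "script-src 'none'"});
    loader.responseReceived({true, ""});
    return loader.csp.allowsScriptFrom("'self'");
}

// Constructed scenario 2: with the fix, a stricter later header narrows the
// allowed sources and the earlier, looser header cannot re-open them.
static bool policiesOnlyTighten() {
    DocumentLoaderModel loader{true};
    loader.responseReceived({true, "script-src 'self' https://cdn.example"});
    bool cdnAllowedAtFirst = loader.csp.allowsScriptFrom("https://cdn.example");
    loader.responseReceived({true, "script-src 'self'"});
    bool cdnBlockedLater = !loader.csp.allowsScriptFrom("https://cdn.example");
    bool selfStillAllowed = loader.csp.allowsScriptFrom("'self'");
    return cdnAllowedAtFirst && cdnBlockedLater && selfStillAllowed;
}
```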


  Commit: 2790c9e1e613162a1124c8b991644b5cd210ce64
      
https://github.com/WebKit/WebKit/commit/2790c9e1e613162a1124c8b991644b5cd210ce64
  Author: Yijia Huang <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/CommonSlowPaths.h
    M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/JSFunction.cpp
    M Source/JavaScriptCore/runtime/JSFunction.h
    M Source/JavaScriptCore/runtime/JSFunctionInlines.h

  Log Message:
  -----------
  Cherry-pick 272448.101@safari-7618-branch (70ca9c1f54a0). 
https://bugs.webkit.org/show_bug.cgi?id=267380

    [JSC] setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction shouldn't be called if it fails to reify the property
    https://bugs.webkit.org/show_bug.cgi?id=267380
    rdar://118761737

    Reviewed by Yusuke Suzuki.

    setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction
    can be called if JSFunction::put() fails to reify the property. This case may
    cause inconsistency between the AI and the runtime environment.

    * Source/JavaScriptCore/runtime/JSFunction.cpp:
    (JSC::JSFunction::put):

    Canonical link: https://commits.webkit.org/272448.101@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.63@webkitglib/2.44


  Commit: b1cf6ce13e4fbb277bf1314c1adf0dc85c210385
      
https://github.com/WebKit/WebKit/commit/b1cf6ce13e4fbb277bf1314c1adf0dc85c210385
  Author: Alan Baradlay <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt
    A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 272448.102@safari-7618-branch (6d2f579ca0ad). 
https://bugs.webkit.org/show_bug.cgi?id=267487

    Invalidate existing inline layout content when simplified out-of-flow is sufficient
    https://bugs.webkit.org/show_bug.cgi?id=267487
    rdar://120496542

    Reviewed by Antti Koivisto.

    Do not leave stale inline content around.

    * LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt: Added.
    * LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html: Added.
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::layoutModernLines):

    Canonical link: https://commits.webkit.org/272448.102@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.64@webkitglib/2.44


  Commit: a625ceb2c781e8515667fc874986a364109006d5
      
https://github.com/WebKit/WebKit/commit/a625ceb2c781e8515667fc874986a364109006d5
  Author: Alexey Shvayka <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/regress-120777816.js
    M Source/JavaScriptCore/builtins/ProxyHelpers.js
    M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/runtime/ProxyObject.cpp

  Log Message:
  -----------
  Cherry-pick 272448.103@safari-7618-branch (e3a75800fe85). 
https://bugs.webkit.org/show_bug.cgi?id=267425

    [JSC] get_by_id_with_this + ProxyObject can leak JSScope objects
    https://bugs.webkit.org/show_bug.cgi?id=267425
    <rdar://120777816>

    Reviewed by Yusuke Suzuki and Justin Michaud.

    According to the spec [1], `var base = { foo }; with (base) foo();` should be called with `this`
    value of `base`, which is why FunctionCallResolveNode moves resolved scope to thisRegister().
    That is arguably a bad design, and there is an effort [2] to abolish using JSScope as `this` value.

    When `this` value is accessed by JS code, it's being sanitized via ToThis (JSScope replaced with
    `undefined`), yet not in case of `super.property` access calling into ProxyObject `get` trap,
    which passes raw `this` value as receiver parameter, leaking JSScope to be exploited.

    For performance reasons, we can't call toThis() whenever `get_by_id_with_this` is used, so this
    change introduces @toThis() intrinsic specifically for ProxyObject IC helpers, tweaks DFG to respect
    `m_srcDst`, and also fixes baseline code.

    Inlineability of ProxyObject IC helpers was verified to remain unaffected (`performProxyObjectGet`
    is smaller than 120 while other helpers were already exceeding inline size limit).

    [1]: https://tc39.es/ecma262/#sec-evaluatecall (step 1.b.iii)
    [2]: https://bugs.webkit.org/show_bug.cgi?id=225397

    * JSTests/stress/regress-120777816.js: Added.
    * Source/JavaScriptCore/builtins/ProxyHelpers.js:
    (linkTimeConstant.performProxyObjectGet):
    (linkTimeConstant.performProxyObjectGetByVal):
    (linkTimeConstant.performProxyObjectSetSloppy):
    (linkTimeConstant.performProxyObjectSetStrict):
    * Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::emitToThis):
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
    (JSC::BytecodeGenerator::emitToThis):
    * Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
    (JSC::BytecodeIntrinsicNode::emit_intrinsic_toThis):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    (JSC::DFG::ByteCodeParser::getThis): Deleted.
    (JSC::DFG::ByteCodeParser::setThis): Deleted.
    * Source/JavaScriptCore/runtime/ProxyObject.cpp:
    (JSC::performProxyGet):
    (JSC::ProxyObject::performPut):

    Canonical link: https://commits.webkit.org/272448.103@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.65@webkitglib/2.44


  Commit: 73ee7cb37f540201ba8010e704f0774932527989
      
https://github.com/WebKit/WebKit/commit/73ee7cb37f540201ba8010e704f0774932527989
  Author: Erica Li <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt
    A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html
    M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/RenderTable.cpp

  Log Message:
  -----------
  Cherry-pick 272448.104@safari-7618-branch (8737c0374652). 
https://bugs.webkit.org/show_bug.cgi?id=267198

    ASAN_ILL | WebCore::RenderTableSection::layoutRows; WebCore::RenderTable::simplifiedNormalFlowLayout; WebCore::RenderBlock::simplifiedLayout.
    https://bugs.webkit.org/show_bug.cgi?id=267198
    rdar://113940614

    Reviewed by Alan Baradlay.

    Always setChildNeedsLayout for sections to make sure normalChildNeedsLayout is flagged,
    as for pagination we need to run a full layout on child table sections even when the initial change
    otherwise requires simplified layout only.

    * LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html: Added.
    * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline again, adding end of line back.
    * Source/WebCore/rendering/RenderTable.cpp:
    (WebCore::RenderTable::markForPaginationRelayoutIfNeeded):

    Canonical link: https://commits.webkit.org/272448.104@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.66@webkitglib/2.44


  Commit: 1e60cb5df0cafe5d9b9a457267f1166f3a504f70
      
https://github.com/WebKit/WebKit/commit/1e60cb5df0cafe5d9b9a457267f1166f3a504f70
  Author: Nisha Jain <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/dom/html/document-renderobject-null-crash-expected.txt
    A LayoutTests/dom/html/document-renderobject-null-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick 272448.251@safari-7618-branch (9baf7178103b). 
https://bugs.webkit.org/show_bug.cgi?id=267297

    "NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebCore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy"
    https://bugs.webkit.org/show_bug.cgi?id=267297
    rdar://119186861.

    Reviewed by Alan Baradlay.

    Document::caretPositionFromPoint API is using CheckedPtr to get RenderObject
    even though the Object is already destroyed. In order to make sure CheckedPtr
    is valid the renderer needs to be destroyed earlier, not after. Using
    updateLayoutIgnorePendingStylesheets API for up-to-date renderer tree.

    * LayoutTests/dom/html/document-renderobject-null-crash-expected.txt: Added test expected file.
    * LayoutTests/dom/html/document-renderobject-null-crash.html: Added test case.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::caretPositionFromPoint): Added updateLayoutIgnorePendingStylesheets to get updated renderer tree before using CheckedPtr.

    Canonical link: https://commits.webkit.org/272448.251@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.67@webkitglib/2.44


  Commit: 8240207120d88887aeae9aaa8b76dac2c4ad67e4
      
https://github.com/WebKit/WebKit/commit/8240207120d88887aeae9aaa8b76dac2c4ad67e4
  Author: Nisha Jain <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt
    A LayoutTests/fast/rendering/render-compositor-null-layer-crash.html
    M Source/WebCore/rendering/RenderLayerCompositor.cpp

  Log Message:
  -----------
  Cherry-pick 272448.252@safari-7618-branch (a7977801dff3). 
https://bugs.webkit.org/show_bug.cgi?id=265820

    NULL pointer : crash under RenderLayerCompositor::scrollableAreaForScrollingNodeID()
    https://bugs.webkit.org/show_bug.cgi?id=265820
    rdar://118424482.

    Reviewed by Simon Fraser.

    Null RenderLayer pointer in RenderLayerCompositor::scrollableAreaForScrollingNodeID().
    As the RenderLayerCompositor has a HashMap which provides a WeakPtr to RenderLayer but the validity
    of this object is not checked before use.

    * LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt: Added test expected file.
    * LayoutTests/fast/rendering/render-compositor-null-layer-crash.html: Added test case.
    * Source/WebCore/rendering/RenderLayerCompositor.cpp:
    (WebCore::RenderLayerCompositor::scrollableAreaForScrollingNodeID const): Checked validity of WeakPtr to RenderLayer before accessing it.

    Canonical link: https://commits.webkit.org/272448.252@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.68@webkitglib/2.44


  Commit: bb20f3e1ac357080e8ac2cd801ceeff7f68e11af
      
https://github.com/WebKit/WebKit/commit/bb20f3e1ac357080e8ac2cd801ceeff7f68e11af
  Author: Ryosuke Niwa <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/images/image-document-event-handler-crash-expected.txt
    A LayoutTests/fast/images/image-document-event-handler-crash.html
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  Cherry-pick 272448.253@safari-7618-branch (b417dff04acd). 
https://bugs.webkit.org/show_bug.cgi?id=267739

    Crash in ImageEventListener::handleEvent
    https://bugs.webkit.org/show_bug.cgi?id=267739
    rdar://118761846

    Reviewed by Chris Dumez.

    Use WeakPtr instead of a raw reference.

    * LayoutTests/fast/images/image-document-event-handler-crash-expected.txt: Added.
    * LayoutTests/fast/images/image-document-event-handler-crash.html: Added.
    * Source/WebCore/html/ImageDocument.cpp:
    (WebCore::ImageEventListener::handleEvent):

    Canonical link: https://commits.webkit.org/272448.253@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.69@webkitglib/2.44


  Commit: b1e590214277ea78d34055992c3f2c2c956f0af5
      
https://github.com/WebKit/WebKit/commit/b1e590214277ea78d34055992c3f2c2c956f0af5
  Author: Yijia Huang <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M JSTests/stress/intl-collator.js
    M JSTests/stress/intl-datetimeformat.js
    M JSTests/stress/intl-numberformat.js
    M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp

  Log Message:
  -----------
  Cherry-pick 272448.254@safari-7618-branch (5173338bb6f1). 
https://bugs.webkit.org/show_bug.cgi?id=267725

    [JSC] Use dynamic cast in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat
    https://bugs.webkit.org/show_bug.cgi?id=267725
    rdar://121029647

    Reviewed by Yusuke Suzuki and Mark Lam.

    We should ensure `thisValue` is the desired object. So, should use dynamic
    cast instead in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime,
    and intlNumberFormatFuncFormat.

    * Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):

    Canonical link: https://commits.webkit.org/272448.254@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.70@webkitglib/2.44


  Commit: 0b776b9a8f1653fa8eaef4babe8d427f946e7c20
      
https://github.com/WebKit/WebKit/commit/0b776b9a8f1653fa8eaef4babe8d427f946e7c20
  Author: Nisha Jain <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Cherry-pick 272448.257@safari-7618-branch (23c6a88ad691). 
https://bugs.webkit.org/show_bug.cgi?id=267656

    "ASAN_SEGV | WebCore::Style::resolveForDocument; WebCore::Document::styleForElementIgnoringPendingStylesheets; WebCore::Element::resolveComputedStyle"
    https://bugs.webkit.org/show_bug.cgi?id=267656
    rdar://119187152.

    Reviewed by Ryosuke Niwa.

    Need to prevent attempt to load a disconnected plugin.
    Not adding a new test case as could not make a reliable reproduction of this issue.

    * Source/WebCore/html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::requestObject):

    Canonical link: https://commits.webkit.org/272448.257@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.71@webkitglib/2.44


  Commit: 26a621673d19d5f2221d17da80b75959cf9cf497
      
https://github.com/WebKit/WebKit/commit/26a621673d19d5f2221d17da80b75959cf9cf497
  Author: Scott Marcy <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/ipc/invalid-message-to-addTrackBuffer-expected.txt
    A LayoutTests/ipc/invalid-message-to-addTrackBuffer.html
    M Source/WebKit/GPUProcess/media/RemoteSourceBufferProxy.cpp

  Log Message:
  -----------
  Cherry-pick 272448.259@safari-7618-branch (60f8c4667d7a). <bug>

    rdar://119489615 ([CoreIPC] SEGV in WebKit::RemoteSourceBufferProxy::addTrackBuffer)

    Checks that the TrackPrivateRemoteIdentifier argument for the IPC call RemoteSourceBufferProxy::addTrackBuffer() is valid and invalidates the IPC message if not.

    Reviewed by David Kilzer.

    If the TrackPrivateRemoteIdentifier value is not a known value, the IPC message will be marked as invalid, which is supposed
    to crash the content process thereby thwarting any attempted attack through this mechanism.

    * LayoutTests/TestExpectations:
    * LayoutTests/ipc/invalid-message-to-addTrackBuffer-expected.txt: Added.
    * LayoutTests/ipc/invalid-message-to-addTrackBuffer.html: Added.
    * Source/WebKit/GPUProcess/media/RemoteSourceBufferProxy.cpp:
    (WebKit::RemoteSourceBufferProxy::addTrackBuffer):

    Canonical link: https://commits.webkit.org/272448.259@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.72@webkitglib/2.44
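
The identifier check this commit describes, as an added example (not WebKit's code): a GPU-process-side handler model that looks an incoming `TrackPrivateRemoteIdentifier` up in its table of known tracks and, when it is unknown, marks the message invalid on the connection instead of touching anything. `ConnectionModel`, `RemoteSourceBufferProxyModel`, `TrackBufferModel` and the integer stand-in for the identifier type are all hypothetical.

```cpp
// Added example, not WebKit's code. Models the "validate the identifier, otherwise
// invalidate the message" rule from the commit; every name here is a stand-in.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using TrackPrivateRemoteIdentifier = std::uint64_t; // stand-in for the real identifier type

// Stand-in for the IPC connection. A handler that receives bad input does not
// crash the receiving (GPU) process; it flags the message, and the connection's
// modelled consequence is that the content process that sent it is terminated.
struct ConnectionModel {
    bool currentMessageInvalid = false;
    std::vector<std::string> terminatedProcesses;

    void markCurrentlyDispatchedMessageAsInvalid(const std::string& sender) {
        currentMessageInvalid = true;
        terminatedProcesses.push_back(sender);
    }
};

struct TrackBufferModel {
    std::string description;
    bool bufferAttached = false;
};

enum class AddTrackBufferResult { Added, InvalidMessage };

struct RemoteSourceBufferProxyModel {
    ConnectionModel& connection;
    // Only identifiers registered by earlier, already-validated messages are known.
    std::map<TrackPrivateRemoteIdentifier, TrackBufferModel> knownTracks;

    // Handler for the addTrackBuffer message: look the identifier up before any use.
    AddTrackBufferResult addTrackBuffer(const std::string& sender, TrackPrivateRemoteIdentifier id) {
        auto it = knownTracks.find(id);
        if (it == knownTracks.end()) {
            connection.markCurrentlyDispatchedMessageAsInvalid(sender);
            return AddTrackBufferResult::InvalidMessage;
        }
        it->second.bufferAttached = true;
        return AddTrackBufferResult::Added;
    }
};

// Constructed scenario: one registered track (42) and one identifier (99) that
// was never registered by the sending process.
static bool unknownIdentifierIsRejected() {
    ConnectionModel conn;
    RemoteSourceBufferProxyModel proxy{conn};
    proxy.knownTracks.emplace(42, TrackBufferModel{"audio track"});

    bool known = proxy.addTrackBuffer("WebContent#1", 42) == AddTrackBufferResult::Added;
    bool attached = proxy.knownTracks.at(42).bufferAttached;
    bool noKillYet = conn.terminatedProcesses.empty();

    bool rejected = proxy.addTrackBuffer("WebContent#1", 99) == AddTrackBufferResult::InvalidMessage;
    bool flagged = conn.currentMessageInvalid && conn.terminatedProcesses.size() == 1;

    return known && attached && noKillYet && rejected && flagged;
}
```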


  Commit: 864a655d7dc8dbb9543814087db2298a962d2e8e
      
https://github.com/WebKit/WebKit/commit/864a655d7dc8dbb9543814087db2298a962d2e8e
  Author: Yijia Huang <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/error-instance.js
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp

  Log Message:
  -----------
  Cherry-pick 272448.260@safari-7618-branch (ade92866440e). 
https://bugs.webkit.org/show_bug.cgi?id=267785

    [JSC] Fix Re-entrancy in ErrorInstance::computeErrorInfo
    https://bugs.webkit.org/show_bug.cgi?id=267785
    rdar://121098660

    Reviewed by Yusuke Suzuki.

    ErrorInstance::computeErrorInfo computes stack trace string, which may
    trigger GC and re-enter to this function with the same ErrorInstance
    while computing the stack string. We should defer GC after stacking trace
    string is materialized.

    * JSTests/stress/error-instance.js: Added.
    (main.const.error):
    (main):
    * Source/JavaScriptCore/runtime/ErrorInstance.cpp:
    (JSC::ErrorInstance::computeErrorInfo):

    Canonical link: https://commits.webkit.org/272448.260@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.73@webkitglib/2.44


  Commit: ce8fd1fe3d066a1e34e4f8da170f2490b39f2594
      
https://github.com/WebKit/WebKit/commit/ce8fd1fe3d066a1e34e4f8da170f2490b39f2594
  Author: Michael Saboff <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp

  Log Message:
  -----------
  Cherry-pick 272448.339@safari-7618-branch (66df5c618c1c). 
https://bugs.webkit.org/show_bug.cgi?id=267946

    ASSERTION FAILED: watchpoints (./runtime/ScopedArgumentsTable.cpp(130))
    rdar://121446658
    https://bugs.webkit.org/show_bug.cgi?id=267946

    Reviewed by Alexey Shvayka.

    Instead of using an ASSERT that we have a valid WatchpointSet in ScopedArgumentsTable::trySetWatchpointSet(), we can just
    exit early if the passed in WatchpointSet is null.  This can happen if the JIT is not enabled.

    Updated the test to run both with and without the JIT.

    * JSTests/stress/arrow-function-captured-arguments-aliased.js:
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
    (JSC::ScopedArgumentsTable::trySetWatchpointSet):

    Canonical link: https://commits.webkit.org/272448.339@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.74@webkitglib/2.44


  Commit: c5b3362395f1cf0ecd6996bdd43642b54bf84437
      
https://github.com/WebKit/WebKit/commit/c5b3362395f1cf0ecd6996bdd43642b54bf84437
  Author: Mark Lam <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map-expected.txt
    A LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 272448.347@safari-7618-branch (5546b2ee36b5). 
https://bugs.webkit.org/show_bug.cgi?id=267971

    CachedString::m_jsString is not protected from GC in CloneDeserializer.
    https://bugs.webkit.org/show_bug.cgi?id=267971
    rdar://120531481

    Reviewed by Chris Dumez.

    The fix is simply to protect it with the m_keepAliveBuffer.  Also moved the m_keepAliveBuffer from
    CloneSerializer to CloneBase.  Previously, I thought that only the serializer needs it.  Now, we
    have a case where the deserializer does too.

    * LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map-expected.txt: Added.
    * LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map.html: Added.
    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::CachedString::jsString):
    (WebCore::CloneDeserializer::readTerminal):

    Canonical link: https://commits.webkit.org/272448.347@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.75@webkitglib/2.44


  Commit: 611720ecf676648f33d2db5faf1aed2f4155f1ed
      
https://github.com/WebKit/WebKit/commit/611720ecf676648f33d2db5faf1aed2f4155f1ed
  Author: Chris Dumez <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Cherry-pick 272448.355@safari-7618-branch (99b063d917a4). 
https://bugs.webkit.org/show_bug.cgi?id=268010

    Regression(267815.354@safari-7617-branch) ASSERTION FAILED: ownerElement.document().frame() in the tests
    https://bugs.webkit.org/show_bug.cgi?id=268010
    rdar://121528243

    Reviewed by Ryosuke Niwa and Geoffrey Garen.

    In 267815.354@safari-7617-branch, we updated HTMLPlugInImageElement::requestObject()
    to call SubframeLoader::requestObject() asynchronously. Previously, when we called
    SubframeLoader::requestObject() the frame owner element's document would still be
    connected (i.e. have a frame) and it was enforced by an assertion both in
    HTMLPlugInImageElement::requestObject() and SubframeLoader::requestObject().

    After my change in 267815.354@safari-7617-branch, the assertion in
    SubframeLoader::requestObject() would sometimes fail as this code now runs
    asynchronously and the state of the DOM tree may have changed in between.

    To address the issue, check if the document still has a frame when the async
    lambda runs and return early if it doesn't. There is no point in loading a subframe
    in a document that was detached.

    * Source/WebCore/html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::requestObject):

    Canonical link: https://commits.webkit.org/272448.355@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.76@webkitglib/2.44


  Commit: 1d059ea33da3b6e09f2aaa035cd35cb21f2b1295
      
https://github.com/WebKit/WebKit/commit/1d059ea33da3b6e09f2aaa035cd35cb21f2b1295
  Author: Chris Dumez <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/editing/TextManipulationController.cpp

  Log Message:
  -----------
  Cherry-pick 272448.385@safari-7618-branch (2d3dc03ecbbc). 
https://bugs.webkit.org/show_bug.cgi?id=268235

    Bad cast in TextManipulationController::scheduleObservationUpdate()
    https://bugs.webkit.org/show_bug.cgi?id=268235
    rdar://121646850

    Reviewed by Wenson Hsieh.

    Convert the downcast<>() into a dynamicDowncast<>() since the common ancestor
    is not guaranteed to be an Element.

    I have not been able to reproduce but it is happening in the wild.

    * Source/WebCore/editing/TextManipulationController.cpp:
    (WebCore::TextManipulationController::scheduleObservationUpdate):

    Canonical link: https://commits.webkit.org/272448.385@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.77@webkitglib/2.44


  Commit: acab2b845a2a15319f042989387a8ce81210d828
      
https://github.com/WebKit/WebKit/commit/acab2b845a2a15319f042989387a8ce81210d828
  Author: Chris Dumez <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm
    M Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h
    M Source/WebKit/UIProcess/WebProcessPool.cpp
    M Source/WebKit/UIProcess/WebProcessPool.h
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp
    M Source/WebKit/WebProcess/Storage/WebSharedWorkerContextManagerConnection.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm

  Log Message:
  -----------
  Cherry-pick 272448.386@safari-7618-branch (dd435ec50671). 
https://bugs.webkit.org/show_bug.cgi?id=268183

    Remote worker processes may not obey the lockdown mode setting
    https://bugs.webkit.org/show_bug.cgi?id=268183
    rdar://121617300

    Reviewed by Youenn Fablet.

    Make sure we carry over the requesting process' lockdown mode state to the
    newly created process when we decide to launch a remote worker process.

    Also make sure that the settings that are meant to be disabled in lockdown
    mode also get disabled in the remote worker contexts, not just in page/window
    contexts.

    * Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm:
    (-[WKProcessPool _isJITDisabledInAllServiceWorkerProcesses:]):
    * Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):
    (WebKit::WebProcessPool::isJITDisabledInAllServiceWorkerProcesses const):
    * Source/WebKit/UIProcess/WebProcessPool.h:
    * Source/WebKit/UIProcess/WebProcessProxy.cpp:
    (WebKit::WebProcessProxy::createForRemoteWorkers):
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm:

    Canonical link: https://commits.webkit.org/272448.386@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.78@webkitglib/2.44


  Commit: e1ea49a668e7a70d67acc791449bb72464685b1e
      
https://github.com/WebKit/WebKit/commit/e1ea49a668e7a70d67acc791449bb72464685b1e
  Author: Erica Li <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/media/audio-remove-playback-crash-expected.txt
    A LayoutTests/media/audio-remove-playback-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick 272448.387@safari-7618-branch (303478e273bd). rdar://120661908

    ASAN_ILL | WebCore::Document::removePlaybackTargetPickerClient.
    rdar://120661908

    Reviewed by Chris Dumez.

    Unable to ref the page from removePlaybackTargetPickerClient as it may have
    started destruction.

    * LayoutTests/media/audio-remove-playback-crash-expected.txt: Added.
    * LayoutTests/media/audio-remove-playback-crash.html: Added.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::removePlaybackTargetPickerClient):

    Canonical link: https://commits.webkit.org/272448.387@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.79@webkitglib/2.44


  Commit: 9987ecf027f9022e0c1fd87e388c419d454c1cce
      
https://github.com/WebKit/WebKit/commit/9987ecf027f9022e0c1fd87e388c419d454c1cce
  Author: Abrar Rahman Protyasha <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/UIProcess/mac/WebViewImpl.h
    M Source/WebKit/UIProcess/mac/WebViewImpl.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm

  Log Message:
  -----------
  Cherry-pick 272448.388@safari-7618-branch (7047e8e918da). https://bugs.webkit.org/show_bug.cgi?id=268198

    [macOS] Pointer Lock should disengage when client windows present a sheet
    https://bugs.webkit.org/show_bug.cgi?id=268198
    rdar://121694233

    Reviewed by Aditya Keerthi.

    The Pointer Lock API is susceptible to abuse by nefarious webpages since
    they can (programmatically or otherwise) make client windows show alerts
    or permission granting sheets while pointer lock is engaged. Since our
    current implementation of pointer lock stays engaged even when the
    client window presents a sheet, it leaves the user in a compromised
    state where they both don't know the location of the mouse cursor and
    don't have a way to exit the pointer lock state (since the client window
    where pointer lock is engaged is no longer focused or the key window).

    This patch addresses this vulnerability by registering observers for the
    NSWindowWillBeginSheetNotification notification on the WebView's current
    window, and then requesting for pointer lock to be disengaged whenever
    we receive a notification that said window will begin presenting a
    sheet.

    Test case added in WebKit.ClientDisplaysAlertSheetWhilePointerLockActive
    that asserts we successfully exit pointer lock when a client window
    presents an alert sheet. It also tests that we can successfully re-enter
    pointer lock afterwards.

    * Source/WebKit/UIProcess/WebPageProxy.h:
    * Source/WebKit/UIProcess/mac/WebViewImpl.h:
    * Source/WebKit/UIProcess/mac/WebViewImpl.mm:
    (-[WKWindowVisibilityObserver startObserving:]):
    (-[WKWindowVisibilityObserver stopObserving:]):
    (-[WKWindowVisibilityObserver _windowWillBeginSheet:]):
    (WebKit::WebViewImpl::windowWillBeginSheet):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm:
    (-[PointerLockDelegate resetState]):
    (-[PointerLockDelegate waitForPointerLockEngaged]):
    (-[PointerLockDelegate waitForPointerLockLost]):
    (-[PointerLockDelegate _webViewDidRequestPointerLock:completionHandler:]):
    (-[PointerLockDelegate _webViewDidLosePointerLock:]):

    Canonical link: https://commits.webkit.org/272448.388@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.80@webkitglib/2.44


  Commit: 7d5bbe94e557e1ffcecfc5ecd460267c1b016f90
      
https://github.com/WebKit/WebKit/commit/7d5bbe94e557e1ffcecfc5ecd460267c1b016f90
  Author: Chris Dumez <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Cherry-pick 272448.421@safari-7618-branch (25c11453b693). https://bugs.webkit.org/show_bug.cgi?id=268405

    Bad cast under CachedResourceLoader::preload()
    https://bugs.webkit.org/show_bug.cgi?id=268405
    rdar://121745788

    Reviewed by Brent Fulgham.

    In CachedResourceLoader::preload() we were calling requestResource(type)
    to get a resource. Then if the type we requested was `FontResource`, we
    assumed the CachedResource returned was a CachedFont and would cast
    to that type. However, this cast ends up being incorrect in some cases.
    I suspect this could happen when requesting resources with the same URL
    but different types.

    To address the issue, we now check the actual type of the returned
    CachedResource before casting it.

    * Source/WebCore/loader/cache/CachedResourceLoader.cpp:
    (WebCore::CachedResourceLoader::preload):

    Canonical link: https://commits.webkit.org/272448.421@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.81@webkitglib/2.44
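
The defensive pattern this fix describes, verifying a cache entry's actual type before downcasting it, as an added illustration that is not WebKit's own code. The `Resource`, `FontResource`, `ScriptResource` and `ResourceCache` names and the URL-keyed cache are constructed for the example and only mimic the shape of the bug report (a cache that dedupes by URL can hand back an object created for a different type); the checked cast returns nullptr on a mismatch instead of reading a `FontResource` field out of an unrelated object.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <unordered_map>

// Hypothetical stand-ins for a CachedResource-style hierarchy. A type tag is
// used rather than RTTI so the check works without dynamic_cast.
enum class ResourceType { Script, Font };

struct Resource {
    explicit Resource(ResourceType t) : type(t) {}
    virtual ~Resource() = default;
    ResourceType type;
};

struct FontResource : Resource {
    FontResource() : Resource(ResourceType::Font) {}
    int glyphCount = 42; // constructed sample value
};

struct ScriptResource : Resource {
    ScriptResource() : Resource(ResourceType::Script) {}
    std::string source = "1 + 1"; // constructed sample value
};

// The cache is keyed by URL only: a second request for the same URL with a
// different type returns whatever object was stored first.
class ResourceCache {
public:
    Resource* request(const std::string& url, ResourceType type) {
        auto it = m_entries.find(url);
        if (it != m_entries.end())
            return it->second.get();
        std::unique_ptr<Resource> created;
        if (type == ResourceType::Font)
            created = std::make_unique<FontResource>();
        else
            created = std::make_unique<ScriptResource>();
        Resource* raw = created.get();
        m_entries.emplace(url, std::move(created));
        return raw;
    }
private:
    std::unordered_map<std::string, std::unique_ptr<Resource>> m_entries;
};

// Checked downcast: only succeeds when the dynamic type really matches.
template<typename T> T* checkedCast(Resource* r, ResourceType expected) {
    if (!r || r->type != expected)
        return nullptr;
    return static_cast<T*>(r);
}

// Mirrors the corrected preload(): request by type, then verify before using
// the result as a font. Returns the glyph count, or -1 when the cache handed
// back something that is not a FontResource.
int preloadFontGlyphCount(ResourceCache& cache, const std::string& url) {
    Resource* r = cache.request(url, ResourceType::Font);
    // The buggy version would static_cast unconditionally here, treating a
    // ScriptResource's memory as a FontResource.
    FontResource* font = checkedCast<FontResource>(r, ResourceType::Font);
    if (!font)
        return -1;
    return font->glyphCount;
}

// Scenario 1: the URL is first seen as a font, so the cast is valid.
int scenarioFreshFont() {
    ResourceCache cache;
    return preloadFontGlyphCount(cache, "https://example.test/a");
}

// Scenario 2: the same URL was first requested as a script; the font preload
// must notice the type mismatch and bail out instead of mis-casting.
int scenarioUrlFirstSeenAsScript() {
    ResourceCache cache;
    cache.request("https://example.test/b", ResourceType::Script);
    return preloadFontGlyphCount(cache, "https://example.test/b");
}

int main() {
    assert(scenarioFreshFont() == 42);
    assert(scenarioUrlFirstSeenAsScript() == -1);
    return 0;
}
```

The second scenario is the situation the commit message suspects: two requests for one URL with different types. With the type tag checked first, the mismatch becomes a handled null result rather than a type confusion.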


  Commit: 115cca02ae77bcbe20aa97eb6de694d7c9d3c085
      
https://github.com/WebKit/WebKit/commit/115cca02ae77bcbe20aa97eb6de694d7c9d3c085
  Author: Michael Saboff <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/SymbolTable.cpp
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Cherry-pick 272448.422@safari-7618-branch (5bc92c9d5253). https://bugs.webkit.org/show_bug.cgi?id=268409

    REGRESSION: JavaScriptCore: JSC::ScopedArguments::setIndexQuickly
    https://bugs.webkit.org/show_bug.cgi?id=268409
    rdar://121748005

    Reviewed by Yusuke Suzuki.

    A code inspection of the symbol table and scoped arguments code revealed that
    SymbolTable::cloneScopePart() doesn't properly copy the ScopedArgumentsTable
    from the source. Since ScopedArguments point to the WatchpointSets in the
    related SymbolTable, we need to create new WatchpointSets in the cloned
    SymbolTable and have the ScopedArguments point to the related new
    WatchpointSets.

    This is a speculative fix.

    * Source/JavaScriptCore/runtime/ScopedArguments.h:
    * Source/JavaScriptCore/runtime/SymbolTable.cpp:
    (JSC::SymbolTable::cloneScopePart):
    (JSC::SymbolTable::hasScopedWatchpointSet):
    * Source/JavaScriptCore/runtime/SymbolTable.h:

    Canonical link: https://commits.webkit.org/272448.422@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.82@webkitglib/2.44


  Commit: d6e2b3f0c562260d3aebb8c49e754d27e985ec17
      
https://github.com/WebKit/WebKit/commit/d6e2b3f0c562260d3aebb8c49e754d27e985ec17
  Author: Yijia Huang <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp

  Log Message:
  -----------
  Cherry-pick 272448.442@safari-7618-branch (58204e87a044). https://bugs.webkit.org/show_bug.cgi?id=268489

    [JSC] Use DeferGCForAWhile instead of DeferGC in computeErrorInfo
    https://bugs.webkit.org/show_bug.cgi?id=268489
    rdar://121906810

    Reviewed by Mark Lam, Yusuke Suzuki and Justin Michaud.

    ErrorInstance::computeErrorInfo can be called from GC's Heap::runEndPhase.
    In that case, we should use DeferGCForAWhile instead of DeferGC since it
    can trigger another GC in its destruction.

    * Source/JavaScriptCore/runtime/ErrorInstance.cpp:
    (JSC::ErrorInstance::computeErrorInfo):

    Canonical link: https://commits.webkit.org/272448.442@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.83@webkitglib/2.44


  Commit: c625381d9c851c3ee66647e2d68efabbdef49059
      
https://github.com/WebKit/WebKit/commit/c625381d9c851c3ee66647e2d68efabbdef49059
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in

  Log Message:
  -----------
  Cherry-pick 272448.445@safari-7618-branch (b60b2da0516d). rdar://107918233

    Block "setMediaOverridesForTesting" media IPC endpoints when not testing
    rdar://107918233

    Reviewed by Youenn Fablet.

    This is a continuation of 260935@main, adding the setMediaOverridesForTesting
    to the list of blocked IPC endpoints.

    All involved tests already contain the required keywords.

    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:

    Canonical link: https://commits.webkit.org/272448.445@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.84@webkitglib/2.44


  Commit: c41c2ae9b94315bba45c4c3cdce6fc0e33f213ea
      
https://github.com/WebKit/WebKit/commit/c41c2ae9b94315bba45c4c3cdce6fc0e33f213ea
  Author: Justin Michaud <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WTF/wtf/PlatformUse.h

  Log Message:
  -----------
  Cherry-pick 272448.444@safari-7618-branch (323a4029633e). https://bugs.webkit.org/show_bug.cgi?id=268467

    Disable new JIT API until build issues are resolved
    rdar://122018269
    https://bugs.webkit.org/show_bug.cgi?id=268467

    Reviewed by Mark Lam.

    * Source/WTF/wtf/PlatformUse.h:

    Canonical link: https://commits.webkit.org/272448.444@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.85@webkitglib/2.44


  Commit: 3cf2b08d49dd72c6e5e43807940a1fe5c25c8905
      
https://github.com/WebKit/WebKit/commit/3cf2b08d49dd72c6e5e43807940a1fe5c25c8905
  Author: Alan Baradlay <[email protected]>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Cherry-pick 272448.456@safari-7618-branch (66b364de9dfc). https://bugs.webkit.org/show_bug.cgi?id=268525

    Inline box may not be present in the enclosing formatting context
    https://bugs.webkit.org/show_bug.cgi?id=268525
    rdar://119921061

    Reviewed by Antti Koivisto.

    Speculative fix when the (potentially damaged) inline box is not present in
    the enclosing formatting context. This may happen when
    RenderInline::linesBoundingBox is called on a dirty tree after moving an
    inline box (<span>) from a block to another (but before clearing the tree by
    running layout).

    * Source/WebCore/rendering/RenderInline.cpp:
    (WebCore::RenderInline::linesBoundingBox const):

    Canonical link: https://commits.webkit.org/272448.456@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.86@webkitglib/2.44


Compare: https://github.com/WebKit/WebKit/compare/5eb5ab62f15a...3cf2b08d49dd

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes