Branch: refs/heads/webkit-2023.2-embargoed
  Home:   https://github.com/WebKit/WebKit
  Commit: 68c44009f220b31e590385b9420c86734543b1d2
      
https://github.com/WebKit/WebKit/commit/68c44009f220b31e590385b9420c86734543b1d2
  Author: Jonathan Bedard <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:

  Log Message:
  -----------
  Branch point for webkit-2023.2-embargoed

Canonical link: https://commits.webkit.org/[email protected]


  Commit: d18363c6c4ced4892e1875799dc7cba4b6e9b834
      
https://github.com/WebKit/WebKit/commit/d18363c6c4ced4892e1875799dc7cba4b6e9b834
  Author: Rob Buis <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
    A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
    M Source/WebCore/rendering/RenderLayerModelObject.cpp

  Log Message:
  -----------
  Cherry-pick [email protected] (6234ec9c65b9). rdar://102808328

    Do not issue repaints when in detached state
    https://bugs.webkit.org/show_bug.cgi?id=248773
    rdar://102808328

    Reviewed by Antti Koivisto.

    Do not issue repaints when the RenderObject is in detached state while removing render subtrees.

    * LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
    * LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
    * Source/WebCore/rendering/RenderLayerModelObject.cpp:
    (WebCore::RenderTableCell::willBeRemovedFromTree const):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 92dee4feedbf5f6d2aef96496b09326d8a2fcfe0
      
https://github.com/WebKit/WebKit/commit/92dee4feedbf5f6d2aef96496b09326d8a2fcfe0
  Author: Rob Buis <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
    A LayoutTests/fast/css/content/quote-display-contents-crash.html
    M Source/WebCore/dom/Element.cpp

  Log Message:
  -----------
  Cherry-pick [email protected] (312254f5776d). rdar://102807985

    Check displayContentsChanged in destroyRenderTreeIfNeeded
    https://bugs.webkit.org/show_bug.cgi?id=248776
    rdar://102807985

    Reviewed by Antti Koivisto.

    Check displayContentsChanged in destroyRenderTreeIfNeeded since
    display: contents may be removed due to focus removal while
    removing subtrees but we still need to clean up pseudo elements.

    * LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
    * LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
    * Source/WebCore/dom/ContainerNode.cpp:
    (WebCore::destroyRenderTreeIfNeeded):
    * Source/WebCore/dom/Element.cpp:
    (WebCore::Element::resolveComputedStyle):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 553700646910e53691d7c87dea6500265104f2cd
      
https://github.com/WebKit/WebKit/commit/553700646910e53691d7c87dea6500265104f2cd
  Author: Rob Buis <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
    A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
    M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp

  Log Message:
  -----------
  Cherry-pick [email protected] (c4c0ef6360b2). rdar://102808104

    Verify that style update roots are for correct document
    https://bugs.webkit.org/show_bug.cgi?id=248775
    rdar://102808104

    Reviewed by Antti Koivisto.

    Verify that style update roots are for the correct document since
    we may be dealing with a pending update on an element/text node that
    moved to another document.

    * LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
    * LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
    * Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
    (WebCore::RenderTreeUpdater::commit):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: fc9a39453ba0c1a619e3444eb2530c36a8731389
      
https://github.com/WebKit/WebKit/commit/fc9a39453ba0c1a619e3444eb2530c36a8731389
  Author: Rob Buis <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt
    A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html
    M Source/WebCore/rendering/RenderObject.cpp
    M Source/WebCore/rendering/RenderObject.h

  Log Message:
  -----------
  Cherry-pick [email protected] (3b92d70ba3ea). rdar://98438399

    Do not skip fragmented flow thread descendents
    https://bugs.webkit.org/show_bug.cgi?id=245374
    rdar://98438399

    Reviewed by Alan Baradlay.

    Do not skip fragmented flow thread descendents in initializeFragmentedFlowStateOnInsertion
    since its children may have a different state based on the inserted fragmented
    flow thread. When a fragmented flow thread is removed there is no effect on the inner
    fragmented flow threads so that behaviour is unchanged.

    * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html: Added.
    * Source/WebCore/rendering/RenderObject.cpp:
    (WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
    (WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
    * Source/WebCore/rendering/RenderObject.h:

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 02347a3a82ac055e6917df761056a5a9b77e1666
      
https://github.com/WebKit/WebKit/commit/02347a3a82ac055e6917df761056a5a9b77e1666
  Author: Rob Buis <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html
    A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
  Cherry-pick [email protected] (fe2f16c1dabe). rdar://104134023

    Recalculate normal flow value in RenderLayer::establishesTopLayerDidChange
    https://bugs.webkit.org/show_bug.cgi?id=251013

    Reviewed by Tim Nguyen.

    In RenderLayer::rebuildZOrderLists the RenderView layer makes sure the layers for dialogs/top-level elements are appended after
    everything else in the positive z-order list. When removing the dialog layer, dirtyPaintOrderListsOnChildChange will be called
    and since it is not a normal only flow everything will be handled correctly through dirtyStackingContextZOrderLists.

    In the test case the behaviour is the same until dirtyPaintOrderListsOnChildChange is called on the dialog layer removal. Now that
    layer to be removed *is* a normal only flow (the element is no longer positioned and has non visible overflow, see
    RenderLayer::shouldBeNormalFlowOnly). This means the positive z-order list is unchanged and the deleted layer is still part of it.
    When the test cleanup code does a final repaint, the RenderView positive z-order list is processed as normal and when trying to
    access the deleted layer the UAF happens.

    To fix this, make sure the normal flow value is correct when adding the layer in RenderLayer::establishesTopLayerDidChange.

    * LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html: Added.
    * LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html: Added.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::establishesTopLayerDidChange):

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 1d078489fdd98b313694c29f43d0a6d6bd150b17
      
https://github.com/WebKit/WebKit/commit/1d078489fdd98b313694c29f43d0a6d6bd150b17
  Author: Claudio Saavedra <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/css/content/content-on-focus-change-expected.txt
    A LayoutTests/fast/css/content/content-on-focus-change.html

  Log Message:
  -----------
  Cherry-pick [email protected] (4c3dcd480f7e). rdar://104256993

    Test display contents change on focus change
    https://bugs.webkit.org/show_bug.cgi?id=251014

    Reviewed by Tim Nguyen.

    * LayoutTests/fast/css/content/content-on-focus-change-expected.txt: Added.
    * LayoutTests/fast/css/content/content-on-focus-change.html: Added.

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: c5cf037a9b08e0daacb259461329ce915f954d42
      
https://github.com/WebKit/WebKit/commit/c5cf037a9b08e0daacb259461329ce915f954d42
  Author: Claudio Saavedra <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt
    A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html

  Log Message:
  -----------
  Cherry-pick [email protected] (b7f9b7f4679b). rdar://102808942

    Add test for element's display contents change on sibling removal
    https://bugs.webkit.org/show_bug.cgi?id=248772

    Reviewed by Tim Nguyen.

    This was already fixed with #248776, but add the test for completeness.

    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt: Added.
    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html: Added.

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 482439c8ecdb5a274c7ca18054c1d5d4d7519cc3
      
https://github.com/WebKit/WebKit/commit/482439c8ecdb5a274c7ca18054c1d5d4d7519cc3
  Author: Rob Buis <[email protected]>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt
    A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html

  Log Message:
  -----------
  Cherry-pick [email protected] (7d616c4d06eb). rdar://98898374

    Add crash test for disconnected frame switching to eager
    https://bugs.webkit.org/show_bug.cgi?id=245377

    Reviewed by Ryosuke Niwa.

    Add crash test for disconnected frame switching to eager.

    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt: Added.
    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html: Added.

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 010528ca060e292f06e8d630482a4cf522478f7c
      
https://github.com/WebKit/WebKit/commit/010528ca060e292f06e8d630482a4cf522478f7c
  Author: Rob Buis <[email protected]>
  Date:   2023-02-17 (Fri, 17 Feb 2023)

  Changed paths:
    A LayoutTests/fast/scrolling/fixed-positioned-element-update-crash-expected.txt
    A LayoutTests/fast/scrolling/fixed-positioned-element-update-crash.html

  Log Message:
  -----------
  Add crash test for bad update of fixed position scrolling node
https://bugs.webkit.org/show_bug.cgi?id=245389

Reviewed by Simon Fraser.

This was already fixed with #255114, but add the test for completeness.

* LayoutTests/fast/scrolling/fixed-positioned-element-update-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/fixed-positioned-element-update-crash.html: Added.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: e7b0459eaad256590f5f8d46b5deca54c02ff7ca
      
https://github.com/WebKit/WebKit/commit/e7b0459eaad256590f5f8d46b5deca54c02ff7ca
  Author: Rob Buis <[email protected]>
  Date:   2023-02-17 (Fri, 17 Feb 2023)

  Changed paths:
    A LayoutTests/fast/multicol/legend-in-column-outline-auto-crash-expected.txt
    A LayoutTests/fast/multicol/legend-in-column-outline-auto-crash.html
    M Source/WebCore/rendering/RenderObject.cpp

  Log Message:
  -----------
  Take legend element into account in propagateRepaintToParentWithOutlineAutoIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=251381
rdar://104813886

Reviewed by Alan Baradlay.

In change r259412 logic was introduced for spanner placeholders and a check was done
to see if the previous sibling renderer is a column set. However legends are kept out of
column flows and thus may also have a column set as previous sibling, in this case we
don't want to enter the spanner placeholder logic.

* LayoutTests/fast/multicol/legend-in-column-outline-auto-crash-expected.txt: Added.
* LayoutTests/fast/multicol/legend-in-column-outline-auto-crash.html: Added.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded const):

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 042db6f5677eb65461d65e8e3383e5148986d73d
      
https://github.com/WebKit/WebKit/commit/042db6f5677eb65461d65e8e3383e5148986d73d
  Author: Claudio Saavedra <[email protected]>
  Date:   2023-02-22 (Wed, 22 Feb 2023)

  Changed paths:
    A LayoutTests/fast/css/content/display-contents-on-focus-crash-expected.txt
    A LayoutTests/fast/css/content/display-contents-on-focus-crash.html

  Log Message:
  -----------
  Add test for display contents on focus change
https://bugs.webkit.org/show_bug.cgi?id=251380

Reviewed by Antti Koivisto.

Already fixed by #248776, but add this test for
completeness.

* LayoutTests/fast/css/content/display-contents-on-focus-crash-expected.txt: Added.
* LayoutTests/fast/css/content/display-contents-on-focus-crash.html: Added.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 0a7c35b68439bad97a3090af90458761452c5551
      
https://github.com/WebKit/WebKit/commit/0a7c35b68439bad97a3090af90458761452c5551
  Author: Rob Buis <[email protected]>
  Date:   2023-03-06 (Mon, 06 Mar 2023)

  Changed paths:
    A LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar-expected.txt
    A LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar.html
    M Source/WebCore/rendering/RenderBlock.cpp

  Log Message:
  -----------
  Adapt OOF with specified height case in availableLogicalHeightForPercentageComputation
https://bugs.webkit.org/show_bug.cgi?id=253037

Reviewed by Alan Baradlay.

The computed height for OOF can result in being zero for certain insets (but never negative).
In that case subtracting scrollbar sizes could result in negative values like in the test case, so
clamp to zero.

* LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::availableLogicalHeightForPercentageComputation const):

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 0888aabefd69a721a7e370b5dfb5325495837525
      
https://github.com/WebKit/WebKit/commit/0888aabefd69a721a7e370b5dfb5325495837525
  Author: Rob Buis <[email protected]>
  Date:   2023-03-06 (Mon, 06 Mar 2023)

  Changed paths:
    M Source/WebCore/rendering/RenderObject.cpp
    M Source/WebCore/rendering/RenderObject.h

  Log Message:
  -----------
  Improve isInsideMulticolumnFlow lambda for top-layer elements
https://bugs.webkit.org/show_bug.cgi?id=245374

Reviewed by Alan Baradlay.

Improve isInsideMulticolumnFlow lambda for top-layer elements.
Top-layer elements can skip many ancestors since the containing
block is the RenderView. So instead of checking the fragmentedFlowRoot
boundary, check the containing block fragmented flow state.

* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
(WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
(WebCore::RenderObject::resetFragmentedFlowStateOnRemoval):
* Source/WebCore/rendering/RenderObject.h:

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 028f984310b6e379c4765896a7f430fea4d898f2
      
https://github.com/WebKit/WebKit/commit/028f984310b6e379c4765896a7f430fea4d898f2
  Author: Rob Buis <[email protected]>
  Date:   2023-03-14 (Tue, 14 Mar 2023)

  Changed paths:
    A LayoutTests/fast/multicol/crash-when-constructing-nested-columns2-expected.txt
    A LayoutTests/fast/multicol/crash-when-constructing-nested-columns2.html
    M Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp

  Log Message:
  -----------
  Fix spanner reset logic
https://bugs.webkit.org/show_bug.cgi?id=245374

Reviewed by Alan Baradlay.

In restoreColumnSpannersForContainer we want to reset the spanners to their original position
and remove the placeholders, however in some cases the attach step will call multiColumnDescendantInserted
and re-insert placeholders. To fix this, prevent calling the spanner processing logic by
multiColumnDescendantInserted by introducing a new flag gRestoringColumnSpannersForContainer.

* LayoutTests/fast/multicol/crash-when-constructing-nested-columns2-expected.txt: Added.
* LayoutTests/fast/multicol/crash-when-constructing-nested-columns2.html: Added.
* Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:
(WebCore::RenderTreeBuilder::MultiColumn::restoreColumnSpannersForContainer):
(WebCore::RenderTreeBuilder::MultiColumn::multiColumnDescendantInserted):
(WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):

Canonical link: https://commits.webkit.org/[email protected]


Compare: https://github.com/WebKit/WebKit/compare/68c44009f220%5E...028f984310b6
