Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 96f558b446153e1417a8df780d22e338091d86a6
      
https://github.com/WebKit/WebKit/commit/96f558b446153e1417a8df780d22e338091d86a6
  Author: Mikhail R. Gadelha <[email protected]>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A JSTests/wasm/stress/wasm-unreachable-br-block.js
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h

  Log Message:
  -----------
  WASM unreachable code validation is broken
https://bugs.webkit.org/show_bug.cgi?id=265425
rdar://103288466

Reviewed by Keith Miller.

This patch fixes an assertion failure in the unreachable code parser
when the target of a br instruction is a block that was not added into
the control stack.

The code that checks the br target now takes into account the number of
unreachable blocks, if the br instruction is also unreachable. This is
similar to the solution employed by parseDelegateTarget and should
support cases when block, if, try, and loop were not added to the control
stack.

* JSTests/wasm/stress/wasm-unreachable-br-block.js: Added.
(async test):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseBranchTarget):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

Originally-landed-as: [email protected] (ab8e4a4470bb). 
rdar://128090590
Canonical link: https://commits.webkit.org/278882@main


  Commit: 72485b3a40e30c94b4394e7bac01af3159debbd6
      
https://github.com/WebKit/WebKit/commit/72485b3a40e30c94b4394e7bac01af3159debbd6
  Author: Žan Doberšek <[email protected]>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A LayoutTests/fast/css/repeating-conic-gradient-small-range-expected.txt
    A LayoutTests/fast/css/repeating-conic-gradient-small-range.html
    A LayoutTests/fast/css/repeating-linear-gradient-small-range-expected.txt
    A LayoutTests/fast/css/repeating-linear-gradient-small-range.html
    A LayoutTests/fast/css/repeating-radial-gradient-small-range-expected.txt
    A LayoutTests/fast/css/repeating-radial-gradient-small-range.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/rendering/style/StyleGradientImage.cpp

  Log Message:
  -----------
  ASAN_ILL | WTF::Vector::expandCapacity; WTF::Vector::expandCapacity; WebCore::StyleGradientImage::computeStops
https://bugs.webkit.org/show_bug.cgi?id=264639
rdar://114069174

Reviewed by Antti Koivisto.

When working with repeating gradients, more care should be put into limiting the
amount of stops that can be additionally generated. If the original gradient
range is already too small, the extra stops are not generated. Once the number
of additional stops is calculated, the generation proceeds only if that number
is below some reasonable limit. That generation is also improved slightly by
creating a separate Vector of gradient stops that then simply replaces the
original one.

* LayoutTests/fast/css/repeating-conic-gradient-small-range-expected.txt: Added.
* LayoutTests/fast/css/repeating-conic-gradient-small-range.html: Added.
* LayoutTests/fast/css/repeating-linear-gradient-small-range-expected.txt: Added.
* LayoutTests/fast/css/repeating-linear-gradient-small-range.html: Added.
* LayoutTests/fast/css/repeating-radial-gradient-small-range-expected.txt: Added.
* LayoutTests/fast/css/repeating-radial-gradient-small-range.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/rendering/style/StyleGradientImage.cpp:
(WebCore::StyleGradientImage::computeStops const):

Originally-landed-as: [email protected] (efd994a148b6). 
rdar://128090422
Canonical link: https://commits.webkit.org/278883@main


  Commit: 3f5fc52ff3ea57f51b2a004ea0e47542b13ad1ae
      
https://github.com/WebKit/WebKit/commit/3f5fc52ff3ea57f51b2a004ea0e47542b13ad1ae
  Author: Rob Buis <[email protected]>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt
    A LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  HTMLPlugInImageElement: verify that element is in same document before requesting a load
https://bugs.webkit.org/show_bug.cgi?id=268769
rdar://121960561

Reviewed by Ryosuke Niwa.

The testcase shows a scenario where a plugin is set up to start loading the
plugin contents from an event loop, however before the event loop is started
the rest of the script will run, which moves the plugin to a different
document, thus hitting an ASSERT in WebFrame::createSubframe when the load
is performed. Protect against this by returning early when this situation is
detected in the event loop.

* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt: Added.
* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: [email protected] (f81d56c47751). 
rdar://128089895
Canonical link: https://commits.webkit.org/278884@main


Compare: https://github.com/WebKit/WebKit/compare/26dd802ebb28...3f5fc52ff3ea

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes