Branch: refs/heads/webkitglib/2.44
Home: https://github.com/WebKit/WebKit
Commit: 127c061152a06f045188e7cdbd1715a0884a29e1
https://github.com/WebKit/WebKit/commit/127c061152a06f045188e7cdbd1715a0884a29e1
Author: Nitin Mahendru <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
M Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.946@safari-7618-branch (110ae765d426).
https://bugs.webkit.org/show_bug.cgi?id=272530
CloneDeserializer readTerminal crash
rdar://126132442
https://bugs.webkit.org/show_bug.cgi?id=272530
Reviewed by Alex Christensen.
Limiting the depth for serializing/deserializing recursive objects like:
var array = [[[[[....................]]]]]... 2000 times
* Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp:
(TestWebKitAPI::TEST):
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneBase::CloneBase):
(WebCore::CloneBase::isSafeToRecurse):
(WebCore::CloneDeserializer::readArrayBufferViewImpl):
(WebCore::CloneDeserializer::readArrayBufferView):
(WebCore::CloneDeserializer::readTerminal):
Canonical link: https://commits.webkit.org/274313.329@webkitglib/2.44
Commit: c4c067615638587b793b01829338318089b88eb2
https://github.com/WebKit/WebKit/commit/c4c067615638587b793b01829338318089b88eb2
Author: Nisha Jain <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/fast/css/font-size-adjust-from-style-invalid-value-expected.txt
A LayoutTests/fast/css/font-size-adjust-from-style-invalid-value.html
M Source/WebCore/css/ComputedStyleExtractor.cpp
Log Message:
-----------
Cherry-pick 272448.951@safari-7618-branch (5e92cb84fde1).
https://bugs.webkit.org/show_bug.cgi?id=272821
WebCore::fontSizeAdjustFromStyle;
WebCore::ComputedStyleExtractor::valueForPropertyInStyle;
WebCore::ComputedStyleExtractor::propertyValue
https://bugs.webkit.org/show_bug.cgi?id=272821
rdar://126112927
Reviewed by Sihui Liu and Darin Adler.
Crash happens in fontSizeAdjustFromStyle API due to invalid 'value' (float:NaN).
Added check to validate the 'value'.
* LayoutTests/fast/css/font-size-adjust-from-style-invalid-value-expected.txt:
Added.
* LayoutTests/fast/css/font-size-adjust-from-style-invalid-value.html: Added.
* Source/WebCore/css/ComputedStyleExtractor.cpp:
(WebCore::fontSizeAdjustFromStyle):
Canonical link: https://commits.webkit.org/274313.330@webkitglib/2.44
Commit: 53cd328d9c5442feceda87f683b2d35d468e5d16
https://github.com/WebKit/WebKit/commit/53cd328d9c5442feceda87f683b2d35d468e5d16
Author: Nisha Jain <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/JavaScriptCore/yarr/YarrPattern.cpp
M Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.957@safari-7618-branch (aee8743b069b).
https://bugs.webkit.org/show_bug.cgi?id=272932
Fuzz blocker for WebCore-SerializedScriptValue-Deserialize-fuzzer in
readTerminal() | Yarr::CharacterClassConstructor::unicodeOpSorted
https://bugs.webkit.org/show_bug.cgi?id=272932
rdar://126631719
Reviewed by Yusuke Suzuki.
During deserialization of IDBValueToJSValue based on RegExpTag,
the YarrParser crashes as an unsorted list is passed to the unicodeOpSorted API.
To fix this issue, a sorted list is created and a check is made before the addChar API
call.
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::CharacterClassConstructor::putCharNonUnion):
* Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/274313.331@webkitglib/2.44
Commit: b951404ea74ae432312a83138f5c8945a0d09e1b
https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b
Author: Jean-Yves Avenard <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
A LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
M Source/WebCore/platform/audio/MultiChannelResampler.cpp
M Source/WebCore/platform/audio/MultiChannelResampler.h
Log Message:
-----------
Cherry-pick 272448.960@safari-7618-branch (b7ccdb65258e).
https://bugs.webkit.org/show_bug.cgi?id=273176
Always copy all audio channels to the AudioBus to guarantee data lifetime.
https://bugs.webkit.org/show_bug.cgi?id=273176
rdar://125166710
Reviewed by Chris Dumez.
Following 275262@main, a task is dispatched on the audio render thread.
This task dispatch takes a reference to the source and destination AudioBus
however when a MultiChannelResampler is in use, the source AudioBus may
contain a raw pointer to the resampled's AudioArray and the lifetime of
this object may be shorter than the AudioBus.
In 232182@main, a speed and memory optimisation was added by using the passed-in buffer
as memory for the first channel in the AudioBus.
We revert this change for now and copy all channels' data to the AudioBus.
Added test.
* LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt: Added.
* LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html: Added.
* Source/WebCore/platform/audio/MultiChannelResampler.cpp:
(WebCore::MultiChannelResampler::MultiChannelResampler):
(WebCore::MultiChannelResampler::provideInputForChannel):
* Source/WebCore/platform/audio/MultiChannelResampler.h:
Canonical link: https://commits.webkit.org/274313.332@webkitglib/2.44
Commit: 252a12240acc5fa8abd4b7774b621fefabd1deaa
https://github.com/WebKit/WebKit/commit/252a12240acc5fa8abd4b7774b621fefabd1deaa
Author: Nisha Jain <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
M Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.964@safari-7618-branch (d3e1795539b0).
https://bugs.webkit.org/show_bug.cgi?id=272692
"Fuzz blocker for WebCore-SerializedScriptValue-Deserialize-fuzzer in
readTerminal() | case RegExpTag"
https://bugs.webkit.org/show_bug.cgi?id=272692
rdar://126142587
Reviewed by Chris Dumez.
During deserialization of IDBValueToJSValue based on RegExpTag, pointer to
regExp is returned as NULL which causes ASSERT.
In order to avoid this issue for Release builds, the validity of reFlags is checked.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):
Canonical link: https://commits.webkit.org/274313.333@webkitglib/2.44
Commit: 8fea9e31e8ce1e7b5027c5dacf5537a558637283
https://github.com/WebKit/WebKit/commit/8fea9e31e8ce1e7b5027c5dacf5537a558637283
Author: Erica Li <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/editing/undo/redo-reapply-edit-command-crash-expected.txt
A LayoutTests/editing/undo/redo-reapply-edit-command-crash.html
M Source/WebCore/editing/CompositeEditCommand.cpp
M Source/WebCore/editing/Editor.cpp
Log Message:
-----------
Cherry-pick 272448.968@safari-7618-branch (39a32d378220).
https://bugs.webkit.org/show_bug.cgi?id=273237
heap-use-after-free | WebCore::EditCommandComposition::reapply
rdar://126683181
https://bugs.webkit.org/show_bug.cgi?id=273237
Reviewed by Ryosuke Niwa.
Close TypingCommand when about to undo any command to avoid mutating
m_commands of TypingCommand (during undo & redo).
Make iteration over m_commands safe in EditCommandComposition::reapply
when more commands are appended and its capacity needs to expand.
* LayoutTests/editing/undo/redo-reapply-edit-command-crash-expected.txt: Added.
* LayoutTests/editing/undo/redo-reapply-edit-command-crash.html: Added.
* Source/WebCore/editing/CompositeEditCommand.cpp:
(WebCore::EditCommandComposition::reapply):
(WebCore::EditCommandComposition::getNodesInCommand):
* Source/WebCore/editing/Editor.cpp:
(WebCore::Editor::willUnapplyEditing const):
Canonical link: https://commits.webkit.org/274313.334@webkitglib/2.44
Commit: f2a4dac50101f5ff7916983eee4d6ed9257cf7ff
https://github.com/WebKit/WebKit/commit/f2a4dac50101f5ff7916983eee4d6ed9257cf7ff
Author: Chris Dumez <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/Modules/webaudio/AudioNode.cpp
M Source/WebCore/Modules/webaudio/AudioNode.h
M Source/WebCore/Modules/webaudio/BaseAudioContext.cpp
M Source/WebCore/Modules/webaudio/BaseAudioContext.h
Log Message:
-----------
Cherry-pick 272448.979@safari-7618-branch (b49f3d76dad1).
https://bugs.webkit.org/show_bug.cgi?id=273628
AudioNodes can sometimes get destroyed even when a RefPtr is held
https://bugs.webkit.org/show_bug.cgi?id=273628
rdar://127240775
Reviewed by Ryosuke Niwa.
AudioNodes can sometimes get destroyed even when a RefPtr is held.
When an AudioNode's ref-count reaches 0, we mark it for deletion, so that
the BaseAudioContext will eventually destroy it. During this time, someone
might still ref it but the node would remain marked for deletion and could
get deleted despite the extra ref. When a Node gets ref'd we now unmark it
for deletion until its ref-count reaches 0 again.
* Source/WebCore/Modules/webaudio/AudioNode.cpp:
(WebCore::AudioNode::incrementConnectionCount):
(WebCore::AudioNode::unmarkNodeForDeletionIfNecessary):
(WebCore::AudioNode::ref):
* Source/WebCore/Modules/webaudio/AudioNode.h:
* Source/WebCore/Modules/webaudio/BaseAudioContext.cpp:
(WebCore::BaseAudioContext::unmarkForDeletion):
* Source/WebCore/Modules/webaudio/BaseAudioContext.h:
Canonical link: https://commits.webkit.org/274313.335@webkitglib/2.44
Commit: 132d769d205e1724060a57e7a56a9dd424ccb33b
https://github.com/WebKit/WebKit/commit/132d769d205e1724060a57e7a56a9dd424ccb33b
Author: Aditya Keerthi <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/fast/css/container-query-listbox-expected.html
A LayoutTests/fast/css/container-query-listbox.html
A LayoutTests/fast/forms/select-multiple-changed-with-containment-crash-expected.txt
A LayoutTests/fast/forms/select-multiple-changed-with-containment-crash.html
M LayoutTests/platform/ios/TestExpectations
M Source/WebCore/rendering/RenderListBox.cpp
M Source/WebCore/rendering/RenderMenuList.cpp
Log Message:
-----------
Cherry-pick 272448.982@safari-7618-branch (c4b6c7757697).
https://bugs.webkit.org/show_bug.cgi?id=272882
heap-use-after-free | WebCore::RenderMenuList::setTextFromOption;
WebCore::HTMLSelectElement::selectOption; WebCore::Element::didAddAttribute
https://bugs.webkit.org/show_bug.cgi?id=272882
rdar://126279123
Reviewed by Antti Koivisto.
On macOS, `<select>` and `<select multiple>` use `RenderMenuList` and
`RenderMenuList` as their respective renderers. Consequently, whenever the
`multiple` attribute is added, `invalidateStyleAndRenderersForSubtree` is
called and the `RenderMenuList` is marked for destruction.
Additionally, for interoperability, the selected index must be updated when the
`multiple` attribute is added or removed. This update will also trigger an
update on the renderer, in this case, via `RenderMenuList::updateFromElement`.
At this point, the element is `<select multiple>`, but still has a
`RenderMenuList`.
Eventually, the update gets into `RenderMenuList::setTextFromOption`, which
calls `computedStyle()` on an `<option>` element. Following 267786@main, when
using containment, this triggers a render tree update, as `Document::resolveStyle`
is called, and `resolver.hasUnresolvedQueryContainers()` is true. The
`RenderMenuList` is then destroyed, as it was previously invalidated, while
inside one of its own methods. Use-after-free is then encountered due to
attempted member variable access.
To fix, take a similar approach as the crash fix in 272334@main and elide a full
style update when a query container with invalid style is encountered.
`fast/css/container-query-listbox.html` has been added to ensure <option>
styling continues to work with container queries. Finally, adopt `CheckedPtr` as
a hardening measure.
Alternatives considered:
1. Call `updateStyleIfNeeded()` in `HTMLSelectElement` prior to entering the
renderer. This approach was rejected as there are too many entry points, and
it would be fragile to new entry points.
2. Pass `<option>` style down from `HTMLSelectElement` into the renderer. Again,
there are too many entry points (including outside of the element). Additionally,
it is not sufficient to store a single style (for the selected option), as every
`<option>` participates in width determination.
3. Use `existingComputedStyle()` instead of `computedStyle()`. This resulted in
paint time regressions where the existing computed style was empty.
* LayoutTests/fast/css/container-query-listbox-expected.html: Added.
* LayoutTests/fast/css/container-query-listbox.html: Added.
* LayoutTests/fast/forms/select-multiple-changed-with-containment-crash-expected.txt: Added.
* LayoutTests/fast/forms/select-multiple-changed-with-containment-crash.html: Added.
* LayoutTests/platform/ios/TestExpectations:
* Source/WebCore/html/HTMLSelectElement.cpp:
(WebCore::HTMLSelectElement::optionSelectedByUser):
(WebCore::HTMLSelectElement::selectOption):
* Source/WebCore/rendering/RenderListBox.cpp:
(WebCore::RenderListBox::paintItemForeground):
(WebCore::RenderListBox::paintItemBackground):
* Source/WebCore/rendering/RenderMenuList.cpp:
(RenderMenuList::updateOptionsWidth):
(RenderMenuList::setTextFromOption):
(RenderMenuList::itemStyle const):
(RenderMenuList::getItemBackgroundColor const):
Canonical link: https://commits.webkit.org/274313.336@webkitglib/2.44
Commit: 613d762bf93962acbbe1b2de66385c4400215f78
https://github.com/WebKit/WebKit/commit/613d762bf93962acbbe1b2de66385c4400215f78
Author: Frédéric Wang <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/fast/scrolling/scroll-into-view-on-composited-scrollable-overflow-layer-crash-expected.txt
A LayoutTests/fast/scrolling/scroll-into-view-on-composited-scrollable-overflow-layer-crash.html
M Source/WebCore/rendering/RenderLayerCompositor.cpp
Log Message:
-----------
Cherry-pick [email protected] (9a7d6e22efa6).
https://bugs.webkit.org/show_bug.cgi?id=272972
Check whether overflowLayer is composited in appendOverflowLayerNodeID
https://bugs.webkit.org/show_bug.cgi?id=272972
Reviewed by Simon Fraser.
The call to appendOverflowLayerNodeID is conditioned on
hasCompositedScrollableOverflow() but as explained in r243908 that does
not guarantee that the layer is composited. Add a null-check in addition
to the debug ASSERT(overflowLayer.isComposited()), making this
consistent with updateScrollingNodeForScrollingProxyRole and
setupScrollProxyRelatedOverflowScrollingNode.
A non-regression test is added. In MiniBrowser, it is crashing without
the null-check, and it is still failing related debug ASSERTIONs. So far
it has always run normally in WebKitTestRunner though.
* LayoutTests/fast/scrolling/scroll-into-view-on-composited-scrollable-overflow-layer-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/scroll-into-view-on-composited-scrollable-overflow-layer-crash.html: Added.
* Source/WebCore/rendering/RenderLayerCompositor.cpp:
(WebCore::collectStationaryLayerRelatedOverflowNodes): Add a null-check and
tweak log error.
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/274313.337@webkitglib/2.44
Commit: 8fea90deef09aeea7e94eb5d5aa0a044a675d0a0
https://github.com/WebKit/WebKit/commit/8fea90deef09aeea7e94eb5d5aa0a044a675d0a0
Author: Nisha Jain <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
M Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.988@safari-7618-branch (d4a726f1404c).
https://bugs.webkit.org/show_bug.cgi?id=272707
"Fuzz blocker for WebCore-SerializedScriptValue-Deserialize-fuzzer in
readTerminal() | case ImageDataTag"
https://bugs.webkit.org/show_bug.cgi?id=272707
rdar://126132273
Reviewed by Chris Dumez.
ASSERT gets triggered due to overflow of 'IntSize().area()' during
deserialization of IDBValueToJSValue based on 'ImageDataTag'.
To avoid this crash added overflow check for 'IntSize().area() * 4' value.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):
* Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/274313.338@webkitglib/2.44
Commit: f285a310751f9c6de00dfd0163364c9c293d3198
https://github.com/WebKit/WebKit/commit/f285a310751f9c6de00dfd0163364c9c293d3198
Author: Tyler Wilcock <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/accessibility/AccessibilityObject.cpp
M Source/WebCore/accessibility/AccessibilityObject.h
M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm
M Source/WebCore/accessibility/ios/AccessibilityObjectIOS.mm
M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
M Source/WebCore/accessibility/mac/AccessibilityObjectMac.mm
M Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h
Log Message:
-----------
Cherry-pick 272448.996@safari-7618-branch (50eaa40540f2). rdar://127694319
In AXIsolatedTree::resolveAppends(), m_unresolvedPendingAppends can be added to
while being iterated, potentially causing memory safety issues
rdar://127694319
Reviewed by Andres Gonzalez.
Avoid this using std::exchange to put the HashMap on the stack before iterating
over it. Anything subsequently added to m_unresolvedPendingAppends will be
processed in the next go-around of resolveAppends().
This patch also fixes several nullptr crashes found by ASAN in various tests.
* Source/WebCore/accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::anchorElementForNode):
* Source/WebCore/accessibility/AccessibilityObject.h:
* Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm:
(WebCore::AccessibilityObject::contentForRange const):
* Source/WebCore/accessibility/ios/AccessibilityObjectIOS.mm:
(WebCore::attributedStringCreate):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::resolveAppends):
* Source/WebCore/accessibility/mac/AccessibilityObjectMac.mm:
(WebCore::attributedStringSetHeadingLevel):
(WebCore::attributedStringSetBlockquoteLevel):
(WebCore::attributedStringSetExpandedText):
(WebCore::shouldHaveAnySpellCheckAttribute):
(WebCore::attributedStringCreate):
* Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h:
Canonical link: https://commits.webkit.org/274313.339@webkitglib/2.44
Commit: f53e9338165048d61e913238a7e8088117e78095
https://github.com/WebKit/WebKit/commit/f53e9338165048d61e913238a7e8088117e78095
Author: Alexey Shvayka <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A JSTests/stress/regress-125602977.js
M Source/JavaScriptCore/runtime/CommonSlowPaths.h
Log Message:
-----------
Cherry-pick 272448.1012@safari-7618-branch (283802946dcc).
https://bugs.webkit.org/show_bug.cgi?id=273580
[JSC] putDirectWithReify() should not cache putting `prototype` to a JSFunction
https://bugs.webkit.org/show_bug.cgi?id=273580
<rdar://125602977>
Reviewed by Yusuke Suzuki.
Before this change, putDirectWithReify() used for direct op_put_by_id could
still cache putting of `prototype` properties. Leveraging the cache, one could
put a configurable `prototype` property onto a JSFunction with
mayHaveNonReifiedPrototype() returning true. And because of configurability, it
could have been turned into a GetterSetter and leaked via getDirect() in
JSFunction::getOwnPropertySlot(), breaking the method's assumption that the
`prototype` of a JSFunction with truthy mayHaveNonReifiedPrototype() must be a
value.
This change prevents the put slot from being cached, and clears FunctionRareData
like it's done in other methods that put the `prototype` property.
* JSTests/stress/regress-125602977.js: Added.
* Source/JavaScriptCore/runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::putDirectWithReify):
(JSC::CommonSlowPaths::putDirectAccessorWithReify):
Canonical link: https://commits.webkit.org/274313.340@webkitglib/2.44
Commit: 9d7ec80f78039e6646fcfc455ab4c05aa393f34c
https://github.com/WebKit/WebKit/commit/9d7ec80f78039e6646fcfc455ab4c05aa393f34c
Author: Kimmo Kinnunen <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
Log Message:
-----------
Cherry-pick ANGLE. https://bugs.webkit.org/show_bug.cgi?id=274165
https://bugs.webkit.org/show_bug.cgi?id=274165
rdar://127764804
Reviewed by Dan Glastonbury.
Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
GL: Sync unpack state for glCompressedTexSubImage3D
Unpack state is supposed to be ignored for compressed tex image calls
but some drivers use it anyways and read incorrect data.
Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
Bug: chromium:337766133
Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
Commit-Queue: Shahbaz Youssefi <[email protected]>
Reviewed-by: Shahbaz Youssefi <[email protected]>
Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
Commit: 5086d3e6dcdc75da81c0eab8cd9318cff13e63f8
https://github.com/WebKit/WebKit/commit/5086d3e6dcdc75da81c0eab8cd9318cff13e63f8
Author: Youenn Fablet <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
M LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp
Log Message:
-----------
Cherry-pick 272448.1035@safari-7618-branch (9c4e3c807b79). rdar://127438135
WebCodecs VideoFrame Out-Of-Bounds Read
rdar://127438135
Reviewed by Jean-Yves Avenard.
When passing a NaN, our size error checks would be bypassed as comparing with
NaN returns false.
We add finite checks to x, y, width and height and add a corresponding test.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt:
* LayoutTests/http/wpt/webcodecs/videoFrame-rect.html:
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
(WebCore::parseVisibleRect):
Canonical link: https://commits.webkit.org/274313.342@webkitglib/2.44
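The NaN bypass this commit describes, as an added C++ illustration (constructed example, not WebKit's parseVisibleRect; the VisibleRect and CodedSize types and all function names are assumptions):

```cpp
#include <cmath>
#include <cstdint>

// Constructed types for this example; WebKit's real WebCodecs types differ.
struct VisibleRect { double x, y, width, height; };
struct CodedSize { uint32_t width, height; };

// Before the fix: bounds checks phrased as "reject if out of range".
// Every ordered comparison involving NaN evaluates to false, so a NaN in
// any field skips every rejection branch and the rect is accepted.
inline bool visibleRectIsValidBuggy(const VisibleRect& r, const CodedSize& coded)
{
    if (r.x < 0 || r.y < 0 || r.width <= 0 || r.height <= 0)
        return false;
    if (r.x + r.width > coded.width || r.y + r.height > coded.height)
        return false;
    return true;
}

// After the fix: reject any non-finite component first (NaN and +/-inf),
// then apply the same range checks, which are now sound.
inline bool visibleRectIsValidFixed(const VisibleRect& r, const CodedSize& coded)
{
    if (!std::isfinite(r.x) || !std::isfinite(r.y)
        || !std::isfinite(r.width) || !std::isfinite(r.height))
        return false;
    return visibleRectIsValidBuggy(r, coded);
}

// Why it matters downstream: a consumer that trusts the validated rect and
// converts it to an integer pixel offset. Had a NaN slipped through, the
// double-to-integer conversion would be undefined behaviour and the offset
// could land anywhere in the frame buffer (the out-of-bounds read).
// Returns false, without computing an offset, when the rect is rejected.
inline bool visibleRectByteOffset(const VisibleRect& r, const CodedSize& coded,
                                  uint32_t bytesPerPixel, uint64_t& outOffset)
{
    if (!visibleRectIsValidFixed(r, coded))
        return false;
    uint64_t x = static_cast<uint64_t>(r.x);
    uint64_t y = static_cast<uint64_t>(r.y);
    outOffset = (static_cast<uint64_t>(y) * coded.width + x) * bytesPerPixel;
    return true;
}
```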
Commit: 1ec12f29699bc07bc3d8dcbd7ef22b99a2caf02c
https://github.com/WebKit/WebKit/commit/1ec12f29699bc07bc3d8dcbd7ef22b99a2caf02c
Author: Dan Hecht <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A JSTests/stress/regress-119545295.js
M Source/JavaScriptCore/runtime/InternalFunction.cpp
Log Message:
-----------
Cherry-pick 272448.1052@safari-7618-branch (d4c5d33ae803).
https://bugs.webkit.org/show_bug.cgi?id=274870
[JSC] JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation may allow
creation of an undecided array with a Proxy object in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=274870
rdar://119545295
Reviewed by Keith Miller.
When constructing an array along this particular path, newTarget.prototype could
have a getter that induces a bad time. We need to check for this case and handle
it explicitly since the array isn't yet fully constructed and thus won't be
handled by the having-a-bad-time machinery.
* JSTests/stress/regress-119545295.js: Added.
(main.const.new_target):
* Source/JavaScriptCore/runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructure):
Canonical link: https://commits.webkit.org/274313.343@webkitglib/2.44
Commit: 6740c767a6bcb8b8031a3acca19b17cfd4de503e
https://github.com/WebKit/WebKit/commit/6740c767a6bcb8b8031a3acca19b17cfd4de503e
Author: Jer Noble <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/platform/audio/PlatformMediaSessionManager.cpp
M Source/WebCore/platform/audio/PlatformMediaSessionManager.h
M Source/WebCore/platform/audio/cocoa/MediaSessionManagerCocoa.mm
Log Message:
-----------
Cherry-pick 272448.1079@safari-7618-branch (2131bc756e54).
https://bugs.webkit.org/show_bug.cgi?id=275117
Add support for CancellableTasks to PlatformMediaSessionManager
https://bugs.webkit.org/show_bug.cgi?id=275117
rdar://127612016
Reviewed by Andy Estes.
Pass a CancellableTask into callOnMainThread() rather than a raw Function,
to allow the task to be cancelled before executing.
* Source/WebCore/platform/audio/PlatformMediaSessionManager.cpp:
(WebCore::PlatformMediaSessionManager::~PlatformMediaSessionManager):
(WebCore::PlatformMediaSessionManager::sessionCanProduceAudioChanged):
(WebCore::PlatformMediaSessionManager::scheduleUpdateSessionState):
(WebCore::PlatformMediaSessionManager::enqueueTaskOnMainThread):
* Source/WebCore/platform/audio/PlatformMediaSessionManager.h:
* Source/WebCore/platform/audio/cocoa/MediaSessionManagerCocoa.mm:
(WebCore::MediaSessionManagerCocoa::scheduleSessionStatusUpdate):
(WebCore::MediaSessionManagerCocoa::sessionWillEndPlayback):
Canonical link: https://commits.webkit.org/274313.344@webkitglib/2.44
Commit: e83e4c7460972898dc06a5f5ab36eed7c6b101b5
https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5
Author: Jer Noble <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
A LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
Log Message:
-----------
Cherry-pick [email protected] (64c9479d6f29).
https://bugs.webkit.org/show_bug.cgi?id=275273
Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to
large negative value
https://bugs.webkit.org/show_bug.cgi?id=275273
rdar://125617842
Reviewed by Eric Carlson.
* LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt: Added.
* LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html: Added.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
Commit: 23ff0b0b8918da63aab3db594c456cc20d25c912
https://github.com/WebKit/WebKit/commit/23ff0b0b8918da63aab3db594c456cc20d25c912
Author: Nisha Jain <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/JavaScriptCore/runtime/ArgList.cpp
M Source/JavaScriptCore/runtime/ArgList.h
M Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.1081@safari-7618-branch (402db5ae0c62).
https://bugs.webkit.org/show_bug.cgi?id=275262
ASAN_BUS | WebCore::CloneDeserializer::readTerminal;
WebCore::CloneDeserializer::deserialize;
WebCore::SerializedScriptValue::deserialize
https://bugs.webkit.org/show_bug.cgi?id=275262
rdar://129348869
Reviewed by Yusuke Suzuki.
Signed comparison in MarkedVector (JSC) class.
Changed Signed class objects to Unsigned types.
* Source/JavaScriptCore/runtime/ArgList.cpp:
(JSC::ArgList::getSlice const):
(JSC::MarkedVectorBase::markLists):
(JSC::MarkedVectorBase::expandCapacity):
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVector::at const):
(JSC::ArgList::ArgList):
(JSC::ArgList::at const):
* Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/274313.346@webkitglib/2.44
Commit: 2fe5ae29a5f6434ef456afe9673a4f400ec63848
https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848
Author: Jean-Yves Avenard <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
A LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
Log Message:
-----------
Cherry-pick [email protected] (ff52ff7cb64e).
https://bugs.webkit.org/show_bug.cgi?id=275431
HeapBufferOverflow in computeSampleUsingLinearInterpolation
https://bugs.webkit.org/show_bug.cgi?id=275431
rdar://125617812
Reviewed by Youenn Fablet.
Add boundary check.
This is a copy of blink code for that same function.
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt: Added.
* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html: Added.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
Commit: 73dc1ecbd8780df78f4c364ed23769ee082d435b
https://github.com/WebKit/WebKit/commit/73dc1ecbd8780df78f4c364ed23769ee082d435b
Author: Matthew Finkel <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/http/tests/local/blob/resolve-response-with-custom-then-expected.txt
A LayoutTests/http/tests/local/blob/resolve-response-with-custom-then.html
M Source/WebCore/Modules/fetch/FetchBodyOwner.cpp
M Source/WebCore/Modules/fetch/FetchBodyOwner.h
Log Message:
-----------
Cherry-pick [email protected] (2ba62228e7b8).
https://bugs.webkit.org/show_bug.cgi?id=275122
Extend the lifetime of the Fetch body owner
https://bugs.webkit.org/show_bug.cgi?id=275122
rdar://128250783
Reviewed by Youenn Fablet and Simon Fraser.
This patch extends the lifetime of the FetchBodyOwner while we resolve the
body. In some cases, the body can be prematurely freed if its only reference
is held by a JavaScript object.
* LayoutTests/http/tests/local/blob/resolve-response-with-custom-then-expected.txt: Added.
* LayoutTests/http/tests/local/blob/resolve-response-with-custom-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyOwner.cpp:
(WebCore::FetchBodyOwner::blobLoadingSucceeded):
(WebCore::FetchBodyOwner::BlobLoader::didSucceed):
* Source/WebCore/Modules/fetch/FetchBodyOwner.h:
Canonical link: https://commits.webkit.org/274313.348@webkitglib/2.44
Commit: 52c9fb4d203a7e9e28df98b5b36d708914539cc6
https://github.com/WebKit/WebKit/commit/52c9fb4d203a7e9e28df98b5b36d708914539cc6
Author: Sammy Gill <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/fast/css/grid-template-rule-no-crash-expected.txt
A LayoutTests/fast/css/grid-template-rule-no-crash.html
M Source/WebCore/css/ShorthandSerializer.cpp
Log Message:
-----------
Cherry-pick [email protected] (32cdb1b7a376).
https://bugs.webkit.org/show_bug.cgi?id=275863
Bad downcast in ShorthandSerializer::serializeGridTemplate
https://bugs.webkit.org/show_bug.cgi?id=275863
rdar://121949510
Reviewed by Brent Fulgham and Tim Nguyen.
When attempting to parse the more complex version of the grid-template syntax,
the ShorthandSerializer assumes that the value for the grid-template-rows longhand
will be a CSSValueList. This may not be true as demonstrated in the testcase, which
ends up returning a CSSSubgridValue for the longhand value.
Instead of just blindly downcasting, let's replace the erroneous
isLonghandValueNone(rowsIndex) with !rowTrackSizes->isValueList() to make sure
we return a null string if the value of grid-template-rows is not a CSSValueList
and as a result cannot be expressed in the shorthand, which is similar to what we
do for the grid-template-columns case. Also rephrase the comment to just say this
instead of the lengthy and confusing description.
* LayoutTests/fast/css/grid-template-rule-no-crash-expected.txt: Added.
* LayoutTests/fast/css/grid-template-rule-no-crash.html: Added.
* Source/WebCore/css/ShorthandSerializer.cpp:
(WebCore::ShorthandSerializer::serializeGridTemplate const):
Canonical link: https://commits.webkit.org/274313.349@webkitglib/2.44
Commit: 02707ba2b9719874e64199365f3d975da708890a
https://github.com/WebKit/WebKit/commit/02707ba2b9719874e64199365f3d975da708890a
Author: Erica Li <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash-expected.txt
A LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash.html
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/TreeScope.cpp
Log Message:
-----------
Cherry-pick [email protected] (a7082f8505ae).
https://bugs.webkit.org/show_bug.cgi?id=275944
ASAN_ILL | WebCore::RenderMeter::~RenderMeter;
https://bugs.webkit.org/show_bug.cgi?id=275944
rdar://126113504
Reviewed by Alan Baradlay.
The test case produces a crash case where the checkedPtr renderer within Element::scrollIntoView will be destroyed, even though we called updateLayoutIgnorePendingStylesheets right before it.
During LocalFrameView::scrollRectToVisible, layout is triggered because:
1. pre-layout: willDoLayout() -> adjustScrollbarsForLayout() turns the vertical scrollbar to be on
2. during/after layout the scrollbar is updated ONLY when content size has changed: LocalFrameView::setContentsSize
3. when content size is unchanged the vertical scrollbar remains on,
4. LocalFrameView::scrollRectToVisible -> updateScrollbars checked the scrollbar has changed, decided to trigger layout with updateContentsSize().
The fix is to make renderer a WeakPtr instead of CheckedPtr.
This patch also fixes build failure for CHECKED_POINTER_DEBUG in SU branch.
* LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::listBoxElementScrollIntoView):
(WebCore::Element::scrollIntoView):
* Source/WebCore/dom/TreeScope.cpp:
(WebCore::TreeScope::registerCheckedPtr const): Deleted.
(WebCore::TreeScope::copyCheckedPtr const): Deleted.
(WebCore::TreeScope::moveCheckedPtr const): Deleted.
(WebCore::TreeScope::unregisterCheckedPtr const): Deleted.
Canonical link: https://commits.webkit.org/274313.350@webkitglib/2.44
Commit: 87c46a238282de274fcdd2fab99a820c43090c6f
https://github.com/WebKit/WebKit/commit/87c46a238282de274fcdd2fab99a820c43090c6f
Author: Daniel Liu <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A JSTests/wasm/stress/funcref-types.js
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
Log Message:
-----------
Cherry-pick 5b25ef6f6add. https://bugs.webkit.org/show_bug.cgi?id=276097
ref.as_non_null does not validate argument type
https://bugs.webkit.org/show_bug.cgi?id=276097
rdar://130746587
Reviewed by Yusuke Suzuki.
The function parser does not ensure ref.as_non_null takes in the correct type; this may lead to issues downstream because of incorrect validation.
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
Canonical link: https://commits.webkit.org/272448.1102@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.351@webkitglib/2.44
Commit: 86e3310cac6f15fb9e405929bc8b65f390c4c43f
https://github.com/WebKit/WebKit/commit/86e3310cac6f15fb9e405929bc8b65f390c4c43f
Author: Michael Saboff <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A JSTests/stress/regexp-backreference-backtrack-interpreter.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 51993233d76f. https://bugs.webkit.org/show_bug.cgi?id=276154
Crash in JavaScriptCore: JSC::Yarr::Interpreter<unsigned char>::matchDisjunction()
rdar://115244009
https://bugs.webkit.org/show_bug.cgi?id=276154
Reviewed by Yusuke Suzuki.
When processing back references, if the referenced capture was empty then the back reference succeeds without comparing the characters at the back reference atom with the captured characters. This was handled with early exits in the function matchBackReference(), before setting match info like the start position, match size or match count. This info is used when backtracking or when matching more in the case of a non-greedy quantified back reference.
The fix is to move setting the initial match information before we do any checks for an empty match or a match comparing characters. Also added code to properly handle duplicate named capture groups in the function backtrackBackReference().
Added a new regression test.
* JSTests/stress/regexp-backreference-backtrack-interpreter.js: Added.
(arrayToString):
(objectToString):
(dumpValue):
(compareArray):
(compareGroups):
(testRegExp):
(testRegExpSyntaxError):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchBackReference):
(JSC::Yarr::Interpreter::backtrackBackReference):
Canonical link: https://commits.webkit.org/272448.1104@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.352@webkitglib/2.44
Commit: 4c92a994eda7830b3568bcf7fe3442ece46c645b
https://github.com/WebKit/WebKit/commit/4c92a994eda7830b3568bcf7fe3442ece46c645b
Author: Youenn Fablet <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/Modules/webaudio/AudioDestinationNode.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
M Source/WebCore/workers/WorkerThread.cpp
Log Message:
-----------
Cherry-pick f98cf4e20b37. <bug>
heap-use-after-free | WebCore::WorkerOrWorkletThread::destroyWorkerGlobalScope;
WebCore::WorkerOrWorkletThread::workerOrWorkletThread; WTF::Thread::entryPoint)
rdar://131127484
Reviewed by Ryosuke Niwa.
AudioWorkletGlobalScope is RefCounted so it is unsafe to ref/unref it from
various threads.
Before this patch, AudioDestinationNode::renderQuantum may either be called
from the audio worklet thread (expected) or the audio rendering thread at init
time (unexpected).
This is done to call AudioWorkletGlobalScope::handlePreRenderTasks, which is a
no-op if called in another thread than the worklet thread.
To fix the issue, if we are not in the context thread, we do not ref
AudioWorkletGlobalScope in AudioDestinationNode::renderQuantum.
AudioWorkletGlobalScope::handlePreRenderTasks will then no longer be called in
another thread than the worklet thread.
We update AudioWorkletGlobalScope::handlePreRenderTasks accordingly.
* Source/WebCore/Modules/webaudio/AudioDestinationNode.cpp:
(WebCore::AudioDestinationNode::renderQuantum):
* Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::handlePreRenderTasks):
* Source/WebCore/workers/WorkerThread.cpp:
(WebCore::WorkerThread::globalScope):
Canonical link: https://commits.webkit.org/272448.1107@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.353@webkitglib/2.44
Commit: 87b2180872e47702cc373da4bd94f0799522130b
https://github.com/WebKit/WebKit/commit/87b2180872e47702cc373da4bd94f0799522130b
Author: Chris Dumez <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/WebCore/platform/SharedBuffer.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/LoadAlternateHTMLString.mm
M Tools/TestWebKitAPI/cocoa/HTTPServer.h
M Tools/TestWebKitAPI/cocoa/HTTPServer.mm
Log Message:
-----------
Cherry-pick 0d4ba4017ef3. https://bugs.webkit.org/show_bug.cgi?id=276381
Integer truncation in FragmentedSharedBuffer::tryCreateArrayBuffer can lead to
a buffer overflow
https://bugs.webkit.org/show_bug.cgi?id=276381
rdar://131369305
Reviewed by Alex Christensen.
Make sure the size fits in an `unsigned` type before casting it.
Including an API test that Alex Christensen wrote.
* Source/WebCore/platform/SharedBuffer.cpp:
(WebCore::FragmentedSharedBuffer::tryCreateArrayBuffer const):
Canonical link: https://commits.webkit.org/272448.1109@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.354@webkitglib/2.44
Commit: ab3a877c56cf7249703241b4e682134dac35f9ac
https://github.com/WebKit/WebKit/commit/ab3a877c56cf7249703241b4e682134dac35f9ac
Author: Alex Christensen <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
A LayoutTests/security/decode-buffer-size-expected.txt
A LayoutTests/security/decode-buffer-size.html
M Source/WebCore/PAL/pal/text/TextCodecLatin1.cpp
M Source/WebCore/PAL/pal/text/TextCodecUTF8.cpp
Log Message:
-----------
Cherry-pick dfa712ddc5a1. <bug>
Integer truncation in TextCodecUTF8::decode leading to OOB writes
rdar://130946877
Reviewed by Darin Adler.
If the length plus the length of the previously attempted partial UTF-8 sequence
is greater than can fit into an unsigned, we will truncate the length and write
the long length, which isn't ideal.
The Latin-1 codec appears to have a similar issue but it doesn't keep state, so
I think it's unreachable. To make it more clear in code inspection that it is
unreachable, I added a check to be extra safe.
* LayoutTests/security/decode-buffer-size-expected.txt: Added.
* LayoutTests/security/decode-buffer-size.html: Added.
* Source/WebCore/PAL/pal/text/TextCodecLatin1.cpp:
(PAL::TextCodecLatin1::decode):
* Source/WebCore/PAL/pal/text/TextCodecUTF8.cpp:
(PAL::TextCodecUTF8::decode):
Canonical link: https://commits.webkit.org/272448.1108@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.355@webkitglib/2.44
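Both of the two commits above (FragmentedSharedBuffer::tryCreateArrayBuffer and TextCodecUTF8::decode) fix the same defect class: a size_t byte count is cast to unsigned, the cast wraps, and a buffer is sized far smaller than the data written into it. The following is an added example, not WebKit's code and not the referenced patches; it shows the wrapping cast beside a checked narrowing that fails instead of truncating. The helper names checkedToUnsigned, checkedAdd and decodeBufferSize are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Narrow a size_t to unsigned only when the value is representable; otherwise
// report failure instead of silently wrapping. (Hypothetical helper, not a
// WebKit API.)
std::optional<unsigned> checkedToUnsigned(size_t value)
{
    if (value > std::numeric_limits<unsigned>::max())
        return std::nullopt;
    return static_cast<unsigned>(value);
}

// Add two byte counts, failing if the sum would overflow size_t.
std::optional<size_t> checkedAdd(size_t a, size_t b)
{
    if (a > std::numeric_limits<size_t>::max() - b)
        return std::nullopt;
    return a + b;
}

// Decoder-style buffer sizing: bytes needed = new chunk length + bytes carried
// over from a previously incomplete sequence. Every step is checked, so the
// caller either gets a size that fits the unsigned-typed buffer length or a
// failure it must handle (e.g. by rejecting the input).
std::optional<size_t> decodeBufferSize(size_t carriedOverBytes, size_t chunkLength)
{
    auto total = checkedAdd(carriedOverBytes, chunkLength);
    if (!total)
        return std::nullopt;
    auto narrowed = checkedToUnsigned(*total);
    if (!narrowed)
        return std::nullopt;
    return static_cast<size_t>(*narrowed);
}

// The unchecked form, kept only to show the wrong result: on a 64-bit build
// any value >= 2^32 wraps, so a 4 GiB + 1 request yields a 1-byte buffer.
unsigned unsafeNarrow(size_t value)
{
    return static_cast<unsigned>(value);
}

int main()
{
    const size_t tooLarge = static_cast<size_t>(std::numeric_limits<unsigned>::max()) + 1;
    std::printf("unsafeNarrow(2^32) = %u\n", unsafeNarrow(tooLarge));
    std::printf("checked: %s\n", decodeBufferSize(tooLarge, 0) ? "accepted" : "rejected");
    std::printf("checked small: %zu\n", *decodeBufferSize(3, 10));
    return 0;
}
```

The sizeof guard in the assertions below matters because on a platform where size_t and unsigned have the same width no value can fail the narrowing check; the addition check is the one that still applies there.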
Commit: 4959eac8290bf1d87e19025d3862c4926ccb39fe
https://github.com/WebKit/WebKit/commit/4959eac8290bf1d87e19025d3862c4926ccb39fe
Author: Scott Marcy <[email protected]>
Date: 2024-07-31 (Wed, 31 Jul 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/compiler/translator/tree_ops/msl/SeparateCompoundExpressions.cpp
Log Message:
-----------
Cherry-pick 5a66ef38bf19. <bug>
Fix array OOB due to a bug in comma expression processing.
https://bugs.webkit.org/show_bug.cgi?id=xxxxx
rdar://128873925
Reviewed by Dan Glastonbury.
A pre-pass of the ANGLE compiler separates compound expressions into single expressions with temporary values. (i.e. x=A+B+C can become tmp1 = B+C, x=A+tmp1;). When creating a temporary variable, we previously would copy the entire type. However, the type constructor also led to copying qualifiers, such as 'uniform' and 'interface block' markers: Qualifiers that can belong to an original type, but shouldn't ever be applied to temporary variables. (Fix and explanation by Kyle Piddington.)
* Source/ThirdParty/ANGLE/src/compiler/translator/tree_ops/msl/SeparateCompoundExpressions.cpp:
(sh::Separator::pushBinding):
Canonical link: https://commits.webkit.org/272448.1110@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.356@webkitglib/2.44
Compare: https://github.com/WebKit/WebKit/compare/875fd605bd85...4959eac8290b
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes