Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6614c15b1135b37a3352259f49a9cb3968eb7030
https://github.com/WebKit/WebKit/commit/6614c15b1135b37a3352259f49a9cb3968eb7030
Author: Frédéric Wang <[email protected]>
Date: 2024-11-04 (Mon, 04 Nov 2024)
Changed paths:
A LayoutTests/platform/glib/svg/stroke/nan-stroke-width-crash-expected.txt
A LayoutTests/platform/ios/svg/stroke/nan-stroke-width-crash-expected.txt
A LayoutTests/platform/mac/svg/stroke/nan-stroke-width-crash-expected.txt
A LayoutTests/svg/stroke/nan-stroke-width-crash.html
M Source/WebCore/rendering/svg/RenderSVGShape.cpp
M Source/WebCore/rendering/svg/legacy/LegacyRenderSVGShape.cpp
Log Message:
-----------
Interpret NaN values in (Legacy)RenderSVGShape::strokeWidth() as 0.
https://bugs.webkit.org/show_bug.cgi?id=276898
rdar://126635831
Reviewed by Simon Fraser.
* LayoutTests/platform/gtk/svg/stroke/nan-stroke-width-crash-expected.txt: Added.
* LayoutTests/svg/stroke/nan-stroke-width-crash.html: Added.
* Source/WebCore/rendering/svg/RenderSVGShape.cpp:
(WebCore::RenderSVGShape::strokeWidth const): Map NaN values to 0.
* Source/WebCore/rendering/svg/legacy/LegacyRenderSVGShape.cpp:
(WebCore::LegacyRenderSVGShape::strokeWidth const): Ditto.
Originally-landed-as: [email protected] (c044da77e2dd).
rdar://138937000
Canonical link: https://commits.webkit.org/286089@main
Commit: 1629ea3d89935ede90e6cb3e047c97ed2f48f771
https://github.com/WebKit/WebKit/commit/1629ea3d89935ede90e6cb3e047c97ed2f48f771
Author: Chris Dumez <[email protected]>
Date: 2024-11-04 (Mon, 04 Nov 2024)
Changed paths:
M Source/WebKit/Platform/IPC/Decoder.cpp
Log Message:
-----------
Do more validation of IPC::Decoder's destinationID
https://bugs.webkit.org/show_bug.cgi?id=279574
rdar://135525328
Reviewed by Darin Adler.
Do more validation of IPC::Decoder's destinationID. We have to keep allowing 0
since it is a valid destinationID. However, we can reject -1 which is the
HashTable's deleted value.
This is important since we sometimes construct ObjectIdentifiers from the
decoder's destinationID and these ObjectIdentifiers may be used to look up
in a HashMap.
283525@main also added more validation of the raw identifier when constructing
an ObjectIdentifier which will further protect us.
* Source/WebKit/Platform/IPC/Decoder.cpp:
Originally-landed-as: 280938.329@safari-7619-branch (ba52e5dc13c9).
rdar://138935690
Canonical link: https://commits.webkit.org/286090@main
Commit: a99f704817f8f852af488d95b968058b9dc6ad25
https://github.com/WebKit/WebKit/commit/a99f704817f8f852af488d95b968058b9dc6ad25
Author: Youenn Fablet <[email protected]>
Date: 2024-11-04 (Mon, 04 Nov 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libyuv/source/scale.cc
M Source/ThirdParty/libwebrtc/Source/third_party/libyuv/unit_test/scale_test.cc
Log Message:
-----------
Potential 'segmentation fault' issue committed to upstream libwebrtc (libyuv)
rdar://135934122
Reviewed by Chris Dumez.
Cherry-picking of 4620f1705822fd6ab99939f43ce63099bd3d9ae0.
* Source/ThirdParty/libwebrtc/Source/third_party/libyuv/source/scale.cc:
* Source/ThirdParty/libwebrtc/Source/third_party/libyuv/unit_test/scale_test.cc:
Originally-landed-as: 280938.333@safari-7619-branch (97f10bf9519a).
rdar://138936093
Canonical link: https://commits.webkit.org/286091@main
Commit: c57d22824dfd92cd4bdcc5821db1f2c093c94669
https://github.com/WebKit/WebKit/commit/c57d22824dfd92cd4bdcc5821db1f2c093c94669
Author: Yusuke Suzuki <[email protected]>
Date: 2024-11-04 (Mon, 04 Nov 2024)
Changed paths:
M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
[JSC] Catch entering stack map computation in OMG is wrong for CallRef
https://bugs.webkit.org/show_bug.cgi?id=279480
rdar://133868556
Reviewed by David Degazio.
preparePatchpointForExceptions was assuming that we are appending stack
map generation constraints at the end of the sequence in Patchpoint.
But this is wrong for CallRef since we append a value after we set up
these stack map constraints. As a result, the generated stack map is
offset by 2 in CallRef, using wrong values. This patch makes these
computations more robust: saving the current params offset and children
offset and using them later. This makes it possible to put stack map
generation whenever we would like to.
* Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h:
(JSC::Wasm::PatchpointExceptionHandle::PatchpointExceptionHandle):
(JSC::Wasm::PatchpointExceptionHandle::generate const):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::preparePatchpointForExceptions):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::preparePatchpointForExceptions):
Originally-landed-as: 280938.323@safari-7619-branch (8898391fae62).
rdar://138935529
Canonical link: https://commits.webkit.org/286092@main
Commit: 0bed2d44743951a79af3185194e72792125aac91
https://github.com/WebKit/WebKit/commit/0bed2d44743951a79af3185194e72792125aac91
Author: Tadeu Zagallo <[email protected]>
Date: 2024-11-04 (Mon, 04 Nov 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/compiler/translator/Types.h
M Source/ThirdParty/ANGLE/src/compiler/translator/msl/EmitMetal.cpp
M Source/ThirdParty/ANGLE/src/compiler/translator/msl/ProgramPrelude.cpp
Log Message:
-----------
[ANGLE] Avoid undefined behavior in arithmetic operations
https://bugs.webkit.org/show_bug.cgi
rdar://116020685
Reviewed by Kimmo Kinnunen.
Avoid undefined behavior in the following operations:
- division by zero
- modulo by zero
- binary shifts of negative numbers or that exceed bit width
- integer overflow in addition, subtraction and multiplication.
- floating-point to integral conversions
* Source/ThirdParty/ANGLE/src/compiler/translator/msl/EmitMetal.cpp:
(GetOperatorString):
(IsSymbolicOperator):
(GenMetalTraverser::visitBinary):
* Source/ThirdParty/ANGLE/src/compiler/translator/msl/ProgramPrelude.cpp:
Originally-landed-as: 280938.322@safari-7619-branch (a7afa8f04641).
rdar://138935307
Canonical link: https://commits.webkit.org/286093@main
Compare: https://github.com/WebKit/WebKit/compare/e60ed769901b...0bed2d447439