Branch: refs/heads/webkitglib/2.46
Home: https://github.com/WebKit/WebKit
Commit: f62bee2d7053e57b1fe7a2f3ed3651d7dd124ebb
https://github.com/WebKit/WebKit/commit/f62bee2d7053e57b1fe7a2f3ed3651d7dd124ebb
Author: Youenn Fablet <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/http/tests/media/hls/range-request-cross-origin-expected.txt
A LayoutTests/http/tests/media/hls/range-request-cross-origin-worker.js
A LayoutTests/http/tests/media/hls/range-request-cross-origin.html
A LayoutTests/http/tests/media/resources/hls/range-request-playlist-cross-origin.m3u8
A LayoutTests/http/tests/media/resources/hls/range-request-playlists/stream-cross-origin.m3u8
A LayoutTests/http/wpt/resources/test.mp4
A LayoutTests/http/wpt/service-workers/media-range-request-expected.txt
A LayoutTests/http/wpt/service-workers/media-range-request-worker.js
A LayoutTests/http/wpt/service-workers/media-range-request.html
M Source/WebCore/loader/MediaResourceLoader.cpp
M Source/WebCore/loader/MediaResourceLoader.h
Log Message:
-----------
Cherry-pick 283286.128@safari-7620-branch (24ac271f7d48).
https://bugs.webkit.org/show_bug.cgi?id=276861
CVE-2022-31736 - Leaking size of cross-origin resources by using Range Requests
and Service Workers
rdar://135680688
https://bugs.webkit.org/show_bug.cgi?id=276861
Reviewed by Jer Noble.
We want to restrict byte range responses of a single URL served from multiple
origins.
While https://html.spec.whatwg.org/multipage/media.html#verify-a-media-response
fixes this, it is not adapted for HLS content which can load different range
requests from different origins for the same media element.
Instead, we implement a check dedicated to checking successive range request
media loads to the same URL.
We store, per URL, whether these loads are served with service worker content
or opaque response content.
We restrict the checks so that validation can only fail if at least one of the
loads is served by a service worker, which should reduce any potential compat
issue.
If they are served with both service worker and opaque response content, they
need to all be same origin.
This allows the following cases to load properly:
- All loads are served with content that is visible to the service worker
(same-origin, synthetic or CORS enabled).
- All loads are coming from the same origin.
This does not allow mixing content that is visible to the service worker and
loads that are opaque.
We add a test exercising the failing case.
We also add an HLS test doing range requests from different origins as part of
the same media element streaming, all served by service worker.
* LayoutTests/http/tests/media/hls/range-request-cross-origin-expected.txt:
Added.
* LayoutTests/http/tests/media/hls/range-request-cross-origin-worker.js: Added.
* LayoutTests/http/tests/media/hls/range-request-cross-origin.html: Added.
* LayoutTests/http/tests/media/resources/hls/range-request-playlist-cross-origin.m3u8: Added.
* LayoutTests/http/tests/media/resources/hls/range-request-playlists/stream-cross-origin.m3u8: Added.
* LayoutTests/http/wpt/resources/test.mp4: Added.
* LayoutTests/http/wpt/service-workers/media-range-request-expected.txt: Added.
* LayoutTests/http/wpt/service-workers/media-range-request-worker.js: Added.
(self.onfetch.event.event.request.url.includes):
(self.onfetch.event.videoRequestCount.shouldUseSyntheticResponse.event.respondWith.new.Response.new.Uint8Array):
* LayoutTests/http/wpt/service-workers/media-range-request.html: Added.
* Source/WebCore/loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::verifyMediaResponse):
(WebCore::MediaResource::responseReceived):
* Source/WebCore/loader/MediaResourceLoader.h:
Canonical link: https://commits.webkit.org/282416.338@webkitglib/2.46
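The per-URL rule described in the message above, as an added model (not WebKit's MediaResourceLoader code, and with hypothetical type and function names): each range response for a media URL is recorded as either visible to the service worker or opaque, together with the origin of the URL that answered it; validation can only fail once a service worker has served the URL, and a history that mixes visible and opaque content must come from a single origin.

```cpp
#include <map>
#include <set>
#include <string>

// How a range response reached the media element. Names are hypothetical;
// the two kinds are the ones the commit message distinguishes.
enum class MediaResponseKind {
    ServiceWorker, // content visible to the service worker: same-origin, synthetic or CORS-enabled
    Opaque         // cross-origin no-cors content the service worker cannot read
};

// Per-URL history of the successive range loads for one media resource.
struct RangeLoadHistory {
    bool sawServiceWorker = false;
    bool sawOpaque = false;
    std::set<std::string> origins; // origins that have served this URL so far
};

class MediaRangeRequestValidator {
public:
    // Records one range response for `url` served from `responseOrigin` and
    // returns false when this load must be rejected.
    bool verifyMediaResponse(const std::string& url, MediaResponseKind kind, const std::string& responseOrigin)
    {
        RangeLoadHistory& history = m_historyPerURL[url];
        if (kind == MediaResponseKind::ServiceWorker)
            history.sawServiceWorker = true;
        else
            history.sawOpaque = true;
        history.origins.insert(responseOrigin);

        // Validation can only fail once at least one load came through a
        // service worker; all-opaque histories are left alone for compatibility.
        if (!history.sawServiceWorker)
            return true;

        // Mixing service-worker-visible and opaque content is allowed only if
        // every load came from the same origin; otherwise a page could learn the
        // size of a cross-origin resource from which ranges succeed.
        if (history.sawOpaque && history.origins.size() > 1)
            return false;
        return true;
    }

private:
    std::map<std::string, RangeLoadHistory> m_historyPerURL;
};

// The scenarios the commit message spells out, each returning true when the
// validator gives the expected verdict. URLs and origins are constructed.
bool allLoadsVisibleToServiceWorkerAreAllowed()
{
    MediaRangeRequestValidator validator;
    const std::string url = "https://media.example/stream.mp4";
    return validator.verifyMediaResponse(url, MediaResponseKind::ServiceWorker, "https://a.example")
        && validator.verifyMediaResponse(url, MediaResponseKind::ServiceWorker, "https://b.example");
}

bool allLoadsFromSameOriginAreAllowed()
{
    MediaRangeRequestValidator validator;
    const std::string url = "https://a.example/stream.mp4";
    return validator.verifyMediaResponse(url, MediaResponseKind::ServiceWorker, "https://a.example")
        && validator.verifyMediaResponse(url, MediaResponseKind::Opaque, "https://a.example");
}

bool allOpaqueLoadsAreAllowed()
{
    MediaRangeRequestValidator validator;
    const std::string url = "https://media.example/stream.mp4";
    return validator.verifyMediaResponse(url, MediaResponseKind::Opaque, "https://a.example")
        && validator.verifyMediaResponse(url, MediaResponseKind::Opaque, "https://b.example");
}

bool mixedVisibilityAcrossOriginsIsRejected()
{
    MediaRangeRequestValidator validator;
    const std::string url = "https://media.example/stream.mp4";
    const bool first = validator.verifyMediaResponse(url, MediaResponseKind::ServiceWorker, "https://a.example");
    const bool second = validator.verifyMediaResponse(url, MediaResponseKind::Opaque, "https://b.example");
    return first && !second;
}
```

The history is keyed by the media URL, as the message says, so two different media elements loading the same URL share one verdict; the fourth scenario is the leaking case the new test exercises, the first is the HLS case where every origin is served by the service worker.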
Commit: 69487aefa8c1d6fbae7e3edbd290c331264e8e13
https://github.com/WebKit/WebKit/commit/69487aefa8c1d6fbae7e3edbd290c331264e8e13
Author: David Kilzer <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/wtf/URL.h
M Source/WTF/wtf/URLParser.h
M Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm
Log Message:
-----------
Cherry-pick 283286.184@safari-7620-branch (227f601688f4).
https://bugs.webkit.org/show_bug.cgi?id=280805
[WTF] Add LIFETIME_BOUND to URL.h and URLParser.h methods
<https://bugs.webkit.org/show_bug.cgi?id=280805>
<rdar://137177574>
Reviewed by Darin Adler.
* Source/WTF/wtf/URL.h:
* Source/WTF/wtf/URLParser.h:
- Add LIFETIME_BOUND attributes to methods that return pointers or
references to inner data.
* Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm:
(WebKit::UnifiedPDFPlugin::revealFragmentIfNeeded):
- WTF::URL::fragmentIdentifier() returns a StringView, so we must keep
the URL object alive to fix the use-after-free. Remove unneeded
`fragment` variable in favor of `fragmentView`.
Canonical link: https://commits.webkit.org/282416.339@webkitglib/2.46
Commit: edaed5b8f04dccb50513e2fc7e724e9f67a14e21
https://github.com/WebKit/WebKit/commit/edaed5b8f04dccb50513e2fc7e724e9f67a14e21
Author: David Kilzer <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/JavaScriptCore/tools/VMInspector.cpp
M Source/WTF/wtf/text/CString.h
M Source/WTF/wtf/text/StringConcatenate.h
M Source/WTF/wtf/text/TextStream.cpp
M Source/WTF/wtf/text/TextStream.h
M Source/WebCore/platform/graphics/BitmapImage.h
M Source/WebCore/platform/graphics/BitmapImageSource.cpp
M Source/WebCore/platform/graphics/BitmapImageSource.h
M Source/WebCore/platform/graphics/ImageFrameAnimator.cpp
M Source/WebCore/platform/graphics/ImageFrameAnimator.h
M Source/WebCore/platform/graphics/ImageFrameWorkQueue.cpp
Log Message:
-----------
Cherry-pick 283286.185@safari-7620-branch (fb73615833e6).
https://bugs.webkit.org/show_bug.cgi?id=280809
[WTF] Add LIFETIME_BOUND to CString.h methods
<https://bugs.webkit.org/show_bug.cgi?id=280809>
<rdar://137179585>
Reviewed by Darin Adler.
* Source/JavaScriptCore/tools/VMInspector.cpp:
(JSC::VMInspector::dumpRegisters):
- Fix use-after-free by storing CString on the stack instead of the
const char* pointer.
* Source/WTF/wtf/text/CString.h:
- Add LIFETIME_BOUND attributes to methods that return pointers or
references to inner data.
* Source/WTF/wtf/text/StringConcatenate.h:
(WTF::StringTypeAdapter<CString, void>): Add.
* Source/WTF/wtf/text/TextStream.cpp:
(WTF::TextStream::operator<<): Add.
* Source/WTF/wtf/text/TextStream.h:
(WTF::TextStream::operator<<): Add.
- Add support for CString objects.
* Source/WebCore/platform/graphics/BitmapImage.h:
(WebCore::BitmapImage::sourceUTF8 const):
* Source/WebCore/platform/graphics/BitmapImageSource.cpp:
(WebCore::BitmapImageSource::destroyDecodedData):
(WebCore::BitmapImageSource::stopDecodingWorkQueue):
(WebCore::BitmapImageSource::decode):
(WebCore::BitmapImageSource::imageFrameDecodeAtIndexHasFinished):
(WebCore::BitmapImageSource::requestNativeImageAtIndex):
(WebCore::BitmapImageSource::requestNativeImageAtIndexIfNeeded):
(WebCore::BitmapImageSource::nativeImageAtIndexCacheIfNeeded):
(WebCore::BitmapImageSource::sourceUTF8 const):
* Source/WebCore/platform/graphics/BitmapImageSource.h:
(WebCore::BitmapImageSource::sourceUTF8 const):
* Source/WebCore/platform/graphics/ImageFrameAnimator.cpp:
(WebCore::ImageFrameAnimator::startAnimation):
(WebCore::ImageFrameAnimator::advanceAnimation):
(WebCore::ImageFrameAnimator::sourceUTF8 const):
* Source/WebCore/platform/graphics/ImageFrameAnimator.h:
(WebCore::ImageFrameAnimator::sourceUTF8 const):
* Source/WebCore/platform/graphics/ImageFrameWorkQueue.cpp:
(WebCore::ImageFrameWorkQueue::start):
(WebCore::ImageFrameWorkQueue::stop):
- Change return type of sourceUTF8() methods to CString to keep the
string alive until it's needed for logging. This fixes the
use-after-free in the original BitmapImage::sourceUTF8() method.
- Add call to CString::data() when logging.
Canonical link: https://commits.webkit.org/282416.340@webkitglib/2.46
Commit: 554089784c827c2385bfed3ea2f51faf6c077e40
https://github.com/WebKit/WebKit/commit/554089784c827c2385bfed3ea2f51faf6c077e40
Author: David Kilzer <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/wtf/Vector.h
M Source/WebCore/Modules/mediastream/RTCRtpSFrameTransformer.cpp
M Source/WebCore/Modules/mediastream/SFrameUtils.cpp
M Source/WebCore/Modules/mediastream/SFrameUtils.h
Log Message:
-----------
Cherry-pick 283286.203@safari-7620-branch (dbe14535006e).
https://bugs.webkit.org/show_bug.cgi?id=280802
[WTF] Add LIFETIME_BOUND to Vector.h methods
<https://bugs.webkit.org/show_bug.cgi?id=280802>
<rdar://137175142>
Reviewed by Darin Adler.
Change SFrameCompatibilityPrefixBuffer into a Vector<uint8_t>.
* Source/WTF/wtf/Vector.h:
- Add LIFETIME_BOUND attributes to methods in Vector.h that return
pointers or references to inner data.
* Source/WebCore/Modules/mediastream/RTCRtpSFrameTransformer.cpp:
(WebCore::RTCRtpSFrameTransformer::encryptFrame):
- Extract std::span from SFrameCompatibilityPrefixBuffer, which is now a
std::variant.
- Switch to use size() methods on std::span.
- Switch to use memcpySpan() instead of memcpy().
* Source/WebCore/Modules/mediastream/SFrameUtils.cpp:
(WebCore::computeH264PrefixBuffer):
(WebCore::computeVP8PrefixBuffer):
- Update return expressions for std::variant construction.
* Source/WebCore/Modules/mediastream/SFrameUtils.h:
(WebCore::SFrameCompatibilityPrefixBuffer):
- Replace struct SFrameCompatibilityPrefixBuffer with std::variant.
Canonical link: https://commits.webkit.org/282416.341@webkitglib/2.46
Commit: c25dc9a58614c576862adb97a3a52074a4a501ce
https://github.com/WebKit/WebKit/commit/c25dc9a58614c576862adb97a3a52074a4a501ce
Author: Kimmo Kinnunen <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
M Source/WebCore/platform/graphics/Region.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Tools/TestWebKitAPI/CMakeLists.txt
M Tools/TestWebKitAPI/Test.h
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp
Log Message:
-----------
Cherry-pick 283286.236@safari-7620-branch (c5f45c2aa95e).
https://bugs.webkit.org/show_bug.cgi?id=281040
Add more validation to Region IPC decoding
https://bugs.webkit.org/show_bug.cgi?id=281040
rdar://136142756
Reviewed by Antti Koivisto.
Region::Shape algorithm is sensitive to the array structure. Validate
the data correctly.
Instead of encoding the bounds and the Shape data, just encode the
shape data. It fully defines the Region.
Use <=> in place of nextY - Y in order to avoid signed integer wrapping
and ensuring that the algorithm works correctly with negative Ys.
* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::rects const):
(WebCore::Region::Shape::Shape):
(WebCore::operator<<):
(WebCore::Region::Shape::shapeOperation):
(WebCore::segmentsForSpanSegmentIndices):
(WebCore::Region::Shape::isValidShape):
(WebCore::m_spans): Deleted.
(WebCore::Region::Shape::appendSegment): Deleted.
(WebCore::Region::Shape::dump const): Deleted.
(WebCore::Region::dump const): Deleted.
(WebCore::Region::Shape::isValid const): Deleted.
* Source/WebCore/platform/graphics/Region.h:
(WebCore::Region::Shape::createForTesting):
(WebCore::Region::Shape::dataForTesting const):
(WebCore::Region::createForTesting):
(WebCore::Region::dataForTesting const):
(WebCore::Region::Region):
(WebCore::Region::data const):
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/Test.h:
(WTF::operator<<):
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp: Added.
(convertToString):
(convertToTrimmedString):
(WebCore::operator<<):
(TestWebKitAPI::TEST(r, ShapeEmptyIsRepresentable)):
(TestWebKitAPI::TEST(RegionTests, ShapeEmptyIsEmpty)):
(TestWebKitAPI::TEST(RegionTests, IsValidShapeFalse)):
(TestWebKitAPI::TEST(RegionTests, UniteTests1)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatIndividual)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatDisjoint)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointXMergeable)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointYMergeable)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointX)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointY)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestEvenSegments)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestSortedSpan)):
(TestWebKitAPI::randomRect):
(TestWebKitAPI::TEST(RegionTests, FuzzOperationsIsValidShape)):
(TestWebKitAPI::TEST(RegionTests, IsValidShape1)):
(TestWebKitAPI::TEST(RegionTests, IsValidShape2)):
Canonical link: https://commits.webkit.org/282416.342@webkitglib/2.46
Commit: 8b684039eb85a73ec07fa6e5b592561adf855c0f
https://github.com/WebKit/WebKit/commit/8b684039eb85a73ec07fa6e5b592561adf855c0f
Author: Nitin Mahendru <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/storage/filesystemaccess/filesystem-directory-handle-rename-expected.txt
A LayoutTests/storage/filesystemaccess/filesystem-directory-handle-rename.html
M Source/WTF/wtf/FileSystem.cpp
M Source/WTF/wtf/FileSystem.h
M Tools/TestWebKitAPI/Tests/WTF/FileSystem.cpp
Log Message:
-----------
Cherry-pick 283286.251@safari-7620-branch (30ab479e8242).
https://bugs.webkit.org/show_bug.cgi?id=281280
std::filesystem::copy should not be used to recursively copy parent into its
child.
https://bugs.webkit.org/show_bug.cgi?id=281280
rdar://137177339
Reviewed by Sihui Liu and Alex Christensen.
The added test case filesystem-directory-handle-rename.html will cause
std::filesystem::copy to be called with top OPFS FileSystem directory being
copied into itself under a subdirectory with name `\u0480`.
This will cause a recursive directory tree to be generated inside the root
storage directory.
If FileSystem::directorySize() is called over that directory, it will abort
with `Too many open files`.
The Unicode `\u0480` has no significance but just a weird character to use for
the file name.
If you see this, it should raise questions. Thus the choice.
The same error will happen if we choose "anyRandomAsciiName".
The fix added here will prevent std::filesystem::copy to be called in case
source is ancestor of destination.
* LayoutTests/storage/filesystemaccess/filesystem-directory-handle-rename.html:
Added.
* Source/WTF/wtf/FileSystem.cpp:
(WTF::FileSystemImpl::isAncestor):
* Source/WTF/wtf/FileSystem.h:
* Source/WebKit/NetworkProcess/storage/FileSystemStorageHandle.cpp:
(WebKit::FileSystemStorageHandle::move):
* Tools/TestWebKitAPI/Tests/WTF/FileSystem.cpp:
(TestWebKitAPI::TEST_F(FileSystemTest, isAncestor)):
Canonical link: https://commits.webkit.org/282416.343@webkitglib/2.46
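An ancestor check of the kind the message describes, added here as an example (it is not WTF's FileSystem::isAncestor; the function names are this example's own). The comparison is purely lexical, done on normalised path components, and a wrapper refuses to start a recursive std::filesystem::copy when the source contains, or is, the destination:

```cpp
#include <filesystem>
#include <system_error>

namespace fs = std::filesystem;

// Normalises a path lexically ("." and ".." folded) and drops the empty
// trailing element that a path such as "dir/" carries, so "a/b/" and "a/b"
// compare equal. Nothing is touched on disk.
static fs::path canonicalizeLexically(const fs::path& path)
{
    fs::path normalized = path.lexically_normal();
    if (!normalized.empty() && normalized.filename().empty())
        normalized = normalized.parent_path();
    return normalized;
}

// True when `ancestor` is a proper ancestor directory of `path`: every
// component of `ancestor` matches the start of `path` and `path` has at
// least one more component. Equal paths are not ancestors of each other.
bool isAncestor(const fs::path& ancestor, const fs::path& path)
{
    const fs::path a = canonicalizeLexically(ancestor);
    const fs::path p = canonicalizeLexically(path);
    auto aIt = a.begin();
    auto pIt = p.begin();
    for (; aIt != a.end(); ++aIt, ++pIt) {
        if (pIt == p.end() || *aIt != *pIt)
            return false;
    }
    return pIt != p.end();
}

// Wraps fs::copy so that a source that contains its own destination (or is
// the destination) is refused up front instead of recursing until the process
// runs out of file descriptors. Returns false with `ec` set on refusal or failure.
bool copyDirectoryRecursively(const fs::path& source, const fs::path& destination, std::error_code& ec)
{
    ec.clear();
    if (canonicalizeLexically(source) == canonicalizeLexically(destination) || isAncestor(source, destination)) {
        ec = std::make_error_code(std::errc::invalid_argument);
        return false;
    }
    fs::copy(source, destination, fs::copy_options::recursive, ec);
    return !ec;
}

// Constructed paths mirroring the test's shape: a storage root copied into
// one of its own subdirectories. No copy is attempted, so nothing is created.
bool refusesCopyIntoOwnSubdirectory()
{
    std::error_code ec;
    const bool copied = copyDirectoryRecursively("/storage/root", "/storage/root/sub", ec);
    return !copied && ec == std::errc::invalid_argument;
}
```

Because the check is lexical, a symlink inside the source that points back at an ancestor is not detected; callers that must handle that case need to resolve both paths with fs::weakly_canonical first, which does consult the disk.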
Commit: 0667b7d549d53d0a9c74dd59f2408182429a8e51
https://github.com/WebKit/WebKit/commit/0667b7d549d53d0a9c74dd59f2408182429a8e51
Author: David Kilzer <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/JavaScriptCore/tools/FunctionAllowlist.cpp
Log Message:
-----------
Cherry-pick 283286.315@safari-7620-branch (98b6fa893826).
https://bugs.webkit.org/show_bug.cgi?id=281675
Potential unsigned integer underflow in
JSC::FunctionAllowlist::FunctionAllowlist constructor
<https://bugs.webkit.org/show_bug.cgi?id=281675>
<rdar://138127490>
Reviewed by Darin Adler.
* Source/JavaScriptCore/tools/FunctionAllowlist.cpp:
(JSC::FunctionAllowlist::FunctionAllowlist):
- Check that `length` returned from strlen() is non-zero before checking
the end of the C-string for a newline character.
Canonical link: https://commits.webkit.org/282416.344@webkitglib/2.46
Commit: a1a9523b4b0478a19377c4257aac5ce56bb996d5
https://github.com/WebKit/WebKit/commit/a1a9523b4b0478a19377c4257aac5ce56bb996d5
Author: Nitin Mahendru <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp-expected.txt
A LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp.html
A LayoutTests/security/contentSecurityPolicy/resources/csp-javascript-url.js
A LayoutTests/security/contentSecurityPolicy/resources/no-csp.html
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Cherry-pick 283286.352@safari-7620-branch (378ba1584ade).
https://bugs.webkit.org/show_bug.cgi?id=281477
`javascript: url` navigation to another browsing context (created from
`window.open`) misses checking the source's CSP
rdar://137941234
https://bugs.webkit.org/show_bug.cgi?id=281477
Reviewed by Alex Christensen.
A change in window.location.href causes a navigation. We were not checking
the CSP in that flow. This change adds that.
* LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp-expected.txt: Added.
* LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp.html: Added.
* LayoutTests/security/contentSecurityPolicy/resources/csp-javascript-url.js:
Added.
(sleep):
(sleep.500.then):
* LayoutTests/security/contentSecurityPolicy/resources/no-csp.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadWithNavigationAction):
Canonical link: https://commits.webkit.org/282416.345@webkitglib/2.46
Commit: 0a7bf5435b6439673e04dda64c1cb34d27e9d011
https://github.com/WebKit/WebKit/commit/0a7bf5435b6439673e04dda64c1cb34d27e9d011
Author: Rupin Mittal <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/http/tests/security/document-cached-font-loading-expected.txt
A LayoutTests/http/tests/security/document-cached-font-loading.html
A LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html
A LayoutTests/http/tests/security/resources/font.ttf
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/DocumentFontLoader.cpp
M Source/WebCore/dom/DocumentFontLoader.h
Log Message:
-----------
Cherry-pick 283286.365@safari-7620-branch (e7b7957de026).
https://bugs.webkit.org/show_bug.cgi?id=281912
DocumentFontLoader::fontLoadingTimerFired() must keep a Ref of Document on the
stack
https://bugs.webkit.org/show_bug.cgi?id=281912
rdar://138215892
Reviewed by Chris Dumez.
DocumentFontLoader::fontLoadingTimerFired() calls CachedResourceLoader::loadDone(),
which holds a RefPtr to the Document. It seems that in certain cases (like the
reproduction case in the radar), this is the only Ref keeping the Document alive.
So when the function ends, the Document is destroyed. Then, when
fontLoadingTimerFired() calls Document::frame() with its WeakRef m_document,
there is a crash since the Document has been destroyed.
Since Document owns DocumentFontLoader, we make DocumentFontLoader forward its
refcounting to its owning Document. Then we ensure that the Document is alive by
holding a RefPtr to the DocumentFontLoader itself at the beginning of
fontLoadingTimerFired().
* LayoutTests/http/tests/security/document-cached-font-loading-expected.txt:
Added.
* LayoutTests/http/tests/security/document-cached-font-loading.html: Added.
* LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html: Added.
* LayoutTests/http/tests/security/resources/font.ttf: Added.
This is the test created based on the reproduction case in the Radar.
* Source/WebCore/dom/DocumentFontLoader.cpp:
(WebCore::DocumentFontLoader::fontLoadingTimerFired):
Canonical link: https://commits.webkit.org/282416.346@webkitglib/2.46
Commit: f91af249d30d434350e882bde617654d5d9f6395
https://github.com/WebKit/WebKit/commit/f91af249d30d434350e882bde617654d5d9f6395
Author: Dan Hecht <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/wasm/stress/compile-unreachable-catch.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
Log Message:
-----------
Cherry-pick 283286.367@safari-7620-branch (6146215d9220).
https://bugs.webkit.org/show_bug.cgi?id=282180
[JSC] BBQJIT::addCatchToUnreachable should unbind all temps
https://bugs.webkit.org/show_bug.cgi?id=282180
rdar://138178927
Reviewed by David Degazio.
BBQJIT::addCatchToUnreachable() and BBQJIT::addCatchAllToUnreachable()
are used after a control flow instruction is reached that makes the
end of the block unreachable, so they both avoid emitting code to
flush temps. However, they still need to unbind temps, otherwise
temps that are used within the catch will refer to stale bindings.
This issue occurs when catch or catch_all follows return_call or
unreachable bytecodes as these do not themselves flush the temps
back to their canonical locations (whereas unconditional branch will since
the temps can still be live).
* JSTests/wasm/stress/compile-unreachable-catch.js: Added.
(async runOne):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchAllToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::addEndToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::unbindAllRegisters):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
Canonical link: https://commits.webkit.org/282416.347@webkitglib/2.46
Commit: a2618d4a5fdb2a60cb6d42c49278fc52904c2274
https://github.com/WebKit/WebKit/commit/a2618d4a5fdb2a60cb6d42c49278fc52904c2274
Author: Zak Ridouh <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
M Source/WebKit/UIProcess/WebPageProxy.messages.in
Log Message:
-----------
Cherry-pick 283286.409@safari-7620-branch (d52d0ebc7afb).
https://bugs.webkit.org/show_bug.cgi?id=282487
[CoreIPC] Reject frame size updates if site isolation is disabled
https://bugs.webkit.org/show_bug.cgi?id=282487
<rdar://135006098>
Reviewed by Sihui Liu and Ryosuke Niwa.
We should reject frame size update requests in the UI process if site
isolation is disabled, instead of just `ASSERT` in debug builds.
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::updateFrameSize):
Canonical link: https://commits.webkit.org/282416.348@webkitglib/2.46
Commit: a5a7d17cc50687bf390c59b7df96a38efc82e2d2
https://github.com/WebKit/WebKit/commit/a5a7d17cc50687bf390c59b7df96a38efc82e2d2
Author: Keith Miller <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/stress/put-by-val-alias-out-of-bounds.js
M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
M Source/JavaScriptCore/dfg/DFGHeapLocation.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick 283286.410@safari-7620-branch (903f38de509c).
https://bugs.webkit.org/show_bug.cgi?id=282450
TypedArray OutOfBounds gets ArrayModes need to report this to `def`
https://bugs.webkit.org/show_bug.cgi?id=282450
rdar://138178696
Reviewed by Yusuke Suzuki.
Now that TypedArrays don't force an OSR exit on an out of bounds access we could
incorrectly convert a PutByVal to a PutByValAlias. In particular, if we have
something like:
```
18 1 28: D@69:<!3:-> GetByVal(KnownCell:D@49, Int32:D@64,
Check:Untyped:D@139, JS|MustGen|VarArgs|PureInt|UseAsInt,
BoolInt32|NonBoolInt32|Other,
Int32Array+OriginalNonArray+OutOfBounds+AsIs+Read,
R:TypedArrayProperties,MiscFields, Exits, bc#60, ExitValid) predicting
BoolInt32|Other
19 1 28: D@70:<!0:-> MovHint(Check:Untyped:D@69, MustGen, loc9,
W:SideState, ClobbersExit, bc#60, ExitInvalid)
20 1 28: D@72:< 1:-> JSConstant(JS|PureInt|UseAsInt, NonBoolInt32,
Int32: 65535, bc#66, ExitValid)
21 1 28: D@140:< 1:-> ValueToInt32(NotCellNorBigInt:D@69,
Int32|PureInt|UseAsInt, Int32, Exits, bc#66, ExitValid)
22 1 28: D@73:< 2:-> ArithBitAnd(KnownInt32:D@140, Int32:D@72,
Int32|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Int32, Exits, bc#66,
ExitValid)
23 1 28: D@86:<!0:-> Phantom(Check:Untyped:D@69, MustGen, bc#66,
ExitValid)
24 1 28: D@74:<!0:-> MovHint(Check:Untyped:D@73, MustGen, loc9,
W:SideState, ClobbersExit, bc#66, ExitInvalid)
25 1 28: D@76:<!0:-> PutByVal(KnownCell:D@49, Int32:D@64, Int32:D@73,
Check:Untyped:D@139, MustGen|VarArgs,
Int32Array+OriginalNonArray+InBounds+AsIs+Write, R:MiscFields,
W:TypedArrayProperties, Exits, ClobbersExit, bc#72, ExitValid)
```
The above PutByVal will be converted to a PutByValAlias since it appears to
`def` write the same HeapLocation `GetByVal` says it defs.
TypedArrays should now report that the HeapLocation they're writing to is
OutOfBoundsSaneChain. We don't have to actually check the
prototype chain for typed arrays since they don't consult it for indexed
properties.
* JSTests/stress/put-by-val-alias-out-of-bounds.js: Added.
(test):
* Source/JavaScriptCore/dfg/DFGCSEPhase.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
(WTF::printInternal): Deleted.
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
(JSC::DFG::indexedPropertyLocToOutOfBoundsSaneChain):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
Canonical link: https://commits.webkit.org/282416.349@webkitglib/2.46
Commit: ed447a4089a9e6e3d598d857f52f62755c43c7fd
https://github.com/WebKit/WebKit/commit/ed447a4089a9e6e3d598d857f52f62755c43c7fd
Author: Daniel Liu <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/stress/string-add-conversion-unused.js
M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
Log Message:
-----------
Cherry-pick 299278ffc3f1. https://bugs.webkit.org/show_bug.cgi?id=282661
DFG ToString should only care about Other uses when it can be Other
https://bugs.webkit.org/show_bug.cgi?id=282661
rdar://138325184
Reviewed by Yusuke Suzuki.
DFG's ToString should only backpropagate a UseAsOther when the use
has the potential to be Other. Otherwise, we end up with a mismatch
in expected value formats.
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
Canonical link: https://commits.webkit.org/282416.350@webkitglib/2.46
Commit: 017d39de1545f678a45672f2686082958dd22070
https://github.com/WebKit/WebKit/commit/017d39de1545f678a45672f2686082958dd22070
Author: Keith Miller <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/wtf/LockAlgorithm.h
Log Message:
-----------
Cherry-pick 4d456933d70e. https://bugs.webkit.org/show_bug.cgi?id=282865
LockAlgorithm::unlockFast is too fast
https://bugs.webkit.org/show_bug.cgi?id=282865
rdar://139548123
Reviewed by Yusuke Suzuki.
Right now it has relaxed ordering but that's not correct since it means writes
to the critical section could happen after the lock is unlocked. This could
lead to arbitrary crashes or other general badness.
* Source/WTF/wtf/LockAlgorithm.h:
(WTF::LockAlgorithm::unlockFast):
Canonical link: https://commits.webkit.org/283286.466@safari-7620-branch
Canonical link: https://commits.webkit.org/282416.351@webkitglib/2.46
Commit: 87545f00621bb9623abb7f5719c1c5b3ea48c980
https://github.com/WebKit/WebKit/commit/87545f00621bb9623abb7f5719c1c5b3ea48c980
Author: Yusuke Suzuki <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/wasm/stress/wasm-bbq-catch-unbind.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
Log Message:
-----------
Cherry-pick 39727612b542. https://bugs.webkit.org/show_bug.cgi?id=282825
[JSC] Aborted in JSC::Wasm::BBQJITImpl::BBQJIT::bind
https://bugs.webkit.org/show_bug.cgi?id=282825
rdar://139502479
Reviewed by David Degazio.
This patch adds unbinding for all registers for addCatch and addCatchAll
too since they also should not carry any bindings from the other blocks.
* JSTests/wasm/stress/wasm-bbq-catch-unbind.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatch):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchAll):
Canonical link: https://commits.webkit.org/282416.352@webkitglib/2.46
Commit: 624da0c97614bbfbd5c65a3e2c5dd917d8171515
https://github.com/WebKit/WebKit/commit/624da0c97614bbfbd5c65a3e2c5dd917d8171515
Author: Charlie Wolfe <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/page/SecurityPolicy.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKHTTPCookieStore.mm
Log Message:
-----------
Cherry-pick b7402f10b17c. https://bugs.webkit.org/show_bug.cgi?id=283309
sameSiteInfo.isSameSite may not match URLs used in Data Isolation checks
https://bugs.webkit.org/show_bug.cgi?id=283309
rdar://140129837
Reviewed by Sihui Liu.
This patch fixes an issue where a WebContent process can send IPC with URLs
that are not same-site, but contains `sameSiteInfo` that indicates that the
request is same-site. This can lead to requesting cookies for a URL that was
not considered in the data isolation check.
To lower risk, we reject cookie access instead of terminating the sender
process. More details provided below.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::setOriginalURLForDownloadRequest):
(WebCore::FrameLoader::updateRequestAndAddExtraFields):
(WebCore::FrameLoader::addSameSiteInfoToRequestIfNeeded):
* Source/WebCore/loader/FrameLoader.h:
These quirks were added when cookies were SameSite=Lax by default, which is no
longer the case, so it can be removed. Keeping this would mean certain requests
would unexpectedly be considered same-site, and would fail the check being
added in the network process.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
This is an existing bug that was revealed by this change, and is needed to fix
`http/tests/cache/disk-cache/disk-cache-vary-cookie.html`.
* Source/WebCore/page/SecurityPolicy.h:
Export `shouldInheritSecurityOriginFromOwner` so that it can be used in the
network process.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::shouldTreatAsSameSite const):
Add a network process side same-site check, similar to
`FrameLoader::addSameSiteInfoToRequestIfNeeded`.
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
Validate all cookie messages that contain `sameSiteInfo`.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(InvalidSameSiteInfoCookieRequestHeaderFieldValue)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm:
(TestWebKitAPI::TEST(SOAuthorizationSubFrame, InterceptionSucceedWithCookie)):
Fix this test, which was trying to a cookie from example.com on a page with an
empty main frame URL.
Canonical link: https://commits.webkit.org/282416.353@webkitglib/2.46
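The shape of the network-process check described above, as an added example rather than WebKit's NetworkConnectionToWebProcess code: the flag a WebContent process attaches to a cookie message is recomputed from the URLs the same message carries, and a same-site claim the URLs do not support is answered by refusing the cookie access, not by terminating the sender. The type and function names are this example's own, and the registrable-domain helper is a two-label stand-in for the Public Suffix List lookup a browser performs.

```cpp
#include <optional>
#include <string>

// What the sending process attaches to a cookie message: its own claim that
// the request is same-site with its first party. Hypothetical type name.
struct SameSiteInfo {
    bool isSameSite;
};

enum class CookieAccessDecision { Allow, Reject };

// Extracts the host from an http(s) URL, dropping userinfo and port.
// Returns nullopt for other schemes or malformed input (treated as not same-site).
std::optional<std::string> hostFromURL(const std::string& url)
{
    const size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return std::nullopt;
    const std::string scheme = url.substr(0, schemeEnd);
    if (scheme != "http" && scheme != "https")
        return std::nullopt;
    const size_t authorityStart = schemeEnd + 3;
    const size_t authorityEnd = url.find_first_of("/?#", authorityStart);
    std::string authority = url.substr(authorityStart,
        authorityEnd == std::string::npos ? std::string::npos : authorityEnd - authorityStart);
    const size_t userinfoEnd = authority.rfind('@');
    if (userinfoEnd != std::string::npos)
        authority = authority.substr(userinfoEnd + 1);
    const size_t portStart = authority.find(':');
    if (portStart != std::string::npos)
        authority = authority.substr(0, portStart);
    if (authority.empty())
        return std::nullopt;
    return authority;
}

// Simplified registrable domain: the last two DNS labels. A browser consults
// the Public Suffix List here; this stand-in is an assumption of the example.
std::string registrableDomain(const std::string& host)
{
    const size_t lastDot = host.rfind('.');
    if (lastDot == std::string::npos || lastDot == 0)
        return host;
    const size_t secondLastDot = host.rfind('.', lastDot - 1);
    return secondLastDot == std::string::npos ? host : host.substr(secondLastDot + 1);
}

// Recomputes the same-site relation from the two URLs the message carries,
// ignoring whatever the sender claimed.
bool computeIsSameSite(const std::string& firstPartyURL, const std::string& requestURL)
{
    const auto firstPartyHost = hostFromURL(firstPartyURL);
    const auto requestHost = hostFromURL(requestURL);
    if (!firstPartyHost || !requestHost)
        return false;
    return registrableDomain(*firstPartyHost) == registrableDomain(*requestHost);
}

// Receiver-side check. A same-site claim the URLs do not support would widen
// cookie access, so it is rejected. A cross-site claim for URLs that are in
// fact same-site only narrows access and is left alone in this model.
CookieAccessDecision validateCookieMessage(const SameSiteInfo& info, const std::string& firstPartyURL, const std::string& requestURL)
{
    if (info.isSameSite && !computeIsSameSite(firstPartyURL, requestURL))
        return CookieAccessDecision::Reject;
    return CookieAccessDecision::Allow;
}
```

The general point is the one the commit makes: a value a less-trusted process asserts about itself is only usable after the more-trusted side has derived the same value from data it can verify, and the response to a mismatch can be chosen to fail closed without being disruptive.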
Commit: bac2623a6e48a36da85fc94f71828e5a47a4c99e
https://github.com/WebKit/WebKit/commit/bac2623a6e48a36da85fc94f71828e5a47a4c99e
Author: Ryosuke Niwa <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/platform/Timer.cpp
Log Message:
-----------
Cherry-pick d542dd305ab0. https://bugs.webkit.org/show_bug.cgi?id=283383
Disable the release assert in Timer::Timer
https://bugs.webkit.org/show_bug.cgi?id=283383
<rdar://140233024>
Reviewed by Chris Dumez.
Removed the release assert for now.
* Source/WebCore/platform/Timer.cpp:
(WebCore::TimerBase::TimerBase):
Canonical link: https://commits.webkit.org/282416.354@webkitglib/2.46
Commit: 9dc912cbc0fa366854935011585a1e25385a2062
https://github.com/WebKit/WebKit/commit/9dc912cbc0fa366854935011585a1e25385a2062
Author: Charlie Wolfe <[email protected]>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
M Source/WebCore/page/ResourceUsageOverlay.cpp
M Source/WebCore/page/ResourceUsageOverlay.h
Log Message:
-----------
Cherry-pick 283286.393@safari-7620-branch (7af554d1d875).
https://bugs.webkit.org/show_bug.cgi?id=282350
Use-after-free in `ResourceUsageOverlay::initialize()`
https://bugs.webkit.org/show_bug.cgi?id=282350
rdar://138880313
Reviewed by David Kilzer and Chris Dumez.
The ResourceUsageOverlay constructor uses callOnMainThread to call
ResourceUsageOverlay::initialize(), so the page owning ResourceUsageOverlay may
be destroyed when the lambda executes. ResourceUsageOverlay should hold a
WeakPtr to m_page.
ResourceUsageOverlay also needs to be made ref counted to avoid a UAF on `this`
in the lambda.
* Source/WebCore/page/Page.cpp:
(WebCore::Page::setResourceUsageOverlayVisible):
* Source/WebCore/page/Page.h:
* Source/WebCore/page/ResourceUsageOverlay.cpp:
(WebCore::ResourceUsageOverlay::create):
(WebCore::ResourceUsageOverlay::ResourceUsageOverlay):
(WebCore::ResourceUsageOverlay::~ResourceUsageOverlay):
(WebCore::ResourceUsageOverlay::initialize):
(WebCore::ResourceUsageOverlay::mouseEvent):
* Source/WebCore/page/ResourceUsageOverlay.h:
Canonical link: https://commits.webkit.org/282416.355@webkitglib/2.46
Compare: https://github.com/WebKit/WebKit/compare/0ea2b918562b...9dc912cbc0fa
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes