[webkit-changes] [WebKit/WebKit] 428751: [git-webkit] Add cherry-pick command
Antti Koivisto
noreply at github.com
Mon Dec 19 20:24:29 PST 2022
Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit
Commit: 4287511926dc09e8ddd897da0eb18caf5c5b91d3
https://github.com/WebKit/WebKit/commit/4287511926dc09e8ddd897da0eb18caf5c5b91d3
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Tools/Scripts/hooks/prepare-commit-msg
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/__init__.py
A Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/cherry_pick.py
A Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/cherry_pick_unittest.py
Log Message:
-----------
[git-webkit] Add cherry-pick command
https://bugs.webkit.org/show_bug.cgi?id=244307
<rdar://problem/97399601>
Reviewed by Aakash Jain.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/hooks/prepare-commit-msg: Format `cherry-pick` commit messages.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py: Support `cherry-pick`.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/__init__.py: Add CherryPick command.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/cherry_pick.py: Added.
(CherryPick.parser):
(CherryPick.main): Convert argument to commit object, pass commit representation to `git cherry-pick` command.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/cherry_pick_unittest.py: Added.
(TestCherryPick.setUp):
(TestCherryPick.test_none):
(TestCherryPick.test_basic):
(TestCherryPick.test_alternate_issue):
Canonical link: https://commits.webkit.org/253927@main
Commit: b34dc3b42475b4034897b4a340da104132e6de38
https://github.com/WebKit/WebKit/commit/b34dc3b42475b4034897b4a340da104132e6de38
Author: Philippe Normand <philn at igalia.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/platform/graphics/gstreamer/AppSinkWorkaround.cpp
Log Message:
-----------
Cherry-pick 255632 at main (90eec06ee98c). https://bugs.webkit.org/show_bug.cgi?id=246630
[GStreamer] Critical warnings in appsink workaround thing
https://bugs.webkit.org/show_bug.cgi?id=246630
Reviewed by Xabier Rodriguez-Calvar.
* Source/WebCore/platform/graphics/gstreamer/AppSinkWorkaround.cpp:
(WebCore::registerAppsinkWorkaroundIfNeeded): Register debug category before logging anything from checkNeedsAppsinkWorkaround().
Canonical link: https://commits.webkit.org/255632@main
Commit: 5049a030fbbe990944317cf8fe54d58260abf744
https://github.com/WebKit/WebKit/commit/5049a030fbbe990944317cf8fe54d58260abf744
Author: Philippe Normand <philn at igalia.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M LayoutTests/platform/glib/TestExpectations
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.h
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerPeerConnectionBackend.cpp
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerStatsCollector.cpp
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerStatsCollector.h
M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h
M Source/WebCore/platform/mediastream/RealtimeMediaSource.cpp
M Source/WebCore/platform/mediastream/RealtimeMediaSource.h
M Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp
M Source/WebCore/platform/mediastream/gstreamer/RealtimeIncomingVideoSourceGStreamer.cpp
M Source/WebCore/platform/mediastream/gstreamer/RealtimeIncomingVideoSourceGStreamer.h
M Source/WebCore/platform/mediastream/gstreamer/RealtimeOutgoingVideoSourceGStreamer.cpp
M Source/WebCore/platform/mediastream/gstreamer/RealtimeOutgoingVideoSourceGStreamer.h
Log Message:
-----------
Cherry-pick 256395 at main (fbe198894a3b). https://bugs.webkit.org/show_bug.cgi?id=247487
[GStreamer][WebRTC] Video encoder/decoder stats support
https://bugs.webkit.org/show_bug.cgi?id=247487
Reviewed by Xabier Rodriguez-Calvar.
This patch adds support for filling the `framesDecoded` field in inbound RTP stream stats and the
`framesSent`/`framesEncoded` in outbound RTP stream stats. Decoded frames count is queried by the
mediastream source, the query travels downstream and is handled by the media player, where decoders
are actually part of the pipeline. Outbound metrics are filled in the outgoing video source, using a
pad probe on the source pad.
These additional statistics are then aggregated with the statistics reported by webrtcbin, in the
GStreamerStatsCollector.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:
(WebCore::GStreamerMediaEndpoint::getStats):
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.h:
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerPeerConnectionBackend.cpp:
(WebCore::GStreamerPeerConnectionBackend::getStats):
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerStatsCollector.cpp:
(WebCore::fillRTCRTPStreamStats):
(WebCore::fillRemoteInboundRTPStreamStats):
(WebCore::fillInboundRTPStreamStats):
(WebCore::fillOutboundRTPStreamStats):
(WebCore::ReportHolder::ReportHolder):
(WebCore::fillReportCallback):
(WebCore::GStreamerStatsCollector::getStats):
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerStatsCollector.h:
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::configureVideoDecoder):
* Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
(WebCore::MediaPlayerPrivateGStreamer::incrementDecodedVideoFramesCount):
(WebCore::MediaPlayerPrivateGStreamer::decodedVideoFramesCount const):
* Source/WebCore/platform/mediastream/RealtimeMediaSource.cpp:
(WebCore::RealtimeMediaSource::forEachVideoFrameObserver):
* Source/WebCore/platform/mediastream/RealtimeMediaSource.h:
* Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp:
* Source/WebCore/platform/mediastream/gstreamer/RealtimeIncomingVideoSourceGStreamer.cpp:
(WebCore::RealtimeIncomingVideoSourceGStreamer::stats):
* Source/WebCore/platform/mediastream/gstreamer/RealtimeIncomingVideoSourceGStreamer.h:
* Source/WebCore/platform/mediastream/gstreamer/RealtimeOutgoingVideoSourceGStreamer.cpp:
(WebCore::RealtimeOutgoingVideoSourceGStreamer::RealtimeOutgoingVideoSourceGStreamer):
(WebCore::RealtimeOutgoingVideoSourceGStreamer::updateStats):
* Source/WebCore/platform/mediastream/gstreamer/RealtimeOutgoingVideoSourceGStreamer.h:
Canonical link: https://commits.webkit.org/256395@main
Commit: 6b65a74df89790f2e709e7cb635185f51d793db6
https://github.com/WebKit/WebKit/commit/6b65a74df89790f2e709e7cb635185f51d793db6
Author: Michael Catanzaro <mcatanzaro at redhat.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_segregated_page.c
Log Message:
-----------
Cherry-pick 256486 at main (0b3756093c94). https://bugs.webkit.org/show_bug.cgi?id=245968
Crash in pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl
https://bugs.webkit.org/show_bug.cgi?id=245968
Reviewed by Mark Lam and Yusuke Suzuki.
There is a pretty frequent crash here that occurs when dereferencing
cache_node->page_lock when cache_node is nullptr. It's a little strange
because the crash occurs on line 146, which should be unreachable in
this case because there is a check for nullptr on line 137 that ensures
the rest of the function is skipped in this case. And yet, it's
happening anyway. Perhaps that check is being optimized out due to the
even earlier dereference of cache_node on line 130? I'm not sure, but
clearly cache_node is expected to be nullptr here, so let's check for
it earlier before the first dereference, which is good to do no matter
what.
This solution was suggested by Benjamin Otte, but it's not his fault if
it doesn't fix the crash! This is only a speculative fix. To know for
sure whether this is the problem, somebody would have to study the
disassembled code more closely.
* Source/bmalloc/libpas/src/libpas/pas_segregated_page.c:
(pas_segregated_page_switch_lock_and_rebias_while_ineligible_impl):
Canonical link: https://commits.webkit.org/256486@main
Commit: d88c545bb5d3458571503fca65c4335dcf953fcd
https://github.com/WebKit/WebKit/commit/d88c545bb5d3458571503fca65c4335dcf953fcd
Author: Michael Catanzaro <mcatanzaro at redhat.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebKit/NetworkProcess/Classifier/WebResourceLoadStatisticsStore.cpp
Log Message:
-----------
Cherry-pick 256566 at main (ca03533a50a8). https://bugs.webkit.org/show_bug.cgi?id=247442
Network process crash in WebResourceLoadStatisticsStore::registrableDomains
https://bugs.webkit.org/show_bug.cgi?id=247442
Reviewed by John Wilander.
Opening Epiphany's website data dialog in ephemeral mode causes an
immediate network process crash when fetching website data due to an
assertion that WebResourceLoadStatisticsStore::postTask is never called
in ephemeral mode. Other WebResourceLoadStatisticsStore functions have
special handling for ephemeral mode, so we need it here too.
* Source/WebKit/NetworkProcess/Classifier/WebResourceLoadStatisticsStore.cpp:
(WebKit::WebResourceLoadStatisticsStore::registrableDomains):
Canonical link: https://commits.webkit.org/256566@main
Commit: e2bb8b3aeb08c7ffee7f8afe2a55bd3be3b0ec03
https://github.com/WebKit/WebKit/commit/e2bb8b3aeb08c7ffee7f8afe2a55bd3be3b0ec03
Author: Dominique Leuenberger <dimstar at opensuse.org>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/JavaScriptCore/offlineasm/config.rb
M Source/JavaScriptCore/offlineasm/parser.rb
M Source/WebInspectorUI/Scripts/update-LegacyInspectorBackendCommands.rb
Log Message:
-----------
Cherry-pick 257775 at main (b7ac5d0ccc7c). https://bugs.webkit.org/show_bug.cgi?id=246743
Fix build with Ruby 3.2
https://bugs.webkit.org/show_bug.cgi?id=246743
Reviewed by Ross Kirsling.
File.exists has been declared deprecated since Ruby 2.1 (2013) and with Ruby 3.2 gets removed for good.
* Source/JavaScriptCore/offlineasm/config.rb:
* Source/JavaScriptCore/offlineasm/parser.rb:
* Source/WebInspectorUI/Scripts/update-LegacyInspectorBackendCommands.rb:
Canonical link: https://commits.webkit.org/257775@main
Commit: a3639c885485f32b18ba30840d3a5279f42b313c
https://github.com/WebKit/WebKit/commit/a3639c885485f32b18ba30840d3a5279f42b313c
Author: Philippe Normand <philn at igalia.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/platform/graphics/gstreamer/mse/AppendPipeline.cpp
Log Message:
-----------
Cherry-pick 257838 at main (dc208a0a320c). https://bugs.webkit.org/show_bug.cgi?id=249155
[GStreamer][MSE] Fix a caps leak in AppendPipeline
https://bugs.webkit.org/show_bug.cgi?id=249155
Reviewed by Alicia Boya Garcia.
The return value of `gst_pad_get_current_caps()` is `transfer full` so we need to adopt it.
* Source/WebCore/platform/graphics/gstreamer/mse/AppendPipeline.cpp:
(WebCore::AppendPipeline::AppendPipeline):
Canonical link: https://commits.webkit.org/257838@main
Commit: 4c03a2dcd6ade57be79546264e4a833dc35c3afa
https://github.com/WebKit/WebKit/commit/4c03a2dcd6ade57be79546264e4a833dc35c3afa
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/JavaScriptCore/dfg/DFGFailedFinalizer.h
M Source/JavaScriptCore/dfg/DFGFinalizer.h
M Source/JavaScriptCore/dfg/DFGJITFinalizer.h
M Source/JavaScriptCore/dfg/DFGPlan.cpp
M Source/JavaScriptCore/ftl/FTLJITFinalizer.h
Log Message:
-----------
Cherry-pick 255714 at main (c4c58496ef4a). https://bugs.webkit.org/show_bug.cgi?id=246724
[JSC] Simplify Finalization in DFG / FTL
https://bugs.webkit.org/show_bug.cgi?id=246724
rdar://101165751
Reviewed by Justin Michaud.
This patch simplifies DFG / FTL finalization by early returning failure case.
* Source/JavaScriptCore/dfg/DFGFailedFinalizer.h:
* Source/JavaScriptCore/dfg/DFGFinalizer.h:
* Source/JavaScriptCore/dfg/DFGJITFinalizer.h:
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalize):
* Source/JavaScriptCore/ftl/FTLJITFinalizer.h:
Canonical link: https://commits.webkit.org/255714@main
Commit: 1cb73b576ea68f5e55d11c10336ee187963f1226
https://github.com/WebKit/WebKit/commit/1cb73b576ea68f5e55d11c10336ee187963f1226
Author: Matt Woodrow <mattwoodrow at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M LayoutTests/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-serializable-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-transfer-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-serializable-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-transfer-expected.txt
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 255882 at main (ad6383440b73). https://bugs.webkit.org/show_bug.cgi?id=246783
Throw a DataCloneError when attempting to serialize an ImageBitmap without the origin-clean flag.
https://bugs.webkit.org/show_bug.cgi?id=246783
<rdar://100901435>
Reviewed by Youenn Fablet.
The HTML spec expects us to reject serialization/transfer of ImageBitmaps that don't have the origin-clean flag, rather
than transferring them and tainting any <canvas> elements they get drawn to.
* LayoutTests/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-serializable-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-transfer-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-serializable-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-transfer-expected.txt:
* LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-serializable-expected.txt:
* LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/html/canvas/element/manual/imagebitmap/createImageBitmap-transfer-expected.txt:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpImageBitmap):
(WebCore::SerializedScriptValue::create):
Canonical link: https://commits.webkit.org/255882@main
Commit: 7f70191afd1a581c3e1c0c8a901623aa968a112e
https://github.com/WebKit/WebKit/commit/7f70191afd1a581c3e1c0c8a901623aa968a112e
Author: Wenson Hsieh <wenson_hsieh at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/page/EventHandler.cpp
Log Message:
-----------
Cherry-pick 256032 at main (ef03f9068d2c). https://bugs.webkit.org/show_bug.cgi?id=247067
Adjust a check in `EventHandler::handleDrag` when setting `restrictedOriginForImageData`
https://bugs.webkit.org/show_bug.cgi?id=247067
rdar://101554713
Reviewed by Aditya Keerthi.
Make this logic apply to both `DragSourceAction::DHTML` and `DragSourceAction::Image`, since we
write image data to the system pasteboard in both of these cases.
* Source/WebCore/page/EventHandler.cpp:
(WebCore::EventHandler::handleDrag):
Canonical link: https://commits.webkit.org/256032@main
Commit: aa3f983f3bbac697167dcd8719d43add1e54b667
https://github.com/WebKit/WebKit/commit/aa3f983f3bbac697167dcd8719d43add1e54b667
Author: David Degazio <d_degazio at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
A JSTests/stress/intl-locale-invalid-hourCycles.js
M Source/JavaScriptCore/runtime/IntlLocale.cpp
Log Message:
-----------
Cherry-pick 256473 at main (86fbeb6fcd63). https://bugs.webkit.org/show_bug.cgi?id=247562
Intl.Locale.prototype.hourCycles leaks empty JSValue to script
https://bugs.webkit.org/show_bug.cgi?id=247562
rdar://102031379
Reviewed by Mark Lam.
We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it
to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError
when udatpg_open returns a failed status.
* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
(main):
* Source/JavaScriptCore/runtime/IntlLocale.cpp:
(JSC::IntlLocale::hourCycles):
Canonical link: https://commits.webkit.org/256473@main
Commit: b25e6a48e3a9a7d43d5fc9c5d03727e7b57fcdec
https://github.com/WebKit/WebKit/commit/b25e6a48e3a9a7d43d5fc9c5d03727e7b57fcdec
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
A JSTests/stress/delete-cache-error.js
A JSTests/stress/get-own-property-slot-cache-error.js
A JSTests/stress/get-property-cache-error.js
M Source/JavaScriptCore/runtime/ErrorInstance.cpp
M Source/JavaScriptCore/runtime/ErrorInstance.h
Log Message:
-----------
Cherry-pick 256519 at main (28686e63de0d). https://bugs.webkit.org/show_bug.cgi?id=247699
Error() ICs should not cache special properties.
https://bugs.webkit.org/show_bug.cgi?id=247699
Reviewed by Yusuke Suzuki.
HasOwnProperty/DeleteProperty are not always cacheable for special Error()
properties like column. These special properties are materialized on-demand
in materializeErrorInfoIfNeeded, but this function's behaviour can be changed
by Error.stackTraceLimit without causing a structure transition or firing watchpoints.
That is, we cannot cache property misses, and we cannot assume HasOwnProperty is deterministic
for a given structure if we are using one of these properties.
* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::deleteProperty):
* Source/JavaScriptCore/runtime/ErrorInstance.h:
Canonical link: https://commits.webkit.org/256519@main
Commit: 39ea793a543451f86e199e50774074d00af9819b
https://github.com/WebKit/WebKit/commit/39ea793a543451f86e199e50774074d00af9819b
Author: Rob Buis <rbuis at igalia.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/Element.h
M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
Log Message:
-----------
Cherry-pick 255527 at main (f6f2c95eb900). https://bugs.webkit.org/show_bug.cgi?id=246450
Tear down child renderers when removing display: contents
https://bugs.webkit.org/show_bug.cgi?id=246450
rdar://95570441
Reviewed by Antti Koivisto.
Detect when we transition away from display: contents when
resolving computed styles and tear down child renderers in
that case. To keep track of when to do this add a flag
to Element.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
* Source/WebCore/dom/Element.h:
(WebCore::Element::displayContentsChanged const):
(WebCore::Element::setDisplayContentsChanged):
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::updateElementRenderer):
Canonical link: https://commits.webkit.org/255527@main
Commit: a780b0cd9b7b0ec1bcb6248fdd6413f1c3afc3eb
https://github.com/WebKit/WebKit/commit/a780b0cd9b7b0ec1bcb6248fdd6413f1c3afc3eb
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Cherry-pick 258098 at main (d030f866382e).
Cherry-pick 252432.689 at safari-7614-branch (706a0693c737). rdar://103520049
Correctly tear down children for elements with NULL renderer which have
display contents changed.
rdar://problem/99616850
Reviewed by Antti Koivisto.
- When an element has display-contents:true, we don't create a renderer
for it, but its children may still have renderers which point to
nodes in the DOM. When certain nodes in the DOM are torn down, these
renderers were holding stale references, which caused use-after-free
issues. The patch fixes the issue by correcting the teardown logic for
such nodes.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
Canonical link: https://commits.webkit.org/252432.689@safari-7614-branch
Canonical link: https://commits.webkit.org/258098@main
Commit: 7fa74ea6672d4fedaf33e3f775cf5db739a8c38c
https://github.com/WebKit/WebKit/commit/7fa74ea6672d4fedaf33e3f775cf5db739a8c38c
Author: Chris Dumez <cdumez at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 258103 at main (88fe91451e9c). https://bugs.webkit.org/show_bug.cgi?id=247449
Cherry-pick 252432.766 at safari-7614-branch (57372567b7b7). rdar://99729137
Do IPC hardening in WebPageProxy::didStartProvisionalLoadForFrameShared()
https://bugs.webkit.org/show_bug.cgi?id=247449
rdar://99729137
Reviewed by Geoffrey Garen.
Add message check for the unreachable URL as well, not just the URL.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didStartProvisionalLoadForFrameShared):
Canonical link: https://commits.webkit.org/252432.766@safari-7614-branch
Canonical link: https://commits.webkit.org/258103@main
Commit: 08cd8b07aa56b62ac7d11e241d884e3c5a1681df
https://github.com/WebKit/WebKit/commit/08cd8b07aa56b62ac7d11e241d884e3c5a1681df
Author: Mark Lam <mark.lam at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
A JSTests/stress/speculate-real-number-in-object-is.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick 258113 at main (98940f219ba0). https://bugs.webkit.org/show_bug.cgi?id=248266
Cherry-pick 252432.839 at safari-7614-branch (71cdc1c09ef1). rdar://102531234
The provenType filtering in FTL's speculateRealNumber is incorrect.
https://bugs.webkit.org/show_bug.cgi?id=248266
<rdar://problem/102531234>
Reviewed by Justin Michaud.
speculateRealNumber does a doubleEqual compare, which filters out double values which
are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block,
the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering
of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
a proven type of
{ SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
which yields
{ SpecInt32Only }.
As a result, the compiler will think that the isNotInt32() check will always fail. This
is not correct if the actual incoming value for that edge is actually a PureNaN. In this
case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
the isNotInt32() check will always fail and elides the check altogether.
In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also
rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
* JSTests/stress/speculate-real-number-in-object-is.js: Added.
(test.object_is_opt):
(test):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
Canonical link: https://commits.webkit.org/258113@main
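The bug above is the classic JIT speculation failure: the compiler is warmed up on a type profile (int32 and non-NaN doubles), then a value outside that profile (a NaN) arrives and the elided check lets a wrong result through instead of an OSR exit. The following is an added example of how such a regression test is typically structured; it is not the WebKit test `speculate-real-number-in-object-is.js`, and only the name `object_is_opt` is borrowed from the commit's test description. The sample values, the warm-up loop, and the `sameValue` oracle are all constructed here. The pattern generalizes beyond `Object.is`: warm up the function under test on the "safe" profile, then feed every edge value the profile excludes and compare against an independent oracle.

```javascript
// Added example (not WebKit code): warm-up/poison stress pattern for a
// speculation bug in Object.is. The name object_is_opt comes from the
// commit's test description; everything else is constructed for this example.

// Function under test. In a JIT, a hot call site like this gets compiled
// with a speculation based on the types it has seen so far.
function object_is_opt(a, b) {
    return Object.is(a, b);
}

// Independent oracle: SameValue (ECMA-262 7.2.10) written without Object.is,
// so a wrong result from the engine cannot hide behind itself.
function sameValue(a, b) {
    if (typeof a === 'number' && typeof b === 'number') {
        if (a !== a && b !== b) return true;             // NaN is SameValue to NaN
        if (a === 0 && b === 0) return 1 / a === 1 / b;  // +0 and -0 are distinct
        return a === b;
    }
    return a === b;
}

// Phase 1: build the type profile the compiler will speculate on. Only
// int32 values and non-NaN doubles (SpecInt32Only | SpecDoubleReal in JSC
// terms) flow through the call site here, never a NaN.
function warmUp(iterations) {
    let matches = 0;
    for (let i = 0; i < iterations; i++) {
        if (object_is_opt(i, i)) matches++;        // int32, equal
        if (object_is_opt(i, i + 1)) matches++;    // int32, different
        const d = i + 0.5;                         // real (non-NaN) double
        if (object_is_opt(d, d)) matches++;
        if (object_is_opt(d, -d)) matches++;
    }
    return matches; // exactly two matches per iteration
}

// Phase 2: poison the compiled code with values the profile excluded
// (NaN, signed zeros, infinities, out-of-int32-range doubles) and check
// every pair against the oracle. Any mismatch is a speculation failure.
function checkEdgeCases() {
    const samples = [NaN, 0, -0, 1, 1.5, Infinity, -Infinity,
                     2 ** 31, -(2 ** 31) - 1, 0.1 + 0.2];
    const failures = [];
    for (const a of samples) {
        for (const b of samples) {
            const got = object_is_opt(a, b);
            const want = sameValue(a, b);
            if (got !== want) failures.push({ a, b, got, want });
        }
    }
    return failures;
}

function runStress(iterations = 1e5) {
    const matches = warmUp(iterations);
    const failures = checkEdgeCases();
    return { matches, failures };
}

if (typeof module !== 'undefined' && require.main === module) {
    const { matches, failures } = runStress();
    console.log(`warm-up matches: ${matches}, edge-case failures: ${failures.length}`);
    if (failures.length) process.exitCode = 1;
}
```

On a correct engine `checkEdgeCases()` returns an empty list; under the bug described in the commit, an engine that had compiled `object_is_opt` with the bad speculation would report `Object.is(NaN, NaN)` (and the other NaN pairs) as mismatches after the warm-up, which is exactly the kind of failure the regression test added in that commit is meant to catch.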
Commit: c38d3b5f0550575acef9f3c7ff68367942b9914e
https://github.com/WebKit/WebKit/commit/c38d3b5f0550575acef9f3c7ff68367942b9914e
Author: Antti Koivisto <antti at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M LayoutTests/TestExpectations
M Source/WebCore/rendering/RenderBox.cpp
M Source/WebCore/rendering/RenderElement.cpp
M Source/WebCore/style/StylePendingResources.cpp
Log Message:
-----------
Cherry-pick 253553 at main (4385a00da760). https://bugs.webkit.org/show_bug.cgi?id=244039
Support background images on ::first-line
https://bugs.webkit.org/show_bug.cgi?id=244039
<rdar://98157640>
Reviewed by Simon Fraser.
This sort-of-worked (no paint invalidation) and got completely broken in 248098 at main refactoring
because we don't even trigger the resource load.
This patch fixes the regression and also adds paint invalidation.
* LayoutTests/TestExpectations:
* Source/WebCore/rendering/RenderBox.cpp:
Issue a repaint for ::first-line style if needed.
(WebCore::RenderBox::imageChanged):
* Source/WebCore/rendering/RenderElement.cpp:
(WebCore::RenderElement::styleDidChange):
Register renderer as client for resources in ::first-line style.
(WebCore::RenderElement::willBeDestroyed):
Unregister.
* Source/WebCore/style/StylePendingResources.cpp:
(WebCore::Style::loadPendingResources):
Trigger the load for resources in ::first-line style.
Canonical link: https://commits.webkit.org/253553@main
Commit: eed56952c889d8800db6b483fc74cc9b0ab28d82
https://github.com/WebKit/WebKit/commit/eed56952c889d8800db6b483fc74cc9b0ab28d82
Author: Antti Koivisto <antti at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/rendering/RenderElement.cpp
M Source/WebCore/rendering/RenderElement.h
Log Message:
-----------
Cherry-pick 256215 at main (091a04e55c80). https://bugs.webkit.org/show_bug.cgi?id=247317
RenderElement::updateFillImages should take pointer arguments like other similar functions
https://bugs.webkit.org/show_bug.cgi?id=247317
rdar://100273147
Reviewed by Alan Baradlay.
* Source/WebCore/rendering/RenderElement.cpp:
(WebCore::RenderElement::updateFillImages):
(WebCore::RenderElement::styleDidChange):
* Source/WebCore/rendering/RenderElement.h:
Canonical link: https://commits.webkit.org/256215@main
Compare: https://github.com/WebKit/WebKit/compare/4cafd7d5a913...eed56952c889