[webkit-changes] [WebKit/WebKit] 4b5765: Cherry-pick 259548.70 at safari-7615-branch (4f0cd71e...

Rob Buis noreply at github.com
Sat Apr 1 07:24:04 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4b5765425bc9d69907b47f0d75b3aa7097f52a61
      https://github.com/WebKit/WebKit/commit/4b5765425bc9d69907b47f0d75b3aa7097f52a61
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-04-01 (Sat, 01 Apr 2023)

  Changed paths:
    M Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp
    M Source/WebCore/animation/KeyframeEffect.cpp
    M Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h

  Log Message:
  -----------
  Cherry-pick 259548.70 at safari-7615-branch (4f0cd71e42b8). rdar://107499416

    Fix use of uninitialized memory in TransformationMatrix decompose()
    https://bugs.webkit.org/show_bug.cgi?id=247835
    <rdar://102263762>

    Reviewed by Dean Jackson.

    Fixes decompose4 to check for a failing return value from inverse, and early returns, rather
    than continuing with the output matrix uninitialized.

    Also adds WARN_UNUSED_RETURN to decompose2/4 to ensure that all callers handle this case.

    * Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp:
    (WebCore::m_rawTransform):
    * Source/WebCore/animation/KeyframeEffect.cpp:
    (WebCore::KeyframeEffect::computeTransformedExtentViaTransformList const):
    (WebCore::KeyframeEffect::computeTransformedExtentViaMatrix const):
    * Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp:
    (WebCore::RotateTransformOperation::blend):
    * Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:
    (WebCore::decompose4):
    * Source/WebCore/platform/graphics/transforms/TransformationMatrix.h:

    Canonical link: https://commits.webkit.org/259548.70@safari-7615-branch

Canonical link: https://commits.webkit.org/262471@main


  Commit: c839c78f8d13517130966a615158e807b0552140
      https://github.com/WebKit/WebKit/commit/c839c78f8d13517130966a615158e807b0552140
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-04-01 (Sat, 01 Apr 2023)

  Changed paths:
    A LayoutTests/mathml/mathml-mover-layout-crash-expected.txt
    A LayoutTests/mathml/mathml-mover-layout-crash.html
    M LayoutTests/platform/gtk/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp

  Log Message:
  -----------
  Cherry-pick 259548.74 at safari-7615-branch (25cddfa82335). rdar://107499427

    Fix layout for positioned children for RenderMathMLUnderOver
    rdar://105071050

    Reviewed by Alan Baradlay.

    Before this change, the layout method in RenderMathMLUnderOver (<mover>) never
    added positioned elements to the map for their container, which meant if
    the positioned children are dirty, their layout will never be triggered.
    This change fixes that by looking at direct children of
    RenderMathMLUnderOver and adding them to their container's positioned
    elements map, so that their layout happens as expected.

    * LayoutTests/mathml/mathml-mover-layout-crash-expected.txt: Added.
    * LayoutTests/mathml/mathml-mover-layout-crash.html: Added.
    * Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp:
    (WebCore::RenderMathMLUnderOver::layoutBlock):
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt:
    * LayoutTests/platform/mac-wk2/TestExpectations:

    Canonical link: https://commits.webkit.org/259548.74@safari-7615-branch

Canonical link: https://commits.webkit.org/262472@main


  Commit: 03ee49b03ed6a90fe8b8bef3d74b254386d8488d
      https://github.com/WebKit/WebKit/commit/03ee49b03ed6a90fe8b8bef3d74b254386d8488d
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-04-01 (Sat, 01 Apr 2023)

  Changed paths:
    A LayoutTests/fast/css/style-update-timer-crash-expected.txt
    A LayoutTests/fast/css/style-update-timer-crash.html
    M Source/WebCore/style/StyleScope.cpp

  Log Message:
  -----------
  Cherry-pick 259548.153 at safari-7615-branch (c49d1e6e50a4). rdar://107499581

    Hold reference to shadowRoot and document when timer is triggered
    https://bugs.webkit.org/show_bug.cgi?id=252091
    rdar://105115603

    Reviewed by Ryosuke Niwa.

    This change fixes the issue where a Style::Scope can get deallocated
    when the timer is fired, leading to a use-after-free. The fix holds onto
    the shadowRoot and document in question, both of which own the
    Style::Scope object.

    * LayoutTests/fast/css/style-update-timer-crash-expected.txt: Added.
    * LayoutTests/fast/css/style-update-timer-crash.html: Added.
    * Source/WebCore/style/StyleScope.cpp:
    (WebCore::Style::Scope::pendingUpdateTimerFired):

    Canonical link: https://commits.webkit.org/259548.153@safari-7615-branch

Canonical link: https://commits.webkit.org/262473@main


  Commit: 79423597243d8278d721a864d3e22d80bc38a9da
      https://github.com/WebKit/WebKit/commit/79423597243d8278d721a864d3e22d80bc38a9da
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2023-04-01 (Sat, 01 Apr 2023)

  Changed paths:
    A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt
    A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html

  Log Message:
  -----------
  Cherry-pick 256843.10 at webkit-2022.12-embargoed (b7f9b7f4679b). rdar://107499606

    Add test for element's display contents change on sibling removal
    https://bugs.webkit.org/show_bug.cgi?id=248772

    Reviewed by Tim Nguyen.

    This was already fixed with #248776, but add the test for completeness.

    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt: Added.
    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html: Added.

    Canonical link: https://commits.webkit.org/256843.10@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/262474@main


  Commit: 6b3a0ebbfaefa2ce656f28af49b1d079279671a6
      https://github.com/WebKit/WebKit/commit/6b3a0ebbfaefa2ce656f28af49b1d079279671a6
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-04-01 (Sat, 01 Apr 2023)

  Changed paths:
    A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt
    A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html

  Log Message:
  -----------
  Cherry-pick 256843.11 at webkit-2022.12-embargoed (7d616c4d06eb). rdar://107499625

    Add crash test for disconnected frame switching to eager
    https://bugs.webkit.org/show_bug.cgi?id=245377

    Reviewed by Ryosuke Niwa.

    Add crash test for disconnected frame switching to eager.

    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt: Added.
    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html: Added.

    Canonical link: https://commits.webkit.org/256843.11@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/262475@main


Compare: https://github.com/WebKit/WebKit/compare/0effd07b7ef3...6b3a0ebbfaef

More information about the webkit-changes mailing list