[webkit-changes] [WebKit/WebKit] 3d9ad3: Cherry-pick 262463 at main (6e7c8de0a165). https://bu...
Adrian Perez
noreply at github.com
Mon Apr 3 14:14:47 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 3d9ad3960ea4c636b3d72de3e492017d1e11bd5c
https://github.com/WebKit/WebKit/commit/3d9ad3960ea4c636b3d72de3e492017d1e11bd5c
Author: Myles C. Maxfield <mmaxfield at apple.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
A LayoutTests/fast/text/font-feature-settings-case-sensitive-expected.html
A LayoutTests/fast/text/font-feature-settings-case-sensitive.html
A LayoutTests/fast/text/resources/Ahem-feature-x-left-spacing.otf
M LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/parsing/font-feature-settings-computed-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/parsing/font-feature-settings-valid-expected.txt
M Source/WebCore/css/parser/CSSPropertyParserWorkerSafe.cpp
Log Message:
-----------
Cherry-pick 262463 at main (6e7c8de0a165). https://bugs.webkit.org/show_bug.cgi?id=254146
Can't activate feature with all caps tag via font-feature-settings
https://bugs.webkit.org/show_bug.cgi?id=254146
rdar://106966601
Reviewed by Tim Nguyen.
The CSS spec[1] says:
> The <string> is a case-sensitive OpenType feature tag.
Chrome and Firefox both treat it this way.
[1] http://w3c.github.io/csswg-drafts/css-fonts-4/#font-feature-settings-prop
Test: fast/text/font-feature-settings-case-sensitive.html
* LayoutTests/fast/text/font-feature-settings-case-sensitive-expected.html: Added.
* LayoutTests/fast/text/font-feature-settings-case-sensitive.html: Added.
* LayoutTests/fast/text/resources/Ahem-feature-x-left-spacing.otf: Added.
* Source/WebCore/css/parser/CSSPropertyParserWorkerSafe.cpp:
(WebCore::CSSPropertyParserHelpersWorkerSafe::consumeFontTag):
(WebCore::CSSPropertyParserHelpersWorkerSafe::consumeFeatureTagValue):
Canonical link: https://commits.webkit.org/262463@main
Commit: 04a53726bc1c8efe026e70a92b3dd94c313dfb87
https://github.com/WebKit/WebKit/commit/04a53726bc1c8efe026e70a92b3dd94c313dfb87
Author: Gerald Squelart <g_squelart at apple.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
M Source/WebCore/platform/graphics/IntRect.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 259548.22 at safari-7615-branch (433aae06c3e1). rdar://101324985
Validate IPC-decoded IntRect's
rdar://101324985
Reviewed by Dean Jackson.
* Source/WebCore/platform/graphics/IntRect.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/259548.22@safari-7615-branch
Commit: 5751d8640a5698fb032ed1ffc88d8b22dafc51e5
https://github.com/WebKit/WebKit/commit/5751d8640a5698fb032ed1ffc88d8b22dafc51e5
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
M Source/WebCore/rendering/RenderLayerModelObject.cpp
Log Message:
-----------
Cherry-pick 256843.4 at webkit-2022.12-embargoed (6234ec9c65b9). https://bugs.webkit.org/show_bug.cgi?id=248773
Do not issue repaints when in detached state
https://bugs.webkit.org/show_bug.cgi?id=248773
Reviewed by Antti Koivisto.
Do not issue repaints when the RenderObject is in detached state while removing render subtrees.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
* Source/WebCore/rendering/RenderLayerModelObject.cpp:
(WebCore::RenderTableCell::willBeRemovedFromTree const):
Canonical link: https://commits.webkit.org/256843.4@webkit-2022.12-embargoed
Commit: c159a1464000d8e05bf826fd50af0ef25a3bc6cb
https://github.com/WebKit/WebKit/commit/c159a1464000d8e05bf826fd50af0ef25a3bc6cb
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
A JSTests/wasm/stress/many-locals-small-wasm-stack.js
A JSTests/wasm/stress/many-locals-small-wasm-stack.wasm
A JSTests/wasm/stress/many-locals-small-wasm-stack.wat
M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
Log Message:
-----------
Cherry-pick 259548.25 at safari-7615-branch (1a20160f826c). rdar://104692168
Locals should update max stack size
rdar://104692168
Reviewed by Yusuke Suzuki.
We can forget to update the max stack size, causing an OOB stack read in
OSR entry. This only happens if you create a bunch of locals and never
push anything to the stack, so it should be very rare and difficult to
abuse.
* JSTests/wasm/stress/many-locals-small-wasm-stack.js: Added.
(async let):
* JSTests/wasm/stress/many-locals-small-wasm-stack.wasm: Added.
* JSTests/wasm/stress/many-locals-small-wasm-stack.wat: Added.
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addLocal):
Canonical link: https://commits.webkit.org/259548.25@safari-7615-branch
Commit: 479543cd0021c0205a3ab852e1d6676851958896
https://github.com/WebKit/WebKit/commit/479543cd0021c0205a3ab852e1d6676851958896
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
Log Message:
-----------
Cherry-pick 256843.6 at webkit-2022.12-embargoed (c4c0ef6360b2). https://bugs.webkit.org/show_bug.cgi?id=248775
Verify that style update roots are for correct document
https://bugs.webkit.org/show_bug.cgi?id=248775
Reviewed by Antti Koivisto.
Verify that style update roots are for the correct document since
we may be dealing with a pending update on an element/text node that
moved to another document.
* LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
* LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::commit):
Canonical link: https://commits.webkit.org/256843.6@webkit-2022.12-embargoed
Commit: 6994243394e3fe0d638d62ed6688b5e1b8aac6d5
https://github.com/WebKit/WebKit/commit/6994243394e3fe0d638d62ed6688b5e1b8aac6d5
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
M Source/WebKit/UIProcess/WebProcessProxy.cpp
Log Message:
-----------
Cherry-pick 259548.27 at safari-7615-branch (97035e098145). https://bugs.webkit.org/show_bug.cgi?id=251454
Use-after-free under WebProcessProxy::logDiagnosticMessageForResourceLimitTermination()
https://bugs.webkit.org/show_bug.cgi?id=251454
rdar://104818871
Reviewed by David Kilzer and Ryosuke Niwa.
The code was storing a reference to a temporary.
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::logDiagnosticMessageForResourceLimitTermination):
Canonical link: https://commits.webkit.org/259548.27@safari-7615-branch
Commit: 197515042a48ac684849898fcade8fc7afc15897
https://github.com/WebKit/WebKit/commit/197515042a48ac684849898fcade8fc7afc15897
Author: Patrick Angle <pangle at apple.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
A LayoutTests/inspector/console/console-recursive-logging-expected.txt
A LayoutTests/inspector/console/console-recursive-logging.html
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.h
Log Message:
-----------
Cherry-pick 252432.1043 at safari-7614-branch (6633438abd8b). https://bugs.webkit.org/show_bug.cgi?id=251018
Web Inspector: Console messages that log a value that recursively logs crashes
https://bugs.webkit.org/show_bug.cgi?id=251018
rdar://104083913
Reviewed by Jonathan Bedard and Michael Saboff.
Web Inspector normally generates a preview for objects logged in the console when Web Inspector is open. However, it is
possible for authored pages to cause logging to occur when we attempt to generate the preview, as we must invoke getters
to get the values to display. In order to not recursively log messages to the console this patch turns off generating
previews for console messages that are logged while in the middle of logging another console message. The user can still
generate a preview later in Web Inspector by using the disclosure triangle next to the message, which will then cause
the getter to be invoked, but the same protection will kick in to prevent recursive logging via generating previews
for objects.
* LayoutTests/inspector/console/console-recursive-logging-expected.txt: Added.
* LayoutTests/inspector/console/console-recursive-logging.html: Added.
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::addConsoleMessage):
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.h:
Canonical link: https://commits.webkit.org/252432.1043@safari-7614-branch
Commit: 6d228e96323cbce04d6ad855707254cf64c7229c
https://github.com/WebKit/WebKit/commit/6d228e96323cbce04d6ad855707254cf64c7229c
Author: Ryan Reno <rreno at apple.com>
Date: 2023-04-02 (Sun, 02 Apr 2023)
Changed paths:
M Source/JavaScriptCore/runtime/Error.cpp
M Source/JavaScriptCore/runtime/StackFrame.cpp
M Source/JavaScriptCore/runtime/StackFrame.h
M Source/WTF/wtf/URL.cpp
M Source/WTF/wtf/URL.h
M Source/WebInspectorUI/UserInterface/Base/URLUtilities.js
M Source/WebInspectorUI/UserInterface/Models/DebuggerData.js
M Tools/TestWebKitAPI/Tests/WTF/URL.cpp
Log Message:
-----------
Cherry-pick 259548.30 at safari-7615-branch (49109db4ab87). https://bugs.webkit.org/show_bug.cgi?id=250760
Error object stacktraces may leak sensitive data in URL query parameters
https://bugs.webkit.org/show_bug.cgi?id=250760
rdar://104376838
Reviewed by Patrick Angle.
If a remote script is delivered after a redirect sensitive data may be present
in the post-redirect URL. If the script later throws an error the error event
object will have that post-redirect URL in its stacktrace and sourceURL properties.
* Source/JavaScriptCore/runtime/Error.cpp:
(JSC::getLineColumnAndSource):
* Source/JavaScriptCore/runtime/StackFrame.cpp:
(JSC::StackFrame::sourceURLStripped const):
This is a new function which uses the URL class to strip
potentially sensitive information from the URL of the script
which contains the code for the current stack frame.
(JSC::StackFrame::toString const):
* Source/JavaScriptCore/runtime/StackFrame.h:
* Source/WTF/wtf/URL.cpp:
(WTF::URL::strippedForUseAsReport const):
This is a function similar to strippedForUseAsReferrer except we also remove
query parameters from the URL while strippedForUseAsReferrer only strips
user information and fragment.
* Source/WTF/wtf/URL.h:
* Source/WebInspectorUI/UserInterface/Base/URLUtilities.js:
Adds a utility function similar to WTF::URL::strippedForUseAsReport.
* Source/WebInspectorUI/UserInterface/Models/DebuggerData.js:
(WI.DebuggerData.prototype.scriptsForURL):
(WI.DebuggerData.prototype.addScript):
The Web Inspector debugger maps URLs it knows about to URLs reported
by the stack frames in an error object's stack trace. This allows one
to jump to offending source lines in the web inspector. In order to
correctly map the stripped URL reported in a stack trace we need to key
the map on the stripped URL as well.
* Tools/TestWebKitAPI/Tests/WTF/URL.cpp:
(TestWebKitAPI::TEST_F):
Adds a unit test for URL::strippedForUseAsReport
Canonical link: https://commits.webkit.org/259548.30@safari-7615-branch
Commit: 2cba805545c3e4c006520b2dcfd3eb67722e94d1
https://github.com/WebKit/WebKit/commit/2cba805545c3e4c006520b2dcfd3eb67722e94d1
Author: chirags27 <chirag_m_shah at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/grid-stylechange-crash-expected.txt
A LayoutTests/fast/css-grid-layout/grid-stylechange-crash.html
M Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp
M Source/WebCore/rendering/RenderGrid.cpp
M Source/WebCore/rendering/RenderGrid.h
Log Message:
-----------
Cherry-pick 252432.1044 at safari-7614-branch (22cbd76bcc96). rdar://104559684
Invalidate grid placement when style changes to subgrid
rdar://104559684
Reviewed by Jonathan Bedard and Matt Woodrow.
Before this change, we didn't invalidate parent and child placement
info, leading to an OOB read into the parent tracks information when
copying that to the child. This change fixes that.
* LayoutTests/fast/css-grid-layout/grid-stylechange-crash-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/grid-stylechange-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::styleDidChange):
(WebCore::RenderGrid::subgridDidChange const):
(WebCore::RenderGrid::dirtyGrid):
* Source/WebCore/rendering/RenderGrid.h:
* Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:
(WebCore::GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid):
Canonical link: https://commits.webkit.org/252432.1044@safari-7614-branch
Commit: 9de5616b9dd31d1d2e3ef9b25534926adc7dbe80
https://github.com/WebKit/WebKit/commit/9de5616b9dd31d1d2e3ef9b25534926adc7dbe80
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/JavaScriptCore/API/JSCallbackConstructor.h
M Source/JavaScriptCore/API/JSCallbackFunction.h
M Source/JavaScriptCore/API/JSClassRef.h
M Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h
M Source/JavaScriptCore/API/ObjCCallbackFunction.h
M Source/JavaScriptCore/runtime/ClassInfo.h
M Source/JavaScriptCore/runtime/Lookup.h
Log Message:
-----------
Cherry-pick 252432.1045 at safari-7614-branch (77446d5c727e). https://bugs.webkit.org/show_bug.cgi?id=248702
[Re-land] Add additional PAC diversity for function pointers in JSC API data structures as we do for vtbls.
https://bugs.webkit.org/show_bug.cgi?id=248702
<rdar://problem/102768157>
Reviewed by Yusuke Suzuki.
* Source/JavaScriptCore/API/JSCallbackConstructor.h:
* Source/JavaScriptCore/API/JSCallbackFunction.h:
* Source/JavaScriptCore/API/JSClassRef.h:
* Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h:
* Source/JavaScriptCore/API/ObjCCallbackFunction.h:
* Source/JavaScriptCore/runtime/ClassInfo.h:
* Source/JavaScriptCore/runtime/Lookup.h:
Canonical link: https://commits.webkit.org/252432.1045@safari-7614-branch
Commit: cd1fcbe5856a440ffdb75f3436b822f9af6b9d3e
https://github.com/WebKit/WebKit/commit/cd1fcbe5856a440ffdb75f3436b822f9af6b9d3e
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/WebCore/platform/mediastream/MediaConstraints.h
Log Message:
-----------
Cherry-pick 252432.1035 at safari-7614-branch (b9851bb36465). https://bugs.webkit.org/show_bug.cgi?id=250722
IPC hardening for MediaConstraint subclasses
https://bugs.webkit.org/show_bug.cgi?id=250722
rdar://103012405
Reviewed by Jonathan Bedard and David Kilzer.
Make sure we validate the constraint type whenever we IPC-deserialize a
MediaConstraint subclass.
* Source/WebCore/platform/mediastream/MediaConstraints.h:
(WebCore::NumericConstraint::decode):
(WebCore::StringConstraint::decode):
Canonical link: https://commits.webkit.org/252432.1035@safari-7614-branch
Commit: 7bb6ffcb673d68e8a881ccf6c9997edd6ff6782d
https://github.com/WebKit/WebKit/commit/7bb6ffcb673d68e8a881ccf6c9997edd6ff6782d
Author: Ryan Reno <rreno at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/JavaScriptCore/API/JSScript.mm
M Source/JavaScriptCore/API/JSScriptRef.cpp
M Source/JavaScriptCore/inspector/ScriptCallFrame.cpp
M Source/JavaScriptCore/inspector/ScriptCallFrame.h
M Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp
M Source/JavaScriptCore/interpreter/StackVisitor.cpp
M Source/JavaScriptCore/interpreter/StackVisitor.h
M Source/JavaScriptCore/parser/SourceProvider.cpp
M Source/JavaScriptCore/parser/SourceProvider.h
M Source/JavaScriptCore/runtime/CachedTypes.cpp
M Source/JavaScriptCore/runtime/ScriptExecutable.h
M Source/WebCore/bindings/js/CachedScriptSourceProvider.h
M Source/WebCore/bindings/js/ScriptBufferSourceProvider.h
M Source/WebCore/bindings/js/ScriptModuleLoader.cpp
M Source/WebCore/bindings/js/ScriptSourceCode.h
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/workers/WorkerGlobalScope.cpp
M Source/WebCore/workers/WorkerThread.cpp
Log Message:
-----------
Cherry-pick 259548.39 at safari-7615-branch (c68b7da0d9b4). https://bugs.webkit.org/show_bug.cgi?id=251282
Cross-Site Information Leak: CSP violation reports may contain a post-redirect URL
https://bugs.webkit.org/show_bug.cgi?id=251282
rdar://104753003
Reviewed by Yusuke Suzuki.
The source-file field of a CSP violation report may contain a URL which has sensitive data in the
query string if it was the result of a redirect. The CSP spec in non-normative terms suggests
that in the case of a redirect (such as a login flow which appends a login token) we should report
violations in the resulting resource with the pre-redirect URL to avoid cross-site information leaks
via the CSP reporting API.
Source/JavaScriptCore:
Plumbing code to make pre-redirect URLs available in ScriptCallStacks.
When a ScriptCallStack is created by the StackVisitor the ScriptCallFrame
objects will be populated with the pre-redirect URL by consulting the SourceProvider. WebCore
will conditionally set the preRedirectURL member if the resource was obtained via a redirected
response.
* Source/JavaScriptCore/API/JSScript.mm:
(-[JSScript sourceCode]):
* Source/JavaScriptCore/API/JSScriptRef.cpp:
* Source/JavaScriptCore/inspector/ScriptCallFrame.cpp:
(Inspector::ScriptCallFrame::ScriptCallFrame):
(Inspector::ScriptCallFrame::isEqual const):
* Source/JavaScriptCore/inspector/ScriptCallFrame.h:
* Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp:
(Inspector::CreateScriptCallStackFunctor::operator() const):
* Source/JavaScriptCore/interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::preRedirectURL const):
* Source/JavaScriptCore/interpreter/StackVisitor.h:
* Source/JavaScriptCore/parser/SourceProvider.cpp:
(JSC::SourceProvider::SourceProvider):
(JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider):
* Source/JavaScriptCore/parser/SourceProvider.h:
(JSC::SourceProvider::preRedirectURL const):
(JSC::StringSourceProvider::StringSourceProvider):
* Source/JavaScriptCore/runtime/CachedTypes.cpp:
(JSC::CachedSourceProviderShape::encode):
* Source/JavaScriptCore/runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::preRedirectURL const):
Source/WebCore:
This updates the constructors for ScriptSourceCode objects to pass
null strings for the preRedirectURL parameter. In the cases where we can detect
whether a redirect happened or not we pass the pre-redirect URL to the SourceProvider.
* Source/WebCore/bindings/js/CachedScriptSourceProvider.h:
(WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
* Source/WebCore/bindings/js/ScriptBufferSourceProvider.h:
* Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
(WebCore::ScriptModuleLoader::notifyFinished):
* Source/WebCore/bindings/js/ScriptSourceCode.h:
(WebCore::ScriptSourceCode::ScriptSourceCode):
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::importScripts):
* Source/WebCore/workers/WorkerThread.cpp:
(WebCore::WorkerThread::evaluateScriptIfNecessary):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation const):
To populate the source-file field of a CSP report we consult the
JavaScript call stack. The source URL of the frame may be the
result of a redirect in which case we should use the pre-redirect
URL in the report to avoid leaking potentially sensitive data in the post-redirect URL.
Canonical link: https://commits.webkit.org/259548.39@safari-7615-branch
Commit: 05d427aadc7e04abb2aa6e022c253f4a1d81edb5
https://github.com/WebKit/WebKit/commit/05d427aadc7e04abb2aa6e022c253f4a1d81edb5
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/mathml/mathmltoken-layout-crash-expected.txt
A LayoutTests/mathml/mathmltoken-layout-crash.html
M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp
Log Message:
-----------
Cherry-pick 259548.40 at safari-7615-branch (bf2c7c5b03b0). rdar://104598552
Fix layout for positioned children for RenderMathMLToken
rdar://104598552
Reviewed by Alan Baradlay.
Before this change, the layout method in RenderMathMLToken (<ms>) never
added positioned elements to the map for their container, which meant if
the positioned children are dirty, their layout will never be triggered.
This change fixes that by looking at direct children of
RenderMathMLToken and adding them to their container's positioned
elements map, so that their layout happens as expected.
* LayoutTests/mathml/mathmltoken-layout-crash-expected.txt: Added.
* LayoutTests/mathml/mathmltoken-layout-crash.html: Added.
* Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
(WebCore::RenderMathMLToken::layoutBlock):
Canonical link: https://commits.webkit.org/259548.40@safari-7615-branch
Commit: 3c873d87cdfafd3dbdb754229b1fa684a3478b2e
https://github.com/WebKit/WebKit/commit/3c873d87cdfafd3dbdb754229b1fa684a3478b2e
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
Cherry-pick 259548.45 at safari-7615-branch (9930b53ebce1). https://bugs.webkit.org/show_bug.cgi?id=251741
[JSC] RegExp.test inline is missing another stack overflow checks
https://bugs.webkit.org/show_bug.cgi?id=251741
rdar://104072550
Reviewed by Mark Lam.
Converted the ASSERT(!m_failureReason) into a check that when true will bail out of the inline code
and call out to the C++ operation. This check handles any errors while compiling the RegExp pattern
into YarrJIT IR during the processing of opCompileBody().
I also audited all of the other possible error cases that the YarrJIT might produce and they are already
handled by this and the prior change.
The current test already covers this case.
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
Canonical link: https://commits.webkit.org/259548.45@safari-7615-branch
Commit: bf3fe6d6b5fc47936b613f056d9e62ba9e9001ff
https://github.com/WebKit/WebKit/commit/bf3fe6d6b5fc47936b613f056d9e62ba9e9001ff
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/WTF/wtf/PlatformUse.h
M Source/WebCore/page/MemoryRelease.cpp
M Source/WebCore/platform/audio/HRTFElevation.cpp
M Source/WebCore/platform/audio/HRTFElevation.h
Log Message:
-----------
Cherry-pick 259548.46 at safari-7615-branch (a00a15e7abe0). https://bugs.webkit.org/show_bug.cgi?id=251643
Fix various issues with HRTFElevation's getConcatenatedImpulseResponsesForSubject()
https://bugs.webkit.org/show_bug.cgi?id=251643
rdar://104980786
Reviewed by Eric Carlson.
Fix various issues with HRTFElevation's getConcatenatedImpulseResponsesForSubject():
- Add a lock to synchronize access to the global HashMap of AudioBus objects
since this may get called from different threads.
- Make sure we call isolatedCopy() on the String key before adding it to the HashMap
for thread safety.
- Make sure we clear this global HashMap on critical memory pressure to free up
memory.
- Use smart pointers instead of raw pointers.
- Modernize the code a bit.
* Source/WTF/wtf/PlatformUse.h:
* Source/WebCore/page/MemoryRelease.cpp:
(WebCore::releaseCriticalMemory):
* Source/WebCore/platform/audio/HRTFElevation.cpp:
(WebCore::WTF_REQUIRES_LOCK):
(WebCore::getConcatenatedImpulseResponsesForSubject):
(WebCore::HRTFElevation::clearCache):
(WebCore::HRTFElevation::calculateKernelsForAzimuthElevation):
* Source/WebCore/platform/audio/HRTFElevation.h:
Canonical link: https://commits.webkit.org/259548.46@safari-7615-branch
Commit: 7c80400775dac09ac5d349aad3577aa8768b4bd2
https://github.com/WebKit/WebKit/commit/7c80400775dac09ac5d349aad3577aa8768b4bd2
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A JSTests/stress/arguments-elimination-should-happen-only-when-stack-slot-is-available-at-replacement-site.js
M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
Log Message:
-----------
Cherry-pick 259548.47 at safari-7615-branch (0f2c12121b0a). https://bugs.webkit.org/show_bug.cgi?id=251640
[JSC] FTL arguments elimination should ensure that replacement sites can access to original stack slots
https://bugs.webkit.org/show_bug.cgi?id=251640
rdar://99273500
Reviewed by Mark Lam.
FTL arguments elimination does analysis and attempts to eliminate arguments allocation if it is not escaped.
We emit stack access at `arguments[0]` site for example, and remove `arguments` allocations.
But important thing is that stack slots used for the `arguments` need to be available at `arguments[0]` access site.
Since we are using stack slots for different purpose when inlining different functions, it is possible that the given
stack slot is no longer available when using `arguments[0]`. For example,
function a() { return arguments; }
function b() { do-something }
var arg = a()
b();
arg[0]; // If both "a" and "b" are inlined, stack slots used for inlined "a" can be used for the other purpose for "b"
// As a result, it is possible that the slot is not available at `arg[0]` access point.
We were doing stack slot interference analysis to avoid the above problem[1]. However, it was not a complete solution since it is only
checking block-local status. So if we have a branch between a() and arg[0], this analysis didn't work. The attached test
"arguments-elimination-should-happen-only-when-stack-slot-is-available-at-replacement-site.js" is literally doing this.
function empty() {}
function bar2(...a0) {
    return a0;
}
function foo() {
    let xs = bar2(undefined);
    '' == 1 && 0;
    return empty(...xs, undefined);
}
Between bar2 and the `...xs` site, we have a branch due to &&. And at the "...xs" site, the stack slot was no longer available.
In this patch, we replace our existing interference analysis with the revised fix. We use OSR availability which can describe the
state of each stack slot. For all arguments, initially, it is flushed state with a node. Then, when a slot gets unavailable or overridden,
we can see the availability change, which no longer points at the same node.
We first do this OSR availability analysis and capture the availability map of each candidate. And then, we analyze whether replacement sites
are still seeing the same availability for arguments. And if it becomes different, we remove the candidate from the optimization target. This change
simplifies our analysis significantly, and makes it procedure-global (the previous one was block-local).
[1]: https://commits.webkit.org/212536@main
* JSTests/stress/arguments-elimination-should-happen-only-when-stack-slot-is-available-at-replacement-site.js: Added.
(empty):
(bar2):
(foo):
(main):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
Canonical link: https://commits.webkit.org/259548.47@safari-7615-branch
Commit: 15221b26a20a1a5453a2bce95386b441db9ce5e5
https://github.com/WebKit/WebKit/commit/15221b26a20a1a5453a2bce95386b441db9ce5e5
Author: Antti Koivisto <antti at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/fast/css/display-contents-slot-to-none-expected.txt
A LayoutTests/fast/css/display-contents-slot-to-none.html
M Source/WebCore/style/StyleTreeResolver.cpp
Log Message:
-----------
Cherry-pick 259548.51 at safari-7615-branch (44f75343da9e). https://bugs.webkit.org/show_bug.cgi?id=251788
[be894cadcf68a52a] (REGRESSION 256601 at main) ASAN_SEGV | WebCore::RenderObject::pushOntoGeometryMap; WebCore::RenderInline::pushMappingToContainer;
https://bugs.webkit.org/show_bug.cgi?id=251788
rdar://104793275
Reviewed by Alan Baradlay.
* LayoutTests/fast/css/display-contents-slot-to-none-expected.txt: Added.
* LayoutTests/fast/css/display-contents-slot-to-none.html: Added.
* Source/WebCore/style/StyleTreeResolver.cpp:
(WebCore::Style::affectsRenderedSubtree):
We may have had display:contents before and a rendered subtree may still be affected.
Canonical link: https://commits.webkit.org/259548.51@safari-7615-branch
Commit: 7eb6a2388c5eb547eafc8f8dc51b1ad33bf0c52c
https://github.com/WebKit/WebKit/commit/7eb6a2388c5eb547eafc8f8dc51b1ad33bf0c52c
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt
A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html
M Source/WebCore/rendering/RenderObject.cpp
M Source/WebCore/rendering/RenderObject.h
Log Message:
-----------
Cherry-pick 256843.7 at webkit-2022.12-embargoed (3b92d70ba3ea). https://bugs.webkit.org/show_bug.cgi?id=245374
Do not skip fragmented flow thread descendants
https://bugs.webkit.org/show_bug.cgi?id=245374
rdar://98438399
Reviewed by Alan Baradlay.
Do not skip fragmented flow thread descendants in initializeFragmentedFlowStateOnInsertion
since its children may have a different state based on the inserted fragmented
flow thread. When a fragmented flow thread is removed there is no effect on the inner
fragmented flow threads so that behaviour is unchanged.
* LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt: Added.
* LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html: Added.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
(WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
* Source/WebCore/rendering/RenderObject.h:
Canonical link: https://commits.webkit.org/256843.7@webkit-2022.12-embargoed
Commit: af00482e65a46fc7081f5ffe04a19c4efcbfc888
https://github.com/WebKit/WebKit/commit/af00482e65a46fc7081f5ffe04a19c4efcbfc888
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html
A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html
M Source/WebCore/rendering/RenderLayer.cpp
Log Message:
-----------
Cherry-pick 256843.8 at webkit-2022.12-embargoed (fe2f16c1dabe). https://bugs.webkit.org/show_bug.cgi?id=251013
Recalculate normal flow value in RenderLayer::establishesTopLayerDidChange
https://bugs.webkit.org/show_bug.cgi?id=251013
Reviewed by Tim Nguyen.
In RenderLayer::rebuildZOrderLists the RenderView layer makes sure the layers for dialogs/top-level elements are appended after
everything else in the positive z-order list. When removing the dialog layer, dirtyPaintOrderListsOnChildChange will be called
and since it is not a normal only flow everything will be handled correctly through dirtyStackingContextZOrderLists.
In the test case the behaviour is the same until dirtyPaintOrderListsOnChildChange is called on the dialog layer removal. Now that
layer to be removed *is* a normal only flow (the element is no longer positioned and has non-visible overflow, see
RenderLayer::shouldBeNormalFlowOnly). This means the positive z-order list is unchanged and the deleted layer is still part of it.
When the test cleanup code does a final repaint, the RenderView positive z-order list is processed as normal and when trying to
access the deleted layer the UAF happens.
To fix this, make sure the normal flow value is correct when adding the layer in RenderLayer::establishesTopLayerDidChange.
* LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html: Added.
* LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html: Added.
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::establishesTopLayerDidChange):
Canonical link: https://commits.webkit.org/256843.8@webkit-2022.12-embargoed
Commit: 609a757e7ead7f7d3fcdf1ee933fe8026dbbc273
https://github.com/WebKit/WebKit/commit/609a757e7ead7f7d3fcdf1ee933fe8026dbbc273
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/fast/css/content/content-on-focus-change-expected.txt
A LayoutTests/fast/css/content/content-on-focus-change.html
Log Message:
-----------
Cherry-pick 256843.9 at webkit-2022.12-embargoed (4c3dcd480f7e). https://bugs.webkit.org/show_bug.cgi?id=251014
Test display contents change on focus change
https://bugs.webkit.org/show_bug.cgi?id=251014
Reviewed by Tim Nguyen.
* LayoutTests/fast/css/content/content-on-focus-change-expected.txt: Added.
* LayoutTests/fast/css/content/content-on-focus-change.html: Added.
Canonical link: https://commits.webkit.org/256843.9@webkit-2022.12-embargoed
Commit: 5ea8890b91b50227353a707982f16dafce0a6cc6
https://github.com/WebKit/WebKit/commit/5ea8890b91b50227353a707982f16dafce0a6cc6
Author: Matt Woodrow <mattwoodrow at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp
M Source/WebCore/animation/KeyframeEffect.cpp
M Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp
M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h
Log Message:
-----------
Cherry-pick 259548.70 at safari-7615-branch (4f0cd71e42b8). https://bugs.webkit.org/show_bug.cgi?id=247835
Fix use of uninitialized memory in TransformationMatrix decompose()
https://bugs.webkit.org/show_bug.cgi?id=247835
<rdar://102263762>
Reviewed by Dean Jackson.
Fixes decompose4 to check for a failing return value from inverse, and early returns, rather
than continuing with the output matrix uninitialized.
Also adds WARN_UNUSED_RETURN to decompose2/4 to ensure that all callers handle this case.
* Source/WebCore/Modules/webxr/WebXRRigidTransform.cpp:
(WebCore::m_rawTransform):
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::computeTransformedExtentViaTransformList const):
(WebCore::KeyframeEffect::computeTransformedExtentViaMatrix const):
* Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp:
(WebCore::RotateTransformOperation::blend):
* Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:
(WebCore::decompose4):
* Source/WebCore/platform/graphics/transforms/TransformationMatrix.h:
Canonical link: https://commits.webkit.org/259548.70@safari-7615-branch
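As an added illustration of the pattern this commit describes (not WebKit's code), here is a constructed 2D analogue: a 3x3 homogeneous matrix whose decomposition needs an inverse in its perspective step, with the failure propagated through an early return and a `[[nodiscard]]` attribute standing in for WARN_UNUSED_RETURN. `Mat3`, `Decomposed2D`, `inverse` and `decompose2D` are all hypothetical names for this example.

```cpp
#include <array>
#include <cmath>
#include <optional>
// Constructed example, not WebKit's TransformationMatrix: 3x3 matrix acting on column vectors.
using Mat3 = std::array<std::array<double, 3>, 3>; // m[row][col]
struct Decomposed2D {
    double translateX = 0, translateY = 0, scaleX = 1, scaleY = 1, rotation = 0;
    std::array<double, 3> perspective { 0, 0, 1 };
};
// General 3x3 inverse via cofactors; nullopt when the matrix is singular.
std::optional<Mat3> inverse(const Mat3& m)
{
    Mat3 c; // cofactors: for 3x3 the cyclic index trick yields the signed minors directly
    for (int i = 0; i < 3; ++i) for (int j = 0; j < 3; ++j)
        c[i][j] = m[(i + 1) % 3][(j + 1) % 3] * m[(i + 2) % 3][(j + 2) % 3]
                - m[(i + 1) % 3][(j + 2) % 3] * m[(i + 2) % 3][(j + 1) % 3];
    double det = m[0][0] * c[0][0] + m[0][1] * c[0][1] + m[0][2] * c[0][2];
    if (std::fabs(det) < 1e-12)
        return std::nullopt;
    Mat3 inv; // adjugate (transposed cofactors) over the determinant
    for (int i = 0; i < 3; ++i) for (int j = 0; j < 3; ++j) inv[i][j] = c[j][i] / det;
    return inv;
}
// [[nodiscard]] stands in for WARN_UNUSED_RETURN: on false, `out` is never written, so a
// caller that ignores the result would read unset values, which is the bug the commit fixes.
[[nodiscard]] bool decompose2D(Mat3 m, Decomposed2D& out)
{
    double w = m[2][2];
    if (std::fabs(w) < 1e-12)
        return false;
    for (auto& row : m) for (auto& v : row) v /= w; // normalise so the last entry is 1
    Decomposed2D result;
    if (m[2][0] != 0 || m[2][1] != 0) {
        // perspective = inverse(transpose(a)) * lastRow, a = m with its perspective row cleared;
        // inverse(transpose(a)) == transpose(inverse(a)), so index the inverse transposed below.
        Mat3 a = m;
        a[2] = { 0, 0, 1 };
        auto inv = inverse(a);
        if (!inv)
            return false; // the early return the commit adds instead of continuing with unset output
        for (int i = 0; i < 3; ++i)
            result.perspective[i] = (*inv)[0][i] * m[2][0] + (*inv)[1][i] * m[2][1] + (*inv)[2][i] * m[2][2];
    }
    result.translateX = m[0][2]; result.translateY = m[1][2];
    result.scaleX = std::hypot(m[0][0], m[1][0]); result.scaleY = std::hypot(m[0][1], m[1][1]);
    result.rotation = std::atan2(m[1][0], m[0][0]);
    out = result;
    return true;
}
```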
Commit: b7022b490b4d1ca840f5ff2c423b49da5e33b77d
https://github.com/WebKit/WebKit/commit/b7022b490b4d1ca840f5ff2c423b49da5e33b77d
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
A LayoutTests/mathml/mathml-mover-layout-crash-expected.txt
A LayoutTests/mathml/mathml-mover-layout-crash.html
M LayoutTests/platform/mac-wk2/TestExpectations
M LayoutTests/platform/wpe/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
M Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp
Log Message:
-----------
Cherry-pick 259548.74 at safari-7615-branch (25cddfa82335). rdar://105071050
Fix layout for positioned children for RenderMathMLUnderOver
rdar://105071050
Reviewed by Alan Baradlay.
Before this change, the layout method in RenderMathMLUnderOver (<mover>) never
added positioned elements to the map for their container, which meant if
the positioned children are dirty, their layout will never be triggered.
This change fixes that by looking at direct children of
RenderMathMLUnderOver and adding them to their container's positioned
elements map, so that their layout happens as expected.
* LayoutTests/mathml/mathml-mover-layout-crash-expected.txt: Added.
* LayoutTests/mathml/mathml-mover-layout-crash.html: Added.
* Source/WebCore/rendering/mathml/RenderMathMLUnderOver.cpp:
(WebCore::RenderMathMLUnderOver::layoutBlock):
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt:
* LayoutTests/platform/mac-wk2/TestExpectations:
Canonical link: https://commits.webkit.org/259548.74@safari-7615-branch
Commit: e891766050ad4bbef9e5094f70850ab9f536d0a6
https://github.com/WebKit/WebKit/commit/e891766050ad4bbef9e5094f70850ab9f536d0a6
Author: Przemyslaw Gorszkowski <pgorszkowski at igalia.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/WebKit/UIProcess/API/glib/WebKitUIClient.cpp
Log Message:
-----------
Cherry-pick 262493 at main (9603260a265d). https://bugs.webkit.org/show_bug.cgi?id=254512
Fix typo in default database quota definition
https://bugs.webkit.org/show_bug.cgi?id=254512
Reviewed by Michael Catanzaro.
The current definition of the default database quota is wrongly
specified.
The fix uses MB constexpr to make it more obvious.
* Source/WebKit/UIProcess/API/glib/WebKitUIClient.cpp:
Canonical link: https://commits.webkit.org/262493@main
Commit: 3cddc44be34485ba7f835387b50d12ae6bc897d9
https://github.com/WebKit/WebKit/commit/3cddc44be34485ba7f835387b50d12ae6bc897d9
Author: Adrian Perez de Castro <aperez at igalia.com>
Date: 2023-04-03 (Mon, 03 Apr 2023)
Changed paths:
M Source/WebKit/UIProcess/API/glib/WebKitProtocolHandler.cpp
Log Message:
-----------
Cherry-pick 262504 at main (6a3c0713422d). https://bugs.webkit.org/show_bug.cgi?id=254913
[GLib] Crash opening webkit://gpu when XDG_CURRENT_DESKTOP is undefined
https://bugs.webkit.org/show_bug.cgi?id=254913
Reviewed by Philippe Normand.
* Source/WebKit/UIProcess/API/glib/WebKitProtocolHandler.cpp:
(WebKit::WebKitProtocolHandler::handleGPU): Check whether picking
XDG_CURRENT_DESKTOP from the environment returns non-null and the
variable is not empty before using it.
Canonical link: https://commits.webkit.org/262504@main
Compare: https://github.com/WebKit/WebKit/compare/c71b43dd393b...3cddc44be344