[webkit-changes] [WebKit/WebKit] 25ed9b: Cherry-pick 259548.75 at safari-7615-branch (22b0e734...
kkang-wr
noreply at github.com
Tue Apr 4 04:22:56 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 25ed9bc731eb38b1391c3cab625e90d4b87735dd
https://github.com/WebKit/WebKit/commit/25ed9bc731eb38b1391c3cab625e90d4b87735dd
Author: Simon Fraser <simon.fraser at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebCore/page/scrolling/ScrollingTree.cpp
M Source/WebCore/page/scrolling/ScrollingTree.h
M Source/WebCore/page/scrolling/ScrollingTreeFixedNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreeFixedNode.h
M Source/WebCore/page/scrolling/ScrollingTreeFrameHostingNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreeFrameHostingNode.h
M Source/WebCore/page/scrolling/ScrollingTreeFrameScrollingNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreeFrameScrollingNode.h
M Source/WebCore/page/scrolling/ScrollingTreeNode.h
M Source/WebCore/page/scrolling/ScrollingTreeOverflowScrollProxyNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreeOverflowScrollProxyNode.h
M Source/WebCore/page/scrolling/ScrollingTreePositionedNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreePositionedNode.h
M Source/WebCore/page/scrolling/ScrollingTreeScrollingNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreeScrollingNode.h
M Source/WebCore/page/scrolling/ScrollingTreeStickyNode.cpp
M Source/WebCore/page/scrolling/ScrollingTreeStickyNode.h
M Source/WebCore/page/scrolling/cocoa/ScrollingTreeFixedNodeCocoa.h
M Source/WebCore/page/scrolling/cocoa/ScrollingTreeFixedNodeCocoa.mm
M Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNodeCocoa.h
M Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNodeCocoa.mm
M Source/WebCore/page/scrolling/cocoa/ScrollingTreePositionedNodeCocoa.h
M Source/WebCore/page/scrolling/cocoa/ScrollingTreePositionedNodeCocoa.mm
M Source/WebCore/page/scrolling/cocoa/ScrollingTreeStickyNodeCocoa.h
M Source/WebCore/page/scrolling/cocoa/ScrollingTreeStickyNodeCocoa.mm
M Source/WebCore/page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.h
M Source/WebCore/page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.mm
M Source/WebCore/page/scrolling/mac/ScrollingTreeOverflowScrollingNodeMac.h
M Source/WebCore/page/scrolling/mac/ScrollingTreeOverflowScrollingNodeMac.mm
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeFixedNodeNicosia.cpp
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeFixedNodeNicosia.h
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeFrameScrollingNodeNicosia.cpp
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeFrameScrollingNodeNicosia.h
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollProxyNodeNicosia.cpp
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollProxyNodeNicosia.h
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollingNodeNicosia.cpp
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollingNodeNicosia.h
M Source/WebCore/page/scrolling/nicosia/ScrollingTreePositionedNodeNicosia.cpp
M Source/WebCore/page/scrolling/nicosia/ScrollingTreePositionedNodeNicosia.h
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeStickyNodeNicosia.cpp
M Source/WebCore/page/scrolling/nicosia/ScrollingTreeStickyNodeNicosia.h
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.cpp
M Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeFrameScrollingNodeRemoteIOS.h
M Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeFrameScrollingNodeRemoteIOS.mm
M Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeOverflowScrollingNodeIOS.h
M Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeOverflowScrollingNodeIOS.mm
M Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeFrameScrollingNodeRemoteMac.cpp
M Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeFrameScrollingNodeRemoteMac.h
M Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeOverflowScrollingNodeRemoteMac.cpp
M Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeOverflowScrollingNodeRemoteMac.h
Log Message:
-----------
Cherry-pick 259548.75 at safari-7615-branch (22b0e73428bb). https://bugs.webkit.org/show_bug.cgi?id=251969
[CoreIPC] Type confusion bug in ScrollingTree::updateTreeFromStateNodeRecursive
https://bugs.webkit.org/show_bug.cgi?id=251969
rdar://102603165
Reviewed by Ryosuke Niwa.
Make sure we type-check before all the downcast<> calls in code under scrolling tree commits.
If a type-check fails, MESSAGE_CHECK in RemoteScrollingCoordinatorProxy::commitScrollingTree().
commitStateBeforeChildren() and commitStateAfterChildren() on all the scrolling tree node classes
now return bool, indicating success or failure.
* Source/WebCore/page/scrolling/ScrollingTree.cpp:
(WebCore::ScrollingTree::commitTreeState):
(WebCore::ScrollingTree::updateTreeFromStateNodeRecursive):
* Source/WebCore/page/scrolling/ScrollingTree.h:
* Source/WebCore/page/scrolling/ScrollingTreeFixedNode.cpp:
(WebCore::ScrollingTreeFixedNode::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/ScrollingTreeFixedNode.h:
* Source/WebCore/page/scrolling/ScrollingTreeFrameHostingNode.cpp:
(WebCore::ScrollingTreeFrameHostingNode::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/ScrollingTreeFrameHostingNode.h:
* Source/WebCore/page/scrolling/ScrollingTreeFrameScrollingNode.cpp:
(WebCore::ScrollingTreeFrameScrollingNode::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/ScrollingTreeFrameScrollingNode.h:
* Source/WebCore/page/scrolling/ScrollingTreeNode.h:
(WebCore::ScrollingTreeNode::commitStateAfterChildren):
* Source/WebCore/page/scrolling/ScrollingTreeOverflowScrollProxyNode.cpp:
(WebCore::ScrollingTreeOverflowScrollProxyNode::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/ScrollingTreeOverflowScrollProxyNode.h:
* Source/WebCore/page/scrolling/ScrollingTreePositionedNode.cpp:
(WebCore::ScrollingTreePositionedNode::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/ScrollingTreePositionedNode.h:
* Source/WebCore/page/scrolling/ScrollingTreeScrollingNode.cpp:
(WebCore::ScrollingTreeScrollingNode::commitStateBeforeChildren):
(WebCore::ScrollingTreeScrollingNode::commitStateAfterChildren):
* Source/WebCore/page/scrolling/ScrollingTreeScrollingNode.h:
* Source/WebCore/page/scrolling/ScrollingTreeStickyNode.cpp:
(WebCore::ScrollingTreeStickyNode::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/ScrollingTreeStickyNode.h:
* Source/WebCore/page/scrolling/cocoa/ScrollingTreeFixedNodeCocoa.h:
* Source/WebCore/page/scrolling/cocoa/ScrollingTreeFixedNodeCocoa.mm:
(WebCore::ScrollingTreeFixedNodeCocoa::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNodeCocoa.h:
* Source/WebCore/page/scrolling/cocoa/ScrollingTreeOverflowScrollProxyNodeCocoa.mm:
(WebCore::ScrollingTreeOverflowScrollProxyNodeCocoa::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/cocoa/ScrollingTreePositionedNodeCocoa.h:
* Source/WebCore/page/scrolling/cocoa/ScrollingTreePositionedNodeCocoa.mm:
(WebCore::ScrollingTreePositionedNodeCocoa::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/cocoa/ScrollingTreeStickyNodeCocoa.h:
* Source/WebCore/page/scrolling/cocoa/ScrollingTreeStickyNodeCocoa.mm:
(WebCore::ScrollingTreeStickyNodeCocoa::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.h:
* Source/WebCore/page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.mm:
(WebCore::ScrollingTreeFrameScrollingNodeMac::commitStateBeforeChildren):
(WebCore::ScrollingTreeFrameScrollingNodeMac::commitStateAfterChildren):
* Source/WebCore/page/scrolling/mac/ScrollingTreeOverflowScrollingNodeMac.h:
* Source/WebCore/page/scrolling/mac/ScrollingTreeOverflowScrollingNodeMac.mm:
(WebCore::ScrollingTreeOverflowScrollingNodeMac::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeFixedNodeNicosia.cpp:
(WebCore::ScrollingTreeFixedNodeNicosia::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeFixedNodeNicosia.h:
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeFrameScrollingNodeNicosia.cpp:
(WebCore::ScrollingTreeFrameScrollingNodeNicosia::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeFrameScrollingNodeNicosia.h:
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollProxyNodeNicosia.cpp:
(WebCore::ScrollingTreeOverflowScrollProxyNodeNicosia::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollProxyNodeNicosia.h:
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollingNodeNicosia.cpp:
(WebCore::ScrollingTreeOverflowScrollingNodeNicosia::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeOverflowScrollingNodeNicosia.h:
* Source/WebCore/page/scrolling/nicosia/ScrollingTreePositionedNodeNicosia.cpp:
(WebCore::ScrollingTreePositionedNodeNicosia::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreePositionedNodeNicosia.h:
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeStickyNodeNicosia.cpp:
(WebCore::ScrollingTreeStickyNodeNicosia::commitStateBeforeChildren):
* Source/WebCore/page/scrolling/nicosia/ScrollingTreeStickyNodeNicosia.h:
* Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.cpp:
(WebKit::RemoteScrollingCoordinatorProxy::commitScrollingTreeState):
* Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeFrameScrollingNodeRemoteIOS.h:
* Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeFrameScrollingNodeRemoteIOS.mm:
(WebKit::ScrollingTreeFrameScrollingNodeRemoteIOS::commitStateBeforeChildren):
(WebKit::ScrollingTreeFrameScrollingNodeRemoteIOS::commitStateAfterChildren):
* Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeOverflowScrollingNodeIOS.h:
* Source/WebKit/UIProcess/RemoteLayerTree/ios/ScrollingTreeOverflowScrollingNodeIOS.mm:
(WebKit::ScrollingTreeOverflowScrollingNodeIOS::commitStateBeforeChildren):
(WebKit::ScrollingTreeOverflowScrollingNodeIOS::commitStateAfterChildren):
* Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeFrameScrollingNodeRemoteMac.cpp:
(WebKit::ScrollingTreeFrameScrollingNodeRemoteMac::commitStateBeforeChildren):
* Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeFrameScrollingNodeRemoteMac.h:
* Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeOverflowScrollingNodeRemoteMac.cpp:
(WebKit::ScrollingTreeOverflowScrollingNodeRemoteMac::commitStateBeforeChildren):
* Source/WebKit/UIProcess/RemoteLayerTree/mac/ScrollingTreeOverflowScrollingNodeRemoteMac.h:
Canonical link: https://commits.webkit.org/259548.75@safari-7615-branch
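The pattern this commit describes, as an added illustration that is not WebKit's code: a scrolling-tree commit arrives over IPC from the web process, each state node naming a node ID and a node type, and the UI process must compare that claim against the dynamic type of the node it already holds before casting. The node kinds, fields and the `Tree`, `StateNode` and `commitStateNodes` names below are assumptions modelled loosely on the classes in the changed paths; `static_cast` stands in for an unchecked `downcast<>`, and a `bool` return stands in for the `MESSAGE_CHECK` that WebKit applies in `RemoteScrollingCoordinatorProxy`.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <utility>
#include <vector>

// Node kinds. Names follow the classes in the changed paths; the layouts are
// invented for this example.
enum class NodeType : uint8_t { FrameScrolling, OverflowScrolling, Fixed, Sticky, Positioned };

// A node in the UI-process tree, looked up by an ID the sending process chooses.
struct TreeNode {
    virtual ~TreeNode() = default;
    virtual NodeType type() const = 0;
    uint64_t id = 0;
};

struct ScrollingNode : TreeNode {
    NodeType kind;
    int scrollPositionX = 0;                    // field that only scrolling nodes have
    explicit ScrollingNode(NodeType k) : kind(k) {}
    NodeType type() const override { return kind; }
};

struct FixedNode : TreeNode {
    std::vector<uint8_t> viewportConstraints;   // a different layout at the same offsets
    NodeType type() const override { return NodeType::Fixed; }
};

// What a state-node commit carries over IPC: the sender's claim about the
// node's type plus the state to apply.
struct StateNode {
    uint64_t id;
    NodeType claimedType;
    int scrollPositionX;
};

class Tree {
public:
    std::map<uint64_t, std::unique_ptr<TreeNode>> nodes;

    // Pre-fix shape: trusts claimedType and casts unconditionally. The
    // static_cast plays the role of an unchecked downcast<>(); if node `id`
    // is really a FixedNode, the write lands inside viewportConstraints'
    // internal pointers. Kept for contrast; nothing below calls it.
    void commitUnchecked(const StateNode& s) {
        auto it = nodes.find(s.id);
        if (it == nodes.end())
            return;
        if (s.claimedType == NodeType::FrameScrolling)
            static_cast<ScrollingNode*>(it->second.get())->scrollPositionX = s.scrollPositionX;
    }

    // Post-fix shape: compare the node's real type with the claim first and
    // report failure instead of casting. WebKit's caller turns that failure
    // into a MESSAGE_CHECK against the sending process; here it is a bool.
    bool commitChecked(const StateNode& s) {
        auto it = nodes.find(s.id);
        if (it == nodes.end())
            return false;
        TreeNode& node = *it->second;
        if (node.type() != s.claimedType)
            return false;                       // type check failed: no downcast
        if (s.claimedType == NodeType::FrameScrolling)
            static_cast<ScrollingNode&>(node).scrollPositionX = s.scrollPositionX; // safe: type verified
        return true;
    }
};

// Apply a whole commit; one failed type check rejects the entire batch.
bool commitStateNodes(Tree& tree, const std::vector<StateNode>& batch) {
    for (const StateNode& s : batch)
        if (!tree.commitChecked(s))
            return false;
    return true;
}

// Constructed sample tree: node 1 is a frame-scrolling node, node 2 is fixed.
Tree makeSampleTree() {
    Tree t;
    std::unique_ptr<ScrollingNode> a(new ScrollingNode(NodeType::FrameScrolling));
    a->id = 1;
    std::unique_ptr<FixedNode> b(new FixedNode());
    b->id = 2;
    t.nodes[1] = std::move(a);
    t.nodes[2] = std::move(b);
    return t;
}

// Outcomes as return values rather than printed output.
int scrollPositionAfterValidCommit() {
    Tree t = makeSampleTree();
    t.commitChecked(StateNode{1, NodeType::FrameScrolling, 42});
    return static_cast<ScrollingNode&>(*t.nodes[1]).scrollPositionX;
}
bool mismatchedClaimRejected() {
    Tree t = makeSampleTree();                  // node 2 is a FixedNode
    return !t.commitChecked(StateNode{2, NodeType::FrameScrolling, 7});
}
bool wellTypedBatchAccepted() {
    Tree t = makeSampleTree();
    std::vector<StateNode> batch{ StateNode{1, NodeType::FrameScrolling, 1}, StateNode{2, NodeType::Fixed, 0} };
    return commitStateNodes(t, batch);
}
bool batchWithOneBadClaimRejected() {
    Tree t = makeSampleTree();
    std::vector<StateNode> batch{ StateNode{1, NodeType::FrameScrolling, 1}, StateNode{2, NodeType::Sticky, 0} };
    return !commitStateNodes(t, batch);
}
```

The check has to run against the node's dynamic type, not against anything the message says about itself, because both the ID and the claimed type are attacker-controlled once the web process is compromised; failing the whole commit on the first mismatch avoids applying a half-committed tree.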
Commit: f0763ecd1d667640b628b647754b9582be986101
https://github.com/WebKit/WebKit/commit/f0763ecd1d667640b628b647754b9582be986101
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/fast/css/style-update-timer-crash-expected.txt
A LayoutTests/fast/css/style-update-timer-crash.html
M Source/WebCore/style/StyleScope.cpp
Log Message:
-----------
Cherry-pick 259548.153 at safari-7615-branch (c49d1e6e50a4). https://bugs.webkit.org/show_bug.cgi?id=252091
Hold reference to shadowRoot and document when timer is triggered
https://bugs.webkit.org/show_bug.cgi?id=252091
rdar://105115603
Reviewed by Ryosuke Niwa.
This change fixes the issue where a Style::Scope can get deallocated
when the timer is fired, leading to a use-after-free. The fix holds onto
the shadowRoot and document in question, both of which own the
Style::Scope object.
* LayoutTests/fast/css/style-update-timer-crash-expected.txt: Added.
* LayoutTests/fast/css/style-update-timer-crash.html: Added.
* Source/WebCore/style/StyleScope.cpp:
(WebCore::Style::Scope::pendingUpdateTimerFired):
Canonical link: https://commits.webkit.org/259548.153@safari-7615-branch
Commit: acf989260c1e2cdddd160bf696a5c2f3e833cedb
https://github.com/WebKit/WebKit/commit/acf989260c1e2cdddd160bf696a5c2f3e833cedb
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt
A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html
Log Message:
-----------
Cherry-pick 256843.10 at webkit-2022.12-embargoed (b7f9b7f4679b). https://bugs.webkit.org/show_bug.cgi?id=248772
Add test for element's display contents change on sibling removal
https://bugs.webkit.org/show_bug.cgi?id=248772
Reviewed by Tim Nguyen.
This was already fixed with #248776, but add the test for completeness.
* LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt: Added.
* LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html: Added.
Canonical link: https://commits.webkit.org/256843.10@webkit-2022.12-embargoed
Commit: bb8f6d4ce717d151b02250760cd1d5c3bd2999a0
https://github.com/WebKit/WebKit/commit/bb8f6d4ce717d151b02250760cd1d5c3bd2999a0
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt
A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html
Log Message:
-----------
Cherry-pick 256843.11 at webkit-2022.12-embargoed (7d616c4d06eb). https://bugs.webkit.org/show_bug.cgi?id=245377
Add crash test for disconnected frame switching to eager
https://bugs.webkit.org/show_bug.cgi?id=245377
Reviewed by Ryosuke Niwa.
Add crash test for disconnected frame switching to eager.
* LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt: Added.
* LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html: Added.
Canonical link: https://commits.webkit.org/256843.11@webkit-2022.12-embargoed
Commit: 0f42f77d61982b075eaf3d86ebc8e7c62d984962
https://github.com/WebKit/WebKit/commit/0f42f77d61982b075eaf3d86ebc8e7c62d984962
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
Log Message:
-----------
Cherry-pick 259548.185 at safari-7615-branch (41af95f8b4e7). https://bugs.webkit.org/show_bug.cgi?id=252200
Clear the resource counter when releasingResources
https://bugs.webkit.org/show_bug.cgi?id=252200
rdar://104908871
Reviewed by Chris Dumez.
SubresourceLoader will clear the m_resource after releasing it, but the
resource counter still holds a raw pointer to it. This causes a UAF
issue. This fix clears the resource counter so that we don't end up
using it after releasing the resource.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::releaseResources):
Canonical link: https://commits.webkit.org/259548.185@safari-7615-branch
Commit: 9731b18d6346bfdbce281e353d835ddb474a27c4
https://github.com/WebKit/WebKit/commit/9731b18d6346bfdbce281e353d835ddb474a27c4
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
M Source/WebCore/loader/SubresourceLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.h
Log Message:
-----------
Cherry-pick 259548.186 at safari-7615-branch (1aa5ac3e3745). https://bugs.webkit.org/show_bug.cgi?id=252200
Use WeakPtr to track resources in SubresourceLoader
https://bugs.webkit.org/show_bug.cgi?id=252200
rdar://104908871
Reviewed by Chris Dumez.
CachedResource can get deallocated when the SubresourceLoader releases
its resources, in which case we'd be accessing a dangling pointer. This
change adopts WeakPtr for CachedResource so that we don't have a UAF.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didFinishLoading):
(WebCore::SubresourceLoader::didFail):
* Source/WebCore/loader/SubresourceLoader.h:
* Source/WebCore/loader/cache/CachedResource.h:
* Source/WebCore/loader/cache/CachedResourceLoader.h:
Canonical link: https://commits.webkit.org/259548.186@safari-7615-branch
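The two SubresourceLoader fixes above (clearing the raw pointer on release, then replacing it with a weak pointer) as an added example that is not WebKit's code. `std::weak_ptr` stands in for `WTF::WeakPtr`; both report whether the object is still alive without extending its lifetime. The `CachedResource` fields and the loader class names are assumptions for this illustration.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for CachedResource: owned by a cache, aliased by a loader.
struct CachedResource {
    std::string url;
    int finishedLoads = 0;
};

// Pre-fix shape: alongside its owning reference, the loader keeps a raw pointer
// (the "resource counter" role). releaseResources() drops the owning reference
// but leaves the raw pointer, so a later didFinishLoading() dereferences freed
// memory. Kept here for contrast only; nothing calls its unsafe path.
class LoaderWithRawPointer {
    std::shared_ptr<CachedResource> m_resource;
    CachedResource* m_resourceCounter = nullptr;
public:
    explicit LoaderWithRawPointer(std::shared_ptr<CachedResource> r)
        : m_resource(std::move(r)), m_resourceCounter(m_resource.get()) {}
    void releaseResources() { m_resource.reset(); }                   // m_resourceCounter now dangles
    void didFinishLoading() { m_resourceCounter->finishedLoads++; }   // use-after-free after release
};

// Post-fix shape: the alias is a weak reference that reads as null once the
// resource is gone.
class LoaderWithWeakPointer {
    std::shared_ptr<CachedResource> m_resource;     // owning reference held while loading
    std::weak_ptr<CachedResource> m_resourceAlias;
public:
    explicit LoaderWithWeakPointer(std::shared_ptr<CachedResource> r)
        : m_resource(r), m_resourceAlias(r) {}
    void releaseResources() {
        m_resourceAlias.reset();   // first fix: clear the alias explicitly
        m_resource.reset();
    }
    // Returns false when the resource has been released instead of touching it.
    bool didFinishLoading() {
        if (auto resource = m_resourceAlias.lock()) {   // second fix: check liveness first
            resource->finishedLoads++;
            return true;
        }
        return false;
    }
};

// Scenario: the cache drops the resource while the loader still exists.
struct Scenario {
    bool finishedBeforeRelease;
    int loadsRecorded;
    bool finishedAfterRelease;
};

Scenario runWeakPointerScenario() {
    auto cache = std::make_shared<CachedResource>();
    cache->url = "https://example.test/script.js";   // constructed sample
    LoaderWithWeakPointer loader(cache);
    Scenario s{};
    s.finishedBeforeRelease = loader.didFinishLoading();   // resource alive: true
    s.loadsRecorded = cache->finishedLoads;                // 1
    loader.releaseResources();
    cache.reset();                                         // last owner gone: resource destroyed
    s.finishedAfterRelease = loader.didFinishLoading();    // alias expired: false, no access
    return s;
}
```

The order inside `releaseResources()` matters in the raw-pointer version too: clearing the alias before dropping the owning reference is the first commit; the weak pointer in the second commit removes the dependence on every release path remembering to do that.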
Commit: 963a147e58008460165312301d6650120686f87e
https://github.com/WebKit/WebKit/commit/963a147e58008460165312301d6650120686f87e
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebKit/Platform/Logging.h
M Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp
M Source/WebKit/UIProcess/mac/SecItemShimProxy.h
Log Message:
-----------
Cherry-pick 259548.192 at safari-7615-branch (da35f298761e). https://bugs.webkit.org/show_bug.cgi?id=252276
Do IPC hardening in SecItemShimProxy::secItemRequest()
https://bugs.webkit.org/show_bug.cgi?id=252276
rdar://104253249
Reviewed by Alex Christensen and Geoffrey Garen.
Make sure the dictionaries that SecItemShimProxy::secItemRequest() receives
over IPC do not contain the kSecValueRef & kSecUseItemList keys. Those are
used to pass "in-memory" objects, which wouldn't work over IPC. We don't use
those keys but a compromised sending process could craft a dictionary with
these that could cause trouble when passed to the Keychain API.
* Source/WebKit/Platform/Logging.h:
* Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp:
(WebKit::dictionaryContainsInMemoryObject):
(WebKit::SecItemShimProxy::secItemRequest):
Canonical link: https://commits.webkit.org/259548.192@safari-7615-branch
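The hardening described above as an added example that is not WebKit's code: reject any keychain query received over IPC that carries keys whose values are live in-process objects. The dictionary type below is a constructed stand-in for a CFDictionary (this example does not link against Security.framework, so `kSecValueRef` and `kSecUseItemList` appear as plain strings), and it goes one step beyond the commit by descending into nested dictionaries and arrays as well as checking the top level.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for the CFDictionary that arrives over IPC. Keys are
// strings; a value is a string, a byte blob, a nested dictionary or an array.
struct Dict;
struct Value {
    enum class Kind { String, Bytes, Dictionary, Array };
    Kind kind = Kind::String;
    std::string str;
    std::vector<unsigned char> bytes;
    std::shared_ptr<Dict> dict;   // set when kind == Dictionary
    std::vector<Value> array;     // set when kind == Array
};
struct Dict {
    std::map<std::string, Value> entries;
};

Value stringValue(const std::string& s) { Value v; v.kind = Value::Kind::String; v.str = s; return v; }
Value bytesValue(std::vector<unsigned char> b) { Value v; v.kind = Value::Kind::Bytes; v.bytes = std::move(b); return v; }
Value dictValue(std::shared_ptr<Dict> d) { Value v; v.kind = Value::Kind::Dictionary; v.dict = std::move(d); return v; }
Value arrayValue(std::vector<Value> a) { Value v; v.kind = Value::Kind::Array; v.array = std::move(a); return v; }

// Keys whose values are live in-process objects (a CFTypeRef, an array of
// keychain item refs). They cannot be meaningfully serialized across IPC, so
// their presence means the sender is malformed or compromised.
static const char* const kForbiddenKeys[] = { "kSecValueRef", "kSecUseItemList" };

bool dictionaryContainsInMemoryObject(const Dict& dict);

static bool valueContainsInMemoryObject(const Value& value) {
    switch (value.kind) {
    case Value::Kind::Dictionary:
        return value.dict && dictionaryContainsInMemoryObject(*value.dict);
    case Value::Kind::Array:
        for (const Value& item : value.array)
            if (valueContainsInMemoryObject(item))
                return true;
        return false;
    default:
        return false;
    }
}

// Descends into nested containers, which is stricter than a top-level-only check.
bool dictionaryContainsInMemoryObject(const Dict& dict) {
    for (const auto& entry : dict.entries) {
        for (const char* forbidden : kForbiddenKeys)
            if (entry.first == forbidden)
                return true;
        if (valueContainsInMemoryObject(entry.second))
            return true;
    }
    return false;
}

enum class RequestResult { Rejected, Forwarded };

// Shape of the hardened entry point: validate before the query reaches the
// keychain API. The keychain call itself is replaced by copying the query out.
RequestResult secItemRequest(const Dict& query, Dict& forwardedOut) {
    if (dictionaryContainsInMemoryObject(query))
        return RequestResult::Rejected;   // WebKit logs and fails the message here
    forwardedOut = query;
    return RequestResult::Forwarded;
}

// Constructed sample queries.
Dict benignQuery() {
    Dict d;
    d.entries["kSecClass"] = stringValue("kSecClassGenericPassword");
    d.entries["kSecAttrService"] = stringValue("example.service");
    return d;
}
Dict craftedQuery() {
    Dict d = benignQuery();
    d.entries["kSecValueRef"] = bytesValue({0x41, 0x41, 0x41, 0x41});   // forged "object reference"
    return d;
}
Dict nestedCraftedQuery() {
    auto inner = std::make_shared<Dict>();
    inner->entries["kSecUseItemList"] = arrayValue({});
    Dict d = benignQuery();
    d.entries["kSecMatchItemList"] = arrayValue({ dictValue(inner) });
    return d;
}
bool benignQueryForwarded() { Dict out; return secItemRequest(benignQuery(), out) == RequestResult::Forwarded && out.entries.size() == 2; }
bool craftedQueryRejected() { Dict out; return secItemRequest(craftedQuery(), out) == RequestResult::Rejected && out.entries.empty(); }
```

The validation runs in the receiving (UI) process on a copy it owns, before anything is handed to the keychain API; an allow-list of the keys the shim actually needs would be stricter still, but a deny-list of the in-memory-object keys is what the commit describes.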
Commit: 97f2c04aa4ec06a71a43a225358b3cff88f93631
https://github.com/WebKit/WebKit/commit/97f2c04aa4ec06a71a43a225358b3cff88f93631
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt
A LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick 259548.204 at safari-7615-branch (e110042815de). https://bugs.webkit.org/show_bug.cgi?id=252426
Nullptr crash in DateTimeFieldElement::isFocusable()
https://bugs.webkit.org/show_bug.cgi?id=252426
rdar://105383909
Reviewed by Aditya Keerthi and Wenson Hsieh.
The bug was caused by FocusController calling isFocusable() on a disconnected element of
the shadow tree of an input element after the blur event handler had changed the input type.
Fixed the crash by checking the connectedness early and bailing out if it's disconnected.
* LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt: Added.
* LayoutTests/fast/dom/focus-dialog-blur-input-type-change-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::setFocusedElement):
Canonical link: https://commits.webkit.org/259548.204@safari-7615-branch
Commit: 618c36903bacbf3983a34354eaabe4bc4ab5a252
https://github.com/WebKit/WebKit/commit/618c36903bacbf3983a34354eaabe4bc4ab5a252
Author: Eric Carlson <eric.carlson at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/ipc/wait-for-video-output-will-change-expected.txt
A LayoutTests/ipc/wait-for-video-output-will-change.html
M Source/WebCore/html/HTMLVideoElement.cpp
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.h
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.messages.in
Log Message:
-----------
Cherry-pick 259548.221 at safari-7615-branch (31f1a2d977a5). https://bugs.webkit.org/show_bug.cgi?id=252502
Crash in MediaPlayerPrivateAVFoundationObjC::waitForVideoOutputMediaDataWillChange
https://bugs.webkit.org/show_bug.cgi?id=252502
rdar://105448724
Reviewed by Chris Dumez.
If MediaPlayerPrivateAVFoundationObjC::waitForVideoOutputMediaDataWillChange doesn’t have
a video frame, it spins the runloop for up to one second waiting for AVFoundation to
generate one. If the page is reloaded while the runloop is spinning, the player may
have been deleted by the time waitForVideoOutputMediaDataWillChange resumes. Make
RemoteMediaPlayerManagerProxy refcounted and have it hold a self reference when calling
player methods that can call waitForVideoOutputMediaDataWillChange.
* LayoutTests/ipc/wait-for-video-output-will-change-expected.txt: Added.
* LayoutTests/ipc/wait-for-video-output-will-change.html: Added.
* Source/WebCore/html/HTMLVideoElement.cpp:
(WebCore::HTMLVideoElement::colorSpace const): Cleanup syntax.
(WebCore::HTMLVideoElement::nativeImageForCurrentTime): Hold a player ref while calling
nativeImageForCurrentTime.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp:
(WebKit::RemoteMediaPlayerManagerProxy::createMediaPlayer): Store a proxy Ref instead of a
UniquePtr in the map.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp:
(WebKit::RemoteMediaPlayerProxy::create): New.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.messages.in: Now ref counted.
Canonical link: https://commits.webkit.org/259548.221@safari-7615-branch
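The lifetime problem in the media-player commit above (and the same shape in the Style::Scope timer fix earlier in this batch) as an added example that is not WebKit's code: a method spins the run loop, something on that run loop removes the object's only owner, and the method then touches its own freed state. The hardened form takes a strong self-reference for the duration of the call; `std::enable_shared_from_this` stands in for WebKit's `Ref protectedThis { *this }` idiom, and the `PlayerProxy`/`PlayerManager` names and fields are assumptions.

```cpp
#include <cstddef>
#include <functional>
#include <map>
#include <memory>

// Constructed stand-in for RemoteMediaPlayerProxy: owned only by a manager's map.
class PlayerProxy : public std::enable_shared_from_this<PlayerProxy> {
public:
    int framesProduced = 0;

    // Simulates waitForVideoOutputMediaDataWillChange(): "spins the run loop"
    // (here: runs a callback) before reading its own state. If the callback
    // destroys this object, the read after it is a use-after-free.
    // Kept for contrast; nothing below calls it.
    int waitForFrameUnprotected(const std::function<void()>& spinRunLoop) {
        spinRunLoop();
        return ++framesProduced;   // may execute on freed memory
    }

    // Hardened form: hold a strong reference across the call so a reentrant
    // removal from the manager cannot destroy us mid-method. The object is
    // released after the return value has been computed.
    int waitForFrameProtected(const std::function<void()>& spinRunLoop) {
        auto protectedThis = shared_from_this();   // WebKit: Ref protectedThis { *this }
        spinRunLoop();
        return ++framesProduced;
    }
};

class PlayerManager {
    std::map<int, std::shared_ptr<PlayerProxy>> m_players;   // a Ref in the map, not a UniquePtr
public:
    PlayerProxy& create(int id) {
        auto p = std::make_shared<PlayerProxy>();
        m_players[id] = p;
        return *p;
    }
    void remove(int id) { m_players.erase(id); }   // what a page reload does
    bool has(int id) const { return m_players.count(id) != 0; }
    std::size_t size() const { return m_players.size(); }
};

struct Outcome {
    int frame;
    bool playerStillInMap;
    bool playerStillAlive;
};

// A reload arrives while the player is waiting: the manager drops its only
// reference from inside the spun run loop.
Outcome reloadDuringWait() {
    PlayerManager manager;
    PlayerProxy& player = manager.create(7);
    std::weak_ptr<PlayerProxy> watcher = player.shared_from_this();   // observe lifetime only
    Outcome o{};
    o.frame = player.waitForFrameProtected([&] { manager.remove(7); });
    o.playerStillInMap = manager.has(7);           // false: removed during the wait
    o.playerStillAlive = !watcher.expired();       // false: destroyed once protectedThis went away
    return o;
}
```

The point is where the strong reference lives: the manager's map going from `UniquePtr` to a `Ref` is what makes it possible for the method (or its caller) to hold a second reference at all, and that reference is what keeps `framesProduced` valid after the run loop returns.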
Commit: dcdef92f9af2cdf3c6c935461124400c330592e2
https://github.com/WebKit/WebKit/commit/dcdef92f9af2cdf3c6c935461124400c330592e2
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/fast/rendering/render-tree-as-text-uaf-expected.txt
A LayoutTests/fast/rendering/render-tree-as-text-uaf.html
M Source/WebCore/rendering/RenderTreeAsText.cpp
Log Message:
-----------
Cherry-pick 259548.232 at safari-7615-branch (2009557bee01). https://bugs.webkit.org/show_bug.cgi?id=252580
Fix UAF in RenderTreeAsText for RenderWidget
https://bugs.webkit.org/show_bug.cgi?id=252580
rdar://105545826
Reviewed by Ryan Haddad and Darin Adler.
In write(), a call to view.layoutContext().layout() can result in the
deletion of the RenderWidget object, which results in a UAF. This change
fixes that by removing the call to layout, as that is already done for
the full frame tree from externalRepresentation.
* LayoutTests/fast/rendering/render-tree-as-text-uaf-expected.txt: Added.
* LayoutTests/fast/rendering/render-tree-as-text-uaf.html: Added.
* Source/WebCore/rendering/RenderTreeAsText.cpp:
(WebCore::write):
(WebCore::externalRepresentation):
Canonical link: https://commits.webkit.org/259548.232@safari-7615-branch
Commit: 1c1cec3e742615d58e4d4e1b007dea6a5118ce38
https://github.com/WebKit/WebKit/commit/1c1cec3e742615d58e4d4e1b007dea6a5118ce38
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A JSTests/stress/loaded-argument-conflict-with-new-argument.js
M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
Log Message:
-----------
Cherry-pick 259548.261 at safari-7615-branch (89f337538ec6). https://bugs.webkit.org/show_bug.cgi?id=252787
[JSC] Loaded argument can conflict with newly defined argument in arguments elimination phase
https://bugs.webkit.org/show_bug.cgi?id=252787
rdar://105671461
Reviewed by Mark Lam and Ryan Haddad.
We now correctly analyze interference between eliminated arguments and newly created arguments.
But this interference is analyzed based on the state *just before executing Node's effect*.
For example, LoadVarargs elimination can get stackslots and put stackslots. And these stackslots
can interfere if stackslots are alive and not-interfered when LoadVarargs starts.
@a: CreateDirectArguments (loc0, loc1, loc2)
...
LoadVarargs @a, (loc2, loc3, loc4)
Load @a content, and define loc2, loc3, loc4 stackslots.
We check whether LoadVarargs itself is not interfering with the candidate's slots. This is because
LoadVarargs can be lowered to the sequence of PutStacks and we may OSR exit in the middle of these
PutStacks. So we would like to ensure that these PutStacks are not interfering with the candidate
nodes. We need this check only for LoadVarargs since it is the only node which can be lowered to
PutStacks in this phase.
And let's run storeArgumentCountIncludingThis at last since this is not included in interference analysis
since it is putting a constant.
* JSTests/stress/loaded-argument-conflict-with-new-argument.js: Added.
(foo):
(bar):
(baz):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
Canonical link: https://commits.webkit.org/259548.261@safari-7615-branch
Commit: db99b3e857dee59cd3fa681d0a03ee37b7cb101b
https://github.com/WebKit/WebKit/commit/db99b3e857dee59cd3fa681d0a03ee37b7cb101b
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/editing/selection/redo-selection-restore-different-document-crash-expected.txt
A LayoutTests/editing/selection/redo-selection-restore-different-document-crash.html
M Source/WebCore/editing/Editor.cpp
M Source/WebCore/editing/VisibleSelection.cpp
Log Message:
-----------
Cherry-pick 259548.273 at safari-7615-branch (0501c9fc905e). https://bugs.webkit.org/show_bug.cgi?id=252785
Assertion failure in ContainerNode::removeAllChildrenWithScriptAssertion
https://bugs.webkit.org/show_bug.cgi?id=252785
rdar://105643144
Reviewed by Chris Dumez and Geoffrey Garen.
The bug was caused by Editor::changeSelectionAfterCommand setting selection pointing to a wrong document.
Fixed the bug by detecting this case and exiting early.
* LayoutTests/editing/selection/redo-selection-restore-different-document-crash-expected.txt: Added.
* LayoutTests/editing/selection/redo-selection-restore-different-document-crash.html: Added.
* Source/WebCore/editing/Editor.cpp:
(WebCore::Editor::changeSelectionAfterCommand):
* Source/WebCore/editing/VisibleSelection.cpp:
(WebCore::VisibleSelection::document const): Now returns the document of m_anchor when base is null but anchor isn't.
Canonical link: https://commits.webkit.org/259548.273@safari-7615-branch
Commit: 078e71c3aacdc001a7e218c033b7c7054e84c201
https://github.com/WebKit/WebKit/commit/078e71c3aacdc001a7e218c033b7c7054e84c201
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
M Source/JavaScriptCore/dfg/DFGAvailabilityMap.h
M Source/JavaScriptCore/dfg/DFGForAllKills.h
Log Message:
-----------
Cherry-pick 259548.275 at safari-7615-branch (b022d8caf560). https://bugs.webkit.org/show_bug.cgi?id=252798
[JSC] Restore liveness based interference analysis too
https://bugs.webkit.org/show_bug.cgi?id=252798
rdar://problem/105818549
Reviewed by Ryan Haddad and Michael Saboff.
This is partial revert of https://commits.webkit.org/259548.47@safari-7615-branch.
While the above change fixed the global interference problem, we have a problem.
1. We would like to check interference on all the live place since OSR exit may need to restore
phantomized candidate nodes.
2. If PutStack / GetStack happens in the basic block and the stack state gets incorrect in the
middle of basic block, we cannot know.
loc0 => @b
PutStack loc0 @a
...
OSR exit
...
PutStack loc0 @b
...
loc0 => @b
So we partially revert the change in https://commits.webkit.org/259548.47@safari-7615-branch,
1. First collect all stack modification. And record which part of stack is modified for each basic block unit.
2. Then, for each basic block
2.1. If this basic block does not have stack modification, then just check availability for live candidates at this
block's head. Since this basic block does not have stack modification, this basic block itself never incurs interference.
The only thing we need to check is whether the live nodes are now already clobbered in terms of availability because the
successors modified the stack.
2.2. If this basic block does stack modification, let's take live candidates at the tail of basic block and check whether
the basic block is clobbering this candidate's relying stack. If so, remove it from candidate.
2.3. For each newly killed DFG node at a node-index in this basic block, check (2.2)'s stack modification and remove it
from candidate if its stack is modified.
This added part is effectively the code removed in https://commits.webkit.org/259548.47@safari-7615-branch (so, existing code before).
Compared to the old behavior, 2.1 is added newly to cover inter-block handling.
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGAvailabilityMap.h:
(JSC::DFG::AvailabilityMap::forEachAvailability const):
(JSC::DFG::AvailabilityMap::closeOverNodes const):
(JSC::DFG::AvailabilityMap::closeStartingWithLocal const):
(JSC::DFG::AvailabilityMap::forEachAvailability): Deleted.
(JSC::DFG::AvailabilityMap::closeOverNodes): Deleted.
(JSC::DFG::AvailabilityMap::closeStartingWithLocal): Deleted.
Canonical link: https://commits.webkit.org/259548.275@safari-7615-branch
Commit: 7662f7578fda4b8af54f647f358b50e1e745068d
https://github.com/WebKit/WebKit/commit/7662f7578fda4b8af54f647f358b50e1e745068d
Author: Myles C. Maxfield <mmaxfield at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebCore/css/CSSFontSelector.h
M Source/WebCore/rendering/svg/RenderSVGInlineText.cpp
M Source/WebCore/rendering/svg/RenderSVGText.cpp
M Source/WebCore/rendering/svg/RenderSVGText.h
M Source/WebCore/svg/SVGFontFaceElement.cpp
Log Message:
-----------
Cherry-pick 259548.279 at safari-7615-branch (41f425bc0ef8). https://bugs.webkit.org/show_bug.cgi?id=249434
Crash in SVGFontFaceElement::associatedFontElement crash when removing SVGFontFaceElement
https://bugs.webkit.org/show_bug.cgi?id=249434
<rdar://problem/103420468>
Reviewed by Said Abou-Hallawa.
Port of Blink commit https://src.chromium.org/viewvc/blink?revision=167993&view=revision.
The Blink commit message is:
> Fix crash in SVGFontFaceElement::associatedFontElement crash when removing SVGFontFaceElement.
>
> (1) We need to remove its font-face rule from FontCache when removing SVGFontFaceElement,
>
> (2) We should not use old styles in RenderSVGInlineText::styleDidChange.
> Since styleRecalc is done in document-order, we cannot see any styles of next renderer
> (obtained by nextInPreOrder).
> The old styles might have old fonts which are created by SVGFontFaceElement.
* Source/WebCore/css/CSSFontFaceSet.cpp:
(WebCore::CSSFontFaceSet::remove):
* Source/WebCore/css/CSSFontFaceSet.h:
* Source/WebCore/css/CSSFontSelector.h:
* Source/WebCore/rendering/svg/RenderSVGInlineText.cpp:
(WebCore::RenderSVGInlineText::styleDidChange):
* Source/WebCore/rendering/svg/RenderSVGText.cpp:
(WebCore::RenderSVGText::subtreeStyleDidChange):
(WebCore::RenderSVGText::layout):
* Source/WebCore/rendering/svg/RenderSVGText.h:
* Source/WebCore/svg/SVGFontFaceElement.cpp:
(WebCore::SVGFontFaceElement::removedFromAncestor):
Canonical link: https://commits.webkit.org/259548.279@safari-7615-branch
Commit: 83628bf28e17ea7db5c7bf959b2af705b5bfdf64
https://github.com/WebKit/WebKit/commit/83628bf28e17ea7db5c7bf959b2af705b5bfdf64
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/encodeframe_utils.c
Log Message:
-----------
Cherry-pick 259548.317 at safari-7615-branch (92bb5fbd72e5). https://bugs.webkit.org/show_bug.cgi?id=253015
Cherry-pick aom 3154860bdbe978da9271ba55eea60973b0be06b5
https://bugs.webkit.org/show_bug.cgi?id=253015
rdar://105507028
Reviewed by Geoffrey Garen.
Cherry-pick patch from upstream.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/encodeframe_utils.c:
(av1_source_content_sb):
Canonical link: https://commits.webkit.org/259548.317@safari-7615-branch
Commit: 477353f734442d6d3a24494189e59773bc37a0c0
https://github.com/WebKit/WebKit/commit/477353f734442d6d3a24494189e59773bc37a0c0
Author: Matt Woodrow <mattwoodrow at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebCore/html/OffscreenCanvas.cpp
Log Message:
-----------
Cherry-pick 259548.355 at safari-7615.2.1-branch (630b1e2aa50f). https://bugs.webkit.org/show_bug.cgi?id=253267
Disable main-thread WebGL in OffscreenCanvas.
https://bugs.webkit.org/show_bug.cgi?id=253267
<rdar://105684718>
Reviewed by Simon Fraser.
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::shouldEnableWebGL):
Canonical link: https://commits.webkit.org/259548.355@safari-7615-branch
Commit: 6faff0ca6ca13c64a5f1a4f4c9d3171985878050
https://github.com/WebKit/WebKit/commit/6faff0ca6ca13c64a5f1a4f4c9d3171985878050
Author: Matt Woodrow <mattwoodrow at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/fast/canvas/offscreen-disabled-construct3-quirk-expected.txt
A LayoutTests/fast/canvas/offscreen-disabled-construct3-quirk.html
M Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
Log Message:
-----------
Cherry-pick 259548.408 at safari-7615.2.1-branch (0489426718c9). https://bugs.webkit.org/show_bug.cgi?id=253431
OffscreenCanvas support without WebGL breaks Construct 3 content.
https://bugs.webkit.org/show_bug.cgi?id=253431
<rdar://106341361>
Reviewed by Chris Dumez.
Construct 3 is testing for the presence of OffscreenCanvas on the main thread, and then assumes
that a WebGL context will be able to be constructed from it.
We've only enabled Canvas2D on OffscreenCanvas currently, so detect this library and disable
OffscreenCanvas entirely.
* LayoutTests/fast/canvas/offscreen-disabled-construct3-quirk-expected.txt: Added.
* LayoutTests/fast/canvas/offscreen-disabled-construct3-quirk.html: Added.
* Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):
Canonical link: https://commits.webkit.org/259548.408@safari-7615-branch
Commit: 045ad7f69abb31bc27d592e7209d77ae1e2cc3a0
https://github.com/WebKit/WebKit/commit/045ad7f69abb31bc27d592e7209d77ae1e2cc3a0
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
A LayoutTests/accessibility/changing-aria-hidden-with-display-none-parent-expected.txt
A LayoutTests/accessibility/changing-aria-hidden-with-display-none-parent.html
A LayoutTests/platform/ios-simulator/accessibility/changing-aria-hidden-with-display-none-parent-expected.txt
M LayoutTests/platform/ios/TestExpectations
M Source/WebCore/accessibility/AXObjectCache.cpp
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
Cherry-pick 259548.387 at safari-7615.2.1-branch (dd026e944caa). rdar://problem/106557770
Improve Ref / RefPtr hygiene in AXObjectCache::handleAttributeChange and AccessibilityNodeObject::textUnderElement
rdar://problem/106557770
Reviewed by Chris Fleizach.
Bring these two functions in line with the WebKit smart pointer style
guide (https://github.com/WebKit/WebKit/wiki/Smart-Pointer-Usage-Guidelines) by
reference counting AccessibilityObjects before passing them into non-trivial functions.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::handleAttributeChange):
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::textUnderElement const):
* LayoutTests/platform/ios/TestExpectations:
Mark new test as passing.
* LayoutTests/accessibility/changing-aria-hidden-with-display-none-parent-expected.txt: Added.
* LayoutTests/accessibility/changing-aria-hidden-with-display-none-parent.html: Added.
* LayoutTests/platform/ios-simulator/accessibility/changing-aria-hidden-with-display-none-parent-expected.txt: Added.
Canonical link: https://commits.webkit.org/259548.387@safari-7615-branch
Commit: 3ed1c303301e1ed06190297ffeb4953031b76fed
https://github.com/WebKit/WebKit/commit/3ed1c303301e1ed06190297ffeb4953031b76fed
Author: Vitaly Dyachkov <vitaly at igalia.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp
Log Message:
-----------
Cherry-pick 262572 at main (42d171124def). https://bugs.webkit.org/show_bug.cgi?id=254917
[WPE][Debug] ASSERTION FAILED: !m_compositingAccordingToProxyMessages
https://bugs.webkit.org/show_bug.cgi?id=254917
Reviewed by Žan Doberšek.
Since 262317 at main, we send EnterAcceleratedCompositingMode as soon as
the web process enters accelerated compositing mode. We must not send it
again after the backing store update.
* Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:
(WebKit::DrawingAreaCoordinatedGraphics::layerHostDidFlushLayers):
Canonical link: https://commits.webkit.org/262572@main
Commit: 7d607ad72fcbba123200f3f4c308ae2f78ecb256
https://github.com/WebKit/WebKit/commit/7d607ad72fcbba123200f3f4c308ae2f78ecb256
Author: Kai Kang <kai.kang at windriver.com>
Date: 2023-04-04 (Tue, 04 Apr 2023)
Changed paths:
M Source/cmake/FindLibGcrypt.cmake
Log Message:
-----------
Cherry-pick 262568 at main (2bbc81a78b68). https://bugs.webkit.org/show_bug.cgi?id=254402
PC_GCRYPT_FOUND should be checked in FindLibGcrypt.cmake
https://bugs.webkit.org/show_bug.cgi?id=254402
Reviewed by Adrian Perez de Castro.
After `pkg_check_modules(PC_GCRYPT QUIET libgcrypt)` in
FindLibGcrypt.cmake, PC_GCRYPT_FOUND will be set but PC_GCRYPT is kept
empty. So check PC_GCRYPT_FOUND instead.
* Source/cmake/FindLibGcrypt.cmake:
Canonical link: https://commits.webkit.org/262568@main
Compare: https://github.com/WebKit/WebKit/compare/3cddc44be344...7d607ad72fcb