[webkit-changes] [WebKit/WebKit] c12b24: Branch point for webkit-2022.12-embargoed
Rob Buis
noreply at github.com
Tue Apr 25 09:50:14 PDT 2023
Branch: refs/heads/webkit-2022.12-embargoed
Home: https://github.com/WebKit/WebKit
Commit: c12b24a039e42f65fde9a72cb9c2d4ec46f0c4ee
https://github.com/WebKit/WebKit/commit/c12b24a039e42f65fde9a72cb9c2d4ec46f0c4ee
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2022-11-18 (Fri, 18 Nov 2022)
Changed paths:
Log Message:
-----------
Branch point for webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/256843.1@webkit-2022.12-embargoed
Commit: 155bed7390009a843b69d83e18f31097c198f7d7
https://github.com/WebKit/WebKit/commit/155bed7390009a843b69d83e18f31097c198f7d7
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2022-12-05 (Mon, 05 Dec 2022)
Changed paths:
A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt
A LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html
M Source/WebCore/html/HTMLFrameOwnerElement.cpp
Log Message:
-----------
HTMLFrameOwnerElement: use Document::creationURL() for self-reference check
https://bugs.webkit.org/show_bug.cgi?id=248469
Reviewed by Darin Adler.
Document::url() can be changed through the History API, therefore it's not
a reliable source to verify whether a given URL is self-referencing. Use
creationURL instead, which is immutable.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified-expected.txt: Added.
* LayoutTests/http/tests/security/embedded-self-reference-after-url-modified.html: Added.
* Source/WebCore/html/HTMLFrameOwnerElement.cpp:
(WebCore::HTMLFrameOwnerElement::isProhibitedSelfReference const):
Canonical link: https://commits.webkit.org/256843.2@webkit-2022.12-embargoed
Commit: 1d7abcd180abe9c3164366f5b6c0fb86e69790b5
https://github.com/WebKit/WebKit/commit/1d7abcd180abe9c3164366f5b6c0fb86e69790b5
Author: Rob Buis <rbuis at igalia.com>
Date: 2022-12-08 (Thu, 08 Dec 2022)
Changed paths:
A LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt
A LayoutTests/fast/block/crash-empty-layoutStateStack.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Protect against empty layout state
https://bugs.webkit.org/show_bug.cgi?id=248771
Reviewed by Alan Baradlay.
Protect against empty layout state.
* LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt: Added.
* LayoutTests/fast/block/crash-empty-layoutStateStack.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::layoutPositionedObject):
(WebCore::RenderBlock::markForPaginationRelayoutIfNeeded):
Canonical link: https://commits.webkit.org/256843.3@webkit-2022.12-embargoed
Commit: 6234ec9c65b9f2d07fc59985ffba242fdd0da686
https://github.com/WebKit/WebKit/commit/6234ec9c65b9f2d07fc59985ffba242fdd0da686
Author: Rob Buis <rbuis at igalia.com>
Date: 2022-12-16 (Fri, 16 Dec 2022)
Changed paths:
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
M Source/WebCore/rendering/RenderLayerModelObject.cpp
Log Message:
-----------
Do not issue repaints when in detached state
https://bugs.webkit.org/show_bug.cgi?id=248773
Reviewed by Antti Koivisto.
Do not issue repaints when the RenderObject is in detached state while removing render subtrees.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
* Source/WebCore/rendering/RenderLayerModelObject.cpp:
(WebCore::RenderTableCell::willBeRemovedFromTree const):
Canonical link: https://commits.webkit.org/256843.4@webkit-2022.12-embargoed
Commit: 312254f5776dd16bde18cd4d99444d81a0c331d6
https://github.com/WebKit/WebKit/commit/312254f5776dd16bde18cd4d99444d81a0c331d6
Author: Rob Buis <rbuis at igalia.com>
Date: 2022-12-16 (Fri, 16 Dec 2022)
Changed paths:
A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
A LayoutTests/fast/css/content/quote-display-contents-crash.html
M Source/WebCore/dom/ContainerNode.cpp
M Source/WebCore/dom/Element.cpp
Log Message:
-----------
Check displayContentsChanged in destroyRenderTreeIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=248776
rdar://102807985
Reviewed by Antti Koivisto.
Check displayContentsChanged in destroyRenderTreeIfNeeded since
display: contents may be removed due to focus removal while
removing subtrees but we still need to clean up pseudo elements.
* LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
* LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
Canonical link: https://commits.webkit.org/256843.5@webkit-2022.12-embargoed
Commit: c4c0ef6360b2aa3fd32b1b9f6a5b6b5ccaa61a98
https://github.com/WebKit/WebKit/commit/c4c0ef6360b2aa3fd32b1b9f6a5b6b5ccaa61a98
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-12 (Thu, 12 Jan 2023)
Changed paths:
A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
Log Message:
-----------
Verify that style update roots are for correct document
https://bugs.webkit.org/show_bug.cgi?id=248775
Reviewed by Antti Koivisto.
Verify that style update roots are for the correct document since
we may be dealing with a pending update on an element/text node that
moved to another document.
* LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
* LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::commit):
Canonical link: https://commits.webkit.org/256843.6@webkit-2022.12-embargoed
Commit: 3b92d70ba3eada547a0ff60880424579179b0603
https://github.com/WebKit/WebKit/commit/3b92d70ba3eada547a0ff60880424579179b0603
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-20 (Fri, 20 Jan 2023)
Changed paths:
A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt
A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html
M Source/WebCore/rendering/RenderObject.cpp
M Source/WebCore/rendering/RenderObject.h
Log Message:
-----------
Do not skip fragmented flow thread descendants
https://bugs.webkit.org/show_bug.cgi?id=245374
rdar://98438399
Reviewed by Alan Baradlay.
Do not skip fragmented flow thread descendants in initializeFragmentedFlowStateOnInsertion
since its children may have a different state based on the inserted fragmented
flow thread. When a fragmented flow thread is removed there is no effect on the inner
fragmented flow threads so that behaviour is unchanged.
* LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt: Added.
* LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html: Added.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
(WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
* Source/WebCore/rendering/RenderObject.h:
Canonical link: https://commits.webkit.org/256843.7@webkit-2022.12-embargoed
Commit: fe2f16c1dabebbeb3002b1ff82fb6d3f5e1b2b8c
https://github.com/WebKit/WebKit/commit/fe2f16c1dabebbeb3002b1ff82fb6d3f5e1b2b8c
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html
A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html
M Source/WebCore/rendering/RenderLayer.cpp
Log Message:
-----------
Recalculate normal flow value in RenderLayer::establishesTopLayerDidChange
https://bugs.webkit.org/show_bug.cgi?id=251013
Reviewed by Tim Nguyen.
In RenderLayer::rebuildZOrderLists the RenderView layer makes sure the layers for dialogs/top-level elements are appended after
everything else in the positive z-order list. When removing the dialog layer, dirtyPaintOrderListsOnChildChange will be called
and since it is not a normal only flow everything will be handled correctly through dirtyStackingContextZOrderLists.
In the test case the behaviour is the same until dirtyPaintOrderListsOnChildChange is called on the dialog layer removal. Now that
layer to be removed *is* a normal only flow (the element is no longer positioned and has non-visible overflow, see
RenderLayer::shouldBeNormalFlowOnly). This means the positive z-order list is unchanged and the deleted layer is still part of it.
When the test cleanup code does a final repaint, the RenderView positive z-order list is processed as normal and when trying to
access the deleted layer the UAF happens.
To fix this, make sure the normal flow value is correct when adding the layer in RenderLayer::establishesTopLayerDidChange.
* LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html: Added.
* LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html: Added.
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::establishesTopLayerDidChange):
Canonical link: https://commits.webkit.org/256843.8@webkit-2022.12-embargoed
Commit: 4c3dcd480f7e28a4e1f6a8e275ffde0009461d96
https://github.com/WebKit/WebKit/commit/4c3dcd480f7e28a4e1f6a8e275ffde0009461d96
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-02-07 (Tue, 07 Feb 2023)
Changed paths:
A LayoutTests/fast/css/content/content-on-focus-change-expected.txt
A LayoutTests/fast/css/content/content-on-focus-change.html
Log Message:
-----------
Test display contents change on focus change
https://bugs.webkit.org/show_bug.cgi?id=251014
Reviewed by Tim Nguyen.
* LayoutTests/fast/css/content/content-on-focus-change-expected.txt: Added.
* LayoutTests/fast/css/content/content-on-focus-change.html: Added.
Canonical link: https://commits.webkit.org/256843.9@webkit-2022.12-embargoed
Commit: b7f9b7f4679b6f7e30b24a47d6071f2fb62a4aba
https://github.com/WebKit/WebKit/commit/b7f9b7f4679b6f7e30b24a47d6071f2fb62a4aba
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-02-08 (Wed, 08 Feb 2023)
Changed paths:
A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt
A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html
Log Message:
-----------
Add test for element's display contents change on sibling removal
https://bugs.webkit.org/show_bug.cgi?id=248772
Reviewed by Tim Nguyen.
This was already fixed with #248776, but add the test for completeness.
* LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt: Added.
* LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html: Added.
Canonical link: https://commits.webkit.org/256843.10@webkit-2022.12-embargoed
Commit: 7d616c4d06eb0783beafe355a90ed17bf9aacf6f
https://github.com/WebKit/WebKit/commit/7d616c4d06eb0783beafe355a90ed17bf9aacf6f
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-02-13 (Mon, 13 Feb 2023)
Changed paths:
A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt
A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html
Log Message:
-----------
Add crash test for disconnected frame switching to eager
https://bugs.webkit.org/show_bug.cgi?id=245377
Reviewed by Ryosuke Niwa.
Add crash test for disconnected frame switching to eager.
* LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt: Added.
* LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html: Added.
Canonical link: https://commits.webkit.org/256843.11@webkit-2022.12-embargoed
Compare: https://github.com/WebKit/WebKit/compare/c12b24a039e4%5E...7d616c4d06eb