[webkit-changes] [WebKit/WebKit] 8a1997: [JSC] PropertyCondition::isStillValidAssumingImpur...

Arunsundar Kannan noreply at github.com
Fri Aug 4 08:39:08 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a1997806028a9b1490488a6503a238dca0239ff
      https://github.com/WebKit/WebKit/commit/8a1997806028a9b1490488a6503a238dca0239ff
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

  Log Message:
  -----------
  [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take non-reified static properties into account
https://bugs.webkit.org/show_bug.cgi?id=255952
<rdar://108334411>

Reviewed by Yusuke Suzuki.

Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the
structure's non-reified static properties against the condition. This can lead to incorrect analysis
of side effects: AbsenceOfSetEffect condition with a non-reified static setter is considered pure
even though a setter with arbitrary code can be invoked.

This patch fixes the AbsenceOfSetEffect validity check for structures with non-reified static properties
while taking extra care to make the fix as precise as possible to avoid unnecessary slowdowns.

* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):

Originally-landed-as: 259548.775 at safari-7615-branch (ffe32d106cb2). rdar://113160398
Canonical link: https://commits.webkit.org/266582@main


  Commit: e4c0a68634713df2f29808131c7dca900a3dc7e7
      https://github.com/WebKit/WebKit/commit/e4c0a68634713df2f29808131c7dca900a3dc7e7
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/platform/cocoa/SharedVideoFrameInfo.h
    M Source/WebCore/platform/cocoa/SharedVideoFrameInfo.mm

  Log Message:
  -----------
  [GPUP][CoreIPC] Integer overflow in SharedVideoFrameInfo::storageSize leading to OOB read
rdar://107023292

Reviewed by Eric Carlson.

Compute with safeMultiply/safeAdd the total size of the frame.
If there is an overflow, we now fail the decoding of SharedVideoFrameInfo.
We store the size of the frame in SharedVideoFrameInfo to not recompute it a second time.

Covered by provided IPC test.

* LayoutTests/ipc/shared-video-frame-size-expected.txt: Added.
* LayoutTests/ipc/shared-video-frame-size.html: Added.
* LayoutTests/platform/mac-wk1/TestExpectations:
* Source/WebCore/platform/cocoa/SharedVideoFrameInfo.h:
* Source/WebCore/platform/cocoa/SharedVideoFrameInfo.mm:
(WebCore::SharedVideoFrameInfo::storageSize const):
(WebCore::SharedVideoFrameInfo::decode):

Originally-landed-as: 259548.590 at safari-7615-branch (dd4ad7b0b286). rdar://113166244
Canonical link: https://commits.webkit.org/266583@main
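The overflow-checked size computation described in the commit message above, as an added illustration that is not WebKit's code: the FrameLayout struct, its field names and the two helper functions are stand-ins written here (WTF's own safeMultiply/safeAdd are not used), and the frame values in the comments are constructed.

```cpp
#include <cstddef>
#include <limits>
#include <optional>

// Plane layout of a bi-planar frame as received over IPC; the struct and field
// names are hypothetical stand-ins for the untrusted values the decoder reads.
struct FrameLayout {
    std::size_t height;
    std::size_t bytesPerRowPlane0;
    std::size_t bytesPerRowPlane1;   // chroma plane, half the rows of plane 0
    std::size_t headerSize;
};

// Overflow-checked arithmetic in the spirit of the safeMultiply/safeAdd helpers
// the commit message names (re-implemented here, not WebKit's code): return
// false instead of wrapping when the result does not fit in size_t.
static bool safeMultiply(std::size_t a, std::size_t b, std::size_t& out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a)
        return false;
    out = a * b;
    return true;
}
static bool safeAdd(std::size_t a, std::size_t b, std::size_t& out) {
    if (b > std::numeric_limits<std::size_t>::max() - a)
        return false;
    out = a + b;
    return true;
}

// Unchecked version: silently wraps, so a crafted layout yields a total far
// smaller than the bytes later read from the buffer (the OOB read being fixed).
std::size_t storageSizeUnchecked(const FrameLayout& f) {
    return f.headerSize + f.bytesPerRowPlane0 * f.height
         + f.bytesPerRowPlane1 * (f.height / 2);
}

// Checked version: any intermediate overflow makes decoding fail (nullopt)
// instead of producing a wrapped size. Constructed 1920x1080 input gives
// 64 + 1920*1080 + 1920*540 = 3110464 from both versions; a layout whose
// height is half of SIZE_MAX+1 with two bytes per row wraps to 64 unchecked.
std::optional<std::size_t> storageSizeChecked(const FrameLayout& f) {
    std::size_t plane0 = 0, plane1 = 0, total = 0;
    if (!safeMultiply(f.bytesPerRowPlane0, f.height, plane0)) return std::nullopt;
    if (!safeMultiply(f.bytesPerRowPlane1, f.height / 2, plane1)) return std::nullopt;
    if (!safeAdd(f.headerSize, plane0, total)) return std::nullopt;
    if (!safeAdd(total, plane1, total)) return std::nullopt;
    return total;
}
```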


  Commit: 549d44e287b72e8ef61a07b54494990d8528307e
      https://github.com/WebKit/WebKit/commit/549d44e287b72e8ef61a07b54494990d8528307e
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt
    A LayoutTests/fullscreen/exit-full-screen-video-crash.html
    A LayoutTests/platform/gtk/fullscreen/exit-full-screen-video-crash-expected.txt
    M Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm

  Log Message:
  -----------
  Fix crash when HTMLMediaElement::exitFullscreen is called on a video
element which is not currently full screen
https://bugs.webkit.org/show_bug.cgi?id=255970
rdar://108489504

Reviewed by Jer Noble.

This change fixes an issue where exitFullScreen is called on a video, but
the current full screen element is a div, due to which we end up
scheduling the webkitendfullscreenEvent event for the video, which trips
over an assertion.

* LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt: Added.
* LayoutTests/fullscreen/exit-full-screen-video-crash.html: Added.
* Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm:
(WebKit::VideoFullscreenManager::exitVideoFullscreenForVideoElement):
(WebKit::VideoFullscreenManager::exitVideoFullscreenToModeWithoutAnimation):

Originally-landed-as: 259548.703 at safari-7615-branch (0ffc79d64999). rdar://113167859
Canonical link: https://commits.webkit.org/266584@main


  Commit: 067d7d9bd14860f25f32e8334c8c6b0898b08979
      https://github.com/WebKit/WebKit/commit/067d7d9bd14860f25f32e8334c8c6b0898b08979
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html

  Log Message:
  -----------
  Fix type confusion in BuilderConverter::applyValueContent.
https://bugs.webkit.org/show_bug.cgi?id=255955
rdar://108499561

Reviewed by Antti Koivisto.

This change fixes applyValueContent so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderCustom.h:
  (WebCore::Style::BuilderCustom::applyValueContent):

Originally-landed-as: 259548.730 at safari-7615-branch (c123784dc828). rdar://113168576
Canonical link: https://commits.webkit.org/266585@main


  Commit: 6e63c9facca092bb4e3d0ab86014b6767925c6b8
      https://github.com/WebKit/WebKit/commit/6e63c9facca092bb4e3d0ab86014b6767925c6b8
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
    M Source/WebCore/page/LocalDOMWindow.h

  Log Message:
  -----------
  Handle potential overflow of gamepadEventListenerCount.
https://bugs.webkit.org/show_bug.cgi?id=256205
rdar://80838189

Reviewed by Ryosuke Niwa.

m_gamepadEventListenerCount can overflow if addEventListener() is called UINT_MAX+1 times.
Once the window is freed, we will be left with a dangling pointer in the GamepadManager.
This change adds a flag to check for overflow and keep the behavior the same in the event of overflow.

* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::~DOMWindow):
(WebCore::DOMWindow::incrementGamepadEventListenerCount):
(WebCore::DOMWindow::decrementGamepadEventListenerCount):
* Source/WebCore/page/DOMWindow.h:

Originally-landed-as: 259548.729 at safari-7615-branch (5cc2ead4986a). rdar://113169820
Canonical link: https://commits.webkit.org/266586@main
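One way to model the overflow flag the commit message above describes, as an added example that is not WebCore's code: the GamepadListenerCounter class, its members and the registered()/overflowed() accessors are hypothetical, and the saturate-and-stay-registered policy is an assumption about how "keep the behavior the same" can be realised, not a description of the actual patch.

```cpp
#include <climits>

// Hypothetical model of a per-window gamepad listener counter (names are not
// WebCore's). The window registers with a manager when the count goes 0 -> 1
// and unregisters when it returns to 0; a wrap to 0 after UINT_MAX increments
// would make the window look unregistered while the manager still points at it.
class GamepadListenerCounter {
public:
    // `initial` exists only so the saturation path can be exercised in a test.
    explicit GamepadListenerCounter(unsigned initial = 0) : m_count(initial) {}

    // Returns true when the caller must register the window with the manager.
    bool increment() {
        if (m_count == UINT_MAX) {
            m_overflowed = true;   // saturate; remember the count is no longer exact
            return false;
        }
        return ++m_count == 1;
    }

    // Returns true when the caller must unregister the window. Once the counter
    // has overflowed it can no longer be trusted to reach zero, so the
    // registration is kept until the window is destroyed.
    bool decrement() {
        if (m_overflowed || m_count == 0)
            return false;
        return --m_count == 0;
    }

    // What the destructor must consult: is the window still registered?
    bool registered() const { return m_overflowed || m_count > 0; }
    bool overflowed() const { return m_overflowed; }
    unsigned count() const { return m_count; }

private:
    unsigned m_count;
    bool m_overflowed { false };
};
```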


Compare: https://github.com/WebKit/WebKit/compare/a41543cba4bf...6e63c9facca0
