[webkit-changes] [WebKit/WebKit] cfa076: Ensure CanvasBase remains alive while in use
Charlie Wolfe
noreply at github.com
Mon Aug 7 11:53:57 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cfa0760b282e1e9c22c371a7a1850e5413150084
https://github.com/WebKit/WebKit/commit/cfa0760b282e1e9c22c371a7a1850e5413150084
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2023-08-07 (Mon, 07 Aug 2023)
Changed paths:
M Source/WebCore/html/CanvasBase.h
M Source/WebCore/html/HTMLCanvasElement.h
M Source/WebCore/html/OffscreenCanvas.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/rendering/style/StyleCanvasImage.cpp
Log Message:
-----------
Ensure CanvasBase remains alive while in use
https://bugs.webkit.org/show_bug.cgi?id=257234
rdar://109540621
Reviewed by Chris Dumez.
An HTMLCanvasElement could be destroyed when it calls CanvasBase::setImageBuffer
because that call could trigger a GC. We've seen crashes originating from
HTMLCanvasElement::setImageBufferAndMarkDirty, but this patch adds protection
around other setImageBuffer call sites, as well.
* Source/WebCore/html/CanvasBase.h:
(WebCore::CanvasBase::ref):
(WebCore::CanvasBase::deref):
* Source/WebCore/html/HTMLCanvasElement.h:
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::create):
(WebCore::OffscreenCanvas::setPlaceholderCanvas):
(WebCore::OffscreenCanvas::pushBufferToPlaceholder):
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawImage):
* Source/WebCore/rendering/style/StyleCanvasImage.cpp:
(WebCore::StyleCanvasImage::image const):
Originally-landed-as: 259548.787@safari-7615-branch (88ed3825fa4e). rdar://113174107
Canonical link: https://commits.webkit.org/266647@main
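An added illustration (example code written for this note, not WebKit's CanvasBase or the patch above): a shared_ptr toy showing why a refcounted object must hold a reference to itself before calling out to code that can run GC, the protection this commit adds around setImageBuffer. The type ToyCanvas, the hook mayTriggerGC and the helper runScenario are assumptions standing in for the real classes.

```cpp
#include <functional>
#include <memory>

// Toy stand-in for CanvasBase: a shared_ptr-managed object whose setter calls out
// to code that may drop the last owning reference (the role GC plays in the bug).
struct ToyCanvas : std::enable_shared_from_this<ToyCanvas> {
    int imageBuffer = 0;
    bool markedDirty = false;
    std::function<void()> mayTriggerGC; // hypothetical hook modelling a GC run during the call

    // Returns true if the post-callback work ran on a live object, false if the
    // object was destroyed mid-call (where real code would touch freed memory).
    bool setImageBuffer(int buffer, bool protectSelf) {
        std::weak_ptr<ToyCanvas> observer = shared_from_this(); // watches our own lifetime
        std::shared_ptr<ToyCanvas> protectedThis;
        if (protectSelf)
            protectedThis = shared_from_this(); // the fix: keep |this| alive for the whole call
        imageBuffer = buffer;
        auto hook = mayTriggerGC;               // copy so the callable survives our destruction
        if (hook)
            hook();                             // may release the owner's last reference
        if (observer.expired())
            return false;                       // |this| already gone: use-after-free in real code
        markedDirty = true;                     // safe only because the object is still alive
        return true;
    }
};

// Drives one scenario: an owner holds the only reference and the "GC" hook releases
// it during setImageBuffer. Returns whether the setter completed on a live object.
bool runScenario(bool protectSelf) {
    auto owner = std::make_shared<ToyCanvas>();
    ToyCanvas* raw = owner.get();
    raw->mayTriggerGC = [&owner] { owner.reset(); }; // last external reference dropped mid-call
    return raw->setImageBuffer(42, protectSelf);
    // with protectSelf the object is freed only here, after the member function returned
}
```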
Commit: 0d4cfda000f801690abc792ef725450b7a3a78da
https://github.com/WebKit/WebKit/commit/0d4cfda000f801690abc792ef725450b7a3a78da
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-08-07 (Mon, 07 Aug 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebProcessPool.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Process Isolation Bypass via navigating to about:* context
https://bugs.webkit.org/show_bug.cgi?id=257348
rdar://109853048
Reviewed by Chris Dumez and J Pascoe.
This patch fixes an issue where we will never swap processes when navigating from an
about:* page. A compromised WebContent process could leverage this behavior to avoid
swapping processes when navigating to a cross-origin domain.
This is fixed by checking the following when navigating from an about:* page.
- The page has not committed a provisional load to a URL that isn't about:*.
- The source process last loaded a domain from the same origin as the domain we are navigating to.
If neither of these two conditions are met, we won’t reuse the process.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didExplicitOpenForFrame):
(WebKit::WebPageProxy::didCommitLoadForFrame):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::processForNavigationInternal):
* Source/WebKit/UIProcess/WebProcessProxy.h:
(WebKit::WebProcessProxy::didCommitMeaningfulProvisionalLoad):
(WebKit::WebProcessProxy::hasCommittedAnyMeaningfulProvisionalLoads const):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
Originally-landed-as: 259548.792@safari-7615-branch (f52bc7e18a7c). rdar://113174653
Canonical link: https://commits.webkit.org/266648@main
Commit: 6b2695cfef05b365de2f53f0be203a4c951a9963
https://github.com/WebKit/WebKit/commit/6b2695cfef05b365de2f53f0be203a4c951a9963
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-08-07 (Mon, 07 Aug 2023)
Changed paths:
M Source/WebKit/UIProcess/API/C/WKPage.cpp
M Source/WebKit/UIProcess/API/C/WKPage.h
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Tools/WebKitTestRunner/TestController.cpp
Log Message:
-----------
REGRESSION(259548.792@safari-7615-branch) http/tests/contentextensions/block-everything-unless-domain-redirect.py & http/tests/loading/preload-append-scan.py are failing
https://bugs.webkit.org/show_bug.cgi?id=257833
rdar://110350341
Reviewed by Alex Christensen.
259548.792@safari-7615-branch made a change where we will swap processes when navigating from about:blank when
the current process has made a provisional load to a URL that was not about:*. This state was not reset between
tests, and since about:blank is loaded between each test, we would process swap in cases where we previously
hadn’t when running tests. Let’s fix this by clearing this state on `WebProcessProxy` between each test run.
* Source/WebKit/UIProcess/API/C/WKPage.cpp:
(WKPageResetProcessState):
* Source/WebKit/UIProcess/API/C/WKPage.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::resetState):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetStateToConsistentValues):
Originally-landed-as: 259548.812@safari-7615-branch (5e250c9fb3d7). rdar://113175034
Canonical link: https://commits.webkit.org/266649@main
Compare: https://github.com/WebKit/WebKit/compare/2f97007c9a1e...6b2695cfef05