[webkit-changes] [WebKit/WebKit] 63e8ce: Versioning.

Jonathan Bedard noreply at github.com
Mon Dec 11 21:49:40 PST 2023


  Branch: refs/heads/safari-7617.1.17.11-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 63e8ce6b77a6df5354bd827e18eb6591889f485c
      https://github.com/WebKit/WebKit/commit/63e8ce6b77a6df5354bd827e18eb6591889f485c
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.1.17.11.1

Identifier: 267815.545 at safari-7617.1.17.11-branch


  Commit: 004f5c91b5f34d9b42e5ee3d84ebf9fc20e63bca
      https://github.com/WebKit/WebKit/commit/004f5c91b5f34d9b42e5ee3d84ebf9fc20e63bca
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.1.17.12.1

Identifier: 267815.546 at safari-7617.1.17.11-branch


  Commit: 5de4a868d2131daf7b9ba84a1070b9a8b3e9d61a
      https://github.com/WebKit/WebKit/commit/5de4a868d2131daf7b9ba84a1070b9a8b3e9d61a
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.1.17.11.1

Identifier: 267815.547 at safari-7617.1.17.11-branch


  Commit: 37cceff2936599c5bd380b82e5f016bf7f968fc7
      https://github.com/WebKit/WebKit/commit/37cceff2936599c5bd380b82e5f016bf7f968fc7
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
    A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
    M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
    M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h

  Log Message:
  -----------
  Cherry-pick 64bcd93cbc55. rdar://117463447

    jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
    https://bugs.webkit.org/show_bug.cgi?id=264180.
    rdar://117463447.

    Reviewed by Sihui Liu.

    MemoryIndex now keeps WeakPtr to MemoryObjectStore 'm_objectStore' and checks it's validity before using it. Also RefPtr conversion from WekPtr using get() API as applicable.

    * LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
    * LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
    * Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using.
    (WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
    (WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
    (WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable.
    (WebCore::IDBServer::MemoryIndex::objectStoreCleared):
    (WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
    (WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
    (WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
    (WebCore::IDBServer::MemoryIndex::getAllRecords const):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
    (WebCore::IDBServer::MemoryIndex::objectStore):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object.
    (WebCore::IDBServer::MemoryIndexCursor::currentData):
    * Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:

    Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch

Identifier: 267815.548 at safari-7617.1.17.11-branch


  Commit: cb09f82cc10804495d9ab964af310535286b2ee4
      https://github.com/WebKit/WebKit/commit/cb09f82cc10804495d9ab964af310535286b2ee4
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/multicol/last-set-crash-expected.txt
    A LayoutTests/fast/multicol/last-set-crash.html
    M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
    M Source/WebCore/rendering/RenderMultiColumnFlow.h

  Log Message:
  -----------
  Cherry-pick f524a15d0633. rdar://114559559

    WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
    https://bugs.webkit.org/show_bug.cgi?id=264327
    rdar://114559559

    Reviewed by Alan Baradlay.

    * LayoutTests/TestExpectations:

    Skip test on debug due to some assertion failures.

    * LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/last-set-crash.html: Added.
    * Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
    (WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):

    Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
    Check for this.

    * Source/WebCore/rendering/RenderMultiColumnFlow.h:

    Also make it use WeakPtr.

    Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch

Identifier: 267815.549 at safari-7617.1.17.11-branch


  Commit: 2c764868b8667da5520983b2cd8529ff62aac744
      https://github.com/WebKit/WebKit/commit/2c764868b8667da5520983b2cd8529ff62aac744
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h

  Log Message:
  -----------
  Apply patch. rdar://117209302

	REGRESSION (266237 at main): Poster circle animation is not continuous
	https://bugs.webkit.org/show_bug.cgi?id=263569
	<rdar://117209302>

	Reviewed by Simon Fraser.

	This is the same as the existing hasBig3DRotation rotation issue, where CA animates the shortest path between 3d rotations,
	because we represent them as matrices.

	Previously our computed matrices for rotate(180deg) didn’t have integer values, due to a float rounding issue during deg->rad.

	The new change computes the rotation matrix exactly, and now there’s no longer a defined direction for a 180deg rotation and
	we sometimes end up with a ‘backwards’ rotation.

	This adds an option to not do the snapping when we compute matrices for CA, so that the existing behavior is preserved.

	* Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h:
	* Source/WebCore/platform/graphics/transforms/TransformOperation.h:
	(WebCore::TransformOperation::applyUnrounded const):
	* Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:
	(WebCore::TransformationMatrix::rotate3d):
	(WebCore::TransformationMatrix::rotate):
	(WebCore::TransformationMatrix::rotateRadians):
	* Source/WebCore/platform/graphics/transforms/TransformationMatrix.h:

	Canonical link: https://commits.webkit.org/270294@main

Identifier: 267815.550 at safari-7617.1.17.11-branch


  Commit: a42f1a766c55e731f627f385c9b2dc0cfc994926
      https://github.com/WebKit/WebKit/commit/a42f1a766c55e731f627f385c9b2dc0cfc994926
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebCore/page/ContextMenuController.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp

  Log Message:
  -----------
  Cherry-pick 38398649280b. rdar://117215059

    AX: Sometimes unable to see play/pause animation context menu item when setting is toggled
    https://bugs.webkit.org/show_bug.cgi?id=263735
    rdar://117215059

    Reviewed by Tyler Wilcock.

    When deciding whether to add the "Play/Pause all animations" or "Play/Pause animation" context menu item, we had previously
    used a softlink to reference _AXSReduceMotionAutoplayAnimatedImagesEnabled. The issue with using this from the web content
    process, however, is that distributed notifications are not permitted as per the sandbox, so updates to this setting were
    not reaching that process.

    To resolve this, this patch now piggybacks onto our existing cross-process update for the animation setting using the
    AccessibilityPreferencesChanged notification and WebPage::updateImageAnimationEnabled. A new flag, m_systemAllowsAnimationControls,
    now maintains the state of this setting, and allows the Page to have an up-to-date view of the setting without relying on the
    softlink.

    * Source/WebCore/page/ContextMenuController.cpp:
    (WebCore::ContextMenuController::populate):
    * Source/WebCore/page/Page.cpp:
    (WebCore::Page::setSystemAllowsAnimationControls):
    * Source/WebCore/page/Page.h:
    (WebCore::Page::systemAllowsAnimationControls const):
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::updateImageAnimationEnabled):

    Canonical link: https://commits.webkit.org/269878@main

Identifier: 267815.551 at safari-7617.1.17.11-branch


  Commit: 161dd790eb47625f7d13bdd42e01abc372ea8fab
      https://github.com/WebKit/WebKit/commit/161dd790eb47625f7d13bdd42e01abc372ea8fab
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/FontCascade.cpp
    M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
    M Source/WebCore/platform/graphics/FontRanges.cpp
    M Source/WebCore/platform/graphics/GlyphPage.h

  Log Message:
  -----------
  Cherry-pick ef2295446d89. rdar://117905809

    Use GlyphData.isValid() consistently for checking whether GlyphData is valid.
    https://bugs.webkit.org/show_bug.cgi?id=264130
    rdar://117905809

    Reviewed by Tim Nguyen.

    Replace GlyphData validity checks using .glyph and .font directly with .isValid().
    Make .isValid() return false even if .glyph is non-zero and .font is null
    (which should never happen) since a .font null check isn't expensive anyway.

    * Source/WebCore/platform/graphics/FontCascade.cpp:
    (WebCore::FontCascade::fontForCombiningCharacterSequence const):
    * Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
    (WebCore::FontCascadeFonts::GlyphPageCacheEntry::setGlyphDataForCharacter):
    (WebCore::FontCascadeFonts::glyphDataForSystemFallback):
    (WebCore::FontCascadeFonts::glyphDataForVariant):
    (WebCore::FontCascadeFonts::glyphDataForCharacter):
    * Source/WebCore/platform/graphics/FontRanges.cpp:
    (WebCore::FontRanges::glyphDataForCharacter const):
    * Source/WebCore/platform/graphics/GlyphPage.h:
    (WebCore::GlyphData::isValid const):

    Canonical link: https://commits.webkit.org/270299@main

Identifier: 267815.552 at safari-7617.1.17.11-branch


  Commit: 3ac3fabf6c35589cde578d8281a94d28cbeb7bb9
      https://github.com/WebKit/WebKit/commit/3ac3fabf6c35589cde578d8281a94d28cbeb7bb9
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    A LayoutTests/fast/viewport/ios/full-screen-safe-area-insets-expected.txt
    A LayoutTests/fast/viewport/ios/full-screen-safe-area-insets.html
    A LayoutTests/fast/viewport/ios/resources/viewport-fit-contain.html
    A LayoutTests/fast/viewport/ios/resources/viewport-fit-cover.html
    A LayoutTests/fullscreen/full-screen-document-background-color-expected.txt
    A LayoutTests/fullscreen/full-screen-document-background-color.html
    M LayoutTests/fullscreen/full-screen-test.js
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/FullscreenManager.cpp
    M Source/WebCore/page/LocalFrameView.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Source/WebKit/UIProcess/ios/WKScrollView.h
    M Source/WebKit/UIProcess/ios/WKScrollView.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm

  Log Message:
  -----------
  Cherry-pick 1d5314701b60. rdar://117304719

    Cherry-pick 270199 at main (56d49b081448). rdar://117304719

        [iOS] Element Fullscreen does not respect viewport-fit
        https://bugs.webkit.org/show_bug.cgi?id=264012
        rdar://117304719

        Reviewed by Wenson Hsieh and Tim Horton.

        Tests: fast/viewport/ios/full-screen-safe-area-insets.html
               fullscreen/full-screen-document-background-color.html

        When configuring the WKWebView during the enter fullscreen operation, various settings of the view
        must be returned to their default state for the "automatic" avoid-safe-areas behavior to kick in.
        For some calls made by clients, there is no way to reset those behaviors to default, and the
        existing implementation merely overrode those settings with other non-default values. The end
        result was that all fullscreen content was behaving as if `viewport-fit=cover` was specified, which
        allowed some content to slip into the safe areas.

        Additionally, when embedded content is taken fullscreen, the viewport settings of that embedded
        iframe are not respected, and the embedded content uses the viewport settings of whatever page
        embedded it. Also, the fullscreen element's background is not used in the overflow areas when
        iframe content is in fullscreen.

        * Source/WebCore/dom/Document.cpp:
        (WebCore::Document::updateViewportArguments):
        * Source/WebCore/dom/FullscreenManager.cpp:
        (WebCore::FullscreenManager::dispatchFullscreenChangeOrErrorEvent):
        (WebCore::FullscreenManager::deepestFullscreenDocument const):
        * Source/WebCore/dom/FullscreenManager.h:
        * Source/WebCore/page/LocalFrameView.cpp:
        (WebCore::LocalFrameView::documentBackgroundColor const):
        * Source/WebCore/page/Page.cpp:
        (WebCore::viewportDocumentForFrame):
        (WebCore::Page::viewportArguments const):
        * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h:
        * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
        (-[WKWebView _resetScrollViewInsetAdjustmentBehavior]):
        (-[WKWebView _haveSetUnobscuredSafeAreaInsets]):
        (-[WKWebView _resetUnobscuredSafeAreaInsets]):
        (-[WKWebView _hasOverriddenLayoutParameters]):
        (-[WKWebView _viewLayoutSizeOverride]):
        (-[WKWebView _minimumUnobscuredSizeOverride]):
        (-[WKWebView _maximumUnobscuredSizeOverride]):
        (-[WKWebView _resetObscuredInsets]):
        (-[WKWebView _clearOverrideLayoutParameters]):
        * Source/WebKit/UIProcess/ios/WKContentView.mm:
        (-[WKContentView setFrame:]):
        * Source/WebKit/UIProcess/ios/WKScrollView.h:
        * Source/WebKit/UIProcess/ios/WKScrollView.mm:
        (-[WKScrollView _contentInsetWasExternallyOverridden]):
        (-[WKScrollView _resetContentInset]):
        (-[WKScrollView _resetContentInsetAdjustmentBehavior]):
        * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm:
        (-[WKFullScreenViewController viewDidLayoutSubviews]):
        (-[WKFullScreenViewController viewWillTransitionToSize:withTransitionCoordinator:]):
        * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm:
        (WebKit::WKWebViewState::applyTo):
        (WebKit::WKWebViewState::store):
        (-[WKFullScreenWindowController enterFullScreen:]):
        (-[WKFullScreenWindowController beganEnterFullScreenWithInitialFrame:finalFrame:]):

        Canonical link: https://commits.webkit.org/270199@main

Identifier: 267815.553 at safari-7617.1.17.11-branch


  Commit: 0c4ea08f74a87bdd10ee85af182877fc9b7ab34c
      https://github.com/WebKit/WebKit/commit/0c4ea08f74a87bdd10ee85af182877fc9b7ab34c
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M Source/WebCore/editing/FrameSelection.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebKit/Shared/WebPageCreationParameters.h
    M Source/WebKit/Shared/WebPageCreationParameters.serialization.in
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/mac/PageClientImplMac.h
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm

  Log Message:
  -----------
  Cherry-pick ee3805278f95. rdar://117909679

    macOS: Text cursor in HTML note is black, regardless of set Accent Color
    https://bugs.webkit.org/show_bug.cgi?id=264189
    rdar://117909679

    Reviewed by Aditya Keerthi and Tim Horton.

    266070 at main changed the behavior of the caret color to more closely follow the spec, and improve
    web compat. However, this behavior change also affected HTML Notes, which sets `color` on
    an ancestor of the editable div. As a result, the caret color is black. However, it should match
    the accent color of the app it is in, if it sets a custom accent color.

    To fix, implement the same solution as 269314 at main effectively, but on macOS.

    * Source/WebCore/editing/FrameSelection.cpp:
    (WebCore::FrameSelection::paintCaret):
    (WebCore::CaretBase::computeCaretColor):
    (WebCore::CaretBase::paintCaret const):
    (WebCore::DragCaretController::paintDragCaret const):
    * Source/WebCore/editing/FrameSelection.h:
    * Source/WebCore/page/Page.cpp:
    (WebCore::Page::setAppUsesCustomAccentColor):
    (WebCore::Page::appUsesCustomAccentColor const):
    * Source/WebCore/page/Page.h:
    * Source/WebCore/rendering/RenderThemeIOS.mm:
    (WebCore::RenderThemeIOS::autocorrectionReplacementMarkerColor const):
    * Source/WebCore/rendering/style/RenderStyle.h:
    * Source/WebKit/Shared/WebPageCreationParameters.h:
    * Source/WebKit/Shared/WebPageCreationParameters.serialization.in:
    * Source/WebKit/UIProcess/PageClient.h:
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::creationParameters):
    * Source/WebKit/UIProcess/mac/PageClientImplMac.h:
    * Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
    (WebKit::cachedAppUsesCustomAccentColor):
    (WebKit::PageClientImpl::appUsesCustomAccentColor):
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::m_historyItemClient):
    (WebKit::WebPage::reinitializeWebPage):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    * Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
    (WebKit::WebPage::getPlatformEditorState const):
    * Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm:
    (WebKit::WebPage::setAppUsesCustomAccentColor):

    Canonical link: https://commits.webkit.org/270325@main

(cherry picked from commit dae531d205959f8686e79a92dd5ea8e6b50796a2)

Identifier: 267815.554 at safari-7617.1.17.11-branch


  Commit: 9fed41d7f0074857bd647f9d5463a8bd3cc0381c
      https://github.com/WebKit/WebKit/commit/9fed41d7f0074857bd647f9d5463a8bd3cc0381c
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/canvas/canvas-noise-injection-expected.txt
    A LayoutTests/fast/canvas/canvas-noise-injection.html
    M Source/WebCore/html/CanvasBase.cpp
    M Source/WebCore/html/CanvasBase.h
    M Source/WebCore/html/CanvasNoiseInjection.cpp
    M Source/WebCore/html/CanvasNoiseInjection.h
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Don't apply canvas noise on drawImage/putImageData rects
https://bugs.webkit.org/show_bug.cgi?id=263129
rdar://115313154

Reviewed by Simon Fraser.

When noise injection is enabled, the backing pixelbuffer of Canvas2D has noise
applied as an anti-fingerprinting protection. That operation is expensive and
the protection is not needed in situations where we are given an explicit
ImageData or specific types of Images because those data don't reveal any
identifying information about the machine when extracted via getImageData() or
toDataURL().

This patch abstracts the default DidDrawOptions into a static function that
includes DidDrawOption::ApplyPostProcessing, and a companion function that
doesn't include ApplyPostProcessing. These are static class functions because
they should both be updated if the default DidDrawOption OptionSet changes in
the future, and defining them separately seems error prone.

As described above, the noise injection post-processing is not applied after
certain drawImage operations where the image is a bitmap, and post-processing
is conditionally applied when the entire canvas is dirty.

* LayoutTests/TestExpectations:
* LayoutTests/fast/canvas/canvas-noise-injection-expected.txt:
* LayoutTests/fast/canvas/canvas-noise-injection.html:
* Source/WebCore/html/CanvasBase.cpp:
(WebCore::CanvasBase::didDraw):
* Source/WebCore/html/CanvasNoiseInjection.cpp:
(WebCore::CanvasNoiseInjection::clearDirtyRect):
* Source/WebCore/html/CanvasNoiseInjection.h:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::clearRect):
(WebCore::CanvasRenderingContext2DBase::drawImage):
(WebCore::CanvasRenderingContext2DBase::didDrawEntireCanvas):
(WebCore::CanvasRenderingContext2DBase::didDraw):
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h:
(WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptions):
(WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptionsWithoutPostProcessing):
(WebCore::CanvasRenderingContext2DBase::didDraw): Deleted.

Canonical link: https://commits.webkit.org/267815.555@safari-7617.1.17.11-branch


  Commit: 638af07b2d069c2d11ced5de4a115545f723286d
      https://github.com/WebKit/WebKit/commit/638af07b2d069c2d11ced5de4a115545f723286d
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    R LayoutTests/fast/canvas/canvas-noise-injection-expected.txt
    R LayoutTests/fast/canvas/canvas-noise-injection.html
    M Source/WebCore/html/CanvasBase.cpp
    M Source/WebCore/html/CanvasBase.h
    M Source/WebCore/html/CanvasNoiseInjection.cpp
    M Source/WebCore/html/CanvasNoiseInjection.h
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Revert "Don't apply canvas noise on drawImage/putImageData rects"

This reverts commit 9fed41d7f0074857bd647f9d5463a8bd3cc0381c.

Canonical link: https://commits.webkit.org/267815.556@safari-7617.1.17.11-branch


  Commit: 51c02b03c7c02d7807828cbec7196eee546445bd
      https://github.com/WebKit/WebKit/commit/51c02b03c7c02d7807828cbec7196eee546445bd
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/canvas/canvas-noise-injection-expected.txt
    A LayoutTests/fast/canvas/canvas-noise-injection.html
    M Source/WebCore/html/CanvasBase.cpp
    M Source/WebCore/html/CanvasBase.h
    M Source/WebCore/html/CanvasNoiseInjection.cpp
    M Source/WebCore/html/CanvasNoiseInjection.h
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Cherry-pick bde990fd62dd. rdar://115313154

    Don't apply canvas noise on drawImage/putImageData rects
    https://bugs.webkit.org/show_bug.cgi?id=263129
    rdar://115313154

    Reviewed by Simon Fraser.

    When noise injection is enabled, the backing pixelbuffer of Canvas2D has noise
    applied as an anti-fingerprinting protection. That operation is expensive and
    the protection is not needed in situations where we are given an explicit
    ImageData or specific types of Images because those data don't reveal any
    identifying information about the machine when extracted via getImageData() or
    toDataURL().

    This patch abstracts the default DidDrawOptions into a static function that
    includes DidDrawOption::ApplyPostProcessing, and a companion function that
    doesn't include ApplyPostProcessing. These are static class functions because
    they should both be updated if the default DidDrawOption OptionSet changes in
    the future, and defining them separately seems error prone.

    As described above, the noise injection post-processing is not applied after
    certain drawImage operations where the image is a bitmap, and post-processing
    is conditionally applied when the entire canvas is dirty.

    * LayoutTests/TestExpectations:
    * LayoutTests/fast/canvas/canvas-noise-injection-expected.txt:
    * LayoutTests/fast/canvas/canvas-noise-injection.html:
    * Source/WebCore/html/CanvasBase.cpp:
    (WebCore::CanvasBase::didDraw):
    * Source/WebCore/html/CanvasNoiseInjection.cpp:
    (WebCore::CanvasNoiseInjection::clearDirtyRect):
    * Source/WebCore/html/CanvasNoiseInjection.h:
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
    (WebCore::CanvasRenderingContext2DBase::clearRect):
    (WebCore::CanvasRenderingContext2DBase::drawImage):
    (WebCore::CanvasRenderingContext2DBase::didDrawEntireCanvas):
    (WebCore::CanvasRenderingContext2DBase::didDraw):
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h:
    (WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptions):
    (WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptionsWithoutPostProcessing):
    (WebCore::CanvasRenderingContext2DBase::didDraw): Deleted.

    Canonical link: https://commits.webkit.org/270207@main

Identifier: 267815.556 at safari-7617-branch
Canonical link: https://commits.webkit.org/267815.557@safari-7617.1.17.11-branch


  Commit: 6bdd1ae2ab1ec30c43d62c9ceb026a92ed891924
      https://github.com/WebKit/WebKit/commit/6bdd1ae2ab1ec30c43d62c9ceb026a92ed891924
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm

  Log Message:
  -----------
  Cherry-pick 9e08e9d30f55. rdar://118121639

    Cookies from AppSSO extension are getting stored in iframe even when CSP restricts page to be loaded in iframe
    https://bugs.webkit.org/show_bug.cgi?id=264447
    rdar://118121639

    Reviewed by Brent Fulgham.

    In https://bugs.webkit.org/show_bug.cgi?id=260100, we added CSP validation when setting cookies
    in the response of an AppSSO request. However, in that patch, we consider CSP options that are
    only relevant for i-frames in the redirect case. In NetworkResourceLoader::shouldInterruptLoadForXFrameOptions,
    we do an early return in non-main frame cases, but do not in the check for AppSSO.

    In SOAuthorizationCoordinator::tryAuthorize, it can be gleamed that a non-mainframe navigation implies
    a SubFrameSOAuthorizationSession will be created. Therefore we only need to perform these i-frame specific
    CSP checks whenever we have a SubFrameSOAuthorizationSession.

    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h:
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForXFrameOptions): Deleted.
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): Deleted.
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h:
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm:
    (WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForXFrameOptions):
    (WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):

    Canonical link: https://commits.webkit.org/270422@main

Identifier: 267815.554 at safari-7617-branch
Canonical link: https://commits.webkit.org/267815.558@safari-7617.1.17.11-branch


  Commit: bc2c6ed9b61b0e6090bb753ec04c83c5f4c3f3c9
      https://github.com/WebKit/WebKit/commit/bc2c6ed9b61b0e6090bb753ec04c83c5f4c3f3c9
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.1.17.11.2

Canonical link: https://commits.webkit.org/267815.559@safari-7617.1.17.11-branch


  Commit: 368f16c9195cca88a62ab96d7e444ecafc01aa8c
      https://github.com/WebKit/WebKit/commit/368f16c9195cca88a62ab96d7e444ecafc01aa8c
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/platform/RunLoopObserver.h
    M Source/WebCore/platform/cf/RunLoopObserverCF.cpp
    M Source/WebKitLegacy/mac/WebView/WebViewRenderingUpdateScheduler.h
    M Source/WebKitLegacy/mac/WebView/WebViewRenderingUpdateScheduler.mm

  Log Message:
  -----------
  Cherry-pick 927b1ffbab10. rdar://118024764

    Unreviewed, reverting 269859 at main.
    https://bugs.webkit.org/show_bug.cgi?id=264534

    Caused CPU spins in some WebView client applications

    Reverted changeset:

    "REGRESSION (263917 at main): [ macOS ] 3 inspector/timeline/timeline-event-Timer tests are a consistent failure"
    https://bugs.webkit.org/show_bug.cgi?id=260360
    https://commits.webkit.org/269859@main

    Canonical link: https://commits.webkit.org/270489@main

Canonical link: https://commits.webkit.org/267815.560@safari-7617.1.17.11-branch


  Commit: 9d5fbd34096bbc4c41a77e53a4c4e66e00523ca3
      https://github.com/WebKit/WebKit/commit/9d5fbd34096bbc4c41a77e53a4c4e66e00523ca3
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    A LayoutTests/accessibility/custom-elements/shadow-element-text-expected.txt
    A LayoutTests/accessibility/custom-elements/shadow-element-text.html
    A LayoutTests/platform/glib/accessibility/custom-elements/shadow-element-text-expected.txt
    M Source/WebCore/accessibility/AccessibilityNodeObject.cpp

  Log Message:
  -----------
  Cherry-pick ecb40fdcddf8. rdar://118118138

    AX: VoiceOver does not announce button in text if button is in shadow root
    https://bugs.webkit.org/show_bug.cgi?id=264410
    rdar://118118138

    Reviewed by Tyler Wilcock.

    In shadow DOM elements, if text was within nested elements, textUnderElement would not include it.

    This patch resolves that by adding to our logic for when we decide whether or not to skip a child's
    text. Instead of just checking whether the child's parent and the current node match, we also check
    that the elements are either both in the DOM or Shadow DOM.

    * LayoutTests/accessibility/custom-elements/shadow-element-text-expected.txt: Added.
    * LayoutTests/accessibility/custom-elements/shadow-element-text.html: Added.
    * LayoutTests/platform/glib/accessibility/custom-elements/shadow-element-text-expected.txt: Added.
    * Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
    (WebCore::AccessibilityNodeObject::textUnderElement const):

    Canonical link: https://commits.webkit.org/270542@main

Canonical link: https://commits.webkit.org/267815.561@safari-7617.1.17.11-branch


  Commit: d10583e7561262779617acc686104dee0a23789b
      https://github.com/WebKit/WebKit/commit/d10583e7561262779617acc686104dee0a23789b
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h

  Log Message:
  -----------
  Cherry-pick 0532f1c87a63. rdar://117840925

    RELEASE_ASSERT() under GPUProcessConnection::create(IPC::Connection&)
    https://bugs.webkit.org/show_bug.cgi?id=264612
    rdar://117840925

    Reviewed by Brent Fulgham.

    When a WebProcess requests a connection to the GPUProcess, the UIProcess
    needs to pass preferences for this WebProcess. Preferences are associated
    with WebPages and thus we cannot initiate a connection to the GPUProcess
    before a WebPage has been created.

    I had tried to add an assertion to this effect in
    GPUProcessConnection::create(). However, my assertion was a little
    stricter than needed and could get hit in the wild. It is sufficient for
    a process to have ever had a WebPage (The WebProcessProxy stores the
    preferences locally), we don't need to have a living WebPage at the
    moment when the connection gets requested.

    * Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp:
    (WebKit::GPUProcessConnection::create):
    * Source/WebKit/WebProcess/WebProcess.cpp:
    (WebKit::WebProcess::createWebPage):
    * Source/WebKit/WebProcess/WebProcess.h:
    (WebKit::WebProcess::hasEverHadAnyWebPages const):
    (WebKit::WebProcess::hasWebPages const): Deleted.

    Canonical link: https://commits.webkit.org/270569@main

Canonical link: https://commits.webkit.org/267815.562@safari-7617.1.17.11-branch


  Commit: 486aa223cd32f77f602ee7745b641413b57bfa76
      https://github.com/WebKit/WebKit/commit/486aa223cd32f77f602ee7745b641413b57bfa76
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-13 (Mon, 13 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.1.17.11.3

Identifier: 267815.563 at safari-7617.1.17.11-branch


  Commit: 6917a849d7355e5d81284c86ba7bca33b490218e
      https://github.com/WebKit/WebKit/commit/6917a849d7355e5d81284c86ba7bca33b490218e
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-13 (Mon, 13 Nov 2023)

  Changed paths:
    M Source/WebCore/rendering/TextBoxPainter.cpp

  Log Message:
  -----------
  Cherry-pick f9ec06b716a3. rdar://117897402

    Crash under TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox
    https://bugs.webkit.org/show_bug.cgi?id=264728
    rdar://117897402

    Reviewed by Alan Baradlay.

    * Source/WebCore/rendering/TextBoxPainter.cpp:
    (WebCore::TextBoxPainter<TextBoxPath>::collectDecoratingBoxesForTextBox):

    There appears to be some case where parentInlineBox is not found. Add null checking.

    Canonical link: https://commits.webkit.org/270634@main

Canonical link: https://commits.webkit.org/267815.564@safari-7617.1.17.11-branch


  Commit: 51b96e64dc33b0ac4881e27939b9d1389039a3d4
      https://github.com/WebKit/WebKit/commit/51b96e64dc33b0ac4881e27939b9d1389039a3d4
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-13 (Mon, 13 Nov 2023)

  Changed paths:
    R JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/GetPutInfo.h
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/runtime/SymbolTable.cpp
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Cherry-pick af7c136e799e. rdar://117838992

    Reverting https://commits.webkit.org/267815.345@safari-7617-branch
    https://bugs.webkit.org/show_bug.cgi?id=264767
    rdar://117838992

    Reviewed by Michael Saboff.

    * JSTests/stress/arrow-function-captured-arguments-aliased.js: Removed.
    * Source/JavaScriptCore/bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::finishCreation):
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
    * Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
    * Source/JavaScriptCore/runtime/GetPutInfo.h:
    (JSC::initializationModeName):
    (JSC::isInitialization):
    * Source/JavaScriptCore/runtime/ScopedArguments.h:
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
    (JSC::ScopedArgumentsTable::tryCreate):
    (JSC::ScopedArgumentsTable::tryClone):
    (JSC::ScopedArgumentsTable::trySetLength):
    (JSC::ScopedArgumentsTable::trySetWatchpointSet): Deleted.
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
    * Source/JavaScriptCore/runtime/SymbolTable.cpp:
    (JSC::SymbolTable::localToEntry):
    (JSC::SymbolTable::cloneScopePart):
    * Source/JavaScriptCore/runtime/SymbolTable.h:

    Canonical link: https://commits.webkit.org/267815.566@safari-7617-branch

Identifier: 267815.565 at safari-7617.1.17.11-branch


  Commit: 02f02260d25d59958623d1d45b95a7c560f8c7a4
      https://github.com/WebKit/WebKit/commit/02f02260d25d59958623d1d45b95a7c560f8c7a4
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-14 (Tue, 14 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.1.17.11.4

Canonical link: https://commits.webkit.org/267815.566@safari-7617.1.17.11-branch


  Commit: 4c66f09968e39fef126aca7ad69f771f421705b9
      https://github.com/WebKit/WebKit/commit/4c66f09968e39fef126aca7ad69f771f421705b9
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-14 (Tue, 14 Nov 2023)

  Changed paths:
    A LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt
    A LayoutTests/fonts/font-cache-memory-pressure-crash.html
    M Source/WebCore/platform/graphics/FontCascadeFonts.cpp

  Log Message:
  -----------
  Cherry-pick a595ddd8348d. rdar://117805319

    Adding last resort font to System Font fallback set for PUA characters
    https://bugs.webkit.org/show_bug.cgi?id=264737
    rdar://117805319

    Reviewed by Brent Fulgham.

    Until now, when we are purging inactive font data, we would just clear
    the glyph page cache if we had to purge system fallback font.
    This means that we consider glyph page cache would only point to
    fonts from system fonts fallback.

    When we are handling unicode's in the Private-User-Area (PUA) block,
    we shouldn't fallback to system fonts searching for a font that can render
    it, per spec: https://www.w3.org/TR/css-fonts-4/#char-handling-issues
    Instead, we render the glyph 0 with the last resort font. However, this
    font is just added to the custom font cache, and its font pointer in the
    Glyph Page cache is not cleared during memory pressure.

    We should add this font to the system font fallback set, to make sure
    that the associated font pointer is removed from the glyph page cache
    during memory pressure.

    * LayoutTests/fonts/font-cache-memory-pressure-crash.html: Added.
    * Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
    (WebCore::FontCascadeFonts::glyphDataForVariant):
    * LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt: Added.

    Canonical link: https://commits.webkit.org/267815.567@safari-7617-branch

Canonical link: https://commits.webkit.org/267815.567@safari-7617.1.17.11-branch


  Commit: 03bf0fb341e7518c6a5f027f1c528aaae5444dbe
      https://github.com/WebKit/WebKit/commit/03bf0fb341e7518c6a5f027f1c528aaae5444dbe
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-14 (Tue, 14 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm

  Log Message:
  -----------
  Cherry-pick 9ed78dcdcb4a. rdar://118249650

    REGRESSION (270325 at main): Overrelease of NSColor under PageClientImpl::appUsesCustomAccentColor
    https://bugs.webkit.org/show_bug.cgi?id=264845
    <rdar://problem/118312264>

    Reviewed by Aditya Keerthi, Chris Dumez and Simon Fraser.

    * Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
    (WebKit::PageClientImpl::appUsesCustomAccentColor):
    We don't own these colors, don't adopt them.

    Canonical link: https://commits.webkit.org/270735@main

Identifier: 267815.568 at safari-7617.1.17.11-branch


  Commit: fb9dcef71efd9d5ae566904b5e00db3e172f2fa7
      https://github.com/WebKit/WebKit/commit/fb9dcef71efd9d5ae566904b5e00db3e172f2fa7
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-15 (Wed, 15 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.1.17.11.5

Identifier: 267815.569 at safari-7617.1.17.11-branch


  Commit: 6ea376501afdb33467d4a12408d221ec626f164a
      https://github.com/WebKit/WebKit/commit/6ea376501afdb33467d4a12408d221ec626f164a
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.1.17.11.6

Identifier: 267815.570 at safari-7617.1.17.11-branch


  Commit: b66ff306d78f874fcb6544f7293ac1c729dc0a8d
      https://github.com/WebKit/WebKit/commit/b66ff306d78f874fcb6544f7293ac1c729dc0a8d
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Source/JavaScriptCore/b3/B3LowerToAir.cpp
    M Source/JavaScriptCore/b3/air/AirValidate.cpp

  Log Message:
  -----------
  Cherry-pick 49ba637c4abb. rdar://118515062

    Extr can overflow when imm=64, allowing a random register to be read
    rdar://118515062

    Reviewed by Yusuke Suzuki.

    Extr can overflow when imm=64, allowing a random register to be read.

    * Source/JavaScriptCore/b3/B3LowerToAir.cpp:
    * Source/JavaScriptCore/b3/air/AirValidate.cpp:

    Canonical link: https://commits.webkit.org/267815.574@safari-7617-branch

Identifier: 267815.571 at safari-7617.1.17.11-branch


  Commit: bda88b917cb9ff49b7f7fa1439bd690fe64da597
      https://github.com/WebKit/WebKit/commit/bda88b917cb9ff49b7f7fa1439bd690fe64da597
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.h

  Log Message:
  -----------
  Cherry-pick 4c3430842100. rdar://118267012

    Crash under PAL::newTextCodec(PAL::TextEncoding const&)
    https://bugs.webkit.org/show_bug.cgi?id=264979
    rdar://118267012

    Reviewed by Brent Fulgham.

    There is evidence for crashes in the wild that the CachedCSSStyleSheet or
    the TextResourceDecoder are being used after getting freed. To prevent this,
    protect both these objects in the code path identified by the crashes.

    This is a speculative fix but it should be very safe.

    * Source/WebCore/loader/SubresourceLoader.cpp:
    (WebCore::SubresourceLoader::didFinishLoading):
    * Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:
    (WebCore::CachedCSSStyleSheet::finishLoading):
    (WebCore::CachedCSSStyleSheet::protectedDecoder const):
    * Source/WebCore/loader/cache/CachedCSSStyleSheet.h:

    Canonical link: https://commits.webkit.org/267815.575@safari-7617-branch

Identifier: 267815.572 at safari-7617.1.17.11-branch


  Commit: df862d179a3f79307b03f123f4f31ef46ce0dd51
      https://github.com/WebKit/WebKit/commit/df862d179a3f79307b03f123f4f31ef46ce0dd51
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.1.17.11.7

Canonical link: https://commits.webkit.org/267815.573@safari-7617.1.17.11-branch


  Commit: d6da46b03706f48a5aa18e061df8e567d9462f73
      https://github.com/WebKit/WebKit/commit/d6da46b03706f48a5aa18e061df8e567d9462f73
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/Structure.cpp

  Log Message:
  -----------
  Cherry-pick b0a755e34426. rdar://118548733

    Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
    https://bugs.webkit.org/show_bug.cgi?id=265067
    rdar://118548733

    Reviewed by Justin Michaud and Mark Lam.

    Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
    Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
    in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.

    This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
    And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.

    * Source/JavaScriptCore/runtime/Structure.cpp:
    (JSC::Structure::flattenDictionaryStructure):

    Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch

Canonical link: https://commits.webkit.org/267815.574@safari-7617.1.17.11-branch


  Commit: e505b925c5f31b58ac3e14a674d19c9fabb43955
      https://github.com/WebKit/WebKit/commit/e505b925c5f31b58ac3e14a674d19c9fabb43955
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml

  Log Message:
  -----------
  Revert b16d10297d26. rdar://118303187

Canonical link: https://commits.webkit.org/267815.575@safari-7617.1.17.11-branch


  Commit: 60ce9762e4d4ab37781d758854625a4c87838ec2
      https://github.com/WebKit/WebKit/commit/60ce9762e4d4ab37781d758854625a4c87838ec2
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.1.17.11.8

Canonical link: https://commits.webkit.org/267815.576@safari-7617.1.17.11-branch


  Commit: 2ba79a10eae67096bfc5050f768bdef18274c5d8
      https://github.com/WebKit/WebKit/commit/2ba79a10eae67096bfc5050f768bdef18274c5d8
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py

  Log Message:
  -----------
  Cherry-pick 270059 at main (219eb0bb7b43). rdar://116915892

    [AutoInstall] prefer wheels whenever possible (Follow-up fix)
    https://bugs.webkit.org/show_bug.cgi?id=263119
    rdar://116915892

    Reviewed by Elliott Williams and Sam Sneddon.

    Wheel installs of rapidfuzz aren't valid for all configurations, and
    it doesn't take long to install manually.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Opt out of wheel for rapidfuzz.

    Canonical link: https://commits.webkit.org/270059@main

    Canonical link: https://commits.webkit.org/267815.561@safari-7617-branch

Identifier: 267815.577 at safari-7617.1.17.11-branch


Compare: https://github.com/WebKit/WebKit/compare/63e8ce6b77a6%5E...2ba79a10eae6


More information about the webkit-changes mailing list