[webkit-changes] [WebKit/WebKit] 6094b6: Cherry-pick 64bcd93cbc55. <bug>
Russell Epstein
noreply at github.com
Wed Dec 13 12:11:22 PST 2023
Branch: refs/heads/webkitglib/2.42
Home: https://github.com/WebKit/WebKit
Commit: 6094b6c0b3c2a00d3d26d9ed1b4ba7f834f0a9a8
https://github.com/WebKit/WebKit/commit/6094b6c0b3c2a00d3d26d9ed1b4ba7f834f0a9a8
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h
Log Message:
-----------
Cherry-pick 64bcd93cbc55. <bug>
jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
https://bugs.webkit.org/show_bug.cgi?id=264180.
rdar://117463447.
Reviewed by Sihui Liu.
MemoryIndex now keeps a WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it. Also RefPtr conversion from WeakPtr using get() API as applicable.
* LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
* LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using.
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable.
(WebCore::IDBServer::MemoryIndex::objectStoreCleared):
(WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
(WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
(WebCore::IDBServer::MemoryIndex::getAllRecords const):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
(WebCore::IDBServer::MemoryIndex::objectStore):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object.
(WebCore::IDBServer::MemoryIndexCursor::currentData):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:
Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch
Identifier: 267815.546 at safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.149@webkitglib/2.42
Commit: f4cbd6103a089eb7886b4aec53aa788111adfeb8
https://github.com/WebKit/WebKit/commit/f4cbd6103a089eb7886b4aec53aa788111adfeb8
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/multicol/last-set-crash-expected.txt
A LayoutTests/fast/multicol/last-set-crash.html
M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
M Source/WebCore/rendering/RenderMultiColumnFlow.h
Log Message:
-----------
Cherry-pick f524a15d0633. https://bugs.webkit.org/show_bug.cgi?id=264327
WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://114559559
Reviewed by Alan Baradlay.
* LayoutTests/TestExpectations:
Skip test on debug due to some assertion failures.
* LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
* LayoutTests/fast/multicol/last-set-crash.html: Added.
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):
Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
Check for this.
* Source/WebCore/rendering/RenderMultiColumnFlow.h:
Also make it use WeakPtr.
Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch
Identifier: 267815.547 at safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.150@webkitglib/2.42
Commit: 257bccb2532b64ea1b40023299c29053f891188b
https://github.com/WebKit/WebKit/commit/257bccb2532b64ea1b40023299c29053f891188b
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
M Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
M Source/WebCore/loader/cache/CachedCSSStyleSheet.h
Log Message:
-----------
Cherry-pick 4c3430842100. https://bugs.webkit.org/show_bug.cgi?id=264979
Crash under PAL::newTextCodec(PAL::TextEncoding const&)
https://bugs.webkit.org/show_bug.cgi?id=264979
rdar://118267012
Reviewed by Brent Fulgham.
There is evidence for crashes in the wild that the CachedCSSStyleSheet or
the TextResourceDecoder are being used after getting freed. To prevent this,
protect both these objects in the code path identified by the crashes.
This is a speculative fix but it should be very safe.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didFinishLoading):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::finishLoading):
(WebCore::CachedCSSStyleSheet::protectedDecoder const):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.h:
Canonical link: https://commits.webkit.org/267815.575@safari-7617-branch
Identifier: 267815.574 at safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.151@webkitglib/2.42
Commit: 4f7b838e35687405c6ee4b8176347b52cc72323e
https://github.com/WebKit/WebKit/commit/4f7b838e35687405c6ee4b8176347b52cc72323e
Author: Scott Marcy <mscott at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/css/font-size-adjust-invalid-value-type-expected.txt
A LayoutTests/fast/css/font-size-adjust-invalid-value-type.html
M Source/WebCore/style/StyleBuilderConverter.h
Log Message:
-----------
Cherry-pick 267815.526 at safari-7617-branch (92043c608a1c). <bug>
rdar://115842409 (jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) &WTF::downcast(Source &) [Target = WebCore::CSSValuePair, Source = const WebCore::CSSValue] at StyleBuilderConverter.h:1632)
Checked for an unexpected CSS type for 'font-size-adjust' and returns a default value instead of crashing.
Reviewed by anttijk.
This prevents a crash on downcasting when an unexpected `CSSValue` subclass is provided.
Combined changes:
* LayoutTests/fast/css/font-size-adjust-invalid-value-type-expected.txt: Added.
* LayoutTests/fast/css/font-size-adjust-invalid-value-type.html: Added.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertFontSizeAdjust):
Canonical link: https://commits.webkit.org/267815.526@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.152@webkitglib/2.42
Commit: 096cb1a99a8077cf6491a660b3c88c78061eba6c
https://github.com/WebKit/WebKit/commit/096cb1a99a8077cf6491a660b3c88c78061eba6c
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp
M Source/WebCore/Modules/permissions/Permissions.cpp
M Source/WebCore/Modules/storage/WorkerStorageConnection.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletThread.h
M Source/WebCore/Modules/websockets/WebSocket.cpp
M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
M Source/WebCore/dom/BroadcastChannel.cpp
M Source/WebCore/dom/ScriptExecutionContext.cpp
M Source/WebCore/loader/WorkerThreadableLoader.cpp
M Source/WebCore/loader/WorkerThreadableLoader.h
M Source/WebCore/loader/cache/MemoryCache.cpp
M Source/WebCore/page/WorkerNavigator.cpp
M Source/WebCore/workers/WorkerGlobalScope.cpp
M Source/WebCore/workers/WorkerMessagingProxy.cpp
M Source/WebCore/workers/WorkerNotificationClient.cpp
M Source/WebCore/workers/WorkerOrWorkletThread.h
M Source/WebCore/workers/WorkerThread.cpp
M Source/WebCore/workers/WorkerThread.h
M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp
M Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp
Log Message:
-----------
Cherry-pick 267815.537 at safari-7617-branch (4cae7c8ab138). https://bugs.webkit.org/show_bug.cgi?id=264327
Crash under WebCore::createMainThreadConnection(WebCore::WorkerGlobalScope&)
https://bugs.webkit.org/show_bug.cgi?id=264222
rdar://117727810
Reviewed by Darin Adler.
We're crashing when calling `createCacheStorageConnection()` on the WorkerLoaderProxy which
we got from the WorkerThread. I believe the WorkerLoaderProxy reference returned by the
WorkerThread is stale, which is possible since it keeps C++ references to its proxies.
To address the issue, I updated WorkerThread to keep raw pointers to its proxies instead of
C++ references. I am also adding a clearProxies() function to clear those raw pointers once
the proxies get destroyed. Finally, I added null checks at proxy use sites now that we null
them out.
In the future, we should convert these raw pointers into CheckedPtrs.
* Source/WebCore/Modules/badge/WorkerBadgeProxy.h:
* Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp:
(WebCore::createMainThreadConnection):
* Source/WebCore/Modules/permissions/Permissions.cpp:
(WebCore::Permissions::query):
* Source/WebCore/Modules/storage/WorkerStorageConnection.cpp:
(WebCore::WorkerStorageConnection::getPersisted):
(WebCore::WorkerStorageConnection::getEstimate):
(WebCore::WorkerStorageConnection::fileSystemGetDirectory):
* Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::registerProcessor):
* Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp:
(WebCore::AudioWorkletMessagingProxy::~AudioWorkletMessagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp:
(WebCore::AudioWorkletThread::clearProxies):
(WebCore::AudioWorkletThread::workerLoaderProxy):
(WebCore::AudioWorkletThread::messagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.h:
(WebCore::AudioWorkletThread::messagingProxy): Deleted.
* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::Bridge):
(WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadInitialize):
* Source/WebCore/dom/BroadcastChannel.cpp:
(WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::postTaskToResponsibleDocument):
* Source/WebCore/loader/WorkerThreadableLoader.cpp:
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader):
* Source/WebCore/loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::removeRequestFromSessionCaches):
* Source/WebCore/page/WorkerNavigator.cpp:
(WebCore::WorkerNavigator::setAppBadge):
* Source/WebCore/workers/WorkerDebuggerProxy.h:
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::~WorkerGlobalScope):
(WebCore::WorkerGlobalScope::createRTCDataChannelRemoteHandlerConnection):
(WebCore::WorkerGlobalScope::close):
(WebCore::WorkerGlobalScope::logExceptionToConsole):
(WebCore::WorkerGlobalScope::wrapCryptoKey):
(WebCore::WorkerGlobalScope::unwrapCryptoKey):
(WebCore::WorkerGlobalScope::reportErrorToWorkerObject):
* Source/WebCore/workers/WorkerLoaderProxy.h:
* Source/WebCore/workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::~WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
* Source/WebCore/workers/WorkerNotificationClient.cpp:
(WebCore::WorkerNotificationClient::postToMainThread):
* Source/WebCore/workers/WorkerOrWorkletThread.h:
* Source/WebCore/workers/WorkerReportingProxy.h:
* Source/WebCore/workers/WorkerThread.cpp:
(WebCore::WorkerThread::workerBadgeProxy const):
(WebCore::WorkerThread::workerDebuggerProxy const):
(WebCore::WorkerThread::workerLoaderProxy):
(WebCore::WorkerThread::workerReportingProxy const):
(WebCore::WorkerThread::clearProxies):
* Source/WebCore/workers/WorkerThread.h:
(WebCore::WorkerThread::workerBadgeProxy const): Deleted.
(WebCore::WorkerThread::workerReportingProxy const): Deleted.
* Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp:
(WebCore::ServiceWorkerThreadProxy::~ServiceWorkerThreadProxy):
* Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp:
(WebCore::SharedWorkerThreadProxy::~SharedWorkerThreadProxy):
Canonical link: https://commits.webkit.org/267815.537@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.153@webkitglib/2.42
Commit: 438c6a95c2a744c268928d9d0bc7c287b5282f03
https://github.com/WebKit/WebKit/commit/438c6a95c2a744c268928d9d0bc7c287b5282f03
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/stress/re-enter-resolve-rope-string.js
M Source/JavaScriptCore/heap/Heap.h
M Source/JavaScriptCore/runtime/JSString.cpp
M Source/JavaScriptCore/runtime/JSStringInlines.h
Log Message:
-----------
Cherry-pick 267815.494 at safari-7617-branch (43754f3837df). https://bugs.webkit.org/show_bug.cgi?id=264016
[JSC] Fix reportExtraMemoryAllocated uses when resolving rope strings
https://bugs.webkit.org/show_bug.cgi?id=264016
rdar://117639567
Reviewed by Yusuke Suzuki.
Heap::reportExtraMemoryAllocated may trigger JSRopeString::resolveRope.
If this API needs to be used when resolving a rope string, then we should
make sure to call this API after the rope string is completely resolved.
* Source/JavaScriptCore/heap/Heap.h:
* Source/JavaScriptCore/runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomString const):
(JSC::JSRopeString::resolveRopeWithFunction const):
* Source/JavaScriptCore/runtime/JSStringInlines.h:
(JSC::jsAtomString):
Canonical link: https://commits.webkit.org/267815.494@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.154@webkitglib/2.42
Commit: fe115c9617a3e7a6efda73be56df8227ca6ccd81
https://github.com/WebKit/WebKit/commit/fe115c9617a3e7a6efda73be56df8227ca6ccd81
Author: BJ Burg <bburg at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/html/HTMLMediaElement.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSuspendAllMediaPlayback.mm
Log Message:
-----------
Cherry-pick 267815.495 at safari-7617-branch (64b3c403419f). rdar://116595009
Element fullscreen requests should be ignored while media is suspended.
rdar://116595009
Reviewed by Jer Noble.
It is undesirable to allow entering element fullscreen while media is suspended.
Check for this condition and bail out if needed.
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::enterFullscreen):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSuspendAllMediaPlayback.mm:
(TEST): Added test case.
Canonical link: https://commits.webkit.org/267815.495@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.155@webkitglib/2.42
Commit: 822396cfcbaf931e1641268488fb5db838a38874
https://github.com/WebKit/WebKit/commit/822396cfcbaf931e1641268488fb5db838a38874
Author: Erica Li <lerica at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt
A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html
A LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html
M Source/WebCore/css/CSSStyleSheet.cpp
M Source/WebCore/css/StyleSheetContents.cpp
M Source/WebCore/css/StyleSheetContents.h
Log Message:
-----------
Cherry-pick 267815.506 at safari-7617-branch (40098636b478). https://bugs.webkit.org/show_bug.cgi?id=263950
jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(position <= size()); in CSSStyleSheet::insertRule(...) CSSStyleSheet.cpp:365
https://bugs.webkit.org/show_bug.cgi?id=263950
rdar://117469266
Reviewed by Antti Koivisto and Darin Adler.
Based on the specification, we should return early and throw an InvalidStateError exception when attempting to delete an @namespace rule and the list contains anything other than @import or @namespace rules.
* LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
* LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html: Added.
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::deleteRule):
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::wrapperDeleteRule):
* Source/WebCore/css/StyleSheetContents.h:
Canonical link: https://commits.webkit.org/267815.506@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.156@webkitglib/2.42
Commit: 89e825a1a3816eea5888d2ed93021a1ce824338b
https://github.com/WebKit/WebKit/commit/89e825a1a3816eea5888d2ed93021a1ce824338b
Author: Matthieu Dubet <m_dubet at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/css/insertrule-namespace-after-layer-expected.txt
A LayoutTests/fast/css/insertrule-namespace-after-layer.html
M Source/WebCore/css/StyleSheetContents.cpp
Log Message:
-----------
Cherry-pick 267815.351 at safari-7617-branch (cf04124d9563). rdar://117071899
[CSS] Don't crash when trying to insert namespace rule after layer rule
rdar://117071899
Reviewed by Antti Koivisto.
By spec, a namespace rule can't be inserted after a layer rule.
https://drafts.csswg.org/css-namespaces/#syntax
* LayoutTests/fast/css/insertrule-namespace-after-layer-expected.txt: Added.
* LayoutTests/fast/css/insertrule-namespace-after-layer.html: Added.
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::wrapperInsertRule):
Canonical link: https://commits.webkit.org/267815.351@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.157@webkitglib/2.42
Commit: b2c3e847699cdb662778d557fcea5130ba700997
https://github.com/WebKit/WebKit/commit/b2c3e847699cdb662778d557fcea5130ba700997
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/stress/double-inlined-call-argument.js
A JSTests/stress/regress-116397731.js
M Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp
Log Message:
-----------
Cherry-pick 267815.352 at safari-7617-branch (11987a2c00bf). https://bugs.webkit.org/show_bug.cgi?id=263090
[JSC] DFG might force a local to be double even if we store non-numeric values into it
https://bugs.webkit.org/show_bug.cgi?id=263090
<rdar://116397731>
Reviewed by Keith Miller.
This change fixes tallyVotesForShouldUseDoubleFormat() to set NotUsingDoubleFormat if the variable
is no longer predicted to hold only doubles.
* JSTests/stress/double-inlined-call-argument.js: Added.
* JSTests/stress/regress-116397731.js: Added.
* Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp:
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
Canonical link: https://commits.webkit.org/267815.352@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.158@webkitglib/2.42
Commit: d29dc914ce786b79336123e043629884713f07a0
https://github.com/WebKit/WebKit/commit/d29dc914ce786b79336123e043629884713f07a0
Author: David Degazio <d_degazio at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/stress/ClassInfo-across-structure-transition.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick 267815.353 at safari-7617-branch (20234c667f25). https://bugs.webkit.org/show_bug.cgi?id=263356
Load compact ClassInfo from structure correctly in FTL
https://bugs.webkit.org/show_bug.cgi?id=263356
rdar://115494572
Reviewed by Mark Lam.
Currently, FTL assumes loading the m_classInfo from a structure is a
loadPtr on all platforms - this is not the case, since ClassInfo is
represented as a 32-bit CompactPtr<ClassInfo> on platforms with 36-bit
addresses. As a result, when loading the ClassInfo in some FTL nodes, it
results in a junk value with the lower bits being the unshifted ClassInfo
address, and the upper bits being taken erroneously from
m_transitionPropertyName. This patch introduces a new loadCompactPtr()
helper to FTLLowerDFGToB3 that correctly loads and shifts compact pointer
fields, which in current FTL is just Structure.m_classInfo.
* JSTests/stress/ClassInfo-across-structure-transition.js: Added.
(calling):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/267815.353@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.159@webkitglib/2.42
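The commit above describes a 32-bit compact pointer field being read with a full-width pointer load. The following is an added illustration, not JSC code: the struct layout, the 4-bit shift (16-byte aligned targets in a 36-bit address space) and the addresses are constructed for the example, and the field names only stand in for Structure::m_classInfo and m_transitionPropertyName.

```cpp
// Added illustration, not JSC code: why a 32-bit CompactPtr field must be loaded with a
// 32-bit load and shifted back, rather than read with a 64-bit loadPtr.
#include <cstdint>
#include <cstring>

// Assumption: targets are 16-byte aligned, so a 36-bit address fits in 32 bits after >> 4.
constexpr unsigned kCompactPtrShift = 4;

// Constructed layout: a compact pointer followed by an unrelated 32-bit field, the
// situation the commit message describes for m_classInfo / m_transitionPropertyName.
struct CompactStructure {
    uint32_t compactClassInfo;        // stands in for Structure::m_classInfo (CompactPtr<ClassInfo>)
    uint32_t transitionPropertyName;  // the neighbouring field that leaks into a 64-bit read
};
static_assert(sizeof(CompactStructure) == sizeof(uint64_t), "layout is exactly one pointer wide");

uint32_t encodeCompactPtr(uint64_t address)
{
    return static_cast<uint32_t>(address >> kCompactPtrShift);
}

// Correct decode: narrow load, widen, shift back (the role of the commit's loadCompactPtr()).
uint64_t loadCompactPtr(const CompactStructure& s)
{
    return static_cast<uint64_t>(s.compactClassInfo) << kCompactPtrShift;
}

// The bug: reading the field as a full pointer. On a little-endian machine the low 32 bits
// are the unshifted compact value and the high 32 bits are transitionPropertyName, which is
// exactly the junk value the commit message describes.
uint64_t loadPtrNaive(const CompactStructure& s)
{
    uint64_t v;
    std::memcpy(&v, &s, sizeof v);
    return v;
}

// Returns true only when the naive load happens to agree with the correct decode.
bool naiveLoadMatches(uint64_t classInfoAddress, uint32_t neighbour)
{
    CompactStructure s { encodeCompactPtr(classInfoAddress), neighbour };
    return loadPtrNaive(s) == loadCompactPtr(s);
}
```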
Commit: a939442717bd849ddf6db1fd0c30b12a6cce29d9
https://github.com/WebKit/WebKit/commit/a939442717bd849ddf6db1fd0c30b12a6cce29d9
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt
A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html
M Source/WebCore/html/HTMLPlugInImageElement.cpp
Log Message:
-----------
Cherry-pick 267815.354 at safari-7617-branch (c34793cc5793). https://bugs.webkit.org/show_bug.cgi?id=263204
Assertion hit under Document::dispatchPagehideEvent()
https://bugs.webkit.org/show_bug.cgi?id=263204
rdar://116715579
Reviewed by Ryosuke Niwa.
Delay the load if we're not allowed to run script right now. Scheduling a load will
cancel / stop any pending load, which may cause events to be fired and script to run.
The synchronous code path is kept when we're allowed to run script to avoid breaking
tests such as:
- imported/w3c/web-platform-tests/css/css-writing-modes/abs-pos-non-replaced-icb-vlr-*.xht
- imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/sandbox_004.htm
- imported/blink/svg/dom/viewspec-*.html
- fast/css/acid2.html
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt: Added.
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):
Canonical link: https://commits.webkit.org/267815.354@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.160@webkitglib/2.42
Commit: c3ca39cb1c6b232e58a26118dc3f0f5ee1be720d
https://github.com/WebKit/WebKit/commit/c3ca39cb1c6b232e58a26118dc3f0f5ee1be720d
Author: Keith Miller <keith_miller at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/stress/array-iterator-to-this.js
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp
Log Message:
-----------
Cherry-pick 267815.357 at safari-7617-branch (ae764a813e03). https://bugs.webkit.org/show_bug.cgi?id=263408
Array iterator creation intrinsics need ToThis
https://bugs.webkit.org/show_bug.cgi?id=263408
rdar://113898245
Reviewed by Yusuke Suzuki.
Currently, we don't ToThis the 'this' value when we intrinsicify
the various Array iterator creation functions, which we should.
This patch also changes `clobbersExitState` to say exit state
is not clobbered if a node only writes to `HeapObjectCount`.
Our previous behavior was overly conservative, which caused
assertion failures as the `ToObject` following the `ToThis`
would get converted to a `Check(Object)` when exit was invalid.
* JSTests/stress/array-iterator-to-this.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
Canonical link: https://commits.webkit.org/267815.357@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.161@webkitglib/2.42
Commit: 53cf2a653d4c7697ed51a628fc06d01056217cd3
https://github.com/WebKit/WebKit/commit/53cf2a653d4c7697ed51a628fc06d01056217cd3
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WTF/wtf/Ref.h
M Source/WTF/wtf/RefPtr.h
M Source/WTF/wtf/TypeCasts.h
M Source/WebCore/html/shadow/DateTimeEditElement.cpp
M Source/WebCore/html/shadow/DateTimeFieldElement.cpp
M Source/WebCore/html/shadow/DetailsMarkerControl.cpp
M Source/WebCore/html/shadow/ProgressShadowElement.cpp
M Source/WebCore/html/shadow/SliderThumbElement.cpp
M Source/WebCore/html/shadow/TextControlInnerElements.cpp
Log Message:
-----------
Cherry-pick 267815.359 at safari-7617-branch (1f4ca4f6b608). https://bugs.webkit.org/show_bug.cgi?id=264327
[Hardening] Introduce checkedDowncast<>() and use it in a few places where the type is not obvious
https://bugs.webkit.org/show_bug.cgi?id=263463
rdar://117247122
Reviewed by Darin Adler and Ryosuke Niwa.
Introduce checkedDowncast<>() and use it in a few places where the type is not
obvious (no earlier is<>() check).
checkedDowncast<>() is just like downcast<>() but its internal type check is a
RELEASE_ASSERT() instead of a debug ASSERT().
In the future, we may want to promote using either dynamicDowncast<>() or
checkedDowncast<>() and maybe phasing out downcast<>() (in which case we could
rename checkedDowncast<>() to downcast()).
* Source/WTF/wtf/Ref.h:
(WTF::checkedDowncast):
* Source/WTF/wtf/RefPtr.h:
(WTF::checkedDowncast):
* Source/WTF/wtf/TypeCasts.h:
(WTF::checkedDowncast):
* Source/WebCore/html/shadow/DateTimeEditElement.cpp:
(WebCore::DateTimeEditElement::fieldsWrapperElement const):
* Source/WebCore/html/shadow/DateTimeFieldElement.cpp:
(WebCore::DateTimeFieldElement::updateVisibleValue):
* Source/WebCore/html/shadow/DetailsMarkerControl.cpp:
(WebCore::DetailsMarkerControl::rendererIsNeeded):
* Source/WebCore/html/shadow/ProgressShadowElement.cpp:
(WebCore::ProgressShadowElement::progressElement const):
* Source/WebCore/html/shadow/SliderThumbElement.cpp:
(WebCore::RenderSliderContainer::computeLogicalHeight const):
(WebCore::RenderSliderContainer::layout):
(WebCore::SliderThumbElement::hostInput const):
* Source/WebCore/html/shadow/TextControlInnerElements.cpp:
(WebCore::isStrongPasswordTextField):
(WebCore::TextControlInnerTextElement::renderer const):
(WebCore::TextControlInnerTextElement::resolveCustomStyle):
(WebCore::TextControlPlaceholderElement::resolveCustomStyle):
(WebCore::SearchFieldResultsButtonElement::defaultEventHandler):
(WebCore::SearchFieldCancelButtonElement::resolveCustomStyle):
(WebCore::SearchFieldCancelButtonElement::defaultEventHandler):
(WebCore::SearchFieldCancelButtonElement::willRespondToMouseClickEventsWithEditability const):
Canonical link: https://commits.webkit.org/267815.359@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.162@webkitglib/2.42
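The distinction the commit above draws, as an added illustration rather than WTF's own TypeCasts.h: a minimal is<>()/downcast<>()/checkedDowncast<>() trio over a constructed Node hierarchy, where downcast<>() checks the type only in debug builds and checkedDowncast<>() keeps the check in release builds. The Node, Element and Text types and the TypeCastTraits specializations are assumptions made for the example.

```cpp
// Added illustration, not WTF code: downcast<> vs checkedDowncast<> vs dynamicDowncast<>.
#include <cassert>
#include <cstdlib>

enum class NodeKind { Element, Text };

struct Node {
    explicit Node(NodeKind kind) : m_kind(kind) { }
    virtual ~Node() = default;
    NodeKind kind() const { return m_kind; }
private:
    NodeKind m_kind;
};

struct Element : Node { Element() : Node(NodeKind::Element) { } int attributeCount = 3; };
struct Text : Node { Text() : Node(NodeKind::Text) { } int length = 5; };

// Analogue of WTF's TypeCastTraits: each target type says which nodes it accepts.
template<typename Target> struct TypeCastTraits;
template<> struct TypeCastTraits<Element> { static bool isOfType(const Node& n) { return n.kind() == NodeKind::Element; } };
template<> struct TypeCastTraits<Text> { static bool isOfType(const Node& n) { return n.kind() == NodeKind::Text; } };

template<typename Target> bool is(const Node& source) { return TypeCastTraits<Target>::isOfType(source); }

// A release assertion terminates the process on mismatch even when NDEBUG is defined.
[[noreturn]] inline void releaseAssertionFailed() { std::abort(); }
#define RELEASE_ASSERT(cond) do { if (!(cond)) releaseAssertionFailed(); } while (0)

// downcast<>: the check compiles away in release builds, so a wrong cast silently yields
// a mistyped reference and any later field access reads the wrong memory.
template<typename Target> Target& downcast(Node& source)
{
    assert(is<Target>(source));
    return static_cast<Target&>(source);
}

// checkedDowncast<>: same cast, but the type check survives in release builds, turning a
// potential type confusion into a deterministic crash.
template<typename Target> Target& checkedDowncast(Node& source)
{
    RELEASE_ASSERT(is<Target>(source));
    return static_cast<Target&>(source);
}

// dynamicDowncast<>: nullptr instead of crashing, for call sites that can handle a mismatch.
template<typename Target> Target* dynamicDowncast(Node& source)
{
    return is<Target>(source) ? static_cast<Target*>(&source) : nullptr;
}

// A call site with no earlier is<>() check, the situation the commit hardens.
int elementAttributeCount(Node& node) { return checkedDowncast<Element>(node).attributeCount; }

bool elementCastSucceeds()
{
    Element e;
    return elementAttributeCount(e) == 3;
}

bool textIsRejectedSafely()
{
    Text t;
    return !is<Element>(t) && dynamicDowncast<Element>(t) == nullptr && dynamicDowncast<Text>(t)->length == 5;
}
```

Calling elementAttributeCount() with a Text node aborts via the release assertion in every build configuration, which is the behaviour the commit chooses for call sites where the type is not obvious.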
Commit: bd2159f999b3eef57cae44dfb9fd084dca1c58f0
https://github.com/WebKit/WebKit/commit/bd2159f999b3eef57cae44dfb9fd084dca1c58f0
Author: Ryan Haddad <ryanhaddad at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WTF/wtf/PlatformHave.h
Log Message:
-----------
Cherry-pick 267815.395 at safari-7617-branch (975762e3dd0f). https://bugs.webkit.org/show_bug.cgi?id=264327
Add definition for HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION
rdar://117378587
Rubber-stamped by Wenson Hsieh.
The fix in webkit.org/b/263266 to "Suppress excessive logging due to calling into
`-[UITextInteractionAssistant selectionView]` in API tests" does not work on the
safari-7617-branch because we lack the definition for HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION.
* Source/WTF/wtf/PlatformHave.h:
Canonical link: https://commits.webkit.org/267815.395@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.163@webkitglib/2.42
Commit: fe28561a92b5fe197ecdfcc09e2b005eaa3efd00
https://github.com/WebKit/WebKit/commit/fe28561a92b5fe197ecdfcc09e2b005eaa3efd00
Author: Erica Li <lerica at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt
A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html
M Source/WebCore/bindings/js/InternalWritableStream.cpp
M Tools/DumpRenderTree/mac/DumpRenderTree.mm
Log Message:
-----------
Cherry-pick 267815.398 at safari-7617-branch (f11c81a103a8). https://bugs.webkit.org/show_bug.cgi?id=262865
jsc_fuz/wktr: null ptr deref in WebCore::invokeWritableStreamFunction(...) (InternalWritableStream.cpp:49)
https://bugs.webkit.org/show_bug.cgi?id=262865
rdar://116465595
Reviewed by Mark Lam.
Return early when worker is terminated while trying to get function from globalObject.
Set useDollarVM in test option initialization for cases when useDollarVM will be reset before injectInternalsObject is called in DRT.
* LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt: Added.
* LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html: Added.
* Source/WebCore/bindings/js/InternalWritableStream.cpp:
(WebCore::invokeWritableStreamFunction):
* Tools/DumpRenderTree/mac/DumpRenderTree.mm:
(testOptionsForTest):
Canonical link: https://commits.webkit.org/267815.398@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.164@webkitglib/2.42
Commit: 2577bb4e4338a256cf165d6ed93e03be10eae9c1
https://github.com/WebKit/WebKit/commit/2577bb4e4338a256cf165d6ed93e03be10eae9c1
Author: Antti Koivisto <antti at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-005-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-006-expected.txt
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Element.cpp
Log Message:
-----------
Cherry-pick 267786 at main (514d0acadd36). https://bugs.webkit.org/show_bug.cgi?id=253936
canvas-as-container-005.html & canvas-as-container-006.html fail
https://bugs.webkit.org/show_bug.cgi?id=253936
rdar://106739131
Reviewed by Alan Baradlay.
When resolving computed style in a non-rendered subtree we fail to take container queries into account.
* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-005-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-006-expected.txt:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::styleForElementIgnoringPendingStylesheets):
Take care to have updated document style if it is not clean and we are resolving the root element.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
- Ensure the style scope is flushed so stylesheet data is current.
- Don't bail out when encountering display:none subtree, the ancestors may still affect its style.
- Fall back to a full style update if we encounter a query container with invalid style in the ancestor chain.
Canonical link: https://commits.webkit.org/267786@main
Canonical link: https://commits.webkit.org/266719.165@webkitglib/2.42
Commit: 09edd3d273d8dc93c82b3e72349f5f1fe4692461
https://github.com/WebKit/WebKit/commit/09edd3d273d8dc93c82b3e72349f5f1fe4692461
Author: Antti Koivisto <antti at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/css/container-style-editability-crash-expected.txt
A LayoutTests/fast/css/container-style-editability-crash.html
M LayoutTests/platform/ios-wk2/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/Element.h
Log Message:
-----------
Cherry-pick 267815.436 at safari-7617-branch (699e9669a530). https://bugs.webkit.org/show_bug.cgi?id=263522
REGRESSION(267786 at main): Crash under RenderBlock::isSelectionRoot() with query container
https://bugs.webkit.org/show_bug.cgi?id=263522
rdar://115777188
Reviewed by Alan Baradlay.
* LayoutTests/fast/css/container-style-editability-crash-expected.txt: Added.
* LayoutTests/fast/css/container-style-editability-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
(WebCore::Element::computedStyleForEditability):
Avoid triggering style resolution when computing editability.
* Source/WebCore/dom/Element.h:
Canonical link: https://commits.webkit.org/267815.436@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.166@webkitglib/2.42
Commit: 9075aaae5674dbf96a57dd63742261407859fca2
https://github.com/WebKit/WebKit/commit/9075aaae5674dbf96a57dd63742261407859fca2
Author: nishajain61 <nisha_jain at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt
A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html
M Source/WTF/wtf/URLParser.cpp
Log Message:
-----------
Cherry-pick 267815.437 at safari-7617-branch (e5674422c86e). https://bugs.webkit.org/show_bug.cgi?id=263682
[cf9aab29ad0894e2] heap-use-after-free | WTF::URLParser::parse; WTF::URLParser::URLParser; WTF::URL::URL
https://bugs.webkit.org/show_bug.cgi?id=263682
rdar://116995567.
Reviewed by David Kilzer and Chris Dumez.
Modified WTF::URLParser::parse API so there is no invalid pointer reference to 'm_asciiBuffer' by 'StringView' after reallocation which results in invalid 'urlScheme'.
* LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt: Added user expected test result.
* LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html: Added test case which causes reallocation of buffer.
* Source/WTF/wtf/URLParser.cpp: Modified below API
(WTF::URLParser::parse): Modified order of function calls so no invalid reference to buffer is made after reallocation resulting in invalid 'urlScheme'.
Canonical link: https://commits.webkit.org/267815.437@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.167@webkitglib/2.42
Commit: 0cd7221a47f5c5c21517c2a380fa6b271828bc14
https://github.com/WebKit/WebKit/commit/0cd7221a47f5c5c21517c2a380fa6b271828bc14
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/stress/int52rep-multiplication-with-overflow.js
M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick 267815.438 at safari-7617-branch (20a302272ec6). https://bugs.webkit.org/show_bug.cgi?id=263707
Int52Rep speculationCheck failed in DFG optimizations for the ArithMul operation.
https://bugs.webkit.org/show_bug.cgi?id=263707
rdar://117415514
Reviewed by Keith Miller.
The DFG ArithMul Int52Rep speculationCheck was using the binary form of the branchMul64
emitter to check for overflow of the multiplication. The ARM64 version of this binary
form branchMul64 has a bug: it's re-using one of the src registers as the dest register.
The underlying ARM64 implementation of branchMul64 needs to execute 2 instructions:
mul and smulh. Both of these instructions need to operate on the 2 source operands of
the multiplication. By making the dest register same as the src1 register, the mul
instruction which comes first and computes dest, would trash src1. Subsequently, smulh
is computed with a corrupted src1 value.
The fix is simple:
1. Change the DFG ArithMul to use the ternary form of branchMul64. It will just do the
right thing, and in fact, eliminates an unnecessary move instruction on ARM64.
2. Remove the ARM64 binary form of branchMul64. It is now no longer used.
3. For robustness, change the ternary form of branchMul64 to also be resilient against
the scenario where dest equals either src1 or src2. This is achieved by computing
smulh first, which stores its result into a scratch register. Only after that, do
we compute mul, which is now free to set dest and potentially overwrite src1 or src2.
* JSTests/stress/int52rep-multiplication-with-overflow.js: Added.
(foo):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchMul64):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
Canonical link: https://commits.webkit.org/267815.438@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.168@webkitglib/2.42
Commit: 04d78254390dd5a1aac265a3f0d915cd80081745
https://github.com/WebKit/WebKit/commit/04d78254390dd5a1aac265a3f0d915cd80081745
Author: Abigail Fox <abigail_fox at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/UIProcess/WebProcessPool.cpp
Log Message:
-----------
Cherry-pick 267815.439 at safari-7617-branch (33927ceba2d6). https://bugs.webkit.org/show_bug.cgi?id=258161
Added allowsFirstPartyForCookies check
https://bugs.webkit.org/show_bug.cgi?id=258161
rdar://106997645
Reviewed by Alex Christensen.
Added a message check to validate that the process is allowed to add first
parties for cookies before allowing a call to addAllowedFirstPartyForCookies.
Adding this message check exposed a scenario where a service worker web
process could be spawned in a bad state without any allowed first parties.
An addAllowedFirstPartyForCookies call was added to prevent this bad state.
This error was caught by http/tests/cookies/same-site/fetch-in-cross-origin-service-worker.html
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):
Canonical link: https://commits.webkit.org/267815.439@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.169@webkitglib/2.42
Commit: c11fb1e8ef5df9fb422984b7eeab2c5e93d32238
https://github.com/WebKit/WebKit/commit/c11fb1e8ef5df9fb422984b7eeab2c5e93d32238
Author: Aditya Keerthi <akeerthi at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/PAL/pal/spi/cocoa/FoundationSPI.h
M Source/WebCore/PAL/pal/spi/mac/NSPasteboardSPI.h
M Source/WebCore/platform/Pasteboard.cpp
M Source/WebCore/platform/Pasteboard.h
M Source/WebCore/platform/PlatformPasteboard.h
M Source/WebCore/platform/ios/PlatformPasteboardIOS.mm
M Source/WebCore/platform/mac/PasteboardMac.mm
M Source/WebCore/platform/mac/PlatformPasteboardMac.mm
M Source/WebKit/Scripts/webkit/messages.py
M Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
M Source/WebKit/UIProcess/WebPasteboardProxy.h
M Source/WebKit/UIProcess/WebPasteboardProxy.messages.in
M Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp
M Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm
M Tools/WebKitTestRunner/mac/WebKitTestRunnerPasteboard.mm
Log Message:
-----------
Cherry-pick 267815.441 at safari-7617-branch (d4645ae84721). https://bugs.webkit.org/show_bug.cgi?id=263622
[CoreIPC] The pasteboard may perform image conversion in UIProcess
https://bugs.webkit.org/show_bug.cgi?id=263622
rdar://98996437
Reviewed by Wenson Hsieh.
When reading data from the pasteboard, image conversion may be performed
when using `NSTIFFPboardType` as the requested type. This is a system feature,
where a PNG can be written to the pasteboard, and a TIFF can be read out.
However, this is undesirable from a WebKit perspective, as it allows for
arbitrary image conversion across the process boundary.
Fix by ensuring that the UI process always returns the original data, and
perform the image conversion in the Web process.
* Source/WebCore/PAL/pal/spi/cocoa/FoundationSPI.h:
* Source/WebCore/PAL/pal/spi/mac/NSPasteboardSPI.h:
Declare an internal `NSPasteboard` method to obtain the unconverted data.
* Source/WebCore/platform/Pasteboard.cpp:
* Source/WebCore/platform/Pasteboard.h:
(WebCore::Pasteboard::bufferConvertedToPasteboardType):
* Source/WebCore/platform/PlatformPasteboard.h:
* Source/WebCore/platform/ios/PlatformPasteboardIOS.mm:
(WebCore::PlatformPasteboard::bufferForType const):
* Source/WebCore/platform/mac/PasteboardMac.mm:
(WebCore::Pasteboard::bufferConvertedToPasteboardType):
Perform the conversion to TIFF using CoreGraphics in the Web process.
* Source/WebCore/platform/mac/PlatformPasteboardMac.mm:
(WebCore::PlatformPasteboard::bufferForType const):
When requesting `NSTIFFPboardType`, and an image source is available on the
pasteboard, return the original data and the original type, rather than
performing image conversion.
(WebCore::PlatformPasteboard::readBuffer const):
* Source/WebKit/Scripts/webkit/messages.py:
(headers_for_type):
* Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
(WebKit::WebPasteboardProxy::getPasteboardBufferForType):
* Source/WebKit/UIProcess/WebPasteboardProxy.h:
* Source/WebKit/UIProcess/WebPasteboardProxy.messages.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
(WebKit::WebPlatformStrategies::bufferForType):
* Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm:
(WebPlatformStrategies::bufferForType):
* Tools/WebKitTestRunner/mac/WebKitTestRunnerPasteboard.mm:
(-[LocalPasteboard _dataWithoutConversionForType:securityScoped:]):
Override `_dataWithoutConversionForType:securityScoped:` since the custom
subclass used for testing does not account for pasteboard generation and
simply overrides `dataForType:`.
Without this implementation, the change would result in a call to the base
class and crash in `CFPasteboardGetGenerationCount`.
Canonical link: https://commits.webkit.org/267815.441@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.170@webkitglib/2.42
Commit: f44dbee955b52c4787e2352845a5e5f0d6c7b509
https://github.com/WebKit/WebKit/commit/f44dbee955b52c4787e2352845a5e5f0d6c7b509
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_svc_layercontext.c
Log Message:
-----------
Cherry-pick 267815.443 at safari-7617-branch (0528644ffe6b). rdar://117146735
Potential 'overflow' issue committed to upstream libvpx as e4db6c3aacb3fbcbb939f132915234988f8617c1
rdar://117146735
Reviewed by Eric Carlson.
We cherry-pick the changes of https://github.com/webmproject/libvpx/commit/e4db6c3aacb3fbcbb939f132915234988f8617c1,
except for the test part which does not apply cleanly.
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c:
(vp9_rc_update_framerate):
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_svc_layercontext.c:
(vp9_update_layer_context_change_config):
(vp9_update_temporal_layer_framerate):
(vp9_update_spatial_layer_framerate):
Canonical link: https://commits.webkit.org/267815.443@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.171@webkitglib/2.42
Commit: 7ddf412f70c899f9a70549d64bb0536ea2b003e2
https://github.com/WebKit/WebKit/commit/7ddf412f70c899f9a70549d64bb0536ea2b003e2
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt
A LayoutTests/webrtc/processIceTransportStateChange-gc.html
M Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp
M Source/WebCore/Modules/mediastream/RTCIceTransport.cpp
M Source/WebCore/Modules/mediastream/RTCIceTransport.h
Log Message:
-----------
Cherry-pick 267815.446 at safari-7617-branch (8be2b8b167a1). rdar://117526483
Use-after-free in RTCPeerConnection::processIceTransportStateChange
rdar://117526483
Reviewed by Jean-Yves Avenard.
RTCIceTransport is calling RTCPeerConnection::processIceTransportStateChange without protecting its RTCPeerConnection.
processIceTransportStateChange can trigger JS execution so we need to protect the RTCPeerConnection.
Make RTCIceTransport do so, and update RTCIceTransport connection getter to return a RefPtr instead of a raw pointer.
* LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt: Added.
* LayoutTests/webrtc/processIceTransportStateChange-gc.html: Added.
* Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp:
(WebCore::RTCDtlsTransport::onStateChanged):
* Source/WebCore/Modules/mediastream/RTCIceTransport.cpp:
(WebCore::RTCIceTransport::onStateChanged):
* Source/WebCore/Modules/mediastream/RTCIceTransport.h:
(WebCore::RTCIceTransport::connection const):
Canonical link: https://commits.webkit.org/267815.446@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.172@webkitglib/2.42
Commit: ac8dad388db6575c658c39bd3485220dc3e2d037
https://github.com/WebKit/WebKit/commit/ac8dad388db6575c658c39bd3485220dc3e2d037
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt
A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 267815.459 at safari-7617-branch (ce6d953127cf). https://bugs.webkit.org/show_bug.cgi?id=263794
The deserializer should fail properly if it cannot materialize ArrayBufferViews.
https://bugs.webkit.org/show_bug.cgi?id=263794
rdar://117572216
Reviewed by Sihui Liu and Keith Miller.
* LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt: Added.
* LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html: Added.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readArrayBufferViewImpl):
Canonical link: https://commits.webkit.org/267815.459@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.173@webkitglib/2.42
Commit: 40a5e9743276f1a08f123ea7b8770049c81e8fe3
https://github.com/WebKit/WebKit/commit/40a5e9743276f1a08f123ea7b8770049c81e8fe3
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm
Log Message:
-----------
Cherry-pick 267815.468 at safari-7617-branch (4fce5d70c3d6). rdar://117556782
AX: Nullptr deref of AXObjectCache in AccessibilityObject::contentForRange
rdar://117556782
Reviewed by Chris Fleizach.
* Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm:
(WebCore::AccessibilityObject::contentForRange const):
Null-check AXObjectCache before using it to prevent a rare crash.
Canonical link: https://commits.webkit.org/267815.468@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.174@webkitglib/2.42
Commit: db46056004ae04cf73577c49890a7d3c195bff7b
https://github.com/WebKit/WebKit/commit/db46056004ae04cf73577c49890a7d3c195bff7b
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
Cherry-pick 267815.479 at safari-7617-branch (bb2e66a677f1). rdar://117640053
AccessibilityNodeObject::determineAccessibilityRoleFromNode needs to null-check node before using it
rdar://117640053
Reviewed by Chris Fleizach and Ryosuke Niwa.
It's possible for AccessibilityNodeObject::m_node (which is a WeakPtr)
to get destroyed in the middle of determineAccessibilityRoleFromNode,
meaning subsequent node()->foo accesses will cause a nullptr deref.
Use a RefPtr to keep the node alive until the end of this function, so
that after we null-check it once we know it's valid until we exit.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::determineAccessibilityRoleFromNode const):
Canonical link: https://commits.webkit.org/267815.479@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.175@webkitglib/2.42
Commit: 03ed5c15b877b82fce5a3457c55c71a27d43377c
https://github.com/WebKit/WebKit/commit/03ed5c15b877b82fce5a3457c55c71a27d43377c
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document-expected.txt
A LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document.html
A LayoutTests/http/tests/security/resources/popup-watchid.html
Log Message:
-----------
Cherry-pick 267815.490 at safari-7617-branch (837e69390e41). https://bugs.webkit.org/show_bug.cgi?id=263277
Add test for Geolocation WatchID
https://bugs.webkit.org/show_bug.cgi?id=263277
rdar://8731258
Reviewed by David Kilzer.
Add a test that confirms the Geolocation WatchID is unique per document.
* LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document-expected.txt: Added.
* LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document.html: Added.
* LayoutTests/http/tests/security/resources/popup-watchid.html: Added.
Canonical link: https://commits.webkit.org/267815.490@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.176@webkitglib/2.42
Commit: 26d33963becb513d830c2540d4ea8322eb35a3bf
https://github.com/WebKit/WebKit/commit/26d33963becb513d830c2540d4ea8322eb35a3bf
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp
Log Message:
-----------
Cherry-pick 267815.314 at safari-7617-branch (80d2fe008437). https://bugs.webkit.org/show_bug.cgi?id=263254
Fix bad capture by reference in CDMInstanceSessionClearKey::loadSession()
https://bugs.webkit.org/show_bug.cgi?id=263254
rdar://117061886
Reviewed by Brent Fulgham.
Fix bad capture by reference in an asynchronous callback in CDMInstanceSessionClearKey::loadSession().
* Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp:
(WebCore::CDMInstanceSessionClearKey::loadSession):
Canonical link: https://commits.webkit.org/267815.314@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.177@webkitglib/2.42
Commit: af483cdbdc8ee9644a91b79678aadd6808db16e4
https://github.com/WebKit/WebKit/commit/af483cdbdc8ee9644a91b79678aadd6808db16e4
Author: Andy Estes <aestes at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt
A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html
M Source/WebCore/dom/FullscreenManager.cpp
Log Message:
-----------
Cherry-pick 267815.332 at safari-7617-branch (dc44d44d42fd). https://bugs.webkit.org/show_bug.cgi?id=263140
Use-after-free in FullscreenManager::requestFullscreenForElement
https://bugs.webkit.org/show_bug.cgi?id=263140
rdar://116736343
Reviewed by Chris Dumez.
Calling DeferredPromise::reject from the failedPreflights lambda in
FullscreenManager::requestFullscreenForElement may cause the Document that owns the
FullscreenManager to be deallocated, resulting in a use-after-free when the document is accessed
again after rejecting the promise. Resolved this by keeping a Ref to m_document for the lifetime of
the failedPreflights lambda.
Added a layout test.
* LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt: Added.
* LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html: Added.
* Source/WebCore/dom/FullscreenManager.cpp:
(WebCore::FullscreenManager::requestFullscreenForElement):
Canonical link: https://commits.webkit.org/267815.332@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.178@webkitglib/2.42
Commit: a909b207e0dd795c67fe674b244d90a3f5484f7f
https://github.com/WebKit/WebKit/commit/a909b207e0dd795c67fe674b244d90a3f5484f7f
Author: Alan Baradlay <zalan at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/text/zero-height-first-line-assert-expected.txt
A LayoutTests/fast/text/zero-height-first-line-assert.html
M Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp
M Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContentBuilder.cpp
Log Message:
-----------
Cherry-pick 267815.333 at safari-7617-branch (c1a2b21f2532). https://bugs.webkit.org/show_bug.cgi?id=263222
[IFC] Demote partial invalidation to full damage when computed damage extent is inconsistent
https://bugs.webkit.org/show_bug.cgi?id=263222
<rdar://117017324>
Reviewed by Antti Koivisto.
Fall back to full layout when we computed inconsistent damage extent.
(It could happen when previous layouts produced corrupt line content e.g. line with no boxes other than the root inline box).
* LayoutTests/fast/text/zero-height-first-line-assert-expected.txt: Added.
* LayoutTests/fast/text/zero-height-first-line-assert.html: Added.
* Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp:
(WebCore::Layout::leadingContentDisplayForLineIndex):
(WebCore::Layout::InlineInvalidation::updateInlineDamage):
* Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContentBuilder.cpp:
(WebCore::LayoutIntegration::InlineContentBuilder::build const):
Canonical link: https://commits.webkit.org/267815.333@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.179@webkitglib/2.42
Commit: b2414972d8326b7d4a8b84bcf0ee1ffaacceab96
https://github.com/WebKit/WebKit/commit/b2414972d8326b7d4a8b84bcf0ee1ffaacceab96
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/stress/arrow-function-captured-arguments-aliased.js
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
M Source/JavaScriptCore/runtime/GetPutInfo.h
M Source/JavaScriptCore/runtime/ScopedArguments.h
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
M Source/JavaScriptCore/runtime/SymbolTable.cpp
M Source/JavaScriptCore/runtime/SymbolTable.h
Log Message:
-----------
Cherry-pick 267815.345 at safari-7617-branch (99b8814b73d1). https://bugs.webkit.org/show_bug.cgi?id=261934
Scoped Arguments needs to alias between named and unnamed accesses and across nested scopes
https://bugs.webkit.org/show_bug.cgi?id=261934
rdar://114925088
Reviewed by Yusuke Suzuki.
Fixed issue where an access to a named argument and a separate access via its argument[i] counterpart weren't recognized throughout
all JIT tiers as accesses to the same scoped value. The DFG bytecode parser can unknowingly constant fold the read access.
Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values.
related objects
Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the
ScopedArgument entry for the matching index. Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization
initialization type in GetPutInfo to signify this shared watchpoint case. Since currently all tiers write to scoped arguments
via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint.
Added a new test.
* JSTests/stress/arrow-function-captured-arguments-aliased.js: New test.
(createOptAll):
(createOpt500):
(createOpt2000):
(createOpt5000):
(main):
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/GetPutInfo.h:
(JSC::initializationModeName):
(JSC::isInitialization):
* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::tryCreate):
(JSC::ScopedArgumentsTable::tryClone):
(JSC::ScopedArgumentsTable::trySetLength):
(JSC::ScopedArgumentsTable::trySetWatchpointSet):
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
* Source/JavaScriptCore/runtime/SymbolTable.h:
Canonical link: https://commits.webkit.org/267815.345@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.180@webkitglib/2.42
Commit: 9446aed9a716340695e403a8e44e36ba75a81131
https://github.com/WebKit/WebKit/commit/9446aed9a716340695e403a8e44e36ba75a81131
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/JavaScriptCore/heap/PreciseAllocation.cpp
M Source/JavaScriptCore/heap/PreciseAllocation.h
Log Message:
-----------
Cherry-pick 267815.112 at safari-7617-branch (6ea412c32f09). https://bugs.webkit.org/show_bug.cgi?id=262011
Adjust PreciseAllocation alignment offset to also factor in cache line alignment requirements.
https://bugs.webkit.org/show_bug.cgi?id=262011
rdar://115959633
Reviewed by Keith Miller.
We should ensure that the JSObject header word and its butterfly are always in the same cache line.
See radar for details.
All JSObjects are either allocated out of a MarkedBlock or as a PreciseAllocation. All MarkedBlock
allocations are aligned on 16 byte boundaries (the MarkedBlock::atomSize). This means that it’s
impossible to get this condition with a MarkedBlock allocated object.
For PreciseAllocations, each allocation is preceded by a PreciseAllocation header (which is currently
96 bytes in size), and an 8 to 16 byte padding depending on what is needed to get the resultant object
start address to start on an odd 8 byte boundary (i.e. bit 3 is set). With PreciseAllocations,
depending on the size of the allocation and what memory slot the allocation comes from, there is a
way to get the JSObject header and butterfly to span across a cache line boundary.
This patch prevents this by dynamically adjusting the alignment padding at the start of the
PreciseAllocation to ensure that the start address of the JSObject always lands at a spot where the
header and butterfly do not span a cache line boundary.
* Source/JavaScriptCore/heap/PreciseAllocation.cpp:
(JSC::dataCacheLineSize):
(JSC::isAlignedForPreciseAllocation):
(JSC::isCacheAlignedForPreciseAllocation):
(JSC::PreciseAllocation::tryCreate):
(JSC::PreciseAllocation::tryReallocate):
(JSC::PreciseAllocation::tryCreateForLowerTier):
(JSC::PreciseAllocation::reuseForLowerTier):
(JSC::PreciseAllocation::PreciseAllocation):
* Source/JavaScriptCore/heap/PreciseAllocation.h:
(JSC::PreciseAllocation::headerSize):
(JSC::PreciseAllocation::basePointer const):
Canonical link: https://commits.webkit.org/267815.112@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.181@webkitglib/2.42
Commit: 3af62222ff09de7879c7bf1c98fa38d33237e390
https://github.com/WebKit/WebKit/commit/3af62222ff09de7879c7bf1c98fa38d33237e390
Author: nishajain61 <nisha_jain at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/text/crash-letter-spacing-infinite-expected.html
A LayoutTests/fast/text/crash-letter-spacing-infinite.html
A LayoutTests/fast/text/crash-word-spacing-infinite-expected.html
A LayoutTests/fast/text/crash-word-spacing-infinite.html
M Source/WebCore/platform/graphics/FontCascade.h
Log Message:
-----------
Cherry-pick 267815.115 at safari-7617-branch (935e894057d7). https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://115423166 (jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(widthForLargestKnownToFit <= maxWidth); in WebCore::truncateString(...))
rdar://115423166
Reviewed by Myles C. Maxfield.
letterSpacing API needs to be able to handle NaN values
Signed-off-by: nishajain61 <nisha_jain at apple.com>
Canonical link: https://commits.webkit.org/267815.115@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.182@webkitglib/2.42
Commit: a7a75cad4a5dacb2844d56f8192007db61012237
https://github.com/WebKit/WebKit/commit/a7a75cad4a5dacb2844d56f8192007db61012237
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
M Source/JavaScriptCore/b3/testb3.h
M Source/JavaScriptCore/b3/testb3_1.cpp
M Source/JavaScriptCore/b3/testb3_5.cpp
Log Message:
-----------
Cherry-pick 267815.118 at safari-7617-branch (3e7f362d98b7). https://bugs.webkit.org/show_bug.cgi?id=262224
[JSC] Wrong B3 range analysis on 64-bit values
https://bugs.webkit.org/show_bug.cgi?id=262224
rdar://115897433
Reviewed by Mark Lam.
This patch fixes B3's range analysis. When using 64-bit values, we should use INT64_MIN / INT64_MAX instead of INT_MIN / INT_MAX.
We use std::numeric_limits to make it work. We also adjust `+ 1` check to avoid potential UB.
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp:
* Source/JavaScriptCore/b3/testb3.h:
* Source/JavaScriptCore/b3/testb3_1.cpp:
(run):
* Source/JavaScriptCore/b3/testb3_5.cpp:
(testCheckAdd64Range):
Canonical link: https://commits.webkit.org/267815.118@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.183@webkitglib/2.42
Commit: 154565ddd36b09250d50134b968afc9f735d0dcc
https://github.com/WebKit/WebKit/commit/154565ddd36b09250d50134b968afc9f735d0dcc
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/JavaScriptCore/runtime/ArrayBufferView.h
M Source/JavaScriptCore/runtime/DataView.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Log Message:
-----------
Cherry-pick 267815.120 at safari-7617-branch (ac9f4e07603c). https://bugs.webkit.org/show_bug.cgi?id=262338
[JSC] Add extra hardening about incorrectly configured shared growable typed array view
https://bugs.webkit.org/show_bug.cgi?id=262338
rdar://116168654
Reviewed by Mark Lam.
This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue.
This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized
data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined in the current process. Given that the attacker
is already getting a way to create arbitrary serialized data, probably this does not add much additionally, but just adding hardening for now
as an extra safety.
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifySubRangeLength):
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::wrappedAs):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
Canonical link: https://commits.webkit.org/267815.120@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.184@webkitglib/2.42
Commit: 985fc350636c2ea3ee35146185bde8651f7c6eb8
https://github.com/WebKit/WebKit/commit/985fc350636c2ea3ee35146185bde8651f7c6eb8
Author: David Kilzer <ddkilzer at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/dom/DocumentFragment.h
M Source/WebCore/dom/Node.h
M Source/WebCore/dom/XMLDocument.cpp
M Source/WebCore/dom/XMLDocument.h
M Source/WebCore/testing/js/WebCoreTestSupport.cpp
M Source/WebCore/testing/js/WebCoreTestSupport.h
Log Message:
-----------
Cherry-pick 267815.149 at safari-7617-branch (9bc754a9deaf). https://bugs.webkit.org/show_bug.cgi?id=264327
Add test function for WebCore::DocumentFragment::parseXML
https://bugs.webkit.org/show_bug.cgi?id=262426
<rdar://116267317>
Reviewed by Darin Adler.
* Source/WebCore/dom/DocumentFragment.h:
(WebCore::DocumentFragment::parseXML):
- Export method for WebCoreTestSupport.
* Source/WebCore/dom/Node.h:
(WebCore::Node::eventTargetInterface):
- Drive-by fix to comment.
* Source/WebCore/dom/XMLDocument.cpp:
(WebCore::XMLDocument::createXHTML): Add.
- Move implementation into source file.
* Source/WebCore/dom/XMLDocument.h:
(WebCore::XMLDocument::createXHTML):
- Change to exported method declaration.
* Source/WebCore/testing/js/WebCoreTestSupport.cpp:
(WebCoreTestSupport::testDocumentFragmentParseXML): Add.
- Add test method.
* Source/WebCore/testing/js/WebCoreTestSupport.h:
(WebCoreTestSupport::testDocumentFragmentParseXML): Add.
Canonical link: https://commits.webkit.org/267815.149@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.185@webkitglib/2.42
Commit: 4355f5aa8130f4b02f414c296e763c18c37bcb93
https://github.com/WebKit/WebKit/commit/4355f5aa8130f4b02f414c296e763c18c37bcb93
Author: nishajain61 <nisha_jain at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/cssom/crash-font-family-invalid-expected.html
A LayoutTests/cssom/crash-font-family-invalid.html
M Source/WebCore/style/StyleBuilderCustom.h
Log Message:
-----------
Cherry-pick 267815.169 at safari-7617-branch (6834321e777d). https://bugs.webkit.org/show_bug.cgi?id=262487
jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x'))
https://bugs.webkit.org/show_bug.cgi?id=262487
rdar://115283280
Reviewed by Chris Dumez.
An invalid CSS value for the CSS "Font-family" property has to be handled by returning instead of causing an ASSERT.
Test: cssom/crash-font-family-invalid.html
* Source/WebCore/style/StyleBuilderCustom.h:
(BuilderCustom::applyValueFontFamily): Replaced 'ASSERT' with 'return' while handling the "Font-family" property.
* LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file.
* LayoutTests/cssom/crash-font-family-invalid.html: Added test case.
Canonical link: https://commits.webkit.org/267815.169@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.186@webkitglib/2.42
Commit: b3c358d4525aec3be45a32e22c25b2c71fc1f3b4
https://github.com/WebKit/WebKit/commit/b3c358d4525aec3be45a32e22c25b2c71fc1f3b4
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M LayoutTests/fast/storage/serialized-script-value.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 267815.202 at safari-7617-branch (401705903095). https://bugs.webkit.org/show_bug.cgi?id=262616
An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413
Reviewed by Keith Miller, Sihui Liu and Chris Dumez.
CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of
the indexed property section of an Array. However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD,
which is less than MAX_ARRAY_INDEX (0xFFFFFFFE) i.e. an index of 0xFFFFFFFD can be confused for the
NonIndexPropertiesTag, resulting in type confusion.
This patch changes the structure of a serialized Array to always terminate its indexed property section
with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another
TerminatorTag. The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the
presence of a non-indexed properties section. The presence of a TerminatorTag immediately after the
1st TerminatorTag indicates that the non-indexed properties section is empty.
Also updated the comment describing the shape of a serialized Array, and rebased a test.
* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):
Canonical link: https://commits.webkit.org/267815.202@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.187@webkitglib/2.42
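The tag confusion described in this commit message is easy to lose in the abstract, so here is an added, self-contained model of the two Array layouts (the original with NonIndexPropertiesTag as the terminator of the indexed section, and the fixed one with a leading TerminatorTag). It is example code written for this digest, not WebKit's CloneSerializer or CloneDeserializer: the ToyArray type, the little-endian u32 encoding, the length-prefixed property names and the sample arrays are all assumptions made here. The interesting input is a sparse array whose only index is 0xFFFFFFFD, a legal index below MAX_ARRAY_INDEX that the old reader mistakes for the section tag.

```cpp
// Added example: toy model of the serialized-Array layouts described above.
// Not WebKit code; encoding, ToyArray and helper names are assumptions.
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <vector>

constexpr uint32_t TerminatorTag = 0xFFFFFFFFu;
constexpr uint32_t NonIndexPropertiesTag = 0xFFFFFFFDu;
constexpr uint32_t MaxArrayIndex = 0xFFFFFFFEu;   // so 0xFFFFFFFD is a valid index

struct ToyArray {
    std::map<uint32_t, uint32_t> indexed;    // sparse index -> value
    std::map<std::string, uint32_t> named;   // non-index property -> value
    bool operator==(const ToyArray& o) const { return indexed == o.indexed && named == o.named; }
};

struct Writer {
    std::vector<uint8_t> bytes;
    void u32(uint32_t v) { for (int i = 0; i < 4; ++i) bytes.push_back(uint8_t(v >> (8 * i))); }
    void str(const std::string& s) { u32(uint32_t(s.size())); bytes.insert(bytes.end(), s.begin(), s.end()); }
};

struct Reader {
    const std::vector<uint8_t>& bytes; size_t pos = 0;
    std::optional<uint32_t> u32() {
        if (bytes.size() - pos < 4) return std::nullopt;
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(bytes[pos++]) << (8 * i);
        return v;
    }
    std::optional<std::string> strOfLength(uint32_t len) {
        if (bytes.size() - pos < len) return std::nullopt;
        std::string s(bytes.begin() + pos, bytes.begin() + pos + len);
        pos += len;
        return s;
    }
};

static void writeIndexed(Writer& w, const ToyArray& a) { for (auto& [i, v] : a.indexed) { w.u32(i); w.u32(v); } }
static void writeNamed(Writer& w, const ToyArray& a) { for (auto& [n, v] : a.named) { w.str(n); w.u32(v); } }

// Named section shared by both layouts: (nameLength, name, value)* TerminatorTag.
// One u32 must be read as either a name length or the terminator.
static bool readNamedSection(Reader& r, ToyArray& a) {
    for (;;) {
        auto len = r.u32(); if (!len) return false;
        if (*len == TerminatorTag) return true;
        auto name = r.strOfLength(*len); if (!name) return false;
        auto v = r.u32(); if (!v) return false;
        a.named[*name] = *v;
    }
}

// Old layout: (index, value)* NonIndexPropertiesTag (name, value)* TerminatorTag
std::vector<uint8_t> serializeOld(const ToyArray& a) {
    Writer w; writeIndexed(w, a); w.u32(NonIndexPropertiesTag); writeNamed(w, a); w.u32(TerminatorTag);
    return w.bytes;
}

std::optional<ToyArray> deserializeOld(const std::vector<uint8_t>& bytes) {
    Reader r{bytes}; ToyArray a;
    for (;;) {
        auto tag = r.u32(); if (!tag) return std::nullopt;
        // Bug: an index of 0xFFFFFFFD is indistinguishable from the section tag, so the
        // value that follows it is parsed as a property-name length (type confusion).
        if (*tag == NonIndexPropertiesTag) break;
        auto v = r.u32(); if (!v) return std::nullopt;
        a.indexed[*tag] = *v;
    }
    return readNamedSection(r, a) ? std::optional<ToyArray>(a) : std::nullopt;
}

// New layout: (index, value)* TerminatorTag, then either
//   NonIndexPropertiesTag (name, value)* TerminatorTag   (named section present), or
//   TerminatorTag                                        (named section empty).
std::vector<uint8_t> serializeNew(const ToyArray& a) {
    Writer w; writeIndexed(w, a); w.u32(TerminatorTag);
    if (!a.named.empty()) { w.u32(NonIndexPropertiesTag); writeNamed(w, a); }
    w.u32(TerminatorTag);
    return w.bytes;
}

std::optional<ToyArray> deserializeNew(const std::vector<uint8_t>& bytes) {
    Reader r{bytes}; ToyArray a;
    for (;;) {
        auto tag = r.u32(); if (!tag) return std::nullopt;
        if (*tag == TerminatorTag) break;   // 0xFFFFFFFF exceeds MaxArrayIndex, so it is never an index
        auto v = r.u32(); if (!v) return std::nullopt;
        a.indexed[*tag] = *v;
    }
    auto section = r.u32(); if (!section) return std::nullopt;
    if (*section == TerminatorTag) return a;                 // empty named section
    if (*section != NonIndexPropertiesTag) return std::nullopt;
    return readNamedSection(r, a) ? std::optional<ToyArray>(a) : std::nullopt;
}

bool roundTripsOld(const ToyArray& a) { auto d = deserializeOld(serializeOld(a)); return d && *d == a; }
bool roundTripsNew(const ToyArray& a) { auto d = deserializeNew(serializeNew(a)); return d && *d == a; }

// Constructed samples: a benign sparse array, and one whose only index equals NonIndexPropertiesTag.
ToyArray sampleBenign() { return ToyArray{{{0, 1}, {5, 2}}, {{"k", 3}}}; }
ToyArray sampleAmbiguous() { return ToyArray{{{NonIndexPropertiesTag, 7}}, {}}; }
```

roundTripsOld(sampleAmbiguous()) is false: the old reader takes the index for the section tag, reads the value 7 as a name length, and runs off the end of the buffer; with a longer payload it would instead hand back a bogus named property. roundTripsNew accepts the same array because the indexed section can only end on 0xFFFFFFFF. Note that the two layouts are not compatible with each other, which is why the later cherry-pick in this digest bumps the serialization version number.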
Commit: b80ac5cb701ae61a6c75adbbd2609b5e49c80ee7
https://github.com/WebKit/WebKit/commit/b80ac5cb701ae61a6c75adbbd2609b5e49c80ee7
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/wasm/stress/bbq-parallel-move.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
Log Message:
-----------
Cherry-pick 267815.223 at safari-7617-branch (3c476842d24c). https://bugs.webkit.org/show_bug.cgi?id=262222
BBQJIT if conditions are very wrong
https://bugs.webkit.org/show_bug.cgi?id=262222
rdar://problem/116145012
Reviewed by Keith Miller.
BBQJIT if conditions are very wrong. By random chance, the condition value
happens to be allocated in nonPreservedNonArgumentGPR1, but if you use
more than 8 registers, we end up just reading a completely random value.
Let's not do that.
We also add some extra debugging assertions for parallel move. These shouldn't ever actually
be hit, but they help us avoid a potential problem in the future if we
make BBQ register allocation smarter.
Finally, we allow allocating eax on x86, and fix some bugs surrounding if/else as a result.
* JSTests/wasm/stress/bbq-parallel-move.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test.):
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::ControlData::ControlData):
(JSC::Wasm::BBQJIT::addIf):
(JSC::Wasm::BBQJIT::emitIndirectCall):
(JSC::Wasm::BBQJIT::emitShuffle):
Canonical link: https://commits.webkit.org/267815.223@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.188@webkitglib/2.42
Commit: cb664fb1a65f24cddcdcc95f2509767fb23f73f6
https://github.com/WebKit/WebKit/commit/cb664fb1a65f24cddcdcc95f2509767fb23f73f6
Author: Erica Li <lerica at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt
A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Cherry-pick 267815.226 at safari-7617-branch (20bb95c77d7c). https://bugs.webkit.org/show_bug.cgi?id=262292
rdar://110000099 (jsc_fuz/wktr: invalid message WebPasteboardProxy_GetPasteboardChangeCount)
https://bugs.webkit.org/show_bug.cgi?id=262292
rdar://110000099
Reviewed by Wenson Hsieh.
Disable copy paste for beforeunload event.
* LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt: Added.
* LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::ForbidCopyPasteScope::ForbidCopyPasteScope):
(WebCore::ForbidCopyPasteScope::~ForbidCopyPasteScope):
(WebCore::FrameLoader::dispatchBeforeUnloadEvent):
Canonical link: https://commits.webkit.org/267815.226@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.189@webkitglib/2.42
Commit: d8661f82488c8202db34f543c5c5a8c2093ac107
https://github.com/WebKit/WebKit/commit/d8661f82488c8202db34f543c5c5a8c2093ac107
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/JavaScriptCore/assembler/AssemblerBuffer.h
M Source/WTF/wtf/PtrTag.h
Log Message:
-----------
Cherry-pick 267815.228 at safari-7617-branch (4eda4ebd52c1). https://bugs.webkit.org/show_bug.cgi?id=262938
ARM64EHash should be using the PAC DA key instead of DB.
https://bugs.webkit.org/show_bug.cgi?id=262938
rdar://116679398
Reviewed by Justin Michaud.
Currently, it uses the PAC DB key. However, the PAC DB key is already used for the
PACCage for protecting TypedArray vector pointers. Using the PAC DA key instead would
ensure that there is no collision between the "namespace"s of PACCage pointers and
ARM64EHash intermediate values.
* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
* Source/WTF/wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):
Canonical link: https://commits.webkit.org/267815.228@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.190@webkitglib/2.42
Commit: 3f264123d1e8aea85d25a73816ca24adba8a5c91
https://github.com/WebKit/WebKit/commit/3f264123d1e8aea85d25a73816ca24adba8a5c91
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 267815.245 at safari-7617-branch (bf21fed44b35). https://bugs.webkit.org/show_bug.cgi?id=262921
CloneDeserializer::readTerminal() should fail decoding if tag is not exposed to current JS context
https://bugs.webkit.org/show_bug.cgi?id=262921
rdar://115756703
Reviewed by Mark Lam.
In 265678 at main, I added a check to make sure the type getting deserialized was exposed to the
current JS context (e.g. audio worklet contexts don't have access to many of the types that
a Window context does). I added an early return when detecting this but failed to call `fail()`
to explicitly fail decoding.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):
Canonical link: https://commits.webkit.org/267815.245@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.191@webkitglib/2.42
Commit: 4a95479db48214e9e166461405ca13c1c731e92a
https://github.com/WebKit/WebKit/commit/4a95479db48214e9e166461405ca13c1c731e92a
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https-expected.txt
A LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https.html
M Source/WebCore/Headers.cmake
M Source/WebCore/Modules/web-locks/WebLock.h
M Source/WebCore/Modules/web-locks/WebLockManager.cpp
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
M Source/WebKit/UIProcess/WebLockRegistryProxy.cpp
Log Message:
-----------
Cherry-pick 267815.246 at safari-7617-branch (85aba6be5983). https://bugs.webkit.org/show_bug.cgi?id=262920
Restrict the length of requested web locks names
https://bugs.webkit.org/show_bug.cgi?id=262920
rdar://116189077
Reviewed by Brent Fulgham.
Restrict the length of requested web locks names to prevent abuse.
* LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https-expected.txt: Added.
* LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https.html: Added.
* Source/WebCore/Headers.cmake:
* Source/WebCore/Modules/web-locks/WebLock.h:
* Source/WebCore/Modules/web-locks/WebLockManager.cpp:
(WebCore::WebLockManager::request):
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebKit/UIProcess/WebLockRegistryProxy.cpp:
(WebKit::WebLockRegistryProxy::requestLock):
Canonical link: https://commits.webkit.org/267815.246@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.192@webkitglib/2.42
Commit: 94ceb11f89b2460f63a91d05f6f8410a0a6aac3b
https://github.com/WebKit/WebKit/commit/94ceb11f89b2460f63a91d05f6f8410a0a6aac3b
Author: Matt Woodrow <mattwoodrow at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/canvas/offscreen-giant-expected.html
A LayoutTests/fast/canvas/offscreen-giant.html
M LayoutTests/platform/mac-monterey/TestExpectations
M Source/WebCore/platform/graphics/ca/cocoa/GraphicsLayerAsyncContentsDisplayDelegateCocoa.mm
M Source/WebKit/Platform/SharedMemory.h
M Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h
M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h
M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm
M Source/WebKit/Shared/ShareableBitmap.h
M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm
M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h
M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm
Log Message:
-----------
Cherry-pick 267815.262 at safari-7617-branch (8ac19464ff91). https://bugs.webkit.org/show_bug.cgi?id=264327
jsc_fuz/wktr: null ptr deref in WebCore::GraphicsLayerAsyncContentsDisplayDelegateCocoa::tryCopyToLayer(WebCore::ImageBuffer&)
https://bugs.webkit.org/show_bug.cgi?id=262640
<rdar://115497296>
Reviewed by Kimmo Kinnunen.
This adds support for setDelegatedContents on a PlatformCALayerRemote having a generic ImageBufferBackendHandle (which includes
shared memory), instead of only MachSendRight.
Adds an explicit copy constructor to SharedMemoryHandle, UnixFileDescriptor and CGDisplayList to match MachSendRight and make
this possible.
Also switches Protection::ReadWrite to Protection::ReadOnly for the RemoteLayerBackingStore callers, since we were already using
this for tryCopyToLayer, and we need the ::map() call in the UI process to not try to ask for extra permissions.
* Source/WTF/wtf/unix/UnixFileDescriptor.h:
(WTF::UnixFileDescriptor::UnixFileDescriptor):
* Source/WebKit/Platform/SharedMemory.h:
* Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h:
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:
(WebKit::RemoteLayerBackingStore::encode const):
(WebKit::RemoteLayerBackingStore::setDelegatedContents):
(WebKit::RemoteLayerBackingStoreProperties::layerContentsBufferFromBackendHandle):
* Source/WebKit/Shared/ShareableBitmap.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h:
* Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm:
(WebKit::PlatformCALayerRemote::setDelegatedContents):
(WebKit::PlatformCALayerRemote::setRemoteDelegatedContents):
Canonical link: https://commits.webkit.org/267815.262@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.193@webkitglib/2.42
Commit: 639298fab982cd8666b7c516316edfc50f402b36
https://github.com/WebKit/WebKit/commit/639298fab982cd8666b7c516316edfc50f402b36
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
A LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp
Log Message:
-----------
Cherry-pick 267815.265 at safari-7617-branch (aa715fb68472). https://bugs.webkit.org/show_bug.cgi?id=262955
jsc_fuz/wktr: heap-buffer-overflow in WebCore::WebCodecsVideoFrame::copyTo(...) WebCodecsVideoFrame.cpp:488
https://bugs.webkit.org/show_bug.cgi?id=262955
rdar://115835656
Reviewed by Eric Carlson.
We add a check that x and y are positive or zero.
Otherwise, we might still pass the check that the total width or height is below the codedWidth/codedHeight, while it is not.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/videoFrame-rect.html: Added.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
(WebCore::parseVisibleRect):
Canonical link: https://commits.webkit.org/267815.265@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.194@webkitglib/2.42
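The commit message above explains why the far-edge comparison alone is not enough: a negative origin makes an oversized extent pass "x + width <= codedWidth". The added example below, written for this digest and not taken from WebCore's parseVisibleRect, puts the weak check next to a hardened one and feeds both a rect with a negative x. The VisibleRect type, the integer-only rule for the fields, the 640x480 sample plane and the checksum helper are assumptions of this example.

```cpp
// Added example: visible-rect validation with and without the origin check.
// Not WebCore code; VisibleRect, the integer-only rule and the sample plane are assumptions.
#include <cmath>
#include <cstdint>
#include <initializer_list>
#include <optional>
#include <vector>

struct VisibleRect { uint32_t x, y, width, height; };

// Pre-fix shape of the check: only the far edges are compared against the coded size.
// A negative origin lets an oversized width through (x + w <= codedWidth still holds),
// and NaN passes as well because every comparison involving NaN is false.
bool weakCheckAccepts(double x, double y, double w, double h, uint32_t codedWidth, uint32_t codedHeight) {
    if (w <= 0 || h <= 0) return false;
    return !(x + w > codedWidth || y + h > codedHeight);
}

// Hardened: every field must be a finite, non-negative integer, the origin must lie inside
// the frame, and the extent is compared in subtraction form so no sum can wrap or go negative.
std::optional<VisibleRect> parseVisibleRectHardened(double x, double y, double w, double h,
                                                    uint32_t codedWidth, uint32_t codedHeight) {
    for (double v : { x, y, w, h }) {
        if (!std::isfinite(v) || v < 0 || v != std::floor(v)) return std::nullopt;
    }
    if (w == 0 || h == 0) return std::nullopt;
    if (x > codedWidth || y > codedHeight) return std::nullopt;
    if (w > codedWidth - x || h > codedHeight - y) return std::nullopt;
    return VisibleRect{ uint32_t(x), uint32_t(y), uint32_t(w), uint32_t(h) };
}

// Consumer: sums the visible region of one 8-bit plane. With a rect from the hardened parser
// every index lies inside the plane; a weakly checked negative x would already read before
// the start of the first row.
uint64_t sumVisiblePlane(const std::vector<uint8_t>& plane, uint32_t stride, const VisibleRect& r) {
    uint64_t sum = 0;
    for (uint32_t row = 0; row < r.height; ++row)
        for (uint32_t col = 0; col < r.width; ++col)
            sum += plane[size_t(r.y + row) * stride + r.x + col];
    return sum;
}

constexpr uint32_t kCodedWidth = 640, kCodedHeight = 480;   // constructed sample frame size

// Checksum of a 32x32 rect at (16, 8) over a plane filled with 1s; 0 if the rect is rejected.
uint64_t checksumOfSampleRect() {
    std::vector<uint8_t> plane(size_t(kCodedWidth) * kCodedHeight, 1);
    auto rect = parseVisibleRectHardened(16, 8, 32, 32, kCodedWidth, kCodedHeight);
    return rect ? sumVisiblePlane(plane, kCodedWidth, *rect) : 0;
}
```

weakCheckAccepts(-16, 0, 648, 480, 640, 480) returns true even though the rect spans 648 columns of a 640-wide frame, which is exactly the shape of input that turns a copy loop into an out-of-bounds read; parseVisibleRectHardened rejects it on the sign check before any arithmetic happens. The subtraction form (w > codedWidth - x) is worth keeping even once inputs are non-negative, because it stays correct if the fields are later narrowed to integer types where x + w could wrap.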
Commit: 937ce54230a1cfc9d6cdffdaec3f2bc273c29e4b
https://github.com/WebKit/WebKit/commit/937ce54230a1cfc9d6cdffdaec3f2bc273c29e4b
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/events/document-destruction-during-event-firing-crash-expected.txt
A LayoutTests/fast/events/document-destruction-during-event-firing-crash.html
M Source/WebCore/dom/EventTarget.cpp
Log Message:
-----------
Cherry-pick 267815.272 at safari-7617-branch (fc0cce085a99). https://bugs.webkit.org/show_bug.cgi?id=263029
Use-after-free crash under EventTarget::innerInvokeEventListeners()
https://bugs.webkit.org/show_bug.cgi?id=263029
rdar://116802026
Reviewed by Ryosuke Niwa.
Make sure we keep the script execution context alive by holding it in a Ref<>.
* LayoutTests/fast/events/document-destruction-during-event-firing-crash-expected.txt: Added.
* LayoutTests/fast/events/document-destruction-during-event-firing-crash.html: Added.
* Source/WebCore/dom/EventTarget.cpp:
(WebCore::EventTarget::innerInvokeEventListeners):
Canonical link: https://commits.webkit.org/267815.272@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.195@webkitglib/2.42
Commit: 423f54d638409d111534c668988202516b8b4e25
https://github.com/WebKit/WebKit/commit/423f54d638409d111534c668988202516b8b4e25
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fast/css/create-columns-onload-crash-expected.txt
A LayoutTests/fast/css/create-columns-onload-crash.html
M Source/WebCore/style/StyleBuilderConverter.h
Log Message:
-----------
Cherry-pick 267815.304 at safari-7617-branch (395cb173896a). rdar://115107618
jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) downcast(Source &) [Target = WebCore::CSSFunctionValue, Source = const WebCore::CSSValue]
rdar://115107618
Reviewed by Chris Dumez.
A downcast was attempted before ensuring the type is correct, so a type check was added before the downcast.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::createGridTrackSize): added a type check before the downcast.
Canonical link: https://commits.webkit.org/267815.304@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.196@webkitglib/2.42
Commit: 533055aea23269e8f723e7fb9437d8f618155ddb
https://github.com/WebKit/WebKit/commit/533055aea23269e8f723e7fb9437d8f618155ddb
Author: Sihui Liu <sihui_liu at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M LayoutTests/fast/storage/serialized-script-value.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 267815.465 at safari-7617-branch (9a56d2bb940b). rdar://117020274
J414s/23C25: 1Password extension does not work and keeps trying to open a blank new tab (Unhandled Promise Rejection: AbortError: IDBTransaction will abort due to uncaught exception in an event handler)
rdar://117020274
Reviewed by Mark Lam.
We updated the serialization format of SerializedScriptValue in rdar://117020274, but we didn't change the version number.
This makes serialized values with old format stored in IndexedDB databases no longer readable, as we are looking for the
new format during deserialization.
* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):
Canonical link: https://commits.webkit.org/267815.465@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.197@webkitglib/2.42
Commit: f6cf3189dfe989c4031be838c76fa31a517d1864
https://github.com/WebKit/WebKit/commit/f6cf3189dfe989c4031be838c76fa31a517d1864
Author: Said Abou-Hallawa <said at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/svg/custom/pattern-nested-reference-expected.txt
A LayoutTests/svg/custom/pattern-nested-reference.html
M Source/WebCore/rendering/svg/RenderSVGResource.cpp
M Source/WebCore/rendering/svg/RenderSVGResource.h
M Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp
M Source/WebCore/rendering/svg/RenderSVGResourceClipper.h
M Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
M Source/WebCore/rendering/svg/RenderSVGResourceContainer.h
M Source/WebCore/rendering/svg/RenderSVGResourceFilter.cpp
M Source/WebCore/rendering/svg/RenderSVGResourceFilter.h
M Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp
M Source/WebCore/rendering/svg/RenderSVGResourceGradient.h
M Source/WebCore/rendering/svg/RenderSVGResourceMarker.cpp
M Source/WebCore/rendering/svg/RenderSVGResourceMarker.h
M Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp
M Source/WebCore/rendering/svg/RenderSVGResourceMasker.h
M Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp
M Source/WebCore/rendering/svg/RenderSVGResourcePattern.h
M Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.h
Log Message:
-----------
Cherry-pick 267815.402 at safari-7617-branch (46e35d6223f3). https://bugs.webkit.org/show_bug.cgi?id=263349
Deeply nested SVG patterns can take a long time to invalidate the target element
https://bugs.webkit.org/show_bug.cgi?id=263349
(rdar://116532387)
Reviewed by Simon Fraser.
The resource's clients invalidation does not take into account the visited renderers.
With nested SVG resources this invalidation can have an exponential complexity.
This leads to DoS since loading the SVG or modifying its resources can take
minutes to finish.
Skipping the visited renderers while invalidating the resource's clients should
fix this problem. The complexity of the invalidation will be linear in this case.
* LayoutTests/svg/custom/pattern-nested-reference-expected.txt: Added.
* LayoutTests/svg/custom/pattern-nested-reference.html: Added.
* Source/WebCore/rendering/svg/RenderSVGResource.cpp:
(WebCore::RenderSVGResource::removeAllClientsFromCache):
(WebCore::removeFromCacheAndInvalidateDependencies):
(WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation):
(WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidationIfNeeded):
* Source/WebCore/rendering/svg/RenderSVGResource.h:
* Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp:
(WebCore::RenderSVGResourceClipper::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceClipper::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceClipper.h:
* Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp:
(WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):
(WebCore::RenderSVGResourceContainer::markAllClientsForInvalidationIfNeeded):
* Source/WebCore/rendering/svg/RenderSVGResourceContainer.h:
* Source/WebCore/rendering/svg/RenderSVGResourceFilter.cpp:
(WebCore::RenderSVGResourceFilter::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceFilter::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceFilter.h:
* Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp:
(WebCore::RenderSVGResourceGradient::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceGradient::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceGradient.h:
* Source/WebCore/rendering/svg/RenderSVGResourceMarker.cpp:
(WebCore::RenderSVGResourceMarker::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceMarker::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceMarker.h:
* Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp:
(WebCore::RenderSVGResourceMasker::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourceMasker::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourceMasker.h:
* Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp:
(WebCore::RenderSVGResourcePattern::removeAllClientsFromCacheIfNeeded):
(WebCore::RenderSVGResourcePattern::removeAllClientsFromCache): Deleted.
* Source/WebCore/rendering/svg/RenderSVGResourcePattern.h:
* Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.h:
Canonical link: https://commits.webkit.org/267815.402@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.198@webkitglib/2.42
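To make the complexity claim in this commit message concrete, here is an added example (written for this digest, not WebKit's RenderSVGResource code) that runs a client invalidation over a constructed graph of resources twice: once following every reference edge, and once skipping renderers already visited in the same pass. The Resource type, the diamond-chain graph builder and the visit counters are assumptions of this example; the graph is shaped so that each resource is referenced by two resources in the next layer, which is what nested patterns referencing shared resources look like.

```cpp
// Added example: resource client invalidation with and without a visited set.
// Not WebKit code; Resource, the graph builder and the counters are assumptions.
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

struct Resource {
    int id;
    std::vector<Resource*> clients;   // renderers/resources that reference this one
    bool needsLayout = false;
};

// Naive: every reference edge is followed, so a node reachable over k distinct paths is
// processed k times. On a chain of diamonds the visit count doubles per layer.
static void invalidateNaive(Resource& r, size_t& visits) {
    ++visits;
    r.needsLayout = true;
    for (Resource* c : r.clients) invalidateNaive(*c, visits);
}

// Hardened: skip renderers already visited in this invalidation pass, which is the idea
// behind the ...IfNeeded variants in the change. Visits become linear in the node count,
// and a reference cycle no longer recurses forever.
static void invalidateIfNeeded(Resource& r, std::unordered_set<const Resource*>& visited, size_t& visits) {
    if (!visited.insert(&r).second) return;
    ++visits;
    r.needsLayout = true;
    for (Resource* c : r.clients) invalidateIfNeeded(*c, visited, visits);
}

struct Graph {
    std::vector<std::unique_ptr<Resource>> nodes;   // heap nodes, so pointers stay stable
    Resource* root() { return nodes.front().get(); }
};

// Constructed graph: a root, then `layers` layers of two resources each; every resource in
// layer k is a client of both resources in layer k-1 (1 + 2*layers nodes in total).
Graph buildDiamondChain(int layers) {
    Graph g;
    g.nodes.push_back(std::make_unique<Resource>(Resource{0}));
    std::vector<Resource*> prev{ g.root() };
    for (int k = 1; k <= layers; ++k) {
        std::vector<Resource*> cur;
        for (int j = 0; j < 2; ++j) {
            g.nodes.push_back(std::make_unique<Resource>(Resource{2 * k - 1 + j}));
            cur.push_back(g.nodes.back().get());
        }
        for (Resource* p : prev) for (Resource* c : cur) p->clients.push_back(c);
        prev = cur;
    }
    return g;
}

size_t nodeCount(int layers) { return 1 + 2 * size_t(layers); }

size_t naiveVisits(int layers) {
    Graph g = buildDiamondChain(layers);
    size_t n = 0;
    invalidateNaive(*g.root(), n);
    return n;   // 2^(layers+1) - 1
}

size_t hardenedVisits(int layers) {
    Graph g = buildDiamondChain(layers);
    std::unordered_set<const Resource*> seen;
    size_t n = 0;
    invalidateIfNeeded(*g.root(), seen, n);
    return n;   // nodeCount(layers)
}

// Same graph plus a back-reference from the last resource to the root: the naive walk
// would never terminate here, the visited set handles it in one pass.
size_t hardenedVisitsWithCycle(int layers) {
    Graph g = buildDiamondChain(layers);
    g.nodes.back()->clients.push_back(g.root());
    std::unordered_set<const Resource*> seen;
    size_t n = 0;
    invalidateIfNeeded(*g.root(), seen, n);
    return n;
}

// The hardened pass must still reach and mark every node, not just finish faster.
bool hardenedMarksAll(int layers) {
    Graph g = buildDiamondChain(layers);
    std::unordered_set<const Resource*> seen;
    size_t n = 0;
    invalidateIfNeeded(*g.root(), seen, n);
    for (auto& r : g.nodes) if (!r->needsLayout) return false;
    return true;
}
```

With ten layers the naive walk touches 2047 nodes where the graph has 21; every additional layer doubles the cost, which is the "minutes to finish" behaviour the message describes, while the visited-set version stays at one visit per node and also survives a reference cycle.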
Commit: 1c967d31b0908ee24ea4f0977fff00980448c675
https://github.com/WebKit/WebKit/commit/1c967d31b0908ee24ea4f0977fff00980448c675
Author: Dan Glastonbury <djg at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp
Log Message:
-----------
Cherry-pick 267815.442 at safari-7617-branch (d4e4706162ed). rdar://117540199
[ANGLE] Clear pending program linking in Context::onDestroy
rdar://117540199
Reviewed by Kimmo Kinnunen.
Cherry-pick the upstream ANGLE fix which clears the pending link earlier to avoid a
UAF.
Tested with ASAN build of
/Volumes/WebKit/OpenSource/WebKitBuild/Debug/TestWebKitAPI
--gtest_filter=GraphicsContextGLCocoaTest.TwoLinks
* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::onDestroy):
Canonical link: https://commits.webkit.org/267815.442@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.199@webkitglib/2.42
Commit: 5a108bdc41182b6c991585cd9544580712f65eeb
https://github.com/WebKit/WebKit/commit/5a108bdc41182b6c991585cd9544580712f65eeb
Author: Vitor Roriz <vitor.roriz at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-ref.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA.html
M LayoutTests/platform/mac/fast/text/softbank-emoji-expected.txt
M LayoutTests/platform/wpe/fast/text/softbank-emoji-expected.txt
M Source/WebCore/css/CSSFontSelector.cpp
M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
M Source/WebCore/platform/graphics/FontRanges.cpp
M Source/WebCore/platform/graphics/FontRanges.h
M Source/WebCore/platform/graphics/coretext/FontCascadeCoreText.cpp
M Source/WebCore/platform/text/CharacterProperties.h
Log Message:
-----------
Cherry-pick 267815.424 at safari-7617-branch (8c7be2b8800b). https://bugs.webkit.org/show_bug.cgi?id=255629
Font fallback should ignore generic families for codepoints in PUA
https://bugs.webkit.org/show_bug.cgi?id=263261
rdar://115901340
Reviewed by Cameron McCormack.
According to spec: https://drafts.csswg.org/css-fonts-4/#char-handling-issues
"If a given character is a Private-Use Area Unicode codepoint, user agents must only match font families named in the font-family list that are not generic families. If none of the families named in the font-family list contain a glyph for that codepoint, user agents must display some form of missing glyph symbol for that character rather than attempting installed font fallback for that codepoint."
We are currently not ignoring generic font families for font fallback when a code point is in the private-use area (PUA).
This patch changes that. Now FontRanges has a flag to signal that the Font represented by the FontRanges
object came from a generic family. That way, we can skip it during font fallback when finding
the glyph data for a codepoint that is in the private-use area.
After attempting all user-specified font-families, if we couldn't find a font that can represent such codepoint,
we then use the .notdef glyph (glyph 0) and the last resort font of WebKit for it.
* LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-ref.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA.html: Added.
* LayoutTests/platform/mac/fast/text/softbank-emoji-expected.txt:
* LayoutTests/platform/wpe/fast/text/softbank-emoji-expected.txt:
* Source/WebCore/css/CSSFontSelector.cpp:
(WebCore::CSSFontSelector::fontRangesForFamily):
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::realizeNextFallback):
(WebCore::FontCascadeFonts::glyphDataForVariant):
(WebCore::FontCascadeFonts::glyphDataForCharacter):
* Source/WebCore/platform/graphics/FontRanges.cpp:
(WebCore::FontRanges::FontRanges):
(WebCore::FontRanges::glyphDataForCharacter const):
* Source/WebCore/platform/graphics/FontRanges.h:
(WebCore::FontRanges::isGeneric const):
* Source/WebCore/platform/graphics/WidthIterator.cpp:
(WebCore::WidthIterator::advanceInternal):
* Source/WebCore/platform/graphics/coretext/FontCascadeCoreText.cpp:
(WebCore::FontCascade::fontForCombiningCharacterSequence const):
* Source/WebCore/platform/text/CharacterProperties.h:
(WebCore::isPrivateUseAreaCharacter):
Canonical link: https://commits.webkit.org/267815.424@safari-7617-branch
Canonical link: https://commits.webkit.org/266719.200@webkitglib/2.42
Commit: 055822103c0b2ab090e030756a819e01b6fa1d6e
https://github.com/WebKit/WebKit/commit/055822103c0b2ab090e030756a819e01b6fa1d6e
Author: Russell Epstein <repstein at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt
A LayoutTests/fonts/font-cache-memory-pressure-crash.html
M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
Log Message:
-----------
Cherry-pick 267815.570 at safari-7617.1.17.10-branch (0276f2cb8a40). https://bugs.webkit.org/show_bug.cgi?id=264737
Cherry-pick a595ddd8348d. rdar://117805319
Adding last resort font to System Font fallback set for PUA characters
https://bugs.webkit.org/show_bug.cgi?id=264737
rdar://117805319
Reviewed by Brent Fulgham.
Until now, when we are purging inactive font data, we would just clear
the glyph page cache if we had to purge a system fallback font.
This means that we consider that the glyph page cache would only point to
fonts from the system font fallback.
When we are handling Unicode characters in the Private-Use-Area (PUA) block,
we shouldn't fall back to system fonts when searching for a font that can render
it, per spec: https://www.w3.org/TR/css-fonts-4/#char-handling-issues
Instead, we render the glyph 0 with the last resort font. However, this
font is just added to the custom font cache, and its font pointer in the
Glyph Page cache is not cleared during memory pressure.
We should add this font to the system font fallback set, to make sure
that the associated font pointer is removed from the glyph page cache
during memory pressure.
* LayoutTests/fonts/font-cache-memory-pressure-crash.html: Added.
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::FontCascadeFonts::glyphDataForVariant):
* LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt: Added.
Canonical link: https://commits.webkit.org/267815.567@safari-7617-branch
Canonical link: https://commits.webkit.org/267815.570@safari-7617.1.17.10-branch
Canonical link: https://commits.webkit.org/266719.201@webkitglib/2.42
Compare: https://github.com/WebKit/WebKit/compare/7f8b31e40740...055822103c0b