[webkit-changes] [WebKit/WebKit] 6094b6: Cherry-pick 64bcd93cbc55. <bug>

Russell Epstein noreply at github.com
Wed Dec 13 12:11:22 PST 2023


  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 6094b6c0b3c2a00d3d26d9ed1b4ba7f834f0a9a8
      https://github.com/WebKit/WebKit/commit/6094b6c0b3c2a00d3d26d9ed1b4ba7f834f0a9a8
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
    A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
    M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
    M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h

  Log Message:
  -----------
  Cherry-pick 64bcd93cbc55. <bug>

    jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
    https://bugs.webkit.org/show_bug.cgi?id=264180.
    rdar://117463447.

    Reviewed by Sihui Liu.

    MemoryIndex now keeps a WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it. Also RefPtr conversion from WeakPtr using get() API as applicable.

    * LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
    * LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
    * Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using.
    (WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
    (WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
    (WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable.
    (WebCore::IDBServer::MemoryIndex::objectStoreCleared):
    (WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
    (WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
    (WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
    (WebCore::IDBServer::MemoryIndex::getAllRecords const):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
    (WebCore::IDBServer::MemoryIndex::objectStore):
    * Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object.
    (WebCore::IDBServer::MemoryIndexCursor::currentData):
    * Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:

    Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch

    Identifier: 267815.546 at safari-7617.1.17.10-branch

Canonical link: https://commits.webkit.org/266719.149@webkitglib/2.42
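The guard the commit above describes, as an added example that is not WebKit's code: MemoryIndex and MemoryObjectStore are modelled with plain C++ classes, and std::shared_ptr/std::weak_ptr stand in for WTF's Ref/WeakPtr. The names ObjectStore, valueForKey, hasLiveObjectStore and indexSurvivesStoreAbort are assumptions made for the illustration; the point is that an index reachable after its store has been freed (the abort path in the bug title) now bails out instead of touching freed memory.

```cpp
// Added example (not WebKit code): the WeakPtr-guarded access pattern from the
// MemoryIndex fix, using std::weak_ptr in place of WTF::WeakPtr.
#include <map>
#include <memory>
#include <optional>
#include <string>

// Stand-in for MemoryObjectStore (hypothetical name/API).
class ObjectStore {
public:
    explicit ObjectStore(std::string name) : m_name(std::move(name)) {}
    const std::string& name() const { return m_name; }
    void put(int key, std::string value) { m_records[key] = std::move(value); }
    const std::string* record(int key) const {
        auto it = m_records.find(key);
        return it == m_records.end() ? nullptr : &it->second;
    }
private:
    std::string m_name;
    std::map<int, std::string> m_records;
};

// Stand-in for MemoryIndex. Before the fix it held a plain reference to its
// object store; a transaction abort could destroy the store while the index was
// still alive (and still reachable through a cursor), leaving a dangling ref.
class MemoryIndex {
public:
    explicit MemoryIndex(const std::shared_ptr<ObjectStore>& store) : m_objectStore(store) {}

    // Upgrade the weak reference to a strong one for the duration of the call
    // (the RefPtr-from-WeakPtr conversion the commit mentions) and bail out if
    // the store is already gone.
    std::optional<std::string> valueForKey(int key) const {
        std::shared_ptr<ObjectStore> store = m_objectStore.lock();
        if (!store)
            return std::nullopt;            // store destroyed: no dangling access
        const std::string* value = store->record(key);
        if (!value)
            return std::nullopt;
        return *value;
    }

    bool hasLiveObjectStore() const { return !m_objectStore.expired(); }

private:
    std::weak_ptr<ObjectStore> m_objectStore; // was: ObjectStore& m_objectStore
};

// Simulates the abort-index-rename scenario: create store + index, drop the
// store (what abort does), then use the index. Returns true when the index
// noticed the store was gone instead of reading freed memory.
bool indexSurvivesStoreAbort() {
    auto store = std::make_shared<ObjectStore>("people");
    store->put(1, "alice");
    MemoryIndex index(store);
    if (index.valueForKey(1) != std::optional<std::string>("alice"))
        return false;
    store.reset(); // abort path: last strong reference dropped, store freed
    return !index.hasLiveObjectStore() && !index.valueForKey(1).has_value();
}
```

With WTF types the same shape is `RefPtr<MemoryObjectStore> store = m_objectStore.get(); if (!store) return;` at each use site, which is what the changed functions listed above do.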


  Commit: f4cbd6103a089eb7886b4aec53aa788111adfeb8
      https://github.com/WebKit/WebKit/commit/f4cbd6103a089eb7886b4aec53aa788111adfeb8
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/multicol/last-set-crash-expected.txt
    A LayoutTests/fast/multicol/last-set-crash.html
    M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
    M Source/WebCore/rendering/RenderMultiColumnFlow.h

  Log Message:
  -----------
  Cherry-pick f524a15d0633. https://bugs.webkit.org/show_bug.cgi?id=264327

    WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
    https://bugs.webkit.org/show_bug.cgi?id=264327
    rdar://114559559

    Reviewed by Alan Baradlay.

    * LayoutTests/TestExpectations:

    Skip test on debug due to some assertion failures.

    * LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/last-set-crash.html: Added.
    * Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
    (WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):

    Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
    Check for this.

    * Source/WebCore/rendering/RenderMultiColumnFlow.h:

    Also make it use WeakPtr.

    Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch

    Identifier: 267815.547 at safari-7617.1.17.10-branch

Canonical link: https://commits.webkit.org/266719.150@webkitglib/2.42


  Commit: 257bccb2532b64ea1b40023299c29053f891188b
      https://github.com/WebKit/WebKit/commit/257bccb2532b64ea1b40023299c29053f891188b
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.h

  Log Message:
  -----------
  Cherry-pick 4c3430842100. https://bugs.webkit.org/show_bug.cgi?id=264979

    Crash under PAL::newTextCodec(PAL::TextEncoding const&)
    https://bugs.webkit.org/show_bug.cgi?id=264979
    rdar://118267012

    Reviewed by Brent Fulgham.

    There is evidence for crashes in the wild that the CachedCSSStyleSheet or
    the TextResourceDecoder are being used after getting freed. To prevent this,
    protect both these objects in the code path identified by the crashes.

    This is a speculative fix but it should be very safe.

    * Source/WebCore/loader/SubresourceLoader.cpp:
    (WebCore::SubresourceLoader::didFinishLoading):
    * Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:
    (WebCore::CachedCSSStyleSheet::finishLoading):
    (WebCore::CachedCSSStyleSheet::protectedDecoder const):
    * Source/WebCore/loader/cache/CachedCSSStyleSheet.h:

    Canonical link: https://commits.webkit.org/267815.575@safari-7617-branch

    Identifier: 267815.574 at safari-7617.1.17.10-branch

Canonical link: https://commits.webkit.org/266719.151@webkitglib/2.42


  Commit: 4f7b838e35687405c6ee4b8176347b52cc72323e
      https://github.com/WebKit/WebKit/commit/4f7b838e35687405c6ee4b8176347b52cc72323e
  Author: Scott Marcy <mscott at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/font-size-adjust-invalid-value-type-expected.txt
    A LayoutTests/fast/css/font-size-adjust-invalid-value-type.html
    M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  -----------
  Cherry-pick 267815.526 at safari-7617-branch (92043c608a1c). <bug>

    rdar://115842409 (jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) &WTF::downcast(Source &) [Target = WebCore::CSSValuePair, Source = const WebCore::CSSValue] at StyleBuilderConverter.h:1632)

    Checks for an unexpected CSS type for 'font-size-adjust' and returns a default value instead of crashing.

    Reviewed by anttijk.

    This prevents a crash on downcasting when an unexpected `CSSValue` subclass is provided.

    Combined changes:
    * LayoutTests/fast/css/font-size-adjust-invalid-value-type-expected.txt: Added.
    * LayoutTests/fast/css/font-size-adjust-invalid-value-type.html: Added.
    * Source/WebCore/style/StyleBuilderConverter.h:
    (WebCore::Style::BuilderConverter::convertFontSizeAdjust):

    Canonical link: https://commits.webkit.org/267815.526@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.152@webkitglib/2.42


  Commit: 096cb1a99a8077cf6491a660b3c88c78061eba6c
      https://github.com/WebKit/WebKit/commit/096cb1a99a8077cf6491a660b3c88c78061eba6c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp
    M Source/WebCore/Modules/permissions/Permissions.cpp
    M Source/WebCore/Modules/storage/WorkerStorageConnection.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletThread.h
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/dom/BroadcastChannel.cpp
    M Source/WebCore/dom/ScriptExecutionContext.cpp
    M Source/WebCore/loader/WorkerThreadableLoader.cpp
    M Source/WebCore/loader/WorkerThreadableLoader.h
    M Source/WebCore/loader/cache/MemoryCache.cpp
    M Source/WebCore/page/WorkerNavigator.cpp
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerMessagingProxy.cpp
    M Source/WebCore/workers/WorkerNotificationClient.cpp
    M Source/WebCore/workers/WorkerOrWorkletThread.h
    M Source/WebCore/workers/WorkerThread.cpp
    M Source/WebCore/workers/WorkerThread.h
    M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp
    M Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp

  Log Message:
  -----------
  Cherry-pick 267815.537 at safari-7617-branch (4cae7c8ab138). https://bugs.webkit.org/show_bug.cgi?id=264327

    Crash under WebCore::createMainThreadConnection(WebCore::WorkerGlobalScope&)
    https://bugs.webkit.org/show_bug.cgi?id=264222
    rdar://117727810

    Reviewed by Darin Adler.

    We're crashing when calling `createCacheStorageConnection()` on the WorkerLoaderProxy which
    we got from the WorkerThread. I believe the WorkerLoaderProxy reference returned by the
    WorkerThread is stale, which is possible since it keeps C++ references to its proxies.

    To address the issue, I updated WorkerThread to keep raw pointers to its proxies instead of
    C++ references. I am also adding a clearProxies() function to clear those raw pointers once
    the proxies get destroyed. Finally, I added null checks at proxy use sites now that we null
    them out.

    In the future, we should convert these raw pointers into CheckedPtrs.

    * Source/WebCore/Modules/badge/WorkerBadgeProxy.h:
    * Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp:
    (WebCore::createMainThreadConnection):
    * Source/WebCore/Modules/permissions/Permissions.cpp:
    (WebCore::Permissions::query):
    * Source/WebCore/Modules/storage/WorkerStorageConnection.cpp:
    (WebCore::WorkerStorageConnection::getPersisted):
    (WebCore::WorkerStorageConnection::getEstimate):
    (WebCore::WorkerStorageConnection::fileSystemGetDirectory):
    * Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
    (WebCore::AudioWorkletGlobalScope::registerProcessor):
    * Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp:
    (WebCore::AudioWorkletMessagingProxy::~AudioWorkletMessagingProxy):
    * Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp:
    (WebCore::AudioWorkletThread::clearProxies):
    (WebCore::AudioWorkletThread::workerLoaderProxy):
    (WebCore::AudioWorkletThread::messagingProxy):
    * Source/WebCore/Modules/webaudio/AudioWorkletThread.h:
    (WebCore::AudioWorkletThread::messagingProxy): Deleted.
    * Source/WebCore/Modules/websockets/WebSocket.cpp:
    (WebCore::WebSocket::connect):
    * Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
    (WebCore::WorkerThreadableWebSocketChannel::Bridge::Bridge):
    (WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadInitialize):
    * Source/WebCore/dom/BroadcastChannel.cpp:
    (WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
    * Source/WebCore/dom/ScriptExecutionContext.cpp:
    (WebCore::ScriptExecutionContext::postTaskToResponsibleDocument):
    * Source/WebCore/loader/WorkerThreadableLoader.cpp:
    (WebCore::WorkerThreadableLoader::WorkerThreadableLoader):
    * Source/WebCore/loader/cache/MemoryCache.cpp:
    (WebCore::MemoryCache::removeRequestFromSessionCaches):
    * Source/WebCore/page/WorkerNavigator.cpp:
    (WebCore::WorkerNavigator::setAppBadge):
    * Source/WebCore/workers/WorkerDebuggerProxy.h:
    * Source/WebCore/workers/WorkerGlobalScope.cpp:
    (WebCore::WorkerGlobalScope::~WorkerGlobalScope):
    (WebCore::WorkerGlobalScope::createRTCDataChannelRemoteHandlerConnection):
    (WebCore::WorkerGlobalScope::close):
    (WebCore::WorkerGlobalScope::logExceptionToConsole):
    (WebCore::WorkerGlobalScope::wrapCryptoKey):
    (WebCore::WorkerGlobalScope::unwrapCryptoKey):
    (WebCore::WorkerGlobalScope::reportErrorToWorkerObject):
    * Source/WebCore/workers/WorkerLoaderProxy.h:
    * Source/WebCore/workers/WorkerMessagingProxy.cpp:
    (WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
    (WebCore::WorkerMessagingProxy::~WorkerMessagingProxy):
    (WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
    * Source/WebCore/workers/WorkerNotificationClient.cpp:
    (WebCore::WorkerNotificationClient::postToMainThread):
    * Source/WebCore/workers/WorkerOrWorkletThread.h:
    * Source/WebCore/workers/WorkerReportingProxy.h:
    * Source/WebCore/workers/WorkerThread.cpp:
    (WebCore::WorkerThread::workerBadgeProxy const):
    (WebCore::WorkerThread::workerDebuggerProxy const):
    (WebCore::WorkerThread::workerLoaderProxy):
    (WebCore::WorkerThread::workerReportingProxy const):
    (WebCore::WorkerThread::clearProxies):
    * Source/WebCore/workers/WorkerThread.h:
    (WebCore::WorkerThread::workerBadgeProxy const): Deleted.
    (WebCore::WorkerThread::workerReportingProxy const): Deleted.
    * Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp:
    (WebCore::ServiceWorkerThreadProxy::~ServiceWorkerThreadProxy):
    * Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp:
    (WebCore::SharedWorkerThreadProxy::~SharedWorkerThreadProxy):

    Canonical link: https://commits.webkit.org/267815.537@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.153@webkitglib/2.42


  Commit: 438c6a95c2a744c268928d9d0bc7c287b5282f03
      https://github.com/WebKit/WebKit/commit/438c6a95c2a744c268928d9d0bc7c287b5282f03
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/stress/re-enter-resolve-rope-string.js
    M Source/JavaScriptCore/heap/Heap.h
    M Source/JavaScriptCore/runtime/JSString.cpp
    M Source/JavaScriptCore/runtime/JSStringInlines.h

  Log Message:
  -----------
  Cherry-pick 267815.494 at safari-7617-branch (43754f3837df). https://bugs.webkit.org/show_bug.cgi?id=264016

    [JSC] Fix reportExtraMemoryAllocated uses when resolving rope strings
    https://bugs.webkit.org/show_bug.cgi?id=264016
    rdar://117639567

    Reviewed by Yusuke Suzuki.

    Heap::reportExtraMemoryAllocated may trigger JSRopeString::resolveRope.
    If this API needs to be used when resolving a rope string, then we should
    make sure to call this API after the rope string is completely resolved.

    * Source/JavaScriptCore/heap/Heap.h:
    * Source/JavaScriptCore/runtime/JSString.cpp:
    (JSC::JSRopeString::resolveRopeToAtomString const):
    (JSC::JSRopeString::resolveRopeWithFunction const):
    * Source/JavaScriptCore/runtime/JSStringInlines.h:
    (JSC::jsAtomString):

    Canonical link: https://commits.webkit.org/267815.494@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.154@webkitglib/2.42


  Commit: fe115c9617a3e7a6efda73be56df8227ca6ccd81
      https://github.com/WebKit/WebKit/commit/fe115c9617a3e7a6efda73be56df8227ca6ccd81
  Author: BJ Burg <bburg at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSuspendAllMediaPlayback.mm

  Log Message:
  -----------
  Cherry-pick 267815.495 at safari-7617-branch (64b3c403419f). rdar://116595009

    Element fullscreen requests should be ignored while media is suspended.
    rdar://116595009

    Reviewed by Jer Noble.

    It is undesirable to allow entering element fullscreen while media is suspended.
    Check for this condition and bail out if needed.

    * Source/WebCore/html/HTMLMediaElement.cpp:
    (WebCore::HTMLMediaElement::enterFullscreen):

    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewSuspendAllMediaPlayback.mm:
    (TEST): Added test case.

    Canonical link: https://commits.webkit.org/267815.495@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.155@webkitglib/2.42


  Commit: 822396cfcbaf931e1641268488fb5db838a38874
      https://github.com/WebKit/WebKit/commit/822396cfcbaf931e1641268488fb5db838a38874
  Author: Erica Li <lerica at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt
    A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html
    A LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html
    M Source/WebCore/css/CSSStyleSheet.cpp
    M Source/WebCore/css/StyleSheetContents.cpp
    M Source/WebCore/css/StyleSheetContents.h

  Log Message:
  -----------
  Cherry-pick 267815.506 at safari-7617-branch (40098636b478). https://bugs.webkit.org/show_bug.cgi?id=263950

    jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(position <= size()); in CSSStyleSheet::insertRule(...) CSSStyleSheet.cpp:365
    https://bugs.webkit.org/show_bug.cgi?id=263950
    rdar://117469266

    Reviewed by Antti Koivisto and Darin Adler.

    Based on the specification, we should return early and throw an InvalidStateError exception when attempting to delete an @namespace rule and the list contains anything other than @import or @namespace rules.

    * LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
    * LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html: Added.
    * Source/WebCore/css/CSSStyleSheet.cpp:
    (WebCore::CSSStyleSheet::deleteRule):
    * Source/WebCore/css/StyleSheetContents.cpp:
    (WebCore::StyleSheetContents::wrapperDeleteRule):
    * Source/WebCore/css/StyleSheetContents.h:

    Canonical link: https://commits.webkit.org/267815.506@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.156@webkitglib/2.42


  Commit: 89e825a1a3816eea5888d2ed93021a1ce824338b
      https://github.com/WebKit/WebKit/commit/89e825a1a3816eea5888d2ed93021a1ce824338b
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/insertrule-namespace-after-layer-expected.txt
    A LayoutTests/fast/css/insertrule-namespace-after-layer.html
    M Source/WebCore/css/StyleSheetContents.cpp

  Log Message:
  -----------
  Cherry-pick 267815.351 at safari-7617-branch (cf04124d9563). rdar://117071899

    [CSS] Don't crash when trying to insert namespace rule after layer rule
    rdar://117071899

    Reviewed by Antti Koivisto.

    By spec, a namespace rule can't be inserted after a layer rule.

    https://drafts.csswg.org/css-namespaces/#syntax

    * LayoutTests/fast/css/insertrule-namespace-after-layer-expected.txt: Added.
    * LayoutTests/fast/css/insertrule-namespace-after-layer.html: Added.
    * Source/WebCore/css/StyleSheetContents.cpp:
    (WebCore::StyleSheetContents::wrapperInsertRule):

    Canonical link: https://commits.webkit.org/267815.351@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.157@webkitglib/2.42
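The two CSSOM checks from the deleteRule commit (266719.156 above) and the insertRule commit directly above, as one added example that is not WebKit's code: a minimal rule list where rules are just type tags, applying the CSSOM "insert a CSS rule" / "remove a CSS rule" condition that an @namespace rule may only be inserted or removed while the list holds nothing but @import and @namespace rules (an @layer rule counts as "anything other", which is why @namespace after @layer must fail). RuleList, RuleType and the two try* helpers are names assumed for the illustration; WebKit's real implementation works on StyleRuleBase objects in StyleSheetContents.

```cpp
// Added example (not WebKit code): CSSOM @namespace insert/delete checks on a
// toy rule list, modelling the conditions the two CSS fixes above enforce.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

enum class RuleType { Import, Namespace, Layer, Style };

struct InvalidStateError : std::runtime_error {
    using std::runtime_error::runtime_error;
};
struct IndexSizeError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

class RuleList {
public:
    // CSSOM "insert a CSS rule": range check first, then, if the new rule is
    // @namespace and the list contains anything other than @import/@namespace
    // rules, throw InvalidStateError. Previously WebKit hit
    // ASSERT_WITH_SECURITY_IMPLICATION(position <= size()) instead.
    void insertRule(RuleType rule, std::size_t index) {
        if (index > m_rules.size())
            throw IndexSizeError("index > length");
        if (rule == RuleType::Namespace && !onlyImportsAndNamespaces())
            throw InvalidStateError("@namespace cannot be inserted here");
        m_rules.insert(m_rules.begin() + static_cast<std::ptrdiff_t>(index), rule);
    }

    // CSSOM "remove a CSS rule": the same condition on removal, so a style rule
    // cannot be left referring to a namespace prefix that no longer resolves.
    void deleteRule(std::size_t index) {
        if (index >= m_rules.size())
            throw IndexSizeError("index >= length");
        if (m_rules[index] == RuleType::Namespace && !onlyImportsAndNamespaces())
            throw InvalidStateError("@namespace cannot be deleted here");
        m_rules.erase(m_rules.begin() + static_cast<std::ptrdiff_t>(index));
    }

    std::size_t length() const { return m_rules.size(); }

private:
    bool onlyImportsAndNamespaces() const {
        for (RuleType r : m_rules) {
            if (r != RuleType::Import && r != RuleType::Namespace)
                return false;
        }
        return true;
    }
    std::vector<RuleType> m_rules;
};

// Scenario from the insertrule-namespace-after-layer test: @layer first, then
// try to insert @namespace. Returns the exception name so it can be checked.
std::string tryInsertNamespaceAfterLayer() {
    RuleList list;
    list.insertRule(RuleType::Layer, 0);
    try {
        list.insertRule(RuleType::Namespace, 1);
    } catch (const InvalidStateError&) {
        return "InvalidStateError";
    }
    return "ok";
}

// Scenario from the delete-namespace-rule-when-child-rule-exists test:
// @namespace followed by a normal style rule, then try to delete @namespace.
std::string tryDeleteNamespaceWithChildRule() {
    RuleList list;
    list.insertRule(RuleType::Namespace, 0);
    list.insertRule(RuleType::Style, 1);
    try {
        list.deleteRule(0);
    } catch (const InvalidStateError&) {
        return "InvalidStateError";
    }
    return "ok";
}
```

The browser-facing equivalent is `sheet.insertRule('@namespace svg url(http://www.w3.org/2000/svg);', 1)` after an `@layer` rule, or `sheet.deleteRule(0)` on an @namespace rule that a style rule follows; both must reject with InvalidStateError rather than reaching an assertion.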


  Commit: b2c3e847699cdb662778d557fcea5130ba700997
      https://github.com/WebKit/WebKit/commit/b2c3e847699cdb662778d557fcea5130ba700997
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/stress/double-inlined-call-argument.js
    A JSTests/stress/regress-116397731.js
    M Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp

  Log Message:
  -----------
  Cherry-pick 267815.352 at safari-7617-branch (11987a2c00bf). https://bugs.webkit.org/show_bug.cgi?id=263090

    [JSC] DFG might force a local to be double even if we store non-numeric values into it
    https://bugs.webkit.org/show_bug.cgi?id=263090
    <rdar://116397731>

    Reviewed by Keith Miller.

    This change fixes tallyVotesForShouldUseDoubleFormat() to set NotUsingDoubleFormat if the variable
    is no longer predicted to hold only doubles.

    * JSTests/stress/double-inlined-call-argument.js: Added.
    * JSTests/stress/regress-116397731.js: Added.
    * Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp:
    (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):

    Canonical link: https://commits.webkit.org/267815.352@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.158@webkitglib/2.42


  Commit: d29dc914ce786b79336123e043629884713f07a0
      https://github.com/WebKit/WebKit/commit/d29dc914ce786b79336123e043629884713f07a0
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/stress/ClassInfo-across-structure-transition.js
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Cherry-pick 267815.353 at safari-7617-branch (20234c667f25). https://bugs.webkit.org/show_bug.cgi?id=263356

    Load compact ClassInfo from structure correctly in FTL
    https://bugs.webkit.org/show_bug.cgi?id=263356
    rdar://115494572

    Reviewed by Mark Lam.

    Currently, FTL assumes loading the m_classInfo from a structure is a
    loadPtr on all platforms - this is not the case, since ClassInfo is
    represented as a 32-bit CompactPtr<ClassInfo> on platforms with 36-bit
    addresses. As a result, when loading the ClassInfo in some FTL nodes, it
    results in a junk value with the lower bits being the unshifted ClassInfo
    address, and the upper bits being taken erroneously from
    m_transitionPropertyName. This patch introduces a new loadCompactPtr()
    helper to FTLLowerDFGToB3 that correctly loads and shifts compact pointer
    fields, which in current FTL is just Structure.m_classInfo.

    * JSTests/stress/ClassInfo-across-structure-transition.js: Added.
    (calling):
    * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
    (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
    (JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

    Canonical link: https://commits.webkit.org/267815.353@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.159@webkitglib/2.42


  Commit: a939442717bd849ddf6db1fd0c30b12a6cce29d9
      https://github.com/WebKit/WebKit/commit/a939442717bd849ddf6db1fd0c30b12a6cce29d9
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt
    A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Cherry-pick 267815.354 at safari-7617-branch (c34793cc5793). https://bugs.webkit.org/show_bug.cgi?id=263204

    Assertion hit under Document::dispatchPagehideEvent()
    https://bugs.webkit.org/show_bug.cgi?id=263204
    rdar://116715579

    Reviewed by Ryosuke Niwa.

    Delay the load if we're not allowed to run script right now. Scheduling a load will
    cancel / stop any pending load, which may cause events to be fired and script to run.

    The synchronous code path is kept when we're allowed to run script to avoid breaking
    tests such as:
    - imported/w3c/web-platform-tests/css/css-writing-modes/abs-pos-non-replaced-icb-vlr-*.xht
    - imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/sandbox_004.htm
    - imported/blink/svg/dom/viewspec-*.html
    - fast/css/acid2.html

    * LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt: Added.
    * LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html: Added.
    * Source/WebCore/html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::requestObject):

    Canonical link: https://commits.webkit.org/267815.354@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.160@webkitglib/2.42


  Commit: c3ca39cb1c6b232e58a26118dc3f0f5ee1be720d
      https://github.com/WebKit/WebKit/commit/c3ca39cb1c6b232e58a26118dc3f0f5ee1be720d
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/stress/array-iterator-to-this.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp

  Log Message:
  -----------
  Cherry-pick 267815.357 at safari-7617-branch (ae764a813e03). https://bugs.webkit.org/show_bug.cgi?id=263408

    Array iterator creation intrinsics need ToThis
    https://bugs.webkit.org/show_bug.cgi?id=263408
    rdar://113898245

    Reviewed by Yusuke Suzuki.

    Currently, we don't ToThis the 'this' value when we intrinsicify
    the various Array iterator creation functions, which we should.
    This patch also changes `clobbersExitState` to say exit state
    is not clobbered if a node only writes to `HeapObjectCount`.
    Our previous behavior was overly conservative, which caused
    assertion failures as the `ToObject` following the `ToThis`
    would get converted to a `Check(Object)` when exit was invalid.

    * JSTests/stress/array-iterator-to-this.js: Added.
    (opt):
    (main):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
    * Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp:
    (JSC::DFG::clobbersExitState):

    Canonical link: https://commits.webkit.org/267815.357@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.161@webkitglib/2.42


  Commit: 53cf2a653d4c7697ed51a628fc06d01056217cd3
      https://github.com/WebKit/WebKit/commit/53cf2a653d4c7697ed51a628fc06d01056217cd3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WTF/wtf/Ref.h
    M Source/WTF/wtf/RefPtr.h
    M Source/WTF/wtf/TypeCasts.h
    M Source/WebCore/html/shadow/DateTimeEditElement.cpp
    M Source/WebCore/html/shadow/DateTimeFieldElement.cpp
    M Source/WebCore/html/shadow/DetailsMarkerControl.cpp
    M Source/WebCore/html/shadow/ProgressShadowElement.cpp
    M Source/WebCore/html/shadow/SliderThumbElement.cpp
    M Source/WebCore/html/shadow/TextControlInnerElements.cpp

  Log Message:
  -----------
  Cherry-pick 267815.359 at safari-7617-branch (1f4ca4f6b608). https://bugs.webkit.org/show_bug.cgi?id=264327

    [Hardening] Introduce checkedDowncast<>() and use it in a few places where the type is not obvious
    https://bugs.webkit.org/show_bug.cgi?id=263463
    rdar://117247122

    Reviewed by Darin Adler and Ryosuke Niwa.

    Introduce checkedDowncast<>() and use it in a few places where the type is not
    obvious (no earlier is<>() check).

    checkedDowncast<>() is just like downcast<>() but its internal type check is a
    RELEASE_ASSERT() instead of a debug ASSERT().

    In the future, we may want to promote using either dynamicDowncast<>() or
    checkedDowncast<>() and maybe phasing out downcast<>() (in which case we could
    rename checkedDowncast<>() to downcast()).

    * Source/WTF/wtf/Ref.h:
    (WTF::checkedDowncast):
    * Source/WTF/wtf/RefPtr.h:
    (WTF::checkedDowncast):
    * Source/WTF/wtf/TypeCasts.h:
    (WTF::checkedDowncast):
    * Source/WebCore/html/shadow/DateTimeEditElement.cpp:
    (WebCore::DateTimeEditElement::fieldsWrapperElement const):
    * Source/WebCore/html/shadow/DateTimeFieldElement.cpp:
    (WebCore::DateTimeFieldElement::updateVisibleValue):
    * Source/WebCore/html/shadow/DetailsMarkerControl.cpp:
    (WebCore::DetailsMarkerControl::rendererIsNeeded):
    * Source/WebCore/html/shadow/ProgressShadowElement.cpp:
    (WebCore::ProgressShadowElement::progressElement const):
    * Source/WebCore/html/shadow/SliderThumbElement.cpp:
    (WebCore::RenderSliderContainer::computeLogicalHeight const):
    (WebCore::RenderSliderContainer::layout):
    (WebCore::SliderThumbElement::hostInput const):
    * Source/WebCore/html/shadow/TextControlInnerElements.cpp:
    (WebCore::isStrongPasswordTextField):
    (WebCore::TextControlInnerTextElement::renderer const):
    (WebCore::TextControlInnerTextElement::resolveCustomStyle):
    (WebCore::TextControlPlaceholderElement::resolveCustomStyle):
    (WebCore::SearchFieldResultsButtonElement::defaultEventHandler):
    (WebCore::SearchFieldCancelButtonElement::resolveCustomStyle):
    (WebCore::SearchFieldCancelButtonElement::defaultEventHandler):
    (WebCore::SearchFieldCancelButtonElement::willRespondToMouseClickEventsWithEditability const):

    Canonical link: https://commits.webkit.org/267815.359@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.162@webkitglib/2.42
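The three cast flavours the commit above contrasts, as an added example that is not WebKit's code: a tiny Node/Text/Element hierarchy with a manual type tag replaces WTF's TypeCasts machinery, and `std::abort()` stands in for RELEASE_ASSERT. The names is<>, downcast<>, dynamicDowncast<>, checkedDowncast<>, tagNameOf and isKnownElement follow the commit's vocabulary but are this example's own definitions.

```cpp
// Added example (not WebKit code): downcast vs dynamicDowncast vs
// checkedDowncast on a toy node hierarchy.
#include <cassert>
#include <cstdlib>
#include <string>

struct Node {
    enum class Kind { Text, Element };
    explicit Node(Kind k) : kind(k) {}
    virtual ~Node() = default;
    Kind kind;
};
struct Text : Node {
    Text() : Node(Kind::Text) {}
    std::string data = "hello";
};
struct Element : Node {
    Element() : Node(Kind::Element) {}
    std::string tagName = "div";
};

// Type predicates, as is<>() in WTF.
template<typename T> bool is(const Node&);
template<> bool is<Element>(const Node& n) { return n.kind == Node::Kind::Element; }
template<> bool is<Text>(const Node& n) { return n.kind == Node::Kind::Text; }

// downcast<>(): debug-only check. With NDEBUG a wrong type is silently
// reinterpreted, i.e. type confusion rather than a crash.
template<typename T> T& downcast(Node& n) {
    assert(is<T>(n));
    return static_cast<T&>(n);
}

// dynamicDowncast<>(): nullptr on mismatch; caller must handle it.
template<typename T> T* dynamicDowncast(Node& n) {
    return is<T>(n) ? static_cast<T*>(&n) : nullptr;
}

// checkedDowncast<>(): the check survives into release builds, so a mismatch
// is a deterministic abort instead of a memory-safety bug (RELEASE_ASSERT in WebKit).
template<typename T> T& checkedDowncast(Node& n) {
    if (!is<T>(n))
        std::abort();
    return static_cast<T&>(n);
}

// The situation the commit targets: a call site with no earlier is<>() check
// that simply assumes its host node is an Element.
std::string tagNameOf(Node& host) {
    return checkedDowncast<Element>(host).tagName;
}

// The alternative where the caller can tolerate a mismatch.
bool isKnownElement(Node& host) {
    return dynamicDowncast<Element>(host) != nullptr;
}
```

Passing a Text node to tagNameOf() aborts with checkedDowncast<>(); with plain downcast<>() in a release build it would instead read Element::tagName out of a Text object.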


  Commit: bd2159f999b3eef57cae44dfb9fd084dca1c58f0
      https://github.com/WebKit/WebKit/commit/bd2159f999b3eef57cae44dfb9fd084dca1c58f0
  Author: Ryan Haddad <ryanhaddad at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WTF/wtf/PlatformHave.h

  Log Message:
  -----------
  Cherry-pick 267815.395 at safari-7617-branch (975762e3dd0f). https://bugs.webkit.org/show_bug.cgi?id=264327

    Add definition for HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION
    rdar://117378587

    Rubber-stamped by Wenson Hsieh.

    The fix in webkit.org/b/263266 to "Suppress excessive logging due to calling into
    `-[UITextInteractionAssistant selectionView]` in API tests" does not work on the
    safari-7617-branch because we lack the definition for HAVE_UI_TEXT_SELECTION_DISPLAY_INTERACTION.

    * Source/WTF/wtf/PlatformHave.h:

    Canonical link: https://commits.webkit.org/267815.395@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.163@webkitglib/2.42


  Commit: fe28561a92b5fe197ecdfcc09e2b005eaa3efd00
      https://github.com/WebKit/WebKit/commit/fe28561a92b5fe197ecdfcc09e2b005eaa3efd00
  Author: Erica Li <lerica at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt
    A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html
    M Source/WebCore/bindings/js/InternalWritableStream.cpp
    M Tools/DumpRenderTree/mac/DumpRenderTree.mm

  Log Message:
  -----------
  Cherry-pick 267815.398 at safari-7617-branch (f11c81a103a8). https://bugs.webkit.org/show_bug.cgi?id=262865

    jsc_fuz/wktr: null ptr deref in WebCore::invokeWritableStreamFunction(...) (InternalWritableStream.cpp:49)
    https://bugs.webkit.org/show_bug.cgi?id=262865
    rdar://116465595

    Reviewed by Mark Lam.

    Return early when worker is terminated while trying to get function from globalObject.
    Set useDollarVM in test option initialization for cases when useDollarVM will be reset before injectInternalsObject is called in DRT.

    * LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt: Added.
    * LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html: Added.
    * Source/WebCore/bindings/js/InternalWritableStream.cpp:
    (WebCore::invokeWritableStreamFunction):
    * Tools/DumpRenderTree/mac/DumpRenderTree.mm:
    (testOptionsForTest):

    Canonical link: https://commits.webkit.org/267815.398@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.164@webkitglib/2.42


  Commit: 2577bb4e4338a256cf165d6ed93e03be10eae9c1
      https://github.com/WebKit/WebKit/commit/2577bb4e4338a256cf165d6ed93e03be10eae9c1
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-005-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-006-expected.txt
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp

  Log Message:
  -----------
  Cherry-pick 267786 at main (514d0acadd36). https://bugs.webkit.org/show_bug.cgi?id=253936

    canvas-as-container-005.html & canvas-as-container-006.html fail
    https://bugs.webkit.org/show_bug.cgi?id=253936
    rdar://106739131

    Reviewed by Alan Baradlay.

    When resolving computed style in a non-rendered subtree we fail to take container queries into account.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-005-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/canvas-as-container-006-expected.txt:
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::styleForElementIgnoringPendingStylesheets):

    Take care to have updated document style if it is not clean and we are resolving the root element.

    * Source/WebCore/dom/Element.cpp:
    (WebCore::Element::resolveComputedStyle):

    - Ensure the style scope is flushed so stylesheet data is current.
    - Don't bail out when encountering display:none subtree, the ancestors may still affect its style.
    - Fall back to a full style update if we encounter a query container with invalid style in the ancestor chain.

    Canonical link: https://commits.webkit.org/267786@main

Canonical link: https://commits.webkit.org/266719.165@webkitglib/2.42


  Commit: 09edd3d273d8dc93c82b3e72349f5f1fe4692461
      https://github.com/WebKit/WebKit/commit/09edd3d273d8dc93c82b3e72349f5f1fe4692461
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/container-style-editability-crash-expected.txt
    A LayoutTests/fast/css/container-style-editability-crash.html
    M LayoutTests/platform/ios-wk2/fast/dom/focus-dialog-blur-input-type-change-crash-expected.txt
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Element.h

  Log Message:
  -----------
  Cherry-pick 267815.436 at safari-7617-branch (699e9669a530). https://bugs.webkit.org/show_bug.cgi?id=263522

    REGRESSION(267786 at main): Crash under RenderBlock::isSelectionRoot() with query container
    https://bugs.webkit.org/show_bug.cgi?id=263522
    rdar://115777188

    Reviewed by Alan Baradlay.

    * LayoutTests/fast/css/container-style-editability-crash-expected.txt: Added.
    * LayoutTests/fast/css/container-style-editability-crash.html: Added.
    * Source/WebCore/dom/Element.cpp:
    (WebCore::Element::resolveComputedStyle):
    (WebCore::Element::computedStyleForEditability):

    Avoid triggering style resolution when computing editability.

    * Source/WebCore/dom/Element.h:

    Canonical link: https://commits.webkit.org/267815.436@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.166@webkitglib/2.42


  Commit: 9075aaae5674dbf96a57dd63742261407859fca2
      https://github.com/WebKit/WebKit/commit/9075aaae5674dbf96a57dd63742261407859fca2
  Author: nishajain61 <nisha_jain at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html
    M Source/WTF/wtf/URLParser.cpp

  Log Message:
  -----------
  Cherry-pick 267815.437 at safari-7617-branch (e5674422c86e). https://bugs.webkit.org/show_bug.cgi?id=263682

    [cf9aab29ad0894e2] heap-use-after-free | WTF::URLParser::parse; WTF::URLParser::URLParser; WTF::URL::URL
    https://bugs.webkit.org/show_bug.cgi?id=263682
    rdar://116995567.

    Reviewed by David Kilzer and Chris Dumez.

    Modified WTF::URLParser::parse API so there is no invalid pointer reference to 'm_asciiBuffer' by 'StringView' after reallocation which results in invalid 'urlScheme'.

    * LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt: Added user expected test result.
    * LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html: Added test case which causes reallocation of buffer.
    * Source/WTF/wtf/URLParser.cpp: Modified below API
    (WTF::URLParser::parse): Modified order of function calls so no invalid reference to buffer is made after reallocation resulting in invalid 'urlScheme'.

    Canonical link: https://commits.webkit.org/267815.437@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.167@webkitglib/2.42


  Commit: 0cd7221a47f5c5c21517c2a380fa6b271828bc14
      https://github.com/WebKit/WebKit/commit/0cd7221a47f5c5c21517c2a380fa6b271828bc14
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/stress/int52rep-multiplication-with-overflow.js
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Cherry-pick 267815.438 at safari-7617-branch (20a302272ec6). https://bugs.webkit.org/show_bug.cgi?id=263707

    Int52Rep speculationCheck failed in DFG optimizations for the ArithMul operation.
    https://bugs.webkit.org/show_bug.cgi?id=263707
    rdar://117415514

    Reviewed by Keith Miller.

    The DFG ArithMul Int52Rep speculationCheck was using the binary form of the branchMul64
    emitter to check for overflow of the multiplication.  The ARM64 version of this binary
    form branchMul64 has a bug: it's re-using one of the src registers as the dest register.

    The underlying ARM64 implementation of branchMul64 needs to execute 2 instructions:
    mul and smulh.  Both of these instructions need to operate on the 2 source operands of
    the multiplication.  By making the dest register the same as the src1 register, the mul
    instruction, which comes first and computes dest, would trash src1.  Subsequently, smulh
    is computed with a corrupted src1 value.

    The fix is simple:
    1. Change the DFG ArithMul to use the ternary form of branchMul64.  It will just do the
       right thing, and in fact, eliminates an unnecessary move instruction on ARM64.

    2. Remove the ARM64 binary form of branchMul64.  It is now no longer used.

    3. For robustness, change the ternary form of branchMul64 to also be resilient against
       the scenario where dest equals either src1 or src2.  This is achieved by computing
       smulh first, which stores its result into a scratch register.  Only after that, do
       we compute mul, which is now free to set dest and potentially overwrite src1 or src2.

    * JSTests/stress/int52rep-multiplication-with-overflow.js: Added.
    (foo):
    * Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
    (JSC::MacroAssemblerARM64::branchMul64):
    * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

    Canonical link: https://commits.webkit.org/267815.438@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.168@webkitglib/2.42
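The register-aliasing bug described in the message above, modelled as an added example (not WebKit code): a four-slot register file where `dest` and `src1` can name the same slot, `mul`/`smulh` emulated with `__int128`, and the buggy binary form beside the fixed smulh-first ternary form. The register-file struct and the `emu_*` helpers are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ARM64 emitter bug: a tiny register file where two
 * register numbers can name the same slot, as dest == src1 did in the binary
 * form of branchMul64. Not WebKit code. */
typedef struct { int64_t r[4]; } regfile;

/* MUL: low 64 bits of the product (computed unsigned so wrap-around is not UB). */
static int64_t emu_mul(int64_t a, int64_t b)
{
    return (int64_t)((uint64_t)a * (uint64_t)b);
}

/* SMULH: high 64 bits of the signed 128-bit product. */
static int64_t emu_smulh(int64_t a, int64_t b)
{
    return (int64_t)(((__int128)a * (__int128)b) >> 64);
}

/* The product fits in int64 exactly when the high half equals the sign
 * extension of the low half; anything else is an overflow. */
static bool overflowed(int64_t hi, int64_t lo)
{
    return hi != (lo < 0 ? -1 : 0);
}

/* Buggy binary form: dest and src1 are one register. MUL writes it first,
 * so SMULH sees the truncated product instead of the original src1. */
bool branch_mul64_binary_buggy(regfile *rf, int dest_src1, int src2)
{
    rf->r[dest_src1] = emu_mul(rf->r[dest_src1], rf->r[src2]);
    int64_t hi = emu_smulh(rf->r[dest_src1], rf->r[src2]); /* corrupted src1 */
    return overflowed(hi, rf->r[dest_src1]);
}

/* Fixed ternary form: SMULH first into a scratch register while both sources
 * are intact, then MUL, which may now overwrite src1 or src2. */
bool branch_mul64_ternary_fixed(regfile *rf, int dest, int src1, int src2, int scratch)
{
    rf->r[scratch] = emu_smulh(rf->r[src1], rf->r[src2]);
    rf->r[dest] = emu_mul(rf->r[src1], rf->r[src2]);
    return overflowed(rf->r[scratch], rf->r[dest]);
}

/* 2^62 * 4 = 2^64 does not fit in int64: the buggy form misses it because
 * MUL already turned src1 into 0 before SMULH ran. Returns true when the
 * buggy form misses the overflow and the fixed form catches it. */
bool demo_missed_overflow(void)
{
    regfile rf = {{ (int64_t)1 << 62, 4, 0, 0 }};
    bool buggy = branch_mul64_binary_buggy(&rf, 0, 1);
    regfile rf2 = {{ (int64_t)1 << 62, 4, 0, 0 }};
    bool fixed = branch_mul64_ternary_fixed(&rf2, 0, 0, 1, 2);
    return !buggy && fixed;
}

int main(void)
{
    printf("buggy form missed the overflow, fixed form caught it: %s\n",
           demo_missed_overflow() ? "yes" : "no");
    return 0;
}
```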


  Commit: 04d78254390dd5a1aac265a3f0d915cd80081745
      https://github.com/WebKit/WebKit/commit/04d78254390dd5a1aac265a3f0d915cd80081745
  Author: Abigail Fox <abigail_fox at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/UIProcess/WebProcessPool.cpp

  Log Message:
  -----------
  Cherry-pick 267815.439 at safari-7617-branch (33927ceba2d6). https://bugs.webkit.org/show_bug.cgi?id=258161

    Added allowsFirstPartyForCookies check
    https://bugs.webkit.org/show_bug.cgi?id=258161
    rdar://106997645

    Reviewed by Alex Christensen.

    Added a message check to validate that the process is allowed to add first
    parties for cookies before allowing a call to addAllowedFirstPartyForCookies.

    Adding this message check exposed a scenario where a service worker web
    process could be spawned in a bad state without any allowed first parties.
    An addAllowedFirstPartyForCookies call was added to prevent this bad state.

    This error was caught by http/tests/cookies/same-site/fetch-in-cross-origin-service-worker.html

    * Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
    (WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):

    Canonical link: https://commits.webkit.org/267815.439@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.169@webkitglib/2.42


  Commit: c11fb1e8ef5df9fb422984b7eeab2c5e93d32238
      https://github.com/WebKit/WebKit/commit/c11fb1e8ef5df9fb422984b7eeab2c5e93d32238
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/PAL/pal/spi/cocoa/FoundationSPI.h
    M Source/WebCore/PAL/pal/spi/mac/NSPasteboardSPI.h
    M Source/WebCore/platform/Pasteboard.cpp
    M Source/WebCore/platform/Pasteboard.h
    M Source/WebCore/platform/PlatformPasteboard.h
    M Source/WebCore/platform/ios/PlatformPasteboardIOS.mm
    M Source/WebCore/platform/mac/PasteboardMac.mm
    M Source/WebCore/platform/mac/PlatformPasteboardMac.mm
    M Source/WebKit/Scripts/webkit/messages.py
    M Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
    M Source/WebKit/UIProcess/WebPasteboardProxy.h
    M Source/WebKit/UIProcess/WebPasteboardProxy.messages.in
    M Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp
    M Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm
    M Tools/WebKitTestRunner/mac/WebKitTestRunnerPasteboard.mm

  Log Message:
  -----------
  Cherry-pick 267815.441 at safari-7617-branch (d4645ae84721). https://bugs.webkit.org/show_bug.cgi?id=263622

    [CoreIPC] The pasteboard may perform image conversion in UIProcess
    https://bugs.webkit.org/show_bug.cgi?id=263622
    rdar://98996437

    Reviewed by Wenson Hsieh.

    When reading data from the pasteboard, image conversion may be performed
    when using `NSTIFFPboardType` as the requested type. This is a system feature,
    where a PNG can be written to the pasteboard, and a TIFF can be read out.
    However, this is undesirable from a WebKit perspective, as it allows for
    arbitrary image conversion across the process boundary.

    Fix by ensuring that the UI process always returns the original data, and
    perform the image conversion in the Web process.

    * Source/WebCore/PAL/pal/spi/cocoa/FoundationSPI.h:
    * Source/WebCore/PAL/pal/spi/mac/NSPasteboardSPI.h:

    Declare an internal `NSPasteboard` method to obtain the unconverted data.

    * Source/WebCore/platform/Pasteboard.cpp:
    * Source/WebCore/platform/Pasteboard.h:
    (WebCore::Pasteboard::bufferConvertedToPasteboardType):
    * Source/WebCore/platform/PlatformPasteboard.h:
    * Source/WebCore/platform/ios/PlatformPasteboardIOS.mm:
    (WebCore::PlatformPasteboard::bufferForType const):
    * Source/WebCore/platform/mac/PasteboardMac.mm:
    (WebCore::Pasteboard::bufferConvertedToPasteboardType):

    Perform the conversion to TIFF using CoreGraphics in the Web process.

    * Source/WebCore/platform/mac/PlatformPasteboardMac.mm:
    (WebCore::PlatformPasteboard::bufferForType const):

    When requesting `NSTIFFPboardType`, and an image source is available on the
    pasteboard, return the original data and the original type, rather than
    performing image conversion.

    (WebCore::PlatformPasteboard::readBuffer const):
    * Source/WebKit/Scripts/webkit/messages.py:
    (headers_for_type):
    * Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
    (WebKit::WebPasteboardProxy::getPasteboardBufferForType):
    * Source/WebKit/UIProcess/WebPasteboardProxy.h:
    * Source/WebKit/UIProcess/WebPasteboardProxy.messages.in:
    * Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
    (WebKit::WebPlatformStrategies::bufferForType):
    * Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm:
    (WebPlatformStrategies::bufferForType):
    * Tools/WebKitTestRunner/mac/WebKitTestRunnerPasteboard.mm:
    (-[LocalPasteboard _dataWithoutConversionForType:securityScoped:]):

    Override `_dataWithoutConversionForType:securityScoped:` since the custom
    subclass used for testing does not account for pasteboard generation and
    simply overrides `dataForType:`.

    Without this implementation, the change would result in a call to the base
    class and crash in `CFPasteboardGetGenerationCount`.

    Canonical link: https://commits.webkit.org/267815.441@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.170@webkitglib/2.42


  Commit: f44dbee955b52c4787e2352845a5e5f0d6c7b509
      https://github.com/WebKit/WebKit/commit/f44dbee955b52c4787e2352845a5e5f0d6c7b509
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_svc_layercontext.c

  Log Message:
  -----------
  Cherry-pick 267815.443 at safari-7617-branch (0528644ffe6b). rdar://117146735

    Potential 'overflow' issue committed to upstream libvpx as e4db6c3aacb3fbcbb939f132915234988f8617c1
    rdar://117146735

    Reviewed by Eric Carlson.

    We cherry-pick the changes of https://github.com/webmproject/libvpx/commit/e4db6c3aacb3fbcbb939f132915234988f8617c1,
    except for the test part which does not apply cleanly.

    * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_ratectrl.c:
    (vp9_rc_update_framerate):
    * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_svc_layercontext.c:
    (vp9_update_layer_context_change_config):
    (vp9_update_temporal_layer_framerate):
    (vp9_update_spatial_layer_framerate):

    Canonical link: https://commits.webkit.org/267815.443@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.171@webkitglib/2.42


  Commit: 7ddf412f70c899f9a70549d64bb0536ea2b003e2
      https://github.com/WebKit/WebKit/commit/7ddf412f70c899f9a70549d64bb0536ea2b003e2
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt
    A LayoutTests/webrtc/processIceTransportStateChange-gc.html
    M Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp
    M Source/WebCore/Modules/mediastream/RTCIceTransport.cpp
    M Source/WebCore/Modules/mediastream/RTCIceTransport.h

  Log Message:
  -----------
  Cherry-pick 267815.446 at safari-7617-branch (8be2b8b167a1). rdar://117526483

    Use-after-free in RTCPeerConnection::processIceTransportStateChange
    rdar://117526483

    Reviewed by Jean-Yves Avenard.

    RTCIceTransport is calling RTCPeerConnection::processIceTransportStateChange without protecting its RTCPeerConnection.
    processIceTransportStateChange can trigger JS execution so we need to protect the RTCPeerConnection.
    Make RTCIceTransport do so, and update RTCIceTransport connection getter to return a RefPtr instead of a raw pointer.

    * LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt: Added.
    * LayoutTests/webrtc/processIceTransportStateChange-gc.html: Added.
    * Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp:
    (WebCore::RTCDtlsTransport::onStateChanged):
    * Source/WebCore/Modules/mediastream/RTCIceTransport.cpp:
    (WebCore::RTCIceTransport::onStateChanged):
    * Source/WebCore/Modules/mediastream/RTCIceTransport.h:
    (WebCore::RTCIceTransport::connection const):

    Canonical link: https://commits.webkit.org/267815.446@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.172@webkitglib/2.42


  Commit: ac8dad388db6575c658c39bd3485220dc3e2d037
      https://github.com/WebKit/WebKit/commit/ac8dad388db6575c658c39bd3485220dc3e2d037
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt
    A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 267815.459 at safari-7617-branch (ce6d953127cf). https://bugs.webkit.org/show_bug.cgi?id=263794

    The deserializer should fail properly if it cannot materialize ArrayBufferViews.
    https://bugs.webkit.org/show_bug.cgi?id=263794
    rdar://117572216

    Reviewed by Sihui Liu and Keith Miller.

    * LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt: Added.
    * LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html: Added.
    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::readArrayBufferViewImpl):

    Canonical link: https://commits.webkit.org/267815.459@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.173@webkitglib/2.42


  Commit: 40a5e9743276f1a08f123ea7b8770049c81e8fe3
      https://github.com/WebKit/WebKit/commit/40a5e9743276f1a08f123ea7b8770049c81e8fe3
  Author: Tyler Wilcock <tyler_w at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm

  Log Message:
  -----------
  Cherry-pick 267815.468 at safari-7617-branch (4fce5d70c3d6). rdar://117556782

    AX: Nullptr deref of AXObjectCache in AccessibilityObject::contentForRange
    rdar://117556782

    Reviewed by Chris Fleizach.

    * Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm:
    (WebCore::AccessibilityObject::contentForRange const):
    Null-check AXObjectCache before using it to prevent a rare crash.

    Canonical link: https://commits.webkit.org/267815.468@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.174@webkitglib/2.42


  Commit: db46056004ae04cf73577c49890a7d3c195bff7b
      https://github.com/WebKit/WebKit/commit/db46056004ae04cf73577c49890a7d3c195bff7b
  Author: Tyler Wilcock <tyler_w at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/accessibility/AccessibilityNodeObject.cpp

  Log Message:
  -----------
  Cherry-pick 267815.479 at safari-7617-branch (bb2e66a677f1). rdar://117640053

    AccessibilityNodeObject::determineAccessibilityRoleFromNode needs to null-check node before using it
    rdar://117640053

    Reviewed by Chris Fleizach and Ryosuke Niwa.

    It's possible for AccessibilityNodeObject::m_node (which is a WeakPtr)
    to get destroyed in the middle of determineAccessibilityRoleFromNode,
    meaning subsequent node()->foo accesses will cause a nullptr deref.

    Use a RefPtr to keep the node alive until the end of this function, so
    that after we null-check it once we know it's valid until we exit.

    * Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
    (WebCore::AccessibilityNodeObject::determineAccessibilityRoleFromNode const):

    Canonical link: https://commits.webkit.org/267815.479@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.175@webkitglib/2.42


  Commit: 03ed5c15b877b82fce5a3457c55c71a27d43377c
      https://github.com/WebKit/WebKit/commit/03ed5c15b877b82fce5a3457c55c71a27d43377c
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document-expected.txt
    A LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document.html
    A LayoutTests/http/tests/security/resources/popup-watchid.html

  Log Message:
  -----------
  Cherry-pick 267815.490 at safari-7617-branch (837e69390e41). https://bugs.webkit.org/show_bug.cgi?id=263277

    Add test for Geolocation WatchID
    https://bugs.webkit.org/show_bug.cgi?id=263277
    rdar://8731258

    Reviewed by David Kilzer.

    Add a test that confirms the Geolocation WatchID is unique per document.

    * LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document-expected.txt: Added.
    * LayoutTests/http/tests/security/isolate-geolocation-watch-id-per-document.html: Added.
    * LayoutTests/http/tests/security/resources/popup-watchid.html: Added.

    Canonical link: https://commits.webkit.org/267815.490@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.176@webkitglib/2.42


  Commit: 26d33963becb513d830c2540d4ea8322eb35a3bf
      https://github.com/WebKit/WebKit/commit/26d33963becb513d830c2540d4ea8322eb35a3bf
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp

  Log Message:
  -----------
  Cherry-pick 267815.314 at safari-7617-branch (80d2fe008437). https://bugs.webkit.org/show_bug.cgi?id=263254

    Fix bad capture by reference in CDMInstanceSessionClearKey::loadSession()
    https://bugs.webkit.org/show_bug.cgi?id=263254
    rdar://117061886

    Reviewed by Brent Fulgham.

    Fix bad capture by reference in an asynchronous callback in CDMInstanceSessionClearKey::loadSession().

    * Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp:
    (WebCore::CDMInstanceSessionClearKey::loadSession):

    Canonical link: https://commits.webkit.org/267815.314@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.177@webkitglib/2.42


  Commit: af483cdbdc8ee9644a91b79678aadd6808db16e4
      https://github.com/WebKit/WebKit/commit/af483cdbdc8ee9644a91b79678aadd6808db16e4
  Author: Andy Estes <aestes at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt
    A LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html
    M Source/WebCore/dom/FullscreenManager.cpp

  Log Message:
  -----------
  Cherry-pick 267815.332 at safari-7617-branch (dc44d44d42fd). https://bugs.webkit.org/show_bug.cgi?id=263140

    Use-after-free in FullscreenManager::requestFullscreenForElement
    https://bugs.webkit.org/show_bug.cgi?id=263140
    rdar://116736343

    Reviewed by Chris Dumez.

    Calling DeferredPromise::reject from the failedPreflights lambda in
    FullscreenManager::requestFullscreenForElement may cause the Document that owns the
    FullscreenManager to be deallocated, resulting in a use-after-free when the document is accessed
    again after rejecting the promise. Resolved this by keeping a Ref to m_document for the lifetime of
    the failedPreflights lambda.

    Added a layout test.

    * LayoutTests/fullscreen/fullscreen-cancel-after-request-crash-expected.txt: Added.
    * LayoutTests/fullscreen/fullscreen-cancel-after-request-crash.html: Added.
    * Source/WebCore/dom/FullscreenManager.cpp:
    (WebCore::FullscreenManager::requestFullscreenForElement):

    Canonical link: https://commits.webkit.org/267815.332@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.178@webkitglib/2.42


  Commit: a909b207e0dd795c67fe674b244d90a3f5484f7f
      https://github.com/WebKit/WebKit/commit/a909b207e0dd795c67fe674b244d90a3f5484f7f
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/text/zero-height-first-line-assert-expected.txt
    A LayoutTests/fast/text/zero-height-first-line-assert.html
    M Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp
    M Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContentBuilder.cpp

  Log Message:
  -----------
  Cherry-pick 267815.333 at safari-7617-branch (c1a2b21f2532). https://bugs.webkit.org/show_bug.cgi?id=263222

    [IFC] Demote partial invalidation to full damage when computed damage extent is inconsistent
    https://bugs.webkit.org/show_bug.cgi?id=263222
    <rdar://117017324>

    Reviewed by Antti Koivisto.

    Fall back to full layout when we computed inconsistent damage extent.
    (It could happen when previous layouts produced corrupt line content e.g. line with no boxes other than the root inline box).

    * LayoutTests/fast/text/zero-height-first-line-assert-expected.txt: Added.
    * LayoutTests/fast/text/zero-height-first-line-assert.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp:
    (WebCore::Layout::leadingContentDisplayForLineIndex):
    (WebCore::Layout::InlineInvalidation::updateInlineDamage):
    * Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContentBuilder.cpp:
    (WebCore::LayoutIntegration::InlineContentBuilder::build const):

    Canonical link: https://commits.webkit.org/267815.333@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.179@webkitglib/2.42


  Commit: b2414972d8326b7d4a8b84bcf0ee1ffaacceab96
      https://github.com/WebKit/WebKit/commit/b2414972d8326b7d4a8b84bcf0ee1ffaacceab96
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/GetPutInfo.h
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/runtime/SymbolTable.cpp
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Cherry-pick 267815.345 at safari-7617-branch (99b8814b73d1). https://bugs.webkit.org/show_bug.cgi?id=261934

    Scoped Arguments needs to alias between named and unnamed accesses and across nested scopes
    https://bugs.webkit.org/show_bug.cgi?id=261934
    rdar://114925088

    Reviewed by Yusuke Suzuki.

    Fixed issue where an access to a named argument and a separate access via its argument[i] counterpart weren't recognized throughout
    all JIT tiers as accesses to the same scoped value.  The DFG bytecode parser can unknowingly constant fold the read access.
    Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values.
    related objects

    Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the
    ScopedArgument entry for the matching index.  Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization
    initialization type in GetPutInfo to signify this shared watchpoint case.  Since currently all tiers write to scoped arguments
    via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint.

    Added a new test.

    * JSTests/stress/arrow-function-captured-arguments-aliased.js: New test.
    (createOptAll):
    (createOpt500):
    (createOpt2000):
    (createOpt5000):
    (main):
    * Source/JavaScriptCore/bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::finishCreation):
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
    * Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
    * Source/JavaScriptCore/runtime/GetPutInfo.h:
    (JSC::initializationModeName):
    (JSC::isInitialization):
    * Source/JavaScriptCore/runtime/ScopedArguments.h:
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
    (JSC::ScopedArgumentsTable::tryCreate):
    (JSC::ScopedArgumentsTable::tryClone):
    (JSC::ScopedArgumentsTable::trySetLength):
    (JSC::ScopedArgumentsTable::trySetWatchpointSet):
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
    * Source/JavaScriptCore/runtime/SymbolTable.h:

    Canonical link: https://commits.webkit.org/267815.345@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.180@webkitglib/2.42


  Commit: 9446aed9a716340695e403a8e44e36ba75a81131
      https://github.com/WebKit/WebKit/commit/9446aed9a716340695e403a8e44e36ba75a81131
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/heap/PreciseAllocation.cpp
    M Source/JavaScriptCore/heap/PreciseAllocation.h

  Log Message:
  -----------
  Cherry-pick 267815.112 at safari-7617-branch (6ea412c32f09). https://bugs.webkit.org/show_bug.cgi?id=262011

    Adjust PreciseAllocation alignment offset to also factor in cache line alignment requirements.
    https://bugs.webkit.org/show_bug.cgi?id=262011
    rdar://115959633

    Reviewed by Keith Miller.

    We should ensure that the JSObject header word and its butterfly are always in the same cache line.
    See radar for details.

    All JSObjects are either allocated out of a MarkedBlock or as a PreciseAllocation.  All MarkedBlock
    allocations are aligned on 16 byte boundaries (the MarkedBlock::atomSize).  This means that it’s
    impossible to get this condition with a MarkedBlock allocated object.

    For PreciseAllocations, each allocation is preceded by a PreciseAllocation header (which is currently
    96 bytes in size), and an 8 to 16 byte padding depending on what is needed to get the resultant object
    start address to start on an odd 8 byte boundary (i.e. bit 3 is set).  With PreciseAllocations,
    depending on the size of the allocation and what memory slot the allocation comes from, there is a
    way to get the JSObject header and butterfly to span across a cache line boundary.

    This patch prevents this by dynamically adjusting the alignment padding at the start of the
    PreciseAllocation to ensure that the start address of the JSObject always lands at a spot where the
    header and butterfly do not span a cache line boundary.

    * Source/JavaScriptCore/heap/PreciseAllocation.cpp:
    (JSC::dataCacheLineSize):
    (JSC::isAlignedForPreciseAllocation):
    (JSC::isCacheAlignedForPreciseAllocation):
    (JSC::PreciseAllocation::tryCreate):
    (JSC::PreciseAllocation::tryReallocate):
    (JSC::PreciseAllocation::tryCreateForLowerTier):
    (JSC::PreciseAllocation::reuseForLowerTier):
    (JSC::PreciseAllocation::PreciseAllocation):
    * Source/JavaScriptCore/heap/PreciseAllocation.h:
    (JSC::PreciseAllocation::headerSize):
    (JSC::PreciseAllocation::basePointer const):

    Canonical link: https://commits.webkit.org/267815.112@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.181@webkitglib/2.42
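The padding rule described in the message above, as an added example that is not WebKit's code: the 96-byte header and the "odd 8-byte boundary" rule are taken from the message; the 64-byte line size, the 16-byte header-plus-butterfly pair and an 8-byte-aligned base pointer are assumptions of this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the PreciseAllocation padding rule. Header size
 * and the odd-8 rule come from the commit message; the rest is assumed. */
#define PRECISE_ALLOCATION_HEADER_SIZE 96u
#define HEADER_AND_BUTTERFLY_SIZE 16u   /* 8-byte cell header + 8-byte butterfly pointer (assumed) */

/* True if the 16 bytes starting at `start` lie within one cache line. */
bool header_and_butterfly_in_one_line(uintptr_t start, size_t line)
{
    return (start % line) + HEADER_AND_BUTTERFLY_SIZE <= line;
}

/* Old rule: after the header, pad 8 or 16 bytes so the object starts with
 * bit 3 set (address % 16 == 8). `base` is assumed 8-byte aligned. This alone
 * can leave the header/butterfly pair straddling a line boundary. */
uintptr_t object_start_old(uintptr_t base)
{
    uintptr_t after_header = base + PRECISE_ALLOCATION_HEADER_SIZE;
    return after_header + ((after_header & 8) ? 16 : 8);
}

/* New rule: keep the odd-8 alignment, but when the 16-byte pair would cross a
 * line boundary, slide the object forward by another 16 bytes. Adding 16
 * preserves bit 3, so both invariants hold at once. */
uintptr_t object_start_cache_aligned(uintptr_t base, size_t line)
{
    uintptr_t start = object_start_old(base);
    if (!header_and_butterfly_in_one_line(start, line))
        start += 16;
    return start;
}

/* Exhaustive check over every 8-byte-aligned base offset within a few lines:
 * the adjusted start must be odd-8 aligned and keep the pair in one line. */
bool rule_holds_for_all_bases(size_t line)
{
    for (uintptr_t base = 0; base < 4 * line; base += 8) {
        uintptr_t start = object_start_cache_aligned(base, line);
        if ((start & 15) != 8)
            return false;
        if (!header_and_butterfly_in_one_line(start, line))
            return false;
    }
    return true;
}

int main(void)
{
    /* Base 0x10010: the old rule lands the object at 0x10078, i.e. 56 bytes
     * into a 64-byte line, so bytes 64..71 of the pair spill into the next line. */
    uintptr_t base = 0x10010;
    printf("old start  %#lx in one line: %d\n", (unsigned long)object_start_old(base),
           header_and_butterfly_in_one_line(object_start_old(base), 64));
    printf("new start  %#lx in one line: %d\n",
           (unsigned long)object_start_cache_aligned(base, 64),
           header_and_butterfly_in_one_line(object_start_cache_aligned(base, 64), 64));
    printf("rule holds for all bases (64-byte line): %d\n", rule_holds_for_all_bases(64));
    return 0;
}
```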


  Commit: 3af62222ff09de7879c7bf1c98fa38d33237e390
      https://github.com/WebKit/WebKit/commit/3af62222ff09de7879c7bf1c98fa38d33237e390
  Author: nishajain61 <nisha_jain at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/text/crash-letter-spacing-infinite-expected.html
    A LayoutTests/fast/text/crash-letter-spacing-infinite.html
    A LayoutTests/fast/text/crash-word-spacing-infinite-expected.html
    A LayoutTests/fast/text/crash-word-spacing-infinite.html
    M Source/WebCore/platform/graphics/FontCascade.h

  Log Message:
  -----------
  Cherry-pick 267815.115 at safari-7617-branch (935e894057d7). https://bugs.webkit.org/show_bug.cgi?id=264327

    rdar://115423166 (jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(widthForLargestKnownToFit <= maxWidth); in WebCore::truncateString(...))
    rdar://115423166

    Reviewed by Myles C. Maxfield.

    letterSpacing API needs to be able to handle a NaN value

    Signed-off-by: nishajain61 <nisha_jain at apple.com>
    Canonical link: https://commits.webkit.org/267815.115@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.182@webkitglib/2.42


  Commit: a7a75cad4a5dacb2844d56f8192007db61012237
      https://github.com/WebKit/WebKit/commit/a7a75cad4a5dacb2844d56f8192007db61012237
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
    M Source/JavaScriptCore/b3/testb3.h
    M Source/JavaScriptCore/b3/testb3_1.cpp
    M Source/JavaScriptCore/b3/testb3_5.cpp

  Log Message:
  -----------
  Cherry-pick 267815.118 at safari-7617-branch (3e7f362d98b7). https://bugs.webkit.org/show_bug.cgi?id=262224

    [JSC] Wrong B3 range analysis on 64-bit values
    https://bugs.webkit.org/show_bug.cgi?id=262224
    rdar://115897433

    Reviewed by Mark Lam.

    This patch fixes B3's range analysis. When using a 64-bit value, we should use INT64_MIN / INT64_MAX instead of INT_MIN / INT_MAX.
    We use std::numeric_limits to make it work. We also adjust the `+ 1` check to avoid potential UB.

    * Source/JavaScriptCore/b3/B3ReduceStrength.cpp:
    * Source/JavaScriptCore/b3/testb3.h:
    * Source/JavaScriptCore/b3/testb3_1.cpp:
    (run):
    * Source/JavaScriptCore/b3/testb3_5.cpp:
    (testCheckAdd64Range):

    Canonical link: https://commits.webkit.org/267815.118@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.183@webkitglib/2.42


  Commit: 154565ddd36b09250d50134b968afc9f735d0dcc
      https://github.com/WebKit/WebKit/commit/154565ddd36b09250d50134b968afc9f735d0dcc
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/ArrayBufferView.h
    M Source/JavaScriptCore/runtime/DataView.cpp
    M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
    M Source/JavaScriptCore/runtime/JSDataView.cpp
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

  Log Message:
  -----------
  Cherry-pick 267815.120 at safari-7617-branch (ac9f4e07603c). https://bugs.webkit.org/show_bug.cgi?id=262338

    [JSC] Add extra hardening about incorrectly configured shared growable typed array view
    https://bugs.webkit.org/show_bug.cgi?id=262338
    rdar://116168654

    Reviewed by Mark Lam.

    This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue.
    This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized
    data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined in the current process. Given that the attacker
    is already getting a way to create arbitrary serialized data, probably this does not add much additionally, but just adding hardening for now
    as an extra safety.

    * Source/JavaScriptCore/runtime/ArrayBufferView.h:
    (JSC::ArrayBufferView::verifySubRangeLength):
    * Source/JavaScriptCore/runtime/DataView.cpp:
    (JSC::DataView::wrappedAs):
    * Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
    (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
    (JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
    * Source/JavaScriptCore/runtime/JSDataView.cpp:
    (JSC::JSDataView::create):
    * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
    (JSC::JSGenericTypedArrayView<Adaptor>::create):

    Canonical link: https://commits.webkit.org/267815.120@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.184@webkitglib/2.42


  Commit: 985fc350636c2ea3ee35146185bde8651f7c6eb8
      https://github.com/WebKit/WebKit/commit/985fc350636c2ea3ee35146185bde8651f7c6eb8
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/dom/DocumentFragment.h
    M Source/WebCore/dom/Node.h
    M Source/WebCore/dom/XMLDocument.cpp
    M Source/WebCore/dom/XMLDocument.h
    M Source/WebCore/testing/js/WebCoreTestSupport.cpp
    M Source/WebCore/testing/js/WebCoreTestSupport.h

  Log Message:
  -----------
  Cherry-pick 267815.149 at safari-7617-branch (9bc754a9deaf). https://bugs.webkit.org/show_bug.cgi?id=264327

    Add test function for WebCore::DocumentFragment::parseXML
    https://bugs.webkit.org/show_bug.cgi?id=262426
    <rdar://116267317>

    Reviewed by Darin Adler.

    * Source/WebCore/dom/DocumentFragment.h:
    (WebCore::DocumentFragment::parseXML):
    - Export method for WebCoreTestSupport.
    * Source/WebCore/dom/Node.h:
    (WebCore::Node::eventTargetInterface):
    - Drive-by fix to comment.
    * Source/WebCore/dom/XMLDocument.cpp:
    (WebCore::XMLDocument::createXHTML): Add.
    - Move implementation into source file.
    * Source/WebCore/dom/XMLDocument.h:
    (WebCore::XMLDocument::createXHTML):
    - Change to exported method declaration.
    * Source/WebCore/testing/js/WebCoreTestSupport.cpp:
    (WebCoreTestSupport::testDocumentFragmentParseXML): Add.
    - Add test method.
    * Source/WebCore/testing/js/WebCoreTestSupport.h:
    (WebCoreTestSupport::testDocumentFragmentParseXML): Add.

    Canonical link: https://commits.webkit.org/267815.149@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.185@webkitglib/2.42


  Commit: 4355f5aa8130f4b02f414c296e763c18c37bcb93
      https://github.com/WebKit/WebKit/commit/4355f5aa8130f4b02f414c296e763c18c37bcb93
  Author: nishajain61 <nisha_jain at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/cssom/crash-font-family-invalid-expected.html
    A LayoutTests/cssom/crash-font-family-invalid.html
    M Source/WebCore/style/StyleBuilderCustom.h

  Log Message:
  -----------
  Cherry-pick 267815.169 at safari-7617-branch (6834321e777d). https://bugs.webkit.org/show_bug.cgi?id=262487

    jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x'))
    https://bugs.webkit.org/show_bug.cgi?id=262487
    rdar://115283280

    Reviewed by Chris Dumez.

    An invalid CSS value for the CSS "Font-family" property has to be handled by returning instead of causing an ASSERT.

    Test: cssom/crash-font-family-invalid.html

    * Source/WebCore/style/StyleBuilderCustom.h:
    (BuilderCustom::applyValueFontFamily): Replaced 'ASSERT' with 'return' while handling the "Font-family" property.
    * LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file.
    * LayoutTests/cssom/crash-font-family-invalid.html: Added test case.

    Canonical link: https://commits.webkit.org/267815.169@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.186@webkitglib/2.42


  Commit: b3c358d4525aec3be45a32e22c25b2c71fc1f3b4
      https://github.com/WebKit/WebKit/commit/b3c358d4525aec3be45a32e22c25b2c71fc1f3b4
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M LayoutTests/fast/storage/serialized-script-value.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 267815.202 at safari-7617-branch (401705903095). https://bugs.webkit.org/show_bug.cgi?id=262616

    An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
    https://bugs.webkit.org/show_bug.cgi?id=262616
    rdar://116034413

    Reviewed by Keith Miller, Sihui Liu and Chris Dumez.

    CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of
    the indexed property section of an Array.  However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD,
    which is less than MAX_ARRAY_INDEX (0xFFFFFFFE) i.e. an index of 0xFFFFFFFD can be confused for the
    NonIndexPropertiesTag, resulting in type confusion.

    This patch changes the structure of a serialized Array to always terminate its indexed property section
    with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another
    TerminatorTag.  The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the
    presence of a non-indexed properties section.  The presence of a TerminatorTag immediately after the
    1st TerminatorTag indicates that the non-indexed properties section is empty.

    Also updated the comment describing the shape of a serialized Array, and rebased a test.

    * LayoutTests/fast/storage/serialized-script-value.html:
    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneSerializer::serialize):
    (WebCore::CloneDeserializer::deserialize):

    Canonical link: https://commits.webkit.org/267815.202@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.187@webkitglib/2.42
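
A constructed model of the two framings, added here as an illustration and not WebCore's SerializedScriptValue code. The indexed section is reduced to (index, value) pairs of 32-bit words and the non-indexed section to bare property ids, so only the terminator handling is modelled; the tag values and MAX_ARRAY_INDEX are those quoted in the message, and the pre-fix layout of the non-indexed section is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Tag values quoted in the commit message.
constexpr uint32_t NonIndexPropertiesTag = 0xFFFFFFFDu;
constexpr uint32_t TerminatorTag = 0xFFFFFFFFu;
constexpr uint32_t MaxArrayIndex = 0xFFFFFFFEu;     // MAX_ARRAY_INDEX

// Constructed, simplified Array: indexed entries plus non-indexed property ids.
struct IndexedEntry { uint32_t index; uint32_t value; };
struct ToyArray {
    std::vector<IndexedEntry> indexed;
    std::vector<uint32_t> nonIndexed;
};
inline bool operator==(const IndexedEntry& a, const IndexedEntry& b) {
    return a.index == b.index && a.value == b.value;
}
inline bool operator==(const ToyArray& a, const ToyArray& b) {
    return a.indexed == b.indexed && a.nonIndexed == b.nonIndexed;
}

// Pre-fix framing (assumed layout): NonIndexPropertiesTag ends the indexed
// section, then the non-indexed ids run until TerminatorTag.
inline std::vector<uint32_t> encodeOld(const ToyArray& a) {
    std::vector<uint32_t> out;
    for (const auto& e : a.indexed) { out.push_back(e.index); out.push_back(e.value); }
    out.push_back(NonIndexPropertiesTag);
    out.insert(out.end(), a.nonIndexed.begin(), a.nonIndexed.end());
    out.push_back(TerminatorTag);
    return out;
}

inline std::optional<ToyArray> decodeOld(const std::vector<uint32_t>& in) {
    ToyArray a;
    size_t pos = 0;
    // The bug: a legitimate index of 0xFFFFFFFD (which is <= MaxArrayIndex) reads as
    // the tag, so the entry's value is taken as the start of the non-indexed section.
    while (pos < in.size() && in[pos] != NonIndexPropertiesTag) {
        if (pos + 1 >= in.size()) return std::nullopt;
        a.indexed.push_back({in[pos], in[pos + 1]});
        pos += 2;
    }
    if (pos >= in.size()) return std::nullopt;
    ++pos;                                              // consume NonIndexPropertiesTag
    while (pos < in.size() && in[pos] != TerminatorTag) a.nonIndexed.push_back(in[pos++]);
    if (pos >= in.size()) return std::nullopt;          // missing TerminatorTag
    return a;
}

// Post-fix framing: TerminatorTag, which no valid index can equal, always ends the
// indexed section; then NonIndexPropertiesTag introduces a non-indexed section, or
// a second TerminatorTag says there is none.
inline std::optional<std::vector<uint32_t>> encodeNew(const ToyArray& a) {
    std::vector<uint32_t> out;
    for (const auto& e : a.indexed) {
        if (e.index > MaxArrayIndex) return std::nullopt;
        out.push_back(e.index);
        out.push_back(e.value);
    }
    out.push_back(TerminatorTag);
    if (a.nonIndexed.empty()) {
        out.push_back(TerminatorTag);
        return out;
    }
    out.push_back(NonIndexPropertiesTag);
    out.insert(out.end(), a.nonIndexed.begin(), a.nonIndexed.end());
    out.push_back(TerminatorTag);
    return out;
}

inline std::optional<ToyArray> decodeNew(const std::vector<uint32_t>& in) {
    ToyArray a;
    size_t pos = 0;
    while (pos < in.size() && in[pos] != TerminatorTag) {
        if (pos + 1 >= in.size() || in[pos] > MaxArrayIndex) return std::nullopt;
        a.indexed.push_back({in[pos], in[pos + 1]});
        pos += 2;
    }
    if (pos + 1 >= in.size()) return std::nullopt;      // need a tag after the terminator
    ++pos;
    if (in[pos] == TerminatorTag) return a;             // empty non-indexed section
    if (in[pos] != NonIndexPropertiesTag) return std::nullopt;
    ++pos;
    while (pos < in.size() && in[pos] != TerminatorTag) a.nonIndexed.push_back(in[pos++]);
    if (pos >= in.size()) return std::nullopt;
    return a;
}

// Round-trip helpers and constructed sample inputs.
inline bool roundTripsOld(const ToyArray& a) { auto d = decodeOld(encodeOld(a)); return d && *d == a; }
inline bool roundTripsNew(const ToyArray& a) {
    auto e = encodeNew(a);
    if (!e) return false;
    auto d = decodeNew(*e);
    return d && *d == a;
}
inline ToyArray ordinaryArray() { return { { {0, 10}, {1, 11} }, {7} }; }
inline ToyArray tagLikeIndexArray() { return { { {NonIndexPropertiesTag, 42} }, {} }; }
```

Under the old framing the second sample decodes with an empty indexed section and its value 42 misfiled as a non-indexed property; under the new framing both samples round-trip.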


  Commit: b80ac5cb701ae61a6c75adbbd2609b5e49c80ee7
      https://github.com/WebKit/WebKit/commit/b80ac5cb701ae61a6c75adbbd2609b5e49c80ee7
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/wasm/stress/bbq-parallel-move.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  Cherry-pick 267815.223 at safari-7617-branch (3c476842d24c). https://bugs.webkit.org/show_bug.cgi?id=262222

    BBQJIT if conditions are very wrong
    https://bugs.webkit.org/show_bug.cgi?id=262222
    rdar://problem/116145012

    Reviewed by Keith Miller.

    BBQJIT if conditions are very wrong. By random chance, the condition value
    happens to be allocated in nonPreservedNonArgumentGPR1, but if you use
    more than 8 registers, we end up just reading a completely random value.

    Let's not do that.

    We also add some extra debugging assertions for parallel move. These shouldn't ever actually
    be hit, but they help us avoid a potential problem in the future if we
    make BBQ register allocation smarter.

    Finally, we allow allocating eax on x86, and fix some bugs surrounding if/else as a result.

    * JSTests/wasm/stress/bbq-parallel-move.js: Added.
    * Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
    (JSC::Wasm::BBQJIT::ControlData::ControlData):
    (JSC::Wasm::BBQJIT::addIf):
    (JSC::Wasm::BBQJIT::emitIndirectCall):
    (JSC::Wasm::BBQJIT::emitShuffle):

    Canonical link: https://commits.webkit.org/267815.223@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.188@webkitglib/2.42


  Commit: cb664fb1a65f24cddcdcc95f2509767fb23f73f6
      https://github.com/WebKit/WebKit/commit/cb664fb1a65f24cddcdcc95f2509767fb23f73f6
  Author: Erica Li <lerica at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt
    A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  Cherry-pick 267815.226 at safari-7617-branch (20bb95c77d7c). https://bugs.webkit.org/show_bug.cgi?id=262292

    rdar://110000099 (jsc_fuz/wktr: invalid message WebPasteboardProxy_GetPasteboardChangeCount)
    https://bugs.webkit.org/show_bug.cgi?id=262292
    rdar://110000099

    Reviewed by Wenson Hsieh.

    Disable copy paste for beforeunload event.

    * LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt: Added.
    * LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html: Added.
    * Source/WebCore/loader/FrameLoader.cpp:
    (WebCore::ForbidCopyPasteScope::ForbidCopyPasteScope):
    (WebCore::ForbidCopyPasteScope::~ForbidCopyPasteScope):
    (WebCore::FrameLoader::dispatchBeforeUnloadEvent):

    Canonical link: https://commits.webkit.org/267815.226@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.189@webkitglib/2.42


  Commit: d8661f82488c8202db34f543c5c5a8c2093ac107
      https://github.com/WebKit/WebKit/commit/d8661f82488c8202db34f543c5c5a8c2093ac107
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/assembler/AssemblerBuffer.h
    M Source/WTF/wtf/PtrTag.h

  Log Message:
  -----------
  Cherry-pick 267815.228 at safari-7617-branch (4eda4ebd52c1). https://bugs.webkit.org/show_bug.cgi?id=262938

    ARM64EHash should be using the PAC DA key instead of DB.
    https://bugs.webkit.org/show_bug.cgi?id=262938
    rdar://116679398

    Reviewed by Justin Michaud.

    Currently, it uses the PAC DB key.  However, the PAC DB key is already used for the
    PACCage for protecting TypedArray vector pointers.  Using the PAC DA key instead would
    ensure that there is no collision between the "namespace"s of PACCage pointers and
    ARM64EHash intermediate values.

    * Source/JavaScriptCore/assembler/AssemblerBuffer.h:
    (JSC::ARM64EHash::nextValue):
    (JSC::ARM64EHash::currentHash):
    (JSC::ARM64EHash::setUpdatedHash):
    * Source/WTF/wtf/PtrTag.h:
    (WTF::untagInt):
    (WTF::tagInt):

    Canonical link: https://commits.webkit.org/267815.228@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.190@webkitglib/2.42


  Commit: 3f264123d1e8aea85d25a73816ca24adba8a5c91
      https://github.com/WebKit/WebKit/commit/3f264123d1e8aea85d25a73816ca24adba8a5c91
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 267815.245 at safari-7617-branch (bf21fed44b35). https://bugs.webkit.org/show_bug.cgi?id=262921

    CloneDeserializer::readTerminal() should fail decoding if tag is not exposed to current JS context
    https://bugs.webkit.org/show_bug.cgi?id=262921
    rdar://115756703

    Reviewed by Mark Lam.

    In 265678 at main, I added a check to make sure the type getting deserialized was exposed to the
    current JS context (e.g. audio worklet contexts don't have access to many of the types that
    Window context do). I added an early return when detecting this but failed to call `fail()`
    to explicitly fail decoding.

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::readTerminal):

    Canonical link: https://commits.webkit.org/267815.245@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.191@webkitglib/2.42


  Commit: 4a95479db48214e9e166461405ca13c1c731e92a
      https://github.com/WebKit/WebKit/commit/4a95479db48214e9e166461405ca13c1c731e92a
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https-expected.txt
    A LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https.html
    M Source/WebCore/Headers.cmake
    M Source/WebCore/Modules/web-locks/WebLock.h
    M Source/WebCore/Modules/web-locks/WebLockManager.cpp
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    M Source/WebKit/UIProcess/WebLockRegistryProxy.cpp

  Log Message:
  -----------
  Cherry-pick 267815.246 at safari-7617-branch (85aba6be5983). https://bugs.webkit.org/show_bug.cgi?id=262920

    Restrict the length of requested web locks names
    https://bugs.webkit.org/show_bug.cgi?id=262920
    rdar://116189077

    Reviewed by Brent Fulgham.

    Restrict the length of requested web locks names to prevent abuse.

    * LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https-expected.txt: Added.
    * LayoutTests/http/wpt/web-locks/lock-name-length-restriction.https.html: Added.
    * Source/WebCore/Headers.cmake:
    * Source/WebCore/Modules/web-locks/WebLock.h:
    * Source/WebCore/Modules/web-locks/WebLockManager.cpp:
    (WebCore::WebLockManager::request):
    * Source/WebCore/WebCore.xcodeproj/project.pbxproj:
    * Source/WebKit/UIProcess/WebLockRegistryProxy.cpp:
    (WebKit::WebLockRegistryProxy::requestLock):

    Canonical link: https://commits.webkit.org/267815.246@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.192@webkitglib/2.42


  Commit: 94ceb11f89b2460f63a91d05f6f8410a0a6aac3b
      https://github.com/WebKit/WebKit/commit/94ceb11f89b2460f63a91d05f6f8410a0a6aac3b
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/canvas/offscreen-giant-expected.html
    A LayoutTests/fast/canvas/offscreen-giant.html
    M LayoutTests/platform/mac-monterey/TestExpectations
    M Source/WebCore/platform/graphics/ca/cocoa/GraphicsLayerAsyncContentsDisplayDelegateCocoa.mm
    M Source/WebKit/Platform/SharedMemory.h
    M Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h
    M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h
    M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm
    M Source/WebKit/Shared/ShareableBitmap.h
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h
    M Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm

  Log Message:
  -----------
  Cherry-pick 267815.262 at safari-7617-branch (8ac19464ff91). https://bugs.webkit.org/show_bug.cgi?id=264327

    jsc_fuz/wktr: null ptr deref in WebCore::GraphicsLayerAsyncContentsDisplayDelegateCocoa::tryCopyToLayer(WebCore::ImageBuffer&)
    https://bugs.webkit.org/show_bug.cgi?id=262640
    <rdar://115497296>

    Reviewed by Kimmo Kinnunen.

    This adds support for setDelegatedContents on a PlatformCALayerRemote having a generic ImageBufferBackendHandle (which includes
    shared memory), instead of only MachSendRight.

    Adds an explicit copy constructor to SharedMemoryHandle, UnixFileDescriptor and CGDisplayList to match MachSendRight and make
    this possible.

    Also switches Protection::ReadWrite to Protection::ReadOnly for the RemoteLayerBackingStore callers, since we were already using
    this for tryCopyToLayer, and we need the ::map() call in the UI process to not try ask for extra permissions.

    * Source/WTF/wtf/unix/UnixFileDescriptor.h:
    (WTF::UnixFileDescriptor::UnixFileDescriptor):
    * Source/WebKit/Platform/SharedMemory.h:
    * Source/WebKit/Shared/RemoteLayerTree/CGDisplayList.h:
    * Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.h:
    * Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:
    (WebKit::RemoteLayerBackingStore::encode const):
    (WebKit::RemoteLayerBackingStore::setDelegatedContents):
    (WebKit::RemoteLayerBackingStoreProperties::layerContentsBufferFromBackendHandle):
    * Source/WebKit/Shared/ShareableBitmap.h:
    * Source/WebKit/WebProcess/WebPage/RemoteLayerTree/GraphicsLayerCARemote.mm:
    * Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.h:
    * Source/WebKit/WebProcess/WebPage/RemoteLayerTree/PlatformCALayerRemote.mm:
    (WebKit::PlatformCALayerRemote::setDelegatedContents):
    (WebKit::PlatformCALayerRemote::setRemoteDelegatedContents):

    Canonical link: https://commits.webkit.org/267815.262@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.193@webkitglib/2.42


  Commit: 639298fab982cd8666b7c516316edfc50f402b36
      https://github.com/WebKit/WebKit/commit/639298fab982cd8666b7c516316edfc50f402b36
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt
    A LayoutTests/http/wpt/webcodecs/videoFrame-rect.html
    M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp

  Log Message:
  -----------
  Cherry-pick 267815.265 at safari-7617-branch (aa715fb68472). https://bugs.webkit.org/show_bug.cgi?id=262955

    jsc_fuz/wktr: heap-buffer-overflow in WebCore::WebCodecsVideoFrame::copyTo(...) WebCodecsVideoFrame.cpp:488
    https://bugs.webkit.org/show_bug.cgi?id=262955
    rdar://115835656

    Reviewed by Eric Carlson.

    We add a check that x and y are positive or zero.
    Otherwise, we might still pass the check that the total width or height is below the codedWidth/codedHeight, while it is not.

    * LayoutTests/http/wpt/webcodecs/videoFrame-rect-expected.txt: Added.
    * LayoutTests/http/wpt/webcodecs/videoFrame-rect.html: Added.
    * Source/WebCore/Modules/webcodecs/WebCodecsVideoFrameAlgorithms.cpp:
    (WebCore::parseVisibleRect):

    Canonical link: https://commits.webkit.org/267815.265@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.194@webkitglib/2.42


  Commit: 937ce54230a1cfc9d6cdffdaec3f2bc273c29e4b
      https://github.com/WebKit/WebKit/commit/937ce54230a1cfc9d6cdffdaec3f2bc273c29e4b
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/events/document-destruction-during-event-firing-crash-expected.txt
    A LayoutTests/fast/events/document-destruction-during-event-firing-crash.html
    M Source/WebCore/dom/EventTarget.cpp

  Log Message:
  -----------
  Cherry-pick 267815.272 at safari-7617-branch (fc0cce085a99). https://bugs.webkit.org/show_bug.cgi?id=263029

    Use-after-free crash under EventTarget::innerInvokeEventListeners()
    https://bugs.webkit.org/show_bug.cgi?id=263029
    rdar://116802026

    Reviewed by Ryosuke Niwa.

    Make sure we keep the script execution context alive by holding it in a Ref<>.

    * LayoutTests/fast/events/document-destruction-during-event-firing-crash-expected.txt: Added.
    * LayoutTests/fast/events/document-destruction-during-event-firing-crash.html: Added.
    * Source/WebCore/dom/EventTarget.cpp:
    (WebCore::EventTarget::innerInvokeEventListeners):

    Canonical link: https://commits.webkit.org/267815.272@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.195@webkitglib/2.42


  Commit: 423f54d638409d111534c668988202516b8b4e25
      https://github.com/WebKit/WebKit/commit/423f54d638409d111534c668988202516b8b4e25
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/create-columns-onload-crash-expected.txt
    A LayoutTests/fast/css/create-columns-onload-crash.html
    M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  -----------
  Cherry-pick 267815.304 at safari-7617-branch (395cb173896a). rdar://115107618

    jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) downcast(Source &) [Target = WebCore::CSSFunctionValue, Source = const WebCore::CSSValue]
    rdar://115107618

    Reviewed by Chris Dumez.

    Downcast was attempted before ensuring type is correct, so added a typecheck before downcast

    * Source/WebCore/style/StyleBuilderConverter.h:
    (WebCore::Style::BuilderConverter::createGridTrackSize): added typecheck before downcast

    Canonical link: https://commits.webkit.org/267815.304@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.196@webkitglib/2.42


  Commit: 533055aea23269e8f723e7fb9437d8f618155ddb
      https://github.com/WebKit/WebKit/commit/533055aea23269e8f723e7fb9437d8f618155ddb
  Author: Sihui Liu <sihui_liu at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M LayoutTests/fast/storage/serialized-script-value.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 267815.465 at safari-7617-branch (9a56d2bb940b). rdar://117020274

    J414s/23C25: 1Password extension does not work and keeps trying to open a blank new tab (Unhandled Promise Rejection: AbortError: IDBTransaction will abort due to uncaught exception in an event handler)
    rdar://117020274

    Reviewed by Mark Lam.

    We updated the serialization format of SerializedScriptValue in rdar://117020274, but we didn't change the version number.
    This makes serialized values with old format stored in IndexedDB databases no longer readable, as we are looking for the
    new format during deserialization.

    * LayoutTests/fast/storage/serialized-script-value.html:
    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::deserialize):

    Canonical link: https://commits.webkit.org/267815.465@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.197@webkitglib/2.42


  Commit: f6cf3189dfe989c4031be838c76fa31a517d1864
      https://github.com/WebKit/WebKit/commit/f6cf3189dfe989c4031be838c76fa31a517d1864
  Author: Said Abou-Hallawa <said at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/svg/custom/pattern-nested-reference-expected.txt
    A LayoutTests/svg/custom/pattern-nested-reference.html
    M Source/WebCore/rendering/svg/RenderSVGResource.cpp
    M Source/WebCore/rendering/svg/RenderSVGResource.h
    M Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceClipper.h
    M Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceContainer.h
    M Source/WebCore/rendering/svg/RenderSVGResourceFilter.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceFilter.h
    M Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceGradient.h
    M Source/WebCore/rendering/svg/RenderSVGResourceMarker.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceMarker.h
    M Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceMasker.h
    M Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourcePattern.h
    M Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.h

  Log Message:
  -----------
  Cherry-pick 267815.402 at safari-7617-branch (46e35d6223f3). https://bugs.webkit.org/show_bug.cgi?id=263349

    Deeply nested SVG patterns can take a long time to invalidate the target element
    https://bugs.webkit.org/show_bug.cgi?id=263349
    (rdar://116532387)

    Reviewed by Simon Fraser.

    The resource's clients invalidation does not take into account the visited renderers.
    With nested SVG resources this invalidation can have an exponential complexity.
    This leads to DoS since loading the SVG or modifying its resources can take
    minutes to finish.

    Skipping the visited renderers while invalidating the resource's clients should
    fix this problem. The complexity of the invalidation will be linear in this case.

    * LayoutTests/svg/custom/pattern-nested-reference-expected.txt: Added.
    * LayoutTests/svg/custom/pattern-nested-reference.html: Added.
    * Source/WebCore/rendering/svg/RenderSVGResource.cpp:
    (WebCore::RenderSVGResource::removeAllClientsFromCache):
    (WebCore::removeFromCacheAndInvalidateDependencies):
    (WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation):
    (WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidationIfNeeded):
    * Source/WebCore/rendering/svg/RenderSVGResource.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp:
    (WebCore::RenderSVGResourceClipper::removeAllClientsFromCacheIfNeeded):
    (WebCore::RenderSVGResourceClipper::removeAllClientsFromCache): Deleted.
    * Source/WebCore/rendering/svg/RenderSVGResourceClipper.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp:
    (WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):
    (WebCore::RenderSVGResourceContainer::markAllClientsForInvalidationIfNeeded):
    * Source/WebCore/rendering/svg/RenderSVGResourceContainer.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceFilter.cpp:
    (WebCore::RenderSVGResourceFilter::removeAllClientsFromCacheIfNeeded):
    (WebCore::RenderSVGResourceFilter::removeAllClientsFromCache): Deleted.
    * Source/WebCore/rendering/svg/RenderSVGResourceFilter.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceGradient.cpp:
    (WebCore::RenderSVGResourceGradient::removeAllClientsFromCacheIfNeeded):
    (WebCore::RenderSVGResourceGradient::removeAllClientsFromCache): Deleted.
    * Source/WebCore/rendering/svg/RenderSVGResourceGradient.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceMarker.cpp:
    (WebCore::RenderSVGResourceMarker::removeAllClientsFromCacheIfNeeded):
    (WebCore::RenderSVGResourceMarker::removeAllClientsFromCache): Deleted.
    * Source/WebCore/rendering/svg/RenderSVGResourceMarker.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceMasker.cpp:
    (WebCore::RenderSVGResourceMasker::removeAllClientsFromCacheIfNeeded):
    (WebCore::RenderSVGResourceMasker::removeAllClientsFromCache): Deleted.
    * Source/WebCore/rendering/svg/RenderSVGResourceMasker.h:
    * Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp:
    (WebCore::RenderSVGResourcePattern::removeAllClientsFromCacheIfNeeded):
    (WebCore::RenderSVGResourcePattern::removeAllClientsFromCache): Deleted.
    * Source/WebCore/rendering/svg/RenderSVGResourcePattern.h:
    * Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.h:

    Canonical link: https://commits.webkit.org/267815.402@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.198@webkitglib/2.42


  Commit: 1c967d31b0908ee24ea4f0977fff00980448c675
      https://github.com/WebKit/WebKit/commit/1c967d31b0908ee24ea4f0977fff00980448c675
  Author: Dan Glastonbury <djg at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp

  Log Message:
  -----------
  Cherry-pick 267815.442 at safari-7617-branch (d4e4706162ed). rdar://117540199

    [ANGLE] Clear pending program linking in Context::onDestroy
    rdar://117540199

    Reviewed by Kimmo Kinnunen.

    Cherry pick upstream ANGLE fix which clears the pending link earlier to avoid
    UAF.

    Tested with ASAN build of
    /Volumes/WebKit/OpenSource/WebKitBuild/Debug/TestWebKitAPI
    --gtest_filter=GraphicsContextGLCocoaTest.TwoLinks

    * Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
    (gl::Context::onDestroy):

    Canonical link: https://commits.webkit.org/267815.442@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.199@webkitglib/2.42


  Commit: 5a108bdc41182b6c991585cd9544580712f65eeb
      https://github.com/WebKit/WebKit/commit/5a108bdc41182b6c991585cd9544580712f65eeb
  Author: Vitor Roriz <vitor.roriz at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-ref.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA.html
    M LayoutTests/platform/mac/fast/text/softbank-emoji-expected.txt
    M LayoutTests/platform/wpe/fast/text/softbank-emoji-expected.txt
    M Source/WebCore/css/CSSFontSelector.cpp
    M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
    M Source/WebCore/platform/graphics/FontRanges.cpp
    M Source/WebCore/platform/graphics/FontRanges.h
    M Source/WebCore/platform/graphics/coretext/FontCascadeCoreText.cpp
    M Source/WebCore/platform/text/CharacterProperties.h

  Log Message:
  -----------
  Cherry-pick 267815.424 at safari-7617-branch (8c7be2b8800b). https://bugs.webkit.org/show_bug.cgi?id=255629

    Font fallback should ignore generic families for codepoints in PUA
    https://bugs.webkit.org/show_bug.cgi?id=263261
    rdar://115901340

    Reviewed by Cameron McCormack.

    According to spec: https://drafts.csswg.org/css-fonts-4/#char-handling-issues

    "If a given character is a Private-Use Area Unicode codepoint, user agents must only match font families named in the font-family list that are not generic families. If none of the families named in the font-family list contain a glyph for that codepoint, user agents must display some form of missing glyph symbol for that character rather than attempting installed font fallback for that codepoint."

    We are currently not ignoring generic font families for font fallback when a code point is in the private-use area (PUA).
    This patch changes that. Now FontRanges has a flag to signal that the Font represented by the FontRanges
    object came from a generic family. That way, we can skip it during font fallback when finding
    the glyph data for a codepoint that is in the private-use area.

    After attempting all user-specified font-families, if we couldn't find a font that can represent such a codepoint,
    we then use the .notdef glyph (glyph 0) and the last resort font of WebKit for it.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-expected.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA-ref.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-fonts/matching/font-unicode-PUA.html: Added.
    * LayoutTests/platform/mac/fast/text/softbank-emoji-expected.txt:
    * LayoutTests/platform/wpe/fast/text/softbank-emoji-expected.txt:
    * Source/WebCore/css/CSSFontSelector.cpp:
    (WebCore::CSSFontSelector::fontRangesForFamily):
    * Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
    (WebCore::realizeNextFallback):
    (WebCore::FontCascadeFonts::glyphDataForVariant):
    (WebCore::FontCascadeFonts::glyphDataForCharacter):
    * Source/WebCore/platform/graphics/FontRanges.cpp:
    (WebCore::FontRanges::FontRanges):
    (WebCore::FontRanges::glyphDataForCharacter const):
    * Source/WebCore/platform/graphics/FontRanges.h:
    (WebCore::FontRanges::isGeneric const):
    * Source/WebCore/platform/graphics/WidthIterator.cpp:
    (WebCore::WidthIterator::advanceInternal):
    * Source/WebCore/platform/graphics/coretext/FontCascadeCoreText.cpp:
    (WebCore::FontCascade::fontForCombiningCharacterSequence const):
    * Source/WebCore/platform/text/CharacterProperties.h:
    (WebCore::isPrivateUseAreaCharacter):

    Canonical link: https://commits.webkit.org/267815.424@safari-7617-branch

Canonical link: https://commits.webkit.org/266719.200@webkitglib/2.42
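
The PUA rule described in the commit message above, as an added example that is not WebKit's code: a small C++ model of the font-family walk in which each FontRanges-like entry carries an isGeneric flag, so generic families are skipped for PUA code points and no installed-font fallback is attempted for them. The isPrivateUseAreaCharacter body, the FakeFontRanges type, sampleFamilyList and the "LastResort" / "SystemFallback" names are constructed for illustration.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// PUA blocks: U+E000..U+F8FF, U+F0000..U+FFFFD, U+100000..U+10FFFD.
bool isPrivateUseAreaCharacter(char32_t c)
{
    return (c >= 0xE000 && c <= 0xF8FF)
        || (c >= 0xF0000 && c <= 0xFFFFD)
        || (c >= 0x100000 && c <= 0x10FFFD);
}

// Constructed stand-in for a FontRanges entry: the code points it covers and
// whether it was realized from a generic family (serif, sans-serif, ...).
struct FakeFontRanges {
    std::string name;
    std::vector<std::pair<char32_t, char32_t>> ranges; // inclusive [from, to]
    bool isGeneric;
    bool covers(char32_t c) const
    {
        for (const auto& r : ranges)
            if (c >= r.first && c <= r.second)
                return true;
        return false;
    }
};

// Walk the font-family list in order. For a PUA code point, generic families
// are ignored and, if nothing named in the list covers it, the last resort
// font (glyph 0) is used instead of installed-font fallback. Other code
// points may match a generic family and otherwise go to system fallback.
std::string fontForCharacter(const std::vector<FakeFontRanges>& familyList, char32_t c)
{
    const bool pua = isPrivateUseAreaCharacter(c);
    for (const auto& family : familyList) {
        if (pua && family.isGeneric)
            continue; // the fix: skip generic families for PUA code points
        if (family.covers(c))
            return family.name;
    }
    return pua ? "LastResort" : "SystemFallback"; // constructed names
}

// Constructed sample list: a user icon font covering part of the BMP PUA,
// then a generic family that happens to map the whole BMP PUA as well.
std::vector<FakeFontRanges> sampleFamilyList()
{
    return {
        { "MyIconFont", { { 0xE000, 0xE0FF } }, false },
        { "sans-serif", { { 0x0020, 0x007E }, { 0xE000, 0xF8FF } }, true },
    };
}
```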


  Commit: 055822103c0b2ab090e030756a819e01b6fa1d6e
      https://github.com/WebKit/WebKit/commit/055822103c0b2ab090e030756a819e01b6fa1d6e
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt
    A LayoutTests/fonts/font-cache-memory-pressure-crash.html
    M Source/WebCore/platform/graphics/FontCascadeFonts.cpp

  Log Message:
  -----------
  Cherry-pick 267815.570 at safari-7617.1.17.10-branch (0276f2cb8a40). https://bugs.webkit.org/show_bug.cgi?id=264737

    Cherry-pick a595ddd8348d. rdar://117805319

        Adding last resort font to System Font fallback set for PUA characters
        https://bugs.webkit.org/show_bug.cgi?id=264737
        rdar://117805319

        Reviewed by Brent Fulgham.

        Until now, when we are purging inactive font data, we would just clear
        the glyph page cache if we had to purge a system fallback font.
        This means we assumed the glyph page cache would only point to
        fonts from the system font fallback.

        When we are handling Unicode code points in the Private-Use-Area (PUA) block,
        we shouldn't fall back to system fonts searching for a font that can render
        them, per spec: https://www.w3.org/TR/css-fonts-4/#char-handling-issues
        Instead, we render glyph 0 with the last resort font. However, this
        font is just added to the custom font cache, and its font pointer in the
        Glyph Page cache is not cleared during memory pressure.

        We should add this font to the system font fallback set, to make sure
        that the associated font pointer is removed from the glyph page cache
        during memory pressure.

        * LayoutTests/fonts/font-cache-memory-pressure-crash.html: Added.
        * Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
        (WebCore::FontCascadeFonts::glyphDataForVariant):
        * LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt: Added.

        Canonical link: https://commits.webkit.org/267815.567@safari-7617-branch

    Canonical link: https://commits.webkit.org/267815.570@safari-7617.1.17.10-branch

Canonical link: https://commits.webkit.org/266719.201@webkitglib/2.42


Compare: https://github.com/WebKit/WebKit/compare/7f8b31e40740...055822103c0b

