[webkit-changes] [WebKit/WebKit] 22d6f9: AX: Nullptr deref of AXObjectCache in Accessibilit...

nishajain61 noreply at github.com
Fri Dec 15 11:12:53 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 22d6f99cb96bb3352c1427625695ab65552a66dc
      https://github.com/WebKit/WebKit/commit/22d6f99cb96bb3352c1427625695ab65552a66dc
  Author: Tyler Wilcock <tyler_w at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm

  Log Message:
  -----------
  AX: Nullptr deref of AXObjectCache in AccessibilityObject::contentForRange
rdar://117556782

Reviewed by Chris Fleizach.

* Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm:
(WebCore::AccessibilityObject::contentForRange const):
Null-check AXObjectCache before using it to prevent a rare crash.

Originally-landed-as: 267815.468 at safari-7617-branch (4fce5d70c3d6). rdar://119595439
Canonical link: https://commits.webkit.org/272130@main


  Commit: df2939e8f62ae389a76393cca9dfd2daddb85d53
      https://github.com/WebKit/WebKit/commit/df2939e8f62ae389a76393cca9dfd2daddb85d53
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt
    A LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  The deserializer should fail properly if it cannot materialize ArrayBufferViews.
https://bugs.webkit.org/show_bug.cgi?id=263794
rdar://117572216

Reviewed by Sihui Liu and Keith Miller.

* LayoutTests/fast/dom/deserialize-array-bufffer-view-fail-expected.txt: Added.
* LayoutTests/fast/dom/deserialize-array-bufffer-view-fail.html: Added.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readArrayBufferViewImpl):

Originally-landed-as: 267815.459 at safari-7617-branch (ce6d953127cf). rdar://119595755
Canonical link: https://commits.webkit.org/272131@main


  Commit: 56cd7079354bb20f8dd577299ccbd39d1b462466
      https://github.com/WebKit/WebKit/commit/56cd7079354bb20f8dd577299ccbd39d1b462466
  Author: Abigail Fox <abigail_fox at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
    M Source/WebKit/UIProcess/WebProcessPool.cpp

  Log Message:
  -----------
  Added allowsFirstPartyForCookies check
https://bugs.webkit.org/show_bug.cgi?id=258161
rdar://106997645

Reviewed by Alex Christensen.

Added a message check to validate that the process is allowed to add first
parties for cookies before allowing a call to addAllowedFirstPartyForCookies.

Adding this message check exposed a scenario where a service worker web
process could be spawned in a bad state without any allowed first parties.
An addAllowedFirstPartyForCookies call was added to prevent this bad state.

This error was caught by http/tests/cookies/same-site/fetch-in-cross-origin-service-worker.html

* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):

Originally-landed-as: 267815.439 at safari-7617-branch (33927ceba2d6). rdar://119596170
Canonical link: https://commits.webkit.org/272132@main


  Commit: fae7e4a1b9722c14512c35b546acd903e7299e92
      https://github.com/WebKit/WebKit/commit/fae7e4a1b9722c14512c35b546acd903e7299e92
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A JSTests/stress/int52rep-multiplication-with-overflow.js
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Int52Rep speculationCheck failed in DFG optimizations for the ArithMul operation.
https://bugs.webkit.org/show_bug.cgi?id=263707
rdar://117415514

Reviewed by Keith Miller.

The DFG ArithMul Int52Rep speculationCheck was using the binary form of the branchMul64
emitter to check for overflow of the multiplication.  The ARM64 version of this binary
form branchMul64 has a bug: it's re-using one of the src registers as the dest register.

The underlying ARM64 implementation of branchMul64 needs to execute 2 instructions:
mul and smulh.  Both of these instructions need to operate on the 2 source operands of
the multiplication.  By making the dest register the same as the src1 register, the mul
instruction, which comes first and computes dest, would trash src1.  Subsequently, smulh
is computed with a corrupted src1 value.

The fix is simple:
1. Change the DFG ArithMul to use the ternary form of branchMul64.  It will just do the
   right thing, and in fact, eliminates an unnecessary move instruction on ARM64.

2. Remove the ARM64 binary form of branchMul64.  It is now no longer used.

3. For robustness, change the ternary form of branchMul64 to also be resilient against
   the scenario where dest equals either src1 or src2.  This is achieved by computing
   smulh first, which stores its result into a scratch register.  Only after that, do
   we compute mul, which is now free to set dest and potentially overwrite src1 or src2.

* JSTests/stress/int52rep-multiplication-with-overflow.js: Added.
(foo):
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchMul64):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

Originally-landed-as: 267815.438 at safari-7617-branch (20a302272ec6). rdar://119596279
Canonical link: https://commits.webkit.org/272133@main
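The register-aliasing bug described in the commit message above, as an added C model (not JSC's assembler code and not part of this commit): `arm_mul` and `arm_smulh` are constructed stand-ins for the two ARM64 instructions, and the two `*_overflows` functions are hypothetical names contrasting the pre-fix emission order (mul first, dest aliasing src1) with the fixed order (smulh into a scratch register first).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the two ARM64 instructions the commit describes:
 * mul yields the low 64 bits of the product, smulh the high 64 bits of the
 * signed 128-bit product. Hypothetical helper names, not JSC's. */
static int64_t arm_mul(int64_t a, int64_t b) { return (int64_t)((uint64_t)a * (uint64_t)b); }
static int64_t arm_smulh(int64_t a, int64_t b) { return (int64_t)(((__int128)a * b) >> 64); }

/* A signed 64-bit multiply overflowed iff the high half is not the sign
 * extension of the low half. */
static bool overflowed(int64_t lo, int64_t hi) { return hi != (lo >> 63); }

/* Pre-fix binary form: dest aliases src1 and mul is emitted first, so smulh
 * then reads the already-overwritten src1. */
bool buggy_branch_mul64_overflows(int64_t src1, int64_t src2) {
    int64_t reg = src1;                 /* one register serves as dest and src1 */
    reg = arm_mul(reg, src2);           /* dest = low half; src1 is now trashed */
    int64_t hi = arm_smulh(reg, src2);  /* high half computed from corrupted src1 */
    return overflowed(reg, hi);
}

/* Fixed ternary form: smulh first into a scratch register, then mul is free
 * to overwrite dest even when dest == src1 or dest == src2. */
bool fixed_branch_mul64_overflows(int64_t src1, int64_t src2) {
    int64_t reg = src1;
    int64_t scratch = arm_smulh(reg, src2);
    reg = arm_mul(reg, src2);
    return overflowed(reg, scratch);
}

int main(void) {
    /* 2^62 * 4 = 2^64 does not fit in int64; the buggy order misses it. */
    printf("2^62*4    buggy=%d fixed=%d\n", buggy_branch_mul64_overflows(1LL << 62, 4),
           fixed_branch_mul64_overflows(1LL << 62, 4));
    /* 2^31 * 2^31 = 2^62 fits; the buggy order reports a spurious overflow. */
    printf("2^31*2^31 buggy=%d fixed=%d\n", buggy_branch_mul64_overflows(1LL << 31, 1LL << 31),
           fixed_branch_mul64_overflows(1LL << 31, 1LL << 31));
    return 0;
}
```

Both directions of error are visible: the aliased order can miss a real overflow and can flag a product that fits, which is why the fix orders smulh before mul rather than just avoiding one alias.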


  Commit: 1325b97c04cdb848f8ba167b6c7595dcd5ef0cc7
      https://github.com/WebKit/WebKit/commit/1325b97c04cdb848f8ba167b6c7595dcd5ef0cc7
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt
    A LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html
    M Source/WTF/wtf/URLParser.cpp

  Log Message:
  -----------
  [cf9aab29ad0894e2] heap-use-after-free | WTF::URLParser::parse; WTF::URLParser::URLParser; WTF::URL::URL
https://bugs.webkit.org/show_bug.cgi?id=263682
rdar://116995567

Reviewed by David Kilzer and Chris Dumez.

Modified WTF::URLParser::parse API so there is no invalid pointer reference to 'm_asciiBuffer' by 'StringView' after reallocation which results in invalid 'urlScheme'.

* LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector-expected.txt: Added user expected test result.
* LayoutTests/fast/parser/crash-urlparse-staleptr-stringview-to-vector.html: Added test case which causes reallocation of buffer.
* Source/WTF/wtf/URLParser.cpp: Modified below API
(WTF::URLParser::parse): Modified order of function calls so no invalid reference to buffer is made after reallocation resulting in invalid 'urlScheme'.

Originally-landed-as: 267815.437 at safari-7617-branch (e5674422c86e). rdar://119596267
Canonical link: https://commits.webkit.org/272134@main


Compare: https://github.com/WebKit/WebKit/compare/93de6d37c114...1325b97c04cd

