[webkit-changes] [WebKit/WebKit] 294263: CloneDeserializer::readTerminal() should fail deco...

NKRosario noreply at github.com
Fri Dec 15 11:16:20 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 294263160d19f7909f691abbed510e6506a6d4ee
      https://github.com/WebKit/WebKit/commit/294263160d19f7909f691abbed510e6506a6d4ee
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  CloneDeserializer::readTerminal() should fail decoding if tag is not exposed to current JS context
https://bugs.webkit.org/show_bug.cgi?id=262921
rdar://115756703

Reviewed by Mark Lam.

In 265678 at main, I added a check to make sure the type getting deserialized was exposed to the
current JS context (e.g. audio worklet contexts don't have access to many of the types that
Window contexts do). I added an early return when detecting this but failed to call `fail()`
to explicitly fail decoding.

* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):

Originally-landed-as: 267815.245 at safari-7617-branch (bf21fed44b35). rdar://119577123
Canonical link: https://commits.webkit.org/272136@main


  Commit: 0fa1c15c77c2df1f269442704135c8f416d3ab64
      https://github.com/WebKit/WebKit/commit/0fa1c15c77c2df1f269442704135c8f416d3ab64
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/content-visibility-crash-expected.txt
    A LayoutTests/fast/css/content-visibility-crash.html
    M Source/WebCore/dom/ContentVisibilityDocumentState.cpp

  Log Message:
  -----------
  Check m_elementViewportProximities lookup
https://bugs.webkit.org/show_bug.cgi?id=262061
rdar://115978526

Reviewed by Tim Nguyen.

It is possible a lookup in m_elementViewportProximities fails
to find an element, in that case do not use the iterator and
treat the viewport proximity as "far".

* LayoutTests/fast/css/content-visibility-crash-expected.txt: Added.
* LayoutTests/fast/css/content-visibility-crash.html: Added.
* Source/WebCore/dom/ContentVisibilityDocumentState.cpp:
(WebCore::ContentVisibilityDocumentState::checkRelevancyOfContentVisibilityElement const):

Originally-landed-as: 268451.2 at webkit-2023.9-embargoed (334d4db2351c). rdar://119566027
Canonical link: https://commits.webkit.org/272137@main


  Commit: 637470b5995fdf7e04b974ad1935b8f7da312f75
      https://github.com/WebKit/WebKit/commit/637470b5995fdf7e04b974ad1935b8f7da312f75
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm

  Log Message:
  -----------
  REGRESSION: OOB read in RemoteLayerTreeDrawingAreaProxy::commitLayerTree
https://bugs.webkit.org/show_bug.cgi?id=262977
<rdar://116651090>

Reviewed by Tim Horton and Chris Dumez.

Post-commit callbacks can run arbitrary code, including code that results in the drawing
area being removed. It's not ref-counted, so we can't prevent its destruction if we recurse
into code that destroys it.

Instead, use a WeakPtr to |this| to check if destruction happens, and avoid doing
any further work.

* Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:
(WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction):

Originally-landed-as: 267815.273 at safari-7617-branch (5257e528b2d7). rdar://119564982
Canonical link: https://commits.webkit.org/272138@main
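The pattern the commit describes, shown as an added stand-alone C++ example (not WebKit's code; it uses a hand-rolled shared "alive" flag in place of WTF::WeakPtr, and the class and callback names are invented): a non-ref-counted object runs post-commit callbacks that may destroy it, so it holds a weak handle before running them and bails out if the handle reports the object is gone.

```cpp
// Added example, not WebKit code. Demonstrates guarding a non-ref-counted
// object against callbacks that destroy it mid-method, using a weak "alive"
// flag instead of WTF::WeakPtr. All names here are hypothetical.
#include <cassert>
#include <functional>
#include <memory>
#include <vector>

class DrawingAreaProxy {
public:
    ~DrawingAreaProxy() { *m_alive = false; }  // weak handles see the death

    void addPostCommitCallback(std::function<void()> cb) {
        m_callbacks.push_back(std::move(cb));
    }

    // Returns true if post-commit bookkeeping ran, false if a callback
    // destroyed this object and the method stopped touching members.
    bool commitLayerTree() {
        std::shared_ptr<bool> alive = m_alive;     // hold the flag, not |this|
        auto callbacks = std::move(m_callbacks);   // local copy: survives |this|
        m_callbacks.clear();
        for (auto& cb : callbacks)
            cb();                                  // may delete |this|
        if (!*alive)
            return false;  // any member access past this point is a UAF
        ++m_commitsCompleted;
        return true;
    }

    int commitsCompleted() const { return m_commitsCompleted; }

private:
    std::shared_ptr<bool> m_alive = std::make_shared<bool>(true);
    std::vector<std::function<void()>> m_callbacks;
    int m_commitsCompleted = 0;
};

// Owner of the drawing area; a callback can tear it down via this object.
struct Page {
    std::unique_ptr<DrawingAreaProxy> drawingArea = std::make_unique<DrawingAreaProxy>();
};

// Benign case: the callback leaves the drawing area alone.
bool commitWithBenignCallback() {
    Page page;
    int fired = 0;
    page.drawingArea->addPostCommitCallback([&] { ++fired; });
    bool ok = page.drawingArea->commitLayerTree();
    return ok && fired == 1 && page.drawingArea->commitsCompleted() == 1;
}

// Hostile case: the callback destroys the drawing area during the commit.
// Without the alive check, ++m_commitsCompleted would write freed memory.
bool commitWithDestroyingCallback() {
    Page page;
    DrawingAreaProxy* raw = page.drawingArea.get();
    raw->addPostCommitCallback([&page] { page.drawingArea.reset(); });
    bool ok = raw->commitLayerTree();
    return !ok && page.drawingArea == nullptr;
}

int main() {
    assert(commitWithBenignCallback());
    assert(commitWithDestroyingCallback());
    return 0;
}
```

The key design point is that the method captures the weak handle and moves the callback list into locals before invoking anything, so the only post-callback member access is guarded by the flag; run it under ASan with the `if (!*alive)` line removed to see the write to freed memory.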


  Commit: d385faf9aa709767d45073b35f385a9566e236a8
      https://github.com/WebKit/WebKit/commit/d385faf9aa709767d45073b35f385a9566e236a8
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    A LayoutTests/fast/css/create-columns-onload-crash-expected.txt
    A LayoutTests/fast/css/create-columns-onload-crash.html
    M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  -----------
  jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) downcast(Source &) [Target = WebCore::CSSFunctionValue, Source = const WebCore::CSSValue]
rdar://115107618

Reviewed by Chris Dumez.

Downcast was attempted before ensuring type is correct, so added a typecheck before downcast.

* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::createGridTrackSize): added typecheck before downcast

Originally-landed-as: 267815.304 at safari-7617-branch (395cb173896a). rdar://119564042
Canonical link: https://commits.webkit.org/272139@main
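The fix is a type check ahead of a downcast. As an added illustration (not WebCore's code; the tiny CSSValue hierarchy, the type tag and the `is<T>`/`downcast<T>` helpers are a sketch of the idiom, not WebCore's implementation), the example below shows the guarded form: `is<T>` is consulted before `downcast<T>`, so a non-function value takes the fallback path instead of an invalid cast.

```cpp
// Added example, not WebCore code. A minimal tagged class hierarchy with
// is<T>/downcast<T> helpers, showing the check-before-downcast idiom.
// All class and function names are hypothetical stand-ins.
#include <cassert>
#include <string>

class CSSValue {
public:
    enum class Kind { Primitive, Function };
    explicit CSSValue(Kind k) : m_kind(k) {}
    virtual ~CSSValue() = default;
    Kind kind() const { return m_kind; }
private:
    Kind m_kind;
};

class CSSPrimitiveValue : public CSSValue {
public:
    explicit CSSPrimitiveValue(double v) : CSSValue(Kind::Primitive), m_value(v) {}
    double value() const { return m_value; }
private:
    double m_value;
};

class CSSFunctionValue : public CSSValue {
public:
    explicit CSSFunctionValue(std::string name) : CSSValue(Kind::Function), m_name(std::move(name)) {}
    const std::string& name() const { return m_name; }
private:
    std::string m_name;
};

// is<T>: cheap tag check that never dereferences beyond the base class.
template<typename T> bool is(const CSSValue&);
template<> bool is<CSSFunctionValue>(const CSSValue& v) { return v.kind() == CSSValue::Kind::Function; }
template<> bool is<CSSPrimitiveValue>(const CSSValue& v) { return v.kind() == CSSValue::Kind::Primitive; }

// downcast<T>: asserts the tag. With assertions on a wrong cast is a crash
// (the ASSERTION FAILED in the commit title); with them off it is a type
// confusion, which is why callers must check first.
template<typename T> const T& downcast(const CSSValue& v) {
    assert(is<T>(v));
    return static_cast<const T&>(v);
}

// Guarded caller: the typecheck precedes the downcast, so a primitive value
// returns an empty string rather than tripping the assertion.
std::string functionNameOrEmpty(const CSSValue& v) {
    if (!is<CSSFunctionValue>(v))
        return {};
    return downcast<CSSFunctionValue>(v).name();
}

int main() {
    assert(functionNameOrEmpty(CSSFunctionValue("minmax")) == "minmax");
    assert(functionNameOrEmpty(CSSPrimitiveValue(12.0)).empty());
    return 0;
}
```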


Compare: https://github.com/WebKit/WebKit/compare/4629f05354c3...d385faf9aa70


More information about the webkit-changes mailing list