[webkit-changes] [WebKit/WebKit] 87a890: Cherry-pick 252432.940 at safari-7614-branch (e34a3c3...
David-Li-Jy
noreply at github.com
Wed Feb 1 00:49:32 PST 2023
Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit
Commit: 87a8908368977e945744a964b929bd136d7664a1
https://github.com/WebKit/WebKit/commit/87a8908368977e945744a964b929bd136d7664a1
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/Modules/websockets/WebSocketDeflater.cpp
Log Message:
-----------
Cherry-pick 252432.940 at safari-7614-branch (e34a3c3b5918). rdar://problem/80071711
Fix int overflow leading to OOB write
rdar://problem/80071711
Reviewed by Chris Dumez and Ryan Haddad.
* Source/WebCore/Modules/websockets/WebSocketDeflater.cpp:
(WebCore::WebSocketDeflater::addBytes):
(WebCore::WebSocketDeflater::finish):
(WebCore::WebSocketInflater::addBytes):
(WebCore::WebSocketInflater::finish):
* Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
(WebCore::RenderTreeBuilder::destroy):
(WebCore::RenderTreeBuilder::attach):
(WebCore::RenderTreeBuilder::attachToRenderElementInternal):
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::createTextRenderer):
Canonical link: https://commits.webkit.org/252432.940@safari-7614-branch
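Added example, not code from WebKit or from this commit: the change above is described only as "int overflow leading to OOB write" in the deflater/inflater addBytes and finish paths, so the block below shows the general hazard a reviewer would look for in a routine that appends to a buffer, a bounds check performed in a 32-bit size type (zlib's uInt is 32-bit; a plain int is the other common culprit) that wraps before it is compared. The function names, the constructed offsets and the hardened check are assumptions for illustration; the patched WebKit logic is not reproduced here.

```cpp
// Added example, not WebKit's code. Illustrates the 32-bit size-arithmetic
// hazard behind a bounds check that wraps; names and values are assumptions.
#include <cstdint>
#include <cstring>
#include <vector>

// Buggy shape: offset + length is computed in a 32-bit type, so a large offset
// plus a small length wraps to a small total and the check passes, after which
// the caller writes far past the buffer. Unsigned wraparound is used here so
// the demonstration is defined behaviour (signed int overflow would be UB).
bool naiveFits(uint32_t capacity, size_t offset, size_t length) {
    uint32_t total = static_cast<uint32_t>(offset) + static_cast<uint32_t>(length); // may wrap
    return total <= capacity;
}

// Hardened shape: stay in size_t, reject an offset already past the end, and
// subtract instead of add so no intermediate value can overflow.
bool checkedFits(size_t capacity, size_t offset, size_t length) {
    if (offset > capacity)
        return false;
    return length <= capacity - offset;
}

// Append only after the checked test; returns false instead of writing OOB.
bool appendBytes(std::vector<char>& out, size_t offset, const char* data, size_t length) {
    if (!checkedFits(out.size(), offset, length))
        return false;
    std::memcpy(out.data() + offset, data, length);
    return true;
}
```

The constructed input (offset 0xFFFFFFF0, length 0x20) wraps to a total of 16 in naiveFits and is accepted against a 64-byte capacity; checkedFits rejects it because the offset alone exceeds the capacity.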
Commit: d12a9865c45835577955174cc86da4bf000f4aa5
https://github.com/WebKit/WebKit/commit/d12a9865c45835577955174cc86da4bf000f4aa5
Author: Charlie Wolfe <charles_wolfe at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt
A LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html
A LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Cherry-pick 252432.942 at safari-7614-branch (d7af255eed5c). https://bugs.webkit.org/show_bug.cgi?id=241753
cross origin iframe load event can be used in a malicious way
https://bugs.webkit.org/show_bug.cgi?id=241753
rdar://95467115
Reviewed by Chris Dumez and Ryan Haddad.
This bug describes an issue where it is possible to guess a URL that is
redirected to by a cross-origin iframe. To fix this, WebKit should fire a
load event when the direct parent frame is cross-origin.
This fix is very similar to what is described in https://crbug.com/1248444.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadInSameDocument):
* LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload-expected.txt: Added.
* LayoutTests/http/tests/navigation/cross-origin-navigation-fires-onload.html: Added.
* LayoutTests/http/tests/navigation/resources/postmessage-on-hashchange.html: Added.
Canonical link: https://commits.webkit.org/252432.942@safari-7614-branch
Commit: a462ab39cd5284c9dda5a03b0c1b79112be2c715
https://github.com/WebKit/WebKit/commit/a462ab39cd5284c9dda5a03b0c1b79112be2c715
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt
A LayoutTests/fast/block/crash-empty-layoutStateStack.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Cherry-pick 256843.3 at webkit-2022.12-embargoed (1d7abcd180ab). https://bugs.webkit.org/show_bug.cgi?id=248771
Protect against empty layout state
https://bugs.webkit.org/show_bug.cgi?id=248771
Reviewed by Alan Baradlay.
Protect against empty layout state.
* LayoutTests/fast/block/crash-empty-layoutStateStack-expected.txt: Added.
* LayoutTests/fast/block/crash-empty-layoutStateStack.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::layoutPositionedObject):
(WebCore::RenderBlock::markForPaginationRelayoutIfNeeded):
Canonical link: https://commits.webkit.org/256843.3@webkit-2022.12-embargoed
Commit: 4cc83dae19c5dbcf96f740bac271505a041abea2
https://github.com/WebKit/WebKit/commit/4cc83dae19c5dbcf96f740bac271505a041abea2
Author: Philippe Normand <philn at igalia.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp
Log Message:
-----------
Cherry-pick 259419 at main (537d68a65fe7). https://bugs.webkit.org/show_bug.cgi?id=251142
[GStreamer][1.22] Critical warning in internal text combiner element
https://bugs.webkit.org/show_bug.cgi?id=251142
Reviewed by Xabier Rodriguez-Calvar.
The `concat` pad request was done with a pad template not belonging to the element, so instead use
the simple request-pad API and let the element figure out the pad template itself.
* Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp:
(webkitTextCombinerRequestNewPad):
Canonical link: https://commits.webkit.org/259419@main
Commit: fe00271b8218ea548c30f4618f51ff16cce3e638
https://github.com/WebKit/WebKit/commit/fe00271b8218ea548c30f4618f51ff16cce3e638
Author: Angela Izquierdo Garcia <a_izquierdogarcia at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h
Log Message:
-----------
Cherry-pick 252432.943 at safari-7614-branch (c6249012752b). https://bugs.webkit.org/show_bug.cgi?id=248288
Floating Point Exception in FEConvolveMatrixSoftwareApplier::applyPlatform
https://bugs.webkit.org/show_bug.cgi?id=248288
rdar://102137760
There is a division by zero because sometimes one of the two variables involved in a division (clipBottom and iterations) is much bigger than the other, and as C++ rounds down the result is zero, which leads to the subsequent exception.
Reviewed by Geoffrey Garen and David Kilzer.
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
(WebCore::FEConvolveMatrixSoftwareApplier::setInteriorPixels):
(WebCore::FEConvolveMatrixSoftwareApplier::applyPlatform const):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:
Canonical link: https://commits.webkit.org/252432.943@safari-7614-branch
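Added example, not code from WebKit or from this commit: the message above says the filter divides clipBottom by iterations, that the quotient rounds down to zero when iterations is the larger value, and that a later division then traps. The block below reproduces that truncation and shows the guard a reviewer would ask for when rows are split across a fixed number of iterations: clamp the iteration count to the row count so the per-iteration step is never zero, and spread the remainder so every range is non-empty. The function names and the partitioning scheme are assumptions; the actual WebKit fix is not reproduced.

```cpp
// Added example, not WebKit's code. Names and the partitioning scheme are
// assumptions chosen to illustrate the truncating-division failure mode.
#include <algorithm>
#include <utility>
#include <vector>

// Buggy shape: with clipBottom = 10 and iterations = 64 this returns 0, and
// any later "clipBottom / rowsPerIteration" raises SIGFPE.
int rowsPerIterationUnchecked(int clipBottom, int iterations) {
    return clipBottom / iterations;
}

// Hardened shape: never use more iterations than there are rows, and never
// fewer than one, so the step is always >= 1.
int clampedIterations(int clipBottom, int iterations) {
    return std::max(1, std::min(iterations, std::max(clipBottom, 1)));
}

// Split [0, clipBottom) into at most `iterations` non-empty [start, end) ranges.
std::vector<std::pair<int, int>> partitionRows(int clipBottom, int iterations) {
    std::vector<std::pair<int, int>> ranges;
    if (clipBottom <= 0)
        return ranges;                      // nothing to do, and no division at all
    int n = clampedIterations(clipBottom, iterations);
    int step = clipBottom / n;              // >= 1 because n <= clipBottom
    int extra = clipBottom % n;             // remainder rows go to the first ranges
    int start = 0;
    for (int i = 0; i < n; ++i) {
        int end = start + step + (i < extra ? 1 : 0);
        ranges.emplace_back(start, end);
        start = end;
    }
    return ranges;
}
```

For 10 rows and 64 requested iterations the unchecked quotient is 0, while partitionRows hands back 10 single-row ranges; for 100 rows and 8 iterations the first four ranges get 13 rows and the rest 12, covering every row exactly once.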
Commit: 752cd835e110da78f58fae8154ea8e746ba76d30
https://github.com/WebKit/WebKit/commit/752cd835e110da78f58fae8154ea8e746ba76d30
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html
A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt
A LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html
R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt
R LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html
A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html
A LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html
R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html
R LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html
M LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html
M Source/WebCore/history/CachedPage.cpp
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm
Log Message:
-----------
Cherry-pick 252432.944 at safari-7614-branch (50b1632f78ae). https://bugs.webkit.org/show_bug.cgi?id=248716
Tweak back/forward list hijacking prevention logic
https://bugs.webkit.org/show_bug.cgi?id=248716
rdar://102923240
Reviewed by Geoffrey Garen and Ryan Haddad.
Tweak back/forward list hijacking prevention logic for better protection and to
align our behavior with Chrome.
In particular, let's consider this example:
Yahoo -> Yahoo#a (no user interaction) -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)
If we're currently on Google#b and navigate backwards:
- Old behavior: We load Google
- New behavior: We load Yahoo#a
The new behavior makes sense since the user feels like they are on Google
(since Google#a & Google#b happened without user interaction) and the last
page they viewed before Google was Yahoo#b.
If we're on Yahoo#a and navigate forwards:
- Old behavior: We load Google
- New behavior: We load Google#b
The new behavior makes sense as a symmetry to the case above.
Now let's consider this example:
Yahoo -> Yahoo#a (no userInteraction) -> Google
If we're on Google and navigate backwards:
- Old behavior: we load Yahoo
- New behavior: We load Yahoo#a
Finally, with this example:
Yahoo -> Google -> Google#a (no user interaction) -> Google#b (no user interaction)
If we're on Yahoo and navigate forwards:
- Old behavior: We load Google
- New behavior: We load Google#b
This patch also changes the behavior of the popstate event. We used to fire the
popstate event for navigations that were not within the same document. However,
this behavior wasn't aligned with the specification [1] or with other browsers.
The exploit attached to the radar was also relying on this event to hijack the
back/forward navigation and lock the user on a specific site.
I updated our code so that the popstate is now only fired for same-document
navigations and I updated our tests accordingly. I have verified that our
behavior is consistent with Blink on these new test versions.
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-expected.txt:
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back-with-fragment-scroll-expected.txt:
* LayoutTests/fast/loader/stateobjects/document-destroyed-navigate-back.html:
* LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache-expected.txt: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache-expected.txt.
* LayoutTests/fast/loader/stateobjects/popstate-does-not-fire-with-page-cache.html: Renamed from LayoutTests/fast/loader/stateobjects/popstate-fires-with-page-cache.html.
* LayoutTests/fast/loader/stateobjects/replacestate-in-iframe-expected.txt:
* LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-1.html: Renamed from LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-1.html.
* LayoutTests/fast/loader/stateobjects/resources/popstate-does-not-fire-with-page-cache-2.html: Added.
* LayoutTests/fast/loader/stateobjects/resources/popstate-fires-with-page-cache-2.html: Removed.
* LayoutTests/fast/loader/stateobjects/resources/replacestate-in-iframe-window-child.html:
* Source/WebCore/history/CachedPage.cpp:
(WebCore::firePageShowEvent):
(WebCore::CachedPage::restore):
(WebCore::firePageShowAndPopStateEvents): Deleted.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
(WebCore::FrameLoader::transitionToCommitted):
* Source/WebCore/loader/FrameLoader.h:
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::itemSkippingBackForwardItemsAddedByJSWithoutUserGesture):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardList.mm:
(runBackForwardNavigationSkipsItemsWithoutUserGestureTest):
(TEST):
(runBackForwardNavigationDoesNotSkipItemsWithUserGestureTest):
Canonical link: https://commits.webkit.org/252432.944@safari-7614-branch
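Added example, not code from WebKit or from this commit: a small model of the old and new back/forward skipping rules, reconstructed from the four old-vs-new scenarios in the message above. Each history entry records whether it was added by script without a user gesture (the fragment navigations such as Yahoo#a). The shipped logic lives in WebKit::itemSkippingBackForwardItemsAddedByJSWithoutUserGesture and may differ in detail; the Entry struct, the two functions and the three sample histories are assumptions built to reproduce the stated outcomes.

```cpp
// Added example, not WebKit's code. Reconstructs the back/forward skipping
// rule from the commit message's examples; names are assumptions.
#include <string>
#include <vector>

struct Entry {
    std::string url;
    bool addedByJSWithoutUserGesture; // e.g. a fragment navigation like Yahoo#a
};

// Old behaviour: skip the entries that were themselves added without a gesture.
std::string oldTarget(const std::vector<Entry>& list, int current, int direction) {
    int n = (int)list.size();
    int i = current + direction;
    while (i >= 0 && i < n && list[i].addedByJSWithoutUserGesture)
        i += direction;
    return (i >= 0 && i < n) ? list[i].url : "";
}

// New behaviour: a user-initiated entry plus the gesture-less entries that
// followed it form one run; back/forward lands on the last entry of the
// adjacent run, the page the user actually last saw on that site.
std::string newTarget(const std::vector<Entry>& list, int current, int direction) {
    int n = (int)list.size();
    int i = current + direction;
    if (i < 0 || i >= n)
        return "";
    if (direction < 0) {
        // Going back: keep stepping while the entry we just left was
        // gesture-less, so the whole run of the current site is skipped.
        while (i > 0 && list[i + 1].addedByJSWithoutUserGesture)
            --i;
    } else {
        // Going forward: extend to the end of the run that starts at i.
        while (i + 1 < n && list[i + 1].addedByJSWithoutUserGesture)
            ++i;
    }
    return list[i].url;
}

// The three histories from the commit message (constructed sample data).
const std::vector<Entry> historyA = {
    {"Yahoo", false}, {"Yahoo#a", true}, {"Google", false}, {"Google#a", true}, {"Google#b", true}};
const std::vector<Entry> historyB = {{"Yahoo", false}, {"Yahoo#a", true}, {"Google", false}};
const std::vector<Entry> historyC = {{"Yahoo", false}, {"Google", false}, {"Google#a", true}, {"Google#b", true}};
```

The same rule is what defeats the trap described in the message: a site that pushes any number of fragment entries without a gesture is left in a single back step, because every entry it added belongs to its own run.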
Commit: 704856b4b9e8c85b8720ca91634817eb6f790956
https://github.com/WebKit/WebKit/commit/704856b4b9e8c85b8720ca91634817eb6f790956
Author: Nikolaos Mouchtaris <nmouchtaris at apple.com>
Date: 2023-02-01 (Wed, 01 Feb 2023)
Changed paths:
A LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element-expected.txt
A LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element.html
A LayoutTests/fast/scrolling/mac/smooth-scroll-iframe-expected.txt
A LayoutTests/fast/scrolling/mac/smooth-scroll-iframe.html
A LayoutTests/fast/scrolling/resources/smooth-scroll-iframe-helper-iframe.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/page/FrameView.cpp
M Source/WebCore/page/FrameView.h
M Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp
M Source/WebCore/platform/ScrollAnimator.cpp
M Source/WebCore/platform/ScrollableArea.h
M Source/WebCore/rendering/RenderLayerScrollableArea.cpp
M Source/WebCore/rendering/RenderLayerScrollableArea.h
Log Message:
-----------
Cherry-pick 257665 at main (b08436732d9d). https://bugs.webkit.org/show_bug.cgi?id=245300
REGRESSION (251454 at main): Setting scrollTop on fixed element with overflow breaks scrolling on a 'overscroll-behavior:none' page
https://bugs.webkit.org/show_bug.cgi?id=245300
<rdar://100057532>
Reviewed by Simon Fraser.
This fixes a few issues with https://commits.webkit.org/251454@main. The first is the fix was originally only intended for
scroll-behavior: smooth, so only add the scrollable area when we are doing an animated scroll. The second is to be more
strict when these non-user scrollable areas are in the frame view's list of scrollable areas. We accomplish this by
adding a call when the animation completes to updateScrollableAreaSet, which will determine if the particular scrollable
area should be in the set after the animation completes. Finally, we add a check to absoluteEventTrackingRegionsForFrame(),
to see if the scrollable area was added only because it needed to do an animation.
* LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element-expected.txt: Added.
* LayoutTests/fast/scrolling/mac/smooth-scroll-fixed-element.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::runScrollSteps):
* Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:
(WebCore::AsyncScrollingCoordinator::animatedScrollDidEndForNode):
* Source/WebCore/page/scrolling/ScrollingCoordinator.cpp:
(WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const):
* Source/WebCore/platform/ScrollAnimator.cpp:
(WebCore::ScrollAnimator::didStopAnimatedScroll):
* Source/WebCore/platform/ScrollableArea.h:
(WebCore::ScrollableArea::animatedScrollDidEnd):
* Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
(WebCore::RenderLayerScrollableArea::scrollToOffset):
(WebCore::RenderLayerScrollableArea::registerScrollableAreaForAnimatedScroll):
(WebCore::RenderLayerScrollableArea::animatedScrollDidEnd):
(WebCore::RenderLayerScrollableArea::registerScrollableArea): Deleted.
* Source/WebCore/rendering/RenderLayerScrollableArea.h:
Canonical link: https://commits.webkit.org/257665@main
Commit: cc59c39e9af8434458f041aaca11f60bc1f0f16d
https://github.com/WebKit/WebKit/commit/cc59c39e9af8434458f041aaca11f60bc1f0f16d
Author: Nikolaos Mouchtaris <nmouchtaris at apple.com>
Date: 2023-02-01 (Wed, 01 Feb 2023)
Changed paths:
A LayoutTests/fast/scrolling/mac/smooth-scroll-crash-expected.txt
A LayoutTests/fast/scrolling/mac/smooth-scroll-crash.html
M Source/WebCore/rendering/RenderLayerScrollableArea.cpp
Log Message:
-----------
Cherry-pick 252432.947 at safari-7614-branch (2d531cf29dfa). https://bugs.webkit.org/show_bug.cgi?id=249242
jsc_fuz/wktr: heap-use-after-free in WebCore::ScrollableArea::existingScrollAnimator() const ScrollableArea.h:188
https://bugs.webkit.org/show_bug.cgi?id=249242
<rdar://103294792>
Reviewed by Simon Fraser and Ryan Haddad.
Remove scrollable area from m_scrollableAreasForAnimatedScroll
if scrollable area will be destroyed.
* LayoutTests/fast/scrolling/mac/smooth-scroll-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/mac/smooth-scroll-crash.html: Added.
* Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
(WebCore::RenderLayerScrollableArea::clear):
Canonical link: https://commits.webkit.org/252432.947@safari-7614-branch
Commit: 1ae8226dbb800c3ef7b3b540c7692fe85d1c4e77
https://github.com/WebKit/WebKit/commit/1ae8226dbb800c3ef7b3b540c7692fe85d1c4e77
Author: David Li <jingye_li at apple.com>
Date: 2023-02-01 (Wed, 01 Feb 2023)
Changed paths:
A LayoutTests/webgl/webgl-multi-draw-noop-expected.txt
A LayoutTests/webgl/webgl-multi-draw-noop.html
M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp
M Source/ThirdParty/ANGLE/src/libANGLE/Context.h
M Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h
Log Message:
-----------
Cherry-pick 252432.953 at safari-7614-branch (e46603d76e04). rdar://94118546
[ANGLE] Add no-op check for ANGLE WEBGL_multi_draw functions
rdar://94118546
Reviewed by Jonathan Bedard and Kimmo Kinnunen.
* LayoutTests/webgl/webgl-multi-draw-noop-expected.txt: Added.
* LayoutTests/webgl/webgl-multi-draw-noop.html: Added.
* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::multiDrawArrays):
(gl::Context::multiDrawArraysInstanced):
(gl::Context::multiDrawElements):
(gl::Context::multiDrawElementsInstanced):
(gl::Context::multiDrawArraysInstancedBaseInstance):
(gl::Context::multiDrawElementsInstancedBaseVertexBaseInstance):
* Source/ThirdParty/ANGLE/src/libANGLE/Context.h:
* Source/ThirdParty/ANGLE/src/libANGLE/Context.inl.h:
(gl::Context::noopMultiDraw const):
Canonical link: https://commits.webkit.org/252432.953@safari-7614-branch
Compare: https://github.com/WebKit/WebKit/compare/35ecde32dfff...1ae8226dbb80