[webkit-changes] [WebKit/WebKit] 68c440: Branch point for webkit-2023.2-embargoed

Rob Buis noreply at github.com
Fri Feb 17 07:35:58 PST 2023 

  Branch: refs/heads/webkit-2023.2-embargoed
  Home:   https://github.com/WebKit/WebKit
  Commit: 68c44009f220b31e590385b9420c86734543b1d2
      https://github.com/WebKit/WebKit/commit/68c44009f220b31e590385b9420c86734543b1d2
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:

  Log Message:
  -----------
  Branch point for webkit-2023.2-embargoed

Canonical link: https://commits.webkit.org/260286.1@webkit-2023.2-embargoed


  Commit: d18363c6c4ced4892e1875799dc7cba4b6e9b834
      https://github.com/WebKit/WebKit/commit/d18363c6c4ced4892e1875799dc7cba4b6e9b834
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
    A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
    M Source/WebCore/rendering/RenderLayerModelObject.cpp

  Log Message:
  -----------
  Cherry-pick 256843.4 at webkit-2022.12-embargoed (6234ec9c65b9). rdar://102808328

    Do not issue repaints when in detached state
    https://bugs.webkit.org/show_bug.cgi?id=248773
    rdar://102808328

    Reviewed by Antti Koivisto.

    Do not issue repaints when the RenderObject is in detached state while removing render subtrees.

    * LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
    * LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
    * Source/WebCore/rendering/RenderLayerModelObject.cpp:
    (WebCore::RenderTableCell::willBeRemovedFromTree const):

    Canonical link: https://commits.webkit.org/256843.4@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.2@webkit-2023.2-embargoed


  Commit: 92dee4feedbf5f6d2aef96496b09326d8a2fcfe0
      https://github.com/WebKit/WebKit/commit/92dee4feedbf5f6d2aef96496b09326d8a2fcfe0
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
    A LayoutTests/fast/css/content/quote-display-contents-crash.html
    M Source/WebCore/dom/Element.cpp

  Log Message:
  -----------
  Cherry-pick 256843.5 at webkit-2022.12-embargoed (312254f5776d). rdar://102807985

    Check displayContentsChanged in destroyRenderTreeIfNeeded
    https://bugs.webkit.org/show_bug.cgi?id=248776
    rdar://102807985>

    Reviewed by Antti Koivisto.

    Check displayContentsChanged in destroyRenderTreeIfNeeded since
    display: contents may be removed due to focus removal while
    removing subtrees but we still need to clean up pseudo elements.

    * LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
    * LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
    * Source/WebCore/dom/ContainerNode.cpp:
    (WebCore::destroyRenderTreeIfNeeded):
    * Source/WebCore/dom/Element.cpp:
    (WebCore::Element::resolveComputedStyle):

    Canonical link: https://commits.webkit.org/256843.5@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.3@webkit-2023.2-embargoed


  Commit: 553700646910e53691d7c87dea6500265104f2cd
      https://github.com/WebKit/WebKit/commit/553700646910e53691d7c87dea6500265104f2cd
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
    A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
    M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp

  Log Message:
  -----------
  Cherry-pick 256843.6 at webkit-2022.12-embargoed (c4c0ef6360b2). rdar://102808104

    Verify that style update roots are for correct document
    https://bugs.webkit.org/show_bug.cgi?id=248775
    rdar://102808104

    Reviewed by Antti Koivisto.

    Verify that style update roots are for the correct document since
    we may be dealing with a pending update on an element/text node that
    moved to another document.

    * LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
    * LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
    * Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
    (WebCore::RenderTreeUpdater::commit):

    Canonical link: https://commits.webkit.org/256843.6@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.4@webkit-2023.2-embargoed


  Commit: fc9a39453ba0c1a619e3444eb2530c36a8731389
      https://github.com/WebKit/WebKit/commit/fc9a39453ba0c1a619e3444eb2530c36a8731389
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt
    A LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html
    M Source/WebCore/rendering/RenderObject.cpp
    M Source/WebCore/rendering/RenderObject.h

  Log Message:
  -----------
  Cherry-pick 256843.7 at webkit-2022.12-embargoed (3b92d70ba3ea). rdar://98438399

    Do not skip fragmented flow thread descendents
    https://bugs.webkit.org/show_bug.cgi?id=245374
    rdar://98438399

    Reviewed by Alan Baradlay.

    Do not skip fragmented flow thread descendents in initializeFragmentedFlowStateOnInsertion
    since its children may have a different state based on the inserted fragmented
    flow thread. When a fragmented flow thread is removed there is no effect on the inner
    fragmented flow threads so that behaviour is unchenged.

    * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/nested-columns-out-of-flow-crash.html: Added.
    * Source/WebCore/rendering/RenderObject.cpp:
    (WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
    (WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
    * Source/WebCore/rendering/RenderObject.h:

    Canonical link: https://commits.webkit.org/256843.7@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.5@webkit-2023.2-embargoed


  Commit: 02347a3a82ac055e6917df761056a5a9b77e1666
      https://github.com/WebKit/WebKit/commit/02347a3a82ac055e6917df761056a5a9b77e1666
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html
    A LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
  Cherry-pick 256843.8 at webkit-2022.12-embargoed (fe2f16c1dabe). rdar://104134023

    Recalculate normal flow value in RenderLayer::establishesTopLayerDidChange
    https://bugs.webkit.org/show_bug.cgi?id=251013

    Reviewed by Tim Nguyen.

    In RenderLayer::rebuildZOrderLists the RenderView layer makes sure the layers for dialogs/top-level elements are appended after
    everything else in the positive z-order list. When removing the dialog layer, dirtyPaintOrderListsOnChildChange will be called
    and since it is not a normal only flow everything will be handled correctly through dirtyStackingContextZOrderLists.

    In the test case the behaviour is the same until dirtyPaintOrderListsOnChildChange is called on the dialog layer removal. Now that
    layer to be removed *is* a normal only flow (the element is no longer positioned and has non visible overflow, see
    RenderLayer::shouldBeNormalFlowOnly). This means the positive z-order list is unchanged and the deleted layer still part of it.
    When the test cleanup code does a final repaint, the RenderView positive z-order list is processed as normal and when trying to
    access the deleted layer the UAF happens.

    To fix this, make sure the normal flow value is correct when adding the layer in RenderLayer::establishesTopLayerDidChange.

    * LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash-expected.html: Added.
    * LayoutTests/fast/layers/normal-flow-dialog-remove-layer-crash.html: Added.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::establishesTopLayerDidChange):

    Canonical link: https://commits.webkit.org/256843.8@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.6@webkit-2023.2-embargoed


  Commit: 1d078489fdd98b313694c29f43d0a6d6bd150b17
      https://github.com/WebKit/WebKit/commit/1d078489fdd98b313694c29f43d0a6d6bd150b17
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/css/content/content-on-focus-change-expected.txt
    A LayoutTests/fast/css/content/content-on-focus-change.html

  Log Message:
  -----------
  Cherry-pick 256843.9 at webkit-2022.12-embargoed (4c3dcd480f7e). rdar://104256993

    Test display contents change on focus change
    https://bugs.webkit.org/show_bug.cgi?id=251014

    Reviewed by Tim Nguyen.

    * LayoutTests/fast/css/content/content-on-focus-change-expected.txt: Added.
    * LayoutTests/fast/css/content/content-on-focus-change.html: Added.

    Canonical link: https://commits.webkit.org/256843.9@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.7@webkit-2023.2-embargoed


  Commit: c5cf037a9b08e0daacb259461329ce915f954d42
      https://github.com/WebKit/WebKit/commit/c5cf037a9b08e0daacb259461329ce915f954d42
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt
    A LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html

  Log Message:
  -----------
  Cherry-pick 256843.10 at webkit-2022.12-embargoed (b7f9b7f4679b). rdar://102808942

    Add test for element's display contents change on sibling removal
    https://bugs.webkit.org/show_bug.cgi?id=248772

    Reviewed by Tim Nguyen.

    This was already fixed with #248776, but add the test for completeness.

    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal-expected.txt: Added.
    * LayoutTests/fast/dom/element-clearing-display-contents-on-node-removal.html: Added.

    Canonical link: https://commits.webkit.org/256843.10@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.8@webkit-2023.2-embargoed


  Commit: 482439c8ecdb5a274c7ca18054c1d5d4d7519cc3
      https://github.com/WebKit/WebKit/commit/482439c8ecdb5a274c7ca18054c1d5d4d7519cc3
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-02-14 (Tue, 14 Feb 2023)

  Changed paths:
    A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt
    A LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html

  Log Message:
  -----------
  Cherry-pick 256843.11 at webkit-2022.12-embargoed (7d616c4d06eb). rdar://98898374

    Add crash test for disconnected frame switching to eager
    https://bugs.webkit.org/show_bug.cgi?id=245377

    Reviewed by Ryosuke Niwa.

    Add crash test for disconnected frame switching to eager.

    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash-expected.txt: Added.
    * LayoutTests/fast/frames/disconnected-frame-set-to-eager-crash.html: Added.

    Canonical link: https://commits.webkit.org/256843.11@webkit-2022.12-embargoed

Canonical link: https://commits.webkit.org/260286.9@webkit-2023.2-embargoed


Compare: https://github.com/WebKit/WebKit/compare/68c44009f220%5E...482439c8ecdb

More information about the webkit-changes mailing list