[webkit-changes] [WebKit/WebKit] 60635d: Versioning.
Aditya Keerthi
noreply at github.com
Tue Jan 31 17:48:30 PST 2023
Branch: refs/tags/WebKit-7615.1.19
Home: https://github.com/WebKit/WebKit
Commit: 60635d719037e2e723734d9c86c6c91806d4a28f
https://github.com/WebKit/WebKit/commit/60635d719037e2e723734d9c86c6c91806d4a28f
Author: Alan Coon <alancoon at apple.com>
Date: 2023-01-30 (Mon, 30 Jan 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7615.1.19
Canonical link: https://commits.webkit.org/259548.1@safari-7615-branch
Commit: b82676592fa369882f94330e8ab345956415f771
https://github.com/WebKit/WebKit/commit/b82676592fa369882f94330e8ab345956415f771
Author: Brent Fulgham <bfulgham at apple.com>
Date: 2023-01-30 (Mon, 30 Jan 2023)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
Log Message:
-----------
Cherry-pick c4d95cca9a1f. rdar://problem/104830750
Revert `FullScreenEnabled` feature flag from `internal` back to `embedder`
https://bugs.webkit.org/show_bug.cgi?id=251390
<rdar://104830750>
Reviewed by Tim Nguyen.
The `FullScreenEnabled` preference is not meant to be an internal debugging
toggle, so should be labeled as `embedder`.
This patch is a partial revert of 259054@main.
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
Canonical link: https://commits.webkit.org/259586@main
Canonical link: https://commits.webkit.org/259548.2@safari-7615-branch
Commit: e8f7233310fd9bcb67c6fdc4387363dea01ee243
https://github.com/WebKit/WebKit/commit/e8f7233310fd9bcb67c6fdc4387363dea01ee243
Author: David Li <jingye_li at apple.com>
Date: 2023-01-30 (Mon, 30 Jan 2023)
Changed paths:
A LayoutTests/animations/animation-set-effect-expected.txt
A LayoutTests/animations/animation-set-effect.html
M Source/WebCore/animation/CSSAnimation.cpp
Log Message:
-----------
Cherry-pick 252432.1013@safari-7614-branch (1d545c7ebfef). rdar://104831379
[Web Animations] CSSAnimation::setBindingsEffect should also add KeyFrames to overriddenProperties
rdar://102137788
Reviewed by Jonathan Bedard and Antoine Quint.
* LayoutTests/animations/animation-set-effect-expected.txt: Added.
* LayoutTests/animations/animation-set-effect.html: Added.
* Source/WebCore/animation/CSSAnimation.cpp:
(WebCore::CSSAnimation::setBindingsEffect):
Canonical link: https://commits.webkit.org/252432.1013@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.3@safari-7615-branch
Commit: 9fa8efe1b2e2564a89db574400a0c9c25beb0a73
https://github.com/WebKit/WebKit/commit/9fa8efe1b2e2564a89db574400a0c9c25beb0a73
Author: Sihui Liu <sihui_liu at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M LayoutTests/platform/ios/TestExpectations
M Source/WebKit/NetworkProcess/storage/SQLiteStorageArea.cpp
Log Message:
-----------
Cherry-pick 4590ce7d98b4. rdar://problem/104498135
REGRESSION (256863@main): [ iOS ] imported/w3c/web-platform-tests/webstorage/storage_local_window_open.window.html is a consistent timeout
https://bugs.webkit.org/show_bug.cgi?id=250922
rdar://104498135
Reviewed by Chris Dumez.
Currently quota check of LocalStorage is performed in both web process (StorageAreaMap) and network process
(SQLiteStorageArea). Web process only sends a setting item request to network process when the local quota check passes.
The issue is that they calculate usage differently: web process calculates usage based on size of string (WebCore::StorageMap)
and network process uses database file size. Also network process stores upconverted characters in database
(SQLiteStorageArea stores value as blob and SQLiteStatement::bindBlob upconverts characters). The result is web process
may send more requests to network process than it is supposed to.
For example, in the failing test, web process can send about 5000 setItem requests to network process, and network
process will start returning errors after finishing about 2500 requests. Since 256863@main, network process will include all
stored items in the request reply when a request fails, so that web process can sync its local cache and two processes
have a consistent view of data. The reason the test starts to fail is reading all items takes time, and there are too
many failed requests.
To fix this issue, this patch increases database size limit to 10MB (double of quota), which should make quota check
results in different processes closer.
* LayoutTests/platform/ios/TestExpectations:
* Source/WebKit/NetworkProcess/storage/SQLiteStorageArea.cpp:
(WebKit::SQLiteStorageArea::prepareDatabase):
Canonical link: https://commits.webkit.org/259571@main
Canonical link: https://commits.webkit.org/259548.5@safari-7615-branch
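The mismatch the commit message describes can be reproduced with a small model of the two quota checks. This is an added example, not WebKit code: the web-process side charges the character length of key and value (as the message says WebCore::StorageMap does), the network-process side charges the bytes of the blob written to the database, where an 8-bit string has been upconverted to 16-bit characters. The 5 MB quota, the 1 KB item size, and the assumption that the web-process count is one unit per character are constructed for the example; the exact units WebKit uses are not stated in the commit.

```cpp
#include <cstddef>
#include <string>

// Simplified model (added example, not WebKit code) of the two LocalStorage quota
// checks. The web process charges key.length() + value.length(); the network
// process charges the on-disk blob size, and a Latin-1 string is upconverted to
// UTF-16 before it is bound as a blob, so it costs twice as much there.
constexpr size_t kQuotaBytes = 5 * 1024 * 1024;   // constructed 5 MB quota

struct WebProcessQuota {
    size_t used = 0;
    bool setItem(const std::string& key, const std::string& value) {
        size_t cost = key.size() + value.size();        // one unit per character
        if (used + cost > kQuotaBytes) return false;
        used += cost;
        return true;
    }
};

struct NetworkProcessQuota {
    size_t limitBytes;
    size_t fileSize = 0;
    explicit NetworkProcessQuota(size_t limit) : limitBytes(limit) {}
    bool setItem(const std::string& key, const std::string& value) {
        size_t cost = 2 * (key.size() + value.size());  // UTF-16 blob bytes
        if (fileSize + cost > limitBytes) return false;
        fileSize += cost;
        return true;
    }
};

struct Outcome {
    size_t sentToNetwork;      // requests that passed the web-process check
    size_t acceptedByNetwork;  // ... and also passed the network-process check
    size_t failed;             // ... but were refused by the network process
};

// Drive both checks the way the failing test does: many 1 KB setItem() calls,
// stopping as soon as the web process's own check refuses an item.
Outcome simulateSetItems(size_t itemCount, size_t networkLimitBytes) {
    WebProcessQuota web;
    NetworkProcessQuota network(networkLimitBytes);
    Outcome out{0, 0, 0};
    const std::string value(1024, 'a');   // constructed 1 KB Latin-1 value
    for (size_t i = 0; i < itemCount; ++i) {
        std::string key = "k" + std::to_string(i);
        if (!web.setItem(key, value))
            break;                        // local check fails: request never sent
        ++out.sentToNetwork;
        if (network.setItem(key, value))
            ++out.acceptedByNetwork;
        else
            ++out.failed;                 // each failure makes the network process
                                          // ship every stored item back in the reply
    }
    return out;
}
```

With a 5 MB database limit the model sends 5096 requests and the network process refuses 2548 of them, the "about 5000" and "about 2500" in the commit message; doubling the limit to 10 MB brings the two checks into agreement and no request fails, which is the effect the patch relies on.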
Commit: a70b0bbd3039ee0cc265602b006c770afb40f22f
https://github.com/WebKit/WebKit/commit/a70b0bbd3039ee0cc265602b006c770afb40f22f
Author: Wenson Hsieh <wenson_hsieh at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/platform/mac/DataDetectorHighlight.mm
Log Message:
-----------
Cherry-pick 312ff43f570c. rdar://problem/104723803
Fix a rare crash under data detector highlight painting logic
https://bugs.webkit.org/show_bug.cgi?id=251384
rdar://104723803
Reviewed by Megan Gardner.
Add a null check for the `DDHighlightRef` before attempting to ask for `DDHighlightGetBoundingRect`.
It's not clear how to trigger this crash, so this patch only makes this painting codepath robust
against `m_highlight` being `nil`.
* Source/WebCore/platform/mac/DataDetectorHighlight.mm:
(WebCore::DataDetectorHighlight::paintContents):
Canonical link: https://commits.webkit.org/259599@main
Canonical link: https://commits.webkit.org/259548.6@safari-7615-branch
Commit: 1b17df7c206361fffed2586dc250a1f091af5498
https://github.com/WebKit/WebKit/commit/1b17df7c206361fffed2586dc250a1f091af5498
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/streams/blob-and-then-expected.txt
A LayoutTests/streams/blob-and-then.html
M Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
M Source/WebCore/Modules/streams/ReadableStreamSink.cpp
Log Message:
-----------
Cherry-pick 252432.1018@safari-7614-branch (792c09f18dc7). rdar://103649054
Use-after-free in FetchBodyConsumer::resolve
https://bugs.webkit.org/show_bug.cgi?id=249996
rdar://103649054
Reviewed by Jonathan Bedard and Alex Christensen.
Make sure in FetchBodyConsumer that refed promise/source remain protected.
We also revert part of an unnecessary and wrong change from https://trac.webkit.org/changeset/227760.
This makes sure ReadableStreamToSharedBufferSink callback remains valid until completely executed in close case, as was the case in error case.
We use std::exchange instead of move as it is more semantically correct.
Covered by added test.
* LayoutTests/streams/blob-and-then-expected.txt: Added.
* LayoutTests/streams/blob-and-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp:
(WebCore::FetchBodyConsumer::resolveWithFormData):
(WebCore::FetchBodyConsumer::consumeFormDataAsStream):
(WebCore::FetchBodyConsumer::resolve):
* Source/WebCore/Modules/streams/ReadableStreamSink.cpp:
(WebCore::ReadableStreamToSharedBufferSink::close):
(WebCore::ReadableStreamToSharedBufferSink::error):
Canonical link: https://commits.webkit.org/252432.1018@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.6@safari-7615-branch
Commit: 83422ec49be9a26a887566eb35a449917592fa11
https://github.com/WebKit/WebKit/commit/83422ec49be9a26a887566eb35a449917592fa11
Author: David Li <jingye_li at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt
A LayoutTests/editing/async-clipboard/clipboard-clear.html
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h
Log Message:
-----------
Cherry-pick 252432.1019@safari-7614-branch (1988807a5229). rdar://103307563
[Clipboard] Explicitly call completion on clearing ClipboardItemTypeLoader
rdar://103307563
Reviewed by Jonathan Bedard and Wenson Hsieh.
In m_itemTypeLoaders.clear(), ClipboardItemBindingsDataSource::invokeCompletionHandler() is called after all m_itemTypeLoaders are released
and traverses the itemTypeLoaders after itemTypeLoaders is cleared but before the size is updated, causing nullptr access.
So we should explicitly call completion before itemTypeLoader is released.
* LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt: Added.
* LayoutTests/editing/async-clipboard/clipboard-clear.html: Added.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::clearItemTypeLoaders):
(WebCore::ClipboardItemBindingsDataSource::collectDataForWriting):
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::~ClipboardItemTypeLoader):
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h:
Canonical link: https://commits.webkit.org/252432.1019@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.7@safari-7615-branch
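The FetchBodyConsumer fix (a callback that must stay valid until it has completely executed, with the refed promise/source protected) and the clipboard fix (completion invoked explicitly before the loaders are released, so nothing walks a list that is mid-clear) are two faces of the same teardown hazard: calling out to code that can destroy the object or container you are standing in. The example below is added here and is not WebKit code; all names are made up, std::shared_ptr stands in for WTF's Ref/RefPtr, and each hazard is shown beside the pattern that closes it.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Added example (not WebKit code; names are made up) of the two teardown hazards
// fixed by the FetchBodyConsumer and ClipboardItemBindingsDataSource commits.

// Hazard 1: a sink runs m_callback, and the callback drops the last reference to
// the sink. Holding a protecting reference for the duration, and taking the callable
// out with std::exchange before calling it, keeps both alive until the call returns.
struct Sink : std::enable_shared_from_this<Sink> {
    std::function<void()> m_callback;
    int closedCount = 0;

    int close() {
        if (!m_callback)
            return closedCount;
        auto protectedThis = shared_from_this();            // like Ref protectedThis { *this }
        auto callback = std::exchange(m_callback, nullptr); // callable now lives on this frame
        callback();                                         // may drop the owner's reference
        return ++closedCount;                               // still valid: protectedThis holds us
    }
};

// The owner releases the sink from inside the callback; close() must survive that.
bool runSinkScenario() {
    auto owner = std::make_shared<Sink>();
    Sink* sink = owner.get();
    sink->m_callback = [&owner] { owner.reset(); };
    int closed = sink->close();
    return closed == 1 && owner == nullptr;
}

// Hazard 2: loaders that report completion from their destructor while the owner
// iterates the very list being cleared. Completing each loader explicitly before
// the list is released means no destructor re-enters the owner mid-clear.
struct DataSource;
struct Loader {
    DataSource* owner;
    bool done = false;
    explicit Loader(DataSource* o) : owner(o) {}
    void complete();
    ~Loader() { complete(); }   // fallback path: the behaviour that triggered the bug
};

struct DataSource {
    std::vector<std::unique_ptr<Loader>> m_loaders;
    int completionCalls = 0;

    void addLoaders(size_t count) {
        for (size_t i = 0; i < count; ++i)
            m_loaders.push_back(std::make_unique<Loader>(this));
    }
    // Fires once every loader is done; walks m_loaders, so it needs an intact list.
    void loaderDidFinish() {
        for (auto& loader : m_loaders)
            if (!loader->done)
                return;
        ++completionCalls;
    }
    // Hardened: complete (and thereby report) first, release second.
    void clearLoaders() {
        for (auto& loader : m_loaders)
            loader->complete();
        m_loaders.clear();      // destructors find done == true and stay silent
    }
    ~DataSource() { clearLoaders(); }
};

void Loader::complete() {
    if (done) return;
    done = true;
    owner->loaderDidFinish();
}

// Three loaders torn down: completion reported exactly once, list left empty.
int runLoaderScenario() {
    DataSource source;
    source.addLoaders(3);
    source.clearLoaders();
    return source.m_loaders.empty() ? source.completionCalls : -1;
}
```

The rule both halves follow: before calling anything that may run foreign code, move the state you still need (the callable, the container) out of the object into the current stack frame, and hold a reference that outlives the call; afterwards touch only what the stack frame owns.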
Commit: 5a0f792b008f1f20f03f3020ab94cc18e04e28f4
https://github.com/WebKit/WebKit/commit/5a0f792b008f1f20f03f3020ab94cc18e04e28f4
Author: JC Alvarado <joncarlo at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt
A LayoutTests/fast/backgrounds/background-color-lch-crash.html
M Source/WebCore/platform/graphics/ColorBlending.cpp
Log Message:
-----------
Check color opacity after lossy conversion when blending
https://bugs.webkit.org/show_bug.cgi?id=251158
rdar://104553839
Reviewed by Dean Jackson.
We check opacity to determine if we should forgo blending,
however after performing a lossy conversion we can end
up with alpha values that result in a division by zero.
Add an additional check after conversion to prevent this
case.
* LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt: Added.
* LayoutTests/fast/backgrounds/background-color-lch-crash.html: Added.
* Source/WebCore/platform/graphics/ColorBlending.cpp:
(WebCore::blendSourceOver):
Canonical link: https://commits.webkit.org/259548.8@safari-7615-branch
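The division by zero the commit describes comes from checking visibility in one colour representation and dividing in another. The example below is added here and is not WebKit's ColorBlending.cpp; its layout follows the commit's description rather than the source. A float colour with tiny but non-zero alpha passes an "is it visible?" test in float space, yet quantising it to 8-bit alpha yields 0, and an integer source-over that divides by the combined alpha then divides by zero. The second check, on the alphas after the lossy conversion, is the fix.

```cpp
#include <cmath>
#include <cstdint>

// Added example (not WebKit code) of blending with a post-conversion alpha check.
struct ColorF { float r, g, b, a; };
struct Color8 { uint8_t r, g, b, a; };
struct BlendResult { bool ok; Color8 color; };

static uint8_t quantise(float v) {
    if (v < 0.f) v = 0.f;
    if (v > 1.f) v = 1.f;
    return static_cast<uint8_t>(std::lround(v * 255.f));   // lossy: 0.001 -> 0
}
Color8 toColor8Lossy(ColorF c) {
    return {quantise(c.r), quantise(c.g), quantise(c.b), quantise(c.a)};
}

bool isVisible(ColorF c) { return c.a > 0.f; }
bool isOpaque(ColorF c)  { return c.a >= 1.f; }

// Source-over in 8-bit integer space. ok == false, with a transparent colour, in
// the case the float-space checks cannot catch: both quantised alphas are 0.
BlendResult blendSourceOver(ColorF backdrop, ColorF source) {
    if (!isVisible(backdrop) || isOpaque(source))
        return {true, toColor8Lossy(source)};
    if (!isVisible(source))
        return {true, toColor8Lossy(backdrop)};

    Color8 bd = toColor8Lossy(backdrop);
    Color8 src = toColor8Lossy(source);
    if (!bd.a && !src.a)          // the post-conversion check: d below would be 0
        return {false, Color8{0, 0, 0, 0}};

    // d == 255 * 255 * resultAlpha, where resultAlpha = srcA + bdA * (1 - srcA).
    int d = 255 * (bd.a + src.a) - bd.a * src.a;
    auto channel = [&](int bc, int sc) {
        return static_cast<uint8_t>((bc * bd.a * (255 - src.a) + 255 * src.a * sc) / d);
    };
    return {true, Color8{channel(bd.r, src.r), channel(bd.g, src.g), channel(bd.b, src.b),
                         static_cast<uint8_t>(d / 255)}};
}

// Half-transparent blue over opaque red: the ordinary case.
BlendResult blendHalfBlueOverRed() {
    return blendSourceOver({1.f, 0.f, 0.f, 1.f}, {0.f, 0.f, 1.f, 0.5f});
}
// Two almost-transparent colours: visible in float, alpha 0 after quantising.
BlendResult blendNearlyTransparentPair() {
    return blendSourceOver({1.f, 0.f, 0.f, 0.001f}, {0.f, 0.f, 1.f, 0.001f});
}
```

The general point for any colour pipeline: a visibility or opacity test is only valid in the representation the arithmetic actually runs in; every lossy conversion between the test and the division needs its own guard.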
Commit: 2ca6487cbce8949e446d98c3070fe8f2379a7d60
https://github.com/WebKit/WebKit/commit/2ca6487cbce8949e446d98c3070fe8f2379a7d60
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
A LayoutTests/fast/css/content/quote-display-contents-crash.html
M Source/WebCore/dom/Element.cpp
Log Message:
-----------
Cherry-pick 256843.5@webkit-2022.12-embargoed (312254f5776d). rdar://102807985
Check displayContentsChanged in destroyRenderTreeIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=248776
rdar://102807985
Reviewed by Antti Koivisto.
Check displayContentsChanged in destroyRenderTreeIfNeeded since
display: contents may be removed due to focus removal while
removing subtrees but we still need to clean up pseudo elements.
* LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
* LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
Canonical link: https://commits.webkit.org/256843.5@webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/259548.9@safari-7615-branch
Commit: d0b789c9fd718e237060c07e85bb8864ee98f97c
https://github.com/WebKit/WebKit/commit/d0b789c9fd718e237060c07e85bb8864ee98f97c
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.h
M Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm
M Source/WebKitLegacy/mac/WebView/WebJSPDFDoc.mm
Log Message:
-----------
Cherry-pick 252432.1017@safari-7614-branch (94d37ad7d541). rdar://102740487
WebKit`WebKit::PDFPlugin::jsPDFDocPrint - type confusion
https://bugs.webkit.org/show_bug.cgi?id=249169
rdar://102740487
Reviewed by Tim Horton, Yusuke Suzuki and Jonathan Bedard.
When JavaScript is embedded inside a PDF and it invokes the `print()` function,
the `thisObject` parameter in `PDFPlugin::jsPDFDocPrint` is not guaranteed
to be the proper type. Currently, we erroneously assume it always is the proper
type, and cast it to `PDFPlugin *`, which results in an object with garbage values.
This PR protects against this by first checking if the `thisObject` is the correct
JavaScript object type, before trying to cast it.
* Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.h:
* Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm:
(WebKit::PDFPlugin::jsPDFDocClass):
(WebKit::PDFPlugin::jsPDFDocPrint):
(WebKit::PDFPlugin::makeJSPDFDoc):
Canonical link: https://commits.webkit.org/252432.1017@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.10@safari-7615-branch
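The hazard is the standard one for native callbacks exposed to script: the `this` value is whatever the script chose to pass (`doc.print.call({})`), so private data can only be read after the object's class has been verified. The example below is added here and is not WebKit code. The JavaScriptCore C API pairs JSObjectGetPrivate() with JSValueIsObjectOfClass(); the tiny JSObject/JSClass model here, and the names jsDocClass, getPrivate and isObjectOfClass, are made up so the example runs offline, and the unchecked callback is shown beside the checked one.

```cpp
#include <cstdint>

// Added example (not WebKit code) of a script-callable print() that must not trust
// its `this` object. The object model stands in for the JavaScriptCore C API.
struct JSClass { const char* name; };
struct JSObject { const JSClass* jsClass; void* privateData; };

struct PDFPlugin {                       // what a genuine "doc" object points at
    uint32_t magic = 0x50444631;         // constructed tag so garbage is detectable
    int printCount = 0;
};
struct Unrelated { uint32_t magic = 0; };   // private data of some other object

const JSClass* jsDocClass() { static JSClass c{"Doc"};   return &c; }
const JSClass* otherClass() { static JSClass c{"Other"}; return &c; }

// Stand-ins for JSValueIsObjectOfClass() and JSObjectGetPrivate().
bool isObjectOfClass(const JSObject* o, const JSClass* c) { return o && o->jsClass == c; }
void* getPrivate(const JSObject* o) { return o->privateData; }

// Vulnerable shape: trusts thisObject to carry a PDFPlugin. Handed any other object
// it reinterprets foreign memory as a PDFPlugin; -1 here means the tag did not match.
int jsPDFDocPrintUnchecked(JSObject* thisObject) {
    auto* plugin = static_cast<PDFPlugin*>(getPrivate(thisObject));
    return plugin->magic == 0x50444631 ? ++plugin->printCount : -1;
}

// Hardened shape: verify the class before the cast, and do nothing otherwise
// (the equivalent of returning JSValueMakeUndefined()).
int jsPDFDocPrint(JSObject* thisObject) {
    if (!isObjectOfClass(thisObject, jsDocClass()))
        return 0;
    auto* plugin = static_cast<PDFPlugin*>(getPrivate(thisObject));
    return ++plugin->printCount;
}

struct Scenario { int legit; int foreignChecked; int foreignUnchecked; int nullChecked; };

// A genuine doc object and a foreign object passed as `this` by hostile script.
Scenario runPrintScenario() {
    PDFPlugin plugin;
    Unrelated foreign;
    JSObject doc{jsDocClass(), &plugin};
    JSObject other{otherClass(), &foreign};
    return {jsPDFDocPrint(&doc), jsPDFDocPrint(&other),
            jsPDFDocPrintUnchecked(&other), jsPDFDocPrint(nullptr)};
}
```

In the model the foreign object happens to carry a zero where the tag should be, so the unchecked path only returns -1; in a real engine the same cast yields a pointer into an object of the attacker's choosing, which is the type confusion the commit title names.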
Commit: d98b4a43ecd47e273238216eafa2c5254580acf2
https://github.com/WebKit/WebKit/commit/d98b4a43ecd47e273238216eafa2c5254580acf2
Author: Per Arne Vollan <pvollan at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in
Log Message:
-----------
Cherry-pick c070affcd03f. rdar://problem/104604967
[macOS] Modify Audio related sandbox rule
https://bugs.webkit.org/show_bug.cgi?id=251163
rdar://104604967
Reviewed by Brent Fulgham.
Modify Audio related sandbox rule in the GPU process on macOS to allow reading subpaths of Audio directory.
* Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in:
Canonical link: https://commits.webkit.org/259643@main
Canonical link: https://commits.webkit.org/259548.12@safari-7615-branch
Commit: 099b24dd9eb3f1a2fb67968629db80e6484ab41d
https://github.com/WebKit/WebKit/commit/099b24dd9eb3f1a2fb67968629db80e6484ab41d
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 252432.1023@safari-7614-branch (55c2b9caae92). rdar://101222657
[CoreIPC] Integer overflow in UIProcess from scaling/zoom factors
https://bugs.webkit.org/show_bug.cgi?id=250408
rdar://101222657
Reviewed by Wenson Hsieh and Jonathan Bedard.
Adds bounds checking via `MESSAGE_CHECK` to the page/plugin scale/zoom `factorDidChange`
methods in `WebPageProxy` to ensure that overflow will not occur in the web process.
The bounds were chosen to be `(0, 100]` because a factor of `<= 0.0` does not make sense,
and `100.0` is a reasonable upper bound.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::pageScaleFactorDidChange):
(WebKit::WebPageProxy::pluginScaleFactorDidChange):
(WebKit::WebPageProxy::pluginZoomFactorDidChange):
Canonical link: https://commits.webkit.org/252432.1023@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.12@safari-7615-branch
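The check is small, but a factor that crosses a process boundary deserves the same treatment as any other untrusted input. The example below is added here and is not WebKit's MESSAGE_CHECK; it shows the (0, 100] bound the commit describes, why NaN and infinity are rejected by it without a separate test, and what the bound buys downstream: a double that is out of range for int cannot be converted safely, so bounding the factor is what makes the later scaling arithmetic well defined. PageProxy, scaledLength and acceptedCount are made-up names.

```cpp
#include <climits>
#include <cmath>
#include <initializer_list>
#include <optional>

// Added example (not WebKit code) of bounding a scale factor received over IPC.
constexpr double kMaxFactor = 100.0;

bool isValidFactor(double factor) {
    // Every comparison with NaN is false, so NaN fails `factor > 0.0` without a
    // separate std::isnan() test; +infinity fails the upper bound.
    return factor > 0.0 && factor <= kMaxFactor;
}

struct PageProxy {
    double pageScaleFactor = 1.0;
    int rejectedMessages = 0;
    // Message handler. Returns false and leaves state untouched on a bad value;
    // a real MESSAGE_CHECK would also terminate the sending process.
    bool pageScaleFactorDidChange(double factor) {
        if (!isValidFactor(factor)) {
            ++rejectedMessages;
            return false;
        }
        pageScaleFactor = factor;
        return true;
    }
};

// Why the bound matters: converting a double outside int's range to int is
// undefined behaviour. With a validated factor the product is checked against
// INT_MAX before the conversion, so a scaled layout size never overflows.
std::optional<int> scaledLength(int length, double factor) {
    if (!isValidFactor(factor) || length < 0)
        return std::nullopt;
    double product = static_cast<double>(length) * factor;
    if (product > static_cast<double>(INT_MAX))
        return std::nullopt;
    return static_cast<int>(product);
}

// Feed a batch of factors as a hostile sender might and count the survivors.
int acceptedCount(std::initializer_list<double> factors) {
    PageProxy proxy;
    int accepted = 0;
    for (double factor : factors)
        if (proxy.pageScaleFactorDidChange(factor))
            ++accepted;
    return accepted;
}
```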
Commit: f322e936fb840d8242edb89a6bbef6fa0509c44c
https://github.com/WebKit/WebKit/commit/f322e936fb840d8242edb89a6bbef6fa0509c44c
Author: Aditya Keerthi <akeerthi at apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)
Changed paths:
M Source/WebCore/Modules/contact-picker/ContactsManager.cpp
M Source/WebCore/Modules/contact-picker/ContactsManager.h
Log Message:
-----------
Cherry-pick 252432.1024@safari-7614-branch (2ea437d75522). rdar://101241436
Use-after-free in ContactsManager::select
https://bugs.webkit.org/show_bug.cgi?id=250351
rdar://101241436
Reviewed by Wenson Hsieh and Jonathan Bedard.
`ContactsManager` can be destroyed prior to receiving the user's selection, which
is performed asynchronously. Deploy `WeakPtr` to avoid a use-after-free in this
scenario.
A test was unable to be added, as the failure scenario involves opening a new
Window, using the new Window object's `navigator.contacts`, and performing user
interaction. Creating a new Window results in the creation of a new web view,
however all of our existing UIScriptController hooks only apply to the original
(main) web view. Consequently, it is not possible to use our testing
infrastructure to dismiss the contact picker and trigger the callback in the
failure scenario.
* Source/WebCore/Modules/contact-picker/ContactsManager.cpp:
(WebCore::ContactsManager::select):
* Source/WebCore/Modules/contact-picker/ContactsManager.h:
Canonical link: https://commits.webkit.org/252432.1024@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.13@safari-7615-branch
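The shape of the ContactsManager bug is the usual one for any asynchronous UI prompt: the object that asked the question can be gone by the time the answer arrives. The example below is added here and is not WebKit code. std::weak_ptr stands in for WTF::WeakPtr, and ContactsChrome is a made-up stand-in for the UI layer that shows the picker and calls back later; both scenarios the commit message contrasts are driven to completion.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Added example (not WebKit code) of the WeakPtr capture for an async selection.
struct ContactsChrome {
    std::vector<std::function<bool(int)>> pending;
    void showContactPicker(std::function<bool(int)> completion) {
        pending.push_back(std::move(completion));
    }
    // The user picks an entry; returns how many callbacks still had a live receiver.
    int userPicked(int choice) {
        auto callbacks = std::exchange(pending, {});
        int delivered = 0;
        for (auto& callback : callbacks)
            if (callback(choice))
                ++delivered;
        return delivered;
    }
};

struct ContactsManager : std::enable_shared_from_this<ContactsManager> {
    int selected = -1;
    void select(ContactsChrome& chrome) {
        // Capture a weak reference only. The window owning this manager may be
        // closed before the picker is dismissed; a raw `this` capture would be a
        // dangling pointer by the time the completion runs.
        chrome.showContactPicker([weakThis = weak_from_this()](int choice) {
            auto self = weakThis.lock();
            if (!self)
                return false;          // manager already gone: drop the result
            self->selected = choice;
            return true;
        });
    }
};

// Scenario A: the manager outlives the picker; the choice lands in `selected`.
int selectThenAnswer(int choice) {
    ContactsChrome chrome;
    auto manager = std::make_shared<ContactsManager>();
    manager->select(chrome);
    chrome.userPicked(choice);
    return manager->selected;
}

// Scenario B: the manager is destroyed (window closed) before the user answers.
// The queued completion notices and does nothing rather than touching freed memory.
int destroyThenAnswer(int choice) {
    ContactsChrome chrome;
    auto manager = std::make_shared<ContactsManager>();
    manager->select(chrome);
    manager.reset();                   // last strong reference dropped
    return chrome.userPicked(choice);  // no callback finds a live receiver
}
```

The lock-then-check at the top of the completion is the whole fix; it also explains why the commit could not add a layout test, since exercising it needs the second window's manager to be torn down while a picker shown for it is still open.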
Compare: https://github.com/WebKit/WebKit/compare/60635d719037%5E...f322e936fb84