[webkit-changes] [WebKit/WebKit] ae98f7: Cherry-pick 259548.678 at safari-7615-branch (7c662f5...

Brady Eidson noreply at github.com
Fri Jul 28 08:47:24 PDT 2023


  Branch: refs/heads/webkitglib/2.40
  Home:   https://github.com/WebKit/WebKit
  Commit: ae98f7b3181b76c6ca9917814709899abbc9eba1
      https://github.com/WebKit/WebKit/commit/ae98f7b3181b76c6ca9917814709899abbc9eba1
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
    A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Cherry-pick 259548.678 at safari-7615-branch (7c662f5b36e3). https://bugs.webkit.org/show_bug.cgi?id=255552.

    Renderinline::offsetForInFlowPositionedInline causes a null-deref of a laybox on repaint.
    https://bugs.webkit.org/show_bug.cgi?id=255552.
    rdar://107952390.

    Reviewed by Alan Baradlay.

    Line layout codepath invalidation is triggered by JS which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations and which calls offsetForInFlowPositionedInline in case of inline boxes. This tries to access the lineBoxes assocaited with the renderers but they invalidated by previous repaints. This leads to null deref of the lineboxes.

    * LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added.
    * LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added.
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::isLineLayoutPresent const):
    * Source/WebCore/rendering/RenderBlockFlow.h:
    * Source/WebCore/rendering/RenderInline.cpp:
    (WebCore::RenderInline::offsetForInFlowPositionedInline const):

    Canonical link: https://commits.webkit.org/259548.678@safari-7615-branch


  Commit: a0610381408a875a2edc1127f61c8b9ae90e0074
      https://github.com/WebKit/WebKit/commit/a0610381408a875a2edc1127f61c8b9ae90e0074
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/regress-255806.js
    M Source/JavaScriptCore/runtime/StringPrototype.cpp

  Log Message:
  -----------
  Cherry-pick 259548.689 at safari-7615-branch (a75d564e8c5f). https://bugs.webkit.org/show_bug.cgi?id=255806

    jsc_fuzz: ASSERTION FAILED: !is8Bit() || isEmpty() in stringProtoFuncToWellFormed()
    https://bugs.webkit.org/show_bug.cgi?id=255806
    <rdar://108256807>

    Reviewed by Yusuke Suzuki.

    It's necessary to resolve a rope to determine if a string is 8-bit: JSRopeString's is8BitInPointer merely
    implies it can be represented as 8-bit, but after the rope is resolved, it can become a 16-bit string.

    * JSTests/stress/regress-255806.js: Added.
    * Source/JavaScriptCore/runtime/StringPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):

    Canonical link: https://commits.webkit.org/259548.689@safari-7615-branch


  Commit: 0fe701393004d6f0e1df461645985de53d313477
      https://github.com/WebKit/WebKit/commit/0fe701393004d6f0e1df461645985de53d313477
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/marked-buffer-fill-should-be-gc-aware.js
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/runtime/ArgList.h

  Log Message:
  -----------
  Cherry-pick 259548.690 at safari-7615-branch (b05050e0cc00). https://bugs.webkit.org/show_bug.cgi?id=255951

    [JSC] MarkedVector::fill should register itself as a root
    https://bugs.webkit.org/show_bug.cgi?id=255951
    rdar://108261913

    Reviewed by Alexey Shvayka and Justin Michaud.

    1. MarkedVector::fill is not registering itself as a strong root of GC. This patch fixes it with m_markSet->add.
    2. Initialize buffer with empty value in MarkedVector::fill. This buffer can be scanned via GC when GC is invoked from
       a passed lambda.

    * JSTests/stress/marked-buffer-fill-should-be-gc-aware.js: Added.
    (foo):
    * Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::handleVarargsCheckpoint):
    * Source/JavaScriptCore/runtime/ArgList.h:
    (JSC::MarkedVector::fill):

    Canonical link: https://commits.webkit.org/259548.690@safari-7615-branch


  Commit: e5958f914416c14e02ff967a16257409315944e9
      https://github.com/WebKit/WebKit/commit/e5958f914416c14e02ff967a16257409315944e9
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/animation/KeyframeEffect.cpp
    M Source/WebCore/platform/graphics/transforms/IdentityTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/Matrix3DTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/MatrixTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/PerspectiveTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/SkewTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/SkewTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Cherry-pick 259548.723 at safari-7615-branch (9e8e582627a8). https://bugs.webkit.org/show_bug.cgi?id=255629

    TransformOperation subclasses should verify deserialized type
    https://bugs.webkit.org/show_bug.cgi?id=255629
    rdar://108161092

    Reviewed by David Kilzer.

    The type needs to line up with the same types used by the is, downcast, and dynamicDowncast functions.

    * Source/WebCore/animation/KeyframeEffect.cpp:
    (WebCore::KeyframeEffect::computedNeedsForcedLayout):
    * Source/WebCore/platform/graphics/transforms/IdentityTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/Matrix3DTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/MatrixTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/PerspectiveTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp:
    (WebCore::RotateTransformOperation::RotateTransformOperation):
    * Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.cpp:
    (WebCore::ScaleTransformOperation::ScaleTransformOperation):
    * Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/SkewTransformOperation.cpp:
    (WebCore::SkewTransformOperation::SkewTransformOperation):
    * Source/WebCore/platform/graphics/transforms/SkewTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/TransformOperation.h:
    (WebCore::TransformOperation::isRotateTransformOperationType):
    (WebCore::TransformOperation::isScaleTransformOperationType):
    (WebCore::TransformOperation::isSkewTransformOperationType):
    (WebCore::TransformOperation::isTranslateTransformOperationType):
    (WebCore::TransformOperation::isRotateTransformOperationType const): Deleted.
    (WebCore::TransformOperation::isScaleTransformOperationType const): Deleted.
    (WebCore::TransformOperation::isSkewTransformOperationType const): Deleted.
    (WebCore::TransformOperation::isTranslateTransformOperationType const): Deleted.
    * Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp:
    (WebCore::TranslateTransformOperation::TranslateTransformOperation):
    * Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:
    * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

    Canonical link: https://commits.webkit.org/259548.723@safari-7615-branch


  Commit: 1b50a3df73d21bef150af61c2810002df3bc141e
      https://github.com/WebKit/WebKit/commit/1b50a3df73d21bef150af61c2810002df3bc141e
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html
    M Source/WebCore/style/StyleBuilderCustom.h

  Log Message:
  -----------
  Cherry-pick 259548.730 at safari-7615-branch (c123784dc828). https://bugs.webkit.org/show_bug.cgi?id=255955.

    Fix type confusion in BuilderConverter::applyValueContent.
    https://bugs.webkit.org/show_bug.cgi?id=255955.
    rdar://108499561.

    Reviewed by Antti Koivisto.

    This change fixes applyValueContent so that it can deal with single
    values instead of expecting a list of values towards the end.

    * LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt: Added.
    * LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html: Added.
    * Source/WebCore/style/StyleBuilderCustom.h:
      (WebCore::Style::BuilderCustom::applyValueContent):

    Canonical link: https://commits.webkit.org/259548.730@safari-7615-branch


  Commit: 2a8268d01eb0085e7efd3e0ca27aa6c30d452a86
      https://github.com/WebKit/WebKit/commit/2a8268d01eb0085e7efd3e0ca27aa6c30d452a86
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt
    A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html
    M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  -----------
  Cherry-pick 259548.746 at safari-7615-branch (1b98f8905ce2). https://bugs.webkit.org/show_bug.cgi?id=256055.

    Fix type confusion in StyleBuilder::ConvertGridTrackSizeList.
    https://bugs.webkit.org/show_bug.cgi?id=256055.
    rdar://108501981.

    Reviewed by Antti Koivisto.

    This change fixes convertGridTrackSizeList so that it can deal with single
    values instead of expecting a list of values towards the end.

    * LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt: Added.
    * LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html: Added.
    * Source/WebCore/style/StyleBuilderConverter.h:
    (WebCore::Style::BuilderConverter::convertGridTrackSizeList):

    Canonical link: https://commits.webkit.org/259548.746@safari-7615-branch


  Commit: 8c362780c39314228531777335d72cf16b065465
      https://github.com/WebKit/WebKit/commit/8c362780c39314228531777335d72cf16b065465
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/page/DOMWindow.h

  Log Message:
  -----------
  Cherry-pick 259548.729 at safari-7615-branch (5cc2ead4986a). https://bugs.webkit.org/show_bug.cgi?id=256205.

    Handle potential overflow of gamepadEventListenerCount.
    https://bugs.webkit.org/show_bug.cgi?id=256205.
    rdar://80838189.

    Reviewed by Ryosuke Niwa.

    m_gamepadEventListenerCount can overflow if addEventListener() is called UINT_MAX+1 times.
    Once the window is freed, we will be left with a dangling pointer in the GamepadManager.
    This change adds a flag to check for overflow and keep the behavior same in the event of overflow..

    * Source/WebCore/page/DOMWindow.cpp:
    (WebCore::DOMWindow::~DOMWindow):
    (WebCore::DOMWindow::incrementGamepadEventListenerCount):
    (WebCore::DOMWindow::decrementGamepadEventListenerCount):
    * Source/WebCore/page/DOMWindow.h:

    Canonical link: https://commits.webkit.org/259548.729@safari-7615-branch


  Commit: 818c5df196cc3257598e8799acc698fa3cb4f1d9
      https://github.com/WebKit/WebKit/commit/818c5df196cc3257598e8799acc698fa3cb4f1d9
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebKit/Platform/IPC/Connection.cpp
    M Source/WebKit/Scripts/webkit/model.py
    M Source/WebKit/Scripts/webkit/tests/MessageNames.cpp
    M Source/WebKit/Scripts/webkit/tests/MessageNames.h
    M Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp

  Log Message:
  -----------
  Cherry-pick 259548.751 at safari-7615-branch (9fc652968e3c). https://bugs.webkit.org/show_bug.cgi?id=256373

    Drop MessageName::Terminate IPC message
    https://bugs.webkit.org/show_bug.cgi?id=256373
    rdar://108899132

    Reviewed by Sihui Liu.

    Drop MessageName::Terminate IPC message as it could easily be abused by a
    compromised WebProcess to kill the UIProcess.

    It was temporarily introduced in 243810 at main to investigate NetworkProcess
    hangs we were seeing and should no longer be needed. This reverts 243810 at main.

    * Source/WebKit/Platform/IPC/Connection.cpp:
    (IPC::Connection::processIncomingMessage):
    (IPC::terminateDueToIPCTerminateMessage): Deleted.
    * Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
    (WebKit::NetworkProcessProxy::didBecomeUnresponsive):
    (WebKit::shouldTerminateNetworkProcessBySendingMessage): Deleted.

    Canonical link: https://commits.webkit.org/259548.751@safari-7615-branch


  Commit: 13db18fbb54ae73f4399a2c4addfac94f7bd7e95
      https://github.com/WebKit/WebKit/commit/13db18fbb54ae73f4399a2c4addfac94f7bd7e95
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M LayoutTests/fast/files/null-origin-string-expected.txt
    M LayoutTests/fast/files/null-origin-string.html
    A LayoutTests/http/tests/security/block-top-level-navigation-to-different-scheme-by-third-party-iframes-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigation-to-different-scheme-by-third-party-iframes.html
    A LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes.html
    A LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-different-scheme.html
    A LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-redirect.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Document.h
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/NavigationRequester.cpp
    M Source/WebCore/loader/NavigationRequester.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Cherry-pick 259548.752 at safari-7615-branch (a0fa94d1a572). https://bugs.webkit.org/show_bug.cgi?id=256549

    Restrict further top-frame navigations by a third-party iframe
    https://bugs.webkit.org/show_bug.cgi?id=256549
    rdar://108794051

    Reviewed by Geoffrey Garen.

    Restrict further top-frame navigations by a third-party iframe:
    - Block navigations to a different scheme
    - Block navigations that start off same-site but redirect to a different site

    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
    * Source/WebCore/dom/Document.h:
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::willSendRequest):
    * Source/WebCore/loader/NavigationRequester.cpp:
    (WebCore::NavigationRequester::from):
    * Source/WebCore/loader/NavigationRequester.h:
    (WebCore::NavigationRequester::encode const):
    (WebCore::NavigationRequester::decode):

    Canonical link: https://commits.webkit.org/259548.752@safari-7615-branch


  Commit: 0e104f71f859197cf31a12ac0b4fad835d4bd3db
      https://github.com/WebKit/WebKit/commit/0e104f71f859197cf31a12ac0b4fad835d4bd3db
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/regress-109134454.js
    M Source/JavaScriptCore/b3/B3ReduceStrength.cpp

  Log Message:
  -----------
  Cherry-pick 259548.761 at safari-7615-branch (776066945bf4). https://bugs.webkit.org/show_bug.cgi?id=256573

    [JSC] Fix IntRange speculation for zExt32
    https://bugs.webkit.org/show_bug.cgi?id=256573
    rdar://109134454

    Reviewed by Yusuke Suzuki.

    Previously, the IntRange speculation in B3ReduceStrength for node
    zExt32 is wrong. This patch fixes this issue.

    * JSTests/stress/regress-109134454.js: Added.
    * Source/JavaScriptCore/b3/B3ReduceStrength.cpp:

    Canonical link: https://commits.webkit.org/259548.761@safari-7615-branch


  Commit: b0f4f94839df47f872a0991b8ab46ba66543e223
      https://github.com/WebKit/WebKit/commit/b0f4f94839df47f872a0991b8ab46ba66543e223
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/wasm/stress/throw-multiple-values.js
    A JSTests/wasm/stress/throw-with-live-value-on-stack.js
    M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp

  Log Message:
  -----------
  Cherry-pick 259548.762 at safari-7615-branch (7fb3ced7874a). https://bugs.webkit.org/show_bug.cgi?id=256818

    Parameters to throw alias with stack elements in WASM LLInt
    https://bugs.webkit.org/show_bug.cgi?id=256818
    rdar://108036137

    Reviewed by Yusuke Suzuki.

    Correctly computes stack offsets when materializing the operands of
    a wasm_throw instruction in the WasmLLIntGenerator by counting relative
    to the stack height before the operands were popped as opposed to after.

    * JSTests/wasm/stress/throw-multiple-values.js: Added.
    (async test):
    * JSTests/wasm/stress/throw-with-live-value-on-stack.js: Added.
    (async test):
    * Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
    (JSC::Wasm::LLIntGenerator::addThrow):

    Canonical link: https://commits.webkit.org/259548.762@safari-7615-branch


  Commit: ec83f7580fdcc4a4ad7c1597053adc78dd0a922b
      https://github.com/WebKit/WebKit/commit/ec83f7580fdcc4a4ad7c1597053adc78dd0a922b
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/loader/DocumentLoader.cpp

  Log Message:
  -----------
  Cherry-pick 259548.773 at safari-7615-branch (3d72c3255b5f). https://bugs.webkit.org/show_bug.cgi?id=257161

    Follow-up to 259548.752 at safari-7615-branch to cancel navigations instead of blocking them
    https://bugs.webkit.org/show_bug.cgi?id=257161
    rdar://108794051

    Reviewed by Alex Christensen.

    259548.752 at safari-7615-branch added further restrictions to prevent top-frame navigations
    by third-party iframes, in particular using redirects. I had decided to block the redirect
    with a blockedError(). However, it turns out that Safari shows an error page when doing
    so, which results in a bad user experience since the top frame is still being navigated
    (to an error page).

    To address the issue, I am now cancelling the redirect instead and returning a
    cancelledError(). I have verified that Safari doesn't show an error page in this case and
    that the top frame is not getting navigated.

    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::willSendRequest):

    Canonical link: https://commits.webkit.org/259548.773@safari-7615-branch


  Commit: 42bc82e63347c5c777dc201d955b7a747cb3cfff
      https://github.com/WebKit/WebKit/commit/42bc82e63347c5c777dc201d955b7a747cb3cfff
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
    M Source/JavaScriptCore/runtime/ClassInfo.h
    M Source/JavaScriptCore/runtime/PropertySlot.h
    M Source/JavaScriptCore/runtime/Structure.cpp
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

  Log Message:
  -----------
  Cherry-pick 259548.775 at safari-7615-branch (ffe32d106cb2). https://bugs.webkit.org/show_bug.cgi?id=255952

    [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take non-reified static properties into account
    https://bugs.webkit.org/show_bug.cgi?id=255952
    <rdar://108334411>

    Reviewed by Yusuke Suzuki.

    Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the
    structure's non-reified static properties against the condition. This can lead to incorrect analysis
    of side effects: AbsenceOfSetEffect condition with a non-reified static setter is considered pure
    even though a setter with arbitrary code can be invoked.

    This patch fixes AbsenceOfSetEffect validity check for structures with non-reified static properties
    while takes extra care to make the fix as precise as possible to avoid unnecessary slowdowns.

    * LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
    * LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
    * Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
    (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
    * Source/JavaScriptCore/runtime/ClassInfo.h:
    * Source/JavaScriptCore/runtime/PropertySlot.h:
    * Source/JavaScriptCore/runtime/Structure.cpp:
    (JSC::ClassInfo::hasStaticReadOnlyOrGetterSetterProperty const):
    * Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:

    Canonical link: https://commits.webkit.org/259548.775@safari-7615-branch


  Commit: ef65ba56c109cb54c24ed6da30a39ef230b1acf7
      https://github.com/WebKit/WebKit/commit/ef65ba56c109cb54c24ed6da30a39ef230b1acf7
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/regress-109102631.js
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Cherry-pick 259548.763 at safari-7615-branch (62d974e46170). https://bugs.webkit.org/show_bug.cgi?id=256865

    [JSC] GetTypedArrayByteOffset should do speculation check for all bits in DFG
    https://bugs.webkit.org/show_bug.cgi?id=256865
    rdar://109428505

    Reviewed by Yusuke Suzuki.

    DFG abstract interpreter speculates that GetTypedArrayByteOffset node
    should have int32 result. However, when compiling GetTypedArrayByteOffset
    we only do speculation check on lower bits of the result, which is wrong.
    This patch fixes this problem.

    * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

    Canonical link: https://commits.webkit.org/259548.763@safari-7615-branch


  Commit: d784299e55fa84c267ca35ed257ef08a500571f7
      https://github.com/WebKit/WebKit/commit/d784299e55fa84c267ca35ed257ef08a500571f7
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js
    M JSTests/stress/ordinary-set-exceptions.js
    M Source/JavaScriptCore/runtime/JSObject.cpp

  Log Message:
  -----------
  Cherry-pick 259548.774 at safari-7615-branch (23e9761b5751). https://bugs.webkit.org/show_bug.cgi?id=257164

    [JSC] putByValWithThis shouldn't bypass definePropertyOnReceiverSlow
    https://bugs.webkit.org/show_bug.cgi?id=257164
    <rdar://108759737>

    Reviewed by Yusuke Suzuki.

    The OrdinarySet revamp in https://webkit.org/b/217916 assumed that there are only 2 cases to take the slow path
    for altered receivers: overriden [[Set]] in prototype chain and Reflect.set(). I thought that it's unobservable
    to take the fast path otherwise since overriden methods were already called.

    However, the third case was missed: put_by_val_with_this bytecode op, which is emitted for setting a property
    on `super` base, and with https://webkit.org/b/252602, for ProxyObjectStore IC when the trap is missing.

    Among other minor web compatibility bugs, missing that case caused properties to be put right on ProxyObject's
    structure, where they are unaccessible, skipping calls to "set" and "defineProperty" traps.

    This change relaxes the condition for taking the definePropertyOnReceiverSlow() while ensuring all common
    [[Set]] targets like JSArray or `class X extends Y {}` are just as fast.

    * JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js: Added.
    * Source/JavaScriptCore/runtime/JSObject.cpp:
    (JSC::canDefinePropertyOnReceiverFast):
    (JSC::JSObject::definePropertyOnReceiver):

    Canonical link: https://commits.webkit.org/259548.774@safari-7615-branch


  Commit: fff78f2470f4e688798baa4c3133698963b3a4f3
      https://github.com/WebKit/WebKit/commit/fff78f2470f4e688798baa4c3133698963b3a4f3
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M JSTests/stress/regress-109102631.js

  Log Message:
  -----------
  Cherry-pick 259548.776 at safari-7615-branch (7849e30e34aa). https://bugs.webkit.org/show_bug.cgi?id=257215

    [JSC] Skip memory limited systems for test case allocating large size array
    https://bugs.webkit.org/show_bug.cgi?id=257215
    rdar://109729172

    Reviewed by Yusuke Suzuki.

    * JSTests/stress/regress-109102631.js:

    Canonical link: https://commits.webkit.org/259548.776@safari-7615-branch


  Commit: 920a6190c80740deae08cfe24e0c37eabb7cf9da
      https://github.com/WebKit/WebKit/commit/920a6190c80740deae08cfe24e0c37eabb7cf9da
  Author: Patrick Angle <pangle at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/JavaScriptCore/inspector/ScriptCallStack.cpp
    M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp

  Log Message:
  -----------
  Cherry-pick 259548.777 at safari-7615-branch (e74d4b07ad38). https://bugs.webkit.org/show_bug.cgi?id=256932

    Web Inspector: Deeply nested console logging can cause ConsoleMessage to be destroyed while we are still trying to log it
    https://bugs.webkit.org/show_bug.cgi?id=256932
    rdar://108063640

    Reviewed by Mark Lam.

    InspectorConsoleAgent has been incorrectly managing the lifetime of each ConsoleMessage by moving messages into a vector
    of messages before we have passed those messages on to the frontend. This means that a console message that causes
    another console message to be logged may eventually cause our original message to be dropped from the vector if this
    occurs deeply enough. At that point, when we unwind back to the original message, it has been destroyed while we are
    trying to send it to the frontend, which results in a bad time because we are still inside a function on the
    ConsoleMessage that tries to access its own member variables like m_arguments, and fails because the message object
    itself has been destroyed, taking its members with it.

    This also fixes a subtle message inversion in the backlog of messages and what is logged to the console when Web
    Inspector is open, since the message is sent to the frontend after all other processing, but we were previously adding
    the message to the vector of past messages before that processing (which may in turn cause more logging before the
    actual logging we called in to perform) to occur.

    A second minor issue is that ScriptCallStack is incorrectly asserting in its constructor, which preventing investigation
    of this issue initially. The call stack should be less than __or equal to__ the max call stack, not just less than.

    * Source/JavaScriptCore/inspector/ConsoleMessage.cpp:
    (Inspector::ConsoleMessage::addToFrontend):
    * Source/JavaScriptCore/inspector/InjectedScript.cpp:
    (Inspector::InjectedScript::wrapObject const):
    (Inspector::InjectedScript::wrapTable const):
    * Source/JavaScriptCore/inspector/ScriptCallStack.cpp:
    (Inspector::ScriptCallStack::ScriptCallStack):
    * Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
    (Inspector::InspectorConsoleAgent::addConsoleMessage):
    * Source/WebCore/page/PageConsoleClient.cpp:
    (WebCore::PageConsoleClient::messageWithTypeAndLevel):

    Canonical link: https://commits.webkit.org/259548.777@safari-7615-branch


  Commit: 58983074a9c84dfb0b3f6c4aab6c6de07648c6ae
      https://github.com/WebKit/WebKit/commit/58983074a9c84dfb0b3f6c4aab6c6de07648c6ae
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/resizable-array-buffer-copy-within-length-update.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

  Log Message:
  -----------
  Cherry-pick 259548.785 at safari-7615-branch (f2a2820d312c). https://bugs.webkit.org/show_bug.cgi?id=257387

    [JSC] Recompute length properly when resize happens during TypedArray#copyWithin
    https://bugs.webkit.org/show_bug.cgi?id=257387
    rdar://109851495

    Reviewed by Mark Lam.

    copyWithin's side effectful operation can resize resizable ArrayBuffer. We have a code catching this and recompute the appropriate copy count
    again, but it can overflow if `to` or `from` are larger than the newly updated `length`. This patch handles this case correctly: returning
    since there is no copying content in this case.

    * JSTests/stress/resizable-array-buffer-copy-within-length-update.js: Added.
    (call_back):
    * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
    (JSC::genericTypedArrayViewProtoFuncCopyWithin):

    Canonical link: https://commits.webkit.org/259548.785@safari-7615-branch


  Commit: 83d9025caca38091a9ba7f6978689d275960c5ab
      https://github.com/WebKit/WebKit/commit/83d9025caca38091a9ba7f6978689d275960c5ab
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/html/CanvasBase.h
    M Source/WebCore/html/HTMLCanvasElement.h
    M Source/WebCore/html/OffscreenCanvas.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/rendering/style/StyleCanvasImage.cpp

  Log Message:
  -----------
  Cherry-pick 259548.787 at safari-7615-branch (88ed3825fa4e). https://bugs.webkit.org/show_bug.cgi?id=257234

    Ensure CanvasBase remains alive while in use
    https://bugs.webkit.org/show_bug.cgi?id=257234
    rdar://109540621

    Reviewed by Chris Dumez.

    A HTMLCanvasElement could be destroyed when it calls CanvasBase::setImageBuffer
    because that call could trigger a GC. We've seen crashes originating from
    HTMLCanvasElement::setImageBufferAndMarkDirty, but this patch adds protection
    around other setImageBuffer call sites, as well.

    * Source/WebCore/html/CanvasBase.h:
    (WebCore::CanvasBase::ref):
    (WebCore::CanvasBase::deref):
    * Source/WebCore/html/HTMLCanvasElement.h:
    * Source/WebCore/html/OffscreenCanvas.cpp:
    (WebCore::OffscreenCanvas::create):
    (WebCore::OffscreenCanvas::setPlaceholderCanvas):
    (WebCore::OffscreenCanvas::pushBufferToPlaceholder):
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
    (WebCore::CanvasRenderingContext2DBase::drawImage):
    * Source/WebCore/rendering/style/StyleCanvasImage.cpp:
    (WebCore::StyleCanvasImage::image const):

    Canonical link: https://commits.webkit.org/259548.787@safari-7615-branch


  Commit: 5473f46b40d0c5f81440c2cfcf49d4a2d31c06bd
      https://github.com/WebKit/WebKit/commit/5473f46b40d0c5f81440c2cfcf49d4a2d31c06bd
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessPool.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Cherry-pick 259548.792 at safari-7615-branch (f52bc7e18a7c). https://bugs.webkit.org/show_bug.cgi?id=257348

    Process Isolation Bypass via navigating to about:* context
    https://bugs.webkit.org/show_bug.cgi?id=257348
    rdar://109853048

    Reviewed by Chris Dumez and J Pascoe.

    This patch fixes an issue where we will never swap processes when navigating from an
    about:* page. A compromised WebContent process could leverage this behavior to avoid
    swapping processes when navigating to a cross-origin domain.

    This is fixed by checking the following when navigating from an about:* page.
    - The page has not committed a provisional load to a URL that isn't about:*.
    - The source process last loaded a domain from the same origin as the domain we are navigating to.

    If neither of these two conditions are met, we won’t reuse the process.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::didExplicitOpenForFrame):
    (WebKit::WebPageProxy::didCommitLoadForFrame):
    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::processForNavigationInternal):
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    (WebKit::WebProcessProxy::didCommitMeaningfulProvisionalLoad):
    (WebKit::WebProcessProxy::hasCommittedAnyMeaningfulProvisionalLoads const):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

    Canonical link: https://commits.webkit.org/259548.792@safari-7615-branch


  Commit: 993ed03d6b750a915d1bbca7712ce880c8605491
      https://github.com/WebKit/WebKit/commit/993ed03d6b750a915d1bbca7712ce880c8605491
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/C/WKPage.cpp
    M Source/WebKit/UIProcess/API/C/WKPage.h
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/WebKitTestRunner/TestController.cpp

  Log Message:
  -----------
  Cherry-pick 259548.812 at safari-7615-branch (5e250c9fb3d7). https://bugs.webkit.org/show_bug.cgi?id=257833

    REGRESSION(259548.792 at safari-7615-branch) http/tests/contentextensions/block-everything-unless-domain-redirect.py & http/tests/loading/preload-append-scan.py are failing
    https://bugs.webkit.org/show_bug.cgi?id=257833
    rdar://110350341

    Reviewed by Alex Christensen.

    259548.792 at safari-7615-branch made a change where we will swap processes when navigating from about:blank when
    the current process has made a provisional load to a URL that was not about:*. This state was not reset between
    tests, and since about:blank is loaded between each test, we would process swap in cases where we previously
    hadn’t when running tests. Let’s fix this by clearing this state on `WebProcessProxy` between each test run.

    * Source/WebKit/UIProcess/API/C/WKPage.cpp:
    (WKPageResetProcessState):
    * Source/WebKit/UIProcess/API/C/WKPage.h:
    * Source/WebKit/UIProcess/WebProcessProxy.cpp:
    (WebKit::WebProcessProxy::resetState):
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    * Tools/WebKitTestRunner/TestController.cpp:
    (WTR::TestController::resetStateToConsistentValues):

    Canonical link: https://commits.webkit.org/259548.812@safari-7615-branch


  Commit: dfd82a930eeb410f063928b9817357d123039d24
      https://github.com/WebKit/WebKit/commit/dfd82a930eeb410f063928b9817357d123039d24
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/regress-108468977.js
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
    M Source/JavaScriptCore/runtime/JSObject.cpp
    M Source/JavaScriptCore/runtime/JSObject.h

  Log Message:
  -----------
  Cherry-pick 259548.797 at safari-7615-branch (169a4b7e3f48). https://bugs.webkit.org/show_bug.cgi?id=257271

    [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take all put() overrides into account
    https://bugs.webkit.org/show_bug.cgi?id=257271
    <rdar://108468977>

    Reviewed by Yusuke Suzuki.

    Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not taking into account
    all existing put() overrides when analyzing side effects of AbsenceOfSetEffect condition, which leads
    to incorrect results for e.g. StringObject's "length", which is no-op in sloppy mode yet we rely on
    structure being transitioned.

    This patch fixes AbsenceOfSetEffect validity check to be more pessimistic when there is overriden put(),
    unless it's a common assigment target like JSArray or JSFunction to avoid performance regressions,
    all while the helper that checks for special properties with JSObject::definePropertyOnReceiver().

    * JSTests/stress/regress-108468977.js: Added.
    * Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
    (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
    (JSC::nonStructurePropertyMayBecomeReadOnlyWithoutTransition): Deleted.
    * Source/JavaScriptCore/runtime/JSObject.cpp:
    (JSC::JSObject::mightBeSpecialProperty):
    (JSC::JSObject::definePropertyOnReceiver):
    (JSC::canDefinePropertyOnReceiverFast): Deleted.
    * Source/JavaScriptCore/runtime/JSObject.h:

    Canonical link: https://commits.webkit.org/259548.797@safari-7615-branch


  Commit: cb67dbb46230e8b0aecab3b6bb67caee8e7f0194
      https://github.com/WebKit/WebKit/commit/cb67dbb46230e8b0aecab3b6bb67caee8e7f0194
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/stress/get-concurrently-should-take-cell-lock.js
    M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/runtime/JSArray.cpp
    M Source/JavaScriptCore/runtime/JSCell.h
    M Source/JavaScriptCore/runtime/JSObject.h

  Log Message:
  -----------
  Cherry-pick 259548.798 at safari-7615-branch (b7e3ebd9c372). https://bugs.webkit.org/show_bug.cgi?id=257285

    JSObject::getDirectConcurrently should take the cell lock.
    https://bugs.webkit.org/show_bug.cgi?id=257285
    rdar://108166258

    Reviewed by Yusuke Suzuki.

    `JSArray::unshiftCountWithArrayStorage` takes the cell lock and then the
    structure lock to prevent the compiler thread from accessing the butterfly
    before it is fully initialized.

    `JSObject::getDirectConcurrently` only takes the structure lock. This means
    that the compiler can take the structure lock, the cell can transition
    to a new structure, then unshift can mess up the butterfly, and finally
    the compiler thread proceeds to see garbage.

    The attached POC only reproduces if waits are introduced to extend the race window.

    It seems that the comment above cellLock is outdated, as our current concurrency
    protocol to prevent deadlocks is to take the cell lock then the structure lock.
    I could not find anywhere that uses the reverse, but if I missed something,
    a deadlock will be pretty easy to debug.

    * Source/JavaScriptCore/runtime/JSArray.cpp:
    (JSC::JSArray::unshiftCountWithArrayStorage):
    * Source/JavaScriptCore/runtime/JSCell.h:
    (JSC::JSCell::cellLock const):
    (JSC::JSCell::cellLock): Deleted.
    * Source/JavaScriptCore/runtime/JSObject.h:
    (JSC::JSObject::getDirectConcurrently const):

    Canonical link: https://commits.webkit.org/259548.798@safari-7615-branch


  Commit: 36a57b922accd6bd4a15f84f89b97fc29e713d25
      https://github.com/WebKit/WebKit/commit/36a57b922accd6bd4a15f84f89b97fc29e713d25
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt
    M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe.html
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe.html
    M LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag-emptyString.html
    M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag.html
    M LayoutTests/http/tests/security/referrer-policy-header-multipart.html
    M LayoutTests/http/tests/security/referrer-policy-header-test.js
    M LayoutTests/http/tests/security/referrer-policy-header.html
    M LayoutTests/http/tests/security/referrer-policy-https-always-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-always.html
    M LayoutTests/http/tests/security/referrer-policy-https-default-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-default.html
    M LayoutTests/http/tests/security/referrer-policy-https-never-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-never.html
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade.html
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer.html
    M LayoutTests/http/tests/security/referrer-policy-https-origin-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-origin.html
    M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url.html
    M LayoutTests/http/tests/security/resources/postReferrer.py
    M LayoutTests/http/tests/security/resources/referrer-policy-log.py
    M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-getCurrentPosition.html
    M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-watchPosition.html
    M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-meta-tag.py
    M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-test.py
    R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt
    R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html
    M LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-https-with-embedded-http-with-embedded-https.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/nested-documents-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/unlock-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt
    R LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/html/HTMLFormElement.cpp
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentThreadableLoader.cpp
    M Source/WebCore/loader/MixedContentChecker.cpp
    M Source/WebCore/loader/MixedContentChecker.h
    M Source/WebCore/loader/SubframeLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Cherry-pick 259548.802 at safari-7615-branch (bc09b6fca325). https://bugs.webkit.org/show_bug.cgi?id=257331

    Framed pages have ability to bypass Mixed Content restrictions
    https://bugs.webkit.org/show_bug.cgi?id=257331
    rdar://109100886

    Reviewed by Brent Fulgham.

    It is possible to bypass mixed content restrictions in pages which are
    framed. There are actually two issues here: secure frames embedded in
    insecure frames can bypass and frames which are sandboxed can bypass.

    In the former case we are only checking the for mixed content in the
    frame making the request as well as the top frame. So if an insecure frame
    embeds a secure frame, that secure frame could then embed an insecure frame and
    make mixed content requests without being blocked since the middle frame
    is not checked against the URL for mixed content.

    For the latter case we check whether or not the security origin
    of the requestor has an "https" protocol. The problem is sandboxed iframes
    are given an opaque origin which does not have the "https" protocol (or
    any protocol for that matter) and so we were skipping the mixed content check.

    This patch cleans up the MixedContentChecker implementation and fixes
    these two methods of bypass. This is accomplished by 1) checking the entire
    ancestor frame path from the requestor up to the top frame and 2) considering
    what the protocol of the security origin for the frame making the
    request would have been if it were not opaque. We special case a main resource
    load in the DocumentLoader by checking for mixed content starting from the parent frame.
    Otherwise we would block an insecure main frame from navigating a secure
    iframe to an insecure URL which is allowed by other browser engines.

    LayoutTests/http/tests/security:
        Rewrote some tests to no longer use HTTP iframes in HTTPS frames
        which is now blocked. These changes also include new console output
        for mixed content blocking messages.

    * LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt: Removed.
    * LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html: Removed.
        This test is no longer needed. We now block loading a HTTP iframe
        in a middle HTTPS frame so the innermost frame would never have a
        chance to load a worker anyway.

    * LayoutTests/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt:

    LayoutTests/platform:
        Updated platform-specific expectations.

    * Source/WebCore/Modules/websockets/WebSocket.cpp:
    (WebCore::WebSocket::connect):
    * Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
    (WebCore::WorkerThreadableWebSocketChannel::Bridge::connect):
    * Source/WebCore/html/HTMLFormElement.cpp:
    (WebCore::HTMLFormElement::parseAttribute):
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::willSendRequest):
    * Source/WebCore/loader/DocumentThreadableLoader.cpp:
    (WebCore::DocumentThreadableLoader::loadRequest):

    Source/WebCore/loader/MixedContentChecker:
        Refactor the MixedContentChecker to expose a more clear API.
        isMixedContent was never called by client code and canDisplay and
        canShow functions should be more clear that they will be checking
        the entire frame ancestor hierarchy so clients don't try to do that
        themselves. Move helpers to be static functions in the .cpp file.

    * Source/WebCore/loader/MixedContentChecker.cpp:
    (WebCore::isMixedContent):
    (WebCore::foundMixedContentInFrameTree):
    (WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent):
    (WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
    (WebCore::MixedContentChecker::checkFormForMixedContent):
    (WebCore::MixedContentChecker::checkForMixedContentInFrameTree): Deleted.
    (WebCore::MixedContentChecker::isMixedContent): Deleted.
    (WebCore::MixedContentChecker::canDisplayInsecureContent): Deleted.
    (WebCore::MixedContentChecker::canRunInsecureContent): Deleted.
    * Source/WebCore/loader/MixedContentChecker.h:

    * Source/WebCore/loader/SubframeLoader.cpp:
    (WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
    * Source/WebCore/loader/cache/CachedResourceLoader.cpp:
    (WebCore::CachedResourceLoader::checkInsecureContent const):

    Canonical link: https://commits.webkit.org/259548.802@safari-7615-branch


  Commit: 8536c77b03e96a3aa6da0d979999796adeb153a5
      https://github.com/WebKit/WebKit/commit/8536c77b03e96a3aa6da0d979999796adeb153a5
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/media/print-video-crash-expected.txt
    A LayoutTests/fast/media/print-video-crash.html
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
    M Tools/WebKitTestRunner/TestController.cpp

  Log Message:
  -----------
  Cherry-pick 263022.8 at webkit-2023.4-embargoed (221c50b850f8). https://bugs.webkit.org/show_bug.cgi?id=237291

    Make sure end printing is handled before PrintFrame
    https://bugs.webkit.org/show_bug.cgi?id=237291

    Reviewed by Chris Dumez.

    To ensure end printing is handled (and layer tree is unfrozen)
    introduce a completion handler on EndPrinting and tie its completion
    to the completion handler in WebPageProxy::printFrame.

    Also do not call endPrinting from TestController.cpp since
    WebPageProxy::printFrame takes care of that.

    * LayoutTests/fast/media/print-video-crash-expected.txt: Added.
    * LayoutTests/fast/media/print-video-crash.html: Added.
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::printFrame):
    (WebKit::WebPageProxy::endPrinting):
    * Source/WebKit/UIProcess/WebPageProxy.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::endPrinting):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    (WebKit::WebPage::endPrinting):
    (WebKit::WebPage::endPrintingDuringDOMPrintOperation):
    * Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
    * Tools/WebKitTestRunner/TestController.cpp:
    (WTR::printFrame):

    Canonical link: https://commits.webkit.org/263022.8@webkit-2023.4-embargoed


  Commit: 6217482b85fa8cc40ece4119a0799ddf55683826
      https://github.com/WebKit/WebKit/commit/6217482b85fa8cc40ece4119a0799ddf55683826
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-print-crash-expected.txt
    A LayoutTests/fast/canvas/canvas-print-crash.html

  Log Message:
  -----------
  Cherry-pick 263022.9 at webkit-2023.4-embargoed (a0645306d06d). https://bugs.webkit.org/show_bug.cgi?id=251370

    Add test case for bug 251370
    https://bugs.webkit.org/show_bug.cgi?id=251370

    Reviewed by Chris Dumez.

    Already fixed by https://commits.webkit.org/263022.8@webkit-2023.4-embargoed, but
    add this test for completeness.

    * LayoutTests/fast/canvas/canvas-print-crash-expected.txt: Added.
    * LayoutTests/fast/canvas/canvas-print-crash.html: Added.

    Canonical link: https://commits.webkit.org/263022.9@webkit-2023.4-embargoed


  Commit: 3a117ed1a61280d2f945414d776f8cdf297d59c8
      https://github.com/WebKit/WebKit/commit/3a117ed1a61280d2f945414d776f8cdf297d59c8
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/NavigationRequester.cpp
    M Source/WebCore/loader/NavigationRequester.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Cherry-pick 259548.813 at safari-7615-branch (47ed6aa2ea88). https://bugs.webkit.org/show_bug.cgi?id=257824

    Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag.
    https://bugs.webkit.org/show_bug.cgi?id=257824
    rdar://108462161

    Reviewed by Alex Christensen.

    Sandboxed iframes could execute script in a target frame by navigating
    the frame to a javascript: URL. For example, the top frame when the
    iframe has the sandbox flag "allow-top-navigation". This change checks to see if
    the "allow-scripts" flag is set before executing the URL in the target frame.

    * LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt: Added.
    * LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html: Added.
    * LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt: Added.
    * LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html: Added.
    * Source/WebCore/loader/FrameLoader.cpp:
    (WebCore::FrameLoader::executeJavaScriptURL):
    * Source/WebCore/loader/NavigationRequester.cpp:
    (WebCore::NavigationRequester::from):
    * Source/WebCore/loader/NavigationRequester.h:
    (WebCore::NavigationRequester::encode const):
    (WebCore::NavigationRequester::decode):

    Canonical link: https://commits.webkit.org/259548.813@safari-7615-branch


  Commit: b140015f7c677a9ad75b8921f15206eefa6d2847
      https://github.com/WebKit/WebKit/commit/b140015f7c677a9ad75b8921f15206eefa6d2847
  Author: Marcos Caceres <marcosc at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/http/wpt/content-security-policy/manifest.json
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub-expected.txt
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html.headers
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-expected.txt
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html.headers
    M LayoutTests/platform/ios-wk2/TestExpectations
    M LayoutTests/platform/mac-wk2/TestExpectations
    M Source/WebCore/loader/ApplicationManifestLoader.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ApplicationManifest.mm

  Log Message:
  -----------
  Cherry-pick 259548.816 at safari-7615-branch (8437c2302b67). https://bugs.webkit.org/show_bug.cgi?id=256686

    Incorrect CORS mode for ApplicationManifest
    https://bugs.webkit.org/show_bug.cgi?id=256686
    rdar://109154572

    Reviewed by Brent Fulgham.

    * LayoutTests/TestExpectations:
    * LayoutTests/http/wpt/content-security-policy/manifest.json: Added.
    * LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub-expected.txt: Added.
    * LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html: Added.
    * LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html.headers: Added.
    * LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-expected.txt: Added.
    * LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html: Added.
    * LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html.headers: Added.
    * LayoutTests/platform/ios-wk2/TestExpectations:
    * LayoutTests/platform/mac-wk2/TestExpectations:
    * Source/WebCore/loader/ApplicationManifestLoader.cpp:
    (WebCore::ApplicationManifestLoader::startLoading):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ApplicationManifest.mm:
    (TestWebKitAPI::TEST):

    Canonical link: https://commits.webkit.org/259548.816@safari-7615-branch


  Commit: 4b892d294751e3e37d7e31b4c89f0f15775c9797
      https://github.com/WebKit/WebKit/commit/4b892d294751e3e37d7e31b4c89f0f15775c9797
  Author: Said Abou-Hallawa <said at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/css3/filters/filter-visited-links-expected.html
    A LayoutTests/css3/filters/filter-visited-links.html
    M Source/WebCore/rendering/PaintPhase.h
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/rendering/StyledMarkedText.cpp
    M Source/WebCore/rendering/TextDecorationPainter.cpp
    M Source/WebCore/rendering/TextDecorationPainter.h
    M Source/WebCore/rendering/TextPaintStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.h

  Log Message:
  -----------
  Cherry-pick 259548.820 at safari-7615-branch (89399f0f4614). https://bugs.webkit.org/show_bug.cgi?id=257822

    Prevent SVG filters from leaking visited hyperlinks
    https://bugs.webkit.org/show_bug.cgi?id=257822
    rdar://109749006

    Reviewed by Simon Fraser.

    We should prevent websites from learning which sites have been visited via SVG
    filters on hyperlinks, per the attack described in https://arxiv.org/abs/2305.12784.

    This can be acheived by ignoring the visited links color when a filter is applied
    to the anchor element.

    * LayoutTests/css3/filters/filter-visited-links-expected.html: Added.
    * LayoutTests/css3/filters/filter-visited-links.html: Added.
    * Source/WebCore/rendering/PaintPhase.h:
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::paintLayerContents):
    (WebCore::RenderLayer::paintForegroundForFragments):
    (WebCore::RenderLayer::calculateClipRects const):
    * Source/WebCore/rendering/StyledMarkedText.cpp:
    (WebCore::resolveStyleForMarkedText):
    (WebCore::StyledMarkedText::computeStyleForUnmarkedMarkedText):
    * Source/WebCore/rendering/TextDecorationPainter.cpp:
    (WebCore::collectStylesForRenderer):
    (WebCore::TextDecorationPainter::decorationColor):
    (WebCore::TextDecorationPainter::stylesForRenderer):
    * Source/WebCore/rendering/TextDecorationPainter.h:
    (WebCore::TextDecorationPainter::decorationColor):
    (WebCore::TextDecorationPainter::stylesForRenderer):
    * Source/WebCore/rendering/TextPaintStyle.cpp:
    (WebCore::computeTextPaintStyle):
    * Source/WebCore/rendering/style/RenderStyle.cpp:
    (WebCore::RenderStyle::visitedDependentColor const):
    (WebCore::RenderStyle::visitedDependentColorWithColorFilter const):
    * Source/WebCore/rendering/style/RenderStyle.h:
    (WebCore::RenderStyle::visitedDependentColor):
    (WebCore::RenderStyle::visitedDependentColorWithColorFilter):

    Canonical link: https://commits.webkit.org/259548.820@safari-7615-branch


  Commit: 686e5d97f21aae290daff443dd623107d0ac5372
      https://github.com/WebKit/WebKit/commit/686e5d97f21aae290daff443dd623107d0ac5372
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html
    A LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick 259548.823 at safari-7615-branch (18a05c43972c). https://bugs.webkit.org/show_bug.cgi?id=257903

    Third Party IFrame Navigation Block Bypass via Content Security Policy Sandbox
    https://bugs.webkit.org/show_bug.cgi?id=257903
    rdar://109059471

    Reviewed by Brent Fulgham.

    If a third-party iframe is unsandboxed we will prevent top navigation
    without user interaction with the frame. However, this is bypassable if
    the iframe gives itself a sandbox which allows top navigation via CSP.

    This change checks to see if the iframe element was unsandboxed and
    proceeds with the more strict third-party checks if so.

    * LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt: Added.
    * LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html: Added.
    * LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py: Added.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):

    Canonical link: https://commits.webkit.org/259548.823@safari-7615-branch


  Commit: 77073e695d06411a1c311163812ec64c5160b1df
      https://github.com/WebKit/WebKit/commit/77073e695d06411a1c311163812ec64c5160b1df
  Author: J Pascoe <j_pascoe at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/page/DOMWindow.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick 259548.824 at safari-7615-branch (cff01e3a9ba5). https://bugs.webkit.org/show_bug.cgi?id=257352

    https://bugs.webkit.org/show_bug.cgi?id=257352
    rdar://106974958

    Reviewed by John Wilander and Brent Fulgham.

    This quirk is no longer nessesary to get favorites and recents to show up
    in the radio player, which is why it was added in the first place. Therefore
    it can be removed.

    * Source/WebCore/page/DOMWindow.cpp:
    (WebCore::DOMWindow::open):
    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
    (WebCore::Quirks::BBCRadioPlayerURLString): Deleted.
    (WebCore::Quirks::staticRadioPlayerURLString): Deleted.
    (WebCore::isBBCDomain): Deleted.
    (WebCore::isBBCPopUpPlayerElement): Deleted.
    * Source/WebCore/page/Quirks.h:
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::createNewPage):

    Canonical link: https://commits.webkit.org/259548.824@safari-7615-branch


  Commit: bf79ad432fb005b24f5c317014e79911de3bb993
      https://github.com/WebKit/WebKit/commit/bf79ad432fb005b24f5c317014e79911de3bb993
  Author: Sihui Liu <sihui_liu at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-expected.txt
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private-expected.txt
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private.html
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event.html
    A LayoutTests/storage/indexeddb/modern/resources/request-dispatch-untrusted-event.js
    M Source/WebCore/Modules/indexeddb/IDBRequest.cpp

  Log Message:
  -----------
  Cherry-pick 259548.825 at safari-7615-branch (9b3d228ec2cb). rdar://110459666

    jsc_fuz/wktr: null ptr deref in WebCore::IDBRequest::dispatchEvent(WebCore::Event&)
    rdar://110459666

    Reviewed by Brady Eidson.

    Make sure untrusted event does not change the internal state of IDBRequest. Also, move the assert that request must have
    pending activity when event is being dispatched to a later point, because IDBRequest::dispatchEvent might be invoked
    from JavaScript code (i.e. request does not actually have pending activity).

    Test: storage/indexeddb/modern/request-dispatch-untrusted-event.html
          storage/indexeddb/modern/request-dispatch-untrusted-event-private.html

    * LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-expected.txt: Added.
    * LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private-expected.txt: Added.
    * LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private.html: Added.
    * LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event.html: Added.
    * LayoutTests/storage/indexeddb/modern/resources/request-dispatch-untrusted-event.js: Added.
    (loadImage):
    (openDatabase):
    * Source/WebCore/Modules/indexeddb/IDBRequest.cpp:
    (WebCore::IDBRequest::dispatchEvent):

    Canonical link: https://commits.webkit.org/259548.825@safari-7615-branch


  Commit: a6294d763dca254a658172d5bc58b80994f5bbe8
      https://github.com/WebKit/WebKit/commit/a6294d763dca254a658172d5bc58b80994f5bbe8
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/editing/markup.cpp

  Log Message:
  -----------
  Cherry-pick 259548.830 at safari-7615-branch (9cd44913c84e). https://bugs.webkit.org/show_bug.cgi?id=258100

    Disable link preload when sanitizing web content
    https://bugs.webkit.org/show_bug.cgi?id=258100
    rdar://109675198

    Reviewed by Chris Dumez.

    Otherwise we get a request in the network process with an invalid pageID,
    and it MESSAGE_CHECKs and terminates the process.

    * Source/WebCore/editing/markup.cpp:
    (WebCore::createPageForSanitizingWebContent):

    Canonical link: https://commits.webkit.org/259548.830@safari-7615-branch


  Commit: b384b6ffd356f2f4354d6c8696ea447a36c5a083
      https://github.com/WebKit/WebKit/commit/b384b6ffd356f2f4354d6c8696ea447a36c5a083
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WTF/wtf/URLHelpers.cpp
    M Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm

  Log Message:
  -----------
  Cherry-pick 259548.832 at safari-7615-branch (aecf4d579f39). https://bugs.webkit.org/show_bug.cgi?id=256813

    Expand list of URL spoofing characters
    https://bugs.webkit.org/show_bug.cgi?id=256813
    rdar://109105078, rdar://109056841, and rdar://109056217

    Reviewed by Tim Horton.

    U+1E9C and U+1E9D are Medievalist characters, which means they haven't been used much
    in the last several centuries.  They look kind of like 'f' and other browsers punycode
    encode them when seen in URL hosts, so let's do the same.  Same with U+1EFE and U+1EFF.

    Deseret has been used much more recently, but still not much since the late 1800's.
    There is a sign in a restaurant in the Salt Lake City airport that uses it, but it
    seems to be a historical reference.  Classify Deseret like we do the International
    Phonetic Alphabet and punycode encode it if seen in URL hosts.

    * Source/WTF/wtf/URLHelpers.cpp:
    (WTF::URLHelpers::isLookalikeCharacter):
    * Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm:
    (TestWebKitAPI::TEST):

    Canonical link: https://commits.webkit.org/259548.832@safari-7615-branch


  Commit: a4748238ffbd3e9629be45b1e2d07d136da17e66
      https://github.com/WebKit/WebKit/commit/a4748238ffbd3e9629be45b1e2d07d136da17e66
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt
    A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html
    A LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html
    M Source/WebCore/workers/WorkerAnimationController.cpp

  Log Message:
  -----------
  Cherry-pick 259548.833 at safari-7615-branch (c60c40574fc5). https://bugs.webkit.org/show_bug.cgi?id=258058

    Crash under WebCore::JSRequestAnimationFrameCallback::~JSRequestAnimationFrameCallback()
    https://bugs.webkit.org/show_bug.cgi?id=258058
    rdar://110530772

    Reviewed by Ryosuke Niwa.

    JSRequestAnimationFrameCallback were outliving the VM and thus using the VM
    after-free in their destructor. JS Wrapper should never outlive the VM.

    JSRequestAnimationFrameCallback are subclasses of RequestAnimationFrameCallback,
    which were being kept alive by the WorkerAnimationController via its
    m_animationCallbacks vector.

    To address the issue, WorkerAnimationController now clears m_animationCallbacks
    in stop(), which gets called when the global scope (and thus the VM) are about
    to go away.

    * LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt: Added.
    * LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html: Added.
    * LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html: Added.
    * Source/WebCore/workers/WorkerAnimationController.cpp:
    (WebCore::WorkerAnimationController::stop):

    Canonical link: https://commits.webkit.org/259548.833@safari-7615-branch


  Commit: 21a661fd0240f047fc943f12fb94380709aca2ca
      https://github.com/WebKit/WebKit/commit/21a661fd0240f047fc943f12fb94380709aca2ca
  Author: Brandon Stewart <brandonstewart at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A LayoutTests/fast/css-grid-layout/baseline-masonry-crash-expected.html
    A LayoutTests/fast/css-grid-layout/baseline-masonry-crash.html
    M Source/WebCore/rendering/RenderGrid.cpp

  Log Message:
  -----------
  Cherry-pick 259548.835 at safari-7615-branch (b63d45649891). https://bugs.webkit.org/show_bug.cgi?id=257509

    Crash in GridBaselineAlignment::baselineGroupForChild
    https://bugs.webkit.org/show_bug.cgi?id=257509
    rdar://110027455

    Reviewed by Alan Baradlay.

    Certain baseline properties are not properly handled in CSS Masonry.
    We will just disable these calculations for now and then remove this in the future.

    * LayoutTests/fast/css-grid-layout/baseline-masonry-crash-expected.html: Added.
    * LayoutTests/fast/css-grid-layout/baseline-masonry-crash.html: Added.
    * Source/WebCore/rendering/RenderGrid.cpp:
    (WebCore::RenderGrid::columnAxisBaselineOffsetForChild const):
    (WebCore::RenderGrid::rowAxisBaselineOffsetForChild const):

    Canonical link: https://commits.webkit.org/259548.835@safari-7615-branch


  Commit: 169f297fcb3cb4c1f26c0c22b759044e3a448d48
      https://github.com/WebKit/WebKit/commit/169f297fcb3cb4c1f26c0c22b759044e3a448d48
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/loader/MixedContentChecker.cpp

  Log Message:
  -----------
  Cherry-pick 259548.841 at safari-7615-branch (74f32c21189a). https://bugs.webkit.org/show_bug.cgi?id=258303

    Remove unnecessary release assertion from mixed content checker.
    https://bugs.webkit.org/show_bug.cgi?id=258303
    <rdar://110766912>

    Reviewed by Brent Fulgham.

    We now check the entire frame tree for mixed content checks for all
    resources loads. An assertion that a document has a frame is no
    longer valid in general. This assertion was originally added in
    215749 at main in an attempt to cover an untestable case. This replaces
    the assert with a null check.

    * Source/WebCore/loader/MixedContentChecker.cpp:
    (WebCore::foundMixedContentInFrameTree):

    Canonical link: https://commits.webkit.org/259548.841@safari-7615-branch


  Commit: 950982a90668214d1fd91e180fc5db2c6d16391f
      https://github.com/WebKit/WebKit/commit/950982a90668214d1fd91e180fc5db2c6d16391f
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick 259548.842 at safari-7615-branch (e6347f30ecf1). https://bugs.webkit.org/show_bug.cgi?id=258322

    [IPC][Hardening] Validate URLs sent by the WebProcess via the WebPageProxy::DidFailProvisionalLoad IPC
    https://bugs.webkit.org/show_bug.cgi?id=258322
    rdar://111059792

    Reviewed by Brent Fulgham.

    Validate URLs sent by the WebProcess via the WebPageProxy::DidFailProvisionalLoad IPC.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::didFailProvisionalLoadForFrameShared):

    Canonical link: https://commits.webkit.org/259548.842@safari-7615-branch


  Commit: 20aeaf0e736a315ff857d13ce7626f061bc7254c
      https://github.com/WebKit/WebKit/commit/20aeaf0e736a315ff857d13ce7626f061bc7254c
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    A JSTests/wasm/stress/phi-live-across-rethrow.js
    A JSTests/wasm/stress/phi-live-across-throw.js
    M Source/JavaScriptCore/b3/B3DuplicateTails.cpp
    M Source/JavaScriptCore/b3/B3Kind.cpp
    M Source/JavaScriptCore/b3/B3Kind.h
    M Source/JavaScriptCore/b3/B3PatchpointValue.cpp
    M Source/JavaScriptCore/b3/B3PatchpointValue.h
    M Source/JavaScriptCore/b3/B3ValueInlines.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

  Log Message:
  -----------
  Cherry-pick 259548.844 at safari-7615-branch (2e29306082ae). https://bugs.webkit.org/show_bug.cgi?id=258408

    Prevent duplication of WASM throw and rethrow patchpoints in B3
    https://bugs.webkit.org/show_bug.cgi?id=258408
    rdar://110634913

    Reviewed by Yusuke Suzuki.

    Adds a cloningForbidden property to B3Kind, used to prevent a B3 value
    from being cloned during optimizations, and applies it to the patchpoints
    generated for the WASM throw and rethrow opcodes in WasmB3IRGenerator.
    This prevents a problem where these patchpoints could be duplicated, still
    share a stackmap/callsite index, but have conflicting live value
    locations.

    * JSTests/wasm/stress/phi-live-across-rethrow.js: Added.
    (async test):
    * JSTests/wasm/stress/phi-live-across-throw.js: Added.
    (async test):
    * Source/JavaScriptCore/b3/B3DuplicateTails.cpp:
    * Source/JavaScriptCore/b3/B3Kind.cpp:
    (JSC::B3::Kind::dump const):
    * Source/JavaScriptCore/b3/B3Kind.h:
    (JSC::B3::Kind::hasCloningForbidden):
    (JSC::B3::Kind::hasCloningForbidden const):
    (JSC::B3::Kind::isCloningForbidden const):
    (JSC::B3::Kind::setIsCloningForbidden):
    (JSC::B3::Kind::operator== const):
    (JSC::B3::Kind::hash const):
    (JSC::B3::cloningForbidden):
    * Source/JavaScriptCore/b3/B3PatchpointValue.cpp:
    (JSC::B3::PatchpointValue::PatchpointValue):
    * Source/JavaScriptCore/b3/B3PatchpointValue.h:
    * Source/JavaScriptCore/b3/B3ValueInlines.h:
    (JSC::B3::Value::cloneImpl const):
    * Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
    (JSC::Wasm::B3IRGenerator::addThrow):
    (JSC::Wasm::B3IRGenerator::addRethrow):

    Canonical link: https://commits.webkit.org/259548.844@safari-7615-branch


  Commit: 4876897fd30ae1f4831a518a21ba13b66f99a179
      https://github.com/WebKit/WebKit/commit/4876897fd30ae1f4831a518a21ba13b66f99a179
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h
    M Source/WebCore/bindings/js/ScriptController.cpp
    M Source/WebCore/dom/UserGestureIndicator.cpp
    M Source/WebCore/dom/UserGestureIndicator.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/AsyncFunction.mm

  Log Message:
  -----------
  Cherry-pick 259548.840 at safari-7615-branch (259842c7afc2). <bug>

    Cherry-pick 265168 at main (8e5ddea16577). rdar://110919134

        evaluateJavaScript: and callAsyncJavaScript: should not leave behind transient activation
        https://bugs.webkit.org/show_bug.cgi?id=258037
        rdar://107102031

        Reviewed by Ben Nham.

        JavaScript evaluated by the client app is executed as if from a user gesture, which is fine for now.
        But before this change, such JS left behind transient user activation for (currently) 5 seconds, which is not fine.

        Let's remove that sticky side effect.

        * Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.cpp:
        (WTF::computeSDKAlignedBehaviors):
        * Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h:

        * Source/WebCore/bindings/js/ScriptController.cpp:
        (WebCore::ScriptController::executeScriptInWorld):
        (WebCore::ScriptController::executeAsynchronousUserAgentScriptInWorld):

        * Source/WebCore/dom/UserGestureIndicator.cpp:
        (WebCore::UserGestureToken::forEachImpactedDocument):
        * Source/WebCore/dom/UserGestureIndicator.h:

        * Tools/TestWebKitAPI/Tests/WebKitCocoa/AsyncFunction.mm:
        (TestWebKitAPI::TEST):

        Canonical link: https://commits.webkit.org/265168@main

    Canonical link: https://commits.webkit.org/259548.840@safari-7615-branch


  Commit: 988aef019b272b6120c8658e88b273322a08a154
      https://github.com/WebKit/WebKit/commit/988aef019b272b6120c8658e88b273322a08a154
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-07-28 (Fri, 28 Jul 2023)

  Changed paths:
    M Source/WebCore/bindings/js/RunJavaScriptParameters.h
    M Source/WebCore/bindings/js/ScriptController.cpp
    M Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.h
    M Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.mm
    M Source/WebKit/UIProcess/API/C/WKPage.cpp
    M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
    M Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp
    M Source/WebKit/UIProcess/Inspector/socket/RemoteInspectorProtocolHandler.cpp

  Log Message:
  -----------
  Cherry-pick 259548.854 at safari-7615-branch (465b681115e6). rdar://104748908

    User agent JavaScript from full web browsers should clear transient activation.
    rdar://104748908
    https://bugs.webkit.org/show_bug.cgi?id=251276

    Reviewed by Brent Fulgham.

    Take the solution from https://commits.webkit.org/265168@main and extend it to full web browsers now.

    * Source/WebCore/bindings/js/RunJavaScriptParameters.h:
    (WebCore::RunJavaScriptParameters::RunJavaScriptParameters):
    (WebCore::RunJavaScriptParameters::encode const):
    (WebCore::RunJavaScriptParameters::decode):

    * Source/WebCore/bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::executeScriptInWorldIgnoringException):
    (WebCore::ScriptController::executeScriptInWorld):
    (WebCore::ScriptController::executeUserAgentScriptInWorld):

    * Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.h:
    * Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.mm:
    (WebKit::shouldEvaluateJavaScriptWithoutTransientActivation):

    * Source/WebKit/UIProcess/API/C/WKPage.cpp:
    (WKPageRunJavaScriptInMainFrame):

    * Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
    (-[WKWebView _evaluateJavaScript:asAsyncFunction:withSourceURL:withArguments:forceUserGesture:inFrame:inWorld:completionHandler:]):

    Canonical link: https://commits.webkit.org/259548.854@safari-7615-branch


Compare: https://github.com/WebKit/WebKit/compare/e5070753347b...988aef019b27


More information about the webkit-changes mailing list