[webkit-changes] [WebKit/WebKit] ae98f7: Cherry-pick 259548.678 at safari-7615-branch (7c662f5...
Brady Eidson
noreply at github.com
Fri Jul 28 08:47:24 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: ae98f7b3181b76c6ca9917814709899abbc9eba1
https://github.com/WebKit/WebKit/commit/ae98f7b3181b76c6ca9917814709899abbc9eba1
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
M Source/WebCore/rendering/RenderInline.cpp
Log Message:
-----------
Cherry-pick 259548.678 at safari-7615-branch (7c662f5b36e3). https://bugs.webkit.org/show_bug.cgi?id=255552.
RenderInline::offsetForInFlowPositionedInline causes a null-deref of a layout box on repaint.
https://bugs.webkit.org/show_bug.cgi?id=255552.
rdar://107952390.
Reviewed by Alan Baradlay.
Line layout codepath invalidation is triggered by JS, which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations, which calls offsetForInFlowPositionedInline in the case of inline boxes. This tries to access the lineBoxes associated with the renderers, but they were invalidated by previous repaints. This leads to a null deref of the lineboxes.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::isLineLayoutPresent const):
* Source/WebCore/rendering/RenderBlockFlow.h:
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::offsetForInFlowPositionedInline const):
Canonical link: https://commits.webkit.org/259548.678@safari-7615-branch
Commit: a0610381408a875a2edc1127f61c8b9ae90e0074
https://github.com/WebKit/WebKit/commit/a0610381408a875a2edc1127f61c8b9ae90e0074
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/regress-255806.js
M Source/JavaScriptCore/runtime/StringPrototype.cpp
Log Message:
-----------
Cherry-pick 259548.689 at safari-7615-branch (a75d564e8c5f). https://bugs.webkit.org/show_bug.cgi?id=255806
jsc_fuzz: ASSERTION FAILED: !is8Bit() || isEmpty() in stringProtoFuncToWellFormed()
https://bugs.webkit.org/show_bug.cgi?id=255806
<rdar://108256807>
Reviewed by Yusuke Suzuki.
It's necessary to resolve a rope to determine if a string is 8-bit: JSRopeString's is8BitInPointer merely
implies it can be represented as 8-bit, but after the rope is resolved, it can become a 16-bit string.
* JSTests/stress/regress-255806.js: Added.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/259548.689@safari-7615-branch
Commit: 0fe701393004d6f0e1df461645985de53d313477
https://github.com/WebKit/WebKit/commit/0fe701393004d6f0e1df461645985de53d313477
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/marked-buffer-fill-should-be-gc-aware.js
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/runtime/ArgList.h
Log Message:
-----------
Cherry-pick 259548.690 at safari-7615-branch (b05050e0cc00). https://bugs.webkit.org/show_bug.cgi?id=255951
[JSC] MarkedVector::fill should register itself as a root
https://bugs.webkit.org/show_bug.cgi?id=255951
rdar://108261913
Reviewed by Alexey Shvayka and Justin Michaud.
1. MarkedVector::fill is not registering itself as a strong root of GC. This patch fixes it with m_markSet->add.
2. Initialize buffer with empty value in MarkedVector::fill. This buffer can be scanned via GC when GC is invoked from
a passed lambda.
* JSTests/stress/marked-buffer-fill-should-be-gc-aware.js: Added.
(foo):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleVarargsCheckpoint):
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVector::fill):
Canonical link: https://commits.webkit.org/259548.690@safari-7615-branch
Commit: e5958f914416c14e02ff967a16257409315944e9
https://github.com/WebKit/WebKit/commit/e5958f914416c14e02ff967a16257409315944e9
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/animation/KeyframeEffect.cpp
M Source/WebCore/platform/graphics/transforms/IdentityTransformOperation.h
M Source/WebCore/platform/graphics/transforms/Matrix3DTransformOperation.h
M Source/WebCore/platform/graphics/transforms/MatrixTransformOperation.h
M Source/WebCore/platform/graphics/transforms/PerspectiveTransformOperation.h
M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp
M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
M Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.cpp
M Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.h
M Source/WebCore/platform/graphics/transforms/SkewTransformOperation.cpp
M Source/WebCore/platform/graphics/transforms/SkewTransformOperation.h
M Source/WebCore/platform/graphics/transforms/TransformOperation.h
M Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp
M Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 259548.723 at safari-7615-branch (9e8e582627a8). https://bugs.webkit.org/show_bug.cgi?id=255629
TransformOperation subclasses should verify deserialized type
https://bugs.webkit.org/show_bug.cgi?id=255629
rdar://108161092
Reviewed by David Kilzer.
The type needs to line up with the same types used by the is, downcast, and dynamicDowncast functions.
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::computedNeedsForcedLayout):
* Source/WebCore/platform/graphics/transforms/IdentityTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/Matrix3DTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/MatrixTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/PerspectiveTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp:
(WebCore::RotateTransformOperation::RotateTransformOperation):
* Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.cpp:
(WebCore::ScaleTransformOperation::ScaleTransformOperation):
* Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/SkewTransformOperation.cpp:
(WebCore::SkewTransformOperation::SkewTransformOperation):
* Source/WebCore/platform/graphics/transforms/SkewTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/TransformOperation.h:
(WebCore::TransformOperation::isRotateTransformOperationType):
(WebCore::TransformOperation::isScaleTransformOperationType):
(WebCore::TransformOperation::isSkewTransformOperationType):
(WebCore::TransformOperation::isTranslateTransformOperationType):
(WebCore::TransformOperation::isRotateTransformOperationType const): Deleted.
(WebCore::TransformOperation::isScaleTransformOperationType const): Deleted.
(WebCore::TransformOperation::isSkewTransformOperationType const): Deleted.
(WebCore::TransformOperation::isTranslateTransformOperationType const): Deleted.
* Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp:
(WebCore::TranslateTransformOperation::TranslateTransformOperation):
* Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/259548.723@safari-7615-branch
Commit: 1b50a3df73d21bef150af61c2810002df3bc141e
https://github.com/WebKit/WebKit/commit/1b50a3df73d21bef150af61c2810002df3bc141e
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt
A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html
M Source/WebCore/style/StyleBuilderCustom.h
Log Message:
-----------
Cherry-pick 259548.730 at safari-7615-branch (c123784dc828). https://bugs.webkit.org/show_bug.cgi?id=255955.
Fix type confusion in BuilderConverter::applyValueContent.
https://bugs.webkit.org/show_bug.cgi?id=255955.
rdar://108499561.
Reviewed by Antti Koivisto.
This change fixes applyValueContent so that it can deal with single
values instead of expecting a list of values towards the end.
* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderCustom.h:
(WebCore::Style::BuilderCustom::applyValueContent):
Canonical link: https://commits.webkit.org/259548.730@safari-7615-branch
Commit: 2a8268d01eb0085e7efd3e0ca27aa6c30d452a86
https://github.com/WebKit/WebKit/commit/2a8268d01eb0085e7efd3e0ca27aa6c30d452a86
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt
A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html
M Source/WebCore/style/StyleBuilderConverter.h
Log Message:
-----------
Cherry-pick 259548.746 at safari-7615-branch (1b98f8905ce2). https://bugs.webkit.org/show_bug.cgi?id=256055.
Fix type confusion in StyleBuilder::ConvertGridTrackSizeList.
https://bugs.webkit.org/show_bug.cgi?id=256055.
rdar://108501981.
Reviewed by Antti Koivisto.
This change fixes convertGridTrackSizeList so that it can deal with single
values instead of expecting a list of values towards the end.
* LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertGridTrackSizeList):
Canonical link: https://commits.webkit.org/259548.746@safari-7615-branch
Commit: 8c362780c39314228531777335d72cf16b065465
https://github.com/WebKit/WebKit/commit/8c362780c39314228531777335d72cf16b065465
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/page/DOMWindow.h
Log Message:
-----------
Cherry-pick 259548.729 at safari-7615-branch (5cc2ead4986a). https://bugs.webkit.org/show_bug.cgi?id=256205.
Handle potential overflow of gamepadEventListenerCount.
https://bugs.webkit.org/show_bug.cgi?id=256205.
rdar://80838189.
Reviewed by Ryosuke Niwa.
m_gamepadEventListenerCount can overflow if addEventListener() is called UINT_MAX+1 times.
Once the window is freed, we will be left with a dangling pointer in the GamepadManager.
This change adds a flag to check for overflow and keep the behavior the same in the event of overflow.
* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::~DOMWindow):
(WebCore::DOMWindow::incrementGamepadEventListenerCount):
(WebCore::DOMWindow::decrementGamepadEventListenerCount):
* Source/WebCore/page/DOMWindow.h:
Canonical link: https://commits.webkit.org/259548.729@safari-7615-branch
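The counter wrap described above, modeled as an added example (constructed code, not WebKit's DOMWindow or GamepadManager): a naive listener counter wraps to zero and leaves its registration behind when the window dies, while a counter that saturates and sets an overflow flag (the assumed semantics of the fix) always unregisters. The count type is a template parameter so a uint8_t reproduces in 256 calls what an unsigned would need UINT_MAX+1 calls for.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed stand-in for the GamepadManager: it only records how many windows
// are currently registered, so a registration that is never undone shows up as
// a non-zero count after the window object is gone (the dangling-pointer case).
struct FakeGamepadManager {
    int registeredWindows = 0;
};

// Naive counter: the first listener registers the window, the last removal
// unregisters it, and the destructor unregisters only while the count is non-zero.
template <typename Count>
class NaiveWindow {
public:
    explicit NaiveWindow(FakeGamepadManager& manager) : m_manager(manager) {}
    ~NaiveWindow() { if (m_count) m_manager.registeredWindows--; }
    void addListener() {
        if (++m_count == 1)            // wraps to 0 on the (max+1)-th call
            m_manager.registeredWindows++;
    }
    void removeListener() {
        if (m_count && --m_count == 0)
            m_manager.registeredWindows--;
    }
private:
    FakeGamepadManager& m_manager;
    Count m_count = 0;
};

// Counter with an overflow flag (assumed semantics of the fix in the commit
// message): once the count would wrap, the window stays registered for the rest
// of its lifetime and the destructor always unregisters it.
template <typename Count>
class FlaggedWindow {
public:
    explicit FlaggedWindow(FakeGamepadManager& manager) : m_manager(manager) {}
    ~FlaggedWindow() { if (m_count || m_overflowed) m_manager.registeredWindows--; }
    void addListener() {
        if (m_overflowed)
            return;
        if (m_count == std::numeric_limits<Count>::max()) {
            m_overflowed = true;       // saturate instead of wrapping
            return;
        }
        if (++m_count == 1)
            m_manager.registeredWindows++;
    }
    void removeListener() {
        if (m_overflowed || !m_count)  // count no longer trustworthy: stay registered
            return;
        if (--m_count == 0)
            m_manager.registeredWindows--;
    }
private:
    FakeGamepadManager& m_manager;
    Count m_count = 0;
    bool m_overflowed = false;
};

// Adds `adds` listeners, removes `removes`, destroys the window and returns how
// many registrations the manager still holds. 0 means no dangling entry.
template <template <typename> class Window, typename Count>
int leakedRegistrations(unsigned long adds, unsigned long removes) {
    FakeGamepadManager manager;
    {
        Window<Count> window(manager);
        for (unsigned long i = 0; i < adds; ++i) window.addListener();
        for (unsigned long i = 0; i < removes; ++i) window.removeListener();
    }
    return manager.registeredWindows;
}

int main() {
    std::printf("naive,   256 adds: %d leaked\n", leakedRegistrations<NaiveWindow, std::uint8_t>(256, 0));
    std::printf("flagged, 256 adds: %d leaked\n", leakedRegistrations<FlaggedWindow, std::uint8_t>(256, 0));
    return 0;
}
```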
Commit: 818c5df196cc3257598e8799acc698fa3cb4f1d9
https://github.com/WebKit/WebKit/commit/818c5df196cc3257598e8799acc698fa3cb4f1d9
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebKit/Platform/IPC/Connection.cpp
M Source/WebKit/Scripts/webkit/model.py
M Source/WebKit/Scripts/webkit/tests/MessageNames.cpp
M Source/WebKit/Scripts/webkit/tests/MessageNames.h
M Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp
Log Message:
-----------
Cherry-pick 259548.751 at safari-7615-branch (9fc652968e3c). https://bugs.webkit.org/show_bug.cgi?id=256373
Drop MessageName::Terminate IPC message
https://bugs.webkit.org/show_bug.cgi?id=256373
rdar://108899132
Reviewed by Sihui Liu.
Drop MessageName::Terminate IPC message as it could easily be abused by a
compromised WebProcess to kill the UIProcess.
It was temporarily introduced in 243810 at main to investigate NetworkProcess
hangs we were seeing and should no longer be needed. This reverts 243810 at main.
* Source/WebKit/Platform/IPC/Connection.cpp:
(IPC::Connection::processIncomingMessage):
(IPC::terminateDueToIPCTerminateMessage): Deleted.
* Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::didBecomeUnresponsive):
(WebKit::shouldTerminateNetworkProcessBySendingMessage): Deleted.
Canonical link: https://commits.webkit.org/259548.751@safari-7615-branch
Commit: 13db18fbb54ae73f4399a2c4addfac94f7bd7e95
https://github.com/WebKit/WebKit/commit/13db18fbb54ae73f4399a2c4addfac94f7bd7e95
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M LayoutTests/fast/files/null-origin-string-expected.txt
M LayoutTests/fast/files/null-origin-string.html
A LayoutTests/http/tests/security/block-top-level-navigation-to-different-scheme-by-third-party-iframes-expected.txt
A LayoutTests/http/tests/security/block-top-level-navigation-to-different-scheme-by-third-party-iframes.html
A LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes-expected.txt
A LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes.html
A LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-different-scheme.html
A LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-redirect.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/NavigationRequester.cpp
M Source/WebCore/loader/NavigationRequester.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 259548.752 at safari-7615-branch (a0fa94d1a572). https://bugs.webkit.org/show_bug.cgi?id=256549
Restrict further top-frame navigations by a third-party iframe
https://bugs.webkit.org/show_bug.cgi?id=256549
rdar://108794051
Reviewed by Geoffrey Garen.
Restrict further top-frame navigations by a third-party iframe:
- Block navigations to a different scheme
- Block navigations that start off same-site but redirect to a different site
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
* Source/WebCore/dom/Document.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):
Canonical link: https://commits.webkit.org/259548.752@safari-7615-branch
Commit: 0e104f71f859197cf31a12ac0b4fad835d4bd3db
https://github.com/WebKit/WebKit/commit/0e104f71f859197cf31a12ac0b4fad835d4bd3db
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/regress-109134454.js
M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
Log Message:
-----------
Cherry-pick 259548.761 at safari-7615-branch (776066945bf4). https://bugs.webkit.org/show_bug.cgi?id=256573
[JSC] Fix IntRange speculation for zExt32
https://bugs.webkit.org/show_bug.cgi?id=256573
rdar://109134454
Reviewed by Yusuke Suzuki.
Previously, the IntRange speculation in B3ReduceStrength for the node
zExt32 was wrong. This patch fixes this issue.
* JSTests/stress/regress-109134454.js: Added.
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp:
Canonical link: https://commits.webkit.org/259548.761@safari-7615-branch
Commit: b0f4f94839df47f872a0991b8ab46ba66543e223
https://github.com/WebKit/WebKit/commit/b0f4f94839df47f872a0991b8ab46ba66543e223
Author: David Degazio <d_degazio at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/wasm/stress/throw-multiple-values.js
A JSTests/wasm/stress/throw-with-live-value-on-stack.js
M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
Log Message:
-----------
Cherry-pick 259548.762 at safari-7615-branch (7fb3ced7874a). https://bugs.webkit.org/show_bug.cgi?id=256818
Parameters to throw alias with stack elements in WASM LLInt
https://bugs.webkit.org/show_bug.cgi?id=256818
rdar://108036137
Reviewed by Yusuke Suzuki.
Correctly computes stack offsets when materializing the operands of
a wasm_throw instruction in the WasmLLIntGenerator by counting relative
to the stack height before the operands were popped as opposed to after.
* JSTests/wasm/stress/throw-multiple-values.js: Added.
(async test):
* JSTests/wasm/stress/throw-with-live-value-on-stack.js: Added.
(async test):
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addThrow):
Canonical link: https://commits.webkit.org/259548.762@safari-7615-branch
Commit: ec83f7580fdcc4a4ad7c1597053adc78dd0a922b
https://github.com/WebKit/WebKit/commit/ec83f7580fdcc4a4ad7c1597053adc78dd0a922b
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/loader/DocumentLoader.cpp
Log Message:
-----------
Cherry-pick 259548.773 at safari-7615-branch (3d72c3255b5f). https://bugs.webkit.org/show_bug.cgi?id=257161
Follow-up to 259548.752 at safari-7615-branch to cancel navigations instead of blocking them
https://bugs.webkit.org/show_bug.cgi?id=257161
rdar://108794051
Reviewed by Alex Christensen.
259548.752 at safari-7615-branch added further restrictions to prevent top-frame navigations
by third-party iframes, in particular using redirects. I had decided to block the redirect
with a blockedError(). However, it turns out that Safari shows an error page when doing
so, which results in a bad user experience since the top frame is still being navigated
(to an error page).
To address the issue, I am now cancelling the redirect instead and returning a
cancelledError(). I have verified that Safari doesn't show an error page in this case and
that the top frame is not getting navigated.
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
Canonical link: https://commits.webkit.org/259548.773@safari-7615-branch
Commit: 42bc82e63347c5c777dc201d955b7a747cb3cfff
https://github.com/WebKit/WebKit/commit/42bc82e63347c5c777dc201d955b7a747cb3cfff
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
M Source/JavaScriptCore/runtime/ClassInfo.h
M Source/JavaScriptCore/runtime/PropertySlot.h
M Source/JavaScriptCore/runtime/Structure.cpp
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Log Message:
-----------
Cherry-pick 259548.775 at safari-7615-branch (ffe32d106cb2). https://bugs.webkit.org/show_bug.cgi?id=255952
[JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take non-reified static properties into account
https://bugs.webkit.org/show_bug.cgi?id=255952
<rdar://108334411>
Reviewed by Yusuke Suzuki.
Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the
structure's non-reified static properties against the condition. This can lead to incorrect analysis
of side effects: AbsenceOfSetEffect condition with a non-reified static setter is considered pure
even though a setter with arbitrary code can be invoked.
This patch fixes the AbsenceOfSetEffect validity check for structures with non-reified static properties
while taking extra care to make the fix as precise as possible to avoid unnecessary slowdowns.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
* Source/JavaScriptCore/runtime/ClassInfo.h:
* Source/JavaScriptCore/runtime/PropertySlot.h:
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::ClassInfo::hasStaticReadOnlyOrGetterSetterProperty const):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
Canonical link: https://commits.webkit.org/259548.775@safari-7615-branch
Commit: ef65ba56c109cb54c24ed6da30a39ef230b1acf7
https://github.com/WebKit/WebKit/commit/ef65ba56c109cb54c24ed6da30a39ef230b1acf7
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/regress-109102631.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick 259548.763 at safari-7615-branch (62d974e46170). https://bugs.webkit.org/show_bug.cgi?id=256865
[JSC] GetTypedArrayByteOffset should do speculation check for all bits in DFG
https://bugs.webkit.org/show_bug.cgi?id=256865
rdar://109428505
Reviewed by Yusuke Suzuki.
DFG abstract interpreter speculates that GetTypedArrayByteOffset node
should have int32 result. However, when compiling GetTypedArrayByteOffset
we only do speculation check on lower bits of the result, which is wrong.
This patch fixes this problem.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
Canonical link: https://commits.webkit.org/259548.763@safari-7615-branch
Commit: d784299e55fa84c267ca35ed257ef08a500571f7
https://github.com/WebKit/WebKit/commit/d784299e55fa84c267ca35ed257ef08a500571f7
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js
M JSTests/stress/ordinary-set-exceptions.js
M Source/JavaScriptCore/runtime/JSObject.cpp
Log Message:
-----------
Cherry-pick 259548.774 at safari-7615-branch (23e9761b5751). https://bugs.webkit.org/show_bug.cgi?id=257164
[JSC] putByValWithThis shouldn't bypass definePropertyOnReceiverSlow
https://bugs.webkit.org/show_bug.cgi?id=257164
<rdar://108759737>
Reviewed by Yusuke Suzuki.
The OrdinarySet revamp in https://webkit.org/b/217916 assumed that there are only 2 cases to take the slow path
for altered receivers: overridden [[Set]] in prototype chain and Reflect.set(). I thought that it's unobservable
to take the fast path otherwise since overridden methods were already called.
However, the third case was missed: put_by_val_with_this bytecode op, which is emitted for setting a property
on `super` base, and with https://webkit.org/b/252602, for ProxyObjectStore IC when the trap is missing.
Among other minor web compatibility bugs, missing that case caused properties to be put right on ProxyObject's
structure, where they are inaccessible, skipping calls to "set" and "defineProperty" traps.
This change relaxes the condition for taking the definePropertyOnReceiverSlow() while ensuring all common
[[Set]] targets like JSArray or `class X extends Y {}` are just as fast.
* JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js: Added.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::canDefinePropertyOnReceiverFast):
(JSC::JSObject::definePropertyOnReceiver):
Canonical link: https://commits.webkit.org/259548.774@safari-7615-branch
Commit: fff78f2470f4e688798baa4c3133698963b3a4f3
https://github.com/WebKit/WebKit/commit/fff78f2470f4e688798baa4c3133698963b3a4f3
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M JSTests/stress/regress-109102631.js
Log Message:
-----------
Cherry-pick 259548.776 at safari-7615-branch (7849e30e34aa). https://bugs.webkit.org/show_bug.cgi?id=257215
[JSC] Skip memory limited systems for test case allocating large size array
https://bugs.webkit.org/show_bug.cgi?id=257215
rdar://109729172
Reviewed by Yusuke Suzuki.
* JSTests/stress/regress-109102631.js:
Canonical link: https://commits.webkit.org/259548.776@safari-7615-branch
Commit: 920a6190c80740deae08cfe24e0c37eabb7cf9da
https://github.com/WebKit/WebKit/commit/920a6190c80740deae08cfe24e0c37eabb7cf9da
Author: Patrick Angle <pangle at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/JavaScriptCore/inspector/ScriptCallStack.cpp
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp
Log Message:
-----------
Cherry-pick 259548.777 at safari-7615-branch (e74d4b07ad38). https://bugs.webkit.org/show_bug.cgi?id=256932
Web Inspector: Deeply nested console logging can cause ConsoleMessage to be destroyed while we are still trying to log it
https://bugs.webkit.org/show_bug.cgi?id=256932
rdar://108063640
Reviewed by Mark Lam.
InspectorConsoleAgent has been incorrectly managing the lifetime of each ConsoleMessage by moving messages into a vector
of messages before we have passed those messages on to the frontend. This means that a console message that causes
another console message to be logged may eventually cause our original message to be dropped from the vector if this
occurs deeply enough. At that point, when we unwind back to the original message, it has been destroyed while we are
trying to send it to the frontend, which results in a bad time because we are still inside a function on the
ConsoleMessage that tries to access its own member variables like m_arguments, and fails because the message object
itself has been destroyed, taking its members with it.
This also fixes a subtle message inversion in the backlog of messages and what is logged to the console when Web
Inspector is open, since the message is sent to the frontend after all other processing, but we were previously adding
the message to the vector of past messages before that processing (which may in turn cause more logging before the
actual logging we called in to perform) to occur.
A second minor issue is that ScriptCallStack is incorrectly asserting in its constructor, which prevented investigation
of this issue initially. The call stack should be less than __or equal to__ the max call stack, not just less than.
* Source/JavaScriptCore/inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend):
* Source/JavaScriptCore/inspector/InjectedScript.cpp:
(Inspector::InjectedScript::wrapObject const):
(Inspector::InjectedScript::wrapTable const):
* Source/JavaScriptCore/inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::ScriptCallStack):
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::addConsoleMessage):
* Source/WebCore/page/PageConsoleClient.cpp:
(WebCore::PageConsoleClient::messageWithTypeAndLevel):
Canonical link: https://commits.webkit.org/259548.777@safari-7615-branch
Commit: 58983074a9c84dfb0b3f6c4aab6c6de07648c6ae
https://github.com/WebKit/WebKit/commit/58983074a9c84dfb0b3f6c4aab6c6de07648c6ae
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/resizable-array-buffer-copy-within-length-update.js
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
Log Message:
-----------
Cherry-pick 259548.785 at safari-7615-branch (f2a2820d312c). https://bugs.webkit.org/show_bug.cgi?id=257387
[JSC] Recompute length properly when resize happens during TypedArray#copyWithin
https://bugs.webkit.org/show_bug.cgi?id=257387
rdar://109851495
Reviewed by Mark Lam.
copyWithin's side-effectful operation can resize a resizable ArrayBuffer. We have code catching this and recomputing the appropriate copy count
again, but it can overflow if `to` or `from` are larger than the newly updated `length`. This patch handles this case correctly: returning,
since there is no content to copy in this case.
* JSTests/stress/resizable-array-buffer-copy-within-length-update.js: Added.
(call_back):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncCopyWithin):
Canonical link: https://commits.webkit.org/259548.785@safari-7615-branch
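The recomputation after a mid-call resize, as an added example (a constructed model over a std::vector, not JSC's genericTypedArrayViewProtoFuncCopyWithin): the pre-fix arithmetic clamps the count against `length - max(to, from)`, which wraps for size_t once an index is past the shrunken length so the original count survives and the copy would run off the buffer; the fixed version returns 0 before that subtraction can wrap. The side-effect hook stands in for the argument coercion that user code can use to resize the buffer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Constructed stand-in for a typed array view over a resizable ArrayBuffer.
using Buffer = std::vector<int>;
// Hook standing in for the observable argument coercion that may shrink the buffer.
using SideEffect = std::function<void(Buffer&)>;

// Pre-fix arithmetic (modeled). Returns the count only and never copies, so the
// defect is observable without out-of-bounds access: when max(to, from) exceeds
// the new length, `length - max(to, from)` wraps to a huge value and min() keeps
// the caller's count, even though from + count now lies past the end.
std::size_t recomputeCountNaive(Buffer& buf, std::size_t to, std::size_t from,
                                std::size_t count, const SideEffect& effect) {
    effect(buf);
    std::size_t length = buf.size();
    return std::min(count, length - std::max(to, from));
}

// Fixed arithmetic: nothing to copy once either index is at or past the new
// length, so return 0 before the subtraction can wrap; otherwise clamp as before.
std::size_t recomputeCountFixed(std::size_t length, std::size_t to, std::size_t from,
                                std::size_t count) {
    if (to >= length || from >= length)
        return 0;
    return std::min(count, length - std::max(to, from));
}

// copyWithin over the stand-in buffer using the fixed recomputation.
// Returns the number of elements actually moved.
std::size_t copyWithinFixed(Buffer& buf, std::size_t to, std::size_t from,
                            std::size_t count, const SideEffect& effect) {
    effect(buf);
    count = recomputeCountFixed(buf.size(), to, from, count);
    if (count == 0)
        return 0;
    // memmove semantics: source and destination ranges may overlap.
    if (to < from)
        std::copy(buf.begin() + from, buf.begin() + from + count, buf.begin() + to);
    else
        std::copy_backward(buf.begin() + from, buf.begin() + from + count,
                           buf.begin() + to + count);
    return count;
}

// Constructed scenario: a 16-element buffer holding 0..15.
Buffer sampleBuffer() {
    Buffer b(16);
    for (std::size_t i = 0; i < b.size(); ++i)
        b[i] = static_cast<int>(i);
    return b;
}

// Side effect that shrinks the buffer to 6 elements, below both indices used below.
void shrinkToSix(Buffer& b) { b.resize(6); }

int main() {
    Buffer a = sampleBuffer();
    std::printf("naive count after shrink: %zu (buffer has %zu elements)\n",
                recomputeCountNaive(a, 12, 8, 4, shrinkToSix), a.size());
    Buffer b = sampleBuffer();
    std::printf("fixed copy moved %zu elements\n", copyWithinFixed(b, 12, 8, 4, shrinkToSix));
    return 0;
}
```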
Commit: 83d9025caca38091a9ba7f6978689d275960c5ab
https://github.com/WebKit/WebKit/commit/83d9025caca38091a9ba7f6978689d275960c5ab
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/html/CanvasBase.h
M Source/WebCore/html/HTMLCanvasElement.h
M Source/WebCore/html/OffscreenCanvas.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/rendering/style/StyleCanvasImage.cpp
Log Message:
-----------
Cherry-pick 259548.787 at safari-7615-branch (88ed3825fa4e). https://bugs.webkit.org/show_bug.cgi?id=257234
Ensure CanvasBase remains alive while in use
https://bugs.webkit.org/show_bug.cgi?id=257234
rdar://109540621
Reviewed by Chris Dumez.
An HTMLCanvasElement could be destroyed when it calls CanvasBase::setImageBuffer
because that call could trigger a GC. We've seen crashes originating from
HTMLCanvasElement::setImageBufferAndMarkDirty, but this patch adds protection
around other setImageBuffer call sites, as well.
* Source/WebCore/html/CanvasBase.h:
(WebCore::CanvasBase::ref):
(WebCore::CanvasBase::deref):
* Source/WebCore/html/HTMLCanvasElement.h:
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::create):
(WebCore::OffscreenCanvas::setPlaceholderCanvas):
(WebCore::OffscreenCanvas::pushBufferToPlaceholder):
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawImage):
* Source/WebCore/rendering/style/StyleCanvasImage.cpp:
(WebCore::StyleCanvasImage::image const):
Canonical link: https://commits.webkit.org/259548.787@safari-7615-branch
Commit: 5473f46b40d0c5f81440c2cfcf49d4a2d31c06bd
https://github.com/WebKit/WebKit/commit/5473f46b40d0c5f81440c2cfcf49d4a2d31c06bd
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebProcessPool.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Cherry-pick 259548.792 at safari-7615-branch (f52bc7e18a7c). https://bugs.webkit.org/show_bug.cgi?id=257348
Process Isolation Bypass via navigating to about:* context
https://bugs.webkit.org/show_bug.cgi?id=257348
rdar://109853048
Reviewed by Chris Dumez and J Pascoe.
This patch fixes an issue where we will never swap processes when navigating from an
about:* page. A compromised WebContent process could leverage this behavior to avoid
swapping processes when navigating to a cross-origin domain.
This is fixed by checking the following when navigating from an about:* page.
- The page has not committed a provisional load to a URL that isn't about:*.
- The source process last loaded a domain from the same origin as the domain we are navigating to.
If neither of these two conditions is met, we won’t reuse the process.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didExplicitOpenForFrame):
(WebKit::WebPageProxy::didCommitLoadForFrame):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::processForNavigationInternal):
* Source/WebKit/UIProcess/WebProcessProxy.h:
(WebKit::WebProcessProxy::didCommitMeaningfulProvisionalLoad):
(WebKit::WebProcessProxy::hasCommittedAnyMeaningfulProvisionalLoads const):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
Canonical link: https://commits.webkit.org/259548.792@safari-7615-branch
Commit: 993ed03d6b750a915d1bbca7712ce880c8605491
https://github.com/WebKit/WebKit/commit/993ed03d6b750a915d1bbca7712ce880c8605491
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebKit/UIProcess/API/C/WKPage.cpp
M Source/WebKit/UIProcess/API/C/WKPage.h
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Tools/WebKitTestRunner/TestController.cpp
Log Message:
-----------
Cherry-pick 259548.812 at safari-7615-branch (5e250c9fb3d7). https://bugs.webkit.org/show_bug.cgi?id=257833
REGRESSION(259548.792 at safari-7615-branch) http/tests/contentextensions/block-everything-unless-domain-redirect.py & http/tests/loading/preload-append-scan.py are failing
https://bugs.webkit.org/show_bug.cgi?id=257833
rdar://110350341
Reviewed by Alex Christensen.
259548.792 at safari-7615-branch made a change where we will swap processes when navigating from about:blank when
the current process has made a provisional load to a URL that was not about:*. This state was not reset between
tests, and since about:blank is loaded between each test, we would process swap in cases where we previously
hadn’t when running tests. Let’s fix this by clearing this state on `WebProcessProxy` between each test run.
* Source/WebKit/UIProcess/API/C/WKPage.cpp:
(WKPageResetProcessState):
* Source/WebKit/UIProcess/API/C/WKPage.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::resetState):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetStateToConsistentValues):
Canonical link: https://commits.webkit.org/259548.812@safari-7615-branch
Commit: dfd82a930eeb410f063928b9817357d123039d24
https://github.com/WebKit/WebKit/commit/dfd82a930eeb410f063928b9817357d123039d24
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/regress-108468977.js
M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
M Source/JavaScriptCore/runtime/JSObject.cpp
M Source/JavaScriptCore/runtime/JSObject.h
Log Message:
-----------
Cherry-pick 259548.797 at safari-7615-branch (169a4b7e3f48). https://bugs.webkit.org/show_bug.cgi?id=257271
[JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take all put() overrides into account
https://bugs.webkit.org/show_bug.cgi?id=257271
<rdar://108468977>
Reviewed by Yusuke Suzuki.
Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not taking into account
all existing put() overrides when analyzing side effects of AbsenceOfSetEffect condition, which leads
to incorrect results for e.g. StringObject's "length", which is no-op in sloppy mode yet we rely on
structure being transitioned.
This patch fixes AbsenceOfSetEffect validity check to be more pessimistic when there is overridden put(),
unless it's a common assignment target like JSArray or JSFunction to avoid performance regressions,
all while the helper that checks for special properties with JSObject::definePropertyOnReceiver().
* JSTests/stress/regress-108468977.js: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::nonStructurePropertyMayBecomeReadOnlyWithoutTransition): Deleted.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::mightBeSpecialProperty):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::canDefinePropertyOnReceiverFast): Deleted.
* Source/JavaScriptCore/runtime/JSObject.h:
Canonical link: https://commits.webkit.org/259548.797@safari-7615-branch
Commit: cb67dbb46230e8b0aecab3b6bb67caee8e7f0194
https://github.com/WebKit/WebKit/commit/cb67dbb46230e8b0aecab3b6bb67caee8e7f0194
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/stress/get-concurrently-should-take-cell-lock.js
M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/JavaScriptCore/runtime/JSArray.cpp
M Source/JavaScriptCore/runtime/JSCell.h
M Source/JavaScriptCore/runtime/JSObject.h
Log Message:
-----------
Cherry-pick 259548.798 at safari-7615-branch (b7e3ebd9c372). https://bugs.webkit.org/show_bug.cgi?id=257285
JSObject::getDirectConcurrently should take the cell lock.
https://bugs.webkit.org/show_bug.cgi?id=257285
rdar://108166258
Reviewed by Yusuke Suzuki.
`JSArray::unshiftCountWithArrayStorage` takes the cell lock and then the
structure lock to prevent the compiler thread from accessing the butterfly
before it is fully initialized.
`JSObject::getDirectConcurrently` only takes the structure lock. This means
that the compiler can take the structure lock, the cell can transition
to a new structure, then unshift can mess up the butterfly, and finally
the compiler thread proceeds to see garbage.
The attached POC only reproduces if waits are introduced to extend the race window.
It seems that the comment above cellLock is outdated, as our current concurrency
protocol to prevent deadlocks is to take the cell lock then the structure lock.
I could not find anywhere that uses the reverse, but if I missed something,
a deadlock will be pretty easy to debug.
* Source/JavaScriptCore/runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithArrayStorage):
* Source/JavaScriptCore/runtime/JSCell.h:
(JSC::JSCell::cellLock const):
(JSC::JSCell::cellLock): Deleted.
* Source/JavaScriptCore/runtime/JSObject.h:
(JSC::JSObject::getDirectConcurrently const):
Canonical link: https://commits.webkit.org/259548.798@safari-7615-branch
Commit: 36a57b922accd6bd4a15f84f89b97fc29e713d25
https://github.com/WebKit/WebKit/commit/36a57b922accd6bd4a15f84f89b97fc29e713d25
Author: Ryan Reno <rreno at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http.https-expected.txt
M LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt
M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe.html
A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe.html
M LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag-emptyString.html
M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag.html
M LayoutTests/http/tests/security/referrer-policy-header-multipart.html
M LayoutTests/http/tests/security/referrer-policy-header-test.js
M LayoutTests/http/tests/security/referrer-policy-header.html
M LayoutTests/http/tests/security/referrer-policy-https-always-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-always.html
M LayoutTests/http/tests/security/referrer-policy-https-default-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-default.html
M LayoutTests/http/tests/security/referrer-policy-https-never-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-never.html
M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade.html
M LayoutTests/http/tests/security/referrer-policy-https-no-referrer.html
M LayoutTests/http/tests/security/referrer-policy-https-origin-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-origin.html
M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url-expected.txt
M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url.html
M LayoutTests/http/tests/security/resources/postReferrer.py
M LayoutTests/http/tests/security/resources/referrer-policy-log.py
M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-getCurrentPosition.html
M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-watchPosition.html
M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-meta-tag.py
M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-test.py
R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt
R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html
M LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-https-with-embedded-http-with-embedded-https.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub-expected.txt
A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt
A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/nested-documents-expected.txt
A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/unlock-expected.txt
A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt
M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt
R LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
M Source/WebCore/Modules/websockets/WebSocket.cpp
M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
M Source/WebCore/html/HTMLFormElement.cpp
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentThreadableLoader.cpp
M Source/WebCore/loader/MixedContentChecker.cpp
M Source/WebCore/loader/MixedContentChecker.h
M Source/WebCore/loader/SubframeLoader.cpp
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
Log Message:
-----------
Cherry-pick 259548.802 at safari-7615-branch (bc09b6fca325). https://bugs.webkit.org/show_bug.cgi?id=257331
Framed pages have ability to bypass Mixed Content restrictions
https://bugs.webkit.org/show_bug.cgi?id=257331
rdar://109100886
Reviewed by Brent Fulgham.
It is possible to bypass mixed content restrictions in pages which are
framed. There are actually two issues here: secure frames embedded in
insecure frames can bypass and frames which are sandboxed can bypass.
In the former case we are only checking for mixed content in the
frame making the request as well as the top frame. So if an insecure frame
embeds a secure frame, that secure frame could then embed an insecure frame and
make mixed content requests without being blocked since the middle frame
is not checked against the URL for mixed content.
For the latter case we check whether or not the security origin
of the requestor has an "https" protocol. The problem is sandboxed iframes
are given an opaque origin which does not have the "https" protocol (or
any protocol for that matter) and so we were skipping the mixed content check.
This patch cleans up the MixedContentChecker implementation and fixes
these two methods of bypass. This is accomplished by 1) checking the entire
ancestor frame path from the requestor up to the top frame and 2) considering
what the protocol of the security origin for the frame making the
request would have been if it were not opaque. We special case a main resource
load in the DocumentLoader by checking for mixed content starting from the parent frame.
Otherwise we would block an insecure main frame from navigating a secure
iframe to an insecure URL which is allowed by other browser engines.
LayoutTests/http/tests/security:
Rewrote some tests to no longer use HTTP iframes in HTTPS frames
which is now blocked. These changes also include new console output
for mixed content blocking messages.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt: Removed.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html: Removed.
This test is no longer needed. We now block loading a HTTP iframe
in a middle HTTPS frame so the innermost frame would never have a
chance to load a worker anyway.
* LayoutTests/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt:
LayoutTests/platform:
Updated platform-specific expectations.
* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::connect):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::parseAttribute):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest):
Source/WebCore/loader/MixedContentChecker:
Refactor the MixedContentChecker to expose a more clear API.
isMixedContent was never called by client code and canDisplay and
canShow functions should be more clear that they will be checking
the entire frame ancestor hierarchy so clients don't try to do that
themselves. Move helpers to be static functions in the .cpp file.
* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::isMixedContent):
(WebCore::foundMixedContentInFrameTree):
(WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent):
(WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
(WebCore::MixedContentChecker::checkFormForMixedContent):
(WebCore::MixedContentChecker::checkForMixedContentInFrameTree): Deleted.
(WebCore::MixedContentChecker::isMixedContent): Deleted.
(WebCore::MixedContentChecker::canDisplayInsecureContent): Deleted.
(WebCore::MixedContentChecker::canRunInsecureContent): Deleted.
* Source/WebCore/loader/MixedContentChecker.h:
* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):
Canonical link: https://commits.webkit.org/259548.802@safari-7615-branch
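The two bypasses and the ancestor walk that closes them, modelled as an added example (this is not WebKit's MixedContentChecker code; Frame, blockedBeforeFix, blockedAfterFix and the scenario functions are hypothetical names, and the pre-fix behaviour is reconstructed from the commit message above):

```cpp
// Added example, not WebKit code: a model of the mixed-content ancestor walk
// described in the commit message for bug 257331. All names are hypothetical.
#include <string>
#include <utility>

struct Frame {
    std::string documentProtocol;  // scheme of the document's URL: "http" or "https"
    bool sandboxed;                // sandboxed frames get an opaque origin
    const Frame* parent;           // nullptr for the top frame
    Frame(std::string protocol, bool isSandboxed = false, const Frame* parentFrame = nullptr)
        : documentProtocol(std::move(protocol)), sandboxed(isSandboxed), parent(parentFrame) { }
};

// What the security origin reports. An opaque origin has no protocol at all,
// which is what let sandboxed frames slip past the old check.
static std::string originProtocol(const Frame& frame)
{
    return frame.sandboxed ? std::string() : frame.documentProtocol;
}

// The protocol the origin would have had if it were not opaque; the fix
// consults this instead of the opaque origin's empty protocol.
static std::string protocolIfNotOpaque(const Frame& frame)
{
    return frame.documentProtocol;
}

static bool isMixedContent(const std::string& frameProtocol, const std::string& requestProtocol)
{
    return frameProtocol == "https" && requestProtocol == "http";
}

// Pre-fix behaviour as the commit message describes it: only the requesting
// frame and the top frame are consulted, and a requestor whose origin does
// not report "https" is not checked at all.
static bool blockedBeforeFix(const Frame& requestor, const std::string& requestProtocol)
{
    if (originProtocol(requestor) != "https")
        return false;  // http requestor, or opaque (sandboxed) origin: check skipped
    const Frame* top = &requestor;
    while (top->parent)
        top = top->parent;
    return isMixedContent(originProtocol(requestor), requestProtocol)
        || isMixedContent(originProtocol(*top), requestProtocol);
}

// Post-fix behaviour: every frame from `start` up to the top frame is
// consulted, using the protocol its origin would have had if not opaque.
static bool foundMixedContentInFrameTree(const Frame* start, const std::string& requestProtocol)
{
    for (const Frame* f = start; f; f = f->parent) {
        if (isMixedContent(protocolIfNotOpaque(*f), requestProtocol))
            return true;
    }
    return false;
}

// For a main-resource load (navigating `frame` itself) the walk starts at the
// parent, so an insecure main frame may still navigate a secure iframe to an
// insecure URL; for a subresource request it starts at the requesting frame.
static bool blockedAfterFix(const Frame& frame, const std::string& requestProtocol, bool isMainResourceLoad)
{
    const Frame* start = isMainResourceLoad ? frame.parent : &frame;
    return foundMixedContentInFrameTree(start, requestProtocol);
}

// Scenario 1 (first bypass): http top -> https middle -> http inner frame;
// the inner frame requests a subresource over http.
bool secureMiddleFrameScenarioBlocked(bool afterFix)
{
    Frame top("http");
    Frame middle("https", false, &top);
    Frame inner("http", false, &middle);
    return afterFix ? blockedAfterFix(inner, "http", false) : blockedBeforeFix(inner, "http");
}

// Scenario 2 (second bypass): https top -> sandboxed https iframe with an
// opaque origin; the iframe requests a subresource over http.
bool sandboxedFrameScenarioBlocked(bool afterFix)
{
    Frame top("https");
    Frame sandboxedFrame("https", true, &top);
    return afterFix ? blockedAfterFix(sandboxedFrame, "http", false) : blockedBeforeFix(sandboxedFrame, "http");
}

// Scenario 3 (must stay allowed): an http main frame navigates its https
// iframe to an http URL; the main-resource check starts at the parent.
bool insecureTopNavigatesSecureIframeBlocked()
{
    Frame top("http");
    Frame iframe("https", false, &top);
    return blockedAfterFix(iframe, "http", true);
}
```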
Commit: 8536c77b03e96a3aa6da0d979999796adeb153a5
https://github.com/WebKit/WebKit/commit/8536c77b03e96a3aa6da0d979999796adeb153a5
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/media/print-video-crash-expected.txt
A LayoutTests/fast/media/print-video-crash.html
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
M Tools/WebKitTestRunner/TestController.cpp
Log Message:
-----------
Cherry-pick 263022.8 at webkit-2023.4-embargoed (221c50b850f8). https://bugs.webkit.org/show_bug.cgi?id=237291
Make sure end printing is handled before PrintFrame
https://bugs.webkit.org/show_bug.cgi?id=237291
Reviewed by Chris Dumez.
To ensure end printing is handled (and layer tree is unfrozen)
introduce a completion handler on EndPrinting and tie its completion
to the completion handler in WebPageProxy::printFrame.
Also do not call endPrinting from TestController.cpp since
WebPageProxy::printFrame takes care of that.
* LayoutTests/fast/media/print-video-crash-expected.txt: Added.
* LayoutTests/fast/media/print-video-crash.html: Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::printFrame):
(WebKit::WebPageProxy::endPrinting):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::endPrinting):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
(WebKit::WebPage::endPrinting):
(WebKit::WebPage::endPrintingDuringDOMPrintOperation):
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::printFrame):
Canonical link: https://commits.webkit.org/263022.8@webkit-2023.4-embargoed
Commit: 6217482b85fa8cc40ece4119a0799ddf55683826
https://github.com/WebKit/WebKit/commit/6217482b85fa8cc40ece4119a0799ddf55683826
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/canvas/canvas-print-crash-expected.txt
A LayoutTests/fast/canvas/canvas-print-crash.html
Log Message:
-----------
Cherry-pick 263022.9 at webkit-2023.4-embargoed (a0645306d06d). https://bugs.webkit.org/show_bug.cgi?id=251370
Add test case for bug 251370
https://bugs.webkit.org/show_bug.cgi?id=251370
Reviewed by Chris Dumez.
Already fixed by https://commits.webkit.org/263022.8@webkit-2023.4-embargoed, but
add this test for completeness.
* LayoutTests/fast/canvas/canvas-print-crash-expected.txt: Added.
* LayoutTests/fast/canvas/canvas-print-crash.html: Added.
Canonical link: https://commits.webkit.org/263022.9@webkit-2023.4-embargoed
Commit: 3a117ed1a61280d2f945414d776f8cdf297d59c8
https://github.com/WebKit/WebKit/commit/3a117ed1a61280d2f945414d776f8cdf297d59c8
Author: Ryan Reno <rreno at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/NavigationRequester.cpp
M Source/WebCore/loader/NavigationRequester.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 259548.813 at safari-7615-branch (47ed6aa2ea88). https://bugs.webkit.org/show_bug.cgi?id=257824
Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag.
https://bugs.webkit.org/show_bug.cgi?id=257824
rdar://108462161
Reviewed by Alex Christensen.
Sandboxed iframes could execute script in a target frame by navigating
the frame to a javascript: URL. For example, the top frame when the
iframe has the sandbox flag "allow-top-navigation". This change checks to see if
the "allow-scripts" flag is set before executing the URL in the target frame.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::executeJavaScriptURL):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):
Canonical link: https://commits.webkit.org/259548.813@safari-7615-branch
Commit: b140015f7c677a9ad75b8921f15206eefa6d2847
https://github.com/WebKit/WebKit/commit/b140015f7c677a9ad75b8921f15206eefa6d2847
Author: Marcos Caceres <marcosc at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/http/wpt/content-security-policy/manifest.json
A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub-expected.txt
A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html
A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html.headers
A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-expected.txt
A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html
A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html.headers
M LayoutTests/platform/ios-wk2/TestExpectations
M LayoutTests/platform/mac-wk2/TestExpectations
M Source/WebCore/loader/ApplicationManifestLoader.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ApplicationManifest.mm
Log Message:
-----------
Cherry-pick 259548.816 at safari-7615-branch (8437c2302b67). https://bugs.webkit.org/show_bug.cgi?id=256686
Incorrect CORS mode for ApplicationManifest
https://bugs.webkit.org/show_bug.cgi?id=256686
rdar://109154572
Reviewed by Brent Fulgham.
* LayoutTests/TestExpectations:
* LayoutTests/http/wpt/content-security-policy/manifest.json: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub-expected.txt: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-expected.txt: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html.headers: Added.
* LayoutTests/platform/ios-wk2/TestExpectations:
* LayoutTests/platform/mac-wk2/TestExpectations:
* Source/WebCore/loader/ApplicationManifestLoader.cpp:
(WebCore::ApplicationManifestLoader::startLoading):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ApplicationManifest.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/259548.816@safari-7615-branch
Commit: 4b892d294751e3e37d7e31b4c89f0f15775c9797
https://github.com/WebKit/WebKit/commit/4b892d294751e3e37d7e31b4c89f0f15775c9797
Author: Said Abou-Hallawa <said at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/css3/filters/filter-visited-links-expected.html
A LayoutTests/css3/filters/filter-visited-links.html
M Source/WebCore/rendering/PaintPhase.h
M Source/WebCore/rendering/RenderLayer.cpp
M Source/WebCore/rendering/StyledMarkedText.cpp
M Source/WebCore/rendering/TextDecorationPainter.cpp
M Source/WebCore/rendering/TextDecorationPainter.h
M Source/WebCore/rendering/TextPaintStyle.cpp
M Source/WebCore/rendering/style/RenderStyle.cpp
M Source/WebCore/rendering/style/RenderStyle.h
Log Message:
-----------
Cherry-pick 259548.820 at safari-7615-branch (89399f0f4614). https://bugs.webkit.org/show_bug.cgi?id=257822
Prevent SVG filters from leaking visited hyperlinks
https://bugs.webkit.org/show_bug.cgi?id=257822
rdar://109749006
Reviewed by Simon Fraser.
We should prevent websites from learning which sites have been visited via SVG
filters on hyperlinks, per the attack described in https://arxiv.org/abs/2305.12784.
This can be achieved by ignoring the visited links color when a filter is applied
to the anchor element.
* LayoutTests/css3/filters/filter-visited-links-expected.html: Added.
* LayoutTests/css3/filters/filter-visited-links.html: Added.
* Source/WebCore/rendering/PaintPhase.h:
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::paintLayerContents):
(WebCore::RenderLayer::paintForegroundForFragments):
(WebCore::RenderLayer::calculateClipRects const):
* Source/WebCore/rendering/StyledMarkedText.cpp:
(WebCore::resolveStyleForMarkedText):
(WebCore::StyledMarkedText::computeStyleForUnmarkedMarkedText):
* Source/WebCore/rendering/TextDecorationPainter.cpp:
(WebCore::collectStylesForRenderer):
(WebCore::TextDecorationPainter::decorationColor):
(WebCore::TextDecorationPainter::stylesForRenderer):
* Source/WebCore/rendering/TextDecorationPainter.h:
(WebCore::TextDecorationPainter::decorationColor):
(WebCore::TextDecorationPainter::stylesForRenderer):
* Source/WebCore/rendering/TextPaintStyle.cpp:
(WebCore::computeTextPaintStyle):
* Source/WebCore/rendering/style/RenderStyle.cpp:
(WebCore::RenderStyle::visitedDependentColor const):
(WebCore::RenderStyle::visitedDependentColorWithColorFilter const):
* Source/WebCore/rendering/style/RenderStyle.h:
(WebCore::RenderStyle::visitedDependentColor):
(WebCore::RenderStyle::visitedDependentColorWithColorFilter):
Canonical link: https://commits.webkit.org/259548.820@safari-7615-branch
Commit: 686e5d97f21aae290daff443dd623107d0ac5372
https://github.com/WebKit/WebKit/commit/686e5d97f21aae290daff443dd623107d0ac5372
Author: Ryan Reno <rreno at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt
A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html
A LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick 259548.823 at safari-7615-branch (18a05c43972c). https://bugs.webkit.org/show_bug.cgi?id=257903
Third Party IFrame Navigation Block Bypass via Content Security Policy Sandbox
https://bugs.webkit.org/show_bug.cgi?id=257903
rdar://109059471
Reviewed by Brent Fulgham.
If a third-party iframe is unsandboxed we will prevent top navigation
without user interaction with the frame. However, this is bypassable if
the iframe gives itself a sandbox which allows top navigation via CSP.
This change checks to see if the iframe element was unsandboxed and
proceeds with the more strict third-party checks if so.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt: Added.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html: Added.
* LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
Canonical link: https://commits.webkit.org/259548.823@safari-7615-branch
Commit: 77073e695d06411a1c311163812ec64c5160b1df
https://github.com/WebKit/WebKit/commit/77073e695d06411a1c311163812ec64c5160b1df
Author: J Pascoe <j_pascoe at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/page/DOMWindow.cpp
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 259548.824 at safari-7615-branch (cff01e3a9ba5). https://bugs.webkit.org/show_bug.cgi?id=257352
https://bugs.webkit.org/show_bug.cgi?id=257352
rdar://106974958
Reviewed by John Wilander and Brent Fulgham.
This quirk is no longer necessary to get favorites and recents to show up
in the radio player, which is why it was added in the first place. Therefore
it can be removed.
* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::open):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
(WebCore::Quirks::BBCRadioPlayerURLString): Deleted.
(WebCore::Quirks::staticRadioPlayerURLString): Deleted.
(WebCore::isBBCDomain): Deleted.
(WebCore::isBBCPopUpPlayerElement): Deleted.
* Source/WebCore/page/Quirks.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::createNewPage):
Canonical link: https://commits.webkit.org/259548.824@safari-7615-branch
Commit: bf79ad432fb005b24f5c317014e79911de3bb993
https://github.com/WebKit/WebKit/commit/bf79ad432fb005b24f5c317014e79911de3bb993
Author: Sihui Liu <sihui_liu at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-expected.txt
A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private-expected.txt
A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private.html
A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event.html
A LayoutTests/storage/indexeddb/modern/resources/request-dispatch-untrusted-event.js
M Source/WebCore/Modules/indexeddb/IDBRequest.cpp
Log Message:
-----------
Cherry-pick 259548.825 at safari-7615-branch (9b3d228ec2cb). rdar://110459666
jsc_fuz/wktr: null ptr deref in WebCore::IDBRequest::dispatchEvent(WebCore::Event&)
rdar://110459666
Reviewed by Brady Eidson.
Make sure untrusted event does not change the internal state of IDBRequest. Also, move the assert that request must have
pending activity when event is being dispatched to a later point, because IDBRequest::dispatchEvent might be invoked
from JavaScript code (i.e. request does not actually have pending activity).
Test: storage/indexeddb/modern/request-dispatch-untrusted-event.html
storage/indexeddb/modern/request-dispatch-untrusted-event-private.html
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-expected.txt: Added.
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private-expected.txt: Added.
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private.html: Added.
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event.html: Added.
* LayoutTests/storage/indexeddb/modern/resources/request-dispatch-untrusted-event.js: Added.
(loadImage):
(openDatabase):
* Source/WebCore/Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::dispatchEvent):
Canonical link: https://commits.webkit.org/259548.825@safari-7615-branch
Commit: a6294d763dca254a658172d5bc58b80994f5bbe8
https://github.com/WebKit/WebKit/commit/a6294d763dca254a658172d5bc58b80994f5bbe8
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/editing/markup.cpp
Log Message:
-----------
Cherry-pick 259548.830 at safari-7615-branch (9cd44913c84e). https://bugs.webkit.org/show_bug.cgi?id=258100
Disable link preload when sanitizing web content
https://bugs.webkit.org/show_bug.cgi?id=258100
rdar://109675198
Reviewed by Chris Dumez.
Otherwise we get a request in the network process with an invalid pageID,
and it MESSAGE_CHECKs and terminates the process.
* Source/WebCore/editing/markup.cpp:
(WebCore::createPageForSanitizingWebContent):
Canonical link: https://commits.webkit.org/259548.830@safari-7615-branch
Commit: b384b6ffd356f2f4354d6c8696ea447a36c5a083
https://github.com/WebKit/WebKit/commit/b384b6ffd356f2f4354d6c8696ea447a36c5a083
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WTF/wtf/URLHelpers.cpp
M Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm
Log Message:
-----------
Cherry-pick 259548.832 at safari-7615-branch (aecf4d579f39). https://bugs.webkit.org/show_bug.cgi?id=256813
Expand list of URL spoofing characters
https://bugs.webkit.org/show_bug.cgi?id=256813
rdar://109105078, rdar://109056841, and rdar://109056217
Reviewed by Tim Horton.
U+1E9C and U+1E9D are Medievalist characters, which means they haven't been used much
in the last several centuries. They look kind of like 'f' and other browsers punycode
encode them when seen in URL hosts, so let's do the same. Same with U+1EFE and U+1EFF.
Deseret has been used much more recently, but still not much since the late 1800s.
There is a sign in a restaurant in the Salt Lake City airport that uses it, but it
seems to be a historical reference. Classify Deseret like we do the International
Phonetic Alphabet and punycode encode it if seen in URL hosts.
* Source/WTF/wtf/URLHelpers.cpp:
(WTF::URLHelpers::isLookalikeCharacter):
* Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/259548.832@safari-7615-branch
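The display rule the commit message describes, as an added example that is not WTF::URLHelpers::isLookalikeCharacter: a host is shown in Unicode only when none of its code points is classified as a lookalike; otherwise the user sees the ASCII (punycode) form so the spoof is visible. The four code points are the ones named in the message; the Deseret block (U+10400 to U+1044F) is taken from the Unicode chart and is an assumption about what "Deseret" covers here. The IPA range WebKit also treats this way is not listed on the page and is left out. The function names and the use of the WHATWG URL parser (Node's global URL) for the ASCII form are choices made for this illustration.

```javascript
// Added example, not WebKit's code: a display-side lookalike check that
// mirrors the rule in the commit message. Code points 0x1E9C, 0x1E9D,
// 0x1EFE, 0x1EFF come from the message; the Deseret block is assumed to be
// U+10400..U+1044F (Unicode chart). The IPA range is not on the page and is
// omitted. Requires a global URL (Node 10+ or any browser).

const LOOKALIKE_CODE_POINTS = new Set([0x1E9C, 0x1E9D, 0x1EFE, 0x1EFF]);
const LOOKALIKE_RANGES = [[0x10400, 0x1044F]]; // Deseret

function isLookalikeCharacter(codePoint) {
  if (LOOKALIKE_CODE_POINTS.has(codePoint)) return true;
  return LOOKALIKE_RANGES.some(([lo, hi]) => codePoint >= lo && codePoint <= hi);
}

// True when any code point of the host is in the lookalike set. Iterating
// with for...of walks code points, so supplementary-plane characters such
// as Deseret are seen whole rather than as two UTF-16 units.
function hostContainsLookalike(host) {
  for (const ch of host) {
    if (isLookalikeCharacter(ch.codePointAt(0))) return true;
  }
  return false;
}

// How the host should be presented to the user: the Unicode form when it is
// safe, otherwise the ASCII serialization the URL parser produces (labels
// with non-ASCII become xn-- punycode). This is a display decision only;
// the navigation itself is not blocked.
function hostForDisplay(host) {
  if (!hostContainsLookalike(host)) return host;
  return new URL(`https://${host}/`).hostname;
}

module.exports = { isLookalikeCharacter, hostContainsLookalike, hostForDisplay };
```

Plain ASCII and ordinary accented hosts such as café.example pass through unchanged, while a host containing U+1E9C or a Deseret letter is returned as its xn-- form; a real implementation would also carry the engine's other lookalike classes (such as the IPA block the message mentions) and would normally evaluate the rule per label rather than for the whole host.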
Commit: a4748238ffbd3e9629be45b1e2d07d136da17e66
https://github.com/WebKit/WebKit/commit/a4748238ffbd3e9629be45b1e2d07d136da17e66
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt
A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html
A LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html
M Source/WebCore/workers/WorkerAnimationController.cpp
Log Message:
-----------
Cherry-pick 259548.833 at safari-7615-branch (c60c40574fc5). https://bugs.webkit.org/show_bug.cgi?id=258058
Crash under WebCore::JSRequestAnimationFrameCallback::~JSRequestAnimationFrameCallback()
https://bugs.webkit.org/show_bug.cgi?id=258058
rdar://110530772
Reviewed by Ryosuke Niwa.
JSRequestAnimationFrameCallback objects were outliving the VM and thus using the VM
after free in their destructors. A JS wrapper should never outlive the VM.
JSRequestAnimationFrameCallback is a subclass of RequestAnimationFrameCallback,
instances of which were being kept alive by the WorkerAnimationController via its
m_animationCallbacks vector.
To address the issue, WorkerAnimationController now clears m_animationCallbacks
in stop(), which gets called when the global scope (and thus the VM) are about
to go away.
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt: Added.
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html: Added.
* LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html: Added.
* Source/WebCore/workers/WorkerAnimationController.cpp:
(WebCore::WorkerAnimationController::stop):
Canonical link: https://commits.webkit.org/259548.833@safari-7615-branch
Commit: 21a661fd0240f047fc943f12fb94380709aca2ca
https://github.com/WebKit/WebKit/commit/21a661fd0240f047fc943f12fb94380709aca2ca
Author: Brandon Stewart <brandonstewart at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/baseline-masonry-crash-expected.html
A LayoutTests/fast/css-grid-layout/baseline-masonry-crash.html
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
Cherry-pick 259548.835 at safari-7615-branch (b63d45649891). https://bugs.webkit.org/show_bug.cgi?id=257509
Crash in GridBaselineAlignment::baselineGroupForChild
https://bugs.webkit.org/show_bug.cgi?id=257509
rdar://110027455
Reviewed by Alan Baradlay.
Certain baseline properties are not properly handled in CSS Masonry.
We will just disable these calculations for now and then remove this in the future.
* LayoutTests/fast/css-grid-layout/baseline-masonry-crash-expected.html: Added.
* LayoutTests/fast/css-grid-layout/baseline-masonry-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::columnAxisBaselineOffsetForChild const):
(WebCore::RenderGrid::rowAxisBaselineOffsetForChild const):
Canonical link: https://commits.webkit.org/259548.835@safari-7615-branch
Commit: 169f297fcb3cb4c1f26c0c22b759044e3a448d48
https://github.com/WebKit/WebKit/commit/169f297fcb3cb4c1f26c0c22b759044e3a448d48
Author: Ryan Reno <rreno at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/loader/MixedContentChecker.cpp
Log Message:
-----------
Cherry-pick 259548.841 at safari-7615-branch (74f32c21189a). https://bugs.webkit.org/show_bug.cgi?id=258303
Remove unnecessary release assertion from mixed content checker.
https://bugs.webkit.org/show_bug.cgi?id=258303
<rdar://110766912>
Reviewed by Brent Fulgham.
We now check the entire frame tree for mixed content checks for all
resource loads. An assertion that a document has a frame is no
longer valid in general. This assertion was originally added in
215749 at main in an attempt to cover an untestable case. This replaces
the assert with a null check.
* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::foundMixedContentInFrameTree):
Canonical link: https://commits.webkit.org/259548.841@safari-7615-branch
Commit: 950982a90668214d1fd91e180fc5db2c6d16391f
https://github.com/WebKit/WebKit/commit/950982a90668214d1fd91e180fc5db2c6d16391f
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 259548.842 at safari-7615-branch (e6347f30ecf1). https://bugs.webkit.org/show_bug.cgi?id=258322
[IPC][Hardening] Validate URLs sent by the WebProcess via the WebPageProxy::DidFailProvisionalLoad IPC
https://bugs.webkit.org/show_bug.cgi?id=258322
rdar://111059792
Reviewed by Brent Fulgham.
Validate URLs sent by the WebProcess via the WebPageProxy::DidFailProvisionalLoad IPC.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didFailProvisionalLoadForFrameShared):
Canonical link: https://commits.webkit.org/259548.842@safari-7615-branch
Commit: 20aeaf0e736a315ff857d13ce7626f061bc7254c
https://github.com/WebKit/WebKit/commit/20aeaf0e736a315ff857d13ce7626f061bc7254c
Author: David Degazio <d_degazio at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
A JSTests/wasm/stress/phi-live-across-rethrow.js
A JSTests/wasm/stress/phi-live-across-throw.js
M Source/JavaScriptCore/b3/B3DuplicateTails.cpp
M Source/JavaScriptCore/b3/B3Kind.cpp
M Source/JavaScriptCore/b3/B3Kind.h
M Source/JavaScriptCore/b3/B3PatchpointValue.cpp
M Source/JavaScriptCore/b3/B3PatchpointValue.h
M Source/JavaScriptCore/b3/B3ValueInlines.h
M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
Log Message:
-----------
Cherry-pick 259548.844 at safari-7615-branch (2e29306082ae). https://bugs.webkit.org/show_bug.cgi?id=258408
Prevent duplication of WASM throw and rethrow patchpoints in B3
https://bugs.webkit.org/show_bug.cgi?id=258408
rdar://110634913
Reviewed by Yusuke Suzuki.
Adds a cloningForbidden property to B3Kind, used to prevent a B3 value
from being cloned during optimizations, and applies it to the patchpoints
generated for the WASM throw and rethrow opcodes in WasmB3IRGenerator.
This prevents a problem where these patchpoints could be duplicated, still
share a stackmap/callsite index, but have conflicting live value
locations.
* JSTests/wasm/stress/phi-live-across-rethrow.js: Added.
(async test):
* JSTests/wasm/stress/phi-live-across-throw.js: Added.
(async test):
* Source/JavaScriptCore/b3/B3DuplicateTails.cpp:
* Source/JavaScriptCore/b3/B3Kind.cpp:
(JSC::B3::Kind::dump const):
* Source/JavaScriptCore/b3/B3Kind.h:
(JSC::B3::Kind::hasCloningForbidden):
(JSC::B3::Kind::hasCloningForbidden const):
(JSC::B3::Kind::isCloningForbidden const):
(JSC::B3::Kind::setIsCloningForbidden):
(JSC::B3::Kind::operator== const):
(JSC::B3::Kind::hash const):
(JSC::B3::cloningForbidden):
* Source/JavaScriptCore/b3/B3PatchpointValue.cpp:
(JSC::B3::PatchpointValue::PatchpointValue):
* Source/JavaScriptCore/b3/B3PatchpointValue.h:
* Source/JavaScriptCore/b3/B3ValueInlines.h:
(JSC::B3::Value::cloneImpl const):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addThrow):
(JSC::Wasm::B3IRGenerator::addRethrow):
Canonical link: https://commits.webkit.org/259548.844@safari-7615-branch
Commit: 4876897fd30ae1f4831a518a21ba13b66f99a179
https://github.com/WebKit/WebKit/commit/4876897fd30ae1f4831a518a21ba13b66f99a179
Author: Brady Eidson <beidson at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h
M Source/WebCore/bindings/js/ScriptController.cpp
M Source/WebCore/dom/UserGestureIndicator.cpp
M Source/WebCore/dom/UserGestureIndicator.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/AsyncFunction.mm
Log Message:
-----------
Cherry-pick 259548.840 at safari-7615-branch (259842c7afc2). <bug>
Cherry-pick 265168 at main (8e5ddea16577). rdar://110919134
evaluateJavaScript: and callAsyncJavaScript: should not leave behind transient activation
https://bugs.webkit.org/show_bug.cgi?id=258037
rdar://107102031
Reviewed by Ben Nham.
JavaScript evaluated by the client app is executed as if from a user gesture, which is fine for now.
But before this change, such JS left behind transient user activation for (currently) 5 seconds, which is not fine.
Let's remove that sticky side effect.
* Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.cpp:
(WTF::computeSDKAlignedBehaviors):
* Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h:
* Source/WebCore/bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeScriptInWorld):
(WebCore::ScriptController::executeAsynchronousUserAgentScriptInWorld):
* Source/WebCore/dom/UserGestureIndicator.cpp:
(WebCore::UserGestureToken::forEachImpactedDocument):
* Source/WebCore/dom/UserGestureIndicator.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/AsyncFunction.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/265168@main
Canonical link: https://commits.webkit.org/259548.840@safari-7615-branch
Commit: 988aef019b272b6120c8658e88b273322a08a154
https://github.com/WebKit/WebKit/commit/988aef019b272b6120c8658e88b273322a08a154
Author: Brady Eidson <beidson at apple.com>
Date: 2023-07-28 (Fri, 28 Jul 2023)
Changed paths:
M Source/WebCore/bindings/js/RunJavaScriptParameters.h
M Source/WebCore/bindings/js/ScriptController.cpp
M Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.h
M Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.mm
M Source/WebKit/UIProcess/API/C/WKPage.cpp
M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
M Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp
M Source/WebKit/UIProcess/Inspector/socket/RemoteInspectorProtocolHandler.cpp
Log Message:
-----------
Cherry-pick 259548.854 at safari-7615-branch (465b681115e6). rdar://104748908
User agent JavaScript from full web browsers should clear transient activation.
rdar://104748908
https://bugs.webkit.org/show_bug.cgi?id=251276
Reviewed by Brent Fulgham.
Take the solution from https://commits.webkit.org/265168@main and extend it to full web browsers now.
* Source/WebCore/bindings/js/RunJavaScriptParameters.h:
(WebCore::RunJavaScriptParameters::RunJavaScriptParameters):
(WebCore::RunJavaScriptParameters::encode const):
(WebCore::RunJavaScriptParameters::decode):
* Source/WebCore/bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeScriptInWorldIgnoringException):
(WebCore::ScriptController::executeScriptInWorld):
(WebCore::ScriptController::executeUserAgentScriptInWorld):
* Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.h:
* Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.mm:
(WebKit::shouldEvaluateJavaScriptWithoutTransientActivation):
* Source/WebKit/UIProcess/API/C/WKPage.cpp:
(WKPageRunJavaScriptInMainFrame):
* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _evaluateJavaScript:asAsyncFunction:withSourceURL:withArguments:forceUserGesture:inFrame:inWorld:completionHandler:]):
Canonical link: https://commits.webkit.org/259548.854@safari-7615-branch
Compare: https://github.com/WebKit/WebKit/compare/e5070753347b...988aef019b27