[webkit-changes] [WebKit/WebKit] a5f812: Versioning.
Jonathan Bedard
noreply at github.com
Mon Mar 27 14:46:01 PDT 2023
Branch: refs/heads/safari-7614-branch
Home: https://github.com/WebKit/WebKit
Commit: a5f81296a5858fb2933266a8b4b5ea31c0627053
https://github.com/WebKit/WebKit/commit/a5f81296a5858fb2933266a8b4b5ea31c0627053
Author: Alan Coon <alancoon at apple.com>
Date: 2022-12-20 (Tue, 20 Dec 2022)
Changed paths:
M Source/JavaScriptCore/Configurations/Version.xcconfig
M Source/ThirdParty/ANGLE/Configurations/Version.xcconfig
M Source/ThirdParty/libwebrtc/Configurations/Version.xcconfig
M Source/WebCore/Configurations/Version.xcconfig
M Source/WebCore/PAL/Configurations/Version.xcconfig
M Source/WebGPU/Configurations/Version.xcconfig
M Source/WebInspectorUI/Configurations/Version.xcconfig
M Source/WebKit/Configurations/Version.xcconfig
M Source/WebKitLegacy/mac/Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7614.4.7
Canonical link: https://commits.webkit.org/252432.1008@safari-7614-branch
Commit: cdaf863de01a3bf508b4f32ae26bb4c71581a9c1
https://github.com/WebKit/WebKit/commit/cdaf863de01a3bf508b4f32ae26bb4c71581a9c1
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2022-12-20 (Tue, 20 Dec 2022)
Changed paths:
M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.cpp
M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.h
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.cpp
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.h
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.messages.in
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGLCocoa.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.h
M Tools/Scripts/generate-gpup-webgl
Log Message:
-----------
Cherry-pick 5192197861cf. rdar://problem/103569153
REGRESSION (iOS 16): WebGL 2 crashing on glReadPixels
https://bugs.webkit.org/show_bug.cgi?id=245476
rdar://problem/100252324
Reviewed by Alex Christensen.
ReadPixels is currently a method that sends the client-passed
data buffer to GPUP, reads the pixels into that
and passes the data back to WP.
Conceptually, the message has the form ReadPixels(uint8_t* data) -> (uint8_t* data)
Before:
IPC encoding of memory arrays for calls like ReadPixels
would work as follows:
- If the array fits in the stream connection command buffer,
copy the array there
- Alternatively downgrade the message to out-of-stream message.
- Copy the array to the IPC::Encoder message body buffer.
- Pass the message body as Mach message memory mapping.
IPC decoding of memory arrays for calls like ReadPixels
would work as follows:
- Allocate temp Vector for the data
- Copy the data from stream command buffer / Mach message memory
mapping into the temp buffer
- Call ReadPixels
- Copy the temp Vector to IPC::Encoder message body buffer
similar to the encoding phase, and send it back to WP.
This would have two problems:
- Extensive copying is slow for very big buffers
- The temp Vector and Mach message buffers via IPC encoding
contribute to GPUP footprint.
- The call IPC encoding buffer is not explicitly attributed to
the caller. It's unclear to which process this belongs, likely
this contributes to GPUP footprint.
- The temp Vector is not attributed to the caller, contributing
to GPUP footprint.
- The reply IPC encoding buffer is not attributed to the caller,
contributing to the GPUP footprint.
- The ownership of the reply IPC encoding buffer, when passed as
Mach message memory, is unclear. Likely this contributes to
GPUP footprint. (Same as the encoding part).
After:
If the read pixels buffer is large, copy it to a newly allocated
shared memory buffer and use that to read the pixels.
Add a new IPC message variant for passing the shared memory area.
* Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.cpp:
(WebKit::RemoteGraphicsContextGL::readnPixels2):
* Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.h:
* Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.messages.in:
* Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.cpp:
(WebKit::RemoteGraphicsContextGLProxy::readnPixels):
(WebKit::RemoteGraphicsContextGLProxy::readnPixelsSharedMemory):
* Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.h:
* Tools/Scripts/generate-gpup-webgl:
Canonical link: https://commits.webkit.org/258127@main
Canonical link: https://commits.webkit.org/252432.1009@safari-7614-branch
Commit: 9a7b3938f3945b3090ac1ab24778b760247b5064
https://github.com/WebKit/WebKit/commit/9a7b3938f3945b3090ac1ab24778b760247b5064
Author: Alan Coon <alancoon at apple.com>
Date: 2022-12-20 (Tue, 20 Dec 2022)
Changed paths:
M Source/JavaScriptCore/API/JSCallbackConstructor.h
M Source/JavaScriptCore/API/JSCallbackFunction.h
M Source/JavaScriptCore/API/JSClassRef.h
M Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h
M Source/JavaScriptCore/API/ObjCCallbackFunction.h
M Source/JavaScriptCore/runtime/ClassInfo.h
M Source/JavaScriptCore/runtime/Lookup.h
Log Message:
-----------
Revert 8350477648f. rdar://103432055
Revert "Add additional PAC diversity for function pointers in JSC API data structures as we do for vtbls."
This reverts commit 8350477648f428584eeb8eadadf616e38b5dce75.
Canonical link: https://commits.webkit.org/252432.1010@safari-7614-branch
Commit: 8f48ccb49bfd4bf8274080a59e032fe13ce7e340
https://github.com/WebKit/WebKit/commit/8f48ccb49bfd4bf8274080a59e032fe13ce7e340
Author: Alan Coon <alancoon at apple.com>
Date: 2022-12-20 (Tue, 20 Dec 2022)
Changed paths:
M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.cpp
M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.h
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.cpp
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.h
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGL.messages.in
M Source/WebKit/GPUProcess/graphics/RemoteGraphicsContextGLCocoa.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextGLProxy.h
M Tools/Scripts/generate-gpup-webgl
Log Message:
-----------
Revert 5192197861cf. rdar://problem/103569153
This reverts commit cdaf863de01a3bf508b4f32ae26bb4c71581a9c1.
Canonical link: https://commits.webkit.org/252432.1011@safari-7614-branch
Commit: 9169d9ad76046114d6d30f6f947e10b43cc94e51
https://github.com/WebKit/WebKit/commit/9169d9ad76046114d6d30f6f947e10b43cc94e51
Author: Ryan Haddad <ryanhaddad at apple.com>
Date: 2022-12-21 (Wed, 21 Dec 2022)
Changed paths:
M Tools/MobileMiniBrowser/MobileMiniBrowserFramework/WebViewController.m
Log Message:
-----------
Revert parts of 256016@main and 256252@main that were cherry-picked with 252432.923@safari-7614-branch
rdar://103600892
Reviewed by Chris Dumez and Jonathan Bedard.
252432.923@safari-7614-branch included code that depended upon 256016@main and 256252@main,
which broke the build since these changes were not on the branch. Revert the part that
appears to be causing the build failure.
* Tools/MobileMiniBrowser/MobileMiniBrowserFramework/WebViewController.m:
(-[WebViewController addProtocolIfNecessary:]): Deleted.
(-[WebViewController targetURLorDefaultURL]): Deleted.
Canonical link: https://commits.webkit.org/252432.1012@safari-7614-branch
Commit: 1d545c7ebfefe8b2f1d3ee9b545e493ebf4abc03
https://github.com/WebKit/WebKit/commit/1d545c7ebfefe8b2f1d3ee9b545e493ebf4abc03
Author: David Li <jingye_li at apple.com>
Date: 2022-12-21 (Wed, 21 Dec 2022)
Changed paths:
A LayoutTests/animations/animation-set-effect-expected.txt
A LayoutTests/animations/animation-set-effect.html
M Source/WebCore/animation/CSSAnimation.cpp
Log Message:
-----------
[Web Animations] CSSAnimation::setBindingsEffect should also add KeyFrames to overriddenProperties
rdar://102137788
Reviewed by Jonathan Bedard and Antoine Quint.
* LayoutTests/animations/animation-set-effect-expected.txt: Added.
* LayoutTests/animations/animation-set-effect.html: Added.
* Source/WebCore/animation/CSSAnimation.cpp:
(WebCore::CSSAnimation::setBindingsEffect):
Canonical link: https://commits.webkit.org/252432.1013@safari-7614-branch
Commit: 3a91fd09a0767f76eae1561ce0dcfc2df311b608
https://github.com/WebKit/WebKit/commit/3a91fd09a0767f76eae1561ce0dcfc2df311b608
Author: Chris Dumez <cdumez at apple.com>
Date: 2022-12-22 (Thu, 22 Dec 2022)
Changed paths:
R LayoutTests/fast/workers/terminate-worker-with-event-listener-crash-expected.txt
R LayoutTests/fast/workers/terminate-worker-with-event-listener-crash.html
M LayoutTests/imported/w3c/web-platform-tests/workers/WorkerGlobalScope_ErrorEvent_colno-expected.txt
M Source/WebCore/Modules/indexeddb/IDBDatabase.cpp
M Source/WebCore/Modules/indexeddb/IDBRequest.cpp
M Source/WebCore/Modules/indexeddb/IDBTransaction.cpp
M Source/WebCore/animation/WebAnimation.cpp
M Source/WebCore/animation/WebAnimation.h
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/dom/EventTarget.cpp
M Source/WebCore/dom/ScriptExecutionContext.cpp
M Source/WebCore/dom/ScriptExecutionContext.h
M Source/WebCore/history/CachedFrame.cpp
M Source/WebCore/workers/WorkerGlobalScope.cpp
M Source/WebCore/workers/WorkerGlobalScope.h
M Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp
M Source/WebCore/workers/service/ServiceWorker.cpp
M Source/WebCore/workers/service/ServiceWorkerContainer.cpp
M Source/WebCore/workers/service/ServiceWorkerRegistration.cpp
M Source/WebCore/workers/service/ServiceWorkerRegistration.h
Log Message:
-----------
Unreviewed, revert 252432.807@safari-7614-branch as it introduced new crashes
https://bugs.webkit.org/show_bug.cgi?id=249610
rdar://103439022
* LayoutTests/fast/workers/terminate-worker-with-event-listener-crash-expected.txt: Removed.
* LayoutTests/fast/workers/terminate-worker-with-event-listener-crash.html: Removed.
* LayoutTests/imported/w3c/web-platform-tests/workers/WorkerGlobalScope_ErrorEvent_colno-expected.txt:
* Source/WebCore/Modules/indexeddb/IDBDatabase.cpp:
(WebCore::IDBDatabase::stop):
* Source/WebCore/Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::stop):
* Source/WebCore/Modules/indexeddb/IDBTransaction.cpp:
(WebCore::IDBTransaction::stop):
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::stop):
* Source/WebCore/animation/WebAnimation.h:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::~Document):
(WebCore::Document::removeAllEventListenersInContext): Deleted.
* Source/WebCore/dom/Document.h:
* Source/WebCore/dom/EventTarget.cpp:
(WebCore::EventTarget::addEventListener):
(WebCore::EventTarget::removeEventListener):
(WebCore::EventTarget::removeAllEventListeners):
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::removeAllEventListenersInContext): Deleted.
(WebCore::ScriptExecutionContext::addEventTargetWithListener): Deleted.
(WebCore::ScriptExecutionContext::removeEventTargetWithListener): Deleted.
* Source/WebCore/dom/ScriptExecutionContext.h:
* Source/WebCore/history/CachedFrame.cpp:
(WebCore::CachedFrame::destroy):
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::removeAllEventListeners):
(WebCore::WorkerGlobalScope::removeAllEventListenersInContext): Deleted.
* Source/WebCore/workers/WorkerGlobalScope.h:
* Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp:
(WebCore::WorkerOrWorkletGlobalScope::prepareForDestruction):
* Source/WebCore/workers/service/ServiceWorker.cpp:
(WebCore::ServiceWorker::stop):
* Source/WebCore/workers/service/ServiceWorkerContainer.cpp:
(WebCore::ServiceWorkerContainer::stop):
* Source/WebCore/workers/service/ServiceWorkerRegistration.cpp:
(WebCore::ServiceWorkerRegistration::stop):
* Source/WebCore/workers/service/ServiceWorkerRegistration.h:
Canonical link: https://commits.webkit.org/252432.1014@safari-7614-branch
Commit: 3be45019e7fde37f4b4c0e4d016834736729c364
https://github.com/WebKit/WebKit/commit/3be45019e7fde37f4b4c0e4d016834736729c364
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2023-01-03 (Tue, 03 Jan 2023)
Changed paths:
A LayoutTests/fast/forms/datalist/datalist-id-change-crash-expected.txt
A LayoutTests/fast/forms/datalist/datalist-id-change-crash.html
M Source/WebCore/html/HTMLInputElement.cpp
Log Message:
-----------
Crash in HTMLInputElement::dataListMayHaveChanged via ListAttributeTargetObserver::idTargetChanged
https://bugs.webkit.org/show_bug.cgi?id=250039
Reviewed by Wenson Hsieh, Geoffrey Garen and Aditya Keerthi.
Merge https://commits.webkit.org/253773@main to avoid hitting this crash.
* LayoutTests/fast/forms/datalist/datalist-id-change-crash-expected.txt: Added.
* LayoutTests/fast/forms/datalist/datalist-id-change-crash.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::resetListAttributeTargetObserver):
(WebCore::ListAttributeTargetObserver::ListAttributeTargetObserver):
Canonical link: https://commits.webkit.org/252432.1015@safari-7614-branch
Commit: 064fa7584efd017ff9623cf707a17e177a02ecca
https://github.com/WebKit/WebKit/commit/064fa7584efd017ff9623cf707a17e177a02ecca
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-01-05 (Thu, 05 Jan 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
Log Message:
-----------
Cherry-pick 257630@main (df7b4f143931). rdar://102515722
[git-webkit] Make target PR remote sticky (Follow-up)
https://bugs.webkit.org/show_bug.cgi?id=248085
rdar://102515722
Reviewed by Ryan Haddad.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.create_pull_request): Use args.remote instead of non-existent variable.
Canonical link: https://commits.webkit.org/257630@main
Canonical link: https://commits.webkit.org/252432.1016@safari-7614-branch
Commit: 94d37ad7d541f342293e899ce5ee1a4d3af40131
https://github.com/WebKit/WebKit/commit/94d37ad7d541f342293e899ce5ee1a4d3af40131
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-01-05 (Thu, 05 Jan 2023)
Changed paths:
M Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.h
M Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm
M Source/WebKitLegacy/mac/WebView/WebJSPDFDoc.mm
Log Message:
-----------
WebKit`WebKit::PDFPlugin::jsPDFDocPrint - type confusion
https://bugs.webkit.org/show_bug.cgi?id=249169
rdar://102740487
Reviewed by Tim Horton, Yusuke Suzuki and Jonathan Bedard.
When JavaScript is embedded inside a PDF and it invokes the `print()` function,
the `thisObject` parameter in `PDFPlugin::jsPDFDocPrint` is not guaranteed
to be the proper type. Currently, we erroneously assume it always is the proper
type, and cast it to `PDFPlugin *`, which results in an object with garbage values.
This PR protects against this by first checking if the `thisObject` is the correct
JavaScript object type, before trying to cast it.
* Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.h:
* Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm:
(WebKit::PDFPlugin::jsPDFDocClass):
(WebKit::PDFPlugin::jsPDFDocPrint):
(WebKit::PDFPlugin::makeJSPDFDoc):
Canonical link: https://commits.webkit.org/252432.1017@safari-7614-branch
Commit: 792c09f18dc7a2439b37c486d2a27d94c2824bd3
https://github.com/WebKit/WebKit/commit/792c09f18dc7a2439b37c486d2a27d94c2824bd3
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-01-06 (Fri, 06 Jan 2023)
Changed paths:
A LayoutTests/streams/blob-and-then-expected.txt
A LayoutTests/streams/blob-and-then.html
M Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
M Source/WebCore/Modules/streams/ReadableStreamSink.cpp
Log Message:
-----------
Use-after-free in FetchBodyConsumer::resolve
https://bugs.webkit.org/show_bug.cgi?id=249996
rdar://103649054
Reviewed by Jonathan Bedard and Alex Christensen.
Make sure in FetchBodyConsumer that refed promise/source remain protected.
We also revert part of an unnecessary and wrong change from https://trac.webkit.org/changeset/227760.
This makes sure ReadableStreamToSharedBufferSink callback remains valid until completely executed in close case, as was the case in error case.
We use std::exchange instead of move as it is more semantically correct.
Covered by added test.
* LayoutTests/streams/blob-and-then-expected.txt: Added.
* LayoutTests/streams/blob-and-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp:
(WebCore::FetchBodyConsumer::resolveWithFormData):
(WebCore::FetchBodyConsumer::consumeFormDataAsStream):
(WebCore::FetchBodyConsumer::resolve):
* Source/WebCore/Modules/streams/ReadableStreamSink.cpp:
(WebCore::ReadableStreamToSharedBufferSink::close):
(WebCore::ReadableStreamToSharedBufferSink::error):
Canonical link: https://commits.webkit.org/252432.1018@safari-7614-branch
Commit: 1988807a5229f98ba987b2aee78751a54a3cdb09
https://github.com/WebKit/WebKit/commit/1988807a5229f98ba987b2aee78751a54a3cdb09
Author: David Li <jingye_li at apple.com>
Date: 2023-01-06 (Fri, 06 Jan 2023)
Changed paths:
A LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt
A LayoutTests/editing/async-clipboard/clipboard-clear.html
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h
Log Message:
-----------
[Clipboard] Explicitly call completion on clearing ClipboardItemTypeLoader
rdar://103307563
Reviewed by Jonathan Bedard and Wenson Hsieh.
In m_itemTypeLoaders.clear(), ClipboardItemBindingsDataSource::invokeCompletionHandler() is called after all m_itemTypeLoaders are released
and traverses the itemTypeLoaders after itemTypeLoaders is cleared but before the size is updated, causing a nullptr access.
So we should explicitly call completion before itemTypeLoader is released.
* LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt: Added.
* LayoutTests/editing/async-clipboard/clipboard-clear.html: Added.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::clearItemTypeLoaders):
(WebCore::ClipboardItemBindingsDataSource::collectDataForWriting):
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::~ClipboardItemTypeLoader):
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h:
Canonical link: https://commits.webkit.org/252432.1019@safari-7614-branch
Commit: b5d216c518eba7ca2f6386838a6b0bfdc8b05f94
https://github.com/WebKit/WebKit/commit/b5d216c518eba7ca2f6386838a6b0bfdc8b05f94
Author: Charlie Wolfe <charliew at apple.com>
Date: 2023-01-06 (Fri, 06 Jan 2023)
Changed paths:
M Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm
Log Message:
-----------
Cherry-pick 258151@main (426bfda99e6f). rdar://103565182
Update some WebAuth tests to no longer use the generic error code
https://bugs.webkit.org/show_bug.cgi?id=249664
rdar://103565182
Reviewed by J Pascoe.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/258151@main
Canonical link: https://commits.webkit.org/252432.1020@safari-7614-branch
Commit: 25b0bc667e1f8b63a4378941dccd01a19cc78145
https://github.com/WebKit/WebKit/commit/25b0bc667e1f8b63a4378941dccd01a19cc78145
Author: Dean Jackson <dino at apple.com>
Date: 2023-01-06 (Fri, 06 Jan 2023)
Changed paths:
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Cherry-pick 257825@main (7b47f891dd8e). rdar://103318890
[iOS EWS] TestWebKitAPI.ProcessSwap.CrossOriginSystemPreview and TestWebKitAPI.ProcessSwap.SameOriginSystemPreview consistently timing out
https://bugs.webkit.org/show_bug.cgi?id=249277
rdar://103318890
Reviewed by Chris Dumez.
Traces suggest this is stalling trying to load something over
the network and, indeed, the test content references a real
URL inside the `img` element. Change this to point to a `pson`
scheme and intercept the load to provide fake data.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
Canonical link: https://commits.webkit.org/257825@main
Canonical link: https://commits.webkit.org/252432.1021@safari-7614-branch
Commit: 6bb77d7a0b9f0701c854289d813111432a97d4a2
https://github.com/WebKit/WebKit/commit/6bb77d7a0b9f0701c854289d813111432a97d4a2
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-10 (Tue, 10 Jan 2023)
Changed paths:
A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
A LayoutTests/fast/css/content/quote-display-contents-crash.html
M Source/WebCore/dom/Element.cpp
Log Message:
-----------
Cherry-pick 256843.5@webkit-2022.12-embargoed (312254f5776d). rdar://102807985>
Check displayContentsChanged in destroyRenderTreeIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=248776
rdar://102807985>
Reviewed by Antti Koivisto.
Check displayContentsChanged in destroyRenderTreeIfNeeded since
display: contents may be removed due to focus removal while
removing subtrees but we still need to clean up pseudo elements.
* LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
* LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
Canonical link: https://commits.webkit.org/256843.5@webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/252432.1022@safari-7614-branch
Commit: 55c2b9caae923d8be62557d2dacd1b87a7573565
https://github.com/WebKit/WebKit/commit/55c2b9caae923d8be62557d2dacd1b87a7573565
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-01-11 (Wed, 11 Jan 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
[CoreIPC] Integer overflow in UIProcess from scaling/zoom factors
https://bugs.webkit.org/show_bug.cgi?id=250408
rdar://101222657
Reviewed by Wenson Hsieh and Jonathan Bedard.
Adds bounds checking via `MESSAGE_CHECK` to the page/plugin scale/zoom `factorDidChange`
methods in `WebPageProxy` to ensure that overflow will not occur in the web process.
The bounds were chosen to be `(0, 100]` because a factor of `<= 0.0` does not make sense,
and `100.0` is a reasonable upper bound.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::pageScaleFactorDidChange):
(WebKit::WebPageProxy::pluginScaleFactorDidChange):
(WebKit::WebPageProxy::pluginZoomFactorDidChange):
Canonical link: https://commits.webkit.org/252432.1023@safari-7614-branch
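An added illustration of the check this commit describes, written for this page and not taken from WebKit: `isValidScaleFactor` stands in for the `MESSAGE_CHECK` predicate with the `(0, 100]` bounds, while `PageProxyModel` and `scaledLength` are invented stand-ins for the receiving proxy and the integer arithmetic the check protects.

```cpp
// Added example (not WebKit code): the validation the commit describes,
// modelled as a MESSAGE_CHECK-style predicate applied to a scale factor
// received over IPC, plus the conversion it protects. Names are my own.
#include <cassert>
#include <climits>
#include <cmath>
#include <cstdio>
#include <optional>

// Bounds from the commit message: a factor must lie in (0, 100].
constexpr double kScaleFactorMaximum = 100.0;

// Comparisons with NaN are false, so NaN is rejected along with <= 0,
// > 100 and +infinity; no separate std::isnan() test is needed.
bool isValidScaleFactor(double factor) {
    return factor > 0.0 && factor <= kScaleFactorMaximum;
}

// The arithmetic the check protects: scaling a pixel length by an untrusted
// factor. Converting an out-of-range double to int is undefined behaviour,
// so the product is range-checked before the cast as well.
std::optional<int> scaledLength(int length, double factor) {
    if (!isValidScaleFactor(factor))
        return std::nullopt;
    double scaled = std::round(static_cast<double>(length) * factor);
    if (scaled > static_cast<double>(INT_MAX) || scaled < static_cast<double>(INT_MIN))
        return std::nullopt;
    return static_cast<int>(scaled);
}

// Receiver side of the message. In WebKit a failed MESSAGE_CHECK flags the
// message as invalid (handled by terminating the sending web process);
// this model only counts rejections and leaves the stored factor untouched.
struct PageProxyModel {
    double pageScaleFactor = 1.0;
    int rejectedMessages = 0;

    bool pageScaleFactorDidChange(double factor) {
        if (!isValidScaleFactor(factor)) {
            ++rejectedMessages;
            return false;
        }
        pageScaleFactor = factor;
        return true;
    }
};

int main() {
    PageProxyModel proxy;
    // Constructed sample factors, including the hostile values the check exists for.
    const double samples[] = { 1.5, 0.0, -2.0, 100.0, 1e300, NAN, INFINITY };
    for (double s : samples)
        std::printf("factor %g -> %s\n", s, proxy.pageScaleFactorDidChange(s) ? "accepted" : "rejected");
    std::printf("rejected %d of 7; current factor %g\n", proxy.rejectedMessages, proxy.pageScaleFactor);
    return 0;
}
```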
Commit: 2ea437d755221d74bcef65b0f1ceae21b74f619b
https://github.com/WebKit/WebKit/commit/2ea437d755221d74bcef65b0f1ceae21b74f619b
Author: Aditya Keerthi <akeerthi at apple.com>
Date: 2023-01-11 (Wed, 11 Jan 2023)
Changed paths:
M Source/WebCore/Modules/contact-picker/ContactsManager.cpp
M Source/WebCore/Modules/contact-picker/ContactsManager.h
Log Message:
-----------
Use-after-free in ContactsManager::select
https://bugs.webkit.org/show_bug.cgi?id=250351
rdar://101241436
Reviewed by Wenson Hsieh and Jonathan Bedard.
`ContactsManager` can be destroyed prior to receiving the user's selection, which
is performed asynchronously. Deploy `WeakPtr` to avoid a use-after-free in this
scenario.
A test was unable to be added, as the failure scenario involves opening a new
Window, using the new Window object's `navigator.contacts`, and performing user
interaction. Creating a new Window results in the creation of a new web view,
however all of our existing UIScriptController hooks only apply to the original
(main) web view. Consequently, it is not possible to use our testing
infrastructure to dismiss the contact picker and trigger the callback in the
failure scenario.
* Source/WebCore/Modules/contact-picker/ContactsManager.cpp:
(WebCore::ContactsManager::select):
* Source/WebCore/Modules/contact-picker/ContactsManager.h:
Canonical link: https://commits.webkit.org/252432.1024@safari-7614-branch
Commit: 7443b62d8437c5d1c085d5d0a75735bcea111e44
https://github.com/WebKit/WebKit/commit/7443b62d8437c5d1c085d5d0a75735bcea111e44
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-01-11 (Wed, 11 Jan 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/command.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/log.py
A Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/show.py
A Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/show_unittest.py
Log Message:
-----------
Cherry-pick 257760@main (dd82be82d070). rdar://96963230
[git-webkit] Add show sub-command
https://bugs.webkit.org/show_bug.cgi?id=242400
rdar://96963230
Reviewed by Dewei Zhu.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py: Add mock 'git show'.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/__init__.py: Add 'show' sub command.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/command.py:
(FilteredCommand.main): 'git show' will display diffs after the commit message, those diffs should be appropriately colorized.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/log.py:
(Log.parser): Move some options to Show.parser and invoke Show.parser.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/show.py: Copied from Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/log.py.
(Show.parser): Moved from Log.parser.
(Show.main):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/show_unittest.py: Added.
(TestShow.test_git):
(TestShow.test_git_svn):
(TestShow.test_svn):
(TestShow.test_none):
Canonical link: https://commits.webkit.org/257760@main
Canonical link: https://commits.webkit.org/252432.1025@safari-7614-branch
Commit: 2a8469e53b2f6bd95e64cabe3cd4915bee1e6e36
https://github.com/WebKit/WebKit/commit/2a8469e53b2f6bd95e64cabe3cd4915bee1e6e36
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2023-01-11 (Wed, 11 Jan 2023)
Changed paths:
A LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames-expected.txt
A LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames.html
M LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe-expected.txt
M LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
Log Message:
-----------
Remove inheritance of designMode attribute
https://bugs.webkit.org/show_bug.cgi?id=248615
Reviewed by Wenson Hsieh and Jonathan Bedard.
Stop making design mode inherit across frame boundaries.
This will prevent a form element from being injected into a victim page via drag & drop
and the new behavior matches that of Firefox and Chrome.
* LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames-expected.txt: Added.
* LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames.html: Added.
* LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe-expected.txt:
* LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe.html:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::setDesignMode):
(WebCore::Document::inDesignMode const): Deleted.
* Source/WebCore/dom/Document.h:
(WebCore::Document::inDesignMode const):
Canonical link: https://commits.webkit.org/252432.1026@safari-7614-branch
Commit: 6b850b31d5e3c5dcd009117f825d8587e38000c0
https://github.com/WebKit/WebKit/commit/6b850b31d5e3c5dcd009117f825d8587e38000c0
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-01-12 (Thu, 12 Jan 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/commit_unittest.py
Log Message:
-----------
Cherry-pick 258020@main (b38081b1f854). rdar://103457359
[git-webkit] Cap identifier and revision size
https://bugs.webkit.org/show_bug.cgi?id=249496
rdar://103457359
Reviewed by Elliott Williams.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py:
(Commit): Cap integers at 10 billion.
(Commit._parse_revision): Use NUMBER_RE.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/commit_unittest.py:
(TestCommit.test_parse_revision):
(TestCommit.test_parse_identifier):
(TestCommit.test_parse):
Canonical link: https://commits.webkit.org/258020@main
Canonical link: https://commits.webkit.org/252432.1027@safari-7614-branch
Commit: aa02d3f68425d9b3afffb3c89ade23bea3f12b29
https://github.com/WebKit/WebKit/commit/aa02d3f68425d9b3afffb3c89ade23bea3f12b29
Author: Elliott Williams <emw at apple.com>
Date: 2023-01-13 (Fri, 13 Jan 2023)
Changed paths:
M Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements
M Tools/TestWebKitAPI/Configurations/TestWebKitAPI.xcconfig
A Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements
M Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements
M Tools/WebKitTestRunner/Configurations/WebKitTestRunner.xcconfig
Log Message:
-----------
Cherry-pick 254192@main (e347e3e762ae). https://bugs.webkit.org/show_bug.cgi?id=242730
Allow ad-hoc code signing for TestWebKitAPI and WebKitTestRunner
https://bugs.webkit.org/show_bug.cgi?id=242730
Reviewed by Alexey Proskuryakov.
Xcode 14 requires a signing identity when building command-line tools.
Internal builds already use a custom signing identity
(WK_ENGINEERING_CODE_SIGN_IDENTITY). Change the default identity for
open-source builds to ad-hoc ("-").
* Tools/TestWebKitAPI/Configurations/TestWebKitAPI.xcconfig:
* Tools/WebKitTestRunner/Configurations/WebKitTestRunner.xcconfig:
Prior to this change, EWS was not signing these binaries with
entitlements, even though we declare them. It turns out that many of the
entitlements we declare require a valid signing identity. While the
long-term solution might be to give all EWS machines a proper signing
identity (and ask contributors to do the same), we can remove these
entitlements from open-source builds for now. Tests that depend on the
entitlements' capabilities will fail, but they were already failing.
* Tools/TestWebKitAPI/Configurations/TestWebKitAPI-macOS.entitlements:
TestWebKitAPI already has a "TestWebKitAPI-macOS-internal.entitlements"
file. Remove internal-only entitlements from this file.
* Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements: Copied from Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements.
* Tools/WebKitTestRunner/Configurations/WebKitTestRunner.entitlements:
Remove internal-only entitlements.
Canonical link: https://commits.webkit.org/254192@main
Canonical link: https://commits.webkit.org/252432.1028@safari-7614-branch
Commit: 9dda7bfe768d219cfae798a108e9664b4564737b
https://github.com/WebKit/WebKit/commit/9dda7bfe768d219cfae798a108e9664b4564737b
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-01-17 (Tue, 17 Jan 2023)
Changed paths:
A JSTests/wasm/stress/wasm-tuple-return.js
M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
Log Message:
-----------
LLInt WASM argument locals must be read before return values are written
https://bugs.webkit.org/show_bug.cgi?id=250482
rdar://103551585
Reviewed by Justin Michaud.
Given the wasm code which exports a wasm function `intFuncRef2` as a js function.
```
(func (export "intFuncRef2") (param $p0 f32) (param $p1 funcref) (result i32 funcref)
(i32.const 42)
(local.get $p1)
(return)
)
```
The corresponding dumped bytecodes show
```
[ 0] enter
[ 1] mov dst:loc2, src:42(const0)
[ 4] mov dst:loc3, src:loc2 // loc2 contains the funcref but now replaced with 42
[ 7] ret // return [loc2, loc3]
```
which is wrong. Instead we should do
```
[ 0] enter
[ 1] mov dst:loc18, src:42(const0)
[ 4] mov dst:loc19, src:loc2
[ 7] mov dst:loc2, src:loc18
[ 10] mov dst:loc3, src:loc19
[ 13] ret
```
Note that loc2 is both a parameter and a return slot.
Locals usually need to be materialized on the wasm stack when they are about to be or could
be clobbered, usually before a control entry, a branch, or a redefinition. Previously,
Return wrote only one value to the result slot, which clobbered one argument slot; that
was fine. Now that wasm functions can return a tuple, we can end up in the situation
shown in the example above. We should materialize the expression stack when returning more than
one value.
* JSTests/wasm/stress/tuple-return.js: Added.
(async test):
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addReturn):
Canonical link: https://commits.webkit.org/252432.1029@safari-7614-branch
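The two bytecode dumps above can be replayed on a toy frame. This is an added C++ illustration, not JavaScriptCore code: `Slot`, `StackValue`, `naiveReturn`, `materializedReturn` and `runIntFuncRef2` are constructed names, the frame layout (`$p1` in loc2, results in loc2/loc3, temporaries in loc18/loc19) follows the dumps, and the funcref bits and the `$p0` slot are stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <variant>
#include <vector>

// Constructed model of the LLInt frame in the dumps above (not JSC code):
// the frame is a vector of slots and loc2/loc3 are both argument and result slots.
using Slot = std::uint64_t;

// A value on the wasm expression stack is either a constant ("42(const0)")
// or a reference to a local ("src:loc2").
struct Const { Slot value; };
struct Local { std::size_t index; };
using StackValue = std::variant<Const, Local>;

static Slot read(const std::vector<Slot>& frame, const StackValue& v) {
    if (const auto* c = std::get_if<Const>(&v))
        return c->value;
    return frame[std::get<Local>(v).index];
}

static std::vector<Slot> resultSlots(const std::vector<Slot>& frame, std::size_t first, std::size_t count) {
    return std::vector<Slot>(frame.begin() + first, frame.begin() + first + count);
}

// First dump: each result is written straight into its slot. Result 0 lands in
// loc2 before result 1 reads loc2, so the funcref argument is overwritten by 42.
std::vector<Slot> naiveReturn(std::vector<Slot> frame, const std::vector<StackValue>& results, std::size_t firstResultSlot) {
    for (std::size_t i = 0; i < results.size(); ++i)
        frame[firstResultSlot + i] = read(frame, results[i]);      // mov dst:loc2/loc3, src:...
    return resultSlots(frame, firstResultSlot, results.size());
}

// Second dump: materialize every stack value into a fresh temporary (loc18, loc19)
// before any result slot is written, then copy the temporaries into place.
std::vector<Slot> materializedReturn(std::vector<Slot> frame, const std::vector<StackValue>& results, std::size_t firstResultSlot) {
    std::vector<Slot> temps;
    for (const auto& v : results)
        temps.push_back(read(frame, v));                            // mov dst:loc18/loc19, src:...
    for (std::size_t i = 0; i < temps.size(); ++i)
        frame[firstResultSlot + i] = temps[i];                      // mov dst:loc2/loc3, src:loc18/loc19
    return resultSlots(frame, firstResultSlot, results.size());
}

struct Outcome { std::vector<Slot> naive; std::vector<Slot> materialized; };

// intFuncRef2 from the commit: returns (i32.const 42, local.get $p1) with $p1 living in loc2.
Outcome runIntFuncRef2() {
    const Slot kFuncRefBits = 0xF00D;             // constructed stand-in for the funcref
    std::vector<Slot> frame(20, 0);
    frame[1] = 0x3F800000;                        // $p0 as f32 1.0 (slot assignment assumed)
    frame[2] = kFuncRefBits;                      // $p1, which is also result slot 0
    std::vector<StackValue> results{Const{42}, Local{2}};
    return {naiveReturn(frame, results, 2), materializedReturn(frame, results, 2)};
}

int main() {
    Outcome o = runIntFuncRef2();
    std::printf("naive:        [%llu, %llu]\n", (unsigned long long)o.naive[0], (unsigned long long)o.naive[1]);
    std::printf("materialized: [%llu, %llu]\n", (unsigned long long)o.materialized[0], (unsigned long long)o.materialized[1]);
    return 0;
}
```

The naive sequence returns `[42, 42]` because the second `mov` reads loc2 after the first one overwrote it; materializing through loc18/loc19 first returns `[42, funcref]`, which is the ordering the fixed `addReturn` emits.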
Commit: 433db4f2921901443445ea62f2f245584fbe1a6b
https://github.com/WebKit/WebKit/commit/433db4f2921901443445ea62f2f245584fbe1a6b
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-01-17 (Tue, 17 Jan 2023)
Changed paths:
M Source/WebCore/bindings/js/JSErrorHandler.cpp
M Source/WebCore/bindings/js/JSEventListener.cpp
M Source/WebCore/bindings/js/JSEventListener.h
M Source/WebCore/bindings/js/JSLazyEventListener.cpp
M Source/WebCore/bindings/js/WebCoreJSClientData.cpp
M Source/WebCore/bindings/js/WebCoreJSClientData.h
M Source/WebCore/dom/EventTarget.cpp
M Source/WebCore/inspector/CommandLineAPIHost.cpp
M Source/WebCore/inspector/WebInjectedScriptHost.cpp
M Source/WebCore/inspector/agents/InspectorDOMAgent.cpp
Log Message:
-----------
Heap use-after-free in DOMWrapperWorld::~DOMWrapperWorld
https://bugs.webkit.org/show_bug.cgi?id=246022
rdar://100763856
Reviewed by Jonathan Bedard and Ryosuke Niwa.
Right before a worker terminates, it destroys its WorkerOrWorkletScriptController,
which destroys the JS VM. Certain objects like DOMWrapperWorld cannot outlive
the VM since they keep a `VM&` as data member. However, DOMWrapperWorld is
refcounted and JSEventListeners hold a strong ref to their DOMWrapperWorld. If
JSEventListeners outlive the VM, then it would lead to a use-after-free in the
DOMWrapperWorld destructor when destroying those JSEventListeners later on.
We have previously made several attempts to try and unregister all event
listeners before destroying the VM. However, those attempts were either
incomplete or led to other crashes. I am therefore trying a different approach
this time.
JSEventListeners now register themselves as client of the JSVMClientData (which
is owned by the VM) and the client gets a `willDestroyVM()` call before the
VM gets destroyed. This allows JSEventListeners to clear out their data members
which rely on the VM (DOMWrapperWorld and JSC::Weak data members).
* Source/WebCore/bindings/js/JSErrorHandler.cpp:
(WebCore::JSErrorHandler::handleEvent):
* Source/WebCore/bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::JSEventListener):
(WebCore::JSEventListener::handleEvent):
(WebCore::JSEventListener::functionName const):
(WebCore::JSEventListener::willDestroyVM):
* Source/WebCore/bindings/js/JSEventListener.h:
(WebCore::JSEventListener::isolatedWorld const):
(WebCore::JSEventListener::ensureJSFunction const):
* Source/WebCore/bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction const):
* Source/WebCore/bindings/js/WebCoreJSClientData.cpp:
(WebCore::JSVMClientData::~JSVMClientData):
* Source/WebCore/bindings/js/WebCoreJSClientData.h:
(WebCore::JSVMClientData::addClient):
* Source/WebCore/dom/EventTarget.cpp:
(WebCore::EventTarget::attributeEventListener):
* Source/WebCore/inspector/CommandLineAPIHost.cpp:
(WebCore::CommandLineAPIHost::getEventListeners):
* Source/WebCore/inspector/WebInjectedScriptHost.cpp:
(WebCore::objectForEventTargetListeners):
* Source/WebCore/inspector/agents/InspectorDOMAgent.cpp:
(WebCore::InspectorDOMAgent::buildObjectForEventListener):
Canonical link: https://commits.webkit.org/252432.1030@safari-7614-branch
Commit: 9f7e401c42a8e8ef4bc71f8e05e14969868a240f
https://github.com/WebKit/WebKit/commit/9f7e401c42a8e8ef4bc71f8e05e14969868a240f
Author: David Degazio <35146201+ddegazio at users.noreply.github.com>
Date: 2023-01-17 (Tue, 17 Jan 2023)
Changed paths:
A JSTests/stress/cell-speculated-array-indexof.js
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Log Message:
-----------
Fix use-after-free in DFGFixupPhase for array indexOf
https://bugs.webkit.org/show_bug.cgi?id=250429
rdar://103852510
Reviewed by Jonathan Bedard and Michael Saboff.
During DFG fixup, array indexOf nodes are folded to -1 when the search element is speculated
to be a different type than the array element (for instance, JSCell instead of Int32). When
this happens, a speculation check is inserted, which can cause the DFG graph's varArgChildren
array to reallocate. This invalidates the searchElement Edge reference, which we use
immediately after the check insertion in the fixup phase. This patch fixes this potential
use-after-free by grabbing the searchElement's associated node before inserting any checks,
giving us a persistent pointer to a DFG node rather than a reference into a vector.
* JSTests/stress/cell-speculated-array-indexof.js: Added.
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupArrayIndexOf):
Canonical link: https://commits.webkit.org/252432.1031@safari-7614-branch
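The hazard described above is the generic "reference into a `std::vector` survives a `push_back`" pattern. The following is an added C++ sketch, not DFG code: `Node`, `Edge`, `insertCheck`, `referenceWouldDangle` and `fixupArrayIndexOf` are constructed names that mirror the roles of the graph's vararg children, the speculation check and the search element.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model (not DFG code) of the hazard in the commit above.
struct Node { int id; };
struct Edge { Node* node; };

// Inserting a speculation check appends to the graph's vararg child array.
// When the vector is at capacity this reallocates, and any outstanding Edge&
// into it becomes a dangling reference.
static void insertCheck(std::vector<Edge>& varArgChildren, Node* checkNode) {
    varArgChildren.push_back(Edge{checkNode});
}

// Buggy shape: keep `Edge& searchElement = varArgChildren[i]` alive across the
// insertion. The stale reference cannot be safely dereferenced here, so this
// instead reports whether the backing storage moved, which is exactly when
// the original code read freed memory. Checks are inserted until the vector grows.
bool referenceWouldDangle(std::size_t childCount) {
    std::vector<Node> nodes(childCount + 1, Node{0});
    std::vector<Edge> varArgChildren;
    for (std::size_t i = 0; i < childCount; ++i)
        varArgChildren.push_back(Edge{&nodes[i]});
    const auto before = reinterpret_cast<std::uintptr_t>(varArgChildren.data());
    Node& check = nodes[childCount];
    for (int i = 0; i < 4096 && reinterpret_cast<std::uintptr_t>(varArgChildren.data()) == before; ++i)
        insertCheck(varArgChildren, &check);
    return reinterpret_cast<std::uintptr_t>(varArgChildren.data()) != before;
}

// Fixed shape from the commit: take the Node* out of the Edge before inserting
// anything. Nodes are owned by the graph and do not move when the vector does.
int fixupArrayIndexOf(std::vector<Edge>& varArgChildren, std::size_t searchIndex, Node* checkNode) {
    Node* searchElement = varArgChildren[searchIndex].node;   // persistent pointer, not a reference into the vector
    insertCheck(varArgChildren, checkNode);                    // may reallocate; searchElement stays valid
    return searchElement->id;
}

struct FixupOutcome { int searchElementID; std::size_t childCount; };

FixupOutcome runFixup() {
    Node array{1}, searchElement{2}, check{3};
    std::vector<Edge> varArgChildren{Edge{&array}, Edge{&searchElement}};
    int id = fixupArrayIndexOf(varArgChildren, 1, &check);
    return {id, varArgChildren.size()};
}

int main() {
    std::printf("reference would dangle: %s\n", referenceWouldDangle(4) ? "yes" : "no");
    FixupOutcome o = runFixup();
    std::printf("search element id after check insertion: %d (children: %zu)\n", o.searchElementID, o.childCount);
    return 0;
}
```

The rule the fix applies generalizes: anything obtained from a container by reference or iterator must be copied out (here, the `Node*`) before any call that may insert into that container.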
Commit: c8b8b96aa796753d59492a42c8257ff15897e6b0
https://github.com/WebKit/WebKit/commit/c8b8b96aa796753d59492a42c8257ff15897e6b0
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-01-17 (Tue, 17 Jan 2023)
Changed paths:
M Source/WTF/wtf/WeakHashSet.h
Log Message:
-----------
Cherry-pick 256541@main (06391ab46e02). https://bugs.webkit.org/show_bug.cgi?id=247712
Do amortized clean up in WeakHashSet
https://bugs.webkit.org/show_bug.cgi?id=247712
Reviewed by Ryosuke Niwa.
Do amortized clean up in WeakHashSet, similarly to what we already do in
WeakHashMap.
* Source/WTF/wtf/WeakHashSet.h:
* Source/WebCore/dom/SlotAssignment.cpp:
Canonical link: https://commits.webkit.org/256541@main
Canonical link: https://commits.webkit.org/252432.1032@safari-7614-branch
Commit: 02e324c5768915bdea27aa055ee00d786ff24c65
https://github.com/WebKit/WebKit/commit/02e324c5768915bdea27aa055ee00d786ff24c65
Author: Simon Fraser <simon.fraser at apple.com>
Date: 2023-01-18 (Wed, 18 Jan 2023)
Changed paths:
M Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp
Log Message:
-----------
Possible type confusion bug in RemoteScrollingCoordinatorTransaction::decode
https://bugs.webkit.org/show_bug.cgi?id=250742
<rdar://102373218>
Reviewed by Jonathan Bedard and Ryosuke Niwa.
RemoteScrollingCoordinatorTransaction::decode() fails to check whether the nodeID returned by
`m_scrollingStateTree->insertNode()` is a new one, different from the `nodeID` argument. If so, it
could indicate that the node type of `m_scrollingStateTree->stateNodeForID()` does not match
`nodeType`, leading to type confusion.
In the UI process, `m_scrollingStateTree->insertNode()` should never return a different nodeID; this
only happens when the given nodeType does not match the type of the existing node, which only
happens in the WebProcess. So if `insertNode()` returns a different nodeID, or when the returned
node doesn't have the expected type, we can consider it an IPC decoding error.
* Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp:
(WebKit::RemoteScrollingCoordinatorTransaction::decode):
Canonical link: https://commits.webkit.org/252432.1033@safari-7614-branch
Commit: 3ee4a832198616615b71c5080ce4ba501f2ea93d
https://github.com/WebKit/WebKit/commit/3ee4a832198616615b71c5080ce4ba501f2ea93d
Author: Ryan Reno <rreno at apple.com>
Date: 2023-01-18 (Wed, 18 Jan 2023)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcard-host-checks-path.sub-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcard-host-checks-path.sub.html
M Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
Log Message:
-----------
CSP bypass due to incorrect handling of wildcard character in host expression
https://bugs.webkit.org/show_bug.cgi?id=250709
rdar://104335301
Reviewed by Brent Fulgham and Jonathan Bedard.
We were treating something like "https://*/foo" as being a scheme-only source (so checking only against
'https'). That is fixed by not only checking for the host-part being an empty string but also whether or not
the host wildcard flag had been set by the CSP parser. Additionally, we were checking a given URL's host
against the wildcard assuming a format like "*.com" instead of the possibility of the catch-all "*" wildcard.
This change fixes our handling of the wildcard "*" in a directive's source list by correctly identifying when a
source is scheme-only and by correctly taking into account the entire host-part wildcard grammar when checking
a given host against a wildcard pattern.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcard-host-checks-path.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/wildcard-host-checks-path.sub.html: Added.
* Source/WebCore/page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::hostMatches const):
(WebCore::ContentSecurityPolicySource::isSchemeOnly const):
Canonical link: https://commits.webkit.org/252432.1034@safari-7614-branch
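The two defects named above (a wildcard host mistaken for "no host", and a `*` catch-all handled as if it were `*.example.com`) can be shown side by side on a small matcher. This is an added C++ illustration following the CSP Level 3 host-part and path-part matching rules; it is not WebKit's `ContentSecurityPolicySource`. `CSPSource`, `parseSource`, `isSchemeOnlyBuggy`, `isSchemeOnlyFixed`, `hostMatches`, `pathMatches`, `sourceMatches`, `allows` and `hostAllowed` are constructed names, the grammar subset is simplified (no ports, no percent-decoding, no scheme upgrades), and the sample expressions are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>

// Added illustrative model of CSP source-expression matching (not WebKit code).
struct CSPSource {
    std::string scheme;          // "https", or empty when the expression carries no scheme
    std::string host;            // host-part with a leading "*." removed; empty for "*" or no host
    bool hostWildcard = false;   // set by the parser for "*" and "*.example.com"
    std::string path;            // "/foo", or empty when no path is given
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Parses "scheme:", "scheme://host[/path]" or "host[/path]" (a constructed subset of the grammar).
std::optional<CSPSource> parseSource(const std::string& expr) {
    CSPSource s;
    std::string rest = expr;
    auto schemeEnd = rest.find("://");
    if (schemeEnd != std::string::npos) {
        s.scheme = lower(rest.substr(0, schemeEnd));
        rest = rest.substr(schemeEnd + 3);
    } else if (!rest.empty() && rest.back() == ':' && rest.find('/') == std::string::npos) {
        s.scheme = lower(rest.substr(0, rest.size() - 1));
        return s;                                       // genuine scheme-only source, e.g. "https:"
    }
    auto slash = rest.find('/');
    std::string hostPart = slash == std::string::npos ? rest : rest.substr(0, slash);
    if (slash != std::string::npos)
        s.path = rest.substr(slash);
    if (hostPart == "*")
        s.hostWildcard = true;                          // catch-all host: remember the flag, host stays empty
    else if (hostPart.rfind("*.", 0) == 0) {
        s.hostWildcard = true;
        s.host = lower(hostPart.substr(2));
    } else
        s.host = lower(hostPart);
    if (s.host.empty() && !s.hostWildcard && s.scheme.empty())
        return std::nullopt;
    return s;
}

// Before the fix: an empty host string alone meant "scheme-only", so "https://*/foo"
// degraded to "https:" and neither host nor path was ever checked.
bool isSchemeOnlyBuggy(const CSPSource& s) { return s.host.empty(); }
// After the fix: a wildcard host is still a host.
bool isSchemeOnlyFixed(const CSPSource& s) { return s.host.empty() && !s.hostWildcard; }

// CSP3 host-part matching: "*" matches any host; "*.example.com" matches hosts with
// at least one label before ".example.com" (and not example.com itself); otherwise exact.
bool hostMatches(const CSPSource& s, const std::string& urlHost) {
    std::string h = lower(urlHost);
    if (!s.hostWildcard)
        return h == s.host;
    if (s.host.empty())
        return true;
    if (h.size() < s.host.size() + 2)
        return false;
    return h.compare(h.size() - s.host.size(), s.host.size(), s.host) == 0
        && h[h.size() - s.host.size() - 1] == '.';
}

// CSP3 path-part matching: a path ending in "/" is a prefix match, otherwise exact.
bool pathMatches(const CSPSource& s, const std::string& urlPath) {
    if (s.path.empty())
        return true;
    if (s.path.back() == '/')
        return urlPath.compare(0, s.path.size(), s.path) == 0;
    return urlPath == s.path;
}

bool sourceMatches(const CSPSource& s, const std::string& scheme, const std::string& host, const std::string& path, bool fixed) {
    if (!s.scheme.empty() && lower(scheme) != s.scheme)
        return false;
    if (fixed ? isSchemeOnlyFixed(s) : isSchemeOnlyBuggy(s))
        return true;                                    // scheme-only sources ignore host and path
    return hostMatches(s, host) && pathMatches(s, path);
}

bool allows(const std::string& expr, const std::string& scheme, const std::string& host, const std::string& path, bool fixed) {
    auto s = parseSource(expr);
    return s && sourceMatches(*s, scheme, host, path, fixed);
}

bool hostAllowed(const std::string& expr, const std::string& host) {
    auto s = parseSource(expr);
    return s && hostMatches(*s, host);
}

int main() {
    std::printf("https://*/foo vs https://cdn.example/evil.js  buggy=%d fixed=%d\n",
        allows("https://*/foo", "https", "cdn.example", "/evil.js", false),
        allows("https://*/foo", "https", "cdn.example", "/evil.js", true));
    return 0;
}
```

With the buggy `isSchemeOnly`, `https://*/foo` admits any path on any HTTPS host; with the flag honoured, the catch-all host still matches everything but `/foo` is enforced, which is what the imported `wildcard-host-checks-path` test exercises.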
Commit: b9851bb3646559798fbba1d316a16e786ea8a574
https://github.com/WebKit/WebKit/commit/b9851bb3646559798fbba1d316a16e786ea8a574
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-01-18 (Wed, 18 Jan 2023)
Changed paths:
M Source/WebCore/platform/mediastream/MediaConstraints.h
Log Message:
-----------
IPC hardening for MediaConstraint subclasses
https://bugs.webkit.org/show_bug.cgi?id=250722
rdar://103012405
Reviewed by Jonathan Bedard and David Kilzer.
Make sure we validate the constraint type whenever we IPC-deserialize a
MediaConstraint subclass.
* Source/WebCore/platform/mediastream/MediaConstraints.h:
(WebCore::NumericConstraint::decode):
(WebCore::StringConstraint::decode):
Canonical link: https://commits.webkit.org/252432.1035@safari-7614-branch
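The RemoteScrollingCoordinatorTransaction::decode commit and this MediaConstraint commit apply the same rule on the receiving side of IPC: the decoder verifies that what it was handed really has the type it is about to treat it as, and otherwise fails the decode. The following is an added C++ sketch of both checks, not WebKit code: `StateTree`, `NodeRecord`, `decodeUnchecked`, `decodeChecked`, `decodeNumericConstraint`, the enum values and the node IDs are constructed, and the toy `insertNode` reproduces only the behaviour the commit describes (a fresh ID when the type of an existing node does not match).

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>

// Constructed models (not WebKit code) of the two decode-side checks described above.

enum class NodeType { Frame, Overflow, Fixed, Sticky };
using NodeID = std::uint64_t;
struct StateNode { NodeType type; NodeID id; };

// Toy state tree. insertNode() reuses an existing node when the type matches and
// otherwise allocates a fresh ID; the commit notes that the UI-process side should
// never see the fresh-ID case for a well-formed transaction.
class StateTree {
public:
    NodeID insertNode(NodeType type, NodeID id) {
        auto it = m_nodes.find(id);
        if (it != m_nodes.end() && it->second.type != type) {
            NodeID fresh = m_nextFreshID++;
            m_nodes.emplace(fresh, StateNode{type, fresh});
            return fresh;
        }
        if (it == m_nodes.end())
            m_nodes.emplace(id, StateNode{type, id});
        return id;
    }
    const StateNode* stateNodeForID(NodeID id) const {
        auto it = m_nodes.find(id);
        return it == m_nodes.end() ? nullptr : &it->second;
    }
private:
    std::map<NodeID, StateNode> m_nodes;
    NodeID m_nextFreshID = 1000;
};

// One "insert node" record as it would arrive in the transaction (constructed shape).
struct NodeRecord { NodeType nodeType; NodeID nodeID; };
enum class DecodeResult { Ok, Error };

// Before hardening: trusts that insertNode() handed back the node that was asked for,
// so a later stateNodeForID(nodeID) can return a node of a different type.
DecodeResult decodeUnchecked(StateTree& tree, const NodeRecord& r) {
    tree.insertNode(r.nodeType, r.nodeID);
    return DecodeResult::Ok;
}

// After hardening: a different ID, or a node whose type is not nodeType, is an IPC decoding error.
DecodeResult decodeChecked(StateTree& tree, const NodeRecord& r) {
    NodeID returned = tree.insertNode(r.nodeType, r.nodeID);
    if (returned != r.nodeID)
        return DecodeResult::Error;
    const StateNode* node = tree.stateNodeForID(r.nodeID);
    if (!node || node->type != r.nodeType)
        return DecodeResult::Error;
    return DecodeResult::Ok;
}

// Scenario: the tree already holds node 7 as Overflow; a record then claims node 7 is Fixed.
DecodeResult runScenario(bool hardened) {
    StateTree tree;
    tree.insertNode(NodeType::Overflow, 7);
    NodeRecord mismatched{NodeType::Fixed, 7};
    return hardened ? decodeChecked(tree, mismatched) : decodeUnchecked(tree, mismatched);
}

DecodeResult runBenign() {
    StateTree tree;
    tree.insertNode(NodeType::Overflow, 7);
    return decodeChecked(tree, NodeRecord{NodeType::Overflow, 7});
}

// MediaConstraint part: a serialized constraint carries a type tag. The numeric decoder
// must reject tags that are out of range or that name a non-numeric constraint.
enum class ConstraintType : std::uint8_t { Width = 0, Height = 1, FacingMode = 2 /* string-valued */ };
struct NumericConstraint { ConstraintType type; int min; int max; };

static bool isNumericType(ConstraintType t) { return t == ConstraintType::Width || t == ConstraintType::Height; }

std::optional<NumericConstraint> decodeNumericConstraint(std::uint8_t rawType, int min, int max) {
    if (rawType > static_cast<std::uint8_t>(ConstraintType::FacingMode))
        return std::nullopt;                            // not a known enum value at all
    auto type = static_cast<ConstraintType>(rawType);
    if (!isNumericType(type))
        return std::nullopt;                            // valid tag, wrong subclass: the check the commit adds
    return NumericConstraint{type, min, max};
}

int main() {
    std::printf("mismatched node: unchecked=%s checked=%s\n",
        runScenario(false) == DecodeResult::Ok ? "ok" : "error",
        runScenario(true) == DecodeResult::Ok ? "ok" : "error");
    std::printf("numeric decode of string tag accepted: %s\n", decodeNumericConstraint(2, 0, 0) ? "yes" : "no");
    return 0;
}
```

The check is cheap relative to the cost of a type confusion, and placing it in the decoder keeps every consumer of the decoded object from having to re-validate.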
Commit: c553da3adc35b876585132ecc919e072952ab749
https://github.com/WebKit/WebKit/commit/c553da3adc35b876585132ecc919e072952ab749
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-01-20 (Fri, 20 Jan 2023)
Changed paths:
A JSTests/stress/regexp-testinline-stacklimits.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/runtime/RegExp.h
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[JSC] RegExp.test inline is missing some stack overflow checks
https://bugs.webkit.org/show_bug.cgi?id=250873
rdar://104072550
Reviewed by Yusuke Suzuki.
The RegExp.test inline code is missing two stack overflow checks.
1) When compiling the pattern string to a YarrPattern, we checked for stack overflow,
but didn't do anything with the failure.
2) When allocating the stack space needed to execute the JIT code for the expression
we need to first check that we have enough stack.
This change adds checks for both cases using the JSRegExpResult::JITCodeFailure return value when we
would have overflowed the stack. When the results-checking code after the inline code sees that error
value, it will now call out to the appropriate C++ helper function to perform the match.
Those functions are capable of throwing Out of Stack exceptions.
* JSTests/stress/regexp-testinline-stacklimits.js: Added new test.
(baz):
(bar):
(foo):
(true.string_appeared_here.repeat):
(true.catch):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpTestInline):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/runtime/RegExp.h:
* Source/JavaScriptCore/yarr/YarrJIT.cpp:
(JSC::Yarr::jitCompileInlinedTest):
Canonical link: https://commits.webkit.org/252432.1036@safari-7614-branch
Commit: 846e2a69bcaa3301ba898c057f26310ed737f6ce
https://github.com/WebKit/WebKit/commit/846e2a69bcaa3301ba898c057f26310ed737f6ce
Author: Fujii Hironori <Hironori.Fujii at sony.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/tests/file_lock_unittest.py
Log Message:
-----------
Cherry-pick 258154@main (81d0d71c7efa). https://bugs.webkit.org/show_bug.cgi?id=249608
webkitcorepy.tests.file_lock_unittest.FileLockTestCase.test_locked_timeout is randomly failing
https://bugs.webkit.org/show_bug.cgi?id=249608
Reviewed by Jonathan Bedard.
test_locked_timeout was randomly failing because it compared two time
values by truncating fraction parts. For example, two time values
53.99 and 54.00 are close enough, but don't match in the comparison.
* Tools/Scripts/libraries/webkitcorepy/webkitcorepy/tests/file_lock_unittest.py:
(FileLockTestCase.test_locked_timeout):
Use assertAlmostEqual to compare time values.
Canonical link: https://commits.webkit.org/258154@main
Canonical link: https://commits.webkit.org/252432.1037@safari-7614-branch
Commit: 1d0ebb722153f2dc464ac76ff4bf9cb623a18b66
https://github.com/WebKit/WebKit/commit/1d0ebb722153f2dc464ac76ff4bf9cb623a18b66
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
M Tools/Scripts/libraries/webkitbugspy/setup.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/github.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/data.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/github.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/bugzilla_unittest.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/github_unittest.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py
Log Message:
-----------
Cherry-pick 258831@main (13d9ff026e75). rdar://104147220
[webkitbugspy] Access issue milestone
https://bugs.webkit.org/show_bug.cgi?id=250493
rdar://104147220
Reviewed by Aakash Jain.
* Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/github.py:
(Tracker.populate): Extract milestone from GitHub response.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py:
(Issue.__init__): Add _milestone member variable.
(Issue.milestone): Populate _milestone, if not already done. Treat empty milestone as None.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/data.py: Add milestones.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/github.py:
(GitHub._issue): Include milestone in response.
(GitHub._create): Ditto.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py:
(RadarModel.Milestone): Add.
(RadarModel.__init__): Use mock Milestone class.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
(Tracker.populate): Extract milestone from Radar object.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/bugzilla_unittest.py:
(test_milestone):
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/github_unittest.py:
(test_milestone):
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py:
(test_milestone):
Canonical link: https://commits.webkit.org/258831@main
Canonical link: https://commits.webkit.org/252432.1038@safari-7614-branch
Commit: c77483d635f1938e416e3b4999f6cdc64008fa1c
https://github.com/WebKit/WebKit/commit/c77483d635f1938e416e3b4999f6cdc64008fa1c
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/trace.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pickable_unittest.py
Log Message:
-----------
Cherry-pick 258105@main (6faa6aea3e00). rdar://103460662
[git-webkit] Handle cherry-picks from divergent branches
https://bugs.webkit.org/show_bug.cgi?id=249501
rdar://103460662
Reviewed by Dewei Zhu.
A commit that is cherry-picked from a commit which is not on the target branch should
be considered pickable.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py:
(Pickable.pickable): Related commits should not be automatically added to the commits story,
so that we can use the commits story to filter out changes already on the target branch.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/trace.py:
(CommitsStory.__contains__): Check if the story contains a commit.
(CommitsStory.add): Use shared "__contains__" call.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pickable_unittest.py:
(TestPickable.test_branch_diverged_cherry_pick):
Canonical link: https://commits.webkit.org/258105@main
Canonical link: https://commits.webkit.org/252432.1039@safari-7614-branch
Commit: 5f64e30a652bbc9d3f844e1a085757694d8e5edf
https://github.com/WebKit/WebKit/commit/5f64e30a652bbc9d3f844e1a085757694d8e5edf
Author: Simon Fraser <simon.fraser at apple.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm
Log Message:
-----------
[CoreIPC] Type confusion bugs in RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations
https://bugs.webkit.org/show_bug.cgi?id=250812
<rdar://102603221>
Reviewed by Jonathan Bedard and Ryosuke Niwa.
Add MESSAGE_CHECKing for two node types in code that runs in response to an IPC message.
Add an early return checking the root node type in code that runs from user events.
* Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm:
(WebKit::RemoteScrollingCoordinatorProxy::establishLayerTreeScrollingRelations):
(WebKit::RemoteScrollingCoordinatorProxy::nearestActiveContentInsetAdjustedSnapOffset const):
Canonical link: https://commits.webkit.org/252432.1040@safari-7614-branch
Commit: 8488b5acfb39f32e31fcb37bd3733ed262c73ff2
https://github.com/WebKit/WebKit/commit/8488b5acfb39f32e31fcb37bd3733ed262c73ff2
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
M Source/WebCore/rendering/RenderLayerModelObject.cpp
Log Message:
-----------
Cherry-pick 256843.4@webkit-2022.12-embargoed (6234ec9c65b9). rdar://102808328
Do not issue repaints when in detached state
https://bugs.webkit.org/show_bug.cgi?id=248773
Reviewed by Antti Koivisto.
Do not issue repaints when the RenderObject is in detached state while removing render subtrees.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
* Source/WebCore/rendering/RenderLayerModelObject.cpp:
(WebCore::RenderTableCell::willBeRemovedFromTree const):
Canonical link: https://commits.webkit.org/256843.4@webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/252432.1041@safari-7614-branch
Commit: c0de6f1c5c5fbc239f3838aa0f707b64991dbbea
https://github.com/WebKit/WebKit/commit/c0de6f1c5c5fbc239f3838aa0f707b64991dbbea
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
Log Message:
-----------
Cherry-pick 256843.6@webkit-2022.12-embargoed (c4c0ef6360b2). rdar://102808104
Verify that style update roots are for correct document
https://bugs.webkit.org/show_bug.cgi?id=248775
Reviewed by Antti Koivisto.
Verify that style update roots are for the correct document since
we may be dealing with a pending update on an element/text node that
moved to another document.
* LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
* LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::commit):
Canonical link: https://commits.webkit.org/256843.6@webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/252432.1042@safari-7614-branch
Commit: 6633438abd8b9172113815a581d7d1daab0a4926
https://github.com/WebKit/WebKit/commit/6633438abd8b9172113815a581d7d1daab0a4926
Author: Patrick Angle <pangle at apple.com>
Date: 2023-01-23 (Mon, 23 Jan 2023)
Changed paths:
A LayoutTests/inspector/console/console-recursive-logging-expected.txt
A LayoutTests/inspector/console/console-recursive-logging.html
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.h
Log Message:
-----------
Web Inspector: Console messages that log a value that recursively logs crashes
https://bugs.webkit.org/show_bug.cgi?id=251018
rdar://104083913
Reviewed by Jonathan Bedard and Michael Saboff.
Web Inspector normally generates a preview for objects logged in the console when Web Inspector is open. However, it is
possible for authored pages to cause logging to occur when we attempt to generate the preview, as we must invoke getters
to get the values to display. In order to not recursively log messages to the console this patch turns off generating
previews for console messages that are logged while in the middle of logging another console message. The user can still
generate a preview later in Web Inspector by using the disclosure triangle next to the message, which will then cause
the getter to be invoked, but the same protection will kick in to prevent recursive logging via generating previews
for objects.
* LayoutTests/inspector/console/console-recursive-logging-expected.txt: Added.
* LayoutTests/inspector/console/console-recursive-logging.html: Added.
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::addConsoleMessage):
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.h:
Canonical link: https://commits.webkit.org/252432.1043@safari-7614-branch
Commit: 22cbd76bcc96a38c1aec66125e22ee2a6f974504
https://github.com/WebKit/WebKit/commit/22cbd76bcc96a38c1aec66125e22ee2a6f974504
Author: chirags27 <chirag_m_shah at apple.com>
Date: 2023-01-26 (Thu, 26 Jan 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/grid-stylechange-crash-expected.txt
A LayoutTests/fast/css-grid-layout/grid-stylechange-crash.html
M Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp
M Source/WebCore/rendering/RenderGrid.cpp
M Source/WebCore/rendering/RenderGrid.h
Log Message:
-----------
Invalidate grid placement when style changes to subgrid
rdar://104559684
Reviewed by Jonathan Bedard and Matt Woodrow.
Before this change, we didn't invalidate parent and child placement
info, leading to an OOB read into the parent tracks information when
copying that to the child. This change fixes that.
* LayoutTests/fast/css-grid-layout/grid-stylechange-crash-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/grid-stylechange-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::styleDidChange):
(WebCore::RenderGrid::subgridDidChange const):
(WebCore::RenderGrid::dirtyGrid):
* Source/WebCore/rendering/RenderGrid.h:
* Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:
(WebCore::GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid):
Canonical link: https://commits.webkit.org/252432.1044@safari-7614-branch
Commit: 77446d5c727e85279103a86517fbb5799837e058
https://github.com/WebKit/WebKit/commit/77446d5c727e85279103a86517fbb5799837e058
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-01-27 (Fri, 27 Jan 2023)
Changed paths:
M Source/JavaScriptCore/API/JSCallbackConstructor.h
M Source/JavaScriptCore/API/JSCallbackFunction.h
M Source/JavaScriptCore/API/JSClassRef.h
M Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h
M Source/JavaScriptCore/API/ObjCCallbackFunction.h
M Source/JavaScriptCore/runtime/ClassInfo.h
M Source/JavaScriptCore/runtime/Lookup.h
Log Message:
-----------
[Re-land] Add additional PAC diversity for function pointers in JSC API data structures as we do for vtbls.
https://bugs.webkit.org/show_bug.cgi?id=248702
<rdar://problem/102768157>
Reviewed by Yusuke Suzuki.
* Source/JavaScriptCore/API/JSCallbackConstructor.h:
* Source/JavaScriptCore/API/JSCallbackFunction.h:
* Source/JavaScriptCore/API/JSClassRef.h:
* Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h:
* Source/JavaScriptCore/API/ObjCCallbackFunction.h:
* Source/JavaScriptCore/runtime/ClassInfo.h:
* Source/JavaScriptCore/runtime/Lookup.h:
Canonical link: https://commits.webkit.org/252432.1045@safari-7614-branch
Compare: https://github.com/WebKit/WebKit/compare/a5f81296a585%5E...77446d5c727e