[webkit-changes] [WebKit/WebKit] e1f872: Cherry-pick 259548.3 at safari-7615-branch (e8f723331...
Ryosuke Niwa
noreply at github.com
Tue Mar 28 14:59:47 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: e1f8721fd722f0f6f037b1eeeabd0a7ee79383fd
https://github.com/WebKit/WebKit/commit/e1f8721fd722f0f6f037b1eeeabd0a7ee79383fd
Author: David Li <jingye_li at apple.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
A LayoutTests/animations/animation-set-effect-expected.txt
A LayoutTests/animations/animation-set-effect.html
M Source/WebCore/animation/CSSAnimation.cpp
Log Message:
-----------
Cherry-pick 259548.3 at safari-7615-branch (e8f7233310fd). <bug>
Cherry-pick 252432.1013 at safari-7614-branch (1d545c7ebfef). rdar://104831379
[Web Animations] CSSAnimation::setBindingsEffect should also add KeyFrames to overriddenProperties
rdar://102137788
Reviewed by Jonathan Bedard and Antoine Quint.
* LayoutTests/animations/animation-set-effect-expected.txt: Added.
* LayoutTests/animations/animation-set-effect.html: Added.
* Source/WebCore/animation/CSSAnimation.cpp:
(WebCore::CSSAnimation::setBindingsEffect):
Canonical link: https://commits.webkit.org/252432.1013@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.3@safari-7615-branch
Commit: 0972ae7e98ea650024cd118d6f4603e2891ad744
https://github.com/WebKit/WebKit/commit/0972ae7e98ea650024cd118d6f4603e2891ad744
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
A LayoutTests/streams/blob-and-then-expected.txt
A LayoutTests/streams/blob-and-then.html
M Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
M Source/WebCore/Modules/streams/ReadableStreamSink.cpp
Log Message:
-----------
Cherry-pick 259548.6 at safari-7615-branch (1b17df7c2063). <bug>
Cherry-pick 252432.1018 at safari-7614-branch (792c09f18dc7). rdar://103649054
Use-after-free in FetchBodyConsumer::resolve
https://bugs.webkit.org/show_bug.cgi?id=249996
rdar://103649054
Reviewed by Jonathan Bedard and Alex Christensen.
Make sure in FetchBodyConsumer that refed promise/source remain protected.
We also revert part of an unnecessary and wrong change from https://trac.webkit.org/changeset/227760.
This makes sure ReadableStreamToSharedBufferSink callback remains valid until completely executed in close case, as was the case in error case.
We use std::exchange instead of move as it is more semantically correct.
Covered by added test.
* LayoutTests/streams/blob-and-then-expected.txt: Added.
* LayoutTests/streams/blob-and-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp:
(WebCore::FetchBodyConsumer::resolveWithFormData):
(WebCore::FetchBodyConsumer::consumeFormDataAsStream):
(WebCore::FetchBodyConsumer::resolve):
* Source/WebCore/Modules/streams/ReadableStreamSink.cpp:
(WebCore::ReadableStreamToSharedBufferSink::close):
(WebCore::ReadableStreamToSharedBufferSink::error):
Canonical link: https://commits.webkit.org/252432.1018@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.6@safari-7615-branch
Commit: 19fc5d5eee74f299e3b1fa214facc2d4d578d368
https://github.com/WebKit/WebKit/commit/19fc5d5eee74f299e3b1fa214facc2d4d578d368
Author: David Li <jingye_li at apple.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
A LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt
A LayoutTests/editing/async-clipboard/clipboard-clear.html
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h
Log Message:
-----------
Cherry-pick 259548.7 at safari-7615-branch (83422ec49be9). <bug>
Cherry-pick 252432.1019 at safari-7614-branch (1988807a5229). rdar://103307563
[Clipboard] Explicitly call completion on clearing ClipboardItemTypeLoader
rdar://103307563
Reviewed by Jonathan Bedard and Wenson Hsieh.
In m_itemTypeLoaders.clear(), ClipboardItemBindingsDataSource::invokeCompletionHandler() is called after all m_itemTypeLoaders are released
and traverses the itemTypeLoaders after itemTypeLoaders is cleared but before the size is updated, causing a nullptr access.
So we should explicitly call completion before itemTypeLoader is released.
* LayoutTests/editing/async-clipboard/clipboard-clear-expected.txt: Added.
* LayoutTests/editing/async-clipboard/clipboard-clear.html: Added.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::clearItemTypeLoaders):
(WebCore::ClipboardItemBindingsDataSource::collectDataForWriting):
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::~ClipboardItemTypeLoader):
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h:
Canonical link: https://commits.webkit.org/252432.1019@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.7@safari-7615-branch
Commit: a49d364fd077ba582dcd5a55aa90abb076484c48
https://github.com/WebKit/WebKit/commit/a49d364fd077ba582dcd5a55aa90abb076484c48
Author: JC Alvarado <joncarlo at apple.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
A LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt
A LayoutTests/fast/backgrounds/background-color-lch-crash.html
M Source/WebCore/platform/graphics/ColorBlending.cpp
Log Message:
-----------
Cherry-pick 259548.8 at safari-7615-branch (5a0f792b008f). https://bugs.webkit.org/show_bug.cgi?id=251158
Check color opacity after lossy conversion when blending
https://bugs.webkit.org/show_bug.cgi?id=251158
rdar://104553839
Reviewed by Dean Jackson.
We check opacity to determine if we should forgo blending,
however after performing a lossy conversion we can end
up with alpha values that result in a division by zero.
Add an additional check after conversion to prevent this
case.
* LayoutTests/fast/backgrounds/background-color-lch-crash-expected.txt: Added.
* LayoutTests/fast/backgrounds/background-color-lch-crash.html: Added.
* Source/WebCore/platform/graphics/ColorBlending.cpp:
(WebCore::blendSourceOver):
Canonical link: https://commits.webkit.org/259548.8@safari-7615-branch
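The failure mode the commit above describes, as an added illustration that is not WebKit's ColorBlending.cpp: the opacity fast path is judged on the unconverted alpha, the lossy conversion (an 8-bit quantisation here, a constructed stand-in) can then round a tiny alpha to zero, and only a second check after conversion keeps that zero out of the divisor.

```cpp
#include <algorithm>
#include <cmath>
#include <optional>

// Constructed illustration, not WebKit's ColorBlending.cpp: straight-alpha
// colour with float channels in [0, 1].
struct Color { float r, g, b, a; };

// Lossy step: quantise every channel to 8 bits, the kind of conversion a
// wide-gamut lch() colour goes through before blending in 8-bit sRGB.
static Color quantizeTo8Bit(const Color& c) {
    auto q = [](float v) { return std::round(std::clamp(v, 0.0f, 1.0f) * 255.0f) / 255.0f; };
    return { q(c.r), q(c.g), q(c.b), q(c.a) };
}

// Source-over compositing of `source` onto `backdrop`. Returns nullopt instead
// of dividing by a zero result alpha.
static std::optional<Color> blendSourceOver(Color backdrop, Color source) {
    // Pre-existing check: forgo blending when the source is fully opaque or
    // fully transparent, judged on the unconverted alpha.
    if (source.a >= 1.0f) return source;
    if (source.a <= 0.0f) return backdrop;
    // The conversion happens after that check, so a tiny alpha can round to 0.
    backdrop = quantizeTo8Bit(backdrop);
    source = quantizeTo8Bit(source);
    const float outA = source.a + backdrop.a * (1.0f - source.a);
    // Added check: re-test after conversion, before outA becomes a divisor.
    if (outA <= 0.0f) return std::nullopt;
    auto ch = [&](float s, float d) { return (s * source.a + d * backdrop.a * (1.0f - source.a)) / outA; };
    return Color{ ch(source.r, backdrop.r), ch(source.g, backdrop.g), ch(source.b, backdrop.b), outA };
}

// A barely visible source over a transparent backdrop: alpha 0.001 passes the
// first check, quantises to 0, and must be caught by the second check.
static bool survivesLossyAlpha() {
    auto out = blendSourceOver(Color{0.f, 0.f, 0.f, 0.f}, Color{1.f, 0.f, 0.f, 0.001f});
    return !out.has_value();
}
```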
Commit: c2d5d32bba48c5baa89080bd95c20ff0eac92b82
https://github.com/WebKit/WebKit/commit/c2d5d32bba48c5baa89080bd95c20ff0eac92b82
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
A LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt
A LayoutTests/fast/css/content/quote-display-contents-crash.html
M Source/WebCore/dom/Element.cpp
Log Message:
-----------
Cherry-pick 256843.5 at webkit-2022.12-embargoed (312254f5776d). https://bugs.webkit.org/show_bug.cgi?id=248776
Check displayContentsChanged in destroyRenderTreeIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=248776
rdar://102807985
Reviewed by Antti Koivisto.
Check displayContentsChanged in destroyRenderTreeIfNeeded since
display: contents may be removed due to focus removal while
removing subtrees but we still need to clean up pseudo elements.
* LayoutTests/fast/css/content/quote-display-contents-crash-expected.txt: Added.
* LayoutTests/fast/css/content/quote-display-contents-crash.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::resolveComputedStyle):
Canonical link: https://commits.webkit.org/256843.5@webkit-2022.12-embargoed
Commit: 4ae7f408059bd38eb1c5182bb95dbad92ab1d09b
https://github.com/WebKit/WebKit/commit/4ae7f408059bd38eb1c5182bb95dbad92ab1d09b
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 259548.12 at safari-7615-branch (099b24dd9eb3). <bug>
Cherry-pick 252432.1023 at safari-7614-branch (55c2b9caae92). rdar://101222657
[CoreIPC] Integer overflow in UIProcess from scaling/zoom factors
https://bugs.webkit.org/show_bug.cgi?id=250408
rdar://101222657
Reviewed by Wenson Hsieh and Jonathan Bedard.
Adds bounds checking via `MESSAGE_CHECK` to the page/plugin scale/zoom `factorDidChange`
methods in `WebPageProxy` to ensure that overflow will not occur in the web process.
The bounds were chosen to be `(0, 100]` because a factor of `<= 0.0` does not make sense,
and `100.0` is a reasonable upper bound.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::pageScaleFactorDidChange):
(WebKit::WebPageProxy::pluginScaleFactorDidChange):
(WebKit::WebPageProxy::pluginZoomFactorDidChange):
Canonical link: https://commits.webkit.org/252432.1023@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.12@safari-7615-branch
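The bounds check described above, as an added illustration that is not WebKit's WebPageProxy.cpp: a factor received from the web process is validated against the stated (0, 100] range before any arithmetic, written so that NaN is rejected too; `scaledLength` is a constructed stand-in for a MESSAGE_CHECK'd handler and additionally guards the product itself.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>

// Constructed illustration, not WebKit's WebPageProxy.cpp. The bounds are the
// ones the commit message gives, (0, 100].
static bool isValidScaleFactor(double factor) {
    // Positive comparisons only: NaN compares false against everything, so it
    // is rejected here along with 0, negatives and anything above 100. The
    // negated form !(factor <= 0 || factor > 100) would let NaN through.
    return factor > 0.0 && factor <= 100.0;
}

// Stand-in for a MESSAGE_CHECK'd IPC handler in the UI process: the factor
// sent by the web process is validated before it reaches any arithmetic.
static std::optional<int32_t> scaledLength(int32_t cssLength, double factor) {
    if (!isValidScaleFactor(factor))
        return std::nullopt; // MESSAGE_CHECK failure: the message is dropped
    const double scaled = std::round(static_cast<double>(cssLength) * factor);
    // Defence in depth: even a bounded factor can overflow a very large length,
    // so check the product against the destination type as well.
    if (scaled > std::numeric_limits<int32_t>::max() || scaled < std::numeric_limits<int32_t>::min())
        return std::nullopt;
    return static_cast<int32_t>(scaled);
}
```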
Commit: 8171f9091c7cfb32bd219593d0d037cb932ad405
https://github.com/WebKit/WebKit/commit/8171f9091c7cfb32bd219593d0d037cb932ad405
Author: Aditya Keerthi <akeerthi at apple.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
M Source/WebCore/Modules/contact-picker/ContactsManager.cpp
M Source/WebCore/Modules/contact-picker/ContactsManager.h
Log Message:
-----------
Cherry-pick 259548.13 at safari-7615-branch (f322e936fb84). <bug>
Cherry-pick 252432.1024 at safari-7614-branch (2ea437d75522). rdar://101241436
Use-after-free in ContactsManager::select
https://bugs.webkit.org/show_bug.cgi?id=250351
rdar://101241436
Reviewed by Wenson Hsieh and Jonathan Bedard.
`ContactsManager` can be destroyed prior to receiving the user's selection, which
is performed asynchronously. Deploy `WeakPtr` to avoid a use-after-free in this
scenario.
A test was unable to be added, as the failure scenario involves opening a new
Window, using the new Window object's `navigator.contacts`, and performing user
interaction. Creating a new Window results in the creation of a new web view,
however all of our existing UIScriptController hooks only apply to the original
(main) web view. Consequently, it is not possible to use our testing
infrastructure to dismiss the contact picker and trigger the callback in the
failure scenario.
* Source/WebCore/Modules/contact-picker/ContactsManager.cpp:
(WebCore::ContactsManager::select):
* Source/WebCore/Modules/contact-picker/ContactsManager.h:
Canonical link: https://commits.webkit.org/252432.1024@safari-7614-branch
Canonical link: https://commits.webkit.org/259548.13@safari-7615-branch
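The lifetime problem and fix described above, as an added illustration that is not WebKit's ContactsManager.cpp: a raw `this` captured by an asynchronous completion dangles when the owner is destroyed first, while a weak reference checked at callback time simply drops the result. std::weak_ptr stands in for WTF::WeakPtr, and the picker is a constructed callback queue so the scenario runs offline.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed illustration, not WebKit's ContactsManager.cpp: std::weak_ptr
// stands in for WTF::WeakPtr and the asynchronous picker is a queue of
// callbacks that can be run after the manager is gone.
using Selection = std::vector<std::string>;
static std::vector<std::function<void(const Selection&)>> g_pendingPicker;
static int g_selectionsDelivered = 0;

struct ContactsManager : std::enable_shared_from_this<ContactsManager> {
    // Unsafe shape (never invoked here): a raw `this` capture dangles if the
    // manager is destroyed before the user finishes picking.
    void selectUnsafe() {
        ContactsManager* self = this;
        g_pendingPicker.push_back([self](const Selection& s) { self->didSelect(s); });
    }
    // Fixed shape: capture a weak reference and bail out if the manager is gone.
    void selectSafe() {
        std::weak_ptr<ContactsManager> weakThis = weak_from_this();
        g_pendingPicker.push_back([weakThis](const Selection& s) {
            if (auto self = weakThis.lock())
                self->didSelect(s);
            // else: the manager was destroyed; the selection is dropped
        });
    }
    void didSelect(const Selection& s) { g_selectionsDelivered += static_cast<int>(s.size()); }
};

// The picker completes: run every pending callback once.
static void deliverPendingSelections(const Selection& s) {
    auto pending = std::move(g_pendingPicker);
    g_pendingPicker.clear();
    for (auto& cb : pending) cb(s);
}

// Returns how many contacts reached a live manager. With the manager destroyed
// while the picker is open (the window was closed), the weak path skips the
// callback and the count stays 0 instead of touching freed memory.
static int selectionsDelivered(bool destroyBeforePicking) {
    g_selectionsDelivered = 0;
    auto manager = std::make_shared<ContactsManager>();
    manager->selectSafe();
    if (destroyBeforePicking)
        manager.reset();
    deliverPendingSelections({"alice", "bob"});
    return g_selectionsDelivered;
}
```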
Commit: 4524c8a9e1d4ae627ea2279ffed0ff05f806adf0
https://github.com/WebKit/WebKit/commit/4524c8a9e1d4ae627ea2279ffed0ff05f806adf0
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2023-03-29 (Wed, 29 Mar 2023)
Changed paths:
A LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames-expected.txt
A LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames.html
M LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe-expected.txt
M LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
Log Message:
-----------
Cherry-pick 252432.1026 at safari-7614-branch (2a8469e53b2f). https://bugs.webkit.org/show_bug.cgi?id=248615
Remove inheritance of designMode attribute
https://bugs.webkit.org/show_bug.cgi?id=248615
Reviewed by Wenson Hsieh and Jonathan Bedard.
Stop making design mode inherit across frame boundaries.
This will prevent a form element from being injected into a victim page via drag & drop
and the new behavior matches that of Firefox and Chrome.
* LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames-expected.txt: Added.
* LayoutTests/editing/editability/design-mode-does-not-inherit-across-frames.html: Added.
* LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe-expected.txt:
* LayoutTests/fast/dom/HTMLElement/iscontenteditable-designmodeon-allinherit-subframe.html:
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::setDesignMode):
(WebCore::Document::inDesignMode const): Deleted.
* Source/WebCore/dom/Document.h:
(WebCore::Document::inDesignMode const):
Canonical link: https://commits.webkit.org/252432.1026@safari-7614-branch
Compare: https://github.com/WebKit/WebKit/compare/6dcdac4b3d5a...4524c8a9e1d4