[webkit-changes] [WebKit/WebKit] 96ab27: Cherry-pick 259548.22 at safari-7615-branch (433aae06...
Chirag Shah
noreply at github.com
Fri Mar 31 10:04:46 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 96ab27ee5dab69647ffea2ceb433d617f3c5e1e9
https://github.com/WebKit/WebKit/commit/96ab27ee5dab69647ffea2ceb433d617f3c5e1e9
Author: Gerald Squelart <g_squelart at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/WebCore/platform/graphics/IntRect.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 259548.22 at safari-7615-branch (433aae06c3e1). rdar://107445621
Validate IPC-decoded IntRects
rdar://101324985
Reviewed by Dean Jackson.
* Source/WebCore/platform/graphics/IntRect.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/259548.22@safari-7615-branch
Canonical link: https://commits.webkit.org/262412@main
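The first entry above validates IntRects after they are decoded from IPC. The following is an added illustration of that pattern (not WebKit's code; the `IntRect`, `Decoder`, `isValidIntRect` and `decodeValidatedIntRect` names and the exact checks are assumptions): a rect is rejected when a dimension is negative or when `x + width` or `y + height` would overflow `int`, so later geometry code never sees a rect it cannot represent.

```cpp
#include <climits>
#include <cstdint>
#include <cstring>
#include <optional>

// Hypothetical stand-in for WebCore::IntRect: integer origin and size.
struct IntRect {
    int x;
    int y;
    int width;
    int height;
};

// Hypothetical decoder over raw bytes received from the other process.
struct Decoder {
    const uint8_t* data;
    size_t size;
    size_t pos = 0;

    // Reads one native-endian int32; fails instead of reading past the buffer.
    bool decodeInt(int& out) {
        if (size - pos < sizeof(int32_t))
            return false;
        int32_t v;
        std::memcpy(&v, data + pos, sizeof v);
        pos += sizeof v;
        out = v;
        return true;
    }
};

// Assumed validation rule: non-negative size, and the far edges must fit in int.
// The overflow check is done in 64-bit arithmetic so it is itself well defined.
bool isValidIntRect(const IntRect& r) {
    if (r.width < 0 || r.height < 0)
        return false;
    const int64_t maxX = static_cast<int64_t>(r.x) + r.width;
    const int64_t maxY = static_cast<int64_t>(r.y) + r.height;
    return maxX <= INT_MAX && maxY <= INT_MAX;
}

// Decode four ints, then refuse the value unless it passes validation.
// Returning nullopt is the decoder-side equivalent of failing a MESSAGE_CHECK.
std::optional<IntRect> decodeValidatedIntRect(Decoder& d) {
    IntRect r;
    if (!d.decodeInt(r.x) || !d.decodeInt(r.y) || !d.decodeInt(r.width) || !d.decodeInt(r.height))
        return std::nullopt;
    if (!isValidIntRect(r))
        return std::nullopt;
    return r;
}

// Test helper: serialize a rect the same way the decoder reads it (constructed input).
size_t encodeRect(const IntRect& r, uint8_t* out) {
    const int32_t fields[4] = { r.x, r.y, r.width, r.height };
    std::memcpy(out, fields, sizeof fields);
    return sizeof fields;
}
```

Usage: wrap the decoder around a received buffer and call `decodeValidatedIntRect`; a `std::nullopt` result should terminate the message, not be silently replaced by a default rect.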
Commit: b3d58f33f176547ce13963aee482b6697537ea24
https://github.com/WebKit/WebKit/commit/b3d58f33f176547ce13963aee482b6697537ea24
Author: Simon Fraser <simon.fraser at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm
Log Message:
-----------
Cherry-pick 252432.1040 at safari-7614-branch (5f64e30a652b). rdar://107445664
[CoreIPC] Type confusion bugs in RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations
https://bugs.webkit.org/show_bug.cgi?id=250812
<rdar://102603221>
Reviewed by Jonathan Bedard and Ryosuke Niwa.
Add MESSAGE_CHECKing for two node types in code that runs in response to an IPC message.
Add an early return checking the root node type in code that runs from user events.
* Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm:
(WebKit::RemoteScrollingCoordinatorProxy::establishLayerTreeScrollingRelations):
(WebKit::RemoteScrollingCoordinatorProxy::nearestActiveContentInsetAdjustedSnapOffset const):
Canonical link: https://commits.webkit.org/252432.1040@safari-7614-branch
Canonical link: https://commits.webkit.org/262413@main
Commit: 8256763cced0d44f93e2d41a8de38396cc50bcdf
https://github.com/WebKit/WebKit/commit/8256763cced0d44f93e2d41a8de38396cc50bcdf
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt
A LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html
M Source/WebCore/rendering/RenderLayerModelObject.cpp
Log Message:
-----------
Cherry-pick 256843.4 at webkit-2022.12-embargoed (6234ec9c65b9). rdar://107445724
Do not issue repaints when in detached state
https://bugs.webkit.org/show_bug.cgi?id=248773
rdar://102808328
Reviewed by Antti Koivisto.
Do not issue repaints when the RenderObject is in detached state while removing render subtrees.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2-expected.txt: Added.
* LayoutTests/fast/table/table-cell-crash-when-detached-state-2.html: Added.
* Source/WebCore/rendering/RenderLayerModelObject.cpp:
(WebCore::RenderTableCell::willBeRemovedFromTree const):
Canonical link: https://commits.webkit.org/256843.4@webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/262414@main
Commit: 8a9408e8fc80e4be499eb9b34e5a816b4b4e4c1e
https://github.com/WebKit/WebKit/commit/8a9408e8fc80e4be499eb9b34e5a816b4b4e4c1e
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
A JSTests/wasm/stress/many-locals-small-wasm-stack.js
A JSTests/wasm/stress/many-locals-small-wasm-stack.wasm
A JSTests/wasm/stress/many-locals-small-wasm-stack.wat
M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
Log Message:
-----------
Cherry-pick 259548.25 at safari-7615-branch (1a20160f826c). rdar://107446004
Locals should update max stack size
rdar://104692168
Reviewed by Yusuke Suzuki.
We can forget to update the max stack size, causing an OOB stack read in
OSR entry. This only happens if you create a bunch of locals and never
push anything to the stack, so it should be very rare and difficult to
abuse.
* JSTests/wasm/stress/many-locals-small-wasm-stack.js: Added.
(async let):
* JSTests/wasm/stress/many-locals-small-wasm-stack.wasm: Added.
* JSTests/wasm/stress/many-locals-small-wasm-stack.wat: Added.
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addLocal):
Canonical link: https://commits.webkit.org/259548.25@safari-7615-branch
Canonical link: https://commits.webkit.org/262415@main
Commit: 2365ae2ca2bdf6abfe47b97f025413f746f00003
https://github.com/WebKit/WebKit/commit/2365ae2ca2bdf6abfe47b97f025413f746f00003
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
A LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html
A LayoutTests/fast/dom/set-outer-text-on-moved-element.html
M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
Log Message:
-----------
Cherry-pick 256843.6 at webkit-2022.12-embargoed (c4c0ef6360b2). rdar://107446251
Verify that style update roots are for correct document
https://bugs.webkit.org/show_bug.cgi?id=248775
rdar://102808104
Reviewed by Antti Koivisto.
Verify that style update roots are for the correct document since
we may be dealing with a pending update on an element/text node that
moved to another document.
* LayoutTests/fast/dom/set-outer-text-on-moved-element-expected.html: Added.
* LayoutTests/fast/dom/set-outer-text-on-moved-element.html: Added.
* Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::commit):
Canonical link: https://commits.webkit.org/256843.6@webkit-2022.12-embargoed
Canonical link: https://commits.webkit.org/262416@main
Commit: 982b9cb9edd11ccee2c29597e227e8721140104f
https://github.com/WebKit/WebKit/commit/982b9cb9edd11ccee2c29597e227e8721140104f
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/WebProcessProxy.cpp
Log Message:
-----------
Cherry-pick 259548.27 at safari-7615-branch (97035e098145). rdar://107446353
Use-after-free under WebProcessProxy::logDiagnosticMessageForResourceLimitTermination()
https://bugs.webkit.org/show_bug.cgi?id=251454
rdar://104818871
Reviewed by David Kilzer and Ryosuke Niwa.
The code was storing a reference to a temporary.
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::logDiagnosticMessageForResourceLimitTermination):
Canonical link: https://commits.webkit.org/259548.27@safari-7615-branch
Canonical link: https://commits.webkit.org/262417@main
Commit: 919be435a3495611464794bc4969ac18d5648af1
https://github.com/WebKit/WebKit/commit/919be435a3495611464794bc4969ac18d5648af1
Author: Patrick Angle <pangle at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
A LayoutTests/inspector/console/console-recursive-logging-expected.txt
A LayoutTests/inspector/console/console-recursive-logging.html
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp
M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.h
Log Message:
-----------
Cherry-pick 252432.1043 at safari-7614-branch (6633438abd8b). rdar://107446401
Web Inspector: Console messages that log a value that recursively logs crashes
https://bugs.webkit.org/show_bug.cgi?id=251018
rdar://104083913
Reviewed by Jonathan Bedard and Michael Saboff.
Web Inspector normally generates a preview for objects logged in the console when Web Inspector is open. However, it is
possible for authored pages to cause logging to occur when we attempt to generate the preview, as we must invoke getters
to get the values to display. In order to not recursively log messages to the console this patch turns off generating
previews for console messages that are logged while in the middle of logging another console message. The user can still
generate a preview later in Web Inspector by using the disclosure triangle next to the message, which will then cause
the getter to be invoked, but the same protection will kick in to prevent recursive logging via generating previews
for objects.
* LayoutTests/inspector/console/console-recursive-logging-expected.txt: Added.
* LayoutTests/inspector/console/console-recursive-logging.html: Added.
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::addConsoleMessage):
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.h:
Canonical link: https://commits.webkit.org/252432.1043@safari-7614-branch
Canonical link: https://commits.webkit.org/262418@main
Commit: ddfe0003cdba6838da5501c9bfb8db59d11eafc0
https://github.com/WebKit/WebKit/commit/ddfe0003cdba6838da5501c9bfb8db59d11eafc0
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm
Log Message:
-----------
Cherry-pick 259548.29 at safari-7615-branch (ce8f16b1a26e). rdar://107446506
[CoreIPC] division by zero in _restoreScrollAndZoomStateForTransaction
https://bugs.webkit.org/show_bug.cgi?id=251095
rdar://101521038
Reviewed by Wenson Hsieh and Jonathan Bedard.
In `_restorePageStateToUnobscuredCenter`, a division-by-zero can occur if `_scaleToRestore == 0.0`.
This PR adds a `MESSAGE_CHECK` to the IPC methods which set this variable to ensure that only
positive scale values may be set.
* Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm:
(WebKit::WebPageProxy::restorePageState):
(WebKit::WebPageProxy::restorePageCenterAndScale):
Canonical link: https://commits.webkit.org/259548.29@safari-7615-branch
Canonical link: https://commits.webkit.org/262419@main
Commit: 71985aa1520560154a329e5b54159fff3173cf22
https://github.com/WebKit/WebKit/commit/71985aa1520560154a329e5b54159fff3173cf22
Author: Ryan Reno <rreno at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
M Source/JavaScriptCore/runtime/Error.cpp
M Source/JavaScriptCore/runtime/StackFrame.cpp
M Source/JavaScriptCore/runtime/StackFrame.h
M Source/WTF/wtf/URL.cpp
M Source/WTF/wtf/URL.h
M Source/WebInspectorUI/UserInterface/Base/URLUtilities.js
M Source/WebInspectorUI/UserInterface/Models/DebuggerData.js
M Tools/TestWebKitAPI/Tests/WTF/URL.cpp
Log Message:
-----------
Cherry-pick 259548.30 at safari-7615-branch (49109db4ab87). rdar://107446551
Error object stacktraces may leak sensitive data in URL query parameters
https://bugs.webkit.org/show_bug.cgi?id=250760
rdar://104376838
Reviewed by Patrick Angle.
If a remote script is delivered after a redirect, sensitive data may be present
in the post-redirect URL. If the script later throws an error, the error event
object will have that post-redirect URL in its stacktrace and sourceURL properties.
* Source/JavaScriptCore/runtime/Error.cpp:
(JSC::getLineColumnAndSource):
* Source/JavaScriptCore/runtime/StackFrame.cpp:
(JSC::StackFrame::sourceURLStripped const):
This is a new function which uses the URL class to strip
potentially sensitive information from the URL of the script
which contains the code for the current stack frame.
(JSC::StackFrame::toString const):
* Source/JavaScriptCore/runtime/StackFrame.h:
* Source/WTF/wtf/URL.cpp:
(WTF::URL::strippedForUseAsReport const):
This is a function similar to strippedForUseAsReferrer except we also remove
query parameters from the URL while strippedForUseAsReferrer only strips
user information and fragment.
* Source/WTF/wtf/URL.h:
* Source/WebInspectorUI/UserInterface/Base/URLUtilities.js:
Adds a utility function similar to WTF::URL::strippedForUseAsReport.
* Source/WebInspectorUI/UserInterface/Models/DebuggerData.js:
(WI.DebuggerData.prototype.scriptsForURL):
(WI.DebuggerData.prototype.addScript):
The Web Inspector debugger maps URLs it knows about to URLs reported
by the stack frames in an error object's stack trace. This allows one
to jump to offending source lines in the web inspector. In order to
correctly map the stripped URL reported in a stack trace we need to key
the map on the stripped URL as well.
* Tools/TestWebKitAPI/Tests/WTF/URL.cpp:
(TestWebKitAPI::TEST_F):
Adds a unit test for URL::strippedForUseAsReport.
Canonical link: https://commits.webkit.org/259548.30@safari-7615-branch
Canonical link: https://commits.webkit.org/262420@main
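The entry above distinguishes two levels of URL stripping: the referrer form removes user information and the fragment, while the report form additionally removes the query, because redirect targets often carry tokens there. The following is an added, self-contained illustration of that distinction in plain C++ (not WebKit's `WTF::URL` code; the function names mirror the ones in the log but the string handling is an assumption of this example): it locates the authority component, drops any userinfo before the last `@` in it, and cuts the fragment and, for reports, the query.

```cpp
#include <string>
#include <string_view>

// Strip the parts of an absolute URL that should not leave the process in
// diagnostics. stripQuery selects the more aggressive "report" form.
std::string stripUrl(std::string_view url, bool stripQuery) {
    constexpr size_t npos = std::string_view::npos;

    // Fragment is never needed for referrers or reports.
    if (size_t hash = url.find('#'); hash != npos)
        url = url.substr(0, hash);

    // Query may carry tokens from a redirect target: drop it for reports.
    if (stripQuery) {
        if (size_t q = url.find('?'); q != npos)
            url = url.substr(0, q);
    }

    // Only absolute URLs with an authority have userinfo to remove.
    size_t schemeEnd = url.find("://");
    if (schemeEnd == npos)
        return std::string(url);

    size_t authorityStart = schemeEnd + 3;
    size_t authorityEnd = url.find_first_of("/?", authorityStart);
    if (authorityEnd == npos)
        authorityEnd = url.size();

    std::string_view authority = url.substr(authorityStart, authorityEnd - authorityStart);

    std::string out(url.substr(0, authorityStart));
    // Userinfo ends at the last '@' of the authority ("user:pw@host").
    if (size_t at = authority.rfind('@'); at != npos)
        out += authority.substr(at + 1);
    else
        out += authority;
    out += url.substr(authorityEnd);
    return out;
}

// Referrer form: keep the query, remove userinfo and fragment.
std::string strippedForUseAsReferrer(std::string_view url) {
    return stripUrl(url, false);
}

// Report form: also remove the query, so stack traces carry no redirect tokens.
std::string strippedForUseAsReport(std::string_view url) {
    return stripUrl(url, true);
}
```

Design note: the report form is the one to use wherever a URL is copied into a place that authored code can read back, such as an Error's `sourceURL` or stack string; the referrer form is not enough there because the leaked value is precisely the query.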
Commit: a8fc73077082ccee3003ba4eaab65cfb23d9c37b
https://github.com/WebKit/WebKit/commit/a8fc73077082ccee3003ba4eaab65cfb23d9c37b
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-03-31 (Fri, 31 Mar 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/grid-stylechange-crash-expected.txt
A LayoutTests/fast/css-grid-layout/grid-stylechange-crash.html
M Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp
M Source/WebCore/rendering/RenderGrid.cpp
M Source/WebCore/rendering/RenderGrid.h
Log Message:
-----------
Cherry-pick 252432.1044 at safari-7614-branch (22cbd76bcc96). rdar://107446655
Invalidate grid placement when style changes to subgrid
rdar://104559684
Reviewed by Jonathan Bedard and Matt Woodrow.
Before this change, we didn't invalidate parent and child placement
info, leading to an OOB read into the parent tracks information when
copying that to the child. This change fixes that.
* LayoutTests/fast/css-grid-layout/grid-stylechange-crash-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/grid-stylechange-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::styleDidChange):
(WebCore::RenderGrid::subgridDidChange const):
(WebCore::RenderGrid::dirtyGrid):
* Source/WebCore/rendering/RenderGrid.h:
* Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:
(WebCore::GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid):
Canonical link: https://commits.webkit.org/252432.1044@safari-7614-branch
Canonical link: https://commits.webkit.org/262421@main
Compare: https://github.com/WebKit/WebKit/compare/99b76ecafc37...a8fc73077082