[webkit-changes] [WebKit/WebKit] cf8b52: Cherry-pick 252432.1045 at safari-7614-branch (77446d...

Chris Dumez noreply at github.com
Fri Mar 31 14:50:07 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf8b521ab2010b043f9ce89169149f479c5f02ac
      https://github.com/WebKit/WebKit/commit/cf8b521ab2010b043f9ce89169149f479c5f02ac
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/JavaScriptCore/API/JSCallbackConstructor.h
    M Source/JavaScriptCore/API/JSCallbackFunction.h
    M Source/JavaScriptCore/API/JSClassRef.h
    M Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h
    M Source/JavaScriptCore/API/ObjCCallbackFunction.h
    M Source/JavaScriptCore/runtime/ClassInfo.h
    M Source/JavaScriptCore/runtime/Lookup.h

  Log Message:
  -----------
  Cherry-pick 252432.1045 at safari-7614-branch (77446d5c727e). rdar://107473787

    [Re-land] Add additional PAC diversity for function pointers in JSC API data structures as we do for vtbls.
    https://bugs.webkit.org/show_bug.cgi?id=248702
    <rdar://problem/102768157>

    Reviewed by Yusuke Suzuki.

    * Source/JavaScriptCore/API/JSCallbackConstructor.h:
    * Source/JavaScriptCore/API/JSCallbackFunction.h:
    * Source/JavaScriptCore/API/JSClassRef.h:
    * Source/JavaScriptCore/API/JSWeakObjectMapRefInternal.h:
    * Source/JavaScriptCore/API/ObjCCallbackFunction.h:
    * Source/JavaScriptCore/runtime/ClassInfo.h:
    * Source/JavaScriptCore/runtime/Lookup.h:

    Canonical link: https://commits.webkit.org/252432.1045@safari-7614-branch

Canonical link: https://commits.webkit.org/262447@main


  Commit: bbd4b0ac5848fa94bbcb7c6aa87df4ab352acabf
      https://github.com/WebKit/WebKit/commit/bbd4b0ac5848fa94bbcb7c6aa87df4ab352acabf
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/JavaScriptCore/API/JSScript.mm
    M Source/JavaScriptCore/API/JSScriptRef.cpp
    M Source/JavaScriptCore/inspector/ScriptCallFrame.cpp
    M Source/JavaScriptCore/inspector/ScriptCallFrame.h
    M Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp
    M Source/JavaScriptCore/interpreter/StackVisitor.cpp
    M Source/JavaScriptCore/interpreter/StackVisitor.h
    M Source/JavaScriptCore/parser/SourceProvider.cpp
    M Source/JavaScriptCore/parser/SourceProvider.h
    M Source/JavaScriptCore/runtime/CachedTypes.cpp
    M Source/JavaScriptCore/runtime/ScriptExecutable.h
    M Source/WebCore/bindings/js/CachedScriptSourceProvider.h
    M Source/WebCore/bindings/js/ScriptBufferSourceProvider.h
    M Source/WebCore/bindings/js/ScriptModuleLoader.cpp
    M Source/WebCore/bindings/js/ScriptSourceCode.h
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerThread.cpp

  Log Message:
  -----------
  Cherry-pick 259548.39 at safari-7615-branch (c68b7da0d9b4). rdar://107474520

    Cross-Site Information Leak: CSP violation reports may contain a post-redirect URL
    https://bugs.webkit.org/show_bug.cgi?id=251282
    rdar://104753003

    Reviewed by Yusuke Suzuki.

    The source-file field of a CSP violation report may contain a URL which has sensitive data in the
    query string if it was the result of a redirect. The CSP spec in non-normative terms suggests
    that in the case of a redirect (such as a login flow which appends a login token) we should report
    violations in the resulting resource with the pre-redirect URL to avoid cross-site information leaks
    via the CSP reporting API.

    Source/JavaScriptCore:
      Plumbing code to make pre-redirect URLs available in ScriptCallStacks.
      When a ScriptCallStack is created by the StackVisitor the ScriptCallFrame
      objects will be populated with the pre-redirect URL by consulting the SourceProvider. WebCore
      will conditionally set the preRedirectURL member if the resource was obtained via a redirected
      response.

    * Source/JavaScriptCore/API/JSScript.mm:
    (-[JSScript sourceCode]):
    * Source/JavaScriptCore/API/JSScriptRef.cpp:
    * Source/JavaScriptCore/inspector/ScriptCallFrame.cpp:
    (Inspector::ScriptCallFrame::ScriptCallFrame):
    (Inspector::ScriptCallFrame::isEqual const):
    * Source/JavaScriptCore/inspector/ScriptCallFrame.h:
    * Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp:
    (Inspector::CreateScriptCallStackFunctor::operator() const):
    * Source/JavaScriptCore/interpreter/StackVisitor.cpp:
    (JSC::StackVisitor::Frame::preRedirectURL const):
    * Source/JavaScriptCore/interpreter/StackVisitor.h:
    * Source/JavaScriptCore/parser/SourceProvider.cpp:
    (JSC::SourceProvider::SourceProvider):
    (JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider):
    * Source/JavaScriptCore/parser/SourceProvider.h:
    (JSC::SourceProvider::preRedirectURL const):
    (JSC::StringSourceProvider::StringSourceProvider):
    * Source/JavaScriptCore/runtime/CachedTypes.cpp:
    (JSC::CachedSourceProviderShape::encode):
    * Source/JavaScriptCore/runtime/ScriptExecutable.h:
    (JSC::ScriptExecutable::preRedirectURL const):

    Source/WebCore:
      This updates the constructors for ScriptSourceCode objects to pass
      null strings for the preRedirectURL parameter. In the cases where we can detect
      whether a redirect happened or not we pass the pre-redirect URL to the SourceProvider.

    * Source/WebCore/bindings/js/CachedScriptSourceProvider.h:
    (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
    * Source/WebCore/bindings/js/ScriptBufferSourceProvider.h:
    * Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
    (WebCore::ScriptModuleLoader::notifyFinished):
    * Source/WebCore/bindings/js/ScriptSourceCode.h:
    (WebCore::ScriptSourceCode::ScriptSourceCode):
    * Source/WebCore/workers/WorkerGlobalScope.cpp:
    (WebCore::WorkerGlobalScope::importScripts):
    * Source/WebCore/workers/WorkerThread.cpp:
    (WebCore::WorkerThread::evaluateScriptIfNecessary):

    * Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::reportViolation const):
      To populate the source-file field of a CSP report we consult the
      JavaScript call stack. The source URL of the frame may be the
      result of a redirect in which case we should use the pre-redirect
      URL in the report to avoid leaking potentially sensitive data in the post-redirect URL.

    Canonical link: https://commits.webkit.org/259548.39@safari-7615-branch

Canonical link: https://commits.webkit.org/262448@main
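The leak the commit above closes, shown as an added JavaScript example that is not WebKit's code: when a script was fetched through a redirect, the report's source-file field must be derived from the pre-redirect request URL, with credentials and fragment stripped as the CSP "strip URL for use in reports" step requires. The function names and sample URLs are constructed for illustration.

```javascript
// Added example (not WebKit code): deriving the "source-file" field of a CSP
// violation report so that a post-redirect URL (e.g. one carrying a login token
// in its query string) is never exposed through the reporting endpoint.

// Strip a URL for use in a report: non-HTTP(S)/WS(S) schemes collapse to the
// scheme name; otherwise drop credentials and fragment and return the rest.
function stripUrlForReport(urlString) {
  const url = new URL(urlString);
  if (!["http:", "https:", "ws:", "wss:"].includes(url.protocol)) {
    return url.protocol.slice(0, -1);
  }
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// sourceURL: where the script actually came from (post-redirect).
// preRedirectURL: the URL originally requested, or null when no redirect
// occurred. Only the pre-redirect URL may appear in the report.
function sourceFileForReport(sourceURL, preRedirectURL) {
  return stripUrlForReport(preRedirectURL ?? sourceURL);
}

// Assemble the subset of report fields relevant to the leak.
function buildViolationReport({ documentURL, directive, sourceURL, preRedirectURL }) {
  return {
    "document-uri": stripUrlForReport(documentURL),
    "violated-directive": directive,
    "source-file": sourceFileForReport(sourceURL, preRedirectURL),
  };
}

// Constructed sample: /app.js was requested, a login flow redirected to the
// same path with a token appended, and the loaded script then caused a violation.
const sampleReport = buildViolationReport({
  documentURL: "https://app.example/page#section",
  directive: "script-src",
  sourceURL: "https://app.example/app.js?login_token=CONSTRUCTED-SECRET",
  preRedirectURL: "https://app.example/app.js",
});
```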


  Commit: faa22c0d431338ec56125e08b68ae2bf9b4e5949
      https://github.com/WebKit/WebKit/commit/faa22c0d431338ec56125e08b68ae2bf9b4e5949
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/mathml/relations/css-styling/out-of-flow/all-mathml-containers-expected.txt
    A LayoutTests/mathml/mathmltoken-layout-crash-expected.txt
    A LayoutTests/mathml/mathmltoken-layout-crash.html
    M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp

  Log Message:
  -----------
  Cherry-pick 259548.40 at safari-7615-branch (bf2c7c5b03b0). rdar://107474555

    Fix layout for positioned children for RenderMathMLToken
    rdar://104598552

    Reviewed by Alan Baradlay.

    Before this change, the layout method in RenderMathMLToken (<ms>) never
    added positioned elements to the map for their container, which meant if
    the positioned children are dirty, their layout will never be triggered.
    This change fixes that by looking at direct children of
    RenderMathMLToken and adding them to their container's positioned
    elements map, so that their layout happens as expected.

    * LayoutTests/mathml/mathmltoken-layout-crash-expected.txt: Added.
    * LayoutTests/mathml/mathmltoken-layout-crash.html: Added.
    * Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
    (WebCore::RenderMathMLToken::layoutBlock):

    Canonical link: https://commits.webkit.org/259548.40@safari-7615-branch

Canonical link: https://commits.webkit.org/262449@main


  Commit: 16963d77f57d897e338a0bea9e74257fc65c88d9
      https://github.com/WebKit/WebKit/commit/16963d77f57d897e338a0bea9e74257fc65c88d9
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/JavaScriptCore/yarr/YarrJIT.cpp

  Log Message:
  -----------
  Cherry-pick 259548.45 at safari-7615-branch (9930b53ebce1). rdar://107474607

    [JSC] RegExp.test inline is missing another stack overflow check
    https://bugs.webkit.org/show_bug.cgi?id=251741
    rdar://104072550

    Reviewed by Mark Lam.

    Converted the ASSERT(!m_failureReason) into a check that when true will bail out of the inline code
    and call out to the C++ operation.  This check handles any errors while compiling the RegExp pattern
    into YarrJIT IR during the processing of opCompileBody().

    I also audited all of the other possible error cases that the YarrJIT might produce and they are already
    handled by this and the prior change.

    The current test already covers this case.

    * Source/JavaScriptCore/yarr/YarrJIT.cpp:

    Canonical link: https://commits.webkit.org/259548.45@safari-7615-branch

Canonical link: https://commits.webkit.org/262450@main


  Commit: 2f7c74050e5b28c93963c359dddc44325fe14832
      https://github.com/WebKit/WebKit/commit/2f7c74050e5b28c93963c359dddc44325fe14832
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-03-31 (Fri, 31 Mar 2023)

  Changed paths:
    M Source/WTF/wtf/PlatformUse.h
    M Source/WebCore/page/MemoryRelease.cpp
    M Source/WebCore/platform/audio/HRTFElevation.cpp
    M Source/WebCore/platform/audio/HRTFElevation.h

  Log Message:
  -----------
  Cherry-pick 259548.46 at safari-7615-branch (a00a15e7abe0). rdar://107474676

    Fix various issues with HRTFElevation's getConcatenatedImpulseResponsesForSubject()
    https://bugs.webkit.org/show_bug.cgi?id=251643
    rdar://104980786

    Reviewed by Eric Carlson.

    Fix various issues with HRTFElevation's getConcatenatedImpulseResponsesForSubject():
    - Add a lock to synchronize access to the global HashMap of AudioBus objects
      since this may get called from different threads.
    - Make sure we call isolatedCopy() on the String key before adding it to the HashMap
      for thread safety.
    - Make sure we clear this global HashMap on critical memory pressure to free up
      memory.
    - Use smart pointers instead of raw pointers.
    - Modernize the code a bit.

    * Source/WTF/wtf/PlatformUse.h:
    * Source/WebCore/page/MemoryRelease.cpp:
    (WebCore::releaseCriticalMemory):
    * Source/WebCore/platform/audio/HRTFElevation.cpp:
    (WebCore::WTF_REQUIRES_LOCK):
    (WebCore::getConcatenatedImpulseResponsesForSubject):
    (WebCore::HRTFElevation::clearCache):
    (WebCore::HRTFElevation::calculateKernelsForAzimuthElevation):
    * Source/WebCore/platform/audio/HRTFElevation.h:

    Canonical link: https://commits.webkit.org/259548.46@safari-7615-branch

Canonical link: https://commits.webkit.org/262451@main


Compare: https://github.com/WebKit/WebKit/compare/55616cb231b6...2f7c74050e5b