[webkit-changes] [WebKit/WebKit] 7093bc: Cherry-pick 264244 at main (a84036c6d1d6). https://bu...
Adrian Perez
noreply at github.com
Mon May 22 14:37:28 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 7093bcb6d649597962c82fd0e9a92d329ba8fb48
https://github.com/WebKit/WebKit/commit/7093bcb6d649597962c82fd0e9a92d329ba8fb48
Author: Carlos Alberto Lopez Perez <clopez at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/cmake/BubblewrapSandboxChecks.cmake
M Tools/yocto/targets.conf
Log Message:
-----------
Cherry-pick 264244 at main (a84036c6d1d6). https://bugs.webkit.org/show_bug.cgi?id=251835
[WPE][GTK][CMake] The path to bwrap and xdg-dbus-proxy should not be auto-detected when cross-compiling
https://bugs.webkit.org/show_bug.cgi?id=256679
Reviewed by Adrian Perez de Castro.
When enabling -DENABLE_BUBBLEWRAP_SANDBOX=ON it is needed to define for the build
the paths (full paths) to the bwrap and xdg-dbus-proxy binaries.
The current CMake code is auto-detecting those paths by calling the CMake
function find_program(): so it is defining the paths to those programs with
the values from the host system.
But when cross-compiling that is wrong because the target binaries end up with the
values for the paths from the host system, which don't necessarily have to match
the values from the target system.
I can't see how it will be possible to auto-detect the value that these programs
will have in the target system from the host system, so the only sane way of
dealing with this seems to be to give an error at configure time and ask for
those paths to be defined manually.
This patch changes the code to only try to auto-detect those binaries when not
cross-compiling.
Also update the default build parameters for the cross-building of targets
with cross-toolchain-helper to define the right paths that those targets will
have at run-time.
* Source/cmake/BubblewrapSandboxChecks.cmake:
* Tools/yocto/targets.conf:
Canonical link: https://commits.webkit.org/264244@main
Commit: 8e4517d1d5e1ee00e8e410f27796b1cba50dc5f0
https://github.com/WebKit/WebKit/commit/8e4517d1d5e1ee00e8e410f27796b1cba50dc5f0
Author: Patrick Griffis <pgriffis at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/WTF/wtf/glib/Sandbox.cpp
M Source/WTF/wtf/glib/Sandbox.h
M Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp
Log Message:
-----------
Cherry-pick 264196 at main (4c39f3875728). https://bugs.webkit.org/show_bug.cgi?id=256917
[GLib] Re-enable bwrap sandbox in containers when supported
https://bugs.webkit.org/show_bug.cgi?id=256917
Reviewed by Michael Catanzaro.
This detects if bwrap actually works inside of a container instead
of always disabling it.
* Source/WTF/wtf/glib/Sandbox.cpp:
(WTF::isInsideUnsupportedContainer):
(WTF::isInsideContainer): Deleted.
* Source/WTF/wtf/glib/Sandbox.h:
* Source/WebKit/UIProcess/Launcher/glib/ProcessLauncherGLib.cpp:
(WebKit::ProcessLauncher::launchProcess):
Canonical link: https://commits.webkit.org/264196@main
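The commit above replaces a blanket "inside a container, so disable the sandbox" rule with a probe of whether bwrap can actually launch. The following Python is an added example of that approach, not WebKit's C++ (WTF::isInsideUnsupportedContainer) and not code from this change. The bwrap flags used are real bubblewrap options; the container markers checked, the 5-second timeout, and the function names are this example's own assumptions. The runner is injectable so the decision logic can be exercised on hosts without bwrap.

```python
"""Probe whether bubblewrap (bwrap) can really create a sandbox on this host.

Added example; not WebKit code. Mirrors the idea of testing bwrap instead of
assuming that "inside a container" means "no sandbox".
"""
import os
import shutil
import subprocess
from typing import Callable, List, Optional, Sequence

# Minimal sandbox: read-only bind of / plus fresh namespaces. If user
# namespaces are blocked (a common seccomp/LSM policy inside containers),
# bwrap fails here rather than at the first real WebProcess launch.
PROBE_ARGS: List[str] = [
    "--ro-bind", "/", "/",
    "--unshare-all",
    "--die-with-parent",
    "--", "/bin/true",
]


def run_probe(argv: Sequence[str]) -> int:
    """Run argv silently with a timeout; return its exit status (127 on launch failure)."""
    try:
        completed = subprocess.run(
            list(argv),
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=5,          # assumption: a working bwrap returns well within this
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return 127
    return completed.returncode


def in_container() -> bool:
    """Heuristic container detection (assumption: these marker files are enough)."""
    return any(os.path.exists(p) for p in ("/.flatpak-info", "/run/.containerenv", "/.dockerenv"))


def bwrap_usable(runner: Callable[[Sequence[str]], int] = run_probe,
                 bwrap_path: Optional[str] = None) -> bool:
    """True only if a bwrap binary exists AND a minimal sandbox launch succeeds.

    The container flag is deliberately not consulted: a runtime that permits
    user namespaces keeps the sandbox, one that blocks them fails the probe.
    """
    path = bwrap_path if bwrap_path is not None else shutil.which("bwrap")
    if not path:
        return False
    return runner([path] + PROBE_ARGS) == 0


def sandbox_decision(probe_ok: bool, inside_container: bool) -> str:
    """Policy string: the probe result decides; the container flag only explains a failure."""
    if probe_ok:
        return "enable"
    if inside_container:
        return "disable (container blocks namespaces)"
    return "disable (bwrap unavailable)"


if __name__ == "__main__":
    print(sandbox_decision(bwrap_usable(), in_container()))
```

The probe runs the same binary and namespace options the real launcher would use, so a host where bwrap is installed but cannot unshare namespaces is reported as unsupported instead of being assumed usable from the mere presence of the binary.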
Commit: 521133306268084f6a6d9367b7a1cf4d15b1fd6a
https://github.com/WebKit/WebKit/commit/521133306268084f6a6d9367b7a1cf4d15b1fd6a
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fullscreen/element-clear-during-fullscreen-crash-expected.txt
A LayoutTests/fullscreen/element-clear-during-fullscreen-crash.html
M Source/WebKit/WebProcess/FullScreen/WebFullScreenManager.cpp
Log Message:
-----------
Cherry-pick 259548.352 at safari-7615-branch (9f301d9e042e). https://bugs.webkit.org/show_bug.cgi?id=253129
Bail out early if m_element is deleted
https://bugs.webkit.org/show_bug.cgi?id=253129
rdar://104290899
Reviewed by Jer Noble.
A call to WebFullScreenManager::willEnterFullScreen() can end up calling
WebFullScreenManager::clearElement() which can happen when location.hash
is changed. This clears the m_element which is then later used in
willEnterFullScreen(). This change bails out early if this happens and
cleans up the state-machine.
* LayoutTests/fullscreen/element-clear-during-fullscreen-crash-expected.txt: Added.
* LayoutTests/fullscreen/element-clear-during-fullscreen-crash.html: Added.
* Source/WebKit/WebProcess/FullScreen/WebFullScreenManager.cpp:
(WebKit::WebFullScreenManager::willEnterFullScreen):
Canonical link: https://commits.webkit.org/259548.352@safari-7615-branch
Commit: ffc8ffc4b0d337d53425b2806d6e66012bcad21a
https://github.com/WebKit/WebKit/commit/ffc8ffc4b0d337d53425b2806d6e66012bcad21a
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/html/element-moving-to-new-document-crash-expected.txt
A LayoutTests/fast/html/element-moving-to-new-document-crash.html
M Source/WebCore/dom/Element.cpp
M Source/WebCore/dom/UserActionElementSet.cpp
M Source/WebCore/dom/UserActionElementSet.h
Log Message:
-----------
Cherry-pick 259548.353 at safari-7615-branch (b82284c1f8c5). https://bugs.webkit.org/show_bug.cgi?id=253012
Clear UserActionElement state for the node when it is moved from the Document to a different one
https://bugs.webkit.org/show_bug.cgi?id=253012
rdar://105876245
Reviewed by Ryosuke Niwa.
Before this change, when an element was moved from oldDocument to
newDocument, and we had UserActionElementSet state for it, we never
cleared that. This meant that the element was still marked to have this
state, which the newDocument doesn't know about. This change fixes
that.
* LayoutTests/fast/html/element-moving-to-new-document-crash-expected.txt: Added.
* LayoutTests/fast/html/element-moving-to-new-document-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::removedFromAncestor):
* Source/WebCore/dom/UserActionElementSet.cpp:
(WebCore::UserActionElementSet::clear):
* Source/WebCore/dom/UserActionElementSet.h:
(WebCore::UserActionElementSet::clearAllForElement):
Canonical link: https://commits.webkit.org/259548.353@safari-7615-branch
Commit: 368c41d71d0bdcd39dc779760cbbcc8a21610ba6
https://github.com/WebKit/WebKit/commit/368c41d71d0bdcd39dc779760cbbcc8a21610ba6
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/gridmatrix-columnSize-failure-expected.txt
A LayoutTests/fast/css-grid-layout/gridmatrix-columnSize-failure.html
M Source/WebCore/rendering/Grid.cpp
M Source/WebCore/rendering/Grid.h
Log Message:
-----------
Cherry-pick 259548.376 at safari-7615-branch (189d480c5fbd). https://bugs.webkit.org/show_bug.cgi?id=253127
Assertion failure in GridIterator ASSERT(m_grid.numTracks(ForColumns))
https://bugs.webkit.org/show_bug.cgi?id=253127
rdar://105548703
Reviewed by Matt Woodrow.
The grid matrix for a subgrid of an element in the row-axis has one row with no columns, which are then lazily created as needed. An assertion in GridIterator constructor fails as column size is zero. This change additionally checks the maximum Columns ivar of the grid class to assert only for valid cases.
* Source/WebCore/rendering/Grid.cpp:
(WebCore::Grid::gridItemSpanIgnoringCollapsedTracks const):
(WebCore::GridIterator::GridIterator):
(WebCore::GridIterator::nextGridItem):
(WebCore::GridIterator::isEmptyAreaEnough const):
(WebCore::GridIterator::nextEmptyGridArea):
* Source/WebCore/rendering/Grid.h:
Canonical link: https://commits.webkit.org/259548.376@safari-7615-branch
Commit: efc442b8bbbcb10b37b2aec1314f4697df8efc0b
https://github.com/WebKit/WebKit/commit/efc442b8bbbcb10b37b2aec1314f4697df8efc0b
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick 259548.377 at safari-7615-branch (25a414a61f3e). https://bugs.webkit.org/show_bug.cgi?id=252801
FTL missing bound check of for-in loop
https://bugs.webkit.org/show_bug.cgi?id=252801
rdar://105820083
Reviewed by Michael Saboff.
EnumeratorNextUpdateIndexAndMode for IndexedMode uses HasIndexProperty internally. But
this node does not do a bound check when ArrayMode is inBounds in FTL since the FTL SSALowering
phase extracts this bound check as a separate CheckInBounds node. But for EnumeratorNextUpdateIndexAndMode,
we cannot do that since EnumeratorNextUpdateIndexAndMode's index is incremented internally. Thus,
we need to do the bound check inside EnumeratorNextUpdateIndexAndMode when it is not done in HasIndexProperty's
code.
* JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js: Added.
(shouldBe):
(opt):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/259548.377@safari-7615-branch
Commit: b1691f21891aec9f24f4b3c43f139d31a0ef564e
https://github.com/WebKit/WebKit/commit/b1691f21891aec9f24f4b3c43f139d31a0ef564e
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A JSTests/stress/regexp-lookbehind-greedy-backreference.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 259548.378 at safari-7615-branch (3d135908241d). https://bugs.webkit.org/show_bug.cgi?id=253466
ASAN_BUS | Yarr::Interpreter::matchDisjunction; Yarr::Interpreter::backtrackParentheses; Yarr::Interpreter::matchDisjunction
https://bugs.webkit.org/show_bug.cgi?id=253466
rdar://105669717
Reviewed by Yusuke Suzuki.
When backtracking, i.e. unmatching a greedy backreference in a lookbehind, the unmatch requires moving the input pointer
forward. This means we need to do a checkInput() instead of a rewind() in this case.
* JSTests/stress/regexp-lookbehind-greedy-backreference.js: Added.
(arrayToString):
(dumpValue):
(compareArray):
(testRegExp):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackBackReference):
Canonical link: https://commits.webkit.org/259548.378@safari-7615-branch
Commit: 4d3e2508cb2d773e2f8175b89f8dc803c4d4f502
https://github.com/WebKit/WebKit/commit/4d3e2508cb2d773e2f8175b89f8dc803c4d4f502
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.c
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.h
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/encoder_utils.c
Log Message:
-----------
Cherry-pick 259548.381 at safari-7615-branch (1de648970cbf). https://bugs.webkit.org/show_bug.cgi?id=253498
av1/encoder/encoder_utils.c & a/av1/common/resize: Stack-buffer-overflow in aom_scaled_2d_ssse3
https://bugs.webkit.org/show_bug.cgi?id=253498
rdar://106063201
Reviewed by Eric Carlson.
Cherry-pick upstream change from https://aomedia.googlesource.com/aom/+/6318378f833b2a0d8e67fb3d12bcdc4e1c26b0e6%5E%21/#F2.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.c:
(av1_realloc_and_scale_if_required):
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/common/resize.h:
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/encoder_utils.c:
(av1_scale_references):
Canonical link: https://commits.webkit.org/259548.381@safari-7615-branch
Commit: a4cd16417868c048617d90e6581295901557ae04
https://github.com/WebKit/WebKit/commit/a4cd16417868c048617d90e6581295901557ae04
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/api/stats/rtc_stats_report.h
M Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector.cc
M Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector_unittest.cc
M Source/ThirdParty/libwebrtc/Source/webrtc/pc/test/fake_peer_connection_for_stats.h
M Source/ThirdParty/libwebrtc/Source/webrtc/stats/rtc_stats_report.cc
Log Message:
-----------
Cherry-pick 259548.382 at safari-7615-branch (adde9296b1b1). https://bugs.webkit.org/show_bug.cgi?id=253510
[WebRTC] heap-use-after-free : webrtc::`anonymous namespace'::ProduceRemoteInboundRtpStreamStatsFromReportBlockData
https://bugs.webkit.org/show_bug.cgi?id=253510
rdar://106063452
Reviewed by Eric Carlson.
We first cherry-pick libwebrtc b2be392c708c975ff5a81d8cd4dba588752a8dad to remove duplicate RTCCodec entries.
We then apply da6297dc53cb2eaae7b1c5381652de9d707a7d48.
* Source/ThirdParty/libwebrtc/Source/webrtc/api/stats/rtc_stats_report.h:
* Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector.cc:
* Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector_unittest.cc:
* Source/ThirdParty/libwebrtc/Source/webrtc/pc/test/fake_peer_connection_for_stats.h:
(webrtc::FakePeerConnectionForStats::AddVoiceChannel):
(webrtc::FakePeerConnectionForStats::AddVideoChannel):
(webrtc::FakePeerConnectionForStats::GetOrCreateFirstTransceiverOfType):
(webrtc::FakePeerConnectionForStats::CreateTransceiverOfType):
* Source/ThirdParty/libwebrtc/Source/webrtc/stats/rtc_stats_report.cc:
Canonical link: https://commits.webkit.org/259548.382@safari-7615-branch
Commit: 35cf9b0a952ba49214860a32724fb0921267b5c4
https://github.com/WebKit/WebKit/commit/35cf9b0a952ba49214860a32724fb0921267b5c4
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/arm/neon/av1_fwd_txfm2d_neon.c
Log Message:
-----------
Cherry-pick 259548.383 at safari-7615-branch (4b0ac875e7fa). https://bugs.webkit.org/show_bug.cgi?id=253512
ASan global-buffer-overflow READ in com.apple.WebKit.WebContent.Development at libwebrtc.dylib: av1_lowbd_fwd_txfm2d_8x8_neon
https://bugs.webkit.org/show_bug.cgi?id=253512
rdar://105650593
Reviewed by Eric Carlson.
Cherry-pick from upstream the corresponding fix (582d2fd1e9b6a212cb7d30bcf63d3c1e78aa8fca).
Remove the call to vld1_s8, which reads 8 bytes while only 3 bytes are available, even though only 2 are used.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/arm/neon/av1_fwd_txfm2d_neon.c:
(av1_lowbd_fwd_txfm2d_4x8_neon):
(av1_lowbd_fwd_txfm2d_4x16_neon):
(av1_lowbd_fwd_txfm2d_8x4_neon):
(av1_lowbd_fwd_txfm2d_8x8_neon):
(av1_lowbd_fwd_txfm2d_8x16_neon):
(av1_lowbd_fwd_txfm2d_8x32_neon):
(av1_lowbd_fwd_txfm2d_16x4_neon):
(av1_lowbd_fwd_txfm2d_16x8_neon):
(av1_lowbd_fwd_txfm2d_16x16_neon):
(av1_lowbd_fwd_txfm2d_16x32_neon):
(av1_lowbd_fwd_txfm2d_32x8_neon):
(av1_lowbd_fwd_txfm2d_32x16_neon):
Canonical link: https://commits.webkit.org/259548.383@safari-7615-branch
Commit: 0cec5348b8c1c0aa060db188331632bd9a79887e
https://github.com/WebKit/WebKit/commit/0cec5348b8c1c0aa060db188331632bd9a79887e
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/WebCore/loader/HistoryController.cpp
Log Message:
-----------
Cherry-pick 259548.385 at safari-7615-branch (4bf0507391a9). https://bugs.webkit.org/show_bug.cgi?id=253465
DocumentLoader might be null when calling HistoryController::updateCurrentItem (
https://bugs.webkit.org/show_bug.cgi?id=253465
rdar://106276228
Reviewed by Ryosuke Niwa.
FrameLoader::transitionToCommitted can set the documentLoader to nullptr
before it calls HistoryController::updateCurrentItem(), in which case we
crash. This change makes it so that we bail out early in that case.
* Source/WebCore/loader/HistoryController.cpp:
(WebCore::FrameLoader::HistoryController::updateCurrentItem):
Canonical link: https://commits.webkit.org/259548.385@safari-7615-branch
Commit: 5e0bf0de8b3141c72da3e2f124a2617e66cb975a
https://github.com/WebKit/WebKit/commit/5e0bf0de8b3141c72da3e2f124a2617e66cb975a
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt
A LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html
M Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp
M Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h
M Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp
M Source/WebCore/svg/SVGFEConvolveMatrixElement.h
Log Message:
-----------
Cherry-pick 259548.425 at safari-7615-branch (499c0bf6a8a9). https://bugs.webkit.org/show_bug.cgi?id=253721
Fix buffer overflow in FEConvolveMatrixSoftwareApplier
https://bugs.webkit.org/show_bug.cgi?id=253721
rdar://97909186
Reviewed by Said Abou-Hallawa.
This change fixes a buffer overflow issue in the
FEConvolveMatrixSoftwareApplier code which happens when dealing with the
interior area and setting the destination pixels. This happens because
when the targetX/targetY doesn't fit in the convolution kernel, we don't
clip it, and that ends up moving the pixel offset by more than what is
needed. This change fixes that by making sure that when the SVG
attribute changes, we detect the invalid offset and rebuild the filter.
* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash-expected.txt: Added.
* LayoutTests/svg/filters/feconvolve-matrix-invalid-target-offset-crash.html: Added.
* Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp:
(WebCore::FEConvolveMatrix::FEConvolveMatrix):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.cpp:
(WebCore::FEConvolveMatrixSoftwareApplier::FEConvolveMatrixSoftwareApplier):
* Source/WebCore/platform/graphics/filters/software/FEConvolveMatrixSoftwareApplier.h:
* Source/WebCore/svg/SVGFEConvolveMatrixElement.cpp:
(WebCore::SVGFEConvolveMatrixElement::isValidTargetXOffset const):
(WebCore::SVGFEConvolveMatrixElement::isValidTargetYOffset const):
(WebCore::SVGFEConvolveMatrixElement::svgAttributeChanged):
(WebCore::SVGFEConvolveMatrixElement::createFilterEffect const):
* Source/WebCore/svg/SVGFEConvolveMatrixElement.h:
Canonical link: https://commits.webkit.org/259548.425@safari-7615-branch
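The fix above validates the feConvolveMatrix targetX/targetY attributes at the SVG element level, because an offset outside the kernel shifts the sampled source window past the pixel buffer. The Python below is an added example, not WebKit code and not the C++ from this change: it implements the SVG convolution formula (RESULT(x,y) = sum over i,j of SOURCE(x - targetX + j, y - targetY + i) * kernelMatrix[orderY-1-i][orderX-1-j], divided by divisor, plus bias) with the same validity rule, 0 <= targetX < orderX and 0 <= targetY < orderY, and a helper that shows which source columns an offset selects. edgeMode="none" (out-of-image samples read as 0), grayscale samples, and all function names are this example's own choices.

```python
"""feConvolveMatrix with target-offset validation. Added example, not WebKit code.

Without the validity check, target offsets beyond the kernel size move the
source window entirely outside the neighbourhood of the output pixel; in a
pointer-based implementation that is an out-of-bounds read of the pixel buffer.
"""
from typing import List, Optional, Sequence


def default_target(order: int) -> int:
    """SVG default for targetX/targetY: floor(order / 2)."""
    return order // 2


def is_valid_target(order: int, target: int) -> bool:
    """Element-level check: the target pixel must lie inside the kernel."""
    return 0 <= target < order


def kernel_window(x: int, order: int, target: int) -> List[int]:
    """Source columns (or rows) sampled for output coordinate x."""
    return [x - target + j for j in range(order)]


def convolve(src: Sequence[float], width: int, height: int,
             kernel: Sequence[float], order_x: int, order_y: int,
             target_x: Optional[int] = None, target_y: Optional[int] = None,
             divisor: Optional[float] = None, bias: float = 0.0) -> List[float]:
    """Apply kernel to a flat grayscale buffer (row-major) with edgeMode=none."""
    if len(kernel) != order_x * order_y:
        raise ValueError("kernelMatrix must have orderX * orderY entries")
    if len(src) != width * height:
        raise ValueError("source buffer size does not match width * height")
    tx = default_target(order_x) if target_x is None else target_x
    ty = default_target(order_y) if target_y is None else target_y
    # The check the fix adds: refuse to build the filter with an offset outside the kernel.
    if not (is_valid_target(order_x, tx) and is_valid_target(order_y, ty)):
        raise ValueError(f"target offset ({tx}, {ty}) outside kernel {order_x}x{order_y}")
    if divisor is None:
        # Spec default: the kernel sum, or 1 if that sum is 0.
        divisor = sum(kernel) or 1.0
    if divisor == 0:
        raise ValueError("divisor must not be zero")

    out: List[float] = []
    for y in range(height):
        for x in range(width):
            acc = 0.0
            for i in range(order_y):
                sy = y - ty + i
                for j in range(order_x):
                    sx = x - tx + j
                    # Explicit bounds check on every sample instead of trusting the index.
                    if 0 <= sx < width and 0 <= sy < height:
                        k = kernel[(order_y - 1 - i) * order_x + (order_x - 1 - j)]
                        acc += src[sy * width + sx] * k
            out.append(acc / divisor + bias)
    return out


# Constructed 3x3 sample image, values 1..9 in row-major order.
SAMPLE = [1, 2, 3, 4, 5, 6, 7, 8, 9]
IDENTITY_3X3 = [0, 0, 0, 0, 1, 0, 0, 0, 0]
BOX_3X3 = [1] * 9

if __name__ == "__main__":
    print(convolve(SAMPLE, 3, 3, IDENTITY_3X3, 3, 3))
    print(kernel_window(0, 3, default_target(3)), kernel_window(0, 3, 3))
```

With the default target (1 for order 3) the window for x = 0 is [-1, 0, 1], i.e. the pixel and its neighbours; with an out-of-range target of 3 it becomes [-3, -2, -1], which never touches the output pixel's neighbourhood and, in a pointer-based applier, indexes before the start of the buffer.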
Commit: 060439bb0c3c86d60703f96cadd131586562d9f9
https://github.com/WebKit/WebKit/commit/060439bb0c3c86d60703f96cadd131586562d9f9
Author: David Degazio <d_degazio at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A JSTests/stress/loop-osr-with-inlined-create-rest.js
Log Message:
-----------
Cherry-pick 259548.426 at safari-7615-branch (dde3cbd34027). https://bugs.webkit.org/show_bug.cgi?id=253902
Add stress test for liveness-based interference analysis across loop OSR
https://bugs.webkit.org/show_bug.cgi?id=253902
rdar://105671759
Reviewed by Yusuke Suzuki.
Adds a stress test that breaks without https://bugs.webkit.org/show_bug.cgi?id=252798,
to ensure we don't regress this behavior in the future.
* JSTests/stress/loop-osr-with-inlined-create-rest.js: Added.
(bar):
(foo):
Canonical link: https://commits.webkit.org/259548.426@safari-7615-branch
Commit: dd2442009ab1632a4e4bb72d8e5519ac2d7cae1e
https://github.com/WebKit/WebKit/commit/dd2442009ab1632a4e4bb72d8e5519ac2d7cae1e
Author: David Kilzer <ddkilzer at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/xsl/xslt-node-set-empty-expected.txt
A LayoutTests/fast/xsl/xslt-node-set-empty.html
M Source/WebCore/xml/SoftLinkLibxslt.cpp
M Source/WebCore/xml/SoftLinkLibxslt.h
M Source/WebCore/xml/XSLTExtensions.cpp
Log Message:
-----------
Cherry-pick 259548.430 at safari-7615-branch (06af3d226e2b). https://bugs.webkit.org/show_bug.cgi?id=253857
XSLTProcessor fails when xsl calls exsl:node-set() on empty variable
https://bugs.webkit.org/show_bug.cgi?id=253857
<rdar://103622929>
Reviewed by Alex Christensen.
Merge fix for Chromium Issue 689977:
https://chromium.googlesource.com/chromium/src.git/+/99ead7d1564d35a70799b7ee4c3821053fb3985c
Tests:
fast/xsl/exslt-node-set.xml
fast/xsl/xslt-node-set-empty.html
* LayoutTests/fast/xsl/xslt-node-set-empty-expected.txt: Add.
* LayoutTests/fast/xsl/xslt-node-set-empty.html: Add.
* Source/WebCore/xml/SoftLinkLibxslt.cpp:
* Source/WebCore/xml/SoftLinkLibxslt.h:
- Add soft-linking for newly called libxslt functions.
* Source/WebCore/xml/XSLTExtensions.cpp:
(xsltTransformErrorTrampoline): Add.
- Provide workaround for soft-linking xsltTransformError()
with varargs.
(WebCore::exsltNodeSetFunction):
- Update to match logic in libxslt v1.1.35.
Canonical link: https://commits.webkit.org/259548.430@safari-7615-branch
Commit: 943103cd102caf61b509b0259d8fa04b5a6f2d39
https://github.com/WebKit/WebKit/commit/943103cd102caf61b509b0259d8fa04b5a6f2d39
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns-expected.txt
A LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns.html
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
Cherry-pick 259548.434 at safari-7615-branch (54a21b4db4fa). https://bugs.webkit.org/show_bug.cgi?id=253916.
Web content process crashes when mutating grid-template-columns of subgrid parent grid.
https://bugs.webkit.org/show_bug.cgi?id=253916.
rdar://106458581.
Reviewed by Matt Woodrow.
After grid-template-column of the subgrid's parent grid mutates, the needsItemsPlacement flag is not set for the subgrid's currentGrid. As a result, gridTracks for subgrid->currentGrid() don't undergo resizing, resulting in an OOB in copyUsedTrackSizesForSubgrid(). This change sets the needsItemPlacement flag as needed.
* LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::placeItemsOnGrid):
Canonical link: https://commits.webkit.org/259548.434@safari-7615-branch
Commit: 90026387617aae13ccf5cbb3065973d393483692
https://github.com/WebKit/WebKit/commit/90026387617aae13ccf5cbb3065973d393483692
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/scrolling/fixed-positioned-element-update-crash-expected.txt
A LayoutTests/fast/scrolling/fixed-positioned-element-update-crash.html
Log Message:
-----------
Cherry-pick 260286.10 at webkit-2023.2-embargoed (010528ca060e). https://bugs.webkit.org/show_bug.cgi?id=245389
Add crash test for bad update of fixed position scrolling node
https://bugs.webkit.org/show_bug.cgi?id=245389
Reviewed by Simon Fraser.
This was already fixed with #255114, but add the test for completeness.
* LayoutTests/fast/scrolling/fixed-positioned-element-update-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/fixed-positioned-element-update-crash.html: Added.
Canonical link: https://commits.webkit.org/260286.10@webkit-2023.2-embargoed
Commit: 8bd10c409af45c7c39921f2be5014c4edb0cd6b1
https://github.com/WebKit/WebKit/commit/8bd10c409af45c7c39921f2be5014c4edb0cd6b1
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/multicol/legend-in-column-outline-auto-crash-expected.txt
A LayoutTests/fast/multicol/legend-in-column-outline-auto-crash.html
M Source/WebCore/rendering/RenderObject.cpp
Log Message:
-----------
Cherry-pick 260286.11 at webkit-2023.2-embargoed (e7b0459eaad2). https://bugs.webkit.org/show_bug.cgi?id=251381
Take legend element into account in propagateRepaintToParentWithOutlineAutoIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=251381
rdar://104813886
Reviewed by Alan Baradlay.
In change r259412 logic was introduced for spanner placeholders and a check was done
to see if the previous sibling renderer is a column set. However legends are kept out of
column flows and thus may also have a column set as previous sibling, in this case we
don't want to enter the spanner placeholder logic.
* LayoutTests/fast/multicol/legend-in-column-outline-auto-crash-expected.txt: Added.
* LayoutTests/fast/multicol/legend-in-column-outline-auto-crash.html: Added.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded const):
Canonical link: https://commits.webkit.org/260286.11@webkit-2023.2-embargoed
Commit: 4c373f354b8f5a7198339f97d61be50edfb56ef7
https://github.com/WebKit/WebKit/commit/4c373f354b8f5a7198339f97d61be50edfb56ef7
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css/content/display-contents-on-focus-crash-expected.txt
A LayoutTests/fast/css/content/display-contents-on-focus-crash.html
Log Message:
-----------
Cherry-pick 260286.12 at webkit-2023.2-embargoed (042db6f5677e). https://bugs.webkit.org/show_bug.cgi?id=251380
Add test for display contents on focus change
https://bugs.webkit.org/show_bug.cgi?id=251380
Reviewed by Antti Koivisto.
Already fixed by #248776, but add this test for
completeness.
* LayoutTests/fast/css/content/display-contents-on-focus-crash-expected.txt: Added.
* LayoutTests/fast/css/content/display-contents-on-focus-crash.html: Added.
Canonical link: https://commits.webkit.org/260286.12@webkit-2023.2-embargoed
Commit: 69b675e69a7ab404f8730aad1d486da523408339
https://github.com/WebKit/WebKit/commit/69b675e69a7ab404f8730aad1d486da523408339
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.h
Log Message:
-----------
Cherry-pick 259548.439 at safari-7615-branch (4a5ecd489674). rdar://106645234
OSS: [WebRTC] Heap-buffer-overflow in av1_get_one_pass_rt_params - Heap Buffer Overflow in AV1 Video Encoder
rdar://106645234
Reviewed by Eric Carlson.
Cherry-picking of https://aomedia.googlesource.com/aom/+/bee1caded272127a6d6b70ac79479083d183d5d0%5E%21/#F0.
I had to manually apply the patch since it does not apply cleanly.
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.c:
(av1_rc_postencode_update):
(av1_rc_postencode_update_drop_frame):
(av1_get_one_pass_rt_params):
* Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/ratectrl.h:
Canonical link: https://commits.webkit.org/259548.439@safari-7615-branch
Commit: be07dcb2fd2e3b6f6cc2d60170acb3433f868b3b
https://github.com/WebKit/WebKit/commit/be07dcb2fd2e3b6f6cc2d60170acb3433f868b3b
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/http/wpt/webcodecs/resources/green.png
A LayoutTests/http/wpt/webcodecs/resources/image.py
A LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub-expected.txt
A LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub.html
M LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-expected.txt
M Source/WebCore/Modules/webcodecs/WebCodecsVideoFrame.cpp
M Source/WebCore/css/CSSImageValue.h
M Source/WebCore/css/typedom/CSSStyleImageValue.h
M Source/WebCore/html/HTMLImageElement.cpp
M Source/WebCore/html/HTMLImageElement.h
M Source/WebCore/html/canvas/CanvasRenderingContext.cpp
Log Message:
-----------
Cherry-pick 259548.440 at safari-7615-branch (2ef6b76e1902). https://bugs.webkit.org/show_bug.cgi?id=253129
VideoFrame constructor should throw on tainted input
https://bugs.webkit.org/show_bug.cgi?id=253828
rdar://problem/106643249
Reviewed by Jean-Yves Avenard.
Add a CORS check in VideoFrame constructor code paths.
Covered by added tests.
* LayoutTests/TestExpectations:
* LayoutTests/http/wpt/webcodecs/green.png: Added.
* LayoutTests/http/wpt/webcodecs/image.py: Added.
(main):
* LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/webcodecs-crossOrigin.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-crossOrigin.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-crossOrigin.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/webcodecs/videoFrame-canvasImageSource.html:
* Source/WebCore/Modules/webcodecs/WebCodecsVideoFrame.cpp:
(WebCore::isCachedImageTaintsOrigin):
(WebCore::checkImageUsability):
(WebCore::WebCodecsVideoFrame::create):
* Source/WebCore/css/CSSImageValue.h:
* Source/WebCore/css/typedom/CSSStyleImageValue.h:
Canonical link: https://commits.webkit.org/259548.440@safari-7615-branch
Commit: f5993c61372729c437bbf9cf243413dde587946b
https://github.com/WebKit/WebKit/commit/f5993c61372729c437bbf9cf243413dde587946b
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
A LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar-expected.txt
A LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Cherry-pick 260286.13 at webkit-2023.2-embargoed (0a7c35b68439). https://bugs.webkit.org/show_bug.cgi?id=253037
Adapt OOF with specified height case in availableLogicalHeightForPercentageComputation
https://bugs.webkit.org/show_bug.cgi?id=253037
Reviewed by Alan Baradlay.
The computed height for OOF can result in being zero for certain insets (but never negative).
In that case subtracting scrollbar sizes could result in negative values like in the test case, so
clamp to zero.
* LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/positioned-grid-with-large-inset-and-scrollbar.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::availableLogicalHeightForPercentageComputation const):
Canonical link: https://commits.webkit.org/260286.13@webkit-2023.2-embargoed
Commit: cc7ce9c57bc6c6ad68c41bfa47e8c29f61b9d172
https://github.com/WebKit/WebKit/commit/cc7ce9c57bc6c6ad68c41bfa47e8c29f61b9d172
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/WebCore/rendering/RenderObject.cpp
M Source/WebCore/rendering/RenderObject.h
Log Message:
-----------
Cherry-pick 260286.14 at webkit-2023.2-embargoed (0888aabefd69). https://bugs.webkit.org/show_bug.cgi?id=245374
Improve isInsideMulticolumnFlow lambda for top-layer elements
https://bugs.webkit.org/show_bug.cgi?id=245374
Reviewed by Alan Baradlay.
Improve isInsideMulticolumnFlow lambda for top-layer elements.
Top-layer elements can skip many ancestors since the containing
block is the RenderView. So instead of checking the fragmentedFlowRoot
boundary, check the containing block fragmented flow state.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::setFragmentedFlowStateIncludingDescendants):
(WebCore::RenderObject::initializeFragmentedFlowStateOnInsertion):
(WebCore::RenderObject::resetFragmentedFlowStateOnRemoval):
* Source/WebCore/rendering/RenderObject.h:
Canonical link: https://commits.webkit.org/260286.14@webkit-2023.2-embargoed
Commit: cbdc482f614b250a2b20368b9768148e57db22ec
https://github.com/WebKit/WebKit/commit/cbdc482f614b250a2b20368b9768148e57db22ec
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-05-20 (Sat, 20 May 2023)
Changed paths:
M Source/JavaScriptCore/assembler/AbortReason.h
M Source/JavaScriptCore/interpreter/Interpreter.cpp
M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
M Source/JavaScriptCore/llint/LLIntData.cpp
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/runtime/JSCConfig.h
M Source/JavaScriptCore/runtime/VM.cpp
M Source/WTF/wtf/Assertions.h
M Source/WTF/wtf/WTFConfig.h
M Source/WebKit/GPUProcess/EntryPoint/Cocoa/XPCService/GPUServiceEntryPoint.mm
Log Message:
-----------
Cherry-pick 259548.460 at safari-7615-branch (2396d8a6e829). https://bugs.webkit.org/show_bug.cgi?id=253129
Forbid JS execution in the GPU Process.
https://bugs.webkit.org/show_bug.cgi?id=254101
rdar://106869810
Reviewed by Yusuke Suzuki and Justin Michaud.
The GPU Process does not need to execute any JS code. We should enforce this invariant.
* Source/JavaScriptCore/assembler/AbortReason.h:
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::Interpreter::Interpreter):
* Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::initialize):
* Source/JavaScriptCore/llint/LLIntData.cpp:
(JSC::LLInt::neuterOpcodeMaps):
(JSC::LLInt::initialize):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_check_vm_entry_permission):
* Source/JavaScriptCore/runtime/JSCConfig.h:
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::VM):
* Source/WTF/wtf/Assertions.h:
* Source/WTF/wtf/WTFConfig.h:
* Source/WebKit/GPUProcess/EntryPoint/Cocoa/XPCService/GPUServiceEntryPoint.mm:
(GPU_SERVICE_INITIALIZER):
Canonical link: https://commits.webkit.org/259548.460@safari-7615-branch
Compare: https://github.com/WebKit/WebKit/compare/c1567e86b6b9...cbdc482f614b