[webkit-changes] [WebKit/WebKit] 016b79: Revert "[WPE][GTK] Do not deref CreationData's buf...
Alex Christensen
noreply at github.com
Thu May 25 14:00:20 PDT 2023
Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 016b79db98596c60ed96897742b3a81fa1ae81e4
https://github.com/WebKit/WebKit/commit/016b79db98596c60ed96897742b3a81fa1ae81e4
Author: Michael Catanzaro <mcatanzaro at redhat.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebCore/platform/graphics/Font.h
M Source/WebCore/platform/graphics/FontCustomPlatformData.h
M Source/WebCore/platform/graphics/freetype/FontCustomPlatformDataFreeType.cpp
Log Message:
-----------
Revert "[WPE][GTK] Do not deref CreationData's buffer when Cairo font is destroyed" on 2.40 branch
This commit depends on 263084 at main, which I don't want to backport to
this branch.
* Source/WebCore/platform/graphics/Font.h:
* Source/WebCore/platform/graphics/FontCustomPlatformData.h:
* Source/WebCore/platform/graphics/freetype/FontCustomPlatformDataFreeType.cpp:
(WebCore::releaseCustomFontData):
(WebCore::FontCustomPlatformData::FontCustomPlatformData):
Canonical link: https://commits.webkit.org/260527.340@webkitglib/2.40
Commit: ae40f7ee8db5e4f1a09b5b3e1b13f63caa502a92
https://github.com/WebKit/WebKit/commit/ae40f7ee8db5e4f1a09b5b3e1b13f63caa502a92
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref.html
M Source/WebCore/css/CSSStyleSheet.cpp
Log Message:
-----------
Cherry-pick 259548.524 at safari-7615-branch (a48f8590fa3e). https://bugs.webkit.org/show_bug.cgi?id=254727.
Null ptr deref in CSSStyleSheet::replaceSync.
https://bugs.webkit.org/show_bug.cgi?id=254727.
rdar://101629411.
Reviewed by Chris Dumez.
Added a null check in CSSStyleSheet::replaceSync to prevent a null deref.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref.html: Added.
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::replaceSync):
Canonical link: https://commits.webkit.org/259548.524@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.341@webkitglib/2.40
Commit: ccf34efe975eae4a56b29d111989e52bf4644421
https://github.com/WebKit/WebKit/commit/ccf34efe975eae4a56b29d111989e52bf4644421
Author: JC Alvarado <joncarlo at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/fast/scrolling/scroll-snap-crash-expected.txt
A LayoutTests/fast/scrolling/scroll-snap-crash.html
M Source/WebCore/platform/ScrollSnapAnimatorState.cpp
Log Message:
-----------
Cherry-pick 259548.525 at safari-7615-branch (3d4fc69bfad2). https://bugs.webkit.org/show_bug.cgi?id=254383
Ignore snap offsets with an identifier of zero
https://bugs.webkit.org/show_bug.cgi?id=254383
rdar://107130316
Reviewed by Simon Fraser.
When updating snap offsets, if there is no element for a RenderBox,
then a snap offset with an identifier of 0 is created. This can lead
to issues when we add that offset identifier to a HashSet so we should
ignore them in ScrollSnapAnimatorState::currentlySnappedBoxes().
* LayoutTests/fast/animation/scroll-snap-crash-expected.txt: Added.
* LayoutTests/fast/animation/scroll-snap-crash.html: Added.
* Source/WebCore/platform/ScrollSnapAnimatorState.cpp:
(WebCore::ScrollSnapAnimatorState::currentlySnappedBoxes const):
Canonical link: https://commits.webkit.org/259548.525@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.342@webkitglib/2.40
Commit: 858ff599635f2cf5822f7768f5cccf96ad88fa93
https://github.com/WebKit/WebKit/commit/858ff599635f2cf5822f7768f5cccf96ad88fa93
Author: Antoine Quint <graouts at webkit.org>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebCore/animation/WebAnimation.cpp
Log Message:
-----------
Cherry-pick 259548.532 at safari-7615-branch (1d6fe184ea53). https://bugs.webkit.org/show_bug.cgi?id=254840
Potential use-after-free in WebAnimation::commitStyles
https://bugs.webkit.org/show_bug.cgi?id=254840
rdar://107444873
Reviewed by Dean Jackson and Darin Adler.
Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):
Canonical link: https://commits.webkit.org/259548.532@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.343@webkitglib/2.40
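The protector pattern that commit describes, as an added illustration that is not WebKit's code: `std::shared_ptr` stands in for WebCore's `Ref`/`RefPtr`, `Animation`, `Effect` and `updateStyleHook` are constructed names, and the hook simulates script clearing the animation's effect while `updateStyleIfNeeded()` is running.

```cpp
#include <functional>
#include <memory>

// Constructed stand-in for the animation effect; counts live instances so the
// test can tell whether the object survived the re-entrant call.
struct Effect {
    static int aliveCount;
    Effect() { ++aliveCount; }
    ~Effect() { --aliveCount; }
    int value = 42;
};
int Effect::aliveCount = 0;

struct Animation {
    std::shared_ptr<Effect> m_effect = std::make_shared<Effect>();

    // Stand-in for updateStyleIfNeeded(): may run arbitrary script, and that
    // script may set animation.effect = null through the Web Animations API.
    std::function<void(Animation&)> updateStyleHook;

    // Buggy shape: grab a raw pointer to the member, re-enter script, keep using it.
    // Returns whether the effect is still alive when control comes back.
    bool commitStylesUnprotected() {
        Effect* effect = m_effect.get();   // no ownership taken
        updateStyleHook(*this);            // script may drop the last reference here
        (void)effect;                      // would now be a dangling pointer
        return Effect::aliveCount > 0;
    }

    // Fixed shape: hold a strong reference for the duration of the method, so the
    // object cannot be freed underneath us no matter what script does.
    bool commitStylesProtected() {
        std::shared_ptr<Effect> effect = m_effect;   // protector (Ref/RefPtr in WebKit)
        updateStyleHook(*this);
        return effect && effect->value == 42;        // safe even though m_effect is now null
    }
};

// Simulates `animation.effect = null` executed by script during style update.
void scriptNullsEffect(Animation& animation) { animation.m_effect.reset(); }

// True when the unprotected version is left holding a pointer to a freed Effect.
bool unprotectedLeavesDanglingPointer() {
    Animation animation;
    animation.updateStyleHook = scriptNullsEffect;
    return !animation.commitStylesUnprotected();
}

// True when the protector keeps the Effect alive across the re-entrant call.
bool protectedKeepsEffectAlive() {
    Animation animation;
    animation.updateStyleHook = scriptNullsEffect;
    return animation.commitStylesProtected();
}
```

The unprotected version never dereferences the stale pointer, so it runs cleanly; the point is that `Effect::aliveCount` has already dropped to zero by the time the method resumes, which is exactly the window in which the real code would have read freed memory.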
Commit: f4239204176891c5ed5128b27e43c1ee53c36429
https://github.com/WebKit/WebKit/commit/f4239204176891c5ed5128b27e43c1ee53c36429
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/fast/forms/input-type-radio-form-gc-crash-expected.txt
A LayoutTests/fast/forms/input-type-radio-form-gc-crash.html
M Source/WebCore/html/FormAssociatedCustomElement.cpp
M Source/WebCore/html/FormAssociatedCustomElement.h
M Source/WebCore/html/ValidatedFormListedElement.cpp
M Source/WebCore/html/ValidatedFormListedElement.h
Log Message:
-----------
Cherry-pick 259548.534 at safari-7615-branch (f5dc82736e2c). https://bugs.webkit.org/show_bug.cgi?id=253860
<input type=radio> crashes in removeInvalidElementToAncestorFromInsertionPoint() during GC
https://bugs.webkit.org/show_bug.cgi?id=253860
<rdar://105086386>
Reviewed by Ryosuke Niwa.
When a <form> gets destroyed, it calls into formWillBeDestroyed() callback of <input type=radio>
which, when removing radio buttons themselves, calls into updateValidity() and then into
removeInvalidElementToAncestorFromInsertionPoint() with partially-deleted ContainerNode as an
argument, causing a crash.
This change guards removeInvalidElementToAncestorFromInsertionPoint() and its counterpart
from being called during form destruction.
* LayoutTests/fast/forms/input-type-radio-form-gc-crash-expected.txt: Added.
* LayoutTests/fast/forms/input-type-radio-form-gc-crash.html: Added.
* Source/WebCore/html/FormAssociatedCustomElement.cpp:
(WebCore::FormAssociatedCustomElement::didChangeForm):
(WebCore::FormAssociatedCustomElement::formWillBeDestroyed): Deleted.
* Source/WebCore/html/FormAssociatedCustomElement.h:
* Source/WebCore/html/ValidatedFormListedElement.cpp:
(WebCore::ValidatedFormListedElement::updateValidity):
(WebCore::ValidatedFormListedElement::formWillBeDestroyed):
* Source/WebCore/html/ValidatedFormListedElement.h:
(WebCore::ValidatedFormListedElement::belongsToFormThatIsBeingDestroyed const):
Canonical link: https://commits.webkit.org/259548.534@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.344@webkitglib/2.40
Commit: 296cc117281afd395de14e4b40555af34a70e5a7
https://github.com/WebKit/WebKit/commit/296cc117281afd395de14e4b40555af34a70e5a7
Author: JC Alvarado <joncarlo at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/fast/editing/insert-text-hit-testing-crash-expected.txt
A LayoutTests/fast/editing/insert-text-hit-testing-crash.html
M Source/WebCore/dom/Document.cpp
M Source/WebCore/rendering/HitTestRequest.h
Log Message:
-----------
Cherry-pick 259548.535 at safari-7615-branch (3bc53a0a2ccf). https://bugs.webkit.org/show_bug.cgi?id=253615
Update layout of child frames before hit testing a document if necessary
https://bugs.webkit.org/show_bug.cgi?id=253615
rdar://107375598
Reviewed by Alan Baradlay.
If hit testing can recurse into a child frame, we should make sure that
layout and style are updated for all children before proceeding with
hit testing.
* LayoutTests/fast/editing/insert-text-hit-testing-crash-expected.txt: Added.
* LayoutTests/fast/editing/insert-text-hit-testing-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::hitTest):
Canonical link: https://commits.webkit.org/259548.535@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.345@webkitglib/2.40
Commit: 114314c6b2e963887cb29ddeabd65bad9936794e
https://github.com/WebKit/WebKit/commit/114314c6b2e963887cb29ddeabd65bad9936794e
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash-expected.txt
A LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash.html
M Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.cpp
Log Message:
-----------
Cherry-pick 259548.536 at safari-7615-branch (8320a5247c74). https://bugs.webkit.org/show_bug.cgi?id=254781.
CDMPrivateFairPlayStreaming parsing of WebCore::ISOTrackEncryptionBox can lead to a heap-buffer-overflow.
https://bugs.webkit.org/show_bug.cgi?id=254781.
rdar://103849722.
Reviewed by Jer Noble.
WebCore::ISOTrackEncryptionBox::parse() is missing basic bounds checking before memcpy. This change adds the check.
* LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash-expected.txt: Added.
* LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash.html: Added.
* Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.cpp:
(WebCore::ISOTrackEncryptionBox::parse):
Canonical link: https://commits.webkit.org/259548.536@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.346@webkitglib/2.40
Commit: f7db434186298910f194e3e296e1a671da7ca722
https://github.com/WebKit/WebKit/commit/f7db434186298910f194e3e296e1a671da7ca722
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
M Source/JavaScriptCore/runtime/StringPrototype.cpp
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 259548.551 at safari-7615-branch (e34edaa74575). https://bugs.webkit.org/show_bug.cgi?id=254930
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
https://bugs.webkit.org/show_bug.cgi?id=254930
rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Canonical link: https://commits.webkit.org/259548.551@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.347@webkitglib/2.40
Commit: b44c0d582e1cf9fe70e59d8a97b10269db356ffa
https://github.com/WebKit/WebKit/commit/b44c0d582e1cf9fe70e59d8a97b10269db356ffa
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/fast/rendering/glyph-display-list-cache-crash-expected.txt
A LayoutTests/fast/rendering/glyph-display-list-cache-crash.html
M Source/WebCore/rendering/GlyphDisplayListCache.h
Log Message:
-----------
Cherry-pick 259548.555 at safari-7615-branch (707d4fb8838c). https://bugs.webkit.org/show_bug.cgi?id=254941
Fix equals() for GlyphDisplayListCacheEntryHash
https://bugs.webkit.org/show_bug.cgi?id=254941
rdar://107416408
Reviewed by Cameron McCormack.
This change fixes a heap use after free in GlyphDisplayListCache, which
happens when the destructor of GlyphDisplayListCacheEntry tries to
remove this from the HashSet<GlyphDisplayListCacheEntry*>. The change
fixes the security issue by correcting the equal() implementation, which
now only checks for pointer equality.
* LayoutTests/fast/rendering/glyph-display-list-cache-crash-expected.txt: Added.
* LayoutTests/fast/rendering/glyph-display-list-cache-crash.html: Added.
* Source/WebCore/rendering/GlyphDisplayListCache.h:
(WebCore::GlyphDisplayListCacheEntryHash::equal):
Canonical link: https://commits.webkit.org/259548.555@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.348@webkitglib/2.40
Commit: 97f5a4a8486105695bfaf33aed9343d809530134
https://github.com/WebKit/WebKit/commit/97f5a4a8486105695bfaf33aed9343d809530134
Author: Matt Woodrow <mattwoodrow at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebKit/GPUProcess/graphics/RemoteImageBuffer.h
M Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp
Log Message:
-----------
Cherry-pick 259548.560 at safari-7615-branch (96ee5835ab95). https://bugs.webkit.org/show_bug.cgi?id=254367
RemoteRenderingBackend::moveToImageBuffer can be called multiple times simultaneously.
https://bugs.webkit.org/show_bug.cgi?id=254367
<rdar://106972794>
Reviewed by Kimmo Kinnunen.
It adds locking to RemoteSerializedImageBuffer, so that only one thread can take ownership of the image buffer backend.
* Source/WebKit/GPUProcess/graphics/RemoteImageBuffer.h:
* Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp:
(WebKit::RemoteRenderingBackend::moveToImageBuffer):
Canonical link: https://commits.webkit.org/259548.560@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.349@webkitglib/2.40
Commit: c53479b2802f785f424cc2191705b10cf55a29d5
https://github.com/WebKit/WebKit/commit/c53479b2802f785f424cc2191705b10cf55a29d5
Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebCore/platform/graphics/iso/ISOProtectionSystemSpecificHeaderBox.cpp
Log Message:
-----------
Cherry-pick 259548.574 at safari-7615-branch (0c76eb21f2d8). https://bugs.webkit.org/show_bug.cgi?id=254931.
Potential OOB Read in ISOProtectionSystemSpecificHeaderBox::parse(...).
https://bugs.webkit.org/show_bug.cgi?id=254931.
rdar://107441432.
Reviewed by Jer Noble.
There is a potential OOB access in ISOProtectionSystemSpecificHeaderBox::parse when we do memcpy without a bounds check. This adds a bounds check to prevent such access.
* Source/WebCore/platform/graphics/iso/ISOProtectionSystemSpecificHeaderBox.cpp:
(WebCore::ISOProtectionSystemSpecificHeaderBox::parse):
Canonical link: https://commits.webkit.org/259548.574@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.350@webkitglib/2.40
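The check that both the ISOTrackEncryptionBox::parse() and ISOProtectionSystemSpecificHeaderBox::parse() commits above add, as an added illustration rather than WebKit's code: the reader, the box layout (a 16-byte ID, a big-endian length, then the payload) and the names `BoxReader`, `ParsedBox`, `parseBox` and `makeBox` are all constructed here, not WebCore's ISO box or DataView classes. The length field is file-controlled, so the parser compares it with the bytes actually remaining before any memcpy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Constructed reader over an in-memory buffer: every read checks the remaining
// length before touching memory.
struct BoxReader {
    const uint8_t* data;
    size_t size;
    size_t offset = 0;

    size_t remaining() const { return size - offset; }

    // memcpy `length` bytes into `out`, refusing if they are not all present.
    bool readBytes(void* out, size_t length) {
        if (length > remaining())        // the bounds check both commits add
            return false;
        if (length)
            std::memcpy(out, data + offset, length);
        offset += length;
        return true;
    }

    bool readU32BE(uint32_t& value) {
        uint8_t b[4];
        if (!readBytes(b, sizeof b))
            return false;
        value = (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16)
              | (uint32_t(b[2]) << 8) | uint32_t(b[3]);
        return true;
    }
};

// Constructed box layout: 16-byte system ID, 32-bit big-endian length, payload.
struct ParsedBox {
    uint8_t systemId[16];
    std::vector<uint8_t> payload;
};

// Parses a box; returns nullopt whenever a field would run past the buffer.
std::optional<ParsedBox> parseBox(const uint8_t* data, size_t size) {
    BoxReader reader{data, size};
    ParsedBox box;
    if (!reader.readBytes(box.systemId, sizeof box.systemId))
        return std::nullopt;                       // truncated header
    uint32_t payloadSize = 0;
    if (!reader.readU32BE(payloadSize))
        return std::nullopt;
    // payloadSize comes from the file and is untrusted until compared with remaining().
    if (payloadSize > reader.remaining())
        return std::nullopt;                       // would memcpy past the end of the buffer
    box.payload.resize(payloadSize);
    if (!reader.readBytes(box.payload.data(), payloadSize))
        return std::nullopt;
    return box;
}

// Builds a box whose header claims `declared` payload bytes but carries `actual`.
std::vector<uint8_t> makeBox(uint32_t declared, size_t actual) {
    std::vector<uint8_t> buf(16, 0xAB);            // constructed system ID
    for (int shift = 24; shift >= 0; shift -= 8)
        buf.push_back(uint8_t(declared >> shift));
    buf.insert(buf.end(), actual, uint8_t(0x11));  // constructed payload bytes
    return buf;
}

// Parsed payload length, or -1 when the parser rejects the input.
long parsedPayloadLength(const std::vector<uint8_t>& buf) {
    auto box = parseBox(buf.data(), buf.size());
    return box ? long(box->payload.size()) : -1;
}
```

A header that declares more payload than the buffer holds is the case a heap-buffer-overflow report comes from: without the `payloadSize > remaining()` comparison the memcpy would read past the allocation, and with it the parser simply fails.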
Commit: 63375db425fe181471dcae5e2f2e3b6434aa1e43
https://github.com/WebKit/WebKit/commit/63375db425fe181471dcae5e2f2e3b6434aa1e43
Author: Sihui Liu <sihui_liu at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.cpp
M Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.h
Log Message:
-----------
Cherry-pick 259548.577 at safari-7615-branch (3679790c14ce). rdar://106965632
v2: CrashTracer: com.apple.WebKit.Networking at JavaScriptCore: WTF::StringImpl::hashSlowCase const
rdar://106965632
Reviewed by Youenn Fablet and Ryosuke Niwa.
Moving a lambda might involve copying its captured variables. According to the crash trace, recordInfos
(Vector<CacheStorageRecordInformation>) captured by didReadRecordFiles is copied when running on the WorkQueue of
CacheStorageDiskStore (com.apple.WebKit.CacheStorageCache). This is an issue as CacheStorageRecordInformation is not
thread-safe. To avoid this, we now replace the lambda with CompletionHandler, which has a more definitive move behavior
that does not involve a copy.
* Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.cpp:
(WebKit::CacheStorageDiskStore::readAllRecordInfosInternal):
(WebKit::CacheStorageDiskStore::readAllRecordInfos):
(WebKit::CacheStorageDiskStore::readRecordsInternal):
(WebKit::CacheStorageDiskStore::readRecords):
* Source/WebKit/NetworkProcess/storage/CacheStorageDiskStore.h:
Canonical link: https://commits.webkit.org/259548.577@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.351@webkitglib/2.40
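Why a copyable callable can duplicate its captures while a move-only one cannot, as an added illustration that is not WebKit's code: `RecordInfo` is a constructed stand-in for CacheStorageRecordInformation that counts its copy constructions, `MoveOnlyHandler` is a hypothetical minimal move-only callable with the property the commit relies on in CompletionHandler (it is not WTF::CompletionHandler), and the "queue" is modelled by copying or moving the handler once, as a dispatch to another thread would.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <type_traits>
#include <utility>
#include <vector>

// Constructed stand-in for a record-information type that must not be copied
// across threads; counts copy constructions so the two paths can be compared.
struct RecordInfo {
    static int copies;
    int id;
    explicit RecordInfo(int i) : id(i) {}
    RecordInfo(const RecordInfo& other) : id(other.id) { ++copies; }
    RecordInfo(RecordInfo&&) noexcept = default;
};
int RecordInfo::copies = 0;

// Builds `count` records without copying any of them.
std::vector<RecordInfo> makeInfos(int count) {
    std::vector<RecordInfo> infos;
    infos.reserve(count);
    for (int i = 0; i < count; ++i)
        infos.emplace_back(i);
    return infos;
}

// Hypothetical minimal move-only callable: movable, never copyable, so the
// captured Vector travels with it instead of being duplicated.
class MoveOnlyHandler {
public:
    template<typename F,
             typename = std::enable_if_t<!std::is_same_v<std::decay_t<F>, MoveOnlyHandler>>>
    MoveOnlyHandler(F&& f)
        : m_impl(std::make_unique<Model<std::decay_t<F>>>(std::forward<F>(f))) {}
    MoveOnlyHandler(MoveOnlyHandler&&) noexcept = default;
    MoveOnlyHandler(const MoveOnlyHandler&) = delete;
    size_t operator()() { return m_impl->call(); }

private:
    struct Concept {
        virtual ~Concept() = default;
        virtual size_t call() = 0;
    };
    template<typename F> struct Model final : Concept {
        F fn;
        explicit Model(F f) : fn(std::move(f)) {}
        size_t call() override { return fn(); }
    };
    std::unique_ptr<Concept> m_impl;
};

// A copyable handler handed to a queue that stores it by copy: every RecordInfo
// is duplicated, which is the situation the crash trace pointed at.
// Returns the number of element copies made, or -1 if the handler misbehaved.
int copiesWithCopyableLambda() {
    RecordInfo::copies = 0;
    std::function<size_t()> handler = [infos = makeInfos(3)] { return infos.size(); };
    std::function<size_t()> queued = handler;     // what a copying queue does
    if (queued() != 3)
        return -1;
    return RecordInfo::copies;                    // 3: the whole Vector was copied
}

// The same work routed through a move-only handler: the queue can only move it,
// so no RecordInfo is ever copied.
int copiesWithMoveOnlyHandler() {
    RecordInfo::copies = 0;
    MoveOnlyHandler handler = [infos = makeInfos(3)] { return infos.size(); };
    MoveOnlyHandler queued = std::move(handler);  // `= handler` would not compile
    if (queued() != 3)
        return -1;
    return RecordInfo::copies;                    // 0
}
```

The move-only wrapper turns the accidental copy into a compile error, which is the "more definitive move behavior" the commit message refers to: the captured records can only ever live in one place at a time.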
Commit: 0f0d5a8b4e66e830eafd6a11dcf23b61fea1a0ad
https://github.com/WebKit/WebKit/commit/0f0d5a8b4e66e830eafd6a11dcf23b61fea1a0ad
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
Log Message:
-----------
Cherry-pick 259548.581 at safari-7615-branch (1698533dc391). https://bugs.webkit.org/show_bug.cgi?id=255030
CodeBlock::baselineAlternative() lookup only needs an if statement.
https://bugs.webkit.org/show_bug.cgi?id=255030
<rdar://problem/107657983>
Reviewed by Justin Michaud and Yusuke Suzuki.
There is only ever 1 possible alternative i.e. the baseline CodeBlock. Since there is
none beyond that, there is no need to loop here.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setAlternative):
(JSC::CodeBlock::baselineAlternative):
Canonical link: https://commits.webkit.org/259548.581@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.352@webkitglib/2.40
Commit: 59a4096eafd16a1f4ee69a3c92813e732aa1e215
https://github.com/WebKit/WebKit/commit/59a4096eafd16a1f4ee69a3c92813e732aa1e215
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
Log Message:
-----------
Cherry-pick 259548.592 at safari-7615-branch (61fa810ab89d). https://bugs.webkit.org/show_bug.cgi?id=255136
untagArrayPtr() should do validation if FPAC is not available, not the other way around.
https://bugs.webkit.org/show_bug.cgi?id=255136
rdar://107739543
Reviewed by Yusuke Suzuki and Justin Michaud.
The current code erroneously tests for the inverted condition.
* Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagArrayPtr):
(JSC::MacroAssemblerARM64E::untagArrayPtrLength64):
Canonical link: https://commits.webkit.org/259548.592@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.353@webkitglib/2.40
Commit: de361a84ce99e996435dfc921c39fce63c76b548
https://github.com/WebKit/WebKit/commit/de361a84ce99e996435dfc921c39fce63c76b548
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A JSTests/wasm/stress/block_end_aliasing.js
A JSTests/wasm/stress/block_end_aliasing.wasm
A JSTests/wasm/stress/block_end_aliasing_2.js
A JSTests/wasm/stress/block_end_aliasing_2.wasm
A JSTests/wasm/stress/block_end_aliasing_2.wat
A JSTests/wasm/stress/if-block-arguments-2.js
A JSTests/wasm/stress/if-block-arguments.js
M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
Log Message:
-----------
Cherry-pick 259548.624 at safari-7615-branch (c9d960b1956a). rdar://106354199
OMG should pop try arguments
rdar://106354199
Reviewed by Yusuke Suzuki.
The parser and the B3 generator both maintain their own separate wasm stacks.
When we end a block, these two stacks can get out of sync because we forgot
to pop on the b3 side. This can cause type confusion.
The real fix for this is to fix the underlying design flaw.
In the future, we should only store one copy of the stack state in the parser,
including the wasm type, and refer exclusively to that. This is what the new BBQ tier does.
For now, we just pop as needed.
* JSTests/wasm/stress/block_end_aliasing.js: Added.
(instantiate):
(async let):
* JSTests/wasm/stress/block_end_aliasing.wasm: Added.
* JSTests/wasm/stress/block_end_aliasing_2.js: Added.
(instantiate):
(async let):
(async let.i4.await.instantiate):
* JSTests/wasm/stress/block_end_aliasing_2.wasm: Added.
* JSTests/wasm/stress/block_end_aliasing_2.wat: Added.
* JSTests/wasm/stress/loop-end-aliasing.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.import.string_appeared_here.string_appeared_here.memory.mem.1.func.export.string_appeared_here.result.i64.funcref.i64.const.14.block.param.i64.end.ref.func.0.return.async test):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::didPopValueFromStack):
(JSC::Wasm::B3IRGenerator::makePushVariable):
(JSC::Wasm::B3IRGenerator::addEndToUnreachable):
Canonical link: https://commits.webkit.org/259548.624@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.354@webkitglib/2.40
Commit: c3d8a36a63918c3e63ec015dff3bd579a4a209e6
https://github.com/WebKit/WebKit/commit/c3d8a36a63918c3e63ec015dff3bd579a4a209e6
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
A LayoutTests/fast/rendering/render-text-control-crash-with-designmode-off-expected.txt
A LayoutTests/fast/rendering/render-text-control-crash-with-designmode-off.html
M Source/WebCore/rendering/RenderTextControl.cpp
M Source/WebCore/rendering/RenderTextControlSingleLine.cpp
Log Message:
-----------
Cherry-pick 259548.635 at safari-7615-branch (064579d997ae). https://bugs.webkit.org/show_bug.cgi?id=255423
Fix crash when innerTextElement() can be null when designMode="off"
https://bugs.webkit.org/show_bug.cgi?id=255423
rdar://107985448
Reviewed by Antti Koivisto.
This change guards against innerTextElement() being null. The file
already checked for this in some places, but it wasn't consistent.
* LayoutTests/fast/rendering/render-text-control-crash-with-designmode-off-expected.txt: Added.
* LayoutTests/fast/rendering/render-text-control-crash-with-designmode-off.html: Added.
* Source/WebCore/rendering/RenderTextControl.cpp:
(WebCore::RenderTextControl::textBlockLogicalWidth const):
(WebCore::RenderTextControl::computeLogicalHeight const):
(WebCore::RenderTextControl::computeIntrinsicLogicalWidths const):
* Source/WebCore/rendering/RenderTextControlSingleLine.cpp:
(WebCore::RenderTextControlSingleLine::layout):
(WebCore::RenderTextControlSingleLine::preferredContentLogicalWidth const):
Canonical link: https://commits.webkit.org/259548.635@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.355@webkitglib/2.40
Commit: 1c21333f8f8871a61262d42dc1cc2a778f868af9
https://github.com/WebKit/WebKit/commit/1c21333f8f8871a61262d42dc1cc2a778f868af9
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
M Source/JavaScriptCore/assembler/testmasm.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/WTF/wtf/PtrTag.h
Log Message:
-----------
Cherry-pick 259548.636 at safari-7615-branch (a45dfa3dc3d4). https://bugs.webkit.org/show_bug.cgi?id=255475
Ensure that tagArrayPtr's size diversifier's top 16 bits are always 0.
https://bugs.webkit.org/show_bug.cgi?id=255475
rdar://107724053
Reviewed by Justin Michaud.
On ARM64, sizes never exceed 48 bits anyway. This also ensures that the signed values
will not conflict with the namespace of other data pointers signed with the same PAC key.
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::zeroExtend48ToWord):
* Source/JavaScriptCore/assembler/testmasm.cpp:
(JSC::testZeroExtend48ToWord):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
* Source/WTF/wtf/PtrTag.h:
(WTF::tagArrayPtr):
(WTF::retagArrayPtr):
Canonical link: https://commits.webkit.org/259548.636@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.356@webkitglib/2.40
Commit: ffa1fe87b2791fd07557e3526c61e21337158550
https://github.com/WebKit/WebKit/commit/ffa1fe87b2791fd07557e3526c61e21337158550
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-05-25 (Thu, 25 May 2023)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
Log Message:
-----------
Cherry-pick 259548.637 at safari-7615-branch (2aa0035b7a09). <bug>
Cherry-pick 71578313d03d. rdar://106952778
Network process should only consider web archives to have been loaded if loaded using local scheme
https://bugs.webkit.org/show_bug.cgi?id=255459
rdar://106952778
Reviewed by John Pascoe.
Adding the scheme check matches the check in DocumentLoader::disallowWebArchive
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::didReceiveMainResourceResponse):
Canonical link: https://commits.webkit.org/259548.637@safari-7615-branch
Canonical link: https://commits.webkit.org/260527.357@webkitglib/2.40
Compare: https://github.com/WebKit/WebKit/compare/b3a18564f431...ffa1fe87b279