[webkit-changes] [WebKit/WebKit] 9f8622: Cherry-pick 1fb95912042f. rdar://problem/112432640
Dan Robson
noreply at github.com
Wed Oct 25 14:27:44 PDT 2023
Branch: refs/heads/safari-7615.3.12.110-branch
Home: https://github.com/WebKit/WebKit
Commit: 9f8622da97620effd00f475c5aaa5d0df33b4d5e
https://github.com/WebKit/WebKit/commit/9f8622da97620effd00f475c5aaa5d0df33b4d5e
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h
M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm
Log Message:
-----------
Cherry-pick 1fb95912042f. rdar://problem/112432640
[Cocoa] CRASH in RemoteMediaPlayerProxy::updateVideoFullscreenInlineImage
https://bugs.webkit.org/show_bug.cgi?id=258898
rdar://107296485
Reviewed by Eric Carlson.
A command to destroy the MediaPlayer may be received while MediaPlayerPrivateAVFoundationObjC
is spinning the RunLoop in waitForVideoOutputMediaDataWillChange(). Detect this by instantiating
a WeakPtr in waitForVideoOutputMediaDataWillChange() and bailing early with an error code if the
WeakPtr has been invalidated while spinning the RunLoop.
Modify updateLastImage() to take a CompletionHandler, which will only fire if
waitForVideoOutputMediaDataWillChange() returns a non-exceptional result. If that method
detects that the WeakPtr was invalidated, the completion handler will not be called
(which will trigger an ASSERT in debug builds).
Update all the callers of updateLastImage() to do their subsequent work in the completion handler
they pass to updateLastImage().
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
(WebCore::MediaPlayerPrivateAVFoundationObjC::updateVideoFullscreenInlineImage):
(WebCore::MediaPlayerPrivateAVFoundationObjC::setVideoFullscreenLayer):
(WebCore::MediaPlayerPrivateAVFoundationObjC::updateLastImage):
(WebCore::MediaPlayerPrivateAVFoundationObjC::paintWithVideoOutput):
(WebCore::MediaPlayerPrivateAVFoundationObjC::nativeImageForCurrentTime):
(WebCore::MediaPlayerPrivateAVFoundationObjC::colorSpace):
(WebCore::MediaPlayerPrivateAVFoundationObjC::waitForVideoOutputMediaDataWillChange):
Canonical link: https://commits.webkit.org/265870.11@safari-7616-branch
Identifier: 259548.873 at safari-7615.3.12.10-branch
Commit: 6d1f778e3a048e572271d2abb520cfe60e48a73b
https://github.com/WebKit/WebKit/commit/6d1f778e3a048e572271d2abb520cfe60e48a73b
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html
A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py
M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentLoader.h
Log Message:
-----------
Cherry-pick 4fc1843e1263. rdar://problem/113307811
WebKit applies dynamic sandbox flags on failed navigation
https://bugs.webkit.org/show_bug.cgi?id=259099
rdar://112044768
Reviewed by Alex Christensen.
In case of stopped navigation or failed navigation, we were sandboxing the current document.
The current document was thus running but in a different configuration.
Other browsers create a new document in that case, Firefox with the request URL and Chrome with a special error scheme URL.
To limit the scope of changes, we are now creating a new error document, which is empty, and are sandboxing this new document.
This gets us closer to Firefox and Safari.
We are still calling the fail delegate in case the application wants to do additional handling on this document.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html: Added.
* LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py: Added.
(main):
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
(WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
(WebCore::DocumentLoader::loadErrorDocument):
* Source/WebCore/loader/DocumentLoader.h:
Canonical link: https://commits.webkit.org/265870.62@safari-7616-branch
Identifier: 259548.874 at safari-7615.3.12.10-branch
Commit: 9cf72f58bf6e0486e25e12fe35fdd74b4875bc22
https://github.com/WebKit/WebKit/commit/9cf72f58bf6e0486e25e12fe35fdd74b4875bc22
Author: Myles C. Maxfield <mmaxfield at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
A LayoutTests/http/tests/images/repaint-garbled-expected.html
A LayoutTests/http/tests/images/repaint-garbled.html
A LayoutTests/http/tests/images/resources/green-313x313.jxl
M Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp
Log Message:
-----------
Cherry-pick e633a9de382d. rdar://problem/113309544
[macOS Downlevels] AVIF and JPEG XL images can get corrupted
https://bugs.webkit.org/show_bug.cgi?id=259698
<rdar://problem/113007909>
Reviewed by Said Abou-Hallawa.
When we create a `NativeImage`, we call `ImageSource::frameAtIndexCacheIfNeeded()` with
a caching mode of `MetadataAndImage`. This does 2 things:
1. `auto platformImage = m_decoder->createFrameImageAtIndex(index, subsamplingLevelValue, decodingOptions);`
2. `cachePlatformImageAtIndex(WTFMove(platformImage), index, subsamplingLevelValue, DecodingOptions(DecodingMode::Synchronous));`
ImageSource owns its own cache of `Vector<ImageFrame, 1> m_frames;` whereas
`ScalableImageDecoder` owns its own
`Vector<ScalableImageDecoderFrame, 1> m_frameBufferCache`. Therefore, the output of
`createFrameImageAtIndex()` may be expected to outlive the `ImageDecoder` it came from.
However, `createFrameImageAtIndex()` indirectly calls into `ImageBackingStore::image()`
which creates the `CGImage` with a `CGDataProvider` that points into the
`ImageBackingStore`, which is owned by the `m_frameBufferCache` which is owned by the
`ScalableImageDecoder`. So, when the `ImageSource` destroys its `ImageDecoder`, it blows
away the contents of the `CGImage`s being cached, but the images themselves live on
inside the `ImageSource` itself. That leads to this kind of corruption.
The solution is to make the `CGImage` retain its backing data.
* LayoutTests/http/tests/images/repaint-garbled-expected.html: Added.
* LayoutTests/http/tests/images/repaint-garbled.html: Added.
* LayoutTests/http/tests/images/resources/green-313x313.jxl: Added.
* Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp:
(WebCore::ImageBackingStore::image const):
Canonical link: https://commits.webkit.org/265870.229@safari-7616-branch
Identifier: 259548.875 at safari-7615.3.12.10-branch
Commit: a3c236ec35fde31f5629aa44c3b38a380408591e
https://github.com/WebKit/WebKit/commit/a3c236ec35fde31f5629aa44c3b38a380408591e
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/loader/cache/CachedImage.h
M Source/WebCore/platform/graphics/BitmapImage.cpp
M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
M Source/WebCore/platform/graphics/Image.cpp
M Source/WebCore/platform/graphics/Image.h
M Source/WebCore/platform/graphics/ImageObserver.h
M Source/WebCore/platform/graphics/ImageSource.cpp
M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
M Source/WebCore/svg/graphics/SVGImage.cpp
M Source/WebCore/svg/graphics/SVGImageClients.h
M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp
Log Message:
-----------
Cherry-pick a06556a11b58. rdar://problem/112432782
Crash under SVGImageChromeClient::invalidateContentsAndRootView()
https://bugs.webkit.org/show_bug.cgi?id=258992
rdar://111456803
Reviewed by David Kilzer.
Do hardening by deploying WeakPtr instead of raw pointers for
SVGImage and ImageObserver. Also make it so that we can ref
an ImageObserver.
* Source/WebCore/html/ImageBitmap.cpp:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawImage):
* Source/WebCore/loader/cache/CachedImage.h:
* Source/WebCore/platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::draw):
(WebCore::BitmapImage::drawPattern):
(WebCore::BitmapImage::internalAdvanceAnimation):
(WebCore::BitmapImage::imageFrameAvailableAtIndex):
* Source/WebCore/platform/graphics/GraphicsContextGL.cpp:
(WebCore::GraphicsContextGL::packImageData):
* Source/WebCore/platform/graphics/Image.cpp:
(WebCore::Image::imageObserver const):
(WebCore::Image::setImageObserver):
(WebCore::Image::drawPattern):
* Source/WebCore/platform/graphics/Image.h:
(WebCore::Image::imageObserver const): Deleted.
(WebCore::Image::setImageObserver): Deleted.
* Source/WebCore/platform/graphics/ImageObserver.h:
(WebCore::ImageObserver::ref):
(WebCore::ImageObserver::deref):
* Source/WebCore/platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::encodedDataStatusChanged):
(WebCore::ImageSource::decodedSizeChanged):
* Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp:
(WebCore::PDFDocumentImage::decodedSizeChanged):
(WebCore::PDFDocumentImage::draw):
* Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:
(WebCore::TextureMapperTiledBackingStore::updateContentsFromImageIfNeeded):
* Source/WebCore/svg/graphics/SVGImage.cpp:
(WebCore::SVGImage::drawForContainer):
(WebCore::SVGImage::nativeImage):
(WebCore::SVGImage::draw):
(WebCore::SVGImage::dataChanged):
* Source/WebCore/svg/graphics/SVGImageClients.h:
* Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp:
(TestWebKitAPI::TestImageObserver::create):
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/265870.5@safari-7616-branch
Identifier: 259548.876 at safari-7615.3.12.10-branch
Commit: 6fc3e7947b97d9485f5320b92c0cdd4cb736d785
https://github.com/WebKit/WebKit/commit/6fc3e7947b97d9485f5320b92c0cdd4cb736d785
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 3f548e40249b. rdar://problem/112432636
MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
https://bugs.webkit.org/show_bug.cgi?id=259111
rdar://112058151
Reviewed by Brent Fulgham.
MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
as hardening, the same way we already do for urlString.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::backForwardAddItemShared):
Canonical link: https://commits.webkit.org/265870.12@safari-7616-branch
Identifier: 259548.877 at safari-7615.3.12.10-branch
Commit: fddc653be138c651c43add25690f4a062fc24542
https://github.com/WebKit/WebKit/commit/fddc653be138c651c43add25690f4a062fc24542
Author: Alex Christensen <achristensen at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
A LayoutTests/http/tests/security/resources/xslt2.py
A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
A LayoutTests/http/tests/security/xslt-external-entity.html
A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Log Message:
-----------
Cherry-pick d2e39548861d. rdar://problem/113308146
Check if external entity loads from libxslt are allowed before loading them
https://bugs.webkit.org/show_bug.cgi?id=259235
rdar://111457167
Reviewed by David Kilzer.
Otherwise tricky use of libxslt can make arbitrary file loads to files allowed by the
web content process's sandbox. We should limit it to what the current security origin
can request.
Monterey has an older version of libxml2 which fails differently in this case.
Tests exist that verify that allowed external entities are still allowed.
The important thing is that the contents of the files are not in the Monterey test expectations.
* LayoutTests/http/tests/security/resources/xslt-external-entity.svg: Added.
* LayoutTests/http/tests/security/resources/xslt2.py: Added.
* LayoutTests/http/tests/security/xslt-external-entity-expected.txt: Added.
* LayoutTests/http/tests/security/xslt-external-entity.html: Added.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::shouldAllowExternalLoad):
(WebCore::entityLoader):
(WebCore::initializeXMLParser):
Canonical link: https://commits.webkit.org/265870.131@safari-7616-branch
Identifier: 259548.878 at safari-7615.3.12.10-branch
Commit: 8d8f5fe663ad1cb10cc95050f520ecf5c6464ced
https://github.com/WebKit/WebKit/commit/8d8f5fe663ad1cb10cc95050f520ecf5c6464ced
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
R LayoutTests/http/tests/security/resources/xslt-external-entity.svg
R LayoutTests/http/tests/security/resources/xslt2.py
R LayoutTests/http/tests/security/xslt-external-entity-expected.txt
R LayoutTests/http/tests/security/xslt-external-entity.html
R LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
R LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Log Message:
-----------
Revert "Cherry-pick d2e39548861d. rdar://problem/113308146"
This reverts commit fddc653be138c651c43add25690f4a062fc24542.
Identifier: 259548.879 at safari-7615.3.12.10-branch
Commit: 8541db0feadefe52e1a0320adce67ac8d1a12bd1
https://github.com/WebKit/WebKit/commit/8541db0feadefe52e1a0320adce67ac8d1a12bd1
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-08-15 (Tue, 15 Aug 2023)
Changed paths:
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/loader/cache/CachedImage.h
M Source/WebCore/platform/graphics/BitmapImage.cpp
M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
M Source/WebCore/platform/graphics/Image.cpp
M Source/WebCore/platform/graphics/Image.h
M Source/WebCore/platform/graphics/ImageObserver.h
M Source/WebCore/platform/graphics/ImageSource.cpp
M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
M Source/WebCore/svg/graphics/SVGImage.cpp
M Source/WebCore/svg/graphics/SVGImageClients.h
M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp
Log Message:
-----------
Revert "Cherry-pick a06556a11b58. rdar://problem/112432782"
This reverts commit a3c236ec35fde31f5629aa44c3b38a380408591e.
Identifier: 259548.880 at safari-7615.3.12.10-branch
Commit: d60114839ab47b3d661377572ed3f98c627fb031
https://github.com/WebKit/WebKit/commit/d60114839ab47b3d661377572ed3f98c627fb031
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-08-16 (Wed, 16 Aug 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Revert "Cherry-pick 3f548e40249b. rdar://problem/112432636"
This reverts commit 6fc3e7947b97d9485f5320b92c0cdd4cb736d785.
Identifier: 259548.881 at safari-7615.3.12.10-branch
Commit: 4a2ad51bcd5ceebab4546acb6af116feb23cb67e
https://github.com/WebKit/WebKit/commit/4a2ad51bcd5ceebab4546acb6af116feb23cb67e
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Revert "Revert "Cherry-pick 3f548e40249b. rdar://problem/112432636""
This reverts commit d60114839ab47b3d661377572ed3f98c627fb031.
Identifier: 259548.882 at safari-7615.3.12.10-branch
Commit: 77e217600d99d9e6537458c14f630d7347b6ac00
https://github.com/WebKit/WebKit/commit/77e217600d99d9e6537458c14f630d7347b6ac00
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/loader/cache/CachedImage.h
M Source/WebCore/platform/graphics/BitmapImage.cpp
M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
M Source/WebCore/platform/graphics/Image.cpp
M Source/WebCore/platform/graphics/Image.h
M Source/WebCore/platform/graphics/ImageObserver.h
M Source/WebCore/platform/graphics/ImageSource.cpp
M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
M Source/WebCore/svg/graphics/SVGImage.cpp
M Source/WebCore/svg/graphics/SVGImageClients.h
M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp
Log Message:
-----------
Revert "Revert "Cherry-pick a06556a11b58. rdar://problem/112432782""
This reverts commit 8541db0feadefe52e1a0320adce67ac8d1a12bd1.
Identifier: 259548.883 at safari-7615.3.12.10-branch
Commit: 1dd941f948013acb75703d08beb7a9ac52d8b980
https://github.com/WebKit/WebKit/commit/1dd941f948013acb75703d08beb7a9ac52d8b980
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
A LayoutTests/http/tests/security/resources/xslt2.py
A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
A LayoutTests/http/tests/security/xslt-external-entity.html
A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Log Message:
-----------
Revert "Revert "Cherry-pick d2e39548861d. rdar://problem/113308146""
This reverts commit 8d8f5fe663ad1cb10cc95050f520ecf5c6464ced.
Identifier: 259548.884 at safari-7615.3.12.10-branch
Commit: 269db8ead050f857f0985c1714a2dbaec63eb20e
https://github.com/WebKit/WebKit/commit/269db8ead050f857f0985c1714a2dbaec63eb20e
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
M Source/WebCore/svg/graphics/SVGImage.cpp
Log Message:
-----------
Apply patch. rdar://problem/112432782
Identifier: 259548.885 at safari-7615.3.12.10-branch
Commit: 27a46d925c3c8331e287f5f2ce8595d99c9f43a1
https://github.com/WebKit/WebKit/commit/27a46d925c3c8331e287f5f2ce8595d99c9f43a1
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Apply patch. rdar://problem/112432636
Identifier: 259548.886 at safari-7615.3.12.10-branch
Commit: 6ef154e66216c0b0eff04598edd5fcfcda086608
https://github.com/WebKit/WebKit/commit/6ef154e66216c0b0eff04598edd5fcfcda086608
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Log Message:
-----------
Apply patch. rdar://problem/113308146
Identifier: 259548.887 at safari-7615.3.12.10-branch
Commit: fe37ea4c7af6e89cc5dd52325ddb05e1b86cc796
https://github.com/WebKit/WebKit/commit/fe37ea4c7af6e89cc5dd52325ddb05e1b86cc796
Author: Dan Glastonbury <djg at apple.com>
Date: 2023-08-17 (Thu, 17 Aug 2023)
Changed paths:
M Source/ThirdParty/ANGLE/changes.diff
M Source/ThirdParty/ANGLE/src/libANGLE/features.h
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/ContextMtl.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/DisplayMtl.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.h
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.mm
Log Message:
-----------
Cherry-pick 3820b42a1a38. rdar://problem/113307877
Cherry-pick ef391b1f467b. rdar://problem/109176858
[ANGLE] Lose Metal-backed contexts
https://bugs.webkit.org/show_bug.cgi?id=257584
rdar://109176858
Reviewed by Dean Jackson.
ANGLE provides a mechanism for determing if there has been a error with the
renderer backend via the DisplayImpl::testDeviceLost() and
ContextImpl::getResetStatus() APIs. The Metal renderer backend never signals an
error.
Metal provides a status on command buffer completion to signal if there has been
an error when processing a MTLCommandBuffer. This patch adds experimental
support for losing the context when this status signals there was an error. The
context can't be recovered once it is lost and needs to be recreated.
The feature is available when ANGLE_METAL_LOSE_CONTEXT_ON_ERROR is defined when
compiling ANGLE.
* Source/ThirdParty/ANGLE/src/libANGLE/features.h:
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/DisplayMtl.mm:
(rx::DisplayMtl::testDeviceLost):
(rx::DisplayMtl::restoreLostDevice):
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.h:
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.mm:
(rx::mtl::CommandQueue::onCommandBufferCompleted):
Canonical link: https://commits.webkit.org/266377@main
Identifier: 265870.264 at safari-7616.1.27-branch
Identifier: 259548.888 at safari-7615.3.12.10-branch
Commit: 4ae35ffccabdb15691d45f93b72399dbef1c156d
https://github.com/WebKit/WebKit/commit/4ae35ffccabdb15691d45f93b72399dbef1c156d
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-08-21 (Mon, 21 Aug 2023)
Changed paths:
R LayoutTests/http/tests/images/repaint-garbled-expected.html
R LayoutTests/http/tests/images/repaint-garbled.html
R LayoutTests/http/tests/images/resources/green-313x313.jxl
M Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp
Log Message:
-----------
Revert "Cherry-pick e633a9de382d. rdar://problem/113309544"
This reverts commit 9cf72f58bf6e0486e25e12fe35fdd74b4875bc22.
Identifier: 259548.889 at safari-7615.3.12.10-branch
Commit: 9ca36b86e0b005c2382eb38979da308b47423cdb
https://github.com/WebKit/WebKit/commit/9ca36b86e0b005c2382eb38979da308b47423cdb
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebKit/Shared/WebBackForwardListItem.h
M Source/WebKit/UIProcess/WebBackForwardCache.cpp
M Source/WebKit/UIProcess/WebBackForwardCache.h
Log Message:
-----------
Cherry-pick cb256ae0cae9. rdar://problem/111524465
Crash under WebKit::WebBackForwardCache::removeEntry()
https://bugs.webkit.org/show_bug.cgi?id=258698
rdar://111524465
Reviewed by Ryosuke Niwa.
In WebBackForwardCache::removeEntry(), the call to `item.setBackForwardCacheEntry(nullptr)`
may cause the `item` to get destroyed. However, we were using `item` on the next line for
logging purpose. To fix the bug, I am moving the logging before the setBackForwardCacheEntry()
call.
for hardening purposes, I am also updating m_itemsWithCachedPage to contain WeakPtrs instead
of raw pointers.
* Source/WebKit/Shared/WebBackForwardListItem.h:
* Source/WebKit/UIProcess/WebBackForwardCache.cpp:
(WebKit::WebBackForwardCache::removeEntry):
(WebKit::WebBackForwardCache::removeEntriesMatching):
(WebKit::WebBackForwardCache::clear):
* Source/WebKit/UIProcess/WebBackForwardCache.h:
Canonical link: https://commits.webkit.org/259548.865@safari-7615-branch
Identifier: 259548.867 at safari-7615.3.12.10-branch
Commit: f7dec52ee446dbf8a68bf980881396a439fa6d0c
https://github.com/WebKit/WebKit/commit/f7dec52ee446dbf8a68bf980881396a439fa6d0c
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebKit/Shared/WebBackForwardListItem.h
M Source/WebKit/UIProcess/WebBackForwardCache.cpp
M Source/WebKit/UIProcess/WebBackForwardCache.h
Log Message:
-----------
Revert "Cherry-pick cb256ae0cae9. rdar://problem/111524465"
This reverts commit 54c89560ad32445ea09fa3db14b23d7356d42279.
Commit: 3c3115b40eba843b5ad87f7ec0a13298bb686187
https://github.com/WebKit/WebKit/commit/3c3115b40eba843b5ad87f7ec0a13298bb686187
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7615.3.12.10.4
Identifier: 259548.892 at safari-7615.3.12.10-branch
Commit: 24e85d20f500fb322fb0e469384e00375fe1c189
https://github.com/WebKit/WebKit/commit/24e85d20f500fb322fb0e469384e00375fe1c189
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/platform/mac/ScrollbarsControllerMac.mm
Log Message:
-----------
Cherry-pick bf54ee3c4df6. rdar://115118171
Use-after-free under WebCore::Scrollbar::supportsUpdateOnSecondaryThread()
https://bugs.webkit.org/show_bug.cgi?id=259890
rdar://113037440
Reviewed by Ryosuke Niwa.
Use a WeakPtr for _scrollbar instead of a raw pointer and add a null-check
in [WebScrollbarPartAnimation setCurrentProgress:].
* Source/WebCore/platform/mac/ScrollbarsControllerMac.mm:
(-[WebScrollbarPartAnimation setCurrentProgress:]):
(-[WebScrollerImpDelegate setUpAlphaAnimation:scrollerPainter:part:animateAlphaTo:duration:]):
(-[WebScrollerImpDelegate scrollerImp:animateUIStateTransitionWithDuration:]):
(-[WebScrollerImpDelegate scrollerImp:animateExpansionTransitionWithDuration:]):
Canonical link: https://commits.webkit.org/265870.236@safari-7616-branch
Identifier: 259548.893 at safari-7615.3.12.10-branch
Commit: 9b3803f40e2de20340db6c8255cfa978cc8d0940
https://github.com/WebKit/WebKit/commit/9b3803f40e2de20340db6c8255cfa978cc8d0940
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
M Source/WebCore/workers/service/ServiceWorkerGlobalScope.h
Log Message:
-----------
Cherry-pick 76715edd316d. rdar://115118161
Potential use-after-free of the VM under ~FetchEvent()
https://bugs.webkit.org/show_bug.cgi?id=259896
rdar://113148936
Reviewed by Brent Fulgham.
The VM gets destroyed in between the call for WorkerGlobalScope::prepareForDestruction()
and the call for the WorkerGlobalScope destructor. The crash trace indicates that
the ServiceWorkerGlobalScope destructor destroys FetchEvent objects which end up needing
the VM in their destructor.
This is a speculative fix as I cannot reproduce the issue. Brady already imported the
test case at 266608 at main.
* Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:
(WebCore::ServiceWorkerGlobalScope::prepareForDestruction):
* Source/WebCore/workers/service/ServiceWorkerGlobalScope.h:
Canonical link: https://commits.webkit.org/265870.237@safari-7616-branch
Identifier: 259548.894 at safari-7615.3.12.10-branch
Commit: 792ed78d229e23b18ef2145d6d428ab1d340e6e7
https://github.com/WebKit/WebKit/commit/792ed78d229e23b18ef2145d6d428ab1d340e6e7
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
A JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/JavaScriptCore/dfg/DFGGraph.h
Log Message:
-----------
Cherry-pick 965be685c2ff. rdar://115117939
[JSC] DFG AI GetById adhoc folding should insert watchpoints for structures
https://bugs.webkit.org/show_bug.cgi?id=260678
rdar://114072069
Reviewed by Keith Miller.
For DFG AI GetById's variants, they are tuples of StructureSet and offset.
So, we should not obtain constant property just with offset since we first need to
ensure that the base object is having a structure in StructureSet.
Let's say [S0, 0] [S1, 1] variants are produced. In that case, we should not load
a value from offset 1 when object is S0. But previously we were doing that since
only thing we checked is that base is S0 or S1.
This patch just extends DFG AI GetById handling to use existing tryGetConstantProperty
mechanism with StructureSet. This properly inserts replacement watchpoints too, so that
we can guarantee that the loaded value is inferred constant (if it gets different, then
watchpoint fires). And we correctly check that the current object's structure is meeting
the requirement against *variant*'s structure set.
* JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js: Added.
(main.const.object1):
(main.const.object2):
(main.const.object3):
(main.get opt):
(main):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::inferredValueForProperty):
* Source/JavaScriptCore/dfg/DFGGraph.h:
Canonical link: https://commits.webkit.org/265870.440@safari-7616-branch
Identifier: 259548.895 at safari-7615.3.12.10-branch
Commit: 50726bc7ea63d985cceb5644b9df39c12aec4ca1
https://github.com/WebKit/WebKit/commit/50726bc7ea63d985cceb5644b9df39c12aec4ca1
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
Log Message:
-----------
Cherry-pick ca4f7c9b9939. rdar://115117566
WebContent may get killed due to invalid RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message
https://bugs.webkit.org/show_bug.cgi?id=260757
rdar://113860744
Reviewed by Aditya Keerthi.
The fuzzer found a case where the RemoteLayerTreeDrawingAreaProxy_CommitLayerTree
IPC message may fail decoding because its contains an invalid IntRect. After some
investigation, I found that we didn't handle overflows in the arithmetics in
Region::Shape::bounds(), which means that we could end up with an IntRect that
had a negative width or height.
In the fuzzer case, we ended up with the following values:
minX=-2147483648, minY=3, maxX=62, maxY=2306
We would compute the width doing `62 - (-2147483648)` which would overflow and end
up with a negative width. We now use checkedDifference<int32_t>() to detect
overflows and clamp to std::numeric_limits<int32_t>::max() when it happens.
* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::Shape::bounds const):
Canonical link: https://commits.webkit.org/265870.452@safari-7616-branch
Identifier: 259548.896 at safari-7615.3.12.10-branch
Commit: 868236e65c1f72013a6c795d2329327392e59048
https://github.com/WebKit/WebKit/commit/868236e65c1f72013a6c795d2329327392e59048
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
M Source/WebCore/Modules/mediarecorder/MediaRecorder.h
Log Message:
-----------
Cherry-pick f255dd40b82e. rdar://115118374
CRASH in MediaRecorderPrivate::startRecording()
https://bugs.webkit.org/show_bug.cgi?id=260736
rdar://113544631
Reviewed by Brent Fulgham and Eric Carlson.
MediaRecorder can be destroyed before the completion handler passed to
MediaRecorderPrivate::startRecording() is called. Detect this state by
passing a WeakPtr into the completion handler lambda. Because MediaRecoder
has multiple base classes which are CanMakeWeakPtr subclasses, disambiguate
which subclass's WeakPtr implementation to use in the MediaRecoder class
declaration.
* Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:
(WebCore::MediaRecorder::startRecording):
* Source/WebCore/Modules/mediarecorder/MediaRecorder.h:
Canonical link: https://commits.webkit.org/265870.463@safari-7616-branch
Identifier: 259548.897 at safari-7615.3.12.10-branch
Commit: 632ef076d154f343a26555d919b2b6c27c6dc0f9
https://github.com/WebKit/WebKit/commit/632ef076d154f343a26555d919b2b6c27c6dc0f9
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
A LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt
A LayoutTests/webaudio/audioworklet-bad-array-type.html
A LayoutTests/webaudio/bad-array-type-processor.js
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
Cherry-pick 3be781681be0. rdar://115356129
Bad jsCast<>() in copyDataFromJSArrayToBuses() in AudioWorkletProcessor.cpp
https://bugs.webkit.org/show_bug.cgi?id=261289
rdar://115042475
Reviewed by Ryosuke Niwa.
Use jsDynamicCast<>() instead of jsCast<>() in AudioWorkletProcessor.cpp for
safety.
* LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt: Added.
* LayoutTests/webaudio/audioworklet-bad-array-type.html: Added.
* LayoutTests/webaudio/bad-array-type-processor.js: Added.
(CustomProcessor.prototype.process):
(CustomProcessor):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::toJSArray):
(WebCore::toJSObject):
(WebCore::copyDataFromJSArrayToBuses):
(WebCore::AudioWorkletProcessor::process):
Canonical link: https://commits.webkit.org/265870.534@safari-7616-branch
Identifier: 259548.898 at safari-7615.3.12.10-branch
Commit: 49486f0db7d4ea40e1be3112ecae50e993bb7b24
https://github.com/WebKit/WebKit/commit/49486f0db7d4ea40e1be3112ecae50e993bb7b24
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
A LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt
A LayoutTests/fast/forms/ua-shadow-select-all-behavior.html
A LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt
A LayoutTests/fast/forms/ua-shadow-select-all-crash.html
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/editing/VisibleSelection.cpp
Log Message:
-----------
Cherry-pick 786e20b52145. rdar://115117993
VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root
https://bugs.webkit.org/show_bug.cgi?id=249862
rdar://103683388
Reviewed by Ryosuke Niwa.
Cherry-pick the following fix from Blink:
https://src.chromium.org/viewvc/blink?view=revision&revision=188788
While WebKit doesn't crash in release with the Blink test case, it does
hit the `ASSERT(!isShadowRoot());` assertion inside `Node::nonBoundaryShadowTreeRootNode()`
on debug builds. Also, our selection behavior was vastly different from Chrome and Firefox.
We would end up with a caret while Blink and Gecko would end up with a proper range
selection. This patch aligns our behavior with Blink.
* LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt: Added.
* LayoutTests/fast/forms/ua-shadow-select-all-behavior.html: Added.
* LayoutTests/fast/forms/ua-shadow-select-all-crash.html: Added.
* LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt: Added.
* Source/WebCore/editing/VisibleSelection.cpp:
(WebCore::VisibleSelection::nonBoundaryShadowTreeRootNode const):
Canonical link: https://commits.webkit.org/266505@main
Identifier: 259548.899 at safari-7615.3.12.10-branch
Commit: 25d7bbafb60403b7ba079500922d9d8ab3befe0d
https://github.com/WebKit/WebKit/commit/25d7bbafb60403b7ba079500922d9d8ab3befe0d
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm
Log Message:
-----------
Cherry-pick 9052a0395b9b. rdar://115117683
heap-use-after-free in WebKit::AudioSessionRoutingArbitratorProxy::logger
https://bugs.webkit.org/show_bug.cgi?id=259836
rdar://112774591
Reviewed by Simon Fraser.
Move the ALWAYS_LOG() inside the `if (weakThis)` scope since this macro will
call `this->logger()`.
* Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm:
(WebKit::AudioSessionRoutingArbitratorProxy::beginRoutingArbitrationWithCategory):
Canonical link: https://commits.webkit.org/265870.234@safari-7616-branch
Identifier: 259548.900 at safari-7615.3.12.10-branch
Commit: 2337fd7fa421f8cb2760c52b330fc73fb2e2421f
https://github.com/WebKit/WebKit/commit/2337fd7fa421f8cb2760c52b330fc73fb2e2421f
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Cherry-pick 8e677b301cae. rdar://115118584
Main frame URL is wrong after server-side redirect to a page serving the COOP header
https://bugs.webkit.org/show_bug.cgi?id=260046
rdar://111855179
Reviewed by Brent Fulgham and Alex Christensen.
In the poc, the page is opening a popup (without opener) to the same origin URL1.
This URL1 does a server-side redirect to URL2 which serves the `COOP: same-origin`
HTTP header. After the navigation, Safari was displaying URL1 instead of URL2 in
the URL bar.
It is important to note that that 2 process-swap occur here. The first occurs when
we do the navigation to URL1 in a popup that doesn't have an opener (in the
decidePolicyForNavigationAction). The second one occurs when we receive the
COOP header from URL2 (on navigation response).
In ProvisionalPageProxy::didCreateMainFrame(), we have code which does the following:
```
if (previousMainFrame && !previousMainFrame->provisionalURL().isEmpty()) {
// In case of a process swap after response policy, the didStartProvisionalLoad already happened but the new main frame doesn't know about it
// so we need to tell it so it can update its provisional URL.
m_mainFrame->didStartProvisionalLoad(previousMainFrame->provisionalURL());
}
```
During the second process-swap, we forward the provisional URL from the committed
frame to the provisional one. This is because the didStartProvisionalLoad IPC was
handled by the committed main frame, before we decided to process-swap on resource
response later on. As a result, the provisional main frame doesn't know yet about
the provisional load and we have to let it know about it so it sets its provisional
URL.
This worked fine in the usual case where the COOP process-swap doesn't follow
another process swap. However, in this case, the provisional URL got updated by
an earlier server side redirect which got handled by a provisional frame, not the
committed one. As a result, the committed frame didn't know about the latest
provisional URL, only the original one before the server side redirect.
To address the issue, whenever a provisional main frame receives a server-side
redirect, we now let the committed main frame know about it too so that the
committed frame's provisional URL always stays up-to-date. As a result, when
ProvisionalPageProxy::didCreateMainFrame() forwards the committed frame's URL to
the new provisional frame, it is now accurate.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrameShared):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
Canonical link: https://commits.webkit.org/265870.357@safari-7616-branch
Identifier: 259548.901 at safari-7615.3.12.10-branch
Commit: 6a9bfbc9e863768dce6aacf6cddc5c1dc46e3a51
https://github.com/WebKit/WebKit/commit/6a9bfbc9e863768dce6aacf6cddc5c1dc46e3a51
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Revert "Cherry-pick 8e677b301cae. rdar://115118584"
This reverts commit 2337fd7fa421f8cb2760c52b330fc73fb2e2421f.
Identifier: 259548.902 at safari-7615.3.12.10-branch
Commit: 5101a10ca8b33b9d25dbaefb6fe26b655184c673
https://github.com/WebKit/WebKit/commit/5101a10ca8b33b9d25dbaefb6fe26b655184c673
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm
Log Message:
-----------
Revert "Cherry-pick 9052a0395b9b. rdar://115117683"
This reverts commit 25d7bbafb60403b7ba079500922d9d8ab3befe0d.
Identifier: 259548.903 at safari-7615.3.12.10-branch
Commit: 8b506daec82fca2a7a141814458d1603d0dcd307
https://github.com/WebKit/WebKit/commit/8b506daec82fca2a7a141814458d1603d0dcd307
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
R LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt
R LayoutTests/fast/forms/ua-shadow-select-all-behavior.html
R LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt
R LayoutTests/fast/forms/ua-shadow-select-all-crash.html
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/editing/VisibleSelection.cpp
Log Message:
-----------
Revert "Cherry-pick 786e20b52145. rdar://115117993"
This reverts commit 49486f0db7d4ea40e1be3112ecae50e993bb7b24.
Identifier: 259548.904 at safari-7615.3.12.10-branch
Commit: 807b83668b24b5b74f3845631acb94cce5eb53b2
https://github.com/WebKit/WebKit/commit/807b83668b24b5b74f3845631acb94cce5eb53b2
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
R LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt
R LayoutTests/webaudio/audioworklet-bad-array-type.html
R LayoutTests/webaudio/bad-array-type-processor.js
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
Revert "Cherry-pick 3be781681be0. rdar://115356129"
This reverts commit 632ef076d154f343a26555d919b2b6c27c6dc0f9.
Identifier: 259548.905 at safari-7615.3.12.10-branch
Commit: 1e73b880d77c62d899e9c931533bf7a0169465d9
https://github.com/WebKit/WebKit/commit/1e73b880d77c62d899e9c931533bf7a0169465d9
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
M Source/WebCore/Modules/mediarecorder/MediaRecorder.h
Log Message:
-----------
Revert "Cherry-pick f255dd40b82e. rdar://115118374"
This reverts commit 868236e65c1f72013a6c795d2329327392e59048.
Identifier: 259548.906 at safari-7615.3.12.10-branch
Commit: 2eb00ed465109e426c614ef25767e7ff978cc947
https://github.com/WebKit/WebKit/commit/2eb00ed465109e426c614ef25767e7ff978cc947
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
Log Message:
-----------
Revert "Cherry-pick ca4f7c9b9939. rdar://115117566"
This reverts commit 50726bc7ea63d985cceb5644b9df39c12aec4ca1.
Identifier: 259548.907 at safari-7615.3.12.10-branch
Commit: 8b4c67c3ae5a422f4e104346a09c772a6bdfee84
https://github.com/WebKit/WebKit/commit/8b4c67c3ae5a422f4e104346a09c772a6bdfee84
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
R JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/JavaScriptCore/dfg/DFGGraph.h
Log Message:
-----------
Revert "Cherry-pick 965be685c2ff. rdar://115117939"
This reverts commit 792ed78d229e23b18ef2145d6d428ab1d340e6e7.
Identifier: 259548.908 at safari-7615.3.12.10-branch
Commit: 6fb4b8b8c1629e826ef9cae90d90234f7e092843
https://github.com/WebKit/WebKit/commit/6fb4b8b8c1629e826ef9cae90d90234f7e092843
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
M Source/WebCore/workers/service/ServiceWorkerGlobalScope.h
Log Message:
-----------
Revert "Cherry-pick 76715edd316d. rdar://115118161"
This reverts commit 9b3803f40e2de20340db6c8255cfa978cc8d0940.
Identifier: 259548.909 at safari-7615.3.12.10-branch
Commit: b562f311131fc0ac27b0113450586774b28eecaf
https://github.com/WebKit/WebKit/commit/b562f311131fc0ac27b0113450586774b28eecaf
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Source/WebCore/platform/mac/ScrollbarsControllerMac.mm
Log Message:
-----------
Revert "Cherry-pick bf54ee3c4df6. rdar://115118171"
This reverts commit 24e85d20f500fb322fb0e469384e00375fe1c189.
Identifier: 259548.910 at safari-7615.3.12.10-branch
Commit: 025e9f546d7315faa4406e5ad990374989cf8482
https://github.com/WebKit/WebKit/commit/025e9f546d7315faa4406e5ad990374989cf8482
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7616.1.27.10.14
Identifier: 259548.911 at safari-7615.3.12.10-branch
Commit: 4123060b88256fc5ea5a55e350c5c681fd9696b5
https://github.com/WebKit/WebKit/commit/4123060b88256fc5ea5a55e350c5c681fd9696b5
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7615.3.12.10.4
Identifier: 259548.912 at safari-7615.3.12.10-branch
Commit: 507d4c4e70d48e5c5021004a240a2a88a0619b50
https://github.com/WebKit/WebKit/commit/507d4c4e70d48e5c5021004a240a2a88a0619b50
Author: Keith Miller <keith_miller at apple.com>
Date: 2023-09-14 (Thu, 14 Sep 2023)
Changed paths:
A JSTests/stress/getbyoffset-cse-consistency.js
A JSTests/stress/multigetbyoffset-cse-consistency.js
M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGHeapLocation.h
Log Message:
-----------
Cherry-pick 47e039ffd689. rdar://115399657
clobberize needs to be more precise with the *ByOffset nodes
https://bugs.webkit.org/show_bug.cgi?id=261544
rdar://115399657
Reviewed by Yusuke Suzuki and Mark Lam.
CSE phase uses clobberize to figure out if it's safe to merge two operations that
def the same HeapLocation. Since HeapLocation does not currently have a way to
track the offset used by the various *ByOffset nodes it can get confused and
think that two ByOffset instructions produce the same value even if they don't
use the same offset. This patch solves this by adding a new field to HeapLocation,
which takes the metadata associated with the corresponding *ByOffset node. If two
*ByOffset operations don't share the same metadata then they cannot be CSEed.
* Source/JavaScriptCore/dfg/DFGCSEPhase.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
(JSC::DFG::HeapLocation::HeapLocation):
(JSC::DFG::HeapLocation::extraState const):
(JSC::DFG::HeapLocation::hash const):
Canonical link: https://commits.webkit.org/265870.558@safari-7616-branch
Identifier: 259548.913 at safari-7615.3.12.10-branch
Commit: f0ea657d7fd027429d9fb96452477d665916e90c
https://github.com/WebKit/WebKit/commit/f0ea657d7fd027429d9fb96452477d665916e90c
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7615.3.12.10.5
Identifier: 259548.914 at safari-7615.3.12.10-branch
Commit: e570d78b88a366ae349a31acf2575e7993f08824
https://github.com/WebKit/WebKit/commit/e570d78b88a366ae349a31acf2575e7993f08824
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt
A LayoutTests/fast/forms/ua-shadow-select-all-behavior.html
A LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt
A LayoutTests/fast/forms/ua-shadow-select-all-crash.html
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/editing/VisibleSelection.cpp
Log Message:
-----------
Cherry-pick 786e20b52145. rdar://115117993
VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root
https://bugs.webkit.org/show_bug.cgi?id=249862
rdar://103683388
Reviewed by Ryosuke Niwa.
Cherry-pick the following fix from Blink:
https://src.chromium.org/viewvc/blink?view=revision&revision=188788
While WebKit doesn't crash in release with the Blink test case, it does
hit the `ASSERT(!isShadowRoot());` assertion inside `Node::nonBoundaryShadowTreeRootNode()`
on debug builds. Also, our selection behavior was vastly different from Chrome and Firefox.
We would end up with a caret while Blink and Gecko would end up with a proper range
selection. This patch aligns our behavior with Blink.
* LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt: Added.
* LayoutTests/fast/forms/ua-shadow-select-all-behavior.html: Added.
* LayoutTests/fast/forms/ua-shadow-select-all-crash.html: Added.
* LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt: Added.
* Source/WebCore/editing/VisibleSelection.cpp:
(WebCore::VisibleSelection::nonBoundaryShadowTreeRootNode const):
Canonical link: https://commits.webkit.org/266505@main
Identifier: 259548.915 at safari-7615.3.12.10-branch
Commit: 33945879631e9381af300106c5979d2dbe9fd8a3
https://github.com/WebKit/WebKit/commit/33945879631e9381af300106c5979d2dbe9fd8a3
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm
Log Message:
-----------
Cherry-pick 9052a0395b9b. rdar://115117683
heap-use-after-free in WebKit::AudioSessionRoutingArbitratorProxy::logger
https://bugs.webkit.org/show_bug.cgi?id=259836
rdar://112774591
Reviewed by Simon Fraser.
Move the ALWAYS_LOG() inside the `if (weakThis)` scope since this macro will
call `this->logger()`.
* Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm:
(WebKit::AudioSessionRoutingArbitratorProxy::beginRoutingArbitrationWithCategory):
Canonical link: https://commits.webkit.org/265870.234@safari-7616-branch
Identifier: 259548.916 at safari-7615.3.12.10-branch
Commit: 79a05f1aac54ab42f93e213606bd06dfd7b1ed88
https://github.com/WebKit/WebKit/commit/79a05f1aac54ab42f93e213606bd06dfd7b1ed88
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebCore/platform/mac/ScrollbarsControllerMac.mm
Log Message:
-----------
Cherry-pick bf54ee3c4df6. rdar://115118171
Use-after-free under WebCore::Scrollbar::supportsUpdateOnSecondaryThread()
https://bugs.webkit.org/show_bug.cgi?id=259890
rdar://113037440
Reviewed by Ryosuke Niwa.
Use a WeakPtr for _scrollbar instead of a raw pointer and add a null-check
in [WebScrollbarPartAnimation setCurrentProgress:].
* Source/WebCore/platform/mac/ScrollbarsControllerMac.mm:
(-[WebScrollbarPartAnimation setCurrentProgress:]):
(-[WebScrollerImpDelegate setUpAlphaAnimation:scrollerPainter:part:animateAlphaTo:duration:]):
(-[WebScrollerImpDelegate scrollerImp:animateUIStateTransitionWithDuration:]):
(-[WebScrollerImpDelegate scrollerImp:animateExpansionTransitionWithDuration:]):
Canonical link: https://commits.webkit.org/265870.236@safari-7616-branch
Identifier: 259548.917 at safari-7615.3.12.10-branch
Commit: 5fa15e8d43220df42884750170ed3849d8a0417c
https://github.com/WebKit/WebKit/commit/5fa15e8d43220df42884750170ed3849d8a0417c
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
M Source/WebCore/workers/service/ServiceWorkerGlobalScope.h
Log Message:
-----------
Cherry-pick 76715edd316d. rdar://115118161
Potential use-after-free of the VM under ~FetchEvent()
https://bugs.webkit.org/show_bug.cgi?id=259896
rdar://113148936
Reviewed by Brent Fulgham.
The VM gets destroyed in between the call for WorkerGlobalScope::prepareForDestruction()
and the call for the WorkerGlobalScope destructor. The crash trace indicates that
the ServiceWorkerGlobalScope destructor destroys FetchEvent objects which end up needing
the VM in their destructor.
This is a speculative fix as I cannot reproduce the issue. Brady already imported the
test case at 266608 at main.
* Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:
(WebCore::ServiceWorkerGlobalScope::prepareForDestruction):
* Source/WebCore/workers/service/ServiceWorkerGlobalScope.h:
Canonical link: https://commits.webkit.org/265870.237@safari-7616-branch
Identifier: 259548.918 at safari-7615.3.12.10-branch
Commit: de7738b47381099fcf2a09f446c8903a3795da7f
https://github.com/WebKit/WebKit/commit/de7738b47381099fcf2a09f446c8903a3795da7f
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/JavaScriptCore/dfg/DFGGraph.h
Log Message:
-----------
Cherry-pick 965be685c2ff. rdar://115117939
[JSC] DFG AI GetById adhoc folding should insert watchpoints for structures
https://bugs.webkit.org/show_bug.cgi?id=260678
rdar://114072069
Reviewed by Keith Miller.
For DFG AI GetById's variants, they are tuples of StructureSet and offset.
So, we should not obtain constant property just with offset since we first need to
ensure that the base object is having a structure in StructureSet.
Let's say [S0, 0] [S1, 1] variants are produced. In that case, we should not load
a value from offset 1 when object is S0. But previously we were doing that since
only thing we checked is that base is S0 or S1.
This patch just extends DFG AI GetById handling to use existing tryGetConstantProperty
mechanism with StructureSet. This properly inserts replacement watchpoints too, so that
we can guarantee that the loaded value is inferred constant (if it gets different, then
watchpoint fires). And we correctly check that the current object's structure is meeting
the requirement against *variant*'s structure set.
* JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js: Added.
(main.const.object1):
(main.const.object2):
(main.const.object3):
(main.get opt):
(main):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::inferredValueForProperty):
* Source/JavaScriptCore/dfg/DFGGraph.h:
Canonical link: https://commits.webkit.org/265870.440@safari-7616-branch
Identifier: 259548.919 at safari-7615.3.12.10-branch
Commit: 3b5eaf84fcdcfab616c94c373cd4d518780b812a
https://github.com/WebKit/WebKit/commit/3b5eaf84fcdcfab616c94c373cd4d518780b812a
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
Log Message:
-----------
Cherry-pick ca4f7c9b9939. rdar://115117566
WebContent may get killed due to invalid RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message
https://bugs.webkit.org/show_bug.cgi?id=260757
rdar://113860744
Reviewed by Aditya Keerthi.
The fuzzer found a case where the RemoteLayerTreeDrawingAreaProxy_CommitLayerTree
IPC message may fail decoding because its contains an invalid IntRect. After some
investigation, I found that we didn't handle overflows in the arithmetics in
Region::Shape::bounds(), which means that we could end up with an IntRect that
had a negative width or height.
In the fuzzer case, we ended up with the following values:
minX=-2147483648, minY=3, maxX=62, maxY=2306
We would compute the width doing `62 - (-2147483648)` which would overflow and end
up with a negative width. We now use checkedDifference<int32_t>() to detect
overflows and clamp to std::numeric_limits<int32_t>::max() when it happens.
* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::Shape::bounds const):
Canonical link: https://commits.webkit.org/265870.452@safari-7616-branch
Identifier: 259548.920 at safari-7615.3.12.10-branch
Commit: 4ddf36297402d7bcc2dc6bea29ac58113970c402
https://github.com/WebKit/WebKit/commit/4ddf36297402d7bcc2dc6bea29ac58113970c402
Author: Jer Noble <jer.noble at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
M Source/WebCore/Modules/mediarecorder/MediaRecorder.h
Log Message:
-----------
Cherry-pick f255dd40b82e. rdar://115118374
CRASH in MediaRecorderPrivate::startRecording()
https://bugs.webkit.org/show_bug.cgi?id=260736
rdar://113544631
Reviewed by Brent Fulgham and Eric Carlson.
MediaRecorder can be destroyed before the completion handler passed to
MediaRecorderPrivate::startRecording() is called. Detect this state by
passing a WeakPtr into the completion handler lambda. Because MediaRecoder
has multiple base classes which are CanMakeWeakPtr subclasses, disambiguate
which subclass's WeakPtr implementation to use in the MediaRecoder class
declaration.
* Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:
(WebCore::MediaRecorder::startRecording):
* Source/WebCore/Modules/mediarecorder/MediaRecorder.h:
Canonical link: https://commits.webkit.org/265870.463@safari-7616-branch
Identifier: 259548.921 at safari-7615.3.12.10-branch
Commit: 648cf5654b22bc51cd53bedeada467f06c1743b3
https://github.com/WebKit/WebKit/commit/648cf5654b22bc51cd53bedeada467f06c1743b3
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt
A LayoutTests/webaudio/audioworklet-bad-array-type.html
A LayoutTests/webaudio/bad-array-type-processor.js
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
Cherry-pick 3be781681be0. rdar://115356129
Bad jsCast<>() in copyDataFromJSArrayToBuses() in AudioWorkletProcessor.cpp
https://bugs.webkit.org/show_bug.cgi?id=261289
rdar://115042475
Reviewed by Ryosuke Niwa.
Use jsDynamicCast<>() instead of jsCast<>() in AudioWorkletProcessor.cpp for
safety.
* LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt: Added.
* LayoutTests/webaudio/audioworklet-bad-array-type.html: Added.
* LayoutTests/webaudio/bad-array-type-processor.js: Added.
(CustomProcessor.prototype.process):
(CustomProcessor):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::toJSArray):
(WebCore::toJSObject):
(WebCore::copyDataFromJSArrayToBuses):
(WebCore::AudioWorkletProcessor::process):
Canonical link: https://commits.webkit.org/265870.534@safari-7616-branch
Identifier: 259548.922 at safari-7615.3.12.10-branch
Commit: b448c1f4df8f262f3442e5a33985c42b9efb5be3
https://github.com/WebKit/WebKit/commit/b448c1f4df8f262f3442e5a33985c42b9efb5be3
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm
Log Message:
-----------
Cherry-pick 8e677b301cae. rdar://115118584
Main frame URL is wrong after server-side redirect to a page serving the COOP header
https://bugs.webkit.org/show_bug.cgi?id=260046
rdar://111855179
Reviewed by Brent Fulgham and Alex Christensen.
In the poc, the page is opening a popup (without opener) to the same origin URL1.
This URL1 does a server-side redirect to URL2 which serves the `COOP: same-origin`
HTTP header. After the navigation, Safari was displaying URL1 instead of URL2 in
the URL bar.
It is important to note that that 2 process-swap occur here. The first occurs when
we do the navigation to URL1 in a popup that doesn't have an opener (in the
decidePolicyForNavigationAction). The second one occurs when we receive the
COOP header from URL2 (on navigation response).
In ProvisionalPageProxy::didCreateMainFrame(), we have code which does the following:
```
if (previousMainFrame && !previousMainFrame->provisionalURL().isEmpty()) {
// In case of a process swap after response policy, the didStartProvisionalLoad already happened but the new main frame doesn't know about it
// so we need to tell it so it can update its provisional URL.
m_mainFrame->didStartProvisionalLoad(previousMainFrame->provisionalURL());
}
```
During the second process-swap, we forward the provisional URL from the committed
frame to the provisional one. This is because the didStartProvisionalLoad IPC was
handled by the committed main frame, before we decided to process-swap on resource
response later on. As a result, the provisional main frame doesn't know yet about
the provisional load and we have to let it know about it so it sets its provisional
URL.
This worked fine in the usual case where the COOP process-swap doesn't follow
another process swap. However, in this case, the provisional URL got updated by
an earlier server side redirect which got handled by a provisional frame, not the
committed one. As a result, the committed frame didn't know about the latest
provisional URL, only the original one before the server side redirect.
To address the issue, whenever a provisional main frame receives a server-side
redirect, we now let the committed main frame know about it too so that the
committed frame's provisional URL always stays up-to-date. As a result, when
ProvisionalPageProxy::didCreateMainFrame() forwards the committed frame's URL to
the new provisional frame, it is now accurate.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrameShared):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
Canonical link: https://commits.webkit.org/265870.357@safari-7616-branch
Identifier: 259548.923 at safari-7615.3.12.110-branch
Commit: e6679e96603c14bf1d15d7049791f5fff9e9f235
https://github.com/WebKit/WebKit/commit/e6679e96603c14bf1d15d7049791f5fff9e9f235
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A JSTests/stress/regexp-vflag-property-of-strings.js
M Source/JavaScriptCore/yarr/YarrPattern.cpp
Log Message:
-----------
Cherry-pick b5b70c4574a7. rdar://115117991
CrashOnOverflow in CharacterClassConstructor::compareUTF32Strings
https://bugs.webkit.org/show_bug.cgi?id=260173
rdar://113872060
Reviewed by Ryosuke Niwa.
Fixed and simplified the the sort comparison function compareUTF32Strings() to properly handle
zero length strings.
Added relevant tests.
* JSTests/stress/regexp-vflag-property-of-strings.js:
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::CharacterClassConstructor::compareUTF32Strings):
Canonical link: https://commits.webkit.org/265870.381@safari-7616-branch
Identifier: 259548.924 at safari-7615.3.12.110-branch
Commit: 5e0a52e051428772e7ad9676aecaeb1d459dd823
https://github.com/WebKit/WebKit/commit/5e0a52e051428772e7ad9676aecaeb1d459dd823
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A JSTests/stress/date-set-time-purify-nan.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick aa32244a89e7. rdar://115117919
[JSC] Purify NaN for Date#setTime DFG / FTL implementations
https://bugs.webkit.org/show_bug.cgi?id=260497
rdar://114177456
Reviewed by Mark Lam.
Date#setTime should purify NaN, otherwise, it can put arbitrary NaN boxed values, and cause type-confusion.
We can just use canonical NaN when the input is NaN.
* JSTests/stress/date-set-time-purify-nan.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileDateSet):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/265870.404@safari-7616-branch
Identifier: 259548.925 at safari-7615.3.12.110-branch
Commit: 1e5cfca79733110eaf11d6ab04402f31d5980a3d
https://github.com/WebKit/WebKit/commit/1e5cfca79733110eaf11d6ab04402f31d5980a3d
Author: Wenson Hsieh <wenson_hsieh at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Source/WebCore/html/HTMLInputElement.cpp
M Source/WebCore/html/HTMLInputElement.h
M Source/WebKit/Platform/spi/ios/UIKitSPI.h
M Source/WebKit/Shared/FocusedElementInformation.h
M Source/WebKit/Shared/FocusedElementInformation.serialization.in
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
M Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm
M Tools/TestWebKitAPI/Tests/ios/AutocorrectionTestsIOS.mm
M Tools/TestWebKitAPI/ios/UIKitSPI.h
Log Message:
-----------
Cherry-pick 5cfdf9b1cbac. rdar://115117725
[iOS] Keyboard should not learn autocorrections after revealing password in Gmail login flow
https://bugs.webkit.org/show_bug.cgi?id=260864
rdar://111393742
Reviewed by Aditya Keerthi.
When focusing and editing secure inputs (i.e. input type="password"), we set `isSecureTextEntry` on
`UITextInputTraits` to `YES`, which disables autocorrection learning when the user types in this
field, suppresses the keyboard in screen recordings, and more.
However, some webpages (e.g. Gmail login) offer the ability to reveal the password as plain text as
a convenience to the user — this typically works by changing the input type from `"password"` to
just `"text"`. This currently causes all of the secure text entry behaviors to be disabled, which
includes disabling correction learning; this is undesirable, since the password may be offered as an
autocorrection candidate when editing in other plain text fields in the future, in non-secure
contexts.
Because the user opted to reveal the input, it doesn't really make sense to treat the input as fully
secure (for instance, there's no reason to suppress keyboard visibility in screen recordings if the
password text itself is fully visible). However, we need to (at least) prevent the keyboard from
learning suggestions when typing in this field. To achieve this, we add a flag on `HTMLInputElement`
to remember whether it was ever a password field; if so, we set the `-learnsCorrections` property on
text input traits to `NO`.
Test: AutocorrectionTests.DoNotLearnCorrectionsAfterChangingInputTypeFromPassword
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::runPostTypeUpdateTasks):
Set `m_hasEverBeenPasswordField` here.
* Source/WebCore/html/HTMLInputElement.h:
(WebCore::HTMLInputElement::hasEverBeenPasswordField const):
* Source/WebKit/Platform/spi/ios/UIKitSPI.h:
* Source/WebKit/Shared/FocusedElementInformation.h:
* Source/WebKit/Shared/FocusedElementInformation.serialization.in:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView _updateTextInputTraits:]):
Consult `hasEverBeenPasswordField` on the focused element information, and disable learning from
corrections if it's set.
* Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
Propagate `hasEverBeenPasswordField` state to the UI process when focusing an input element.
(WebKit::WebPage::focusedElementInformation):
* Tools/TestWebKitAPI/Tests/ios/AutocorrectionTestsIOS.mm:
Add an API test to exercise the change.
* Tools/TestWebKitAPI/ios/UIKitSPI.h:
Canonical link: https://commits.webkit.org/265870.476@safari-7616-branch
Identifier: 259548.926 at safari-7615.3.12.110-branch
Commit: e6cb6ef7711d6f7b652b91e30050f7ac84cdce79
https://github.com/WebKit/WebKit/commit/e6cb6ef7711d6f7b652b91e30050f7ac84cdce79
Author: Antti Koivisto <antti at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A LayoutTests/fast/css/style-scope-destruction-crash-expected.txt
A LayoutTests/fast/css/style-scope-destruction-crash.html
M Source/WebCore/rendering/PathOperation.cpp
M Source/WebCore/rendering/PathOperation.h
M Source/WebCore/style/StyleScope.cpp
Log Message:
-----------
Cherry-pick 382b02a5fc10. rdar://115118348
heap-use-after-free | Style::Scope::removeStyleSheetCandidateNode; WebCore::SVGStyleElement::~SVGStyleElement; WebCore::ContainerNode::~ContainerNode
https://bugs.webkit.org/show_bug.cgi?id=260896
rdar://114231775
Reviewed by Alan Baradlay.
* LayoutTests/fast/css/style-scope-destruction-crash-expected.txt: Added.
* LayoutTests/fast/css/style-scope-destruction-crash.html: Added.
* Source/WebCore/rendering/PathOperation.cpp:
(WebCore::ReferencePathOperation::ReferencePathOperation):
(WebCore::ReferencePathOperation::element const): Deleted.
Get rid of the unused element field. This creates a RenderStyle -> DOM ownership cycle which
allows this crash to happen.
* Source/WebCore/rendering/PathOperation.h:
* Source/WebCore/style/StyleScope.cpp:
(WebCore::Style::Scope::~Scope):
Ensure we revoke weak pointers at the start of the destructor to avoid this class of problems.
Canonical link: https://commits.webkit.org/265870.481@safari-7616-branch
Identifier: 259548.927 at safari-7615.3.12.110-branch
Commit: 58c22ddc96ea16fff6b1b8ce3fbce0d04d7cc041
https://github.com/WebKit/WebKit/commit/58c22ddc96ea16fff6b1b8ce3fbce0d04d7cc041
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A JSTests/stress/regress-114860483.js
M Source/JavaScriptCore/runtime/JSObject.cpp
M Source/JavaScriptCore/runtime/JSObjectInlines.h
Log Message:
-----------
Cherry-pick 049d074c4b1b. rdar://115356049
JSObject::anyObjectInChainMayInterceptIndexedAccesses and JSObject::didBecomePrototype need to account for JSGlobalProxy
https://bugs.webkit.org/show_bug.cgi?id=261287
rdar://114860483
Reviewed by Yusuke Suzuki.
Since JSObject::anyObjectInChainMayInterceptIndexedAccesses() walks up the [[Prototype]] chain,
whenever an indexed property is defined on a JSGlobalObject, we should add MayHaveIndexedAccessors
flag to JSGlobalProxy instead.
Currently, mayInterceptIndexedAccesses() is never queried on JSGlobalObject instances.
This change also fixes mayBePrototype() to be queried from JSGlobalProxy rather than JSGlobalObject,
which is correct given setPrototypeDirect() used to call didBecomePrototype() only on the proxy.
However, for extra robustness, this we propagate didBecomePrototype() to the global object as well.
* JSTests/stress/regress-114860483.js: Added.
* Source/JavaScriptCore/runtime/JSObjectInlines.h:
(JSC::JSObject::didBecomePrototype):
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
Canonical link: https://commits.webkit.org/265870.535@safari-7616-branch
Identifier: 259548.928 at safari-7615.3.12.110-branch
Commit: 5cd0140ab8bdf422bdcf5512ffb6bcbe58947a5b
https://github.com/WebKit/WebKit/commit/5cd0140ab8bdf422bdcf5512ffb6bcbe58947a5b
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
A LayoutTests/animations/resolve-animation-should-not-execute-scripts-expected.txt
A LayoutTests/animations/resolve-animation-should-not-execute-scripts.html
M LayoutTests/platform/ios/imported/w3c/web-platform-tests/screen-orientation/active-lock-expected.txt
M Source/WebCore/Modules/paymentrequest/PaymentRequest.cpp
M Source/WebCore/Modules/paymentrequest/PaymentResponse.cpp
M Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp
M Source/WebCore/animation/WebAnimation.cpp
M Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp
M Source/WebCore/dom/TaskSource.h
M Source/WebCore/page/ScreenOrientation.cpp
Log Message:
-----------
Cherry-pick 6d865c4bf3da. rdar://115356270
ScriptDisallowedScope bypass via a `then` getter in Document::updateStyleIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=261256
<rdar://114545310>
Reviewed by Ryosuke Niwa.
This PR addresses several bugs:
1. There is a ScriptDisallowedScope bypass via DeferredPromise::callFunction.
2. WebAnimation::resolve() tries to execute scripts by rejecting promises during updateStyle.
3. WebAnimation::cancel() and WebAnimation::resetPendingTasks() also tries to execute scripts by
rejecting promises during updateStyle.
4. PaymentRequest and PaymentResponse try to reject promises during active DOM object suspension
as well as the script execution context is being stopped.
5. WebAudio tries to reject promises during active DOM object suspension.
For (1), this PR adds a release assertion in DeferredPromise::callFunction like the one we have in
ScriptController::canExecuteScripts. Note this has to be a thread safe variant since this code can be
executed in a worker thread.
For (2), this PR makes WebAnimation::resolve call updateFinishedState with SynchronouslyNotify::No
instead of SynchronouslyNotify::Yes. Note that in the spec [1], the only scenario in which this flag
is set to yes is when the author script calls finish() on an Animation object.
For (3), (4), and (5), this PR makes these actions asynchronous by scheduling a task / microtask
instead of synchronously rejecting promises.
[1] https://drafts.csswg.org/web-animations-1/#update-an-animations-finished-state
Based on original patch by Ryosuke Niwa.
* LayoutTests/animations/resolve-animation-should-not-execute-scripts-expected.txt: Added.
* LayoutTests/animations/resolve-animation-should-not-execute-scripts.html: Added.
* Source/WebCore/Modules/paymentrequest/PaymentRequest.cpp:
(WebCore::PaymentRequest::~PaymentRequest): Now allows pending activity to exist when the associated
script execution context had been stopped.
(WebCore::PaymentRequest::stop): Don't try to settle the promise in the middle of stopping this
active DOM object.
(WebCore::PaymentRequest::suspend): Ditto for suspension. Schedule a task to settle promise instead.
* Source/WebCore/Modules/paymentrequest/PaymentResponse.cpp:
(WebCore::PaymentResponse::~PaymentResponse): Now allows pending activity to exist when
the associated script execution context had been stopped.
(WebCore::PaymentResponse::suspend): Don't try to settle the promise in the middle of stopping this
active DOM object.
* Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp:
(WebCore::OfflineAudioContext::uninitialize): Don't reject the promise when the active DOM objects
had already been stopped.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::cancel): Reject the finished promise in a newly scheduled task instead of
synchronously rejecting it, which would result in script execution.
(WebCore::WebAnimation::resolve): Resolve the promise asynchronously.
* Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:
(WebCore::DeferredPromise::callFunction): Added a release assertion.
* Source/WebCore/dom/TaskSource.h:
Canonical link: https://commits.webkit.org/265870.536@safari-7616-branch
Identifier: 259548.929 at safari-7615.3.12.110-branch
Commit: c20b0d48d07c35dbcc2af413fedc7eebe560441e
https://github.com/WebKit/WebKit/commit/c20b0d48d07c35dbcc2af413fedc7eebe560441e
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7615.3.12.110.1
Identifier: 259548.930 at safari-7615.3.12.110-branch
Commit: 4cab6603a8ce89064e73ef4421a3624af53f2c57
https://github.com/WebKit/WebKit/commit/4cab6603a8ce89064e73ef4421a3624af53f2c57
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-15 (Fri, 15 Sep 2023)
Changed paths:
R JSTests/stress/date-set-time-purify-nan.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Revert "Cherry-pick aa32244a89e7. rdar://115117919"
This reverts commit 5e0a52e051428772e7ad9676aecaeb1d459dd823.
Identifier: 259548.931 at safari-7615.3.12.110-branch
Commit: 1fe3c68813c1ba72e35a618e708207384e27eb65
https://github.com/WebKit/WebKit/commit/1fe3c68813c1ba72e35a618e708207384e27eb65
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-18 (Mon, 18 Sep 2023)
Changed paths:
M Source/JavaScriptCore/runtime/JSObjectInlines.h
Log Message:
-----------
Unreviewed build fix. rdar://115356049
Identifier: 259548.932 at safari-7615.3.12.110-branch
Commit: f04c47a02dfa2107c1721aee1b8def9dda15b3dd
https://github.com/WebKit/WebKit/commit/f04c47a02dfa2107c1721aee1b8def9dda15b3dd
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-19 (Tue, 19 Sep 2023)
Changed paths:
M Source/JavaScriptCore/runtime/JSObjectInlines.h
Log Message:
-----------
Unreviewed build fix. rdar://115356049
Identifier: 259548.933 at safari-7615.3.12.110-branch
Commit: d2440f97bb6b275e5528f69d4bd3573e891b418f
https://github.com/WebKit/WebKit/commit/d2440f97bb6b275e5528f69d4bd3573e891b418f
Author: Andres Gonzalez <andresg_22 at apple.com>
Date: 2023-09-19 (Tue, 19 Sep 2023)
Changed paths:
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
Cherry-pick 0f4469003671. rdar://115355939
AX: Heap-use-after-free in WebCore::AXObjectCache::get(WebCore::Node*)+0x41c
rdar://113770369
Reviewed by Ryosuke Niwa.
This UAF is most likely caused by a mutation in the WeakListHashSet while iterating over it. This patch avoids the problem by copying the set to a Vector and iterating over the Vector.
The same technique is applied to another iteration over a WeakListHashsSet, m_deferredNodeAddedOrRemovedList, in the same method.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::performDeferredCacheUpdate):
Canonical link: https://commits.webkit.org/265870.560@safari-7616-branch
Identifier: 259548.934 at safari-7615.3.12.110-branch
Commit: f463b02b2f3717d2cbbc2642c5a9d43d78b2f8cc
https://github.com/WebKit/WebKit/commit/f463b02b2f3717d2cbbc2642c5a9d43d78b2f8cc
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-19 (Tue, 19 Sep 2023)
Changed paths:
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
Revert "Cherry-pick 0f4469003671. rdar://115355939"
This reverts commit d2440f97bb6b275e5528f69d4bd3573e891b418f.
Identifier: 259548.935 at safari-7615.3.12.110-branch
Commit: 7b18539dbbdc9811775b74a178ec58bdc9bc47d2
https://github.com/WebKit/WebKit/commit/7b18539dbbdc9811775b74a178ec58bdc9bc47d2
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-20 (Wed, 20 Sep 2023)
Changed paths:
M Source/WebCore/rendering/PathOperation.h
Log Message:
-----------
Unreviewed build fix. rdar://115356049
Identifier: 259548.936 at safari-7615.3.12.110-branch
Commit: 1623bbffa872735d1cd33ff648866246611b1183
https://github.com/WebKit/WebKit/commit/1623bbffa872735d1cd33ff648866246611b1183
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-20 (Wed, 20 Sep 2023)
Changed paths:
M Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp
Log Message:
-----------
Unreviewed build fix. rdar://115356270
Identifier: 259548.937 at safari-7615.3.12.110-branch
Commit: 779dea5f3ecc5133409ecc20640d6d444d93fd52
https://github.com/WebKit/WebKit/commit/779dea5f3ecc5133409ecc20640d6d444d93fd52
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-21 (Thu, 21 Sep 2023)
Changed paths:
R JSTests/stress/regexp-vflag-property-of-strings.js
M Source/JavaScriptCore/yarr/YarrPattern.cpp
Log Message:
-----------
Revert "Cherry-pick b5b70c4574a7. rdar://115117991"
This reverts commit e6679e96603c14bf1d15d7049791f5fff9e9f235.
Identifier: 259548.938 at safari-7615.3.12.110-branch
Commit: dcc13173274a45c4570463c15febfeadabb10ad9
https://github.com/WebKit/WebKit/commit/dcc13173274a45c4570463c15febfeadabb10ad9
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-09-21 (Thu, 21 Sep 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Unreviewed build fix. rdar://115118584.
Identifier: 259548.939 at safari-7615.3.12.110-branch
Commit: f5cdbf27a712da3f4e6a192bc5d6de90cab8d6a3
https://github.com/WebKit/WebKit/commit/f5cdbf27a712da3f4e6a192bc5d6de90cab8d6a3
Author: Tommy McHugh <thomas_mchugh at apple.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M LayoutTests/accessibility-isolated-tree/TestExpectations
A LayoutTests/accessibility/aria-labelledby-on-password-input-expected.txt
A LayoutTests/accessibility/aria-labelledby-on-password-input.html
M LayoutTests/platform/glib/TestExpectations
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
Cherry-pick 3b6d017ba868. rdar://112151034
AX: Don't include password input value in aria-labelledby description
https://bugs.webkit.org/show_bug.cgi?id=248717
rdar://problem/102815043
Reviewed by Tyler Wilcock.
accessibleNameForNode is erroneously returning the raw password input value when
an element has an aria-labelledby attribute to an input element with a password type.
This patch fixes that by checking HTMLInputElement::isPasswordField before returning
the input's value and when there is a password field returning a masked value matching
the length of the true value.
* LayoutTests/accessibility-isolated-tree/TestExpectations:
* LayoutTests/accessibility/aria-labelledby-on-password-input-expected.txt: Added.
* LayoutTests/accessibility/aria-labelledby-on-password-input.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::accessibleNameForNode):
Canonical link: https://commits.webkit.org/262433@main
Identifier: 259548.940 at safari-7615.3.12.110-branch
Commit: a157cdadd583606960fc6c967718d8118e3b75e7
https://github.com/WebKit/WebKit/commit/a157cdadd583606960fc6c967718d8118e3b75e7
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7615.3.12.110.2
Canonical link: https://commits.webkit.org/259548.941@safari-7615.3.12.110-branch
Commit: fa74de80a6ace9cefdc975851bd12480850beab1
https://github.com/WebKit/WebKit/commit/fa74de80a6ace9cefdc975851bd12480850beab1
Author: Dan Robson <dan_robson at apple.com>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/onyx_if.c
Log Message:
-----------
Cherry-pick c453beba71d4. rdar://116481519
Cherry-pick 2213bac36f8b. rdar://116233358
Cherry-pick https://chromium.googlesource.com/webm/libvpx.git/+/51057f4ba894e13f9bba278905bacf6aaaecd992
https://bugs.webkit.org/show_bug.cgi?id=262365
rdar://116233358
Reviewed by Mark Lam.
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/onyx_if.c:
(vp8_change_config):
Canonical link: https://commits.webkit.org/267815.127@safari-7617-branch
Canonical link: https://commits.webkit.org/265870.337@safari-7616.1.27.10-branch
Compare: https://github.com/WebKit/WebKit/compare/9f8622da9762%5E...fa74de80a6ac
More information about the webkit-changes
mailing list