[webkit-changes] [WebKit/WebKit] 9f8622: Cherry-pick 1fb95912042f. rdar://problem/112432640

Dan Robson noreply at github.com
Wed Oct 25 14:27:44 PDT 2023


  Branch: refs/heads/safari-7615.3.12.110-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 9f8622da97620effd00f475c5aaa5d0df33b4d5e
      https://github.com/WebKit/WebKit/commit/9f8622da97620effd00f475c5aaa5d0df33b4d5e
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm

  Log Message:
  -----------
  Cherry-pick 1fb95912042f. rdar://problem/112432640

    [Cocoa] CRASH in RemoteMediaPlayerProxy::updateVideoFullscreenInlineImage
    https://bugs.webkit.org/show_bug.cgi?id=258898
    rdar://107296485

    Reviewed by Eric Carlson.

    A command to destroy the MediaPlayer may be received while MediaPlayerPrivateAVFoundationObjC
    is spinning the RunLoop in waitForVideoOutputMediaDataWillChange(). Detect this by instantiating
    a WeakPtr in waitForVideoOutputMediaDataWillChange() and bailing early with an error code if the
    WeakPtr has been invalidated while spinning the RunLoop.

    Modify updateLastImage() to take a CompletionHandler, which will only fire if
    waitForVideoOutputMediaDataWillChange() returns a non-exceptional result. If that method
    detects that the WeakPtr was invalidated, the completion handler will not be called
    (which will trigger an ASSERT in debug builds).

    Update all the callers of updateLastImage() to do their subsequent work in the completion handler
    they pass to updateLastImage().

    * Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
    * Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
    (WebCore::MediaPlayerPrivateAVFoundationObjC::updateVideoFullscreenInlineImage):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::setVideoFullscreenLayer):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::updateLastImage):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::paintWithVideoOutput):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::nativeImageForCurrentTime):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::colorSpace):
    (WebCore::MediaPlayerPrivateAVFoundationObjC::waitForVideoOutputMediaDataWillChange):

    Canonical link: https://commits.webkit.org/265870.11@safari-7616-branch
Identifier: 259548.873 at safari-7615.3.12.10-branch


  Commit: 6d1f778e3a048e572271d2abb520cfe60e48a73b
      https://github.com/WebKit/WebKit/commit/6d1f778e3a048e572271d2abb520cfe60e48a73b
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html
    A LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentLoader.h

  Log Message:
  -----------
  Cherry-pick 4fc1843e1263. rdar://problem/113307811

    WebKit applies dynamic sandbox flags on failed navigation
    https://bugs.webkit.org/show_bug.cgi?id=259099
    rdar://112044768

    Reviewed by Alex Christensen.

    In case of stopped navigation or failed navigation, we were sandboxing the current document.
    The current document was thus running but in a different configuration.
    Other browsers create a new document in that case, Firefox with the request URL and Chrome with a special error scheme URL.
    To limit the scope of changes, we are now creating a new error document, which is empty, and are sandboxing this new document.
    This gets us closer to Firefox and Safari.
    We are still calling the fail delegate in case the application wants to do additional handling on this document.

    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox-expected.txt: Added.
    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/navigating-iframe-sandbox.html: Added.
    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/frame-posting-messages.html: Added.
    * LayoutTests/http/wpt/html/browsers/browsing-the-web/navigating-across-documents/resources/only-same-origin-allowed.py: Added.
    (main):
    * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/header-parsing.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-blank.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/require-corp-about-srcdoc.https-expected.txt:
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::willSendRequest):
    (WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
    (WebCore::DocumentLoader::loadErrorDocument):
    * Source/WebCore/loader/DocumentLoader.h:

    Canonical link: https://commits.webkit.org/265870.62@safari-7616-branch
Identifier: 259548.874 at safari-7615.3.12.10-branch


  Commit: 9cf72f58bf6e0486e25e12fe35fdd74b4875bc22
      https://github.com/WebKit/WebKit/commit/9cf72f58bf6e0486e25e12fe35fdd74b4875bc22
  Author: Myles C. Maxfield <mmaxfield at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    A LayoutTests/http/tests/images/repaint-garbled-expected.html
    A LayoutTests/http/tests/images/repaint-garbled.html
    A LayoutTests/http/tests/images/resources/green-313x313.jxl
    M Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp

  Log Message:
  -----------
  Cherry-pick e633a9de382d. rdar://problem/113309544

    [macOS Downlevels] AVIF and JPEG XL images can get corrupted
    https://bugs.webkit.org/show_bug.cgi?id=259698
    <rdar://problem/113007909>

    Reviewed by Said Abou-Hallawa.

    When we create a `NativeImage`, we call `ImageSource::frameAtIndexCacheIfNeeded()` with
    a caching mode of `MetadataAndImage`. This does 2 things:
    1. `auto platformImage = m_decoder->createFrameImageAtIndex(index, subsamplingLevelValue, decodingOptions);`
    2. `cachePlatformImageAtIndex(WTFMove(platformImage), index, subsamplingLevelValue, DecodingOptions(DecodingMode::Synchronous));`
    ImageSource owns its own cache of `Vector<ImageFrame, 1> m_frames;` whereas
    `ScalableImageDecoder` owns its own
    `Vector<ScalableImageDecoderFrame, 1> m_frameBufferCache`. Therefore, the output of
    `createFrameImageAtIndex()` may be expected to outlive the `ImageDecoder` it came from.
    However, `createFrameImageAtIndex()` indirectly calls into `ImageBackingStore::image()`
    which creates the `CGImage` with a `CGDataProvider` that points into the
    `ImageBackingStore`, which is owned by the `m_frameBufferCache` which is owned by the
    `ScalableImageDecoder`. So, when the `ImageSource` destroys its `ImageDecoder`, it blows
    away the contents of the `CGImage`s being cached, but the images themselves live on
    inside the `ImageSource` itself. That leads to this kind of corruption.

    The solution is to make the `CGImage` retain its backing data.

    * LayoutTests/http/tests/images/repaint-garbled-expected.html: Added.
    * LayoutTests/http/tests/images/repaint-garbled.html: Added.
    * LayoutTests/http/tests/images/resources/green-313x313.jxl: Added.
    * Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp:
    (WebCore::ImageBackingStore::image const):

    Canonical link: https://commits.webkit.org/265870.229@safari-7616-branch
Identifier: 259548.875 at safari-7615.3.12.10-branch


  Commit: a3c236ec35fde31f5629aa44c3b38a380408591e
      https://github.com/WebKit/WebKit/commit/a3c236ec35fde31f5629aa44c3b38a380408591e
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M Source/WebCore/html/ImageBitmap.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/loader/cache/CachedImage.h
    M Source/WebCore/platform/graphics/BitmapImage.cpp
    M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
    M Source/WebCore/platform/graphics/Image.cpp
    M Source/WebCore/platform/graphics/Image.h
    M Source/WebCore/platform/graphics/ImageObserver.h
    M Source/WebCore/platform/graphics/ImageSource.cpp
    M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
    M Source/WebCore/svg/graphics/SVGImage.cpp
    M Source/WebCore/svg/graphics/SVGImageClients.h
    M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp

  Log Message:
  -----------
  Cherry-pick a06556a11b58. rdar://problem/112432782

    Crash under SVGImageChromeClient::invalidateContentsAndRootView()
    https://bugs.webkit.org/show_bug.cgi?id=258992
    rdar://111456803

    Reviewed by David Kilzer.

    Do hardening by deploying WeakPtr instead of raw pointers for
    SVGImage and ImageObserver. Also make it so that we can ref
    an ImageObserver.

    * Source/WebCore/html/ImageBitmap.cpp:
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
    (WebCore::CanvasRenderingContext2DBase::drawImage):
    * Source/WebCore/loader/cache/CachedImage.h:
    * Source/WebCore/platform/graphics/BitmapImage.cpp:
    (WebCore::BitmapImage::draw):
    (WebCore::BitmapImage::drawPattern):
    (WebCore::BitmapImage::internalAdvanceAnimation):
    (WebCore::BitmapImage::imageFrameAvailableAtIndex):
    * Source/WebCore/platform/graphics/GraphicsContextGL.cpp:
    (WebCore::GraphicsContextGL::packImageData):
    * Source/WebCore/platform/graphics/Image.cpp:
    (WebCore::Image::imageObserver const):
    (WebCore::Image::setImageObserver):
    (WebCore::Image::drawPattern):
    * Source/WebCore/platform/graphics/Image.h:
    (WebCore::Image::imageObserver const): Deleted.
    (WebCore::Image::setImageObserver): Deleted.
    * Source/WebCore/platform/graphics/ImageObserver.h:
    (WebCore::ImageObserver::ref):
    (WebCore::ImageObserver::deref):
    * Source/WebCore/platform/graphics/ImageSource.cpp:
    (WebCore::ImageSource::encodedDataStatusChanged):
    (WebCore::ImageSource::decodedSizeChanged):
    * Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp:
    (WebCore::PDFDocumentImage::decodedSizeChanged):
    (WebCore::PDFDocumentImage::draw):
    * Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp:
    (WebCore::TextureMapperTiledBackingStore::updateContentsFromImageIfNeeded):
    * Source/WebCore/svg/graphics/SVGImage.cpp:
    (WebCore::SVGImage::drawForContainer):
    (WebCore::SVGImage::nativeImage):
    (WebCore::SVGImage::draw):
    (WebCore::SVGImage::dataChanged):
    * Source/WebCore/svg/graphics/SVGImageClients.h:
    * Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp:
    (TestWebKitAPI::TestImageObserver::create):
    (TestWebKitAPI::TEST):

    Canonical link: https://commits.webkit.org/265870.5@safari-7616-branch
Identifier: 259548.876 at safari-7615.3.12.10-branch


  Commit: 6fc3e7947b97d9485f5320b92c0cdd4cb736d785
      https://github.com/WebKit/WebKit/commit/6fc3e7947b97d9485f5320b92c0cdd4cb736d785
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Cherry-pick 3f548e40249b. rdar://problem/112432636

    MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
    https://bugs.webkit.org/show_bug.cgi?id=259111
    rdar://112058151

    Reviewed by Brent Fulgham.

    MESSAGE_CHECK() originalURLString in WebPageProxy::backForwardAddItemShared()
    as hardening, the same way we already do for urlString.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::backForwardAddItemShared):

    Canonical link: https://commits.webkit.org/265870.12@safari-7616-branch
Identifier: 259548.877 at safari-7615.3.12.10-branch


  Commit: fddc653be138c651c43add25690f4a062fc24542
      https://github.com/WebKit/WebKit/commit/fddc653be138c651c43add25690f4a062fc24542
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
    A LayoutTests/http/tests/security/resources/xslt2.py
    A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
    A LayoutTests/http/tests/security/xslt-external-entity.html
    A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
    A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
    M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Cherry-pick d2e39548861d. rdar://problem/113308146

    Check if external entity loads from libxslt are allowed before loading them
    https://bugs.webkit.org/show_bug.cgi?id=259235
    rdar://111457167

    Reviewed by David Kilzer.

    Otherwise tricky use of libxslt can make arbitrary file loads to files allowed by the
    web content process's sandbox.  We should limit it to what the current security origin
    can request.

    Monterey has an older version of libxml2 which fails differently in this case.
    Tests exist that verify that allowed external entities are still allowed.
    The important thing is that the contents of the files are not in the Monterey test expectations.

    * LayoutTests/http/tests/security/resources/xslt-external-entity.svg: Added.
    * LayoutTests/http/tests/security/resources/xslt2.py: Added.
    * LayoutTests/http/tests/security/xslt-external-entity-expected.txt: Added.
    * LayoutTests/http/tests/security/xslt-external-entity.html: Added.
    * Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
    (WebCore::shouldAllowExternalLoad):
    (WebCore::entityLoader):
    (WebCore::initializeXMLParser):

    Canonical link: https://commits.webkit.org/265870.131@safari-7616-branch
Identifier: 259548.878 at safari-7615.3.12.10-branch


  Commit: 8d8f5fe663ad1cb10cc95050f520ecf5c6464ced
      https://github.com/WebKit/WebKit/commit/8d8f5fe663ad1cb10cc95050f520ecf5c6464ced
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    R LayoutTests/http/tests/security/resources/xslt-external-entity.svg
    R LayoutTests/http/tests/security/resources/xslt2.py
    R LayoutTests/http/tests/security/xslt-external-entity-expected.txt
    R LayoutTests/http/tests/security/xslt-external-entity.html
    R LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
    R LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
    M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Revert "Cherry-pick d2e39548861d. rdar://problem/113308146"

This reverts commit fddc653be138c651c43add25690f4a062fc24542.

Identifier: 259548.879 at safari-7615.3.12.10-branch


  Commit: 8541db0feadefe52e1a0320adce67ac8d1a12bd1
      https://github.com/WebKit/WebKit/commit/8541db0feadefe52e1a0320adce67ac8d1a12bd1
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M Source/WebCore/html/ImageBitmap.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/loader/cache/CachedImage.h
    M Source/WebCore/platform/graphics/BitmapImage.cpp
    M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
    M Source/WebCore/platform/graphics/Image.cpp
    M Source/WebCore/platform/graphics/Image.h
    M Source/WebCore/platform/graphics/ImageObserver.h
    M Source/WebCore/platform/graphics/ImageSource.cpp
    M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
    M Source/WebCore/svg/graphics/SVGImage.cpp
    M Source/WebCore/svg/graphics/SVGImageClients.h
    M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp

  Log Message:
  -----------
  Revert "Cherry-pick a06556a11b58. rdar://problem/112432782"

This reverts commit a3c236ec35fde31f5629aa44c3b38a380408591e.

Identifier: 259548.880 at safari-7615.3.12.10-branch


  Commit: d60114839ab47b3d661377572ed3f98c627fb031
      https://github.com/WebKit/WebKit/commit/d60114839ab47b3d661377572ed3f98c627fb031
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-08-16 (Wed, 16 Aug 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 3f548e40249b. rdar://problem/112432636"

This reverts commit 6fc3e7947b97d9485f5320b92c0cdd4cb736d785.

Identifier: 259548.881 at safari-7615.3.12.10-branch


  Commit: 4a2ad51bcd5ceebab4546acb6af116feb23cb67e
      https://github.com/WebKit/WebKit/commit/4a2ad51bcd5ceebab4546acb6af116feb23cb67e
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Revert "Revert "Cherry-pick 3f548e40249b. rdar://problem/112432636""

This reverts commit d60114839ab47b3d661377572ed3f98c627fb031.

Identifier: 259548.882 at safari-7615.3.12.10-branch


  Commit: 77e217600d99d9e6537458c14f630d7347b6ac00
      https://github.com/WebKit/WebKit/commit/77e217600d99d9e6537458c14f630d7347b6ac00
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    M Source/WebCore/html/ImageBitmap.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/loader/cache/CachedImage.h
    M Source/WebCore/platform/graphics/BitmapImage.cpp
    M Source/WebCore/platform/graphics/GraphicsContextGL.cpp
    M Source/WebCore/platform/graphics/Image.cpp
    M Source/WebCore/platform/graphics/Image.h
    M Source/WebCore/platform/graphics/ImageObserver.h
    M Source/WebCore/platform/graphics/ImageSource.cpp
    M Source/WebCore/platform/graphics/cg/PDFDocumentImage.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperTiledBackingStore.cpp
    M Source/WebCore/svg/graphics/SVGImage.cpp
    M Source/WebCore/svg/graphics/SVGImageClients.h
    M Tools/TestWebKitAPI/Tests/WebCore/SVGImageCasts.cpp

  Log Message:
  -----------
  Revert "Revert "Cherry-pick a06556a11b58. rdar://problem/112432782""

This reverts commit 8541db0feadefe52e1a0320adce67ac8d1a12bd1.

Identifier: 259548.883 at safari-7615.3.12.10-branch


  Commit: 1dd941f948013acb75703d08beb7a9ac52d8b980
      https://github.com/WebKit/WebKit/commit/1dd941f948013acb75703d08beb7a9ac52d8b980
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    A LayoutTests/http/tests/security/resources/xslt-external-entity.svg
    A LayoutTests/http/tests/security/resources/xslt2.py
    A LayoutTests/http/tests/security/xslt-external-entity-expected.txt
    A LayoutTests/http/tests/security/xslt-external-entity.html
    A LayoutTests/platform/mac-monterey-wk1/http/tests/security/xss-DENIED-xsl-external-entity-no-logging-expected.txt
    A LayoutTests/platform/mac-monterey/http/tests/security/xslt-external-entity-expected.txt
    M LayoutTests/platform/mac-monterey/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Revert "Revert "Cherry-pick d2e39548861d. rdar://problem/113308146""

This reverts commit 8d8f5fe663ad1cb10cc95050f520ecf5c6464ced.

Identifier: 259548.884 at safari-7615.3.12.10-branch


  Commit: 269db8ead050f857f0985c1714a2dbaec63eb20e
      https://github.com/WebKit/WebKit/commit/269db8ead050f857f0985c1714a2dbaec63eb20e
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    M Source/WebCore/svg/graphics/SVGImage.cpp

  Log Message:
  -----------
  Apply patch. rdar://problem/112432782

Identifier: 259548.885 at safari-7615.3.12.10-branch


  Commit: 27a46d925c3c8331e287f5f2ce8595d99c9f43a1
      https://github.com/WebKit/WebKit/commit/27a46d925c3c8331e287f5f2ce8595d99c9f43a1
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Apply patch. rdar://problem/112432636

Identifier: 259548.886 at safari-7615.3.12.10-branch


  Commit: 6ef154e66216c0b0eff04598edd5fcfcda086608
      https://github.com/WebKit/WebKit/commit/6ef154e66216c0b0eff04598edd5fcfcda086608
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Apply patch. rdar://problem/113308146

Identifier: 259548.887 at safari-7615.3.12.10-branch


  Commit: fe37ea4c7af6e89cc5dd52325ddb05e1b86cc796
      https://github.com/WebKit/WebKit/commit/fe37ea4c7af6e89cc5dd52325ddb05e1b86cc796
  Author: Dan Glastonbury <djg at apple.com>
  Date:   2023-08-17 (Thu, 17 Aug 2023)

  Changed paths:
    M Source/ThirdParty/ANGLE/changes.diff
    M Source/ThirdParty/ANGLE/src/libANGLE/features.h
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/ContextMtl.mm
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/DisplayMtl.mm
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.h
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.mm

  Log Message:
  -----------
  Cherry-pick 3820b42a1a38. rdar://problem/113307877

    Cherry-pick ef391b1f467b. rdar://problem/109176858

        [ANGLE] Lose Metal-backed contexts
        https://bugs.webkit.org/show_bug.cgi?id=257584
        rdar://109176858

        Reviewed by Dean Jackson.

        ANGLE provides a mechanism for determing if there has been a error with the
        renderer backend via the DisplayImpl::testDeviceLost() and
        ContextImpl::getResetStatus() APIs. The Metal renderer backend never signals an
        error.

        Metal provides a status on command buffer completion to signal if there has been
        an error when processing a MTLCommandBuffer. This patch adds experimental
        support for losing the context when this status signals there was an error. The
        context can't be recovered once it is lost and needs to be recreated.

        The feature is available when ANGLE_METAL_LOSE_CONTEXT_ON_ERROR is defined when
        compiling ANGLE.

        * Source/ThirdParty/ANGLE/src/libANGLE/features.h:
        * Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/DisplayMtl.mm:
        (rx::DisplayMtl::testDeviceLost):
        (rx::DisplayMtl::restoreLostDevice):
        * Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.h:
        * Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_command_buffer.mm:
        (rx::mtl::CommandQueue::onCommandBufferCompleted):

        Canonical link: https://commits.webkit.org/266377@main

    Identifier: 265870.264 at safari-7616.1.27-branch

Identifier: 259548.888 at safari-7615.3.12.10-branch


  Commit: 4ae35ffccabdb15691d45f93b72399dbef1c156d
      https://github.com/WebKit/WebKit/commit/4ae35ffccabdb15691d45f93b72399dbef1c156d
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-08-21 (Mon, 21 Aug 2023)

  Changed paths:
    R LayoutTests/http/tests/images/repaint-garbled-expected.html
    R LayoutTests/http/tests/images/repaint-garbled.html
    R LayoutTests/http/tests/images/resources/green-313x313.jxl
    M Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp

  Log Message:
  -----------
  Revert "Cherry-pick e633a9de382d. rdar://problem/113309544"

This reverts commit 9cf72f58bf6e0486e25e12fe35fdd74b4875bc22.

Identifier: 259548.889 at safari-7615.3.12.10-branch


  Commit: 9ca36b86e0b005c2382eb38979da308b47423cdb
      https://github.com/WebKit/WebKit/commit/9ca36b86e0b005c2382eb38979da308b47423cdb
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebKit/Shared/WebBackForwardListItem.h
    M Source/WebKit/UIProcess/WebBackForwardCache.cpp
    M Source/WebKit/UIProcess/WebBackForwardCache.h

  Log Message:
  -----------
  Cherry-pick cb256ae0cae9. rdar://problem/111524465

    Crash under WebKit::WebBackForwardCache::removeEntry()
    https://bugs.webkit.org/show_bug.cgi?id=258698
    rdar://111524465

    Reviewed by Ryosuke Niwa.

    In WebBackForwardCache::removeEntry(), the call to `item.setBackForwardCacheEntry(nullptr)`
    may cause the `item` to get destroyed. However, we were using `item` on the next line for
    logging purpose. To fix the bug, I am moving the logging before the setBackForwardCacheEntry()
    call.

    for hardening purposes, I am also updating m_itemsWithCachedPage to contain WeakPtrs instead
    of raw pointers.

    * Source/WebKit/Shared/WebBackForwardListItem.h:
    * Source/WebKit/UIProcess/WebBackForwardCache.cpp:
    (WebKit::WebBackForwardCache::removeEntry):
    (WebKit::WebBackForwardCache::removeEntriesMatching):
    (WebKit::WebBackForwardCache::clear):
    * Source/WebKit/UIProcess/WebBackForwardCache.h:

    Canonical link: https://commits.webkit.org/259548.865@safari-7615-branch

Identifier: 259548.867 at safari-7615.3.12.10-branch


  Commit: f7dec52ee446dbf8a68bf980881396a439fa6d0c
      https://github.com/WebKit/WebKit/commit/f7dec52ee446dbf8a68bf980881396a439fa6d0c
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebKit/Shared/WebBackForwardListItem.h
    M Source/WebKit/UIProcess/WebBackForwardCache.cpp
    M Source/WebKit/UIProcess/WebBackForwardCache.h

  Log Message:
  -----------
  Revert "Cherry-pick cb256ae0cae9. rdar://problem/111524465"

This reverts commit 54c89560ad32445ea09fa3db14b23d7356d42279.


  Commit: 3c3115b40eba843b5ad87f7ec0a13298bb686187
      https://github.com/WebKit/WebKit/commit/3c3115b40eba843b5ad87f7ec0a13298bb686187
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.12.10.4

Identifier: 259548.892 at safari-7615.3.12.10-branch


  Commit: 24e85d20f500fb322fb0e469384e00375fe1c189
      https://github.com/WebKit/WebKit/commit/24e85d20f500fb322fb0e469384e00375fe1c189
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/mac/ScrollbarsControllerMac.mm

  Log Message:
  -----------
  Cherry-pick bf54ee3c4df6. rdar://115118171

    Use-after-free under WebCore::Scrollbar::supportsUpdateOnSecondaryThread()
    https://bugs.webkit.org/show_bug.cgi?id=259890
    rdar://113037440

    Reviewed by Ryosuke Niwa.

    Use a WeakPtr for _scrollbar instead of a raw pointer and add a null-check
    in [WebScrollbarPartAnimation setCurrentProgress:].

    * Source/WebCore/platform/mac/ScrollbarsControllerMac.mm:
    (-[WebScrollbarPartAnimation setCurrentProgress:]):
    (-[WebScrollerImpDelegate setUpAlphaAnimation:scrollerPainter:part:animateAlphaTo:duration:]):
    (-[WebScrollerImpDelegate scrollerImp:animateUIStateTransitionWithDuration:]):
    (-[WebScrollerImpDelegate scrollerImp:animateExpansionTransitionWithDuration:]):

    Canonical link: https://commits.webkit.org/265870.236@safari-7616-branch

Identifier: 259548.893 at safari-7615.3.12.10-branch


  Commit: 9b3803f40e2de20340db6c8255cfa978cc8d0940
      https://github.com/WebKit/WebKit/commit/9b3803f40e2de20340db6c8255cfa978cc8d0940
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.h

  Log Message:
  -----------
  Cherry-pick 76715edd316d. rdar://115118161

    Potential use-after-free of the VM under ~FetchEvent()
    https://bugs.webkit.org/show_bug.cgi?id=259896
    rdar://113148936

    Reviewed by Brent Fulgham.

    The VM gets destroyed in between the call for WorkerGlobalScope::prepareForDestruction()
    and the call for the WorkerGlobalScope destructor. The crash trace indicates that
    the ServiceWorkerGlobalScope destructor destroys FetchEvent objects which end up needing
    the VM in their destructor.

    This is a speculative fix as I cannot reproduce the issue. Brady already imported the
    test case at 266608 at main.

    * Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:
    (WebCore::ServiceWorkerGlobalScope::prepareForDestruction):
    * Source/WebCore/workers/service/ServiceWorkerGlobalScope.h:

    Canonical link: https://commits.webkit.org/265870.237@safari-7616-branch

Identifier: 259548.894 at safari-7615.3.12.10-branch


  Commit: 792ed78d229e23b18ef2145d6d428ab1d340e6e7
      https://github.com/WebKit/WebKit/commit/792ed78d229e23b18ef2145d6d428ab1d340e6e7
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    A JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h

  Log Message:
  -----------
  Cherry-pick 965be685c2ff. rdar://115117939

    [JSC] DFG AI GetById adhoc folding should insert watchpoints for structures
    https://bugs.webkit.org/show_bug.cgi?id=260678
    rdar://114072069

    Reviewed by Keith Miller.

    For DFG AI GetById's variants, they are tuples of StructureSet and offset.
    So, we should not obtain constant property just with offset since we first need to
    ensure that the base object is having a structure in StructureSet.
    Let's say [S0, 0] [S1, 1] variants are produced. In that case, we should not load
    a value from offset 1 when object is S0. But previously we were doing that since
    only thing we checked is that base is S0 or S1.
    This patch just extends DFG AI GetById handling to use existing tryGetConstantProperty
    mechanism with StructureSet. This properly inserts replacement watchpoints too, so that
    we can guarantee that the loaded value is inferred constant (if it gets different, then
    watchpoint fires). And we correctly check that the current object's structure is meeting
    the requirement against *variant*'s structure set.

    * JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js: Added.
    (main.const.object1):
    (main.const.object2):
    (main.const.object3):
    (main.get opt):
    (main):
    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::inferredValueForProperty):
    * Source/JavaScriptCore/dfg/DFGGraph.h:

    Canonical link: https://commits.webkit.org/265870.440@safari-7616-branch

Identifier: 259548.895 at safari-7615.3.12.10-branch


  Commit: 50726bc7ea63d985cceb5644b9df39c12aec4ca1
      https://github.com/WebKit/WebKit/commit/50726bc7ea63d985cceb5644b9df39c12aec4ca1
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/Region.cpp

  Log Message:
  -----------
  Cherry-pick ca4f7c9b9939. rdar://115117566

    WebContent may get killed due to invalid RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message
    https://bugs.webkit.org/show_bug.cgi?id=260757
    rdar://113860744

    Reviewed by Aditya Keerthi.

    The fuzzer found a case where the RemoteLayerTreeDrawingAreaProxy_CommitLayerTree
    IPC message may fail decoding because its contains an invalid IntRect. After some
    investigation, I found that we didn't handle overflows in the arithmetics in
    Region::Shape::bounds(), which means that we could end up with an IntRect that
    had a negative width or height.

    In the fuzzer case, we ended up with the following values:
    minX=-2147483648, minY=3, maxX=62, maxY=2306

    We would compute the width doing `62 - (-2147483648)` which would overflow and end
    up with a negative width. We now use checkedDifference<int32_t>() to detect
    overflows and clamp to std::numeric_limits<int32_t>::max() when it happens.

    * Source/WebCore/platform/graphics/Region.cpp:
    (WebCore::Region::Shape::bounds const):

    Canonical link: https://commits.webkit.org/265870.452@safari-7616-branch

Identifier: 259548.896 at safari-7615.3.12.10-branch


  Commit: 868236e65c1f72013a6c795d2329327392e59048
      https://github.com/WebKit/WebKit/commit/868236e65c1f72013a6c795d2329327392e59048
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.h

  Log Message:
  -----------
  Cherry-pick f255dd40b82e. rdar://115118374

    CRASH in MediaRecorderPrivate::startRecording()
    https://bugs.webkit.org/show_bug.cgi?id=260736
    rdar://113544631

    Reviewed by Brent Fulgham and Eric Carlson.

    MediaRecorder can be destroyed before the completion handler passed to
    MediaRecorderPrivate::startRecording() is called. Detect this state by
    passing a WeakPtr into the completion handler lambda. Because MediaRecoder
    has multiple base classes which are CanMakeWeakPtr subclasses, disambiguate
    which subclass's WeakPtr implementation to use in the MediaRecoder class
    declaration.

    * Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:
    (WebCore::MediaRecorder::startRecording):
    * Source/WebCore/Modules/mediarecorder/MediaRecorder.h:

    Canonical link: https://commits.webkit.org/265870.463@safari-7616-branch

Identifier: 259548.897 at safari-7615.3.12.10-branch


  Commit: 632ef076d154f343a26555d919b2b6c27c6dc0f9
      https://github.com/WebKit/WebKit/commit/632ef076d154f343a26555d919b2b6c27c6dc0f9
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    A LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt
    A LayoutTests/webaudio/audioworklet-bad-array-type.html
    A LayoutTests/webaudio/bad-array-type-processor.js
    M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

  Log Message:
  -----------
  Cherry-pick 3be781681be0. rdar://115356129

    Bad jsCast<>() in copyDataFromJSArrayToBuses() in AudioWorkletProcessor.cpp
    https://bugs.webkit.org/show_bug.cgi?id=261289
    rdar://115042475

    Reviewed by Ryosuke Niwa.

    Use jsDynamicCast<>() instead of jsCast<>() in AudioWorkletProcessor.cpp for
    safety.

    * LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt: Added.
    * LayoutTests/webaudio/audioworklet-bad-array-type.html: Added.
    * LayoutTests/webaudio/bad-array-type-processor.js: Added.
    (CustomProcessor.prototype.process):
    (CustomProcessor):
    * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
    (WebCore::toJSArray):
    (WebCore::toJSObject):
    (WebCore::copyDataFromJSArrayToBuses):
    (WebCore::AudioWorkletProcessor::process):

    Canonical link: https://commits.webkit.org/265870.534@safari-7616-branch

Identifier: 259548.898 at safari-7615.3.12.10-branch


  Commit: 49486f0db7d4ea40e1be3112ecae50e993bb7b24
      https://github.com/WebKit/WebKit/commit/49486f0db7d4ea40e1be3112ecae50e993bb7b24
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    A LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt
    A LayoutTests/fast/forms/ua-shadow-select-all-behavior.html
    A LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt
    A LayoutTests/fast/forms/ua-shadow-select-all-crash.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/editing/VisibleSelection.cpp

  Log Message:
  -----------
  Cherry-pick 786e20b52145. rdar://115117993

    VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root
    https://bugs.webkit.org/show_bug.cgi?id=249862
    rdar://103683388

    Reviewed by Ryosuke Niwa.

    Cherry-pick the following fix from Blink:
    https://src.chromium.org/viewvc/blink?view=revision&revision=188788

    While WebKit doesn't crash in release with the Blink test case, it does
    hit the `ASSERT(!isShadowRoot());` assertion inside `Node::nonBoundaryShadowTreeRootNode()`
    on debug builds. Also, our selection behavior was vastly different from Chrome and Firefox.
    We would end up with a caret while Blink and Gecko would end up with a proper range
    selection. This patch aligns our behavior with Blink.

    * LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt: Added.
    * LayoutTests/fast/forms/ua-shadow-select-all-behavior.html: Added.
    * LayoutTests/fast/forms/ua-shadow-select-all-crash.html: Added.
    * LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt: Added.
    * Source/WebCore/editing/VisibleSelection.cpp:
    (WebCore::VisibleSelection::nonBoundaryShadowTreeRootNode const):

    Canonical link: https://commits.webkit.org/266505@main

Identifier: 259548.899 at safari-7615.3.12.10-branch


  Commit: 25d7bbafb60403b7ba079500922d9d8ab3befe0d
      https://github.com/WebKit/WebKit/commit/25d7bbafb60403b7ba079500922d9d8ab3befe0d
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm

  Log Message:
  -----------
  Cherry-pick 9052a0395b9b. rdar://115117683

    heap-use-after-free in WebKit::AudioSessionRoutingArbitratorProxy::logger
    https://bugs.webkit.org/show_bug.cgi?id=259836
    rdar://112774591

    Reviewed by Simon Fraser.

    Move the ALWAYS_LOG() inside the `if (weakThis)` scope since this macro will
    call `this->logger()`.

    * Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm:
    (WebKit::AudioSessionRoutingArbitratorProxy::beginRoutingArbitrationWithCategory):

    Canonical link: https://commits.webkit.org/265870.234@safari-7616-branch

Identifier: 259548.900 at safari-7615.3.12.10-branch


  Commit: 2337fd7fa421f8cb2760c52b330fc73fb2e2421f
      https://github.com/WebKit/WebKit/commit/2337fd7fa421f8cb2760c52b330fc73fb2e2421f
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Cherry-pick 8e677b301cae. rdar://115118584

    Main frame URL is wrong after server-side redirect to a page serving the COOP header
    https://bugs.webkit.org/show_bug.cgi?id=260046
    rdar://111855179

    Reviewed by Brent Fulgham and Alex Christensen.

    In the poc, the page is opening a popup (without opener) to the same origin URL1.
    This URL1 does a server-side redirect to URL2 which serves the `COOP: same-origin`
    HTTP header. After the navigation, Safari was displaying URL1 instead of URL2 in
    the URL bar.

    It is important to note that that 2 process-swap occur here. The first occurs when
    we do the navigation to URL1 in a popup that doesn't have an opener (in the
    decidePolicyForNavigationAction). The second one occurs when we receive the
    COOP header from URL2 (on navigation response).

    In ProvisionalPageProxy::didCreateMainFrame(), we have code which does the following:
    ```
    if (previousMainFrame && !previousMainFrame->provisionalURL().isEmpty()) {
            // In case of a process swap after response policy, the didStartProvisionalLoad already happened but the new main frame doesn't know about it
            // so we need to tell it so it can update its provisional URL.
            m_mainFrame->didStartProvisionalLoad(previousMainFrame->provisionalURL());
        }
    ```

    During the second process-swap, we forward the provisional URL from the committed
    frame to the provisional one. This is because the didStartProvisionalLoad IPC was
    handled by the committed main frame, before we decided to process-swap on resource
    response later on. As a result, the provisional main frame doesn't know yet about
    the provisional load and we have to let it know about it so it sets its provisional
    URL.

    This worked fine in the usual case where the COOP process-swap doesn't follow
    another process swap. However, in this case, the provisional URL got updated by
    an earlier server side redirect which got handled by a provisional frame, not the
    committed one. As a result, the committed frame didn't know about the latest
    provisional URL, only the original one before the server side redirect.

    To address the issue, whenever a provisional main frame receives a server-side
    redirect, we now let the committed main frame know about it too so that the
    committed frame's provisional URL always stays up-to-date. As a result, when
    ProvisionalPageProxy::didCreateMainFrame() forwards the committed frame's URL to
    the new provisional frame, it is now accurate.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrameShared):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

    Canonical link: https://commits.webkit.org/265870.357@safari-7616-branch

Identifier: 259548.901 at safari-7615.3.12.10-branch


  Commit: 6a9bfbc9e863768dce6aacf6cddc5c1dc46e3a51
      https://github.com/WebKit/WebKit/commit/6a9bfbc9e863768dce6aacf6cddc5c1dc46e3a51
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Revert "Cherry-pick 8e677b301cae. rdar://115118584"

This reverts commit 2337fd7fa421f8cb2760c52b330fc73fb2e2421f.

Identifier: 259548.902 at safari-7615.3.12.10-branch


  Commit: 5101a10ca8b33b9d25dbaefb6fe26b655184c673
      https://github.com/WebKit/WebKit/commit/5101a10ca8b33b9d25dbaefb6fe26b655184c673
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm

  Log Message:
  -----------
  Revert "Cherry-pick 9052a0395b9b. rdar://115117683"

This reverts commit 25d7bbafb60403b7ba079500922d9d8ab3befe0d.

Identifier: 259548.903 at safari-7615.3.12.10-branch


  Commit: 8b506daec82fca2a7a141814458d1603d0dcd307
      https://github.com/WebKit/WebKit/commit/8b506daec82fca2a7a141814458d1603d0dcd307
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    R LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt
    R LayoutTests/fast/forms/ua-shadow-select-all-behavior.html
    R LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt
    R LayoutTests/fast/forms/ua-shadow-select-all-crash.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/editing/VisibleSelection.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 786e20b52145. rdar://115117993"

This reverts commit 49486f0db7d4ea40e1be3112ecae50e993bb7b24.

Identifier: 259548.904 at safari-7615.3.12.10-branch


  Commit: 807b83668b24b5b74f3845631acb94cce5eb53b2
      https://github.com/WebKit/WebKit/commit/807b83668b24b5b74f3845631acb94cce5eb53b2
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    R LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt
    R LayoutTests/webaudio/audioworklet-bad-array-type.html
    R LayoutTests/webaudio/bad-array-type-processor.js
    M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 3be781681be0. rdar://115356129"

This reverts commit 632ef076d154f343a26555d919b2b6c27c6dc0f9.

Identifier: 259548.905 at safari-7615.3.12.10-branch


  Commit: 1e73b880d77c62d899e9c931533bf7a0169465d9
      https://github.com/WebKit/WebKit/commit/1e73b880d77c62d899e9c931533bf7a0169465d9
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.h

  Log Message:
  -----------
  Revert "Cherry-pick f255dd40b82e. rdar://115118374"

This reverts commit 868236e65c1f72013a6c795d2329327392e59048.

Identifier: 259548.906 at safari-7615.3.12.10-branch


  Commit: 2eb00ed465109e426c614ef25767e7ff978cc947
      https://github.com/WebKit/WebKit/commit/2eb00ed465109e426c614ef25767e7ff978cc947
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/Region.cpp

  Log Message:
  -----------
  Revert "Cherry-pick ca4f7c9b9939. rdar://115117566"

This reverts commit 50726bc7ea63d985cceb5644b9df39c12aec4ca1.

Identifier: 259548.907 at safari-7615.3.12.10-branch


  Commit: 8b4c67c3ae5a422f4e104346a09c772a6bdfee84
      https://github.com/WebKit/WebKit/commit/8b4c67c3ae5a422f4e104346a09c772a6bdfee84
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    R JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h

  Log Message:
  -----------
  Revert "Cherry-pick 965be685c2ff. rdar://115117939"

This reverts commit 792ed78d229e23b18ef2145d6d428ab1d340e6e7.

Identifier: 259548.908 at safari-7615.3.12.10-branch


  Commit: 6fb4b8b8c1629e826ef9cae90d90234f7e092843
      https://github.com/WebKit/WebKit/commit/6fb4b8b8c1629e826ef9cae90d90234f7e092843
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.h

  Log Message:
  -----------
  Revert "Cherry-pick 76715edd316d. rdar://115118161"

This reverts commit 9b3803f40e2de20340db6c8255cfa978cc8d0940.

Identifier: 259548.909 at safari-7615.3.12.10-branch


  Commit: b562f311131fc0ac27b0113450586774b28eecaf
      https://github.com/WebKit/WebKit/commit/b562f311131fc0ac27b0113450586774b28eecaf
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/mac/ScrollbarsControllerMac.mm

  Log Message:
  -----------
  Revert "Cherry-pick bf54ee3c4df6. rdar://115118171"

This reverts commit 24e85d20f500fb322fb0e469384e00375fe1c189.

Identifier: 259548.910 at safari-7615.3.12.10-branch


  Commit: 025e9f546d7315faa4406e5ad990374989cf8482
      https://github.com/WebKit/WebKit/commit/025e9f546d7315faa4406e5ad990374989cf8482
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7616.1.27.10.14

Identifier: 259548.911 at safari-7615.3.12.10-branch


  Commit: 4123060b88256fc5ea5a55e350c5c681fd9696b5
      https://github.com/WebKit/WebKit/commit/4123060b88256fc5ea5a55e350c5c681fd9696b5
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.12.10.4

Identifier: 259548.912 at safari-7615.3.12.10-branch


  Commit: 507d4c4e70d48e5c5021004a240a2a88a0619b50
      https://github.com/WebKit/WebKit/commit/507d4c4e70d48e5c5021004a240a2a88a0619b50
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2023-09-14 (Thu, 14 Sep 2023)

  Changed paths:
    A JSTests/stress/getbyoffset-cse-consistency.js
    A JSTests/stress/multigetbyoffset-cse-consistency.js
    M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGHeapLocation.h

  Log Message:
  -----------
  Cherry-pick 47e039ffd689. rdar://115399657

    clobberize needs to be more precise with the *ByOffset nodes
    https://bugs.webkit.org/show_bug.cgi?id=261544
    rdar://115399657

    Reviewed by Yusuke Suzuki and Mark Lam.

    CSE phase uses clobberize to figure out if it's safe to merge two operations that
    def the same HeapLocation. Since HeapLocation does not currently have a way to
    track the offset used by the various *ByOffset nodes it can get confused and
    think that two ByOffset instructions produce the same value even if they don't
    use the same offset. This patch solves this by adding a new field to HeapLocation,
    which takes the metadata associated with the corresponding *ByOffset node. If two
    *ByOffset operations don't share the same metadata then they cannot be CSEed.

    * Source/JavaScriptCore/dfg/DFGCSEPhase.cpp:
    * Source/JavaScriptCore/dfg/DFGClobberize.h:
    (JSC::DFG::clobberize):
    * Source/JavaScriptCore/dfg/DFGHeapLocation.h:
    (JSC::DFG::HeapLocation::HeapLocation):
    (JSC::DFG::HeapLocation::extraState const):
    (JSC::DFG::HeapLocation::hash const):

    Canonical link: https://commits.webkit.org/265870.558@safari-7616-branch

Identifier: 259548.913 at safari-7615.3.12.10-branch


  Commit: f0ea657d7fd027429d9fb96452477d665916e90c
      https://github.com/WebKit/WebKit/commit/f0ea657d7fd027429d9fb96452477d665916e90c
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.12.10.5

Identifier: 259548.914 at safari-7615.3.12.10-branch


  Commit: e570d78b88a366ae349a31acf2575e7993f08824
      https://github.com/WebKit/WebKit/commit/e570d78b88a366ae349a31acf2575e7993f08824
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt
    A LayoutTests/fast/forms/ua-shadow-select-all-behavior.html
    A LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt
    A LayoutTests/fast/forms/ua-shadow-select-all-crash.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/editing/VisibleSelection.cpp

  Log Message:
  -----------
  Cherry-pick 786e20b52145. rdar://115117993

    VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root
    https://bugs.webkit.org/show_bug.cgi?id=249862
    rdar://103683388

    Reviewed by Ryosuke Niwa.

    Cherry-pick the following fix from Blink:
    https://src.chromium.org/viewvc/blink?view=revision&revision=188788

    While WebKit doesn't crash in release with the Blink test case, it does
    hit the `ASSERT(!isShadowRoot());` assertion inside `Node::nonBoundaryShadowTreeRootNode()`
    on debug builds. Also, our selection behavior was vastly different from Chrome and Firefox.
    We would end up with a caret while Blink and Gecko would end up with a proper range
    selection. This patch aligns our behavior with Blink.

    * LayoutTests/fast/forms/ua-shadow-select-all-behavior-expected.txt: Added.
    * LayoutTests/fast/forms/ua-shadow-select-all-behavior.html: Added.
    * LayoutTests/fast/forms/ua-shadow-select-all-crash.html: Added.
    * LayoutTests/fast/forms/ua-shadow-select-all-crash-expected.txt: Added.
    * Source/WebCore/editing/VisibleSelection.cpp:
    (WebCore::VisibleSelection::nonBoundaryShadowTreeRootNode const):

    Canonical link: https://commits.webkit.org/266505@main

Identifier: 259548.915 at safari-7615.3.12.10-branch


  Commit: 33945879631e9381af300106c5979d2dbe9fd8a3
      https://github.com/WebKit/WebKit/commit/33945879631e9381af300106c5979d2dbe9fd8a3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm

  Log Message:
  -----------
  Cherry-pick 9052a0395b9b. rdar://115117683

    heap-use-after-free in WebKit::AudioSessionRoutingArbitratorProxy::logger
    https://bugs.webkit.org/show_bug.cgi?id=259836
    rdar://112774591

    Reviewed by Simon Fraser.

    Move the ALWAYS_LOG() inside the `if (weakThis)` scope since this macro will
    call `this->logger()`.

    * Source/WebKit/UIProcess/Media/cocoa/AudioSessionRoutingArbitratorProxyCocoa.mm:
    (WebKit::AudioSessionRoutingArbitratorProxy::beginRoutingArbitrationWithCategory):

    Canonical link: https://commits.webkit.org/265870.234@safari-7616-branch

Identifier: 259548.916 at safari-7615.3.12.10-branch


  Commit: 79a05f1aac54ab42f93e213606bd06dfd7b1ed88
      https://github.com/WebKit/WebKit/commit/79a05f1aac54ab42f93e213606bd06dfd7b1ed88
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/mac/ScrollbarsControllerMac.mm

  Log Message:
  -----------
  Cherry-pick bf54ee3c4df6. rdar://115118171

    Use-after-free under WebCore::Scrollbar::supportsUpdateOnSecondaryThread()
    https://bugs.webkit.org/show_bug.cgi?id=259890
    rdar://113037440

    Reviewed by Ryosuke Niwa.

    Use a WeakPtr for _scrollbar instead of a raw pointer and add a null-check
    in [WebScrollbarPartAnimation setCurrentProgress:].

    * Source/WebCore/platform/mac/ScrollbarsControllerMac.mm:
    (-[WebScrollbarPartAnimation setCurrentProgress:]):
    (-[WebScrollerImpDelegate setUpAlphaAnimation:scrollerPainter:part:animateAlphaTo:duration:]):
    (-[WebScrollerImpDelegate scrollerImp:animateUIStateTransitionWithDuration:]):
    (-[WebScrollerImpDelegate scrollerImp:animateExpansionTransitionWithDuration:]):

    Canonical link: https://commits.webkit.org/265870.236@safari-7616-branch

Identifier: 259548.917 at safari-7615.3.12.10-branch


  Commit: 5fa15e8d43220df42884750170ed3849d8a0417c
      https://github.com/WebKit/WebKit/commit/5fa15e8d43220df42884750170ed3849d8a0417c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.h

  Log Message:
  -----------
  Cherry-pick 76715edd316d. rdar://115118161

    Potential use-after-free of the VM under ~FetchEvent()
    https://bugs.webkit.org/show_bug.cgi?id=259896
    rdar://113148936

    Reviewed by Brent Fulgham.

    The VM gets destroyed in between the call for WorkerGlobalScope::prepareForDestruction()
    and the call for the WorkerGlobalScope destructor. The crash trace indicates that
    the ServiceWorkerGlobalScope destructor destroys FetchEvent objects which end up needing
    the VM in their destructor.

    This is a speculative fix as I cannot reproduce the issue. Brady already imported the
    test case at 266608 at main.

    * Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:
    (WebCore::ServiceWorkerGlobalScope::prepareForDestruction):
    * Source/WebCore/workers/service/ServiceWorkerGlobalScope.h:

    Canonical link: https://commits.webkit.org/265870.237@safari-7616-branch

Identifier: 259548.918 at safari-7615.3.12.10-branch


  Commit: de7738b47381099fcf2a09f446c8903a3795da7f
      https://github.com/WebKit/WebKit/commit/de7738b47381099fcf2a09f446c8903a3795da7f
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h

  Log Message:
  -----------
  Cherry-pick 965be685c2ff. rdar://115117939

    [JSC] DFG AI GetById adhoc folding should insert watchpoints for structures
    https://bugs.webkit.org/show_bug.cgi?id=260678
    rdar://114072069

    Reviewed by Keith Miller.

    For DFG AI GetById's variants, they are tuples of StructureSet and offset.
    So, we should not obtain constant property just with offset since we first need to
    ensure that the base object is having a structure in StructureSet.
    Let's say [S0, 0] [S1, 1] variants are produced. In that case, we should not load
    a value from offset 1 when object is S0. But previously we were doing that since
    only thing we checked is that base is S0 or S1.
    This patch just extends DFG AI GetById handling to use existing tryGetConstantProperty
    mechanism with StructureSet. This properly inserts replacement watchpoints too, so that
    we can guarantee that the loaded value is inferred constant (if it gets different, then
    watchpoint fires). And we correctly check that the current object's structure is meeting
    the requirement against *variant*'s structure set.

    * JSTests/stress/same-offset-different-property-name-multiple-get-by-variants.js: Added.
    (main.const.object1):
    (main.const.object2):
    (main.const.object3):
    (main.get opt):
    (main):
    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::inferredValueForProperty):
    * Source/JavaScriptCore/dfg/DFGGraph.h:

    Canonical link: https://commits.webkit.org/265870.440@safari-7616-branch

Identifier: 259548.919 at safari-7615.3.12.10-branch


  Commit: 3b5eaf84fcdcfab616c94c373cd4d518780b812a
      https://github.com/WebKit/WebKit/commit/3b5eaf84fcdcfab616c94c373cd4d518780b812a
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/Region.cpp

  Log Message:
  -----------
  Cherry-pick ca4f7c9b9939. rdar://115117566

    WebContent may get killed due to invalid RemoteLayerTreeDrawingAreaProxy_CommitLayerTree IPC message
    https://bugs.webkit.org/show_bug.cgi?id=260757
    rdar://113860744

    Reviewed by Aditya Keerthi.

    The fuzzer found a case where the RemoteLayerTreeDrawingAreaProxy_CommitLayerTree
    IPC message may fail decoding because its contains an invalid IntRect. After some
    investigation, I found that we didn't handle overflows in the arithmetics in
    Region::Shape::bounds(), which means that we could end up with an IntRect that
    had a negative width or height.

    In the fuzzer case, we ended up with the following values:
    minX=-2147483648, minY=3, maxX=62, maxY=2306

    We would compute the width doing `62 - (-2147483648)` which would overflow and end
    up with a negative width. We now use checkedDifference<int32_t>() to detect
    overflows and clamp to std::numeric_limits<int32_t>::max() when it happens.

    * Source/WebCore/platform/graphics/Region.cpp:
    (WebCore::Region::Shape::bounds const):

    Canonical link: https://commits.webkit.org/265870.452@safari-7616-branch

Identifier: 259548.920 at safari-7615.3.12.10-branch


  Commit: 4ddf36297402d7bcc2dc6bea29ac58113970c402
      https://github.com/WebKit/WebKit/commit/4ddf36297402d7bcc2dc6bea29ac58113970c402
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
    M Source/WebCore/Modules/mediarecorder/MediaRecorder.h

  Log Message:
  -----------
  Cherry-pick f255dd40b82e. rdar://115118374

    CRASH in MediaRecorderPrivate::startRecording()
    https://bugs.webkit.org/show_bug.cgi?id=260736
    rdar://113544631

    Reviewed by Brent Fulgham and Eric Carlson.

    MediaRecorder can be destroyed before the completion handler passed to
    MediaRecorderPrivate::startRecording() is called. Detect this state by
    passing a WeakPtr into the completion handler lambda. Because MediaRecoder
    has multiple base classes which are CanMakeWeakPtr subclasses, disambiguate
    which subclass's WeakPtr implementation to use in the MediaRecoder class
    declaration.

    * Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:
    (WebCore::MediaRecorder::startRecording):
    * Source/WebCore/Modules/mediarecorder/MediaRecorder.h:

    Canonical link: https://commits.webkit.org/265870.463@safari-7616-branch

Identifier: 259548.921 at safari-7615.3.12.10-branch


  Commit: 648cf5654b22bc51cd53bedeada467f06c1743b3
      https://github.com/WebKit/WebKit/commit/648cf5654b22bc51cd53bedeada467f06c1743b3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt
    A LayoutTests/webaudio/audioworklet-bad-array-type.html
    A LayoutTests/webaudio/bad-array-type-processor.js
    M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

  Log Message:
  -----------
  Cherry-pick 3be781681be0. rdar://115356129

    Bad jsCast<>() in copyDataFromJSArrayToBuses() in AudioWorkletProcessor.cpp
    https://bugs.webkit.org/show_bug.cgi?id=261289
    rdar://115042475

    Reviewed by Ryosuke Niwa.

    Use jsDynamicCast<>() instead of jsCast<>() in AudioWorkletProcessor.cpp for
    safety.

    * LayoutTests/webaudio/audioworklet-bad-array-type-expected.txt: Added.
    * LayoutTests/webaudio/audioworklet-bad-array-type.html: Added.
    * LayoutTests/webaudio/bad-array-type-processor.js: Added.
    (CustomProcessor.prototype.process):
    (CustomProcessor):
    * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
    (WebCore::toJSArray):
    (WebCore::toJSObject):
    (WebCore::copyDataFromJSArrayToBuses):
    (WebCore::AudioWorkletProcessor::process):

    Canonical link: https://commits.webkit.org/265870.534@safari-7616-branch

Identifier: 259548.922 at safari-7615.3.12.10-branch


  Commit: b448c1f4df8f262f3442e5a33985c42b9efb5be3
      https://github.com/WebKit/WebKit/commit/b448c1f4df8f262f3442e5a33985c42b9efb5be3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Cherry-pick 8e677b301cae. rdar://115118584

    Main frame URL is wrong after server-side redirect to a page serving the COOP header
    https://bugs.webkit.org/show_bug.cgi?id=260046
    rdar://111855179

    Reviewed by Brent Fulgham and Alex Christensen.

    In the poc, the page is opening a popup (without opener) to the same origin URL1.
    This URL1 does a server-side redirect to URL2 which serves the `COOP: same-origin`
    HTTP header. After the navigation, Safari was displaying URL1 instead of URL2 in
    the URL bar.

    It is important to note that that 2 process-swap occur here. The first occurs when
    we do the navigation to URL1 in a popup that doesn't have an opener (in the
    decidePolicyForNavigationAction). The second one occurs when we receive the
    COOP header from URL2 (on navigation response).

    In ProvisionalPageProxy::didCreateMainFrame(), we have code which does the following:
    ```
    if (previousMainFrame && !previousMainFrame->provisionalURL().isEmpty()) {
            // In case of a process swap after response policy, the didStartProvisionalLoad already happened but the new main frame doesn't know about it
            // so we need to tell it so it can update its provisional URL.
            m_mainFrame->didStartProvisionalLoad(previousMainFrame->provisionalURL());
        }
    ```

    During the second process-swap, we forward the provisional URL from the committed
    frame to the provisional one. This is because the didStartProvisionalLoad IPC was
    handled by the committed main frame, before we decided to process-swap on resource
    response later on. As a result, the provisional main frame doesn't know yet about
    the provisional load and we have to let it know about it so it sets its provisional
    URL.

    This worked fine in the usual case where the COOP process-swap doesn't follow
    another process swap. However, in this case, the provisional URL got updated by
    an earlier server side redirect which got handled by a provisional frame, not the
    committed one. As a result, the committed frame didn't know about the latest
    provisional URL, only the original one before the server side redirect.

    To address the issue, whenever a provisional main frame receives a server-side
    redirect, we now let the committed main frame know about it too so that the
    committed frame's provisional URL always stays up-to-date. As a result, when
    ProvisionalPageProxy::didCreateMainFrame() forwards the committed frame's URL to
    the new provisional frame, it is now accurate.

    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrameShared):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

    Canonical link: https://commits.webkit.org/265870.357@safari-7616-branch

Identifier: 259548.923 at safari-7615.3.12.110-branch


  Commit: e6679e96603c14bf1d15d7049791f5fff9e9f235
      https://github.com/WebKit/WebKit/commit/e6679e96603c14bf1d15d7049791f5fff9e9f235
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A JSTests/stress/regexp-vflag-property-of-strings.js
    M Source/JavaScriptCore/yarr/YarrPattern.cpp

  Log Message:
  -----------
  Cherry-pick b5b70c4574a7. rdar://115117991

    CrashOnOverflow in CharacterClassConstructor::compareUTF32Strings
    https://bugs.webkit.org/show_bug.cgi?id=260173
    rdar://113872060

    Reviewed by Ryosuke Niwa.

    Fixed and simplified the the sort comparison function compareUTF32Strings() to properly handle
    zero length strings.

    Added relevant tests.

    * JSTests/stress/regexp-vflag-property-of-strings.js:
    * Source/JavaScriptCore/yarr/YarrPattern.cpp:
    (JSC::Yarr::CharacterClassConstructor::compareUTF32Strings):

    Canonical link: https://commits.webkit.org/265870.381@safari-7616-branch

Identifier: 259548.924 at safari-7615.3.12.110-branch


  Commit: 5e0a52e051428772e7ad9676aecaeb1d459dd823
      https://github.com/WebKit/WebKit/commit/5e0a52e051428772e7ad9676aecaeb1d459dd823
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A JSTests/stress/date-set-time-purify-nan.js
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Cherry-pick aa32244a89e7. rdar://115117919

    [JSC] Purify NaN for Date#setTime DFG / FTL implementations
    https://bugs.webkit.org/show_bug.cgi?id=260497
    rdar://114177456

    Reviewed by Mark Lam.

    Date#setTime should purify NaN, otherwise, it can put arbitrary NaN boxed values, and cause type-confusion.
    We can just use canonical NaN when the input is NaN.

    * JSTests/stress/date-set-time-purify-nan.js: Added.
    (opt):
    (main):
    * Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compileDateSet):
    * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

    Canonical link: https://commits.webkit.org/265870.404@safari-7616-branch

Identifier: 259548.925 at safari-7615.3.12.110-branch


  Commit: 1e5cfca79733110eaf11d6ab04402f31d5980a3d
      https://github.com/WebKit/WebKit/commit/1e5cfca79733110eaf11d6ab04402f31d5980a3d
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Source/WebCore/html/HTMLInputElement.cpp
    M Source/WebCore/html/HTMLInputElement.h
    M Source/WebKit/Platform/spi/ios/UIKitSPI.h
    M Source/WebKit/Shared/FocusedElementInformation.h
    M Source/WebKit/Shared/FocusedElementInformation.serialization.in
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
    M Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm
    M Tools/TestWebKitAPI/Tests/ios/AutocorrectionTestsIOS.mm
    M Tools/TestWebKitAPI/ios/UIKitSPI.h

  Log Message:
  -----------
  Cherry-pick 5cfdf9b1cbac. rdar://115117725

    [iOS] Keyboard should not learn autocorrections after revealing password in Gmail login flow
    https://bugs.webkit.org/show_bug.cgi?id=260864
    rdar://111393742

    Reviewed by Aditya Keerthi.

    When focusing and editing secure inputs (i.e. input type="password"), we set `isSecureTextEntry` on
    `UITextInputTraits` to `YES`, which disables autocorrection learning when the user types in this
    field, suppresses the keyboard in screen recordings, and more.

    However, some webpages (e.g. Gmail login) offer the ability to reveal the password as plain text as
    a convenience to the user — this typically works by changing the input type from `"password"` to
    just `"text"`. This currently causes all of the secure text entry behaviors to be disabled, which
    includes disabling correction learning; this is undesirable, since the password may be offered as an
    autocorrection candidate when editing in other plain text fields in the future, in non-secure
    contexts.

    Because the user opted to reveal the input, it doesn't really make sense to treat the input as fully
    secure (for instance, there's no reason to suppress keyboard visibility in screen recordings if the
    password text itself is fully visible). However, we need to (at least) prevent the keyboard from
    learning suggestions when typing in this field. To achieve this, we add a flag on `HTMLInputElement`
    to remember whether it was ever a password field; if so, we set the `-learnsCorrections` property on
    text input traits to `NO`.

    Test: AutocorrectionTests.DoNotLearnCorrectionsAfterChangingInputTypeFromPassword

    * Source/WebCore/html/HTMLInputElement.cpp:
    (WebCore::HTMLInputElement::runPostTypeUpdateTasks):

    Set `m_hasEverBeenPasswordField` here.

    * Source/WebCore/html/HTMLInputElement.h:
    (WebCore::HTMLInputElement::hasEverBeenPasswordField const):
    * Source/WebKit/Platform/spi/ios/UIKitSPI.h:
    * Source/WebKit/Shared/FocusedElementInformation.h:
    * Source/WebKit/Shared/FocusedElementInformation.serialization.in:
    * Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
    (-[WKContentView _updateTextInputTraits:]):

    Consult `hasEverBeenPasswordField` on the focused element information, and disable learning from
    corrections if it's set.

    * Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:

    Propagate `hasEverBeenPasswordField` state to the UI process when focusing an input element.

    (WebKit::WebPage::focusedElementInformation):
    * Tools/TestWebKitAPI/Tests/ios/AutocorrectionTestsIOS.mm:

    Add an API test to exercise the change.

    * Tools/TestWebKitAPI/ios/UIKitSPI.h:

    Canonical link: https://commits.webkit.org/265870.476@safari-7616-branch

Identifier: 259548.926 at safari-7615.3.12.110-branch


  Commit: e6cb6ef7711d6f7b652b91e30050f7ac84cdce79
      https://github.com/WebKit/WebKit/commit/e6cb6ef7711d6f7b652b91e30050f7ac84cdce79
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A LayoutTests/fast/css/style-scope-destruction-crash-expected.txt
    A LayoutTests/fast/css/style-scope-destruction-crash.html
    M Source/WebCore/rendering/PathOperation.cpp
    M Source/WebCore/rendering/PathOperation.h
    M Source/WebCore/style/StyleScope.cpp

  Log Message:
  -----------
  Cherry-pick 382b02a5fc10. rdar://115118348

    heap-use-after-free | Style::Scope::removeStyleSheetCandidateNode; WebCore::SVGStyleElement::~SVGStyleElement; WebCore::ContainerNode::~ContainerNode
    https://bugs.webkit.org/show_bug.cgi?id=260896
    rdar://114231775

    Reviewed by Alan Baradlay.

    * LayoutTests/fast/css/style-scope-destruction-crash-expected.txt: Added.
    * LayoutTests/fast/css/style-scope-destruction-crash.html: Added.
    * Source/WebCore/rendering/PathOperation.cpp:
    (WebCore::ReferencePathOperation::ReferencePathOperation):
    (WebCore::ReferencePathOperation::element const): Deleted.

    Get rid of the unused element field. This creates a RenderStyle -> DOM ownership cycle which
    allows this crash to happen.

    * Source/WebCore/rendering/PathOperation.h:
    * Source/WebCore/style/StyleScope.cpp:
    (WebCore::Style::Scope::~Scope):

    Ensure we revoke weak pointers at the start of the destructor to avoid this class of problems.

    Canonical link: https://commits.webkit.org/265870.481@safari-7616-branch

Identifier: 259548.927 at safari-7615.3.12.110-branch


  Commit: 58c22ddc96ea16fff6b1b8ce3fbce0d04d7cc041
      https://github.com/WebKit/WebKit/commit/58c22ddc96ea16fff6b1b8ce3fbce0d04d7cc041
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A JSTests/stress/regress-114860483.js
    M Source/JavaScriptCore/runtime/JSObject.cpp
    M Source/JavaScriptCore/runtime/JSObjectInlines.h

  Log Message:
  -----------
  Cherry-pick 049d074c4b1b. rdar://115356049

    JSObject::anyObjectInChainMayInterceptIndexedAccesses and JSObject::didBecomePrototype need to account for JSGlobalProxy
    https://bugs.webkit.org/show_bug.cgi?id=261287
    rdar://114860483

    Reviewed by Yusuke Suzuki.

    Since JSObject::anyObjectInChainMayInterceptIndexedAccesses() walks up the [[Prototype]] chain,
    whenever an indexed property is defined on a JSGlobalObject, we should add MayHaveIndexedAccessors
    flag to JSGlobalProxy instead.

    Currently, mayInterceptIndexedAccesses() is never queried on JSGlobalObject instances.

    This change also fixes mayBePrototype() to be queried from JSGlobalProxy rather than JSGlobalObject,
    which is correct given setPrototypeDirect() used to call didBecomePrototype() only on the proxy.
    However, for extra robustness, this we propagate didBecomePrototype() to the global object as well.

    * JSTests/stress/regress-114860483.js: Added.
    * Source/JavaScriptCore/runtime/JSObjectInlines.h:
    (JSC::JSObject::didBecomePrototype):
    * Source/JavaScriptCore/runtime/JSObject.cpp:
    (JSC::JSObject::notifyPresenceOfIndexedAccessors):

    Canonical link: https://commits.webkit.org/265870.535@safari-7616-branch

Identifier: 259548.928 at safari-7615.3.12.110-branch


  Commit: 5cd0140ab8bdf422bdcf5512ffb6bcbe58947a5b
      https://github.com/WebKit/WebKit/commit/5cd0140ab8bdf422bdcf5512ffb6bcbe58947a5b
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    A LayoutTests/animations/resolve-animation-should-not-execute-scripts-expected.txt
    A LayoutTests/animations/resolve-animation-should-not-execute-scripts.html
    M LayoutTests/platform/ios/imported/w3c/web-platform-tests/screen-orientation/active-lock-expected.txt
    M Source/WebCore/Modules/paymentrequest/PaymentRequest.cpp
    M Source/WebCore/Modules/paymentrequest/PaymentResponse.cpp
    M Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp
    M Source/WebCore/animation/WebAnimation.cpp
    M Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp
    M Source/WebCore/dom/TaskSource.h
    M Source/WebCore/page/ScreenOrientation.cpp

  Log Message:
  -----------
  Cherry-pick 6d865c4bf3da. rdar://115356270

    ScriptDisallowedScope bypass via a `then` getter in Document::updateStyleIfNeeded
    https://bugs.webkit.org/show_bug.cgi?id=261256
    <rdar://114545310>

    Reviewed by Ryosuke Niwa.

    This PR addresses several bugs:
    1. There is a ScriptDisallowedScope bypass via DeferredPromise::callFunction.
    2. WebAnimation::resolve() tries to execute scripts by rejecting promises during updateStyle.
    3. WebAnimation::cancel() and WebAnimation::resetPendingTasks() also tries to execute scripts by
    rejecting promises during updateStyle.
    4. PaymentRequest and PaymentResponse try to reject promises during active DOM object suspension
    as well as the script execution context is being stopped.
    5. WebAudio tries to reject promises during active DOM object suspension.

    For (1), this PR adds a release assertion in DeferredPromise::callFunction like the one we have in
    ScriptController::canExecuteScripts. Note this has to be a thread safe variant since this code can be
    executed in a worker thread.

    For (2), this PR makes WebAnimation::resolve call updateFinishedState with SynchronouslyNotify::No
    instead of SynchronouslyNotify::Yes. Note that in the spec [1], the only scenario in which this flag
    is set to yes is when the author script calls finish() on an Animation object.

    For (3), (4), and (5), this PR makes these actions asynchronous by scheduling a task / microtask
    instead of synchronously rejecting promises.

    [1] https://drafts.csswg.org/web-animations-1/#update-an-animations-finished-state

    Based on original patch by Ryosuke Niwa.

    * LayoutTests/animations/resolve-animation-should-not-execute-scripts-expected.txt: Added.
    * LayoutTests/animations/resolve-animation-should-not-execute-scripts.html: Added.

    * Source/WebCore/Modules/paymentrequest/PaymentRequest.cpp:
    (WebCore::PaymentRequest::~PaymentRequest): Now allows pending activity to exist when the associated
    script execution context had been stopped.
    (WebCore::PaymentRequest::stop): Don't try to settle the promise in the middle of stopping this
    active DOM object.
    (WebCore::PaymentRequest::suspend): Ditto for suspension. Schedule a task to settle promise instead.

    * Source/WebCore/Modules/paymentrequest/PaymentResponse.cpp:
    (WebCore::PaymentResponse::~PaymentResponse): Now allows pending activity to exist when
    the associated script execution context had been stopped.
    (WebCore::PaymentResponse::suspend): Don't try to settle the promise in the middle of stopping this
    active DOM object.

    * Source/WebCore/Modules/webaudio/OfflineAudioContext.cpp:
    (WebCore::OfflineAudioContext::uninitialize): Don't reject the promise when the active DOM objects
    had already been stopped.

    * Source/WebCore/animation/WebAnimation.cpp:
    (WebCore::WebAnimation::cancel): Reject the finished promise in a newly scheduled task instead of
    synchronously rejecting it, which would result in script execution.
    (WebCore::WebAnimation::resolve): Resolve the promise asynchronously.

    * Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:
    (WebCore::DeferredPromise::callFunction): Added a release assertion.
    * Source/WebCore/dom/TaskSource.h:

    Canonical link: https://commits.webkit.org/265870.536@safari-7616-branch

Identifier: 259548.929 at safari-7615.3.12.110-branch


  Commit: c20b0d48d07c35dbcc2af413fedc7eebe560441e
      https://github.com/WebKit/WebKit/commit/c20b0d48d07c35dbcc2af413fedc7eebe560441e
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.12.110.1

Identifier: 259548.930 at safari-7615.3.12.110-branch


  Commit: 4cab6603a8ce89064e73ef4421a3624af53f2c57
      https://github.com/WebKit/WebKit/commit/4cab6603a8ce89064e73ef4421a3624af53f2c57
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-15 (Fri, 15 Sep 2023)

  Changed paths:
    R JSTests/stress/date-set-time-purify-nan.js
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Revert "Cherry-pick aa32244a89e7. rdar://115117919"

This reverts commit 5e0a52e051428772e7ad9676aecaeb1d459dd823.

Identifier: 259548.931 at safari-7615.3.12.110-branch


  Commit: 1fe3c68813c1ba72e35a618e708207384e27eb65
      https://github.com/WebKit/WebKit/commit/1fe3c68813c1ba72e35a618e708207384e27eb65
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-18 (Mon, 18 Sep 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/JSObjectInlines.h

  Log Message:
  -----------
  Unreviewed build fix. rdar://115356049

Identifier: 259548.932 at safari-7615.3.12.110-branch


  Commit: f04c47a02dfa2107c1721aee1b8def9dda15b3dd
      https://github.com/WebKit/WebKit/commit/f04c47a02dfa2107c1721aee1b8def9dda15b3dd
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-19 (Tue, 19 Sep 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/JSObjectInlines.h

  Log Message:
  -----------
  Unreviewed build fix. rdar://115356049

Identifier: 259548.933 at safari-7615.3.12.110-branch


  Commit: d2440f97bb6b275e5528f69d4bd3573e891b418f
      https://github.com/WebKit/WebKit/commit/d2440f97bb6b275e5528f69d4bd3573e891b418f
  Author: Andres Gonzalez <andresg_22 at apple.com>
  Date:   2023-09-19 (Tue, 19 Sep 2023)

  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  Cherry-pick 0f4469003671. rdar://115355939

    AX: Heap-use-after-free in WebCore::AXObjectCache::get(WebCore::Node*)+0x41c
    rdar://113770369

    Reviewed by Ryosuke Niwa.

    This UAF is most likely caused by a mutation in the WeakListHashSet while iterating over it. This patch avoids the problem by copying the set to a Vector and iterating over the Vector.
    The same technique is applied to another iteration over a WeakListHashsSet, m_deferredNodeAddedOrRemovedList, in the same method.

    * Source/WebCore/accessibility/AXObjectCache.cpp:
    (WebCore::AXObjectCache::performDeferredCacheUpdate):

    Canonical link: https://commits.webkit.org/265870.560@safari-7616-branch

Identifier: 259548.934 at safari-7615.3.12.110-branch


  Commit: f463b02b2f3717d2cbbc2642c5a9d43d78b2f8cc
      https://github.com/WebKit/WebKit/commit/f463b02b2f3717d2cbbc2642c5a9d43d78b2f8cc
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-19 (Tue, 19 Sep 2023)

  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 0f4469003671. rdar://115355939"

This reverts commit d2440f97bb6b275e5528f69d4bd3573e891b418f.

Identifier: 259548.935 at safari-7615.3.12.110-branch


  Commit: 7b18539dbbdc9811775b74a178ec58bdc9bc47d2
      https://github.com/WebKit/WebKit/commit/7b18539dbbdc9811775b74a178ec58bdc9bc47d2
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-20 (Wed, 20 Sep 2023)

  Changed paths:
    M Source/WebCore/rendering/PathOperation.h

  Log Message:
  -----------
  Unreviewed build fix. rdar://115356049

Identifier: 259548.936 at safari-7615.3.12.110-branch


  Commit: 1623bbffa872735d1cd33ff648866246611b1183
      https://github.com/WebKit/WebKit/commit/1623bbffa872735d1cd33ff648866246611b1183
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-20 (Wed, 20 Sep 2023)

  Changed paths:
    M Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp

  Log Message:
  -----------
  Unreviewed build fix. rdar://115356270

Identifier: 259548.937 at safari-7615.3.12.110-branch


  Commit: 779dea5f3ecc5133409ecc20640d6d444d93fd52
      https://github.com/WebKit/WebKit/commit/779dea5f3ecc5133409ecc20640d6d444d93fd52
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-21 (Thu, 21 Sep 2023)

  Changed paths:
    R JSTests/stress/regexp-vflag-property-of-strings.js
    M Source/JavaScriptCore/yarr/YarrPattern.cpp

  Log Message:
  -----------
  Revert "Cherry-pick b5b70c4574a7. rdar://115117991"

This reverts commit e6679e96603c14bf1d15d7049791f5fff9e9f235.

Identifier: 259548.938 at safari-7615.3.12.110-branch


  Commit: dcc13173274a45c4570463c15febfeadabb10ad9
      https://github.com/WebKit/WebKit/commit/dcc13173274a45c4570463c15febfeadabb10ad9
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-09-21 (Thu, 21 Sep 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  Unreviewed build fix. rdar://115118584.

Identifier: 259548.939 at safari-7615.3.12.110-branch


  Commit: f5cdbf27a712da3f4e6a192bc5d6de90cab8d6a3
      https://github.com/WebKit/WebKit/commit/f5cdbf27a712da3f4e6a192bc5d6de90cab8d6a3
  Author: Tommy McHugh <thomas_mchugh at apple.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M LayoutTests/accessibility-isolated-tree/TestExpectations
    A LayoutTests/accessibility/aria-labelledby-on-password-input-expected.txt
    A LayoutTests/accessibility/aria-labelledby-on-password-input.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/accessibility/AccessibilityNodeObject.cpp

  Log Message:
  -----------
  Cherry-pick 3b6d017ba868. rdar://112151034

    AX: Don't include password input value in aria-labelledby description
    https://bugs.webkit.org/show_bug.cgi?id=248717
    rdar://problem/102815043

    Reviewed by Tyler Wilcock.

    accessibleNameForNode is erroneously returning the raw password input value when
    an element has an aria-labelledby attribute to an input element with a password type.
    This patch fixes that by checking HTMLInputElement::isPasswordField before returning
    the input's value and when there is a password field returning a masked value matching
    the length of the true value.

    * LayoutTests/accessibility-isolated-tree/TestExpectations:
    * LayoutTests/accessibility/aria-labelledby-on-password-input-expected.txt: Added.
    * LayoutTests/accessibility/aria-labelledby-on-password-input.html: Added.
    * LayoutTests/platform/glib/TestExpectations:
    * Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
    (WebCore::accessibleNameForNode):

    Canonical link: https://commits.webkit.org/262433@main

Identifier: 259548.940 at safari-7615.3.12.110-branch


  Commit: a157cdadd583606960fc6c967718d8118e3b75e7
      https://github.com/WebKit/WebKit/commit/a157cdadd583606960fc6c967718d8118e3b75e7
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-10-04 (Wed, 04 Oct 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.12.110.2

Canonical link: https://commits.webkit.org/259548.941@safari-7615.3.12.110-branch


  Commit: fa74de80a6ace9cefdc975851bd12480850beab1
      https://github.com/WebKit/WebKit/commit/fa74de80a6ace9cefdc975851bd12480850beab1
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-10-04 (Wed, 04 Oct 2023)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/onyx_if.c

  Log Message:
  -----------
  Cherry-pick c453beba71d4. rdar://116481519

    Cherry-pick 2213bac36f8b. rdar://116233358

        Cherry-pick https://chromium.googlesource.com/webm/libvpx.git/+/51057f4ba894e13f9bba278905bacf6aaaecd992
        https://bugs.webkit.org/show_bug.cgi?id=262365
        rdar://116233358

        Reviewed by Mark Lam.

        * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/onyx_if.c:
        (vp8_change_config):

        Canonical link: https://commits.webkit.org/267815.127@safari-7617-branch

    Canonical link: https://commits.webkit.org/265870.337@safari-7616.1.27.10-branch


Compare: https://github.com/WebKit/WebKit/compare/9f8622da9762%5E...fa74de80a6ac


More information about the webkit-changes mailing list