[webkit-changes] [WebKit/WebKit] 374e38: Versioning.
MyahCobbs
noreply at github.com
Wed Oct 25 14:38:06 PDT 2023
Branch: refs/heads/safari-7615.4.1.10-branch
Home: https://github.com/WebKit/WebKit
Commit: 374e384b5e839c20f12afe854e12ac175dcb0119
https://github.com/WebKit/WebKit/commit/374e384b5e839c20f12afe854e12ac175dcb0119
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
Commit: aad636ead9d4d21b796c61a955490019757768d1
https://github.com/WebKit/WebKit/commit/aad636ead9d4d21b796c61a955490019757768d1
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 58238f2ad1a0. rdar://116494411
CloneDeserializer should always purifyNaN all double values it reads.
https://bugs.webkit.org/show_bug.cgi?id=261801
rdar://115756664
Reviewed by Yusuke Suzuki.
CloneDeserializer::read() will now invoke purifyNaN() on any double values that it reads.
As a result, we can remove the 2 purifyNaN calls in its client that are now redundant.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::read):
(WebCore::CloneDeserializer::readTerminal):
Canonical link: https://commits.webkit.org/265870.574@safari-7616-branch
Identifier: 259548.944 at safari-7615.4.1.10-branch
Commit: 8379fec23d6bc1a20c5f8bb2cea337eb1a821305
https://github.com/WebKit/WebKit/commit/8379fec23d6bc1a20c5f8bb2cea337eb1a821305
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M Source/JavaScriptCore/heap/PreciseAllocation.cpp
M Source/JavaScriptCore/heap/PreciseAllocation.h
Log Message:
-----------
Cherry-pick 6ea412c32f09. rdar://117030110
Adjust PreciseAllocation alignment offset to also factor in cache line alignment requirements.
https://bugs.webkit.org/show_bug.cgi?id=262011
rdar://115959633
Reviewed by Keith Miller.
We should ensure that the JSObject header word and its butterfly are always in the same cache line.
See radar for details.
All JSObjects are either allocated out of a MarkedBlock or as a PreciseAllocation. All MarkedBlock
allocations are aligned on 16 byte boundaries (the MarkedBlock::atomSize). This means that it’s
impossible to get this condition with a MarkedBlock allocated object.
For PreciseAllocations, each allocation is preceded by a PreciseAllocation header (which is currently
96 bytes in size), and a 8 to 16 byte padding depending on what is need to get the resultant object
start address to start on an odd 8 byte boundary (i.e. but 3 is set). With PreciseAllocations,
depending on the size of the allocation and what memory slot the allocation comes from, there is a
way to get the JSObject header and butterfly to span across a cache line boundary.
This patch prevents this by dynamically adjusting the alignment padding at the start of the
PreciseAllocation to ensure that the start address of the JSObject always lands at a spot where the
header and butterfly does not span a cache line boundary.
* Source/JavaScriptCore/heap/PreciseAllocation.cpp:
(JSC::dataCacheLineSize):
(JSC::isAlignedForPreciseAllocation):
(JSC::isCacheAlignedForPreciseAllocation):
(JSC::PreciseAllocation::tryCreate):
(JSC::PreciseAllocation::tryReallocate):
(JSC::PreciseAllocation::tryCreateForLowerTier):
(JSC::PreciseAllocation::reuseForLowerTier):
(JSC::PreciseAllocation::PreciseAllocation):
* Source/JavaScriptCore/heap/PreciseAllocation.h:
(JSC::PreciseAllocation::headerSize):
(JSC::PreciseAllocation::basePointer const):
Canonical link: https://commits.webkit.org/267815.112@safari-7617-branch
Identifier: 259548.945 at safari-7615.4.1.10-branch
Commit: f907ab380a9a40efdd3354f8273ea10f230f115a
https://github.com/WebKit/WebKit/commit/f907ab380a9a40efdd3354f8273ea10f230f115a
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M Source/JavaScriptCore/runtime/ArrayBufferView.h
M Source/JavaScriptCore/runtime/DataView.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Log Message:
-----------
Cherry-pick ac9f4e07603c. rdar://117030239
[JSC] Add extra hardening about incorrectly configured shared growable typed array view
https://bugs.webkit.org/show_bug.cgi?id=262338
rdar://116168654
Reviewed by Mark Lam.
This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue.
This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized
data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined in the current process. Given that the attacker
is already getting a way to create arbitrary serialized data, probably this does not add much additionally, but just adding hardening for now
as an extra safety.
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifySubRangeLength):
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::wrappedAs):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
Canonical link: https://commits.webkit.org/267815.120@safari-7617-branch
Identifier: 259548.946 at safari-7615.4.1.10-branch
Commit: a1060619ebb29eabaee8eb6f2171accde3446c5a
https://github.com/WebKit/WebKit/commit/a1060619ebb29eabaee8eb6f2171accde3446c5a
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/resize_test.cc
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/common/vp9_alloccommon.c
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encoder.c
Log Message:
-----------
Cherry-pick 505f26eea3a5. rdar://116494487
VP9 additional changes related to CVE-2023-5217
rdar://116293231
Reviewed by Jean-Yves Avenard.
Cherry-picking patches that do hardening of VP9 encoder reconfiguration:
- 02ab555e992c191e5c509ed87b3cc48ed915b447
- 263682c9a29395055f3b3afe2d97be1828a6223f
I had to update CHECK_MEM_ERROR call site since we need to pass cm currently, while they do pass cm->error upstream.
While we do not think we are exercising this code path of reconfiguring while encoding,
it is future proof and low risk to cherry-pick these changes.
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/resize_test.cc:
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/common/vp9_alloccommon.c:
(free_seg_map):
(vp9_free_context_buffers):
(vp9_alloc_context_buffers):
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encoder.c:
(free_copy_partition_data):
(vp9_change_config):
Canonical link: https://commits.webkit.org/267815.170@safari-7617-branch
Identifier: 259548.947 at safari-7615.4.1.10-branch
Commit: f69c6bd749ddad4009785ce2bbc5c90c55103aff
https://github.com/WebKit/WebKit/commit/f69c6bd749ddad4009785ce2bbc5c90c55103aff
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M LayoutTests/fast/storage/serialized-script-value.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 401705903095. rdar://117030146
An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413
Reviewed by Keith Miller, Sihui Liu and Chris Dumez.
CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of
the indexed property section of an Array. However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD,
which is less than MAX_ARRAY_INDEX (0xFFFFFFFE) i.e. an index of 0xFFFFFFFD can be confused for the
NonIndexPropertiesTag, resulting type confusion.
This patch changes the structure of a serialized Array to always terminate its indexed property section
with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another
TerminatorTag. The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the
presence of a non-indexed properties section. The presense of a TerminatorTag immediately after the
1st TerminatorTag indicates that the non-indexed properties section is empty.
Also updated the comment describing the shape of a serialized Array, and rebased a test.
* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):
Canonical link: https://commits.webkit.org/267815.202@safari-7617-branch
Identifier: 259548.948 at safari-7615.4.1.10-branch
Commit: 330329f9efcacc89b01fc14e843ee96a471da5bf
https://github.com/WebKit/WebKit/commit/330329f9efcacc89b01fc14e843ee96a471da5bf
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt
A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html
M Source/WebCore/html/HTMLPlugInImageElement.cpp
Log Message:
-----------
Cherry-pick c34793cc5793. rdar://117030934
Assertion hit under Document::dispatchPagehideEvent()
https://bugs.webkit.org/show_bug.cgi?id=263204
rdar://116715579
Reviewed by Ryosuke Niwa.
Delay the load if we're not allowed to run script right now. Scheduling a load will
cancel / stop any pending load, which may cause events to be fired and script to run.
The synchronous code path is kept when we're allowed to run script to avoid breaking
tests such as:
- imported/w3c/web-platform-tests/css/css-writing-modes/abs-pos-non-replaced-icb-vlr-*.xht
- imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/sandbox_004.htm
- imported/blink/svg/dom/viewspec-*.html
- fast/css/acid2.html
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt: Added.
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):
Canonical link: https://commits.webkit.org/267815.354@safari-7617-branch
Identifier: 259548.949 at safari-7615.4.1.10-branch
Compare: https://github.com/WebKit/WebKit/compare/374e384b5e83%5E...330329f9efca
More information about the webkit-changes
mailing list