[webkit-changes] [WebKit/WebKit] d9acfd: [CSSOM] Fix insertion of rule inside non nested st...

Fri Aug 2 21:23:01 PDT 2024

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d9acfd1b770df4d87991f92cbd2dcf9526cb0d9c
      https://github.com/WebKit/WebKit/commit/d9acfd1b770df4d87991f92cbd2dcf9526cb0d9c
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    A LayoutTests/fast/css/cssom-insertrule-crash-expected.html
    A LayoutTests/fast/css/cssom-insertrule-crash.html
    M Source/WebCore/css/CSSGroupingRule.cpp
    M Source/WebCore/css/CSSStyleRule.cpp
    M Source/WebCore/css/CSSStyleSheet.cpp
    M Source/WebCore/css/CSSStyleSheet.h
    M Source/WebCore/css/StyleSheetContents.cpp
    M Source/WebCore/css/StyleSheetContents.h
    M Source/WebCore/css/parser/CSSParserImpl.cpp

  Log Message:
  -----------
  [CSSOM] Fix insertion of rule inside non nested style rule
https://bugs.webkit.org/show_bug.cgi?id=275129
rdar://126112807

Reviewed by Antti Koivisto.

The CSS parser should not change the "hasNestingRules" status
of a stylesheet (which makes the CoW mechanism fails and a bunch of other issues).

This patch changes when the CoW will copy the rules to allow mutation
and makes the cache mechanism internal to StyleSheetContent class.

* LayoutTests/fast/css/cssom-insertrule-crash-expected.html: Added.
* LayoutTests/fast/css/cssom-insertrule-crash.html: Added.
* Source/WebCore/css/CSSGroupingRule.cpp:
(WebCore::CSSGroupingRule::prepareChildStyleRuleForNesting):
* Source/WebCore/css/CSSStyleRule.cpp:
(WebCore::CSSStyleRule::insertRule):
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::prepareChildStyleRuleForNesting):
* Source/WebCore/css/CSSStyleSheet.h:
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::StyleSheetContents):
(WebCore::StyleSheetContents::isCacheable const):
(WebCore::StyleSheetContents::hasNestingRules):
* Source/WebCore/css/StyleSheetContents.h:
* Source/WebCore/css/parser/CSSParserImpl.cpp:
(WebCore::CSSParserImpl::consumeNestedGroupRules):
(WebCore::CSSParserImpl::consumeStyleRule):

Originally-landed-as: 272448.1086 at safari-7618-branch (d3f4fe14288c). rdar://132959061
Canonical link: https://commits.webkit.org/281785@main

  Commit: d9047878322f6a875050f942e56cc38c5f82088a
      https://github.com/WebKit/WebKit/commit/d9047878322f6a875050f942e56cc38c5f82088a
  Author: Erica Li <lerica at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    A LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash-expected.txt
    A LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash.html
    M Source/WebCore/dom/Element.cpp

  Log Message:
  -----------
  ASAN_ILL | WebCore::RenderMeter::~RenderMeter;
https://bugs.webkit.org/show_bug.cgi?id=275944
rdar://126113504

Reviewed by Alan Baradlay.

The test case produces a crash case where the checkedPtr renderer within Element::scrollIntoView
will be destroryed, even we called updateLayoutIgnorePendingStylesheets right before it.
During LocalFrameView::scrollRectToVisible, layout is triggered because:
    1. pre-layout: willDoLayout() -> adjustScrollbarsForLayout() turns the vertical scrollbar to be on
    2. during/after layout the scrollbar is updated ONLY when content size has changed: LocalFrameView::setContentsSize
    3. when content size is unchanged the vertical scrollbar remains on,
    4. LocalFrameView::scrollRectToVisible -> updateScrollbars checked the scrollbar has changed,
       decided to trigger layout with updateContentsSize().
The fix is to make renderer as WeakPtr instead of CheckedPtr.

This patch also fixes build failuer for CHECKED_POINTER_DEBUG in SU branch.

* LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::listBoxElementScrollIntoView):
(WebCore::Element::scrollIntoView):
* Source/WebCore/dom/TreeScope.cpp:
(WebCore::TreeScope::registerCheckedPtr const): Deleted.
(WebCore::TreeScope::copyCheckedPtr const): Deleted.
(WebCore::TreeScope::moveCheckedPtr const): Deleted.
(WebCore::TreeScope::unregisterCheckedPtr const): Deleted.

Originally-landed-as: 272448.1097 at safari-7618.3.11.10-branch (a7082f8505ae). rdar://132944916
Canonical link: https://commits.webkit.org/281786@main

  Commit: eeccf9681be2753e654655d799635ca94f48845a
      https://github.com/WebKit/WebKit/commit/eeccf9681be2753e654655d799635ca94f48845a
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    A LayoutTests/fast/css/grid-template-rule-no-crash-expected.txt
    A LayoutTests/fast/css/grid-template-rule-no-crash.html
    M Source/WebCore/css/ShorthandSerializer.cpp

  Log Message:
  -----------
  Bad downcast in ShorthandSerializer::serializeGridTemplate
https://bugs.webkit.org/show_bug.cgi?id=275863
rdar://121949510

Reviewed by Brent Fulgham and Tim Nguyen.

When attempting to parse the more complex version of the grid-template syntax,
the ShorthandSerializer assumes that the value for the grid-template-rows longhand
will be a CSSValueList. This may not be true as demonstrated in the testcase which
ends up returning a CSSSubgridValue for the longhand value.

Instead of just blindly downcasting, let's replace the erroneous
isLonghandValueNone(rowsIndex) with !rowTrackSizes->isValueList() to make sure we return
a null string if the value of grid-template-rows is not a CSSValueList and as a result
cannot be expressed in the shorthand, which is similar to what we do for the
grid-template-columns case. Also rephrase the comment to just say this instead of the
lengthy and confusing description.

* LayoutTests/fast/css/grid-template-rule-no-crash-expected.txt: Added.
* LayoutTests/fast/css/grid-template-rule-no-crash.html: Added.
* Source/WebCore/css/ShorthandSerializer.cpp:
(WebCore::ShorthandSerializer::serializeGridTemplate const):

Originally-landed-as: 272448.1096 at safari-7618-branch (32cdb1b7a376). rdar://132953407
Canonical link: https://commits.webkit.org/281787@main

  Commit: 0fb943e26c18e22794acd8d70df013944f50b9dd
      https://github.com/WebKit/WebKit/commit/0fb943e26c18e22794acd8d70df013944f50b9dd
  Author: Matthew Finkel <m_finkel at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    A LayoutTests/http/tests/local/blob/resolve-response-with-custom-then-expected.txt
    A LayoutTests/http/tests/local/blob/resolve-response-with-custom-then.html
    M Source/WebCore/Modules/fetch/FetchBodyOwner.cpp
    M Source/WebCore/Modules/fetch/FetchBodyOwner.h

  Log Message:
  -----------
  Extend the lifetime of the Fetch body owner
https://bugs.webkit.org/show_bug.cgi?id=275122
rdar://128250783

Reviewed by Youenn Fablet and Simon Fraser.

This patch extends the lifetime of the FetchBodyOwner while we resolve the
body. In some cases, the body can be prematurely freed if its only reference
is held by a JavaScript object.

* LayoutTests/http/tests/local/blob/resolve-response-with-custom-then-expected.txt: Added.
* LayoutTests/http/tests/local/blob/resolve-response-with-custom-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyOwner.cpp:
(WebCore::FetchBodyOwner::blobLoadingSucceeded):
(WebCore::FetchBodyOwner::BlobLoader::didSucceed):
* Source/WebCore/Modules/fetch/FetchBodyOwner.h:

Originally-landed-as: 272448.1095 at safari-7618-branch (2ba62228e7b8). rdar://132954026
Canonical link: https://commits.webkit.org/281788@main

  Commit: 0b2843995193ff7b5bab822c5456a69de24a326c
      https://github.com/WebKit/WebKit/commit/0b2843995193ff7b5bab822c5456a69de24a326c
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2024-08-02 (Fri, 02 Aug 2024)

  Changed paths:
    A LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
    A LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
    M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp

  Log Message:
  -----------
  Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
https://bugs.webkit.org/show_bug.cgi?id=275273
rdar://125617842

Reviewed by Eric Carlson.

* LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt: Added.
* LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html: Added.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):

Originally-landed-as: 272448.1080 at safari-7618-branch (64c9479d6f29). rdar://132954227
Canonical link: https://commits.webkit.org/281789@main

Compare: https://github.com/WebKit/WebKit/compare/adfe4b971f3b...0b2843995193

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications