[webkit-changes] [WebKit/WebKit] 467a48: [WebAuthn] Ensure conditional mediation paused whe...
Tyler Wilcock
noreply at github.com
Sat Aug 3 02:54:46 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 467a48b3e198a8ee382fb052d54c6992e9d1cfb7
https://github.com/WebKit/WebKit/commit/467a48b3e198a8ee382fb052d54c6992e9d1cfb7
Author: Pascoe <pascoe at apple.com>
Date: 2024-08-03 (Sat, 03 Aug 2024)
Changed paths:
M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm
Log Message:
-----------
[WebAuthn] Ensure conditional mediation paused when another page is focused
https://bugs.webkit.org/show_bug.cgi?id=274998
rdar://128955691
Reviewed by Brent Fulgham.
In the situation where a page gets unpaused, the activeConditionalMediationProxy does not
get set. This later causes that page to fail to pause, which can cause an unrelated page
to have conditional mediation while the page that started it is not focused.
* Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
(WebKit::WebAuthenticatorCoordinatorProxy::pauseConditionalAssertion):
(WebKit::WebAuthenticatorCoordinatorProxy::unpauseConditionalAssertion):
(WebKit::WebAuthenticatorCoordinatorProxy::makeActiveConditionalAssertion):
Originally-landed-as: 272448.1062 at safari-7618-branch (2e232301da1e). rdar://132956983
Canonical link: https://commits.webkit.org/281798@main
Commit: ff621791b629fa47447f8ce9264d54544486547a
https://github.com/WebKit/WebKit/commit/ff621791b629fa47447f8ce9264d54544486547a
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2024-08-03 (Sat, 03 Aug 2024)
Changed paths:
A LayoutTests/fast/css/font-size-adjust-from-style-invalid-value-expected.txt
A LayoutTests/fast/css/font-size-adjust-from-style-invalid-value.html
M Source/WebCore/css/ComputedStyleExtractor.cpp
Log Message:
-----------
WebCore::fontSizeAdjustFromStyle; WebCore::ComputedStyleExtractor::valueForPropertyInStyle; WebCore::ComputedStyleExtractor::propertyValue
https://bugs.webkit.org/show_bug.cgi?id=272821
rdar://126112927
Reviewed by Sihui Liu and Darin Adler.
Crash happens in fontSizeAdjustFromStyle API due to invalid 'value' (float:NaN).
Added check to validate the 'value'.
* LayoutTests/fast/css/font-size-adjust-from-style-invalid-value-expected.txt: Added.
* LayoutTests/fast/css/font-size-adjust-from-style-invalid-value.html: Added.
* Source/WebCore/css/ComputedStyleExtractor.cpp:
(WebCore::fontSizeAdjustFromStyle):
Originally-landed-as: 272448.951 at safari-7618-branch (5e92cb84fde1). rdar://132957136
Canonical link: https://commits.webkit.org/281799@main
Commit: e73dfba967ee3b8d87afc74425a343cac523845b
https://github.com/WebKit/WebKit/commit/e73dfba967ee3b8d87afc74425a343cac523845b
Author: Jer Noble <jer.noble at apple.com>
Date: 2024-08-03 (Sat, 03 Aug 2024)
Changed paths:
M Source/WebCore/platform/audio/PlatformMediaSessionManager.cpp
M Source/WebCore/platform/audio/PlatformMediaSessionManager.h
M Source/WebCore/platform/audio/cocoa/MediaSessionManagerCocoa.mm
Log Message:
-----------
Add support for CancellableTasks to PlatformMediaSessionManager
https://bugs.webkit.org/show_bug.cgi?id=275117
rdar://127612016
Reviewed by Andy Estes.
Pass a CancellableTask into callOnMainThread() rather than a raw Function,
to allow the task to be cancelled before executing.
* Source/WebCore/platform/audio/PlatformMediaSessionManager.cpp:
(WebCore::PlatformMediaSessionManager::~PlatformMediaSessionManager):
(WebCore::PlatformMediaSessionManager::sessionCanProduceAudioChanged):
(WebCore::PlatformMediaSessionManager::scheduleUpdateSessionState):
(WebCore::PlatformMediaSessionManager::enqueueTaskOnMainThread):
* Source/WebCore/platform/audio/PlatformMediaSessionManager.h:
* Source/WebCore/platform/audio/cocoa/MediaSessionManagerCocoa.mm:
(WebCore::MediaSessionManagerCocoa::scheduleSessionStatusUpdate):
(WebCore::MediaSessionManagerCocoa::sessionWillEndPlayback):
Originally-landed-as: 272448.1079 at safari-7618-branch (2131bc756e54). rdar://132957816
Canonical link: https://commits.webkit.org/281800@main
Commit: 472726cd0306b8e15efddf187463cb78a4d8a272
https://github.com/WebKit/WebKit/commit/472726cd0306b8e15efddf187463cb78a4d8a272
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-08-03 (Sat, 03 Aug 2024)
Changed paths:
M Source/WTF/wtf/Deque.h
M Source/WebKit/Platform/IPC/Connection.cpp
Log Message:
-----------
Sync IPC messages may get processed out of order with async messages sent with the DispatchMessageEvenWhenWaitingForSyncReply option
https://bugs.webkit.org/show_bug.cgi?id=274597
rdar://127810844
Reviewed by Geoffrey Garen and Ryosuke Niwa.
When doing a sendSync() call, the caller waits until the remote process responds to the sync IPC.
When receiving this sync IPC, the remote process may itself decide to send sync IPC back (or async
IPC with the DispatchMessageEvenWhenWaitingForSyncReply option) to the other process, *before*
responding to the sync IPC. In such cases, one would expect those intermediate IPC to be processed
*before* the reply to the sync message, to maintain ordering. Unfortunately, our IPC logic was racy
and it was possible that the order wasn't maintained in such cases. This could lead to logic bugs,
which sometimes translate into security bugs.
In particular, this impacted the following scenario, as proven in the radar:
1. The WebProcess sends a `WebPageProxy::ExecuteUndoRedo` sync IPC to the UIProcess
2. The UIProcess receives the `WebPageProxy::ExecuteUndoRedo` IPC
3. The UIProcess sends a `WebPage::UnapplyEditCommand` / `WebPage::ReapplyEditCommand` async
IPC to the WebProcess with the DispatchMessageEvenWhenWaitingForSyncReply option.
4. The UIProcess calls the completion handler for the `WebPageProxy::ExecuteUndoRedo` sync IPC,
thus finally responding to the WebProcess.
5. The WebProcess processes the `WebPage::UnapplyEditCommand` / `WebPage::ReapplyEditCommand` IPC
6. The WebProcess processes the reply to its `WebPageProxy::ExecuteUndoRedo` sync IPC and returns
from its `sendSync()` call.
This is what normally happens. However, due to a race in our logic for handling sync IPC responses,
steps 5 & 6 would sometimes be swapped, leading to crashes.
The race was due to the logic in Connection::waitForSyncReply(), which runs on the main thread.
We would do the following:
1. Call `m_syncState->dispatchMessages()` to dispatch sync messages and async messages sent with
the DispatchMessageEvenWhenWaitingForSyncReply option
2. Check if we received a response to our sync IPC, return it if we do
3. Go back to step 1
This code is racy because messages are processed on the IPC receive queue and this code runs on the
main thread. This means that in between step 1 and step 2, we could receive messages that should
have been processed *before* processing the sync IPC reply.
To address the issue, whenever we receive a sync IPC reply on the IPC receive queue, we save (with
the reply) the identifiers of the IPC messages that were received *before* the sync reply and that
should be processed before to maintain ordering. When we process the sync reply later on, on the main
thread, we make sure to dispatch these messages *before* we return the sync reply.
This patch also fixes a bug in SyncMessageState::dispatchMessages() that could cause ordering issues.
The code wanted to merge 2 Deque containers and kept calling takeLast() on the second container
instead of takeFirst(). This was essentially reversing the order of messages in the second Deque.
* Source/WebKit/Platform/IPC/Connection.cpp:
(IPC::Connection::SyncMessageState::dispatchMessages):
(IPC::Connection::SyncMessageState::identifiersOfMessagesToDispatchWhileWaitingForSyncReply):
(IPC::Connection::waitForSyncReply):
(IPC::Connection::processIncomingSyncReply):
Originally-landed-as: 272448.1041 at safari-7618-branch (047893baba32). rdar://132957900
Canonical link: https://commits.webkit.org/281801@main
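An added illustration of the ordering fix the commit message above describes; this is constructed model code, not WebKit's Connection implementation, and the names Message, SyncReply, Connection, receiveAsync, receiveSyncReply, waitForSyncReply and mergeInOrder are assumed for illustration. The sync reply snapshots the identifiers of messages that arrived before it, and the main-thread side dispatches exactly those before handing the reply back; mergeInOrder shows the front-first drain that replaces the reversed takeLast() merge.

```cpp
#include <deque>
#include <optional>
#include <string>
#include <vector>
// Constructed model of the ordering fix, not WebKit's Connection code; the names
// Message, SyncReply, Connection and mergeInOrder are assumed for illustration.
struct Message { unsigned id; std::string name; };
struct SyncReply { std::string payload; std::vector<unsigned> dispatchFirst; };

// Merge two FIFO queues keeping arrival order; draining the second with takeLast()
// (the bug described above) would reverse it, so it is taken from the front here.
std::deque<Message> mergeInOrder(std::deque<Message> first, std::deque<Message> second) {
    while (!second.empty()) {
        first.push_back(std::move(second.front()));
        second.pop_front();
    }
    return first;
}
class Connection {
public:
    // Receive-queue side: queue an async message that carries DispatchMessageEvenWhenWaitingForSyncReply.
    void receiveAsync(unsigned id, std::string name) { m_pending.push_back({id, std::move(name)}); }
    // Receive-queue side: the sync reply records the ids of everything queued before it.
    void receiveSyncReply(std::string payload) {
        SyncReply reply{std::move(payload), {}};
        for (const auto& m : m_pending)
            reply.dispatchFirst.push_back(m.id);
        m_reply = std::move(reply);
    }
    // Main-thread side: dispatch the recorded messages in order before returning the reply; later arrivals stay queued.
    std::optional<std::string> waitForSyncReply() {
        if (!m_reply) return std::nullopt;
        for (unsigned id : m_reply->dispatchFirst) {
            for (auto it = m_pending.begin(); it != m_pending.end(); ++it) {
                if (it->id != id) continue;
                dispatched.push_back(it->name);
                m_pending.erase(it);
                break;
            }
        }
        std::string payload = std::move(m_reply->payload);
        m_reply.reset();
        return payload;
    }
    std::vector<std::string> dispatched; // names in dispatch order
    bool hasPending() const { return !m_pending.empty(); }
private:
    std::deque<Message> m_pending;
    std::optional<SyncReply> m_reply;
};
```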
Commit: 6e72e0b7776655d2f98d62318ba18d959b9f6a0d
https://github.com/WebKit/WebKit/commit/6e72e0b7776655d2f98d62318ba18d959b9f6a0d
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2024-08-03 (Sat, 03 Aug 2024)
Changed paths:
M Source/WebCore/accessibility/AccessibilityObject.cpp
M Source/WebCore/accessibility/AccessibilityObject.h
M Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm
M Source/WebCore/accessibility/ios/AccessibilityObjectIOS.mm
M Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
M Source/WebCore/accessibility/mac/AccessibilityObjectMac.mm
M Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h
Log Message:
-----------
In AXIsolatedTree::resolveAppends(), m_unresolvedPendingAppends can be added to while being iterated, potentially causing memory safety issues
rdar://127694319
Reviewed by Andres Gonzalez.
Avoid this using std::exchange to put the HashMap on the stack before iterating over it. Anything subsequently added
to m_unresolvedPendingAppends will be processed in the next go-around of resolveAppends().
This patch also fixes several nullptr crashes found by ASAN in various tests.
* Source/WebCore/accessibility/AccessibilityObject.cpp:
(WebCore::AccessibilityObject::anchorElementForNode):
* Source/WebCore/accessibility/AccessibilityObject.h:
* Source/WebCore/accessibility/cocoa/AccessibilityObjectCocoa.mm:
(WebCore::AccessibilityObject::contentForRange const):
* Source/WebCore/accessibility/ios/AccessibilityObjectIOS.mm:
(WebCore::attributedStringCreate):
* Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:
(WebCore::AXIsolatedTree::resolveAppends):
* Source/WebCore/accessibility/mac/AccessibilityObjectMac.mm:
(WebCore::attributedStringSetHeadingLevel):
(WebCore::attributedStringSetBlockquoteLevel):
(WebCore::attributedStringSetExpandedText):
(WebCore::shouldHaveAnySpellCheckAttribute):
(WebCore::attributedStringCreate):
* Source/WebCore/accessibility/mac/WebAccessibilityObjectWrapperBase.h:
Originally-landed-as: 272448.996 at safari-7618-branch (50eaa40540f2). rdar://132958115
Canonical link: https://commits.webkit.org/281802@main
Compare: https://github.com/WebKit/WebKit/compare/5c53ed9959e4...6e72e0b77766