[webkit-changes] [WebKit/WebKit] 8600f7: Versioning.
youennf
noreply at github.com
Wed Dec 11 11:11:06 PST 2024
Branch: refs/heads/safari-7620.1.16.10-branch
Home: https://github.com/WebKit/WebKit
Commit: 8600f7e4a76088995b4272dcf08ea34c1c8ea7e9
https://github.com/WebKit/WebKit/commit/8600f7e4a76088995b4272dcf08ea34c1c8ea7e9
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.1
Canonical link: https://commits.webkit.org/283286.442@safari-7620.1.16.10-branch
Commit: d6b783be87f255d38b8db17767fd22263b5e0229
https://github.com/WebKit/WebKit/commit/d6b783be87f255d38b8db17767fd22263b5e0229
Author: Kiet Ho <kiet.ho at apple.com>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
A LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
A LayoutTests/fast/dom/view-transition-lifetime-crash.html
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
M Source/WebCore/dom/VisibilityChangeClient.h
Log Message:
-----------
Cherry-pick c8d323b1851e. rdar://138799302
REGRESSION (283084 at main): Document::visibilityStateChanged does not hold reference to callback clients
rdar://138799302
https://bugs.webkit.org/show_bug.cgi?id=282360
Reviewed by Tim Nguyen, Ryosuke Niwa, and Chris Dumez.
Document::visibilityStateChanged() invokes visibility state callback clients, but does not
hold a reference to them before invoking. The client could then accidentally free itself
and cause an UAF. One possible route that leads to an UAF is through ViewTransition,
which the test case demonstrates:
* The ViewTransition C++ objects are allocated by document.startViewTransition().
After the call, each object has a ref count of at least 2 (one in the JS wrapper
that wraps the C++ object, one in Document::m_activeViewTransition)
* The GC is invoked, which releases the JS wrappers and decreases the ref count to 1
* The document visibility state is changed. This invokes ViewTransition::visibilityStateChanged
on each object, which calls ::skipViewTransition, which calls ::clearViewTransition.
::clearViewTransition sets Document::m_activeViewTransition to null, so the object ref
count is 0 and it's deallocated. ::clearViewTransition then continues to modify the
(already deallocated) object, leading to an UAF.
Fix this by holding a reference to the callback clients before invoking it. This involves
making VisibilityChangeClient ref counted. Then Document::visibilityStateChanged()
would hold a reference to the client before invoking it. As WakeLockManager
(which inherits VisibilityChangeClient) wasn't ref counted, this patch also makes it
ref counted.
It's also observed that the JS wrapper should not be deallocated by the GC before the
view transition has completed. This commit fixes this by implementing
ViewTransition::virtualHasPendingActivity(), which the GC consults to determine whether
to deallocate the wrapper or not.
* LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt: Added.
* LayoutTests/fast/dom/view-transition-lifetime-crash.html: Added.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp:
(WebCore::WakeLockManager::ref const): Delegated ref() to the document.
(WebCore::WakeLockManager::deref const): Delegated deref() to the document.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h: Made WakeLockManager ref counted by declaring ref() and deref().
* Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp:
(WebCore::WakeLockSentinel::release): Hold a reference to the document's WakeLockManager before using it.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::visibilityStateChanged): Hold a reference to the visibility state callback client before calling it.
(WebCore::Document::wakeLockManager): Used makeUniqueWithoutRefCountedCheck to create new WakeLockManager.
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::virtualHasPendingActivity const): Added implementation.
* Source/WebCore/dom/ViewTransition.h:
* Source/WebCore/dom/VisibilityChangeClient.h: Made VisibilityChangeClient ref counted.
Canonical link: https://commits.webkit.org/286136@main
Commit: 95592e593a068e068e9b186ebb26980ceb429ec5
https://github.com/WebKit/WebKit/commit/95592e593a068e068e9b186ebb26980ceb429ec5
Author: Dan Hecht <dan.hecht at apple.com>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
M Source/JavaScriptCore/wasm/WasmModuleInformation.h
M Source/JavaScriptCore/wasm/WasmParser.h
M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
M Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h
Log Message:
-----------
Cherry-pick 3ec2959867b0. rdar://139266352
[JSC] Fix ref-counting issues with Wasm GC types
https://bugs.webkit.org/show_bug.cgi?id=282576
rdar://139244985
Reviewed by Yusuke Suzuki.
While parsing the wasm type section there are windows where
reference counts to a Wasm GC TypeDefinitions are not held
by the parser. During these windows, a
TypeInformation::tryCleanup() could free these
types out from under the parser. Close these windows.
Also add asserts to help verify and document.
The windows were:
1. parseRecursionGroup() needs to hold ref counts to each
element until it constructs the recursion group, which
takes ownership.
2. parseRecursionGroup() needs to create its projections
and hold references while they are being linked together.
3. While replacing placeholders, we need to be careful to
continue holding a ref count until the unrolling cache
takes ownership.
Also, RTT::tryCreateRTT() was missing an adoptRef which
I think would cause these to leak.
After parsing, everything is owned by the parser's
WasmModuleInformation either directly, indirectly through
the TypeDefinition tree of (manually kept) ref counts, or
indirectly via the TypeInformation caches (which tie the
lifetime of the value to the key).
In addition to the added asserts, I also ran the
javascriptcore test with more instrumentation added
to TypeDefinition::deref() to help ensure references are no
longer dropped at the wrong times.
* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
* Source/JavaScriptCore/wasm/WasmParser.h:
(JSC::Wasm::ParserBase::parseValueType):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseRecursionGroup):
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeDefinition::substitute):
(JSC::Wasm::substituteParent):
(JSC::Wasm::TypeDefinition::replacePlaceholders const):
(JSC::Wasm::TypeDefinition::unroll const):
(JSC::Wasm::RTT::tryCreateRTT):
(JSC::Wasm::TypeInformation::addCachedUnrolling):
(JSC::Wasm::TypeInformation::tryCleanup):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::TypeDefinition::unownedIndex const):
(JSC::Wasm::TypeDefinition::index const): Deleted.
* Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h:
(JSC::Wasm::TypeDefinition::index const):
(JSC::Wasm::TypeInformation::get):
Canonical link: https://commits.webkit.org/286140@main
Commit: 878d9bc480d4bfeede2476471c5bb7bb7743366f
https://github.com/WebKit/WebKit/commit/878d9bc480d4bfeede2476471c5bb7bb7743366f
Author: Daniel Liu <danlliu at umich.edu>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
A JSTests/stress/string-add-conversion-unused.js
M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
Log Message:
-----------
Cherry-pick 299278ffc3f1. rdar://139373680
DFG ToString should only care about Other uses when it can be Other
https://bugs.webkit.org/show_bug.cgi?id=282661
rdar://138325184
Reviewed by Yusuke Suzuki.
DFG's ToString should only backpropagate a UseAsOther when the use
has the potential to be Other. Otherwise, we end up with a mismatch
in expected value formats.
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
Canonical link: https://commits.webkit.org/283286.438@safari-7620-branch
Commit: 60ee026bd2fe1a9d1749ab5c11499c1d15eefd68
https://github.com/WebKit/WebKit/commit/60ee026bd2fe1a9d1749ab5c11499c1d15eefd68
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
M Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp
M Source/WebKit/UIProcess/Downloads/DownloadProxy.h
M Source/WebKit/UIProcess/Downloads/DownloadProxyMap.cpp
M Source/WebKit/UIProcess/Downloads/DownloadProxyMap.h
M Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp
Log Message:
-----------
Cherry-pick 786ff813716f. rdar://138845738
Cherry-pick 9f69376c782b. rdar://138845738
Cherry-pick 286182 at main (9f69376c782b). rdar://138845738
Crash under DownloadProxy::~DownloadProxy()
https://bugs.webkit.org/show_bug.cgi?id=282611
rdar://138845738
Reviewed by Geoffrey Garen.
DownloadProxy is ref-counted and thus can outlive its DownloadProxyMap.
As a result, DownloadProxy cannot hold a CheckedRef to its DownloadProxyMap.
Switching to a WeakPtr instead.
* Source/WebKit/UIProcess/Downloads/DownloadProxy.cpp:
(WebKit::DownloadProxy::cancel):
(WebKit::DownloadProxy::didFinish):
(WebKit::DownloadProxy::didFail):
* Source/WebKit/UIProcess/Downloads/DownloadProxy.h:
* Source/WebKit/UIProcess/Downloads/DownloadProxyMap.cpp:
(WebKit::DownloadProxyMap::ref const):
(WebKit::DownloadProxyMap::deref const):
* Source/WebKit/UIProcess/Downloads/DownloadProxyMap.h:
* Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::createDownloadProxy):
Canonical link: https://commits.webkit.org/286182@main
Commit: a2bbec32ef7378ee533a0d5aecaa2d7190e8a7e6
https://github.com/WebKit/WebKit/commit/a2bbec32ef7378ee533a0d5aecaa2d7190e8a7e6
Author: Timothy Hatcher <timothy at apple.com>
Date: 2024-11-06 (Wed, 06 Nov 2024)
Changed paths:
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebNavigationEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebRequestEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWindowsEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.h
M Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIAlarms.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebNavigation.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebRequest.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWindows.mm
Log Message:
-----------
Cherry-pick 0628c831bdfb. rdar://139395506
Crash under WebExtensionCallbackHandler::call() when removing event listener.
https://webkit.org/b/282723
rdar://139326901
Reviewed by Brian Weinstein.
Make a copy of the listeners vector before iterating over it.
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIEventCocoa.mm:
(WebKit::WebExtensionAPIEvent::invokeListeners):
(WebKit::WebExtensionAPIEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebNavigationEventCocoa.mm:
(WebKit::WebExtensionAPIWebNavigationEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebRequestEventCocoa.mm:
(WebKit::WebExtensionAPIWebRequestEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWindowsEventCocoa.mm:
(WebKit::WebExtensionAPIWindowsEvent::invokeListenersWithArgument):
* Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.h:
* Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.mm:
(toWebExtensionWebRequestResourceType): Drive-by rename.
(_WKWebExtensionWebRequestResourceTypeFromResourceLoadInfo): Deleted.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIAlarms.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIAlarms, RemoveListenerDuringEvent)): Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebNavigation.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIWebNavigation, RemoveListenerDuringEvent)): Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebRequest.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIWebRequest, RemoveListenerDuringEvent)): Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWindows.mm:
(TestWebKitAPI::TEST(WKWebExtensionAPIWindows, RemoveListenerDuringEvent)): Added.
Canonical link: https://commits.webkit.org/286260@main
Commit: 62a787ce9d804d9738991496c4296c12f8bf20e4
https://github.com/WebKit/WebKit/commit/62a787ce9d804d9738991496c4296c12f8bf20e4
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
R LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
R LayoutTests/fast/dom/view-transition-lifetime-crash.html
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
M Source/WebCore/dom/VisibilityChangeClient.h
Log Message:
-----------
Revert c8d323b1851e. rdar://138799302
This reverts commit d6b783be87f255d38b8db17767fd22263b5e0229.
Commit: 935acac6d7dceddbe413f137a5a4c21fc255e779
https://github.com/WebKit/WebKit/commit/935acac6d7dceddbe413f137a5a4c21fc255e779
Author: Kiet Ho <kiet.ho at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
A LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt
A LayoutTests/fast/dom/view-transition-lifetime-crash.html
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp
M Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h
M Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
M Source/WebCore/dom/VisibilityChangeClient.h
Log Message:
-----------
Cherry-pick 430e2dd31ad1. rdar://138799302
Cherry-pick c8d323b1851e. rdar://139301982
REGRESSION (283084 at main): Document::visibilityStateChanged does not hold reference to callback clients
rdar://138799302
https://bugs.webkit.org/show_bug.cgi?id=282360
Reviewed by Tim Nguyen, Ryosuke Niwa, and Chris Dumez.
Document::visibilityStateChanged() invokes visibility state callback clients, but does not
hold a reference to them before invoking. The client could then accidentally free itself
and cause an UAF. One possible route that leads to an UAF is through ViewTransition,
which the test case demonstrates:
* The ViewTransition C++ objects are allocated by document.startViewTransition().
After the call, each object has a ref count of at least 2 (one in the JS wrapper
that wraps the C++ object, one in Document::m_activeViewTransition)
* The GC is invoked, which releases the JS wrappers and decreases the ref count to 1
* The document visibility state is changed. This invokes ViewTransition::visibilityStateChanged
on each object, which calls ::skipViewTransition, which calls ::clearViewTransition.
::clearViewTransition sets Document::m_activeViewTransition to null, so the object ref
count is 0 and it's deallocated. ::clearViewTransition then continues to modify the
(already deallocated) object, leading to an UAF.
Fix this by holding a reference to the callback clients before invoking it. This involves
making VisibilityChangeClient ref counted. Then Document::visibilityStateChanged()
would hold a reference to the client before invoking it. As WakeLockManager
(which inherits VisibilityChangeClient) wasn't ref counted, this patch also makes it
ref counted.
It's also observed that the JS wrapper should not be deallocated by the GC before the
view transition has completed. This commit fixes this by implementing
ViewTransition::virtualHasPendingActivity(), which the GC consults to determine whether
to deallocate the wrapper or not.
* LayoutTests/fast/dom/view-transition-lifetime-crash-expected.txt: Added.
* LayoutTests/fast/dom/view-transition-lifetime-crash.html: Added.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.cpp:
(WebCore::WakeLockManager::ref const): Delegated ref() to the document.
(WebCore::WakeLockManager::deref const): Delegated deref() to the document.
* Source/WebCore/Modules/screen-wake-lock/WakeLockManager.h: Made WakeLockManager ref counted by declaring ref() and deref().
* Source/WebCore/Modules/screen-wake-lock/WakeLockSentinel.cpp:
(WebCore::WakeLockSentinel::release): Hold a reference to the document's WakeLockManager before using it.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::visibilityStateChanged): Hold a reference to the visibility state callback client before calling it.
(WebCore::Document::wakeLockManager): Used makeUniqueWithoutRefCountedCheck to create new WakeLockManager.
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::virtualHasPendingActivity const): Added implementation.
* Source/WebCore/dom/ViewTransition.h:
* Source/WebCore/dom/VisibilityChangeClient.h: Made VisibilityChangeClient ref counted.
Canonical link: https://commits.webkit.org/286136@main
Canonical link: https://commits.webkit.org/283286.444@safari-7620-branch
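Added example, not part of the commit or of WebKit's source: a reduced C++ model of the lifetime bug described in the two log messages above (the original cherry-pick and its re-land) and of the fix of holding a reference across the callback. Client, Holder, Document, Trace and runScenario are hypothetical stand-ins; the model records whether the object died mid-callback instead of touching freed memory.

```cpp
// Added illustration, not WebKit source. Every type here is a simplified, hypothetical stand-in.
#include <algorithm>
#include <cstdio>
#include <vector>

// Outlives the client so the outcome can be read without touching freed memory.
struct Trace {
    bool destroyed = false;            // set by ~Client()
    bool freedDuringCallback = false;  // client was already destroyed while its callback still ran
};

class Document;

// Intrusively ref-counted callback client (the role ViewTransition plays in the log message).
class Client {
public:
    Client(Document& document, Trace& trace) : m_document(document), m_trace(trace) { }
    ~Client() { m_trace.destroyed = true; }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    void visibilityStateChanged();
private:
    unsigned m_refCount = 0;
    Document& m_document;
    Trace& m_trace;
};

// Minimal owning pointer: holds one reference for as long as it is alive.
class Holder {
public:
    Holder() = default;
    explicit Holder(Client* client) { reset(client); }
    Holder(const Holder&) = delete;
    Holder& operator=(const Holder&) = delete;
    ~Holder() { reset(nullptr); }
    void reset(Client* client) {
        if (client) client->ref();
        Client* old = m_ptr;
        m_ptr = client;
        if (old) old->deref();
    }
    Client* get() const { return m_ptr; }
private:
    Client* m_ptr = nullptr;
};

class Document {
public:
    // After this call the document owns the only reference, matching the step in the log
    // message where the GC has already released the JS wrapper.
    void start(Trace& trace) {
        Client* client = new Client(*this, trace);
        m_active.reset(client);
        m_clients.push_back(client);  // callback registry stores raw, non-owning pointers
    }
    void finish(Client* client) {
        m_clients.erase(std::remove(m_clients.begin(), m_clients.end(), client), m_clients.end());
        if (m_active.get() == client) m_active.reset(nullptr);  // may drop the last reference
    }
    void visibilityStateChanged(bool holdReference) {
        std::vector<Client*> clients = m_clients;  // callbacks unregister themselves via finish()
        for (Client* client : clients) {
            if (holdReference) {
                Holder protect(client);  // the fix: keep the client alive across the call
                client->visibilityStateChanged();
            } else {
                client->visibilityStateChanged();  // the bug: nothing keeps the client alive
            }
        }
    }
private:
    Holder m_active;
    std::vector<Client*> m_clients;
};

void Client::visibilityStateChanged() {
    Trace& trace = m_trace;  // bind before finish(): members are off limits once the object may be gone
    m_document.finish(this);
    // The code described in the log message kept modifying the object at this point. This model
    // only records whether the object still exists, so the unfixed path has no undefined behaviour.
    trace.freedDuringCallback = trace.destroyed;
}

// Runs one visibility change with or without the protecting reference and reports what happened.
Trace runScenario(bool holdReference) {
    Trace trace;
    Document document;
    document.start(trace);
    document.visibilityStateChanged(holdReference);
    return trace;
}

int main() {
    std::printf("unprotected: freed during callback = %d\n", runScenario(false).freedDuringCallback);
    std::printf("protected:   freed during callback = %d\n", runScenario(true).freedDuringCallback);
    return 0;
}
```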
Commit: 91c5b2e06b9c35a0e8d776425da004cd490f54c6
https://github.com/WebKit/WebKit/commit/91c5b2e06b9c35a0e8d776425da004cd490f54c6
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
A JSTests/stress/oom-test-for-replace-all.js
A JSTests/wasm/stress/omg-tail-call-clobber-pinned-registers.js
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
Log Message:
-----------
Cherry-pick f35184a412c9. rdar://139362369
[JSC] Wasm TailCall should say "pinned registers can be clobbered" in OMG
https://bugs.webkit.org/show_bug.cgi?id=282635
rdar://138178964
Reviewed by Keith Miller and David Degazio.
We need to say that pinned registers are clobbered for transitive tail-calls
in OMG to correctly restore wasm instance.
* JSTests/wasm/stress/omg-tail-call-clobber-pinned-registers.js: Added.
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::addCall):
(JSC::Wasm::OMGIRGenerator::addCallRef):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::addCall):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::dumpDisassembly):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::dumpDisassembly):
Canonical link: https://commits.webkit.org/286193@main
Canonical link: https://commits.webkit.org/283286.450@safari-7620.1.16.10-branch
Commit: 67161339da87b3139bb0c1c297c3292c22ae9544
https://github.com/WebKit/WebKit/commit/67161339da87b3139bb0c1c297c3292c22ae9544
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-11-07 (Thu, 07 Nov 2024)
Changed paths:
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebNavigationEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWebRequestEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/API/Cocoa/WebExtensionAPIWindowsEventCocoa.mm
M Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.h
M Source/WebKit/WebProcess/Extensions/Cocoa/_WKWebExtensionWebRequestFilter.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIAlarms.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebNavigation.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWebRequest.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtensionAPIWindows.mm
Log Message:
-----------
Revert 0628c831bdfb. rdar://139395506
This reverts commit a2bbec32ef7378ee533a0d5aecaa2d7190e8a7e6.
Canonical link: https://commits.webkit.org/283286.451@safari-7620.1.16.10-branch
Commit: f627ad7ddb31fb34b4e7f7ddb3577e326761a6dd
https://github.com/WebKit/WebKit/commit/f627ad7ddb31fb34b4e7f7ddb3577e326761a6dd
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.2
Canonical link: https://commits.webkit.org/283286.452@safari-7620.1.16.10-branch
Commit: 97f6a887dde13fb425a4be5751730946adb8c053
https://github.com/WebKit/WebKit/commit/97f6a887dde13fb425a4be5751730946adb8c053
Author: Russell Epstein <repstein at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.3
Canonical link: https://commits.webkit.org/283286.453@safari-7620.1.16.10-branch
Commit: 8799b558188efbeae182f22cc66bac216a911d05
https://github.com/WebKit/WebKit/commit/8799b558188efbeae182f22cc66bac216a911d05
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/WTF/wtf/LockAlgorithm.h
Log Message:
-----------
Cherry-pick 4d456933d70e. rdar://139645285
LockAlgorithm::unlockFast is too fast
https://bugs.webkit.org/show_bug.cgi?id=282865
rdar://139548123
Reviewed by Yusuke Suzuki.
Right now it has relaxed ordering but that's not correct since it means writes to the critical section
could happen after the lock is unlocked. This could lead to arbitrary crashes or other general badness.
* Source/WTF/wtf/LockAlgorithm.h:
(WTF::LockAlgorithm::unlockFast):
Canonical link: https://commits.webkit.org/283286.466@safari-7620-branch
Canonical link: https://commits.webkit.org/283286.454@safari-7620.1.16.10-branch
Commit: fb95ff6901e67c1190b923a53f776d3373fefa52
https://github.com/WebKit/WebKit/commit/fb95ff6901e67c1190b923a53f776d3373fefa52
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
M LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
Log Message:
-----------
Cherry-pick fbc1283a4a99. rdar://138281493
Unreviewed, reverting "[WebAuthn] Implement batching for checking allowCredentials (48851c3d135a)"
https://bugs.webkit.org/show_bug.cgi?id=282880
rdar://138281493
Fix Login Issues with newer Yubikeys.
Reverted change:
Cherry-pick 52a47cb. rdar://133711978
[WebAuthn] Implement batching for checking allowCredentials
rdar://133711978
https://bugs.webkit.org/show_bug.cgi?id=277979
Reviewed by Brent Fulgham.
This change implements checking the allowCredentials in batches as supported by
the authenticator during getAssertion. This is accomplished with smaller up=0,
get requests to determine if credentials are present on the authenticator.
Then if a credential is detected as present, it is included in the allowCredentials list
in the real request. If no credentials matched, then we already know the call will not
be able to succeed, so we just include the last batch.
Added layout tests for the new behaviors.
* LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html:
* LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html:
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueSlientlyCheckCredentials):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterCheckExcludedCredentials):
(WebKit::CtapAuthenticator::getAssertion):
(WebKit::CtapAuthenticator::continueGetAssertionAfterCheckAllowCredentials):
(WebKit::CtapAuthenticator::continueCheckExcludedCredentialsAfterResponseRecieved): Deleted.
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
Canonical link: https://commits.webkit.org/282246@main
Canonical link: https://commits.webkit.org/283286.467@safari-7620-branch
Canonical link: https://commits.webkit.org/283286.455@safari-7620.1.16.10-branch
Commit: 104d9e972cd5764fe8b4349d867e8a80e9c0e20a
https://github.com/WebKit/WebKit/commit/104d9e972cd5764fe8b4349d867e8a80e9c0e20a
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html
M LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt
M LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html
M LayoutTests/http/wpt/webauthn/resources/util.js
M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp
M Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp
M Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h
M Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp
M Source/WebCore/Modules/webauthn/fido/FidoConstants.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.h
M Source/WebCore/testing/MockWebAuthenticationConfiguration.idl
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
M Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h
Log Message:
-----------
Cherry-pick aaafcd1e5687. rdar://138281493
Unreviewed, reverting [WebAuthn] Implement batching for checking excludeCredentials
https://bugs.webkit.org/show_bug.cgi?id=282878
rdar://138281493
Revert to Fix rdar://138281493 Unable to enter PIN for Yubikey
Reverted change:
Cherry-pick f56198757e4b. rdar://133307666
[WebAuthn] Implement batching for checking excludeCredentials
rdar://133307666
https://bugs.webkit.org/show_bug.cgi?id=277695
Reviewed by Charlie Wolfe.
This change starts to implement checking the excludeCredential list in batches as
supported by the authenticator during a makeCredential. This is accomplished by using
smaller, up=0, get requests to detect if a credential is present on the authenticator.
Then if a credential is detected, only that credential may be included with the actual
makeCredential request to get the proper error code back from the authenticator. If none
matched, we don't need to include an excludeCredentials list to the authenticator since
we already know those credentials aren't present.
This patch only implements this logic for makeCredential, getAssertion will be done in
another patch.
Added layout tests to test matching exclude list with batching, non-matching exclude list with
batching, and a security key that supports batches greater than 1.
* LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https-expected.txt:
* LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html:
* LayoutTests/http/wpt/webauthn/resources/util.js:
* Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.cpp:
(fido::AuthenticatorGetInfoResponse::setMaxCredentialCountInList):
(fido::AuthenticatorGetInfoResponse::setMaxCredentialIDLength):
(fido::encodeAsCBOR):
* Source/WebCore/Modules/webauthn/fido/AuthenticatorGetInfoResponse.h:
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.cpp:
(fido::encodeSilentGetAssertion):
* Source/WebCore/Modules/webauthn/fido/DeviceRequestConverter.h:
* Source/WebCore/Modules/webauthn/fido/DeviceResponseConverter.cpp:
(fido::readCTAPGetInfoResponse):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.h:
* Source/WebCore/testing/MockWebAuthenticationConfiguration.idl:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Source/WebKit/UIProcess/WebAuthentication/Mock/MockHidConnection.cpp:
(WebKit::MockHidConnection::feedReports):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueCheckExcludedCredentialsAfterResponseRecieved):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterCheckExcludedCredentials):
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.h:
Canonical link: https://commits.webkit.org/282019@main
Canonical link: https://commits.webkit.org/280938.236@safari-7619-branch
Canonical link: https://commits.webkit.org/283286.468@safari-7620-branch
Canonical link: https://commits.webkit.org/283286.456@safari-7620.1.16.10-branch
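Added example, not part of either commit or of WebKit's source: a C++ sketch of the batching logic that the two reverted changes above describe, for excludeCredentials (makeCredential) and allowCredentials (getAssertion). MockAuthenticator, probeInBatches and the other names are hypothetical, and the credential IDs are constructed sample values.

```cpp
// Added illustration, not WebKit source. The mock authenticator and all names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

using CredentialId = std::string;
using CredentialList = std::vector<CredentialId>;

// Constructed stand-in for a CTAP security key.
struct MockAuthenticator {
    std::set<CredentialId> stored;             // credentials present on the device
    std::size_t maxCredentialCountInList = 1;  // batch size the device advertises
    std::size_t silentRequests = 0;            // number of up=0 probes received

    // Models a get request with up=0: no user interaction, it only reports whether one of the
    // listed credentials exists. Returns true and sets `found` on a match.
    bool silentGetAssertion(const CredentialList& batch, CredentialId& found) {
        ++silentRequests;
        for (const CredentialId& id : batch) {
            if (stored.count(id)) { found = id; return true; }
        }
        return false;
    }
};

struct ProbeResult {
    bool matched = false;
    CredentialId match;        // valid only when matched is true
    CredentialList lastBatch;  // the last batch that was sent
};

// Walks the list in device-sized batches and stops at the first batch containing a stored credential.
ProbeResult probeInBatches(MockAuthenticator& device, const CredentialList& credentials) {
    ProbeResult result;
    const std::size_t step = std::max<std::size_t>(1, device.maxCredentialCountInList);
    for (std::size_t begin = 0; begin < credentials.size() && !result.matched; begin += step) {
        const std::size_t end = std::min(credentials.size(), begin + step);
        result.lastBatch.assign(credentials.begin() + begin, credentials.begin() + end);
        result.matched = device.silentGetAssertion(result.lastBatch, result.match);
    }
    return result;
}

// makeCredential: send only the detected credential so the device returns the proper error;
// if nothing matched, no exclude list is needed at all.
CredentialList excludeListForMakeCredential(MockAuthenticator& device, const CredentialList& excludeCredentials) {
    ProbeResult probe = probeInBatches(device, excludeCredentials);
    CredentialList list;
    if (probe.matched) list.push_back(probe.match);
    return list;
}

// getAssertion: send the detected credential; if nothing matched the request cannot succeed,
// so the last batch is sent.
CredentialList allowListForGetAssertion(MockAuthenticator& device, const CredentialList& allowCredentials) {
    ProbeResult probe = probeInBatches(device, allowCredentials);
    if (!probe.matched) return probe.lastBatch;
    return CredentialList(1, probe.match);
}

// Constructed sample data: "cred-1" .. "cred-N".
CredentialList makeList(std::size_t count) {
    CredentialList list;
    for (std::size_t i = 1; i <= count; ++i) list.push_back("cred-" + std::to_string(i));
    return list;
}

MockAuthenticator makeDevice(const CredentialId& storedId, std::size_t batchSize) {
    MockAuthenticator device;
    device.stored.insert(storedId);
    device.maxCredentialCountInList = batchSize;
    return device;
}

int main() {
    MockAuthenticator key = makeDevice("cred-7", 2);
    CredentialList exclude = excludeListForMakeCredential(key, makeList(8));
    std::printf("exclude list size %zu after %zu silent requests\n", exclude.size(), key.silentRequests);
    return 0;
}
```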
Commit: 6f8c75580aeb93e66603fc9bf0f82c331d0ad35f
https://github.com/WebKit/WebKit/commit/6f8c75580aeb93e66603fc9bf0f82c331d0ad35f
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_library_cache.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_utils.mm
Log Message:
-----------
Cherry-pick 8826887be8c6. rdar://139660591
[ANGLE] Fix leaks in NewMetalLibraryFromMetallib() on every call
<https://bugs.webkit.org/show_bug.cgi?id=282890>
<rdar://139586222>
Reviewed by Kimmo Kinnunen.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_library_cache.mm:
(rx::(anonymous)::NewMetalLibraryFromMetallib):
- Use adoptObjCObj() to fix leak of id<MTLLibrary>.
- Call dispatch_release() to fix leak of dispatch_data_t.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_utils.mm:
(rx::mtl::CreateShaderLibraryFromBinary):
- Use DISPATCH_DATA_DESTRUCTOR_DEFAULT instead of empty block.
- Replace ANGLE_MTL_AUTORELEASE with adoptObjCObj() to avoid unneeded
autorelease of id<MTLLibrary> object.
Canonical link: https://commits.webkit.org/286425@main
Commit: 66f9820bd796a58a2db1f04de0b796d819055e3c
https://github.com/WebKit/WebKit/commit/66f9820bd796a58a2db1f04de0b796d819055e3c
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
A JSTests/wasm/stress/wasm-bbq-catch-unbind.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
Log Message:
-----------
Cherry-pick 39727612b542. rdar://139502479
[JSC] Aborted in JSC::Wasm::BBQJITImpl::BBQJIT::bind
https://bugs.webkit.org/show_bug.cgi?id=282825
rdar://139502479
Reviewed by David Degazio.
This patch adds unbinding for all registers for addCatch and addCatchAll
too since they also should not carry any bindings from the other blocks.
* JSTests/wasm/stress/wasm-bbq-catch-unbind.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatch):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchAll):
Canonical link: https://commits.webkit.org/283286.470@safari-7620-branch
Commit: bedd61cf20637c148d9b47376ecad29d4a5e01bc
https://github.com/WebKit/WebKit/commit/bedd61cf20637c148d9b47376ecad29d4a5e01bc
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_library_cache.mm
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_utils.mm
Log Message:
-----------
Revert 8826887be8c6. rdar://139660591
This reverts commit 6f8c75580aeb93e66603fc9bf0f82c331d0ad35f.
Commit: 70b592dbd8c54b0772e7522c1efbd014df284c41
https://github.com/WebKit/WebKit/commit/70b592dbd8c54b0772e7522c1efbd014df284c41
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-11 (Mon, 11 Nov 2024)
Changed paths:
M Source/WTF/wtf/LockAlgorithm.h
Log Message:
-----------
Revert 4d456933d70e. rdar://139645285
This reverts commit 8799b558188efbeae182f22cc66bac216a911d05.
Commit: 8e5f4c7314e1c070e085a988d9894411545cbaf1
https://github.com/WebKit/WebKit/commit/8e5f4c7314e1c070e085a988d9894411545cbaf1
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-12 (Tue, 12 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.4
Canonical link: https://commits.webkit.org/283286.461@safari-7620.1.16.10-branch
Commit: 558ba4a0e54b2aad1c5397ab0056c73d169a241f
https://github.com/WebKit/WebKit/commit/558ba4a0e54b2aad1c5397ab0056c73d169a241f
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.5
Canonical link: https://commits.webkit.org/283286.462@safari-7620.1.16.10-branch
Commit: 752066c7a7cd36bdf72eb81ffb5afb4664afc4ff
https://github.com/WebKit/WebKit/commit/752066c7a7cd36bdf72eb81ffb5afb4664afc4ff
Author: Daniel Liu <danlliu at umich.edu>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick ded4d02c0a93. rdar://139822639
Don't allocate DFG register after a slow path
https://bugs.webkit.org/show_bug.cgi?id=283063
rdar://139747120
Reviewed by Yusuke Suzuki.
Allocating a DFG register after a slow path means that if the slow path
is taken, we end up with an incorrect global state.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
Canonical link: https://commits.webkit.org/283286.475@safari-7620-branch
Commit: 3e09afa7f822796d942ed1d912c732b1fe578758
https://github.com/WebKit/WebKit/commit/3e09afa7f822796d942ed1d912c732b1fe578758
Author: Russell Epstein <repstein at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.6
Canonical link: https://commits.webkit.org/283286.464@safari-7620.1.16.10-branch
Commit: b260bd82cbdd25a3c63c326757df5168d3c0ed17
https://github.com/WebKit/WebKit/commit/b260bd82cbdd25a3c63c326757df5168d3c0ed17
Author: Richard Robinson <richard_robinson2 at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Source/WebCore/platform/graphics/Font.cpp
M Source/WebCore/platform/graphics/SystemFallbackFontCache.cpp
M Source/WebCore/platform/graphics/SystemFallbackFontCache.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WritingTools.mm
Log Message:
-----------
Cherry-pick 48d994887c94. rdar://139852476
[Writing Tools] Outlook.app quits unexpectedly with Writing Tools
https://bugs.webkit.org/show_bug.cgi?id=283098
rdar://139513909
Reviewed by Wenson Hsieh and Abrar Rahman Protyasha.
The `SystemFallbackFontCache` system depends on using a `WebCore::Timer`. In the destructor of `Font`,
a font cache is accessed and the font is removed from the cache. Notably, even if there is no cache,
one is erroneously created anyways.
The `AttributedString` type uses the `Font` type and therefore indirectly uses a `WebCore::Timer`.
Therefore, any use of `AttributedString` in the UI process is unsafe, as it is not allowed to use a
`WebCore::Timer` in the UI process.
This issue manifests in the implementation of Writing Tools, which uses AttributedStrings in the UI
process. This issue was always present, however it turned into a crash once a release assert was
added in `WebCore::Timer`.
To fix this, ensure that a new font cache is not created in the destructor of Font.
* Source/WebCore/platform/graphics/Font.cpp:
(WebCore::Font::~Font):
* Source/WebCore/platform/graphics/SystemFallbackFontCache.cpp:
(WebCore::SystemFallbackFontCache::forCurrentThreadIfExists):
* Source/WebCore/platform/graphics/SystemFallbackFontCache.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WritingTools.mm:
(TEST(WritingTools, AttributedStringWithWebKitLegacy)):
Canonical link: https://commits.webkit.org/286579@main
Canonical link: https://commits.webkit.org/283286.465@safari-7620.1.16.10-branch
Commit: ca617ef2bbcebc9e0f6eb97f5189c39ce7cb6cea
https://github.com/WebKit/WebKit/commit/ca617ef2bbcebc9e0f6eb97f5189c39ce7cb6cea
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
M Source/WebKit/NetworkProcess/NetworkProcess.h
M Source/WebKit/NetworkProcess/NetworkSession.cpp
M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp
M Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
Log Message:
-----------
Cherry-pick 2815b4e29829. rdar://139887841
Data Isolation bypass via attacker controlled firstPartyForCookies
https://bugs.webkit.org/show_bug.cgi?id=283095
rdar://139818629
Reviewed by Matthew Finkel and Alex Christensen.
`NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or
empty firstPartyForCookies URLs. We tried to remove this in rdar://105733798 and rdar://107270673, but
we needed to revert both because there were rare and subtle bugs where certain requests would incorrectly
have about:blank set as their firstPartyForCookies, causing us to kill the WCP.
This patch is a lower risk change that removes the unconditional cookie access for requests that have an
empty firstPartyForCookies, but will not kill the WCP that is incorrectly sending an empty
firstPartyForCookies.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::createSocketChannel):
(WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookiesEnabled):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
(WebKit::NetworkConnectionToWebProcess::domCookiesForHost):
(WebKit::NetworkConnectionToWebProcess::establishSWContextConnection):
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::allowsFirstPartyForCookies):
* Source/WebKit/NetworkProcess/NetworkProcess.h:
* Source/WebKit/NetworkProcess/NetworkSession.cpp:
(WebKit::NetworkSession::addAllowedFirstPartyForCookies):
* Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
(WebKit::WebSWServerConnection::scheduleJobInServer):
* Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServerConnection.cpp:
(WebKit::WebSharedWorkerServerConnection::requestSharedWorker):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(EmptyFirstPartyForCookiesCookieRequestHeaderFieldValue)):
Canonical link: https://commits.webkit.org/283286.477@safari-7620-branch
Commit: f235b01eb6e734254fb4f3b19976e92dd2e6a280
https://github.com/WebKit/WebKit/commit/f235b01eb6e734254fb4f3b19976e92dd2e6a280
Author: Per Arne Vollan <pvollan at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Source/WebKit/Shared/AuxiliaryProcessExtensions/NetworkingExtension-Info.plist
Log Message:
-----------
Cherry-pick 5e0585ea7336. rdar://139903559
[iOS] The Networking process should use the same localization as the UI process
https://bugs.webkit.org/show_bug.cgi?id=283029
rdar://139264528
Reviewed by Chris Dumez.
Use the same property list key/value for this as we do for the WebContent process.
* Source/WebKit/Shared/AuxiliaryProcessExtensions/NetworkingExtension-Info.plist:
Canonical link: https://commits.webkit.org/286539@main
Commit: 67635daa733ea5250391d2dba5fd0ddca688a47b
https://github.com/WebKit/WebKit/commit/67635daa733ea5250391d2dba5fd0ddca688a47b
Author: Youenn Fablet <youenn at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M LayoutTests/TestExpectations
M Source/WebCore/platform/mediastream/mac/CoreAudioSharedUnit.cpp
Log Message:
-----------
Cherry-pick 2d1b510c05b1. rdar://139901838
iOS 18.2 - WebRTC audio input device issues
rdar://139797608
Reviewed by Jean-Yves Avenard.
When stopping capture, if audio rendering is ongoing with VPIO, we were setting kAUVoiceIOProperty_MuteOutput to 1.
This is new in CrystalC code base and is in preparation of supporting voice activity detection.
We were correctly setting kAUVoiceIOProperty_MuteOutput back to 0 if we were keeping the same VPIO unit when restarting.
It appears kAUVoiceIOProperty_MuteOutput is sticky so we would need to set kAUVoiceIOProperty_MuteOutput back to 0 on the new unit.
Instead, we are removing the setting of kAUVoiceIOProperty_MuteOutput.
Setting kAUVoiceIOProperty_MuteOutput is useful to enable muted talker detection, which is a future feature, not available in this branch.
There is no such issue in WebKit trunk since, after the fork to this branch, we added explicit mute setting via [AVAudioApplication setInputMuted:error:].
Marking http/wpt/mediasession/voiceActivityDetection.html as failing since we no longer instruct the mock audio unit that the output is muted.
Manually tested on iOS.
* LayoutTests/TestExpectations:
* Source/WebCore/platform/mediastream/mac/CoreAudioSharedUnit.cpp:
(WebCore::CoreAudioSharedUnit::isProducingMicrophoneSamplesChanged):
Canonical link: https://commits.webkit.org/283286.478@safari-7620-branch
Commit: b99ab165e234c1ac484e3c40791e48d14519ce9b
https://github.com/WebKit/WebKit/commit/b99ab165e234c1ac484e3c40791e48d14519ce9b
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-14 (Thu, 14 Nov 2024)
Changed paths:
M Source/WebCore/platform/graphics/Font.cpp
M Source/WebCore/platform/graphics/SystemFallbackFontCache.cpp
M Source/WebCore/platform/graphics/SystemFallbackFontCache.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WritingTools.mm
Log Message:
-----------
Revert 48d994887c94. rdar://139852476
This reverts commit b260bd82cbdd25a3c63c326757df5168d3c0ed17.
Commit: 7c54a3520745b1d6d77c1d97da1f37b0d08ea462
https://github.com/WebKit/WebKit/commit/7c54a3520745b1d6d77c1d97da1f37b0d08ea462
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-15 (Fri, 15 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.7
Canonical link: https://commits.webkit.org/283286.470@safari-7620.1.16.10-branch
Commit: e792146f78cb1b059159befbea138c597a8effa1
https://github.com/WebKit/WebKit/commit/e792146f78cb1b059159befbea138c597a8effa1
Author: Matthieu Dubet <m_dubet at apple.com>
Date: 2024-11-15 (Fri, 15 Nov 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001.html
M Source/WebCore/css/SelectorChecker.cpp
Log Message:
-----------
Cherry-pick 33507394bab5. rdar://139908140
[CSS] Don't combine :not() with :host
https://bugs.webkit.org/show_bug.cgi?id=282960
rdar://139198548
Reviewed by Tim Nguyen.
As a featureless element, only :host matches the shadow host.
Functional pseudoclasses pass the behavior to their arguments,
so :is(:host) matches the same as :host (the shadow host).
This fixes a regression introduced in 281963 at main.
Before 281963, :host combination with a functional pseudoclass
(or anything but a pseudo-element more generally)
was early returning "not match".
281963 has removed the early return for all functional pseudoclasses
(to allow :is() combined with :host, but also :not()).
Properly supporting :host combining with :not() is tricky
and will be handled in a followup patch.
* LayoutTests/TestExpectations:
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-descendant-003.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-002.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-003.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-004.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-005.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-multiple-006.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-scoping/host-not-001.html: Added.
* Source/WebCore/css/SelectorChecker.cpp:
(WebCore::SelectorChecker::checkOne const):
Canonical link: https://commits.webkit.org/286611@main
Commit: 8914dc85b26503128a4a74d9ec0c85a585725b26
https://github.com/WebKit/WebKit/commit/8914dc85b26503128a4a74d9ec0c85a585725b26
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-15 (Fri, 15 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.8
Canonical link: https://commits.webkit.org/283286.472@safari-7620.1.16.10-branch
Commit: 3d55faddb73cf1ea48125763f03e04e5513d9abd
https://github.com/WebKit/WebKit/commit/3d55faddb73cf1ea48125763f03e04e5513d9abd
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-16 (Sat, 16 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.9
Canonical link: https://commits.webkit.org/283286.473@safari-7620.1.16.10-branch
Commit: e8db9573d7dfdcd34779b95e52b3126ab0636192
https://github.com/WebKit/WebKit/commit/e8db9573d7dfdcd34779b95e52b3126ab0636192
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-19 (Tue, 19 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.10
Canonical link: https://commits.webkit.org/283286.474@safari-7620.1.16.10-branch
Commit: 605dfc06a112afa4834b5c073354f82784233288
https://github.com/WebKit/WebKit/commit/605dfc06a112afa4834b5c073354f82784233288
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-11-19 (Tue, 19 Nov 2024)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/page/SecurityPolicy.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKHTTPCookieStore.mm
Log Message:
-----------
Cherry-pick b7402f10b17c. rdar://140129837
sameSiteInfo.isSameSite may not match URLs used in Data Isolation checks
https://bugs.webkit.org/show_bug.cgi?id=283309
rdar://140129837
Reviewed by Sihui Liu.
This patch fixes an issue where a WebContent process can send IPC with URLs that are not same-site, but
contains `sameSiteInfo` that indicates that the request is same-site. This can lead to requesting cookies
for a URL that was not considered in the data isolation check.
To lower risk, we reject cookie access instead of terminating the sender process. More details provided
below.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::setOriginalURLForDownloadRequest):
(WebCore::FrameLoader::updateRequestAndAddExtraFields):
(WebCore::FrameLoader::addSameSiteInfoToRequestIfNeeded):
* Source/WebCore/loader/FrameLoader.h:
These quirks were added when cookies were SameSite=Lax by default, which is no longer the case, so it can
be removed. Keeping this would mean certain requests would unexpectedly be considered same-site, and
would fail the check being added in the network process.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
This is an existing bug that was revealed by this change, and is needed to fix
`http/tests/cache/disk-cache/disk-cache-vary-cookie.html`.
* Source/WebCore/page/SecurityPolicy.h:
Export `shouldInheritSecurityOriginFromOwner` so that it can be used in the network process.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::shouldTreatAsSameSite const):
Add a network process side same-site check, similar to `FrameLoader::addSameSiteInfoToRequestIfNeeded`.
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
Validate all cookie messages that contain `sameSiteInfo`.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(InvalidSameSiteInfoCookieRequestHeaderFieldValue)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm:
(TestWebKitAPI::TEST(SOAuthorizationSubFrame, InterceptionSucceedWithCookie)):
Fix this test, which was trying to a cookie from example.com on a page with an empty main frame URL.
Canonical link: https://commits.webkit.org/283286.501@safari-7620-branch
Commit: a58e1d7439d8a5717eb5eeb1c7861b327f7cb79e
https://github.com/WebKit/WebKit/commit/a58e1d7439d8a5717eb5eeb1c7861b327f7cb79e
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2024-11-19 (Tue, 19 Nov 2024)
Changed paths:
M Source/WebCore/platform/Timer.cpp
Log Message:
-----------
Cherry-pick d542dd305ab0. rdar://140233024
Disable the release assert in Timer::Timer
https://bugs.webkit.org/show_bug.cgi?id=283383
<rdar://140233024>
Reviewed by Chris Dumez.
Removed the release assert for now.
* Source/WebCore/platform/Timer.cpp:
(WebCore::TimerBase::TimerBase):
Canonical link: https://commits.webkit.org/283286.502@safari-7620-branch
Commit: 24371a327d61b26e9c9713762de168942a600890
https://github.com/WebKit/WebKit/commit/24371a327d61b26e9c9713762de168942a600890
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7620.1.16.10.11
Canonical link: https://commits.webkit.org/283286.477@safari-7620.1.16.10-branch
Commit: 67bb03b4ca7a613861e70b6f04edef058de7498d
https://github.com/WebKit/WebKit/commit/67bb03b4ca7a613861e70b6f04edef058de7498d
Author: Youenn Fablet <youenn at apple.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
Log Message:
-----------
Cherry-pick fc73a0b209cf. rdar://140305310
J718/22C5142a: FaceTime video flipped upside-down in Safari call
rdar://140305310
Reviewed by Eric Carlson.
Rotation is incorrect on some iPads when this flag is on.
We temporarily disable the flag until we fix that issue for those iPads.
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
Canonical link: https://commits.webkit.org/283286.516@safari-7620-branch
Compare: https://github.com/WebKit/WebKit/compare/8600f7e4a760%5E...67bb03b4ca7a