[webkit-changes] [WebKit/WebKit] f62bee: Cherry-pick 283286.128 at safari-7620-branch (24ac271...
Charlie Wolfe
noreply at github.com
Wed Dec 11 13:19:03 PST 2024
Branch: refs/heads/webkitglib/2.46
Home: https://github.com/WebKit/WebKit
Commit: f62bee2d7053e57b1fe7a2f3ed3651d7dd124ebb
https://github.com/WebKit/WebKit/commit/f62bee2d7053e57b1fe7a2f3ed3651d7dd124ebb
Author: Youenn Fablet <youenn at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/http/tests/media/hls/range-request-cross-origin-expected.txt
A LayoutTests/http/tests/media/hls/range-request-cross-origin-worker.js
A LayoutTests/http/tests/media/hls/range-request-cross-origin.html
A LayoutTests/http/tests/media/resources/hls/range-request-playlist-cross-origin.m3u8
A LayoutTests/http/tests/media/resources/hls/range-request-playlists/stream-cross-origin.m3u8
A LayoutTests/http/wpt/resources/test.mp4
A LayoutTests/http/wpt/service-workers/media-range-request-expected.txt
A LayoutTests/http/wpt/service-workers/media-range-request-worker.js
A LayoutTests/http/wpt/service-workers/media-range-request.html
M Source/WebCore/loader/MediaResourceLoader.cpp
M Source/WebCore/loader/MediaResourceLoader.h
Log Message:
-----------
Cherry-pick 283286.128 at safari-7620-branch (24ac271f7d48). https://bugs.webkit.org/show_bug.cgi?id=276861
CVE-2022-31736 - Leaking size of cross-origin resources by using Range Requests and Service Workers
rdar://135680688
https://bugs.webkit.org/show_bug.cgi?id=276861
Reviewed by Jer Noble.
We want to restrict byte range responses of a single URL served from multiple origins.
While https://html.spec.whatwg.org/multipage/media.html#verify-a-media-response fixes this, it is not adapted for HLS content which can load different range requests from different origins for the same media element.
Instead, we implement a check dedicated to checking successive range request media loads to the same URL.
We store, per URL, whether these loads are served with service worker content or opaque response content.
We restrict the checks so that validation can only fail if at least one of the loads is served by a service worker, which should reduce any potential compat issue.
If they are served with both service worker and opaque response content, they need to all be same origin.
This allows the following cases to load properly:
- All loads are served with content that is visible to the service worker (same-origin, synthetic or CORS enabled).
- All loads are coming from the same origin.
This does not allow mixing content that is visible to the service worker and loads that are opaque.
We add a test exercising the failing case.
We also add an HLS test doing range requests from different origins as part of the same media element streaming, all served by service worker.
* LayoutTests/http/tests/media/hls/range-request-cross-origin-expected.txt: Added.
* LayoutTests/http/tests/media/hls/range-request-cross-origin-worker.js: Added.
* LayoutTests/http/tests/media/hls/range-request-cross-origin.html: Added.
* LayoutTests/http/tests/media/resources/hls/range-request-playlist-cross-origin.m3u8: Added.
* LayoutTests/http/tests/media/resources/hls/range-request-playlists/stream-cross-origin.m3u8: Added.
* LayoutTests/http/wpt/resources/test.mp4: Added.
* LayoutTests/http/wpt/service-workers/media-range-request-expected.txt: Added.
* LayoutTests/http/wpt/service-workers/media-range-request-worker.js: Added.
(self.onfetch.event.event.request.url.includes):
(self.onfetch.event.videoRequestCount.shouldUseSyntheticResponse.event.respondWith.new.Response.new.Uint8Array):
* LayoutTests/http/wpt/service-workers/media-range-request.html: Added.
* Source/WebCore/loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::verifyMediaResponse):
(WebCore::MediaResource::responseReceived):
* Source/WebCore/loader/MediaResourceLoader.h:
Canonical link: https://commits.webkit.org/282416.338@webkitglib/2.46
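The per-URL check described in the message above, written out as an added model (not WebKit's `verifyMediaResponse`): each range response is tagged with its origin, whether a service worker handled it, and whether its content is opaque, and the validator rejects a mix of service-worker-visible and opaque content unless every load for that URL came from one origin.

```cpp
#include <map>
#include <set>
#include <string>

// One range response for a media URL. Origins and flags here are the inputs the
// commit message says are tracked; the struct itself is an assumption of this example.
struct RangeResponse {
    std::string origin;      // origin that produced the bytes, e.g. "https://a.example"
    bool fromServiceWorker;  // true if a service worker handled the fetch
    bool opaque;             // true if the content is not visible (opaque response)
};

class RangeRequestValidator {
public:
    // Returns true if this response may be appended to the media data for `url`.
    bool verify(const std::string& url, const RangeResponse& response)
    {
        State& state = m_states[url];
        if (response.fromServiceWorker)
            state.sawServiceWorker = true;
        if (response.opaque)
            state.sawOpaque = true;
        state.origins.insert(response.origin);

        // Compat rule: validation can only fail once at least one load for this
        // URL went through a service worker.
        if (!state.sawServiceWorker)
            return true;

        // Mixing service-worker-visible content with opaque content is only
        // allowed when every load so far came from the same origin; otherwise a
        // synthetic first range plus an opaque cross-origin range could reveal
        // the cross-origin resource's size.
        if (state.sawOpaque)
            return state.origins.size() == 1;

        // All loads visible to the service worker (same-origin, synthetic, CORS).
        return true;
    }

private:
    struct State {
        bool sawServiceWorker = false;
        bool sawOpaque = false;
        std::set<std::string> origins;
    };
    std::map<std::string, State> m_states;  // keyed by media URL
};
```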
Commit: 69487aefa8c1d6fbae7e3edbd290c331264e8e13
https://github.com/WebKit/WebKit/commit/69487aefa8c1d6fbae7e3edbd290c331264e8e13
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/wtf/URL.h
M Source/WTF/wtf/URLParser.h
M Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm
Log Message:
-----------
Cherry-pick 283286.184 at safari-7620-branch (227f601688f4). https://bugs.webkit.org/show_bug.cgi?id=280805
[WTF] Add LIFETIME_BOUND to URL.h and URLParser.h methods
<https://bugs.webkit.org/show_bug.cgi?id=280805>
<rdar://137177574>
Reviewed by Darin Adler.
* Source/WTF/wtf/URL.h:
* Source/WTF/wtf/URLParser.h:
- Add LIFETIME_BOUND attributes to methods that return pointers or
references to inner data.
* Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm:
(WebKit::UnifiedPDFPlugin::revealFragmentIfNeeded):
- WTF::URL::fragmentIdentifier() returns a StringView, so we must keep
the URL object alive to fix the use-after-free. Remove unneeded
`fragment` variable in favor of `fragmentView`.
Canonical link: https://commits.webkit.org/282416.339@webkitglib/2.46
Commit: edaed5b8f04dccb50513e2fc7e724e9f67a14e21
https://github.com/WebKit/WebKit/commit/edaed5b8f04dccb50513e2fc7e724e9f67a14e21
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/JavaScriptCore/tools/VMInspector.cpp
M Source/WTF/wtf/text/CString.h
M Source/WTF/wtf/text/StringConcatenate.h
M Source/WTF/wtf/text/TextStream.cpp
M Source/WTF/wtf/text/TextStream.h
M Source/WebCore/platform/graphics/BitmapImage.h
M Source/WebCore/platform/graphics/BitmapImageSource.cpp
M Source/WebCore/platform/graphics/BitmapImageSource.h
M Source/WebCore/platform/graphics/ImageFrameAnimator.cpp
M Source/WebCore/platform/graphics/ImageFrameAnimator.h
M Source/WebCore/platform/graphics/ImageFrameWorkQueue.cpp
Log Message:
-----------
Cherry-pick 283286.185 at safari-7620-branch (fb73615833e6). https://bugs.webkit.org/show_bug.cgi?id=280809
[WTF] Add LIFETIME_BOUND to CString.h methods
<https://bugs.webkit.org/show_bug.cgi?id=280809>
<rdar://137179585>
Reviewed by Darin Adler.
* Source/JavaScriptCore/tools/VMInspector.cpp:
(JSC::VMInspector::dumpRegisters):
- Fix use-after-free by storing CString on the stack instead of the
const char* pointer.
* Source/WTF/wtf/text/CString.h:
- Add LIFETIME_BOUND attributes to methods that return pointers or
references to inner data.
* Source/WTF/wtf/text/StringConcatenate.h:
(WTF::StringTypeAdapter<CString, void>): Add.
* Source/WTF/wtf/text/TextStream.cpp:
(WTF::TextStream::operator<<): Add.
* Source/WTF/wtf/text/TextStream.h:
(WTF::TextStream::operator<<): Add.
- Add support for CString objects.
* Source/WebCore/platform/graphics/BitmapImage.h:
(WebCore::BitmapImage::sourceUTF8 const):
* Source/WebCore/platform/graphics/BitmapImageSource.cpp:
(WebCore::BitmapImageSource::destroyDecodedData):
(WebCore::BitmapImageSource::stopDecodingWorkQueue):
(WebCore::BitmapImageSource::decode):
(WebCore::BitmapImageSource::imageFrameDecodeAtIndexHasFinished):
(WebCore::BitmapImageSource::requestNativeImageAtIndex):
(WebCore::BitmapImageSource::requestNativeImageAtIndexIfNeeded):
(WebCore::BitmapImageSource::nativeImageAtIndexCacheIfNeeded):
(WebCore::BitmapImageSource::sourceUTF8 const):
* Source/WebCore/platform/graphics/BitmapImageSource.h:
(WebCore::BitmapImageSource::sourceUTF8 const):
* Source/WebCore/platform/graphics/ImageFrameAnimator.cpp:
(WebCore::ImageFrameAnimator::startAnimation):
(WebCore::ImageFrameAnimator::advanceAnimation):
(WebCore::ImageFrameAnimator::sourceUTF8 const):
* Source/WebCore/platform/graphics/ImageFrameAnimator.h:
(WebCore::ImageFrameAnimator::sourceUTF8 const):
* Source/WebCore/platform/graphics/ImageFrameWorkQueue.cpp:
(WebCore::ImageFrameWorkQueue::start):
(WebCore::ImageFrameWorkQueue::stop):
- Change return type of sourceUTF8() methods to CString to keep the
string alive until it's needed for logging. This fixes the
use-after-free in the original BitmapImage::sourceUTF8() method.
- Add call to CString::data() when logging.
Canonical link: https://commits.webkit.org/282416.340@webkitglib/2.46
Commit: 554089784c827c2385bfed3ea2f51faf6c077e40
https://github.com/WebKit/WebKit/commit/554089784c827c2385bfed3ea2f51faf6c077e40
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/wtf/Vector.h
M Source/WebCore/Modules/mediastream/RTCRtpSFrameTransformer.cpp
M Source/WebCore/Modules/mediastream/SFrameUtils.cpp
M Source/WebCore/Modules/mediastream/SFrameUtils.h
Log Message:
-----------
Cherry-pick 283286.203 at safari-7620-branch (dbe14535006e). https://bugs.webkit.org/show_bug.cgi?id=280802
[WTF] Add LIFETIME_BOUND to Vector.h methods
<https://bugs.webkit.org/show_bug.cgi?id=280802>
<rdar://137175142>
Reviewed by Darin Adler.
Change SFrameCompatibilityPrefixBuffer into a Vector<uint8_t>.
* Source/WTF/wtf/Vector.h:
- Add LIFETIME_BOUND attributes to methods in Vector.h that return
pointers or references to inner data.
* Source/WebCore/Modules/mediastream/RTCRtpSFrameTransformer.cpp:
(WebCore::RTCRtpSFrameTransformer::encryptFrame):
- Extract std::span from SFrameCompatibilityPrefixBuffer, which is now a
std::variant.
- Switch to use size() methods on std::span.
- Switch to use memcpySpan() instead of memcpy().
* Source/WebCore/Modules/mediastream/SFrameUtils.cpp:
(WebCore::computeH264PrefixBuffer):
(WebCore::computeVP8PrefixBuffer):
- Update return expressions for std::variant construction.
* Source/WebCore/Modules/mediastream/SFrameUtils.h:
(WebCore::SFrameCompatibilityPrefixBuffer):
- Replace struct SFrameCompatibilityPrefixBuffer with std::variant.
Canonical link: https://commits.webkit.org/282416.341@webkitglib/2.46
Commit: c25dc9a58614c576862adb97a3a52074a4a501ce
https://github.com/WebKit/WebKit/commit/c25dc9a58614c576862adb97a3a52074a4a501ce
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
M Source/WebCore/platform/graphics/Region.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
M Tools/TestWebKitAPI/CMakeLists.txt
M Tools/TestWebKitAPI/Test.h
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp
Log Message:
-----------
Cherry-pick 283286.236 at safari-7620-branch (c5f45c2aa95e). https://bugs.webkit.org/show_bug.cgi?id=281040
Add more validation to Region IPC decoding
https://bugs.webkit.org/show_bug.cgi?id=281040
rdar://136142756
Reviewed by Antti Koivisto.
Region::Shape algorithm is sensitive to the array structure. Validate
the data correctly.
Instead of encoding the bounds and the Shape data, just encode the
shape data. It fully defines the Region.
Use <=> in place of nextY - Y in order to avoid signed integer wrapping
and to ensure that the algorithm works correctly with negative Ys.
* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::rects const):
(WebCore::Region::Shape::Shape):
(WebCore::operator<<):
(WebCore::Region::Shape::shapeOperation):
(WebCore::segmentsForSpanSegmentIndices):
(WebCore::Region::Shape::isValidShape):
(WebCore::m_spans): Deleted.
(WebCore::Region::Shape::appendSegment): Deleted.
(WebCore::Region::Shape::dump const): Deleted.
(WebCore::Region::dump const): Deleted.
(WebCore::Region::Shape::isValid const): Deleted.
* Source/WebCore/platform/graphics/Region.h:
(WebCore::Region::Shape::createForTesting):
(WebCore::Region::Shape::dataForTesting const):
(WebCore::Region::createForTesting):
(WebCore::Region::dataForTesting const):
(WebCore::Region::Region):
(WebCore::Region::data const):
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/Test.h:
(WTF::operator<<):
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp: Added.
(convertToString):
(convertToTrimmedString):
(WebCore::operator<<):
(TestWebKitAPI::TEST(r, ShapeEmptyIsRepresentable)):
(TestWebKitAPI::TEST(RegionTests, ShapeEmptyIsEmpty)):
(TestWebKitAPI::TEST(RegionTests, IsValidShapeFalse)):
(TestWebKitAPI::TEST(RegionTests, UniteTests1)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatIndividual)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatDisjoint)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointXMergeable)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointYMergeable)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointX)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestJointY)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestEvenSegments)):
(TestWebKitAPI::TEST(RegionTests, ShapeFormatTestSortedSpan)):
(TestWebKitAPI::randomRect):
(TestWebKitAPI::TEST(RegionTests, FuzzOperationsIsValidShape)):
(TestWebKitAPI::TEST(RegionTests, IsValidShape1)):
(TestWebKitAPI::TEST(RegionTests, IsValidShape2)):
Canonical link: https://commits.webkit.org/282416.342@webkitglib/2.46
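An added example (not WebKit's `Region::Shape::isValidShape`) showing the two points of the message above: a subtraction-free three-way compare for span Ys, and structural validation of decoded span/segment data before it is trusted. The span/segment layout is a simplified assumption of this example: each span starts a row at `y`, its segments are the x-coordinates in `segments[span.segmentIndex, nextSpan.segmentIndex)` in (start, end) pairs, and the last span is a sentinel.

```cpp
#include <climits>
#include <cstddef>
#include <vector>

struct Span {
    int y;                // top of the row
    size_t segmentIndex;  // first index into the segment array for this row
};

// Three-way compare that never subtracts, so it cannot wrap for negative or
// extreme Ys. Equivalent to what C++20's (nextY <=> y) yields.
int compareY(int y, int nextY)
{
    return (nextY > y) - (nextY < y);
}

// Reports whether `nextY - y` would overflow an int: the hazard removed by the fix.
bool subtractionWouldOverflow(int y, int nextY)
{
    int unused;
    return __builtin_sub_overflow(nextY, y, &unused);
}

// Validation to run on decoded data before building a shape from it.
bool isValidShape(const std::vector<Span>& spans, const std::vector<int>& segments)
{
    if (spans.empty())
        return segments.empty();  // the empty shape carries no segments
    if (spans.front().segmentIndex != 0)
        return false;
    if (spans.back().segmentIndex != segments.size())
        return false;  // sentinel must close the segment array exactly

    for (size_t i = 0; i + 1 < spans.size(); ++i) {
        const Span& span = spans[i];
        const Span& next = spans[i + 1];
        if (compareY(span.y, next.y) <= 0)
            return false;  // rows must have strictly increasing y
        // Check ordering before subtracting size_t values so the count cannot wrap.
        if (next.segmentIndex < span.segmentIndex || next.segmentIndex > segments.size())
            return false;
        size_t count = next.segmentIndex - span.segmentIndex;
        if (count % 2)
            return false;  // segments come in (start, end) pairs; zero is a gap row
        for (size_t j = span.segmentIndex; j + 1 < next.segmentIndex; ++j) {
            if (segments[j] >= segments[j + 1])
                return false;  // x-coordinates within a row strictly increase
        }
    }
    return true;
}
```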
Commit: 8b684039eb85a73ec07fa6e5b592561adf855c0f
https://github.com/WebKit/WebKit/commit/8b684039eb85a73ec07fa6e5b592561adf855c0f
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/storage/filesystemaccess/filesystem-directory-handle-rename-expected.txt
A LayoutTests/storage/filesystemaccess/filesystem-directory-handle-rename.html
M Source/WTF/wtf/FileSystem.cpp
M Source/WTF/wtf/FileSystem.h
M Tools/TestWebKitAPI/Tests/WTF/FileSystem.cpp
Log Message:
-----------
Cherry-pick 283286.251 at safari-7620-branch (30ab479e8242). https://bugs.webkit.org/show_bug.cgi?id=281280
std::filesystem::copy should not be used to recursively copy parent into its child.
https://bugs.webkit.org/show_bug.cgi?id=281280
rdar://137177339
Reviewed by Sihui Liu and Alex Christensen.
The added test case filesystem-directory-handle-rename.html will cause std::filesystem::copy to be
called with top OPFS FileSystem directory being copied into itself under a subdirectory with name `\u0480`.
This will cause a recursive directory tree to be generated inside the root storage directory.
If FileSystem::directorySize() is called over that directory, it will abort with `Too many open files`.
The Unicode `\u0480` has no significance but just a weird character to use for the file name.
If you see this, it should raise questions. Thus the choice.
The same error will happen if we choose "anyRandomAsciiName".
The fix added here will prevent std::filesystem::copy from being called in case source is ancestor of destination.
* LayoutTests/storage/filesystemaccess/filesystem-directory-handle-rename.html: Added.
* Source/WTF/wtf/FileSystem.cpp:
(WTF::FileSystemImpl::isAncestor):
* Source/WTF/wtf/FileSystem.h:
* Source/WebKit/NetworkProcess/storage/FileSystemStorageHandle.cpp:
(WebKit::FileSystemStorageHandle::move):
* Tools/TestWebKitAPI/Tests/WTF/FileSystem.cpp:
(TestWebKitAPI::TEST_F(FileSystemTest, isAncestor)):
Canonical link: https://commits.webkit.org/282416.343@webkitglib/2.46
Commit: 0667b7d549d53d0a9c74dd59f2408182429a8e51
https://github.com/WebKit/WebKit/commit/0667b7d549d53d0a9c74dd59f2408182429a8e51
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/JavaScriptCore/tools/FunctionAllowlist.cpp
Log Message:
-----------
Cherry-pick 283286.315 at safari-7620-branch (98b6fa893826). https://bugs.webkit.org/show_bug.cgi?id=281675
Potential unsigned integer underflow in JSC::FunctionAllowlist::FunctionAllowlist constructor
<https://bugs.webkit.org/show_bug.cgi?id=281675>
<rdar://138127490>
Reviewed by Darin Adler.
* Source/JavaScriptCore/tools/FunctionAllowlist.cpp:
(JSC::FunctionAllowlist::FunctionAllowlist):
- Check that `length` returned from strlen() is non-zero before checking
the end of the C-string for a newline character.
Canonical link: https://commits.webkit.org/282416.344@webkitglib/2.46
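An added model (not JSC's `FunctionAllowlist` code) of the check the message above describes: the allowlist is consumed one C-string line at a time and a trailing newline is stripped, so with an empty line `line[length - 1]` would index at `SIZE_MAX` unless `length` is tested for zero first. The buffer-splitting helper is an assumption of this example standing in for successive `fgets()` calls.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// The fixed test: `length` is unsigned, so the non-zero check must come first.
static bool endsWithNewline(const char* line, size_t length)
{
    return length && line[length - 1] == '\n';  // short-circuit keeps length - 1 in range
}

// Strip the terminator from one line and return the function name it holds.
std::string allowlistEntry(const char* line)
{
    size_t length = std::strlen(line);
    if (endsWithNewline(line, length))
        --length;
    return std::string(line, length);
}

// Split a buffer into chunks the way fgets() would hand them over, each chunk
// keeping its '\n', and collect the non-empty names.
std::vector<std::string> parseAllowlist(const std::string& buffer)
{
    std::vector<std::string> names;
    size_t start = 0;
    while (start < buffer.size()) {
        size_t end = buffer.find('\n', start);
        size_t chunkLength = end == std::string::npos ? std::string::npos : end - start + 1;
        std::string chunk = buffer.substr(start, chunkLength);
        std::string name = allowlistEntry(chunk.c_str());
        if (!name.empty())
            names.push_back(name);
        if (end == std::string::npos)
            break;
        start = end + 1;
    }
    return names;
}
```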
Commit: a1a9523b4b0478a19377c4257aac5ce56bb996d5
https://github.com/WebKit/WebKit/commit/a1a9523b4b0478a19377c4257aac5ce56bb996d5
Author: Nitin Mahendru <nitinmahendru at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp-expected.txt
A LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp.html
A LayoutTests/security/contentSecurityPolicy/resources/csp-javascript-url.js
A LayoutTests/security/contentSecurityPolicy/resources/no-csp.html
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Cherry-pick 283286.352 at safari-7620-branch (378ba1584ade). https://bugs.webkit.org/show_bug.cgi?id=281477
`javascript: url` navigation to another browsing context (created from `window.open`) misses checking the source's CSP
rdar://137941234
https://bugs.webkit.org/show_bug.cgi?id=281477
Reviewed by Alex Christensen.
A change in window.location.href causes a navigation. We were not checking the CSP in
that flow. This change adds that.
* LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp-expected.txt: Added.
* LayoutTests/security/contentSecurityPolicy/block-javascripturl-non-inline-csp.html: Added.
* LayoutTests/security/contentSecurityPolicy/resources/csp-javascript-url.js: Added.
(sleep):
(sleep.500.then):
* LayoutTests/security/contentSecurityPolicy/resources/no-csp.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadWithNavigationAction):
Canonical link: https://commits.webkit.org/282416.345@webkitglib/2.46
Commit: 0a7bf5435b6439673e04dda64c1cb34d27e9d011
https://github.com/WebKit/WebKit/commit/0a7bf5435b6439673e04dda64c1cb34d27e9d011
Author: Rupin Mittal <rupin at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A LayoutTests/http/tests/security/document-cached-font-loading-expected.txt
A LayoutTests/http/tests/security/document-cached-font-loading.html
A LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html
A LayoutTests/http/tests/security/resources/font.ttf
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/DocumentFontLoader.cpp
M Source/WebCore/dom/DocumentFontLoader.h
Log Message:
-----------
Cherry-pick 283286.365 at safari-7620-branch (e7b7957de026). https://bugs.webkit.org/show_bug.cgi?id=281912
DocumentFontLoader::fontLoadingTimerFired() must keep a Ref of Document on the stack
https://bugs.webkit.org/show_bug.cgi?id=281912
rdar://138215892
Reviewed by Chris Dumez.
DocumentFontLoader::fontLoadingTimerFired() calls CachedResourceLoader::loadDone(),
which holds a RefPtr to the Document. It seems that in certain cases (like the
reproduction case in the radar), this is the only Ref keeping the Document alive.
So when the function ends, the Document is destroyed. Then, when fontLoadingTimerFired()
calls Document::frame() with its WeakRef m_document, there is a crash since the
Document has been destroyed.
Since Document owns DocumentFontLoader, we make DocumentFontLoader forward its refcounting
to its owning Document. Then we ensure that the Document is alive by holding a RefPtr to
the DocumentFontLoader itself at the beginning of fontLoadingTimerFired().
* LayoutTests/http/tests/security/document-cached-font-loading-expected.txt: Added.
* LayoutTests/http/tests/security/document-cached-font-loading.html: Added.
* LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html: Added.
* LayoutTests/http/tests/security/resources/font.ttf: Added.
This is the test created based on the reproduction case in the Radar.
* Source/WebCore/dom/DocumentFontLoader.cpp:
(WebCore::DocumentFontLoader::fontLoadingTimerFired):
Canonical link: https://commits.webkit.org/282416.346@webkitglib/2.46
Commit: f91af249d30d434350e882bde617654d5d9f6395
https://github.com/WebKit/WebKit/commit/f91af249d30d434350e882bde617654d5d9f6395
Author: Dan Hecht <dan.hecht at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/wasm/stress/compile-unreachable-catch.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
Log Message:
-----------
Cherry-pick 283286.367 at safari-7620-branch (6146215d9220). https://bugs.webkit.org/show_bug.cgi?id=282180
[JSC] BBQJIT::addCatchToUnreachable should unbind all temps
https://bugs.webkit.org/show_bug.cgi?id=282180
rdar://138178927
Reviewed by David Degazio.
BBQJIT::addCatchToUnreachable() and BBQJIT::addCatchAllToUnreachable()
are used after a control flow instruction is reached that makes the
end of the block unreachable, so they both avoid emitting code to
flush temps. However, they still need to unbind temps, otherwise
temps that are used within the catch will refer to stale bindings.
This issue occurs when catch or catch_all follows return_call or
unreachable bytecodes as these do not themselves flush the temps
back to their canonical locations (whereas unconditional branch will since
the temps can still be live).
* JSTests/wasm/stress/compile-unreachable-catch.js: Added.
(async runOne):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchAllToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::addEndToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::unbindAllRegisters):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
Canonical link: https://commits.webkit.org/282416.347@webkitglib/2.46
Commit: a2618d4a5fdb2a60cb6d42c49278fc52904c2274
https://github.com/WebKit/WebKit/commit/a2618d4a5fdb2a60cb6d42c49278fc52904c2274
Author: Zak Ridouh <zakr at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
M Source/WebKit/UIProcess/WebPageProxy.messages.in
Log Message:
-----------
Cherry-pick 283286.409 at safari-7620-branch (d52d0ebc7afb). https://bugs.webkit.org/show_bug.cgi?id=282487
[CoreIPC] Reject frame size updates if site isolation is disabled
https://bugs.webkit.org/show_bug.cgi?id=282487
<rdar://135006098>
Reviewed by Sihui Liu and Ryosuke Niwa.
We should reject frame size update requests in the UI process if site
isolation is disabled, instead of just `ASSERT` in debug builds.
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::updateFrameSize):
Canonical link: https://commits.webkit.org/282416.348@webkitglib/2.46
Commit: a5a7d17cc50687bf390c59b7df96a38efc82e2d2
https://github.com/WebKit/WebKit/commit/a5a7d17cc50687bf390c59b7df96a38efc82e2d2
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/stress/put-by-val-alias-out-of-bounds.js
M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
M Source/JavaScriptCore/dfg/DFGHeapLocation.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick 283286.410 at safari-7620-branch (903f38de509c). https://bugs.webkit.org/show_bug.cgi?id=282450
TypedArray OutOfBounds gets ArrayModes need to report this to `def`
https://bugs.webkit.org/show_bug.cgi?id=282450
rdar://138178696
Reviewed by Yusuke Suzuki.
Now that TypedArrays don't force an OSR exit on an out of bounds access we could
incorrectly convert a PutByVal to a PutByValAlias. In particular, if we have something
like:
```
18 1 28: D at 69:<!3:-> GetByVal(KnownCell:D at 49, Int32:D at 64, Check:Untyped:D at 139, JS|MustGen|VarArgs|PureInt|UseAsInt, BoolInt32|NonBoolInt32|Other, Int32Array+OriginalNonArray+OutOfBounds+AsIs+Read, R:TypedArrayProperties,MiscFields, Exits, bc#60, ExitValid) predicting BoolInt32|Other
19 1 28: D at 70:<!0:-> MovHint(Check:Untyped:D at 69, MustGen, loc9, W:SideState, ClobbersExit, bc#60, ExitInvalid)
20 1 28: D at 72:< 1:-> JSConstant(JS|PureInt|UseAsInt, NonBoolInt32, Int32: 65535, bc#66, ExitValid)
21 1 28: D at 140:< 1:-> ValueToInt32(NotCellNorBigInt:D at 69, Int32|PureInt|UseAsInt, Int32, Exits, bc#66, ExitValid)
22 1 28: D at 73:< 2:-> ArithBitAnd(KnownInt32:D at 140, Int32:D at 72, Int32|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Int32, Exits, bc#66, ExitValid)
23 1 28: D at 86:<!0:-> Phantom(Check:Untyped:D at 69, MustGen, bc#66, ExitValid)
24 1 28: D at 74:<!0:-> MovHint(Check:Untyped:D at 73, MustGen, loc9, W:SideState, ClobbersExit, bc#66, ExitInvalid)
25 1 28: D at 76:<!0:-> PutByVal(KnownCell:D at 49, Int32:D at 64, Int32:D at 73, Check:Untyped:D at 139, MustGen|VarArgs, Int32Array+OriginalNonArray+InBounds+AsIs+Write, R:MiscFields, W:TypedArrayProperties, Exits, ClobbersExit, bc#72, ExitValid)
```
The above PutByVal will be converted to a PutByValAlias since it appears to `def` write the same HeapLocation `GetByVal` says it defs.
TypedArrays should now report that the HeapLocation they're writing to is OutOfBoundsSaneChain. We don't have to actually check the
prototype chain for typed arrays since they don't consult it for indexed properties.
* JSTests/stress/put-by-val-alias-out-of-bounds.js: Added.
(test):
* Source/JavaScriptCore/dfg/DFGCSEPhase.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
(WTF::printInternal): Deleted.
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
(JSC::DFG::indexedPropertyLocToOutOfBoundsSaneChain):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
Canonical link: https://commits.webkit.org/282416.349@webkitglib/2.46
Commit: ed447a4089a9e6e3d598d857f52f62755c43c7fd
https://github.com/WebKit/WebKit/commit/ed447a4089a9e6e3d598d857f52f62755c43c7fd
Author: Daniel Liu <danlliu at umich.edu>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/stress/string-add-conversion-unused.js
M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
Log Message:
-----------
Cherry-pick 299278ffc3f1. https://bugs.webkit.org/show_bug.cgi?id=282661
DFG ToString should only care about Other uses when it can be Other
https://bugs.webkit.org/show_bug.cgi?id=282661
rdar://138325184
Reviewed by Yusuke Suzuki.
DFG's ToString should only backpropagate a UseAsOther when the use
has the potential to be Other. Otherwise, we end up with a mismatch
in expected value formats.
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
Canonical link: https://commits.webkit.org/282416.350@webkitglib/2.46
Commit: 017d39de1545f678a45672f2686082958dd22070
https://github.com/WebKit/WebKit/commit/017d39de1545f678a45672f2686082958dd22070
Author: Keith Miller <keith_miller at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WTF/wtf/LockAlgorithm.h
Log Message:
-----------
Cherry-pick 4d456933d70e. https://bugs.webkit.org/show_bug.cgi?id=282865
LockAlgorithm::unlockFast is too fast
https://bugs.webkit.org/show_bug.cgi?id=282865
rdar://139548123
Reviewed by Yusuke Suzuki.
Right now it has relaxed ordering but that's not correct since it means writes to the critical section
could happen after the lock is unlocked. This could lead to arbitrary crashes or other general badness.
* Source/WTF/wtf/LockAlgorithm.h:
(WTF::LockAlgorithm::unlockFast):
Canonical link: https://commits.webkit.org/283286.466@safari-7620-branch
Canonical link: https://commits.webkit.org/282416.351@webkitglib/2.46
Commit: 87545f00621bb9623abb7f5719c1c5b3ea48c980
https://github.com/WebKit/WebKit/commit/87545f00621bb9623abb7f5719c1c5b3ea48c980
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
A JSTests/wasm/stress/wasm-bbq-catch-unbind.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
Log Message:
-----------
Cherry-pick 39727612b542. https://bugs.webkit.org/show_bug.cgi?id=282825
[JSC] Aborted in JSC::Wasm::BBQJITImpl::BBQJIT::bind
https://bugs.webkit.org/show_bug.cgi?id=282825
rdar://139502479
Reviewed by David Degazio.
This patch adds unbinding for all registers for addCatch and addCatchAll
too since they also should not carry any bindings from the other blocks.
* JSTests/wasm/stress/wasm-bbq-catch-unbind.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatch):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCatchAll):
Canonical link: https://commits.webkit.org/282416.352@webkitglib/2.46
Commit: 624da0c97614bbfbd5c65a3e2c5dd917d8171515
https://github.com/WebKit/WebKit/commit/624da0c97614bbfbd5c65a3e2c5dd917d8171515
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/FrameLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/page/SecurityPolicy.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKHTTPCookieStore.mm
Log Message:
-----------
Cherry-pick b7402f10b17c. https://bugs.webkit.org/show_bug.cgi?id=283309
sameSiteInfo.isSameSite may not match URLs used in Data Isolation checks
https://bugs.webkit.org/show_bug.cgi?id=283309
rdar://140129837
Reviewed by Sihui Liu.
This patch fixes an issue where a WebContent process can send IPC with URLs that are not same-site, but
contains `sameSiteInfo` that indicates that the request is same-site. This can lead to requesting cookies
for a URL that was not considered in the data isolation check.
To lower risk, we reject cookie access instead of terminating the sender process. More details provided
below.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::setOriginalURLForDownloadRequest):
(WebCore::FrameLoader::updateRequestAndAddExtraFields):
(WebCore::FrameLoader::addSameSiteInfoToRequestIfNeeded):
* Source/WebCore/loader/FrameLoader.h:
These quirks were added when cookies were SameSite=Lax by default, which is no longer the case, so they can
be removed. Keeping this would mean certain requests would unexpectedly be considered same-site, and
would fail the check being added in the network process.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
This is an existing bug that was revealed by this change, and is needed to fix
`http/tests/cache/disk-cache/disk-cache-vary-cookie.html`.
* Source/WebCore/page/SecurityPolicy.h:
Export `shouldInheritSecurityOriginFromOwner` so that it can be used in the network process.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::shouldTreatAsSameSite const):
Add a network process side same-site check, similar to `FrameLoader::addSameSiteInfoToRequestIfNeeded`.
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM):
(WebKit::NetworkConnectionToWebProcess::setCookiesFromDOM):
(WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue):
(WebKit::NetworkConnectionToWebProcess::getRawCookies):
(WebKit::NetworkConnectionToWebProcess::cookiesForDOMAsync):
(WebKit::NetworkConnectionToWebProcess::setCookieFromDOMAsync):
Validate all cookie messages that contain `sameSiteInfo`.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(InvalidSameSiteInfoCookieRequestHeaderFieldValue)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SOAuthorizationTests.mm:
(TestWebKitAPI::TEST(SOAuthorizationSubFrame, InterceptionSucceedWithCookie)):
Fix this test, which was trying to a cookie from example.com on a page with an empty main frame URL.
Canonical link: https://commits.webkit.org/282416.353@webkitglib/2.46
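An added model (not WebKit's `NetworkConnectionToWebProcess::shouldTreatAsSameSite`) of the network-process check the message above adds: the same-site claim carried in `sameSiteInfo` is re-derived from the URLs themselves, and cookie access is refused when the claim is stronger than the URLs support. Registrable domain is approximated here as the last two host labels; WebKit uses the public suffix list, so multi-label suffixes such as "co.uk" are not handled by this simplification.

```cpp
#include <string>

struct SameSiteInfo {
    bool isSameSite;  // claim made by the sending web process; not trusted on its own
};

// Host portion of a URL: after "://", up to the first ':', '/', '?' or '#'.
static std::string hostOf(const std::string& url)
{
    size_t schemeEnd = url.find("://");
    size_t hostStart = schemeEnd == std::string::npos ? 0 : schemeEnd + 3;
    size_t hostEnd = url.find_first_of(":/?#", hostStart);
    size_t length = hostEnd == std::string::npos ? std::string::npos : hostEnd - hostStart;
    return url.substr(hostStart, length);
}

// Simplified registrable domain: the last two labels of the host.
std::string registrableDomain(const std::string& url)
{
    std::string host = hostOf(url);
    size_t lastDot = host.rfind('.');
    if (lastDot == std::string::npos || lastDot == 0)
        return host;  // single label, or a host starting with '.'; nothing to trim
    size_t secondLastDot = host.rfind('.', lastDot - 1);
    return secondLastDot == std::string::npos ? host : host.substr(secondLastDot + 1);
}

// Network-process side re-derivation of same-siteness from the first-party URL
// and the request URL, independent of anything the web process sent.
bool shouldTreatAsSameSite(const std::string& firstPartyURL, const std::string& requestURL)
{
    return registrableDomain(firstPartyURL) == registrableDomain(requestURL);
}

// Validation for a cookie message carrying sameSiteInfo: a same-site claim that
// the URLs do not support is rejected (no cookies), rather than terminating the
// sender, to keep compatibility risk low. A cross-site claim is always accepted
// because it can only reduce which cookies are attached.
bool acceptCookieAccess(const std::string& firstPartyURL, const std::string& requestURL, SameSiteInfo info)
{
    if (info.isSameSite && !shouldTreatAsSameSite(firstPartyURL, requestURL))
        return false;
    return true;
}
```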
Commit: bac2623a6e48a36da85fc94f71828e5a47a4c99e
https://github.com/WebKit/WebKit/commit/bac2623a6e48a36da85fc94f71828e5a47a4c99e
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/platform/Timer.cpp
Log Message:
-----------
Cherry-pick d542dd305ab0. https://bugs.webkit.org/show_bug.cgi?id=283383
Disable the release assert in Timer::Timer
https://bugs.webkit.org/show_bug.cgi?id=283383
<rdar://140233024>
Reviewed by Chris Dumez.
Removed the release assert for now.
* Source/WebCore/platform/Timer.cpp:
(WebCore::TimerBase::TimerBase):
Canonical link: https://commits.webkit.org/282416.354@webkitglib/2.46
Commit: 9dc912cbc0fa366854935011585a1e25385a2062
https://github.com/WebKit/WebKit/commit/9dc912cbc0fa366854935011585a1e25385a2062
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
M Source/WebCore/page/ResourceUsageOverlay.cpp
M Source/WebCore/page/ResourceUsageOverlay.h
Log Message:
-----------
Cherry-pick 283286.393 at safari-7620-branch (7af554d1d875). https://bugs.webkit.org/show_bug.cgi?id=282350
Use-after-free in `ResourceUsageOverlay::initialize()`
https://bugs.webkit.org/show_bug.cgi?id=282350
rdar://138880313
Reviewed by David Kilzer and Chris Dumez.
The ResourceUsageOverlay constructor uses callOnMainThread to call ResourceUsageOverlay::initialize(),
so the page owning ResourceUsageOverlay may be destroyed when the lambda executes. ResourceUsageOverlay
should hold a WeakPtr to m_page.
ResourceUsageOverlay also needs to be made ref counted to avoid a UAF on `this` in the lambda.
* Source/WebCore/page/Page.cpp:
(WebCore::Page::setResourceUsageOverlayVisible):
* Source/WebCore/page/Page.h:
* Source/WebCore/page/ResourceUsageOverlay.cpp:
(WebCore::ResourceUsageOverlay::create):
(WebCore::ResourceUsageOverlay::ResourceUsageOverlay):
(WebCore::ResourceUsageOverlay::~ResourceUsageOverlay):
(WebCore::ResourceUsageOverlay::initialize):
(WebCore::ResourceUsageOverlay::mouseEvent):
* Source/WebCore/page/ResourceUsageOverlay.h:
Canonical link: https://commits.webkit.org/282416.355@webkitglib/2.46
Compare: https://github.com/WebKit/WebKit/compare/0ea2b918562b...9dc912cbc0fa