[webkit-changes] [WebKit/WebKit] 64bcd9: jsc_fuz/wktr: heap-use-after-free in WebCore::IDBS...
aestes
noreply at github.com
Tue Jan 23 07:21:36 PST 2024
Branch: refs/heads/safari-7617-branch
Home: https://github.com/WebKit/WebKit
Commit: 64bcd93cbc55fa9d3e3a22d1e0be24feba267d65
https://github.com/WebKit/WebKit/commit/64bcd93cbc55fa9d3e3a22d1e0be24feba267d65
Author: nishajain61 <nisha_jain at apple.com>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h
Log Message:
-----------
jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
https://bugs.webkit.org/show_bug.cgi?id=264180.
rdar://117463447.
Reviewed by Sihui Liu.
MemoryIndex now keeps WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it. Also RefPtr conversion from WeakPtr using get() API as applicable.
* LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
* LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using.
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable.
(WebCore::IDBServer::MemoryIndex::objectStoreCleared):
(WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
(WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
(WebCore::IDBServer::MemoryIndex::getAllRecords const):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
(WebCore::IDBServer::MemoryIndex::objectStore):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object.
(WebCore::IDBServer::MemoryIndexCursor::currentData):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:
Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch
Commit: f524a15d06332c5be8af2a618cb16489e3d9e086
https://github.com/WebKit/WebKit/commit/f524a15d06332c5be8af2a618cb16489e3d9e086
Author: Antti Koivisto <antti at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/multicol/last-set-crash-expected.txt
A LayoutTests/fast/multicol/last-set-crash.html
M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
M Source/WebCore/rendering/RenderMultiColumnFlow.h
Log Message:
-----------
WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://114559559
Reviewed by Alan Baradlay.
* LayoutTests/TestExpectations:
Skip test on debug due to some assertion failures.
* LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
* LayoutTests/fast/multicol/last-set-crash.html: Added.
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):
Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
Check for this.
* Source/WebCore/rendering/RenderMultiColumnFlow.h:
Also make it use WeakPtr.
Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch
Commit: 37e44d2404d32ee50714f885c56b5572863e3ca5
https://github.com/WebKit/WebKit/commit/37e44d2404d32ee50714f885c56b5572863e3ca5
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M metadata/poison.txt
Log Message:
-----------
Poisoned commit
Unreviewed branch poisoning.
Insert revoked credential into repository to prevent
contributors from accidentally publishing this branch
to their personal public forks.
* metadata/poison.txt: Add poison.
Canonical link: https://commits.webkit.org/267815.547@safari-7617-branch
Commit: 73353153c742d68d7b9c49d3d532438505e8ec48
https://github.com/WebKit/WebKit/commit/73353153c742d68d7b9c49d3d532438505e8ec48
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-617.2.1
Identifier: 267815.548 at safari-7617-branch
Commit: ade9f6187d76a4fa2d13bd0c2c766cf1eab438e1
https://github.com/WebKit/WebKit/commit/ade9f6187d76a4fa2d13bd0c2c766cf1eab438e1
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
M Source/WebCore/platform/graphics/transforms/TransformOperation.h
M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h
Log Message:
-----------
Apply patch. rdar://117209302
Identifier: 267815.549 at safari-7617-branch
Commit: fddc17b4f325a2bee094931148f409f432d83736
https://github.com/WebKit/WebKit/commit/fddc17b4f325a2bee094931148f409f432d83736
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Source/WebCore/page/ContextMenuController.cpp
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
Log Message:
-----------
Cherry-pick 38398649280b. rdar://117215059
AX: Sometimes unable to see play/pause animation context menu item when setting is toggled
https://bugs.webkit.org/show_bug.cgi?id=263735
rdar://117215059
Reviewed by Tyler Wilcock.
When deciding whether to add the "Play/Pause all animations" or "Play/Pause animation" context menu item, we had previously
used a softlink to reference _AXSReduceMotionAutoplayAnimatedImagesEnabled. The issue with using this from the web content
process, however, is that distributed notifications are not permitted as per the sandbox, so updates to this setting were
not reaching that process.
To resolve this, this patch now piggybacks onto our existing cross-process update for the animation setting using the
AccessibilityPreferencesChanged notification and WebPage::updateImageAnimationEnabled. A new flag, m_systemAllowsAnimationControls,
now maintains the state of this setting, and allows the Page to have an up-to-date view of the setting without relying on the
softlink.
* Source/WebCore/page/ContextMenuController.cpp:
(WebCore::ContextMenuController::populate):
* Source/WebCore/page/Page.cpp:
(WebCore::Page::setSystemAllowsAnimationControls):
* Source/WebCore/page/Page.h:
(WebCore::Page::systemAllowsAnimationControls const):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::updateImageAnimationEnabled):
Canonical link: https://commits.webkit.org/269878@main
Identifier: 267815.550 at safari-7617-branch
Commit: 57af64e0ae96d6145913553d4a449ddc9620318f
https://github.com/WebKit/WebKit/commit/57af64e0ae96d6145913553d4a449ddc9620318f
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Source/WebCore/platform/graphics/FontCascade.cpp
M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
M Source/WebCore/platform/graphics/FontRanges.cpp
M Source/WebCore/platform/graphics/GlyphPage.h
Log Message:
-----------
Cherry-pick ef2295446d89. rdar://117905809
Use GlyphData.isValid() consistently for checking whether GlyphData is valid.
https://bugs.webkit.org/show_bug.cgi?id=264130
rdar://117905809
Reviewed by Tim Nguyen.
Replace GlyphData validity checks using .glyph and .font directly with .isValid().
Make .isValid() return false even if .glyph is non-zero and .font is null
(which should never happen) since a .font null check isn't expensive anyway.
* Source/WebCore/platform/graphics/FontCascade.cpp:
(WebCore::FontCascade::fontForCombiningCharacterSequence const):
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::FontCascadeFonts::GlyphPageCacheEntry::setGlyphDataForCharacter):
(WebCore::FontCascadeFonts::glyphDataForSystemFallback):
(WebCore::FontCascadeFonts::glyphDataForVariant):
(WebCore::FontCascadeFonts::glyphDataForCharacter):
* Source/WebCore/platform/graphics/FontRanges.cpp:
(WebCore::FontRanges::glyphDataForCharacter const):
* Source/WebCore/platform/graphics/GlyphPage.h:
(WebCore::GlyphData::isValid const):
Canonical link: https://commits.webkit.org/270299@main
Identifier: 267815.551 at safari-7617-branch
Commit: bbdd51069d01d0f1768ca2623919857a03068c09
https://github.com/WebKit/WebKit/commit/bbdd51069d01d0f1768ca2623919857a03068c09
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
A LayoutTests/fast/viewport/ios/full-screen-safe-area-insets-expected.txt
A LayoutTests/fast/viewport/ios/full-screen-safe-area-insets.html
A LayoutTests/fast/viewport/ios/resources/viewport-fit-contain.html
A LayoutTests/fast/viewport/ios/resources/viewport-fit-cover.html
A LayoutTests/fullscreen/full-screen-document-background-color-expected.txt
A LayoutTests/fullscreen/full-screen-document-background-color.html
M LayoutTests/fullscreen/full-screen-test.js
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/FullscreenManager.cpp
M Source/WebCore/page/LocalFrameView.cpp
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
M Source/WebCore/testing/Internals.cpp
M Source/WebCore/testing/Internals.h
M Source/WebCore/testing/Internals.idl
M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h
M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
M Source/WebKit/UIProcess/ios/WKScrollView.h
M Source/WebKit/UIProcess/ios/WKScrollView.mm
M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm
M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm
Log Message:
-----------
Cherry-pick 1d5314701b60. rdar://117304719
Cherry-pick 270199 at main (56d49b081448). rdar://117304719
[iOS] Element Fullscreen does not respect viewport-fit
https://bugs.webkit.org/show_bug.cgi?id=264012
rdar://117304719
Reviewed by Wenson Hsieh and Tim Horton.
Tests: fast/viewport/ios/full-screen-safe-area-insets.html
fullscreen/full-screen-document-background-color.html
When configuring the WKWebView during the enter fullscreen operation, various settings of the view
must be returned to their default state for the "automatic" avoid-safe-areas behavior to kick in.
For some calls made by clients, there is no way to reset those behaviors to default, and the
existing implementation merely overrode those settings with other non-default values. The end
result was that all fullscreen content was behaving as if `viewport-fit=cover` was specified, which
allowed some content to slip into the safe areas.
Additionally, when embedded content is taken fullscreen, the viewport settings of that embedded
iframe are not respected, and the embedded content uses the viewport settings of whatever page
embedded it. Also, the fullscreen element's background is not used in the overflow areas when
iframe content is in fullscreen.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::updateViewportArguments):
* Source/WebCore/dom/FullscreenManager.cpp:
(WebCore::FullscreenManager::dispatchFullscreenChangeOrErrorEvent):
(WebCore::FullscreenManager::deepestFullscreenDocument const):
* Source/WebCore/dom/FullscreenManager.h:
* Source/WebCore/page/LocalFrameView.cpp:
(WebCore::LocalFrameView::documentBackgroundColor const):
* Source/WebCore/page/Page.cpp:
(WebCore::viewportDocumentForFrame):
(WebCore::Page::viewportArguments const):
* Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h:
* Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
(-[WKWebView _resetScrollViewInsetAdjustmentBehavior]):
(-[WKWebView _haveSetUnobscuredSafeAreaInsets]):
(-[WKWebView _resetUnobscuredSafeAreaInsets]):
(-[WKWebView _hasOverriddenLayoutParameters]):
(-[WKWebView _viewLayoutSizeOverride]):
(-[WKWebView _minimumUnobscuredSizeOverride]):
(-[WKWebView _maximumUnobscuredSizeOverride]):
(-[WKWebView _resetObscuredInsets]):
(-[WKWebView _clearOverrideLayoutParameters]):
* Source/WebKit/UIProcess/ios/WKContentView.mm:
(-[WKContentView setFrame:]):
* Source/WebKit/UIProcess/ios/WKScrollView.h:
* Source/WebKit/UIProcess/ios/WKScrollView.mm:
(-[WKScrollView _contentInsetWasExternallyOverridden]):
(-[WKScrollView _resetContentInset]):
(-[WKScrollView _resetContentInsetAdjustmentBehavior]):
* Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm:
(-[WKFullScreenViewController viewDidLayoutSubviews]):
(-[WKFullScreenViewController viewWillTransitionToSize:withTransitionCoordinator:]):
* Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm:
(WebKit::WKWebViewState::applyTo):
(WebKit::WKWebViewState::store):
(-[WKFullScreenWindowController enterFullScreen:]):
(-[WKFullScreenWindowController beganEnterFullScreenWithInitialFrame:finalFrame:]):
Canonical link: https://commits.webkit.org/270199@main
Identifier: 267815.552 at safari-7617-branch
Commit: dae531d205959f8686e79a92dd5ea8e6b50796a2
https://github.com/WebKit/WebKit/commit/dae531d205959f8686e79a92dd5ea8e6b50796a2
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M Source/WebCore/editing/FrameSelection.cpp
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
M Source/WebKit/Shared/WebPageCreationParameters.h
M Source/WebKit/Shared/WebPageCreationParameters.serialization.in
M Source/WebKit/UIProcess/PageClient.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/mac/PageClientImplMac.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm
Log Message:
-----------
Cherry-pick ee3805278f95. rdar://117909679
macOS: Text cursor in HTML note is black, regardless of set Accent Color
https://bugs.webkit.org/show_bug.cgi?id=264189
rdar://117909679
Reviewed by Aditya Keerthi and Tim Horton.
266070 at main changed the behavior of the caret color to more closely follow the spec, and improve
web compat. However, this behavior change also affected HTML Notes, which sets `color` on
an ancestor of the editable div. As a result, the caret color is black. However, it should match
the accent color of the app it is in, if it sets a custom accent color.
To fix, implement the same solution as 269314 at main effectively, but on macOS.
* Source/WebCore/editing/FrameSelection.cpp:
(WebCore::FrameSelection::paintCaret):
(WebCore::CaretBase::computeCaretColor):
(WebCore::CaretBase::paintCaret const):
(WebCore::DragCaretController::paintDragCaret const):
* Source/WebCore/editing/FrameSelection.h:
* Source/WebCore/page/Page.cpp:
(WebCore::Page::setAppUsesCustomAccentColor):
(WebCore::Page::appUsesCustomAccentColor const):
* Source/WebCore/page/Page.h:
* Source/WebCore/rendering/RenderThemeIOS.mm:
(WebCore::RenderThemeIOS::autocorrectionReplacementMarkerColor const):
* Source/WebCore/rendering/style/RenderStyle.h:
* Source/WebKit/Shared/WebPageCreationParameters.h:
* Source/WebKit/Shared/WebPageCreationParameters.serialization.in:
* Source/WebKit/UIProcess/PageClient.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::creationParameters):
* Source/WebKit/UIProcess/mac/PageClientImplMac.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
(WebKit::cachedAppUsesCustomAccentColor):
(WebKit::PageClientImpl::appUsesCustomAccentColor):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::m_historyItemClient):
(WebKit::WebPage::reinitializeWebPage):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::getPlatformEditorState const):
* Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm:
(WebKit::WebPage::setAppUsesCustomAccentColor):
Canonical link: https://commits.webkit.org/270325@main
Identifier: 267815.553 at safari-7617-branch
Commit: f834d52942dde0925821dc8d825ffb708b81c703
https://github.com/WebKit/WebKit/commit/f834d52942dde0925821dc8d825ffb708b81c703
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h
M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm
Log Message:
-----------
Cherry-pick 9e08e9d30f55. rdar://118121639
Cookies from AppSSO extension are getting stored in iframe even when CSP restricts page to be loaded in iframe
https://bugs.webkit.org/show_bug.cgi?id=264447
rdar://118121639
Reviewed by Brent Fulgham.
In https://bugs.webkit.org/show_bug.cgi?id=260100, we added CSP validation when setting cookies
in the response of an AppSSO request. However, in that patch, we consider CSP options that are
only relevant for i-frames in the redirect case. In NetworkResourceLoader::shouldInterruptLoadForXFrameOptions,
we do an early return in non-main frame cases, but do not in the check for AppSSO.
In SOAuthorizationCoordinator::tryAuthorize, it can be gleaned that a non-mainframe navigation implies
a SubFrameSOAuthorizationSession will be created. Therefore we only need to perform these i-frame specific
CSP checks whenever we have a SubFrameSOAuthorizationSession.
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
(WebKit::SOAuthorizationSession::shouldInterruptLoadForXFrameOptions): Deleted.
(WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): Deleted.
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h:
* Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm:
(WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForXFrameOptions):
(WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
Canonical link: https://commits.webkit.org/270422@main
Identifier: 267815.554 at safari-7617-branch
Commit: dc15bd8a960ad9bea065f6ba416365313e499943
https://github.com/WebKit/WebKit/commit/dc15bd8a960ad9bea065f6ba416365313e499943
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h
M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm
Log Message:
-----------
Cherry-pick e5bf2b80f8e5. rdar://118147164
[iOS] Non-fullscreen content peeks into top safe area in element fullscreen mode
https://bugs.webkit.org/show_bug.cgi?id=264455
rdar://118147164
Reviewed by Simon Fraser.
When entering fullscreen, certain properties of the WKWebView and scrollView are reset to
default values, as clients like Safari may have overridden them. One of these properties,
contentInset, is reset to zero by that machinery. However, this causes overflow content to
be visible above the safe area; instead, it should be reset to a correct initial value that
accounts for the page's adoption of safe areas, via -_initialContentOffsetForScrollView.
* Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h:
* Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
(-[WKWebView _resetContentOffset]):
* Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm:
(-[WKFullScreenWindowController enterFullScreen:]):
Canonical link: https://commits.webkit.org/270424@main
Identifier: 267815.555 at safari-7617-branch
Commit: 42afccfaef8e18fee39d32229500347eb720c466
https://github.com/WebKit/WebKit/commit/42afccfaef8e18fee39d32229500347eb720c466
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/canvas/canvas-noise-injection-expected.txt
A LayoutTests/fast/canvas/canvas-noise-injection.html
M Source/WebCore/html/CanvasBase.cpp
M Source/WebCore/html/CanvasBase.h
M Source/WebCore/html/CanvasNoiseInjection.cpp
M Source/WebCore/html/CanvasNoiseInjection.h
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h
M Source/WebCore/testing/Internals.cpp
M Source/WebCore/testing/Internals.h
M Source/WebCore/testing/Internals.idl
Log Message:
-----------
Cherry-pick bde990fd62dd. rdar://115313154
Don't apply canvas noise on drawImage/putImageData rects
https://bugs.webkit.org/show_bug.cgi?id=263129
rdar://115313154
Reviewed by Simon Fraser.
When noise injection is enabled, the backing pixelbuffer of Canvas2D has noise
applied as an anti-fingerprinting protection. That operation is expensive and
the protection is not needed in situations where we are given an explicit
ImageData or specific types of Images because those data don't reveal any
identifying information about the machine when extracted via getImageData() or
toDataURL().
This patch abstracts the default DidDrawOptions into a static function that
includes DidDrawOption::ApplyPostProcessing, and a companion function that
doesn't include ApplyPostProcessing. These are static class functions because
they should both be updated if the default DidDrawOption OptionSet changes in
the future, and defining them separately seems error prone.
As described above, the noise injection post-processing is not applied after
certain drawImage operations where the image is a bitmap, and post-processing
is conditionally applied when the entire canvas is dirty.
* LayoutTests/TestExpectations:
* LayoutTests/fast/canvas/canvas-noise-injection-expected.txt:
* LayoutTests/fast/canvas/canvas-noise-injection.html:
* Source/WebCore/html/CanvasBase.cpp:
(WebCore::CanvasBase::didDraw):
* Source/WebCore/html/CanvasNoiseInjection.cpp:
(WebCore::CanvasNoiseInjection::clearDirtyRect):
* Source/WebCore/html/CanvasNoiseInjection.h:
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::clearRect):
(WebCore::CanvasRenderingContext2DBase::drawImage):
(WebCore::CanvasRenderingContext2DBase::didDrawEntireCanvas):
(WebCore::CanvasRenderingContext2DBase::didDraw):
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h:
(WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptions):
(WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptionsWithoutPostProcessing):
(WebCore::CanvasRenderingContext2DBase::didDraw): Deleted.
Canonical link: https://commits.webkit.org/270207@main
Identifier: 267815.556 at safari-7617-branch
Commit: 58e9a1ce6e660fde51c83dae28327c9b00ea71e7
https://github.com/WebKit/WebKit/commit/58e9a1ce6e660fde51c83dae28327c9b00ea71e7
Author: Russell Epstein <repstein at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/platform/RunLoopObserver.h
M Source/WebCore/platform/cf/RunLoopObserverCF.cpp
M Source/WebKitLegacy/mac/WebView/WebViewRenderingUpdateScheduler.h
M Source/WebKitLegacy/mac/WebView/WebViewRenderingUpdateScheduler.mm
Log Message:
-----------
Cherry-pick 927b1ffbab10. rdar://118024764
Unreviewed, reverting 269859 at main.
https://bugs.webkit.org/show_bug.cgi?id=264534
Caused CPU spins in some WebView client applications
Reverted changeset:
"REGRESSION (263917 at main): [ macOS ] 3 inspector/timeline/timeline-event-Timer tests are a consistent failure"
https://bugs.webkit.org/show_bug.cgi?id=260360
https://commits.webkit.org/269859@main
Canonical link: https://commits.webkit.org/270489@main
Canonical link: https://commits.webkit.org/267815.557@safari-7617-branch
Commit: 033fcc7cae10499853443bac30bfd9ae3f688dec
https://github.com/WebKit/WebKit/commit/033fcc7cae10499853443bac30bfd9ae3f688dec
Author: Russell Epstein <repstein at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
A LayoutTests/accessibility/custom-elements/shadow-element-text-expected.txt
A LayoutTests/accessibility/custom-elements/shadow-element-text.html
A LayoutTests/platform/glib/accessibility/custom-elements/shadow-element-text-expected.txt
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
Cherry-pick ecb40fdcddf8. rdar://118118138
AX: VoiceOver does not announce button in text if button is in shadow root
https://bugs.webkit.org/show_bug.cgi?id=264410
rdar://118118138
Reviewed by Tyler Wilcock.
In shadow DOM elements, if text was within nested elements, textUnderElement would not include it.
This patch resolves that by adding to our logic for when we decide whether or not to skip a child's
text. Instead of just checking whether the child's parent and the current node match, we also check
that the elements are either both in the DOM or Shadow DOM.
* LayoutTests/accessibility/custom-elements/shadow-element-text-expected.txt: Added.
* LayoutTests/accessibility/custom-elements/shadow-element-text.html: Added.
* LayoutTests/platform/glib/accessibility/custom-elements/shadow-element-text-expected.txt: Added.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::textUnderElement const):
Canonical link: https://commits.webkit.org/270542@main
Canonical link: https://commits.webkit.org/267815.558@safari-7617-branch
Commit: 01a91d6ceb99639aa6b0f6efd97e36c9b4c66915
https://github.com/WebKit/WebKit/commit/01a91d6ceb99639aa6b0f6efd97e36c9b4c66915
Author: Russell Epstein <repstein at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp
M Source/WebKit/WebProcess/WebProcess.cpp
M Source/WebKit/WebProcess/WebProcess.h
Log Message:
-----------
Cherry-pick 0532f1c87a63. rdar://117840925
RELEASE_ASSERT() under GPUProcessConnection::create(IPC::Connection&)
https://bugs.webkit.org/show_bug.cgi?id=264612
rdar://117840925
Reviewed by Brent Fulgham.
When a WebProcess requests a connection to the GPUProcess, the UIProcess
needs to pass preferences for this WebProcess. Preferences are associated
with WebPages and thus we cannot initiate a connection to the GPUProcess
before a WebPage has been created.
I had tried to add an assertion to this effect in
GPUProcessConnection::create(). However, my assertion was a little
stricter than needed and could get hit in the wild. It is sufficient for
a process to have ever had a WebPage (The WebProcessProxy stores the
preferences locally), we don't need to have a living WebPage at the
moment when the connection gets requested.
* Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp:
(WebKit::GPUProcessConnection::create):
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::createWebPage):
* Source/WebKit/WebProcess/WebProcess.h:
(WebKit::WebProcess::hasEverHadAnyWebPages const):
(WebKit::WebProcess::hasWebPages const): Deleted.
Canonical link: https://commits.webkit.org/270569@main
Canonical link: https://commits.webkit.org/267815.559@safari-7617-branch
Commit: f49fc0217a7340a03b7aa183b11a8fd51748a412
https://github.com/WebKit/WebKit/commit/f49fc0217a7340a03b7aa183b11a8fd51748a412
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitcorepy/setup.py
M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/MANIFEST.in
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
Log Message:
-----------
Cherry-pick 270025 at main (db7018ee6d1d). rdar://117742552
[webkit*py] Fix excluded directories in published packages
https://bugs.webkit.org/show_bug.cgi?id=263970
rdar://117742552
Reviewed by Elliott Williams.
* Tools/Scripts/libraries/webkitscmpy/MANIFEST.in: Add json data files and testing directory.
* Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Include 'tests.hooks' directory, bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Bump version.
Canonical link: https://commits.webkit.org/270025@main
Canonical link: https://commits.webkit.org/267815.560@safari-7617-branch
Commit: 03fee131ee16682260bd94949ad38236ceeb71e6
https://github.com/WebKit/WebKit/commit/03fee131ee16682260bd94949ad38236ceeb71e6
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
Log Message:
-----------
Cherry-pick 270059 at main (219eb0bb7b43). rdar://116915892
[AutoInstall] prefer wheels whenever possible (Follow-up fix)
https://bugs.webkit.org/show_bug.cgi?id=263119
rdar://116915892
Reviewed by Elliott Williams and Sam Sneddon.
Wheel installs of rapidfuzz aren't valid for all configurations, and
it doesn't take long to install manually.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Opt out of wheel for rapidfuzz.
Canonical link: https://commits.webkit.org/270059@main
Canonical link: https://commits.webkit.org/267815.561@safari-7617-branch
Commit: 2c7b4d735beae5a071a24ac58eb14d486298e1fb
https://github.com/WebKit/WebKit/commit/2c7b4d735beae5a071a24ac58eb14d486298e1fb
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitbugspy/setup.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/bugzilla.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/bugzilla.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/bugzilla_unittest.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py
Log Message:
-----------
Cherry-pick 270193 at main (9c049cef55a9). rdar://113880142
[webkitbugspy] Set keywords on issues
https://bugs.webkit.org/show_bug.cgi?id=260184
rdar://113880142
Reviewed by Dewei Zhu.
Tools and services should be able to add and remove keywords from
radars and bugzillas.
* Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/bugzilla.py:
(Tracker.set): Add ability to set keywords.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py:
(Issue.set_keywords): Set keywords in tracker implementation.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/bugzilla.py:
(Bugzilla._issue): Mock adding and setting keywords.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py:
(RadarModel.keywords): Pull from pre-constructed Keyword objects.
(RadarModel.remove_keyword): Remove a keyword from the issue.
(RadarModel.add_keyword): Add a keyword to the issue.
(RadarClient.keywords_for_name): List all keywords starting with a given string.
(Radar.__init__): Construct set of available keywords.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
(Tracker.__init__): Keep track of previously queried keywords.
(Tracker.set): Add and remove keywords from a radar.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/bugzilla_unittest.py:
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py:
Canonical link: https://commits.webkit.org/270193@main
Canonical link: https://commits.webkit.org/267815.562@safari-7617-branch
Commit: 8df98929a02a589586c9de4058337248c1bbffc9
https://github.com/WebKit/WebKit/commit/8df98929a02a589586c9de4058337248c1bbffc9
Author: Brianna Fan <bfan2 at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M Tools/Scripts/hooks/prepare-commit-msg
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py
Log Message:
-----------
Cherry-pick 270375 at main (a4e364130e7c). rdar://98992367
[git-webkit] `git revert` does not produce a meaningful commit message
https://bugs.webkit.org/show_bug.cgi?id=243947
rdar://problem/98992367
Reviewed by Jonathan Bedard.
Changes to logic so git revert is no longer a blank template.
Also prevents git-webkit revert from affecting future commits on main.
A better commit message for git revert is in the works!
* Tools/Scripts/hooks/prepare-commit-msg:
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
(Revert):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
(TestRevert.test_github):
(TestRevert.test_github_two_step):
(test_update):
Canonical link: https://commits.webkit.org/270375@main
Canonical link: https://commits.webkit.org/267815.563@safari-7617-branch
Commit: 6cb696dca06798b6ec487528fe314ff35487fe9e
https://github.com/WebKit/WebKit/commit/6cb696dca06798b6ec487528fe314ff35487fe9e
Author: Brianna Fan <bfan2 at apple.com>
Date: 2023-11-10 (Fri, 10 Nov 2023)
Changed paths:
M Tools/Scripts/hooks/prepare-commit-msg
Log Message:
-----------
Cherry-pick 270395 at main (4d16e41d72b5). https://bugs.webkit.org/show_bug.cgi?id=264416
[git-webkit] update method name
https://bugs.webkit.org/show_bug.cgi?id=264416
Reviewed by Jonathan Bedard.
Updates method name when called to match def.
* Tools/Scripts/hooks/prepare-commit-msg:
Canonical link: https://commits.webkit.org/270395@main
Canonical link: https://commits.webkit.org/267815.564@safari-7617-branch
Commit: b47331a3371291586bf4b4d3a0c029aa44cac219
https://github.com/WebKit/WebKit/commit/b47331a3371291586bf4b4d3a0c029aa44cac219
Author: Russell Epstein <repstein at apple.com>
Date: 2023-11-13 (Mon, 13 Nov 2023)
Changed paths:
M Source/WebCore/rendering/TextBoxPainter.cpp
Log Message:
-----------
Cherry-pick f9ec06b716a3. rdar://117897402
Crash under TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox
https://bugs.webkit.org/show_bug.cgi?id=264728
rdar://117897402
Reviewed by Alan Baradlay.
* Source/WebCore/rendering/TextBoxPainter.cpp:
(WebCore::TextBoxPainter<TextBoxPath>::collectDecoratingBoxesForTextBox):
There appears to be some case where parentInlineBox is not found. Add null checking.
Canonical link: https://commits.webkit.org/270634@main
Canonical link: https://commits.webkit.org/267815.565@safari-7617-branch
Commit: af7c136e799e9ca15c14f3bb7ff17c4eaea4f869
https://github.com/WebKit/WebKit/commit/af7c136e799e9ca15c14f3bb7ff17c4eaea4f869
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-11-13 (Mon, 13 Nov 2023)
Changed paths:
R JSTests/stress/arrow-function-captured-arguments-aliased.js
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
M Source/JavaScriptCore/runtime/GetPutInfo.h
M Source/JavaScriptCore/runtime/ScopedArguments.h
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
M Source/JavaScriptCore/runtime/SymbolTable.cpp
M Source/JavaScriptCore/runtime/SymbolTable.h
Log Message:
-----------
Reverting https://commits.webkit.org/267815.345@safari-7617-branch
https://bugs.webkit.org/show_bug.cgi?id=264767
rdar://117838992
Reviewed by Michael Saboff.
* JSTests/stress/arrow-function-captured-arguments-aliased.js: Removed.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/GetPutInfo.h:
(JSC::initializationModeName):
(JSC::isInitialization):
* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::tryCreate):
(JSC::ScopedArgumentsTable::tryClone):
(JSC::ScopedArgumentsTable::trySetLength):
(JSC::ScopedArgumentsTable::trySetWatchpointSet): Deleted.
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::localToEntry):
(JSC::SymbolTable::cloneScopePart):
* Source/JavaScriptCore/runtime/SymbolTable.h:
Canonical link: https://commits.webkit.org/267815.566@safari-7617-branch
Commit: a595ddd8348df277766ac9bd8b31f8fb8d31a0e0
https://github.com/WebKit/WebKit/commit/a595ddd8348df277766ac9bd8b31f8fb8d31a0e0
Author: Vitor Roriz <vitor.roriz at apple.com>
Date: 2023-11-14 (Tue, 14 Nov 2023)
Changed paths:
A LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt
A LayoutTests/fonts/font-cache-memory-pressure-crash.html
M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
Log Message:
-----------
Adding last resort font to System Font fallback set for PUA characters
https://bugs.webkit.org/show_bug.cgi?id=264737
rdar://117805319
Reviewed by Brent Fulgham.
Until now, when we are purging inactive font data, we would just clear
the glyph page cache if we had to purge system fallback font.
This means that we consider glyph page cache would only point to
fonts from system fonts fallback.
When we are handling Unicode characters in the Private-User-Area (PUA) block,
we shouldn't fall back to system fonts searching for a font that can render
it, per spec: https://www.w3.org/TR/css-fonts-4/#char-handling-issues
Instead, we render the glyph 0 with the last resort font. However, this
font is just added to the custom font cache, and its font pointer in the
Glyph Page cache is not cleared during memory pressure.
We should add this font to the system font fallback set, to make sure
that the associated font pointer is removed from the glyph page cache
during memory pressure.
* LayoutTests/fonts/font-cache-memory-pressure-crash.html: Added.
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::FontCascadeFonts::glyphDataForVariant):
* LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt: Added.
Canonical link: https://commits.webkit.org/267815.567@safari-7617-branch
Commit: f4f2cd51180585cb8b1b0b3ab931b208890188de
https://github.com/WebKit/WebKit/commit/f4f2cd51180585cb8b1b0b3ab931b208890188de
Author: Russell Epstein <repstein at apple.com>
Date: 2023-11-14 (Tue, 14 Nov 2023)
Changed paths:
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm
Log Message:
-----------
Cherry-pick 270672 at main (923ed5177ec0). rdar://118083889
hideContentUntilPendingUpdate callbacks can be processed too late after the transaction and cause flickering.
https://bugs.webkit.org/show_bug.cgi?id=264531
<rdar://118083889>
Reviewed by Tim Horton.
The callbacks for DispatchAfterEnsuringDrawing get processed at the end of the transaction, after we've already told
the client that we've committed the transaction. In some cases, this can cause them to be included as a separate CA
commit, and cause flickering.
This adds a pre-transaction check for a callback for hideContentUntilPendingUpdate, and clears the reply id, so that we
re-attach the root layer as part of the main commit.
* Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:
(WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction):
(WebKit::RemoteLayerTreeDrawingAreaProxy::hideContentUntilPendingUpdate):
Canonical link: https://commits.webkit.org/270672@main
Canonical link: https://commits.webkit.org/267815.568@safari-7617-branch
Commit: 5ebdf97c0a262d969ac46d810393df920269bdc4
https://github.com/WebKit/WebKit/commit/5ebdf97c0a262d969ac46d810393df920269bdc4
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-11-15 (Wed, 15 Nov 2023)
Changed paths:
M Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp
Log Message:
-----------
Use-after-free in processResponse in ServiceWorkerFetch.cpp
rdar://118039950
Reviewed by Chris Dumez.
Cancelling the stream can trigger GC when creating the DOMException JS wrapper.
This might collect the FetchResponse object.
To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.
* Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::processResponse):
Canonical link: https://commits.webkit.org/267815.569@safari-7617-branch
Commit: fc6f62059d44a5a8fe66f28b74ceb23cb0dad447
https://github.com/WebKit/WebKit/commit/fc6f62059d44a5a8fe66f28b74ceb23cb0dad447
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2023-11-15 (Wed, 15 Nov 2023)
Changed paths:
A LayoutTests/ipc/argumentParser.js
A LayoutTests/ipc/fuzz_tools.js
A LayoutTests/ipc/media-player-invalid-test-expected.txt
A LayoutTests/ipc/media-player-invalid-test.html
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h
M Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp
Log Message:
-----------
[CoreIPC] heap-use-after-free in WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856
Reviewed by Jean-Yves Avenard and Eric Carlson.
Error only hit in internal testing. Object was referenced after deletion. Updated `MockMediaPlayer` to use weak pointer for `m_player` instead of reference and added checks to methods to check that `m_player` exists before trying to read/write
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed `m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):
Canonical link: https://commits.webkit.org/267815.570@safari-7617-branch
Commit: c8a04244eba3b8f0a159a8f34517da2aaf5f2d97
https://github.com/WebKit/WebKit/commit/c8a04244eba3b8f0a159a8f34517da2aaf5f2d97
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2023-11-16 (Thu, 16 Nov 2023)
Changed paths:
A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt
A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Cherry-pick 268451.4 at webkit-2023.9-embargoed (f554230ef55f). rdar://116715621
DOM: Make sure to set tree scope during parser insertion
https://bugs.webkit.org/show_bug.cgi?id=263178
rdar://116715621
Reviewed by Ryosuke Niwa.
It is possible for an element to be reparented, e.g., to a shadow
tree before parsing has finished, so we need to make sure to set the
correct tree scope for a new element during parsing insertion,
otherwise it might end up associated to the wrong tree scope.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt: Added.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::parserInsertBefore):
Canonical link: https://commits.webkit.org/268451.4@webkit-2023.9-embargoed
Canonical link: https://commits.webkit.org/267815.571@safari-7617-branch
Commit: 5ffbdced75c17e24789e73111bd7d84a58b13d61
https://github.com/WebKit/WebKit/commit/5ffbdced75c17e24789e73111bd7d84a58b13d61
Author: Ryan Haddad <ryanhaddad at apple.com>
Date: 2023-11-16 (Thu, 16 Nov 2023)
Changed paths:
M LayoutTests/platform/mac-wk2/TestExpectations
Log Message:
-----------
9 http/tests/webgpu/webgpu/api/operation layout tests failing / crashing
rdar://118523595
Unreviewed test gardening.
* LayoutTests/platform/mac-wk2/TestExpectations: Disable the tests.
Canonical link: https://commits.webkit.org/267815.572@safari-7617-branch
Commit: dc1fdd5e22583db440043b056474326a8d29e9de
https://github.com/WebKit/WebKit/commit/dc1fdd5e22583db440043b056474326a8d29e9de
Author: Pascoe <pascoe at apple.com>
Date: 2023-11-16 (Thu, 16 Nov 2023)
Changed paths:
M Tools/Scripts/VCSUtils.pm
Log Message:
-----------
Cherry-pick 268261 at main (4c4d08c5189c). rdar://115458379
Remove check for space in REAL_NAME
https://bugs.webkit.org/show_bug.cgi?id=261538
rdar://115458379
Reviewed by Jonathan Bedard.
Not all real names contain spaces.
* Tools/Scripts/VCSUtils.pm:
(changeLogName):
Remove check for space in name.
Canonical link: https://commits.webkit.org/268261@main
Canonical link: https://commits.webkit.org/267815.573@safari-7617-branch
Commit: 49ba637c4abb0596b9c1260f50a8dcfa4bacbcb9
https://github.com/WebKit/WebKit/commit/49ba637c4abb0596b9c1260f50a8dcfa4bacbcb9
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2023-11-16 (Thu, 16 Nov 2023)
Changed paths:
M Source/JavaScriptCore/b3/B3LowerToAir.cpp
M Source/JavaScriptCore/b3/air/AirValidate.cpp
Log Message:
-----------
Extr can overflow when imm=64, allowing a random register to be read
rdar://118515062
Reviewed by Yusuke Suzuki.
Extr can overflow when imm=64, allowing a random register to be read.
* Source/JavaScriptCore/b3/B3LowerToAir.cpp:
* Source/JavaScriptCore/b3/air/AirValidate.cpp:
Canonical link: https://commits.webkit.org/267815.574@safari-7617-branch
Commit: 4c3430842100df9a75863cff220e5579922db08c
https://github.com/WebKit/WebKit/commit/4c3430842100df9a75863cff220e5579922db08c
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-11-16 (Thu, 16 Nov 2023)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
M Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
M Source/WebCore/loader/cache/CachedCSSStyleSheet.h
Log Message:
-----------
Crash under PAL::newTextCodec(PAL::TextEncoding const&)
https://bugs.webkit.org/show_bug.cgi?id=264979
rdar://118267012
Reviewed by Brent Fulgham.
There is evidence for crashes in the wild that the CachedCSSStyleSheet or
the TextResourceDecoder are being used after getting freed. To prevent this,
protect both these objects in the code path identified by the crashes.
This is a speculative fix but it should be very safe.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didFinishLoading):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::finishLoading):
(WebCore::CachedCSSStyleSheet::protectedDecoder const):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.h:
Canonical link: https://commits.webkit.org/267815.575@safari-7617-branch
Commit: 680ce288888eba3803120b722cdb240a7b5fa23f
https://github.com/WebKit/WebKit/commit/680ce288888eba3803120b722cdb240a7b5fa23f
Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
Date: 2023-11-17 (Fri, 17 Nov 2023)
Changed paths:
M Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj
Log Message:
-----------
Unreviewed, fix iOS production builds after 270071 at main
Fix the following build error:
```
Undefined symbols for architecture arm64e:
"_JSContextGetGlobalObject", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
"_JSObjectMake", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
"_JSValueProtect", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
"_JSValueToBoolean", referenced from:
WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
"_JSValueUnprotect", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
"WTR::setProperty(OpaqueJSContext const*, OpaqueJSValue*, char const*, bool)", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
"WTR::objectProperty(OpaqueJSContext const*, OpaqueJSValue*, std::initializer_list<char const*>)", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
"WTR::callConstructor(OpaqueJSContext*, char const*, std::initializer_list<OpaqueJSValue const*>)", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
"WTR::call(OpaqueJSContext const*, OpaqueJSValue*, char const*, std::initializer_list<OpaqueJSValue const*>)", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
"WTR::makeValue(OpaqueJSContext const*, char const*)", referenced from:
WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
"WTF::URL::host() const", referenced from:
WTR::isWebPlatformTestURL(WTF::URL const&) in WPTFunctions.o
"WTF::URL::port() const", referenced from:
WTR::isWebPlatformTestURL(WTF::URL const&) in WPTFunctions.o
ld: symbol(s) not found for architecture arm64e
clang: error: linker command failed with exit code 1 (use -v to see invocation)
```
...by removing `WPTFunctions.o` from the `WebKitTestRunner` binary
target. This is the correct thing to do because we pull in the symbols
in the `WPTFunctions` TU through the `WebKitTestRunnerLibrary` target
anyways, and because we don't link against WTF/JSC/etc. when building
the `WebKitTestRunner` binary on iOS.
* Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj:
Canonical link: https://commits.webkit.org/267815.576@safari-7617-branch
Commit: b0a755e3442625316297f97cb763d966732ab6c8
https://github.com/WebKit/WebKit/commit/b0a755e3442625316297f97cb763d966732ab6c8
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-11-17 (Fri, 17 Nov 2023)
Changed paths:
M Source/JavaScriptCore/runtime/Structure.cpp
Log Message:
-----------
Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
https://bugs.webkit.org/show_bug.cgi?id=265067
rdar://118548733
Reviewed by Justin Michaud and Mark Lam.
Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
Compiler threads rely on the fact that normally named property storage never shrinks. And we should catch this exceptional case by taking a cellLock
in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
This patch computes afterOutOfLineCapacity first to detect whether this flattening will shrink the butterfly.
And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
Commit: 0e322e7b896dde0d7061593c60b2e485c74a3e7e
https://github.com/WebKit/WebKit/commit/0e322e7b896dde0d7061593c60b2e485c74a3e7e
Author: Russell Epstein <repstein at apple.com>
Date: 2023-11-17 (Fri, 17 Nov 2023)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
Log Message:
-----------
Revert b16d10297d26. rdar://118303187
Canonical link: https://commits.webkit.org/267815.578@safari-7617-branch
Commit: 8d60b5b0fc0bf03ecb035205cf864c57bf7598e2
https://github.com/WebKit/WebKit/commit/8d60b5b0fc0bf03ecb035205cf864c57bf7598e2
Author: Andy Estes <aestes at apple.com>
Date: 2023-11-19 (Sun, 19 Nov 2023)
Changed paths:
M Source/WebKit/UIProcess/Cocoa/GroupActivities/WKGroupSession.swift
Log Message:
-----------
Cherry-pick 267921 at main (849790f00ff0). rdar://115260515
[Cocoa] Fix warnings in WebKitSwift
https://bugs.webkit.org/show_bug.cgi?id=261389
rdar://115260515
Reviewed by Richard Robinson.
- Added availability annotations to public types.
- Replaced deprecated Task APIs with modern replacements.
- Removed the unnecessary WK prefix from Swift types.
* Source/WebKit/UIProcess/Cocoa/GroupActivities/WKGroupSession.swift:
(GroupSessionWrapper.activityWrapper):
(GroupSessionWrapper.activity):
(GroupSessionWrapper.wrapperSessionState(_:)):
(GroupSessionWrapper.state):
(GroupSessionWrapper.newActivityCallback):
(GroupSessionWrapper.stateChangedCallback):
(GroupSessionWrapper.activityChanged(_:)):
(GroupSessionWrapper.stateChanged(_:)):
(GroupSessionObserver.newSessionCallback):
(GroupSessionObserver.incomingSessionsTask):
(GroupSessionObserver.receivedSession(_:)):
(WKURLActivityWrapper.urlActivity): Deleted.
(WKURLActivityWrapper.fallbackURL): Deleted.
(WKGroupSessionWrapper.groupSession): Deleted.
(WKGroupSessionWrapper.cancellables): Deleted.
(WKGroupSessionWrapper.activity): Deleted.
(WKGroupSessionWrapper.uuid): Deleted.
(WKGroupSessionWrapper.wrapperSessionState(_:)): Deleted.
(WKGroupSessionWrapper.state): Deleted.
(WKGroupSessionWrapper.newActivityCallback): Deleted.
(WKGroupSessionWrapper.stateChangedCallback): Deleted.
(WKGroupSessionWrapper.join): Deleted.
(WKGroupSessionWrapper.leave): Deleted.
(WKGroupSessionWrapper.coordinate(_:)): Deleted.
(WKGroupSessionWrapper.activityChanged(_:)): Deleted.
(WKGroupSessionWrapper.stateChanged(_:)): Deleted.
(WKGroupSessionObserver.newSessionCallback): Deleted.
(WKGroupSessionObserver.incomingSessionsTask): Deleted.
(WKGroupSessionObserver.receivedSession(_:)): Deleted.
Canonical link: https://commits.webkit.org/267921@main
Canonical link: https://commits.webkit.org/267815.579@safari-7617-branch
Commit: fe2eff8251a9b7d202dc5273a96261f472f531e0
https://github.com/WebKit/WebKit/commit/fe2eff8251a9b7d202dc5273a96261f472f531e0
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-27 (Mon, 27 Nov 2023)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log
M LayoutTests/imported/w3c/web-platform-tests/html/dom/reflection-metadata-expected.txt
M Source/WebCore/html/HTMLLinkElement.idl
M Source/WebCore/html/HTMLStyleElement.idl
Log Message:
-----------
Cherry-pick 9ea548224a00. rdar://118676659
Safari blocking JS reading nonce for <style> and <link>
https://bugs.webkit.org/show_bug.cgi?id=265173
rdar://118676659
Reviewed by Antti Koivisto.
Some leftover nonce IDL included [Reflect] and therefore those elements
had the older-but-now-bogus nonce semantics.
Tests have been synchronized and new tests in nonces.html are
upstreamed here:
https://github.com/web-platform-tests/wpt/pull/43280
The new test failures in WPT html/dom/reflection-metadata.html are
expected and match all other browsers. I filed an upstream issue on
that test here:
https://github.com/web-platform-tests/wpt/issues/43286
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log:
* LayoutTests/imported/w3c/web-platform-tests/html/dom/reflection-metadata-expected.txt:
* Source/WebCore/html/HTMLLinkElement.idl:
* Source/WebCore/html/HTMLStyleElement.idl:
Canonical link: https://commits.webkit.org/271046@main
Identifier: 267815.580 at safari-7617-branch
Commit: 18a4c97059d7a2c958e226374e611aceec58cbed
https://github.com/WebKit/WebKit/commit/18a4c97059d7a2c958e226374e611aceec58cbed
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-27 (Mon, 27 Nov 2023)
Changed paths:
A LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak-expected.txt
A LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak.html
M Source/WebCore/loader/ImageLoader.cpp
M Source/WebCore/loader/ImageLoader.h
Log Message:
-----------
Cherry-pick 78e4577732ca. rdar://117683012
Memory consumption/leak with img out of viewport and lazy loading
https://bugs.webkit.org/show_bug.cgi?id=263521
Reviewed by Chris Dumez.
This change fixes the problem with dangling of dynamically created (in JS)
HTMLImageElement when it is detached from the document before loading the resource
starts. It happened when img element was created (dynamically) with lazy loading
and the element was outside the viewport (the loading of resource is deferred until
the img element becomes visible). If the element was removed from document it
becomes dangling element and will never be deleted by GC.
* Source/WebCore/loader/ImageLoader.cpp:
(WebCore::ImageLoader::hasPendingActivity const):
To avoid leaking the dynamically created element, the pending activity of
the element should check whether the load of the resource has actually started.
Similar check is done in case of static HTMLImageElement in
ImageLoader::updatedHasPendingEvent.
* Source/WebCore/loader/ImageLoader.h:
(WebCore::ImageLoader::hasPendingActivity const): Deleted.
Moved implementation to cpp file.
* LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak-expected.txt: Added.
* LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak.html: Added.
Canonical link: https://commits.webkit.org/270745@main
Identifier: 267815.581 at safari-7617-branch
Commit: 93db3d3b51385837c58ee23e605c8c8ccbdcfbea
https://github.com/WebKit/WebKit/commit/93db3d3b51385837c58ee23e605c8c8ccbdcfbea
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-27 (Mon, 27 Nov 2023)
Changed paths:
A LayoutTests/fast/text/text-indent-with-intrusive-float-expected.html
A LayoutTests/fast/text/text-indent-with-intrusive-float.html
M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp
Log Message:
-----------
Cherry-pick b741d4c7aa56. rdar://118701491
(REGRESSION: 267587 at main) Text indent is incorrect when paragraph is affected by a floating element
https://bugs.webkit.org/show_bug.cgi?id=265216
<rdar://problem/118701491>
Reviewed by Antti Koivisto.
Before 267587 at main (which merged all the float constraints codepaths), we ignored the text-indent during the _initial_ constraint computation
and adjusted the line rect later.
At 267587 at main, we started adding the text-indent value twice to the line rect; first while computing the initial constraint and
the second time when we would normally add it.
* LayoutTests/fast/text/text-indent-with-intrusive-float-expected.html: Added.
* LayoutTests/fast/text/text-indent-with-intrusive-float.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp:
(WebCore::Layout::LineBuilder::initialConstraintsForLine const): Let's go back to "before 267587 at main" state.
(WebCore::Layout::LineBuilder::floatConstrainedRect const): Add some comment and change variable names to reflect what they mean.
Canonical link: https://commits.webkit.org/271080@main
Identifier: 267815.582 at safari-7617-branch
Commit: 38275fdf977520ef1e680e98220d488b288db590
https://github.com/WebKit/WebKit/commit/38275fdf977520ef1e680e98220d488b288db590
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-27 (Mon, 27 Nov 2023)
Changed paths:
R LayoutTests/fast/text/text-indent-with-intrusive-float-expected.html
R LayoutTests/fast/text/text-indent-with-intrusive-float.html
M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp
Log Message:
-----------
Revert "Cherry-pick b741d4c7aa56. rdar://118701491"
This reverts commit 93db3d3b51385837c58ee23e605c8c8ccbdcfbea.
Identifier: 267815.583 at safari-7617-branch
Commit: 46ce31f93de5157cba523d2498923fe5c3acbffe
https://github.com/WebKit/WebKit/commit/46ce31f93de5157cba523d2498923fe5c3acbffe
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-27 (Mon, 27 Nov 2023)
Changed paths:
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
Log Message:
-----------
Cherry-pick 9ed78dcdcb4a. rdar://118249650
REGRESSION (270325 at main): Overrelease of NSColor under PageClientImpl::appUsesCustomAccentColor
https://bugs.webkit.org/show_bug.cgi?id=264845
<rdar://problem/118312264>
Reviewed by Aditya Keerthi, Chris Dumez and Simon Fraser.
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
(WebKit::PageClientImpl::appUsesCustomAccentColor):
We don't own these colors, don't adopt them.
Canonical link: https://commits.webkit.org/270735@main
Identifier: 267815.584 at safari-7617-branch
Commit: 9af375238082c83527b954cddc166233b4446492
https://github.com/WebKit/WebKit/commit/9af375238082c83527b954cddc166233b4446492
Author: Alan Baradlay <zalan at apple.com>
Date: 2023-11-27 (Mon, 27 Nov 2023)
Changed paths:
A LayoutTests/fast/text/line-break-after-whitespace-with-min-max-assert-expected.txt
A LayoutTests/fast/text/line-break-after-whitespace-with-min-max-assert.html
M Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp
M Source/WebCore/layout/formattingContexts/inline/InlineLine.cpp
Log Message:
-----------
Cherry-pick 270942 at main (9d772d9e5412).
[IFC] Cached maximum inline content should be able to handle trailing line break (265074)
rdar://118858714
Reviewed by Antti Koivisto.
Restore trimmed trailing whitespace when followed by hard line break (<br>).
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):
Canonical link: https://commits.webkit.org/267815.585@safari-7617-branch
Commit: e408ece1b8a7e9a6214bcc3555b53341c52bd7b9
https://github.com/WebKit/WebKit/commit/e408ece1b8a7e9a6214bcc3555b53341c52bd7b9
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm
Log Message:
-----------
GraphicsContextGLCocoa::setDrawingBufferColorSpace is missing makeContextCurrent()
https://bugs.webkit.org/show_bug.cgi?id=265129
rdar://118650182
Reviewed by Dan Glastonbury.
All public API entrypoints in GraphicsContextGLANGLE should call
the makeContextCurrent().
* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
(WebCore::GraphicsContextGLCocoa::setDrawingBufferColorSpace):
Canonical link: https://commits.webkit.org/267815.586@safari-7617-branch
Commit: db3f6a7dbf337db63c6b86f3de31954d819c9024
https://github.com/WebKit/WebKit/commit/db3f6a7dbf337db63c6b86f3de31954d819c9024
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp
M Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp
M Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp
Log Message:
-----------
ANGLE eglBindTexImage ASSERT when overwriting a binding
https://bugs.webkit.org/show_bug.cgi?id=265127
rdar://118649807
Reviewed by Dan Glastonbury.
glBindTexture(GL_TEXTURE_2D, tex);
eglBindTexImage(.., pbuffer, ...);
- Would set the Surface::mBoundTexture of pbuffer
- Would set the Texture::mBoundSurface of tex
eglBindTexImage(.., pbuffer2, ...);
- Would set the Surface::mBoundTexture of pbuffer2
- Would set the Texture::mBoundSurface of tex
- Would fail to unset Surface::mBoundTexture of pbuffer
Fix by making the unset logic linear, avoiding
Surface -> Texture -> Surface call sequence.
* Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp:
(egl::Surface::bindTexImage):
* Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp:
(gl::Texture::bindTexImageFromSurface):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp:
Canonical link: https://commits.webkit.org/267815.587@safari-7617-branch
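Added example, not part of the commit or of ANGLE's code: a minimal C++ model of the binding sequence in the log message above, contrasting an overwrite that leaves the first surface's back-pointer stale with a linear unset-then-set. `Pbuffer`, `Tex`, `bindOverwriting`, `bindLinear`, `linksConsistent` and `staleAfterRebind` are hypothetical names; only the roles of `Surface::mBoundTexture` and `Texture::mBoundSurface` come from the message.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the two objects named in the log message.
struct Tex;

struct Pbuffer {
    Tex* boundTexture = nullptr;      // plays the role of Surface::mBoundTexture
};

struct Tex {
    Pbuffer* boundSurface = nullptr;  // plays the role of Texture::mBoundSurface
};

// Outcome the log message describes before the fix: the new pair is linked,
// but the surface the texture was previously bound to keeps its pointer.
void bindOverwriting(Pbuffer& surface, Tex& texture) {
    surface.boundTexture = &texture;
    texture.boundSurface = &surface;
}

// Linear unset-then-set: each old link is cleared in both directions before
// the new link is written, with no call back into the object being updated.
void bindLinear(Pbuffer& surface, Tex& texture) {
    // 1. Detach the texture from the surface it was bound to, if any.
    if (Pbuffer* oldSurface = texture.boundSurface) {
        oldSurface->boundTexture = nullptr;
        texture.boundSurface = nullptr;
    }
    // 2. Detach the surface from the texture it was bound to, if any.
    if (Tex* oldTexture = surface.boundTexture) {
        oldTexture->boundSurface = nullptr;
        surface.boundTexture = nullptr;
    }
    // 3. Write the new link in both directions.
    surface.boundTexture = &texture;
    texture.boundSurface = &surface;
}

// Invariant a debug assertion or test can check: a surface's forward pointer
// must be mirrored by the texture's back-pointer.
bool linksConsistent(const Pbuffer& surface) {
    return surface.boundTexture == nullptr ||
           surface.boundTexture->boundSurface == &surface;
}

// Replays the sequence from the log message (bind tex to pbuffer, then bind
// the same tex to pbuffer2) and counts surfaces left with a stale link.
int staleAfterRebind(void (*bind)(Pbuffer&, Tex&)) {
    Pbuffer pbuffer, pbuffer2;
    Tex tex;
    bind(pbuffer, tex);
    bind(pbuffer2, tex);

    int stale = 0;
    if (!linksConsistent(pbuffer))
        ++stale;
    if (!linksConsistent(pbuffer2))
        ++stale;
    return stale;
}

int main() {
    std::printf("overwriting bind: %d stale surface link(s)\n",
                staleAfterRebind(bindOverwriting));
    std::printf("linear bind:      %d stale surface link(s)\n",
                staleAfterRebind(bindLinear));
    return 0;
}
```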
Commit: 06c609f334b49e10380cf589f8ae47bb5a792f93
https://github.com/WebKit/WebKit/commit/06c609f334b49e10380cf589f8ae47bb5a792f93
Author: Elliott Williams <emw at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py
Log Message:
-----------
Cherry-pick 270666 at main (0472cd19455a). rdar://118344315
[autoinstall] Recognize wheels which are purely precompiled shared libraries
https://bugs.webkit.org/show_bug.cgi?id=264755
rdar://118344315
Reviewed by Jonathan Bedard.
Some projects, like https://pypi.org/project/jq/, distribute wheels that
are currently unrecognized because they don't contain a file whose name
exactly matches the project name. (In jq's case, it has a
"jq.cpython-39-darwin.so" but not a "jq" in the wheel.)
Per PEP-491, wheels don't have to have files whose names match the
package name, so our check is overzealous. Remove it.
* Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
(Package.install):
Canonical link: https://commits.webkit.org/270666@main
Canonical link: https://commits.webkit.org/267815.588@safari-7617-branch
Commit: 951d2bdd58418f39550d4772322dbdcfb087941e
https://github.com/WebKit/WebKit/commit/951d2bdd58418f39550d4772322dbdcfb087941e
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py
Log Message:
-----------
Cherry-pick 270736 at main (fca112b99b35). rdar://118406906
[webkitscmpy] Add commit status to pull-request
https://bugs.webkit.org/show_bug.cgi?id=264827
rdar://118406906
Reviewed by Elliott Williams.
Add commit status and associated mock support to webkitscmpy for future use.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py:
(BitBucket.__init__): Add "statuses" dictionary.
(BitBucket.request): Respond with mock commit status.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py:
(GitHub.__init__): Add "statuses" dictionary.
(GitHub._commit_response): Respond with mock commit status.
(GitHub.request): Handle commit URLs with trailing path arguments.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py:
(PullRequest.Status): Added.
(PullRequest.Status.Encoder): Added JSON decoder.
(PullRequest.statuses): Return all commit statuses on the current pull-request object.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py:
(BitBucket.PRGenerator.statuses): Populate commit statuses in pull-request object.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
(GitHub.PRGenerator.statuses): Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py:
(Scm.PRGenerator.statuses):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:
Canonical link: https://commits.webkit.org/270736@main
Canonical link: https://commits.webkit.org/267815.589@safari-7617-branch
Commit: 55537835892be35c58996b1aa3679c3bff6e6cc0
https://github.com/WebKit/WebKit/commit/55537835892be35c58996b1aa3679c3bff6e6cc0
Author: Ben Schwartz <ben_schwartz at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py
Log Message:
-----------
Cherry-pick 270738 at main (6695e0a431f1). rdar://117214203
[webkitbugspy] Implement ability to perform Radar search queries.
rdar://117214203
https://bugs.webkit.org/show_bug.cgi?id=263383
Reviewed by Jonathan Bedard.
Allows callers to perform Radar search queries as part of `webkitbugspy.Radar`.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
(Tracker):
(Tracker.search): Perform Radar search from passed query parameters.
Canonical link: https://commits.webkit.org/270738@main
Canonical link: https://commits.webkit.org/267815.590@safari-7617-branch
Commit: b00ebd125dafb9130732e3a9d9991b9666a0771c
https://github.com/WebKit/WebKit/commit/b00ebd125dafb9130732e3a9d9991b9666a0771c
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Tools/Scripts/libraries/webkitbugspy/setup.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py
Log Message:
-----------
Cherry-pick 270922 at main (7812e1fae6d3). rdar://117502065
[webkitbugspy] Gracefully handle null duplicate
https://bugs.webkit.org/show_bug.cgi?id=263694
rdar://117502065
Reviewed by Elliott Williams.
* Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
(Tracker.populate): If the provided relationship object doesn't define a
related radar, skip that relationship.
Canonical link: https://commits.webkit.org/270922@main
Canonical link: https://commits.webkit.org/267815.591@safari-7617-branch
Commit: eabd2c6ea32ed9341e0f801728327973d79172a9
https://github.com/WebKit/WebKit/commit/eabd2c6ea32ed9341e0f801728327973d79172a9
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Tools/Scripts/hooks/prepare-commit-msg
Log Message:
-----------
Cherry-pick 270921 at main (88a259f2f225). rdar://118144919
[git-webkit] Handle multiple bugs associated with a single branch
https://bugs.webkit.org/show_bug.cgi?id=264450
rdar://118144919
Reviewed by Elliott Williams.
Parse `git config` output backwards to prefer newer config values.
Except for bugs, only allow a single line to be passed to the template
via 'git config'. For bugs, we should only allow a single bug from each
tracker to be associated with the issue.
* Tools/Scripts/hooks/prepare-commit-msg:
Canonical link: https://commits.webkit.org/270921@main
Canonical link: https://commits.webkit.org/267815.592@safari-7617-branch
Commit: 59fa3df4b872d92507c0c17595a8a7472b35d218
https://github.com/WebKit/WebKit/commit/59fa3df4b872d92507c0c17595a8a7472b35d218
Author: Brianna Fan <bfan2 at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M Tools/Scripts/hooks/prepare-commit-msg
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py
Log Message:
-----------
Cherry-pick 270930 at main (cab7e2d834d9). rdar://117270674
[git-webkit revert] Commit message should present more useful information
https://bugs.webkit.org/show_bug.cgi?id=263456
rdar://117270674
Reviewed by Jonathan Bedard.
Commit message is formatted after webkit patch workflow.
Changed git-webkit revert logic to support these changes and future work.
* Tools/Scripts/hooks/prepare-commit-msg:
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
(Revert.parser):
(Revert.get_issue_info):
(Revert):
(Revert.create_revert_commit_msg):
(Revert.revert_commit):
(Revert.main):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
Canonical link: https://commits.webkit.org/270930@main
Canonical link: https://commits.webkit.org/267815.593@safari-7617-branch
Commit: 7ee16f6de0944badbfb8a25bb01acd37838f17e2
https://github.com/WebKit/WebKit/commit/7ee16f6de0944badbfb8a25bb01acd37838f17e2
Author: Erica Li <lerica at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt
A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html
M Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp
Log Message:
-----------
[3a7d43b31aba54c5] ASAN_SEGV | Layout::LineBoxBuilder::constructInlineLevelBoxes; Layout::LineBoxBuilder::build; Layout::InlineFormattingContext::createDisplayContentForInlineContent
https://bugs.webkit.org/show_bug.cgi?id=265107
rdar://118424612
Reviewed by Alan Baradlay.
Bail out createDisplayContentForLineFromCachedContent when restoreTrimmedTrailingWhitespace failed.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt: Added.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):
Canonical link: https://commits.webkit.org/267815.594@safari-7617-branch
Commit: 2a1f2e7acfe29eba7ea3a6d210a3bcdfdc327739
https://github.com/WebKit/WebKit/commit/2a1f2e7acfe29eba7ea3a6d210a3bcdfdc327739
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
A LayoutTests/fast/rendering/render-list-marker-select.html
M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp
Log Message:
-----------
jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454
Reviewed by Alan Baradlay.
Null pointer dereference error caused by render tree being ordered incorrectly. RenderListMarker
was being placed inside RenderMenuList, where RenderListMarker and RenderMenuList should be on
the same level and in RenderListItem.
* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): added check to ensure RenderListMarker isn't placed inside
RenderMenuList but can be placed at same level (ie, sibling)
Canonical link: https://commits.webkit.org/267815.595@safari-7617-branch
Commit: 56db4a6608ff6087ec78e412bdb87beab54e4989
https://github.com/WebKit/WebKit/commit/56db4a6608ff6087ec78e412bdb87beab54e4989
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-11-30 (Thu, 30 Nov 2023)
Changed paths:
M Source/WTF/wtf/PlatformEnableCocoa.h
M Source/WebKit/Configurations/WebContentService.Crashy.xcconfig
M Source/WebKit/Configurations/WebContentService.xcconfig
M Source/WebKit/Scripts/process-entitlements.sh
M Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm
M Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
M Source/WebKit/UIProcess/Launcher/cocoa/ProcessLauncherCocoa.mm
M Source/WebKit/UIProcess/WebProcessPool.cpp
M Source/WebKit/UIProcess/WebProcessPool.h
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Source/WebKit/WebKit.xcodeproj/project.pbxproj
M Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
Log Message:
-----------
Cherry-pick 269395 at main (39451bfc571). rdar://118902452
Eliminate Test Code to crash a WebKit XPC service
https://bugs.webkit.org/show_bug.cgi?id=263045
rdar://115678493
Reviewed by Timothy Hatcher and Alex Christensen.
Remove WebContent.Crashy XPC process as it has served its purpose and is no longer needed.
* Source/WTF/wtf/PlatformEnableCocoa.h:
* Source/WebKit/Configurations/WebContentCrashyExtension.xcconfig: Removed.
* Source/WebKit/Configurations/WebContentService.Crashy.xcconfig: Removed.
* Source/WebKit/Configurations/WebContentService.xcconfig:
* Source/WebKit/Scripts/process-entitlements.sh:
* Source/WebKit/Shared/AuxiliaryProcessExtensions/WebContentExtension-Crashy-Info.plist: Removed.
* Source/WebKit/Shared/AuxiliaryProcessExtensions/com.apple.WebKit.appexpt:
* Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm:
(WebKit::XPCServiceInitializerDelegate::getExtraInitializationData):
* Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitialize):
(isInternalBuild): Deleted.
(canaryInBaseState): Deleted.
(WebKit::WebProcessPool::initializeShouldCrashWhenCreatingWebProcess): Deleted.
* Source/WebKit/UIProcess/Launcher/cocoa/ProcessLauncherCocoa.mm:
(WebKit::webContentServiceName):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::createNewWebProcess):
(WebKit::WebProcessPool::forEachProcessForSession):
* Source/WebKit/UIProcess/WebProcessPool.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::getLaunchOptions):
(WebKit::WebProcessProxy::createForWebContentCrashy): Deleted.
* Source/WebKit/UIProcess/WebProcessProxy.h:
(WebKit::WebProcessProxy::isCrashyProcess const): Deleted.
(WebKit::WebProcessProxy::setIsCrashyProcess): Deleted.
* Source/WebKit/WebKit.xcodeproj/project.pbxproj:
* Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::platformInitializeProcess):
(WebKit::deliberateCrashForTesting): Deleted.
Canonical link: https://commits.webkit.org/269395@main
Canonical link: https://commits.webkit.org/267815.596@safari-7617-branch
Commit: 0285858ad48343d201434f22bf0fb8e59eddadad
https://github.com/WebKit/WebKit/commit/0285858ad48343d201434f22bf0fb8e59eddadad
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-11-30 (Thu, 30 Nov 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-617.2.2
Identifier: 267815.597 at safari-7617-branch
Commit: 464bf890aaf8aa1f96fbd56c7ab9fc443f5cf41e
https://github.com/WebKit/WebKit/commit/464bf890aaf8aa1f96fbd56c7ab9fc443f5cf41e
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-30 (Thu, 30 Nov 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Revert "Versioning."
This reverts commit 0285858ad48343d201434f22bf0fb8e59eddadad.
Identifier: 267815.598 at safari-7617-branch
Commit: 38eae99cb36f1ab069262d4c89e24c75bfbe4796
https://github.com/WebKit/WebKit/commit/38eae99cb36f1ab069262d4c89e24c75bfbe4796
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-30 (Thu, 30 Nov 2023)
Changed paths:
M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp
Log Message:
-----------
Apply patch. rdar://118701491
Identifier: 267815.599 at safari-7617-branch
Commit: ab2019dbf67e5e1f83a854aa1d631a9093e5f0d4
https://github.com/WebKit/WebKit/commit/ab2019dbf67e5e1f83a854aa1d631a9093e5f0d4
Author: Brianna Fan <bfan2 at apple.com>
Date: 2023-12-01 (Fri, 01 Dec 2023)
Changed paths:
M Tools/CISupport/ews-build/steps.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py
Log Message:
-----------
Cherry-pick 271247 at main (4622c40ca092). rdar://118208532
webkitscmpy: Radar URLs in GitHub pick up surrounding punctuation
rdar://118208532
Reviewed by Jonathan Bedard.
Adds more punctuation to be ignored when constructing link.
* Tools/CISupport/ews-build/steps.py:
(UpdatePullRequest.escape_html):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py:
(PullRequest.escape_html):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:
Canonical link: https://commits.webkit.org/271247@main
Canonical link: https://commits.webkit.org/267815.600@safari-7617-branch
Commit: 8f85372e680cb400b39dbf2bc3b4830cf411dc67
https://github.com/WebKit/WebKit/commit/8f85372e680cb400b39dbf2bc3b4830cf411dc67
Author: Russell Epstein <repstein at apple.com>
Date: 2023-12-01 (Fri, 01 Dec 2023)
Changed paths:
A LayoutTests/media/content/test-inband-captions.mp4
A LayoutTests/media/track/track-in-band-layout-expected.txt
A LayoutTests/media/track/track-in-band-layout.html
M LayoutTests/platform/glib/TestExpectations
M Source/WebCore/html/track/InbandGenericTextTrack.cpp
M Source/WebCore/html/track/TextTrackCueGeneric.cpp
M Source/WebCore/html/track/TextTrackCueGeneric.h
M Source/WebCore/html/track/VTTCue.h
M Source/WebCore/platform/graphics/InbandGenericCue.cpp
M Source/WebCore/platform/graphics/InbandGenericCue.h
M Source/WebCore/platform/graphics/avfoundation/InbandTextTrackPrivateAVF.cpp
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 53b6a4522e45. rdar://119024855
REGRESSION(265596 at main): [Cocoa] In-band captions generate large, line-wrapped cues
https://bugs.webkit.org/show_bug.cgi?id=265635
rdar://119024855
Reviewed by Eric Carlson.
When modernizing VTTCue, TextTrackCueGeneric was not sufficiently updated to take advantage
of the correct layout implemented by VTTCue. Specifically, TextTrackCueGeneric still queried
VTTCueBox::fontSizeFromCaptionUserPrefs(), which was no longer set, and caused the cue width
to be incorrectly set to zero.
Remove that dead method, and remove most of the implementation of
TextTrackCueGenericBoxElement::applyCSSProperties, relying instead upon VTTCueBoxElement's
implementation.
In order to correctly position TextTrackCueGeneric objects created from AVFoundation, set
the resulting cue's positionAlign() to "Center" by way of GenericCueData. This causes VTTCue
to position the cue relative to the cue's center point, which is the same way AVFoundation
represents the cue's position.
* LayoutTests/media/content/test-inband-captions.mp4: Added.
* LayoutTests/media/track/track-in-band-layout-expected.txt: Added.
* LayoutTests/media/track/track-in-band-layout.html: Added.
* Source/WebCore/html/track/InbandGenericTextTrack.cpp:
(WebCore::InbandGenericTextTrack::updateCueFromCueData):
* Source/WebCore/html/track/TextTrackCueGeneric.cpp:
(WebCore::TextTrackCueGenericBoxElement::applyCSSProperties):
(WebCore::TextTrackCueGeneric::setBaseFontSizeRelativeToVideoHeight):
(WebCore::TextTrackCueGeneric::setFontSizeMultiplier):
(WebCore::TextTrackCueGeneric::setFontSize): Deleted.
* Source/WebCore/html/track/TextTrackCueGeneric.h:
* Source/WebCore/html/track/VTTCue.h:
(WebCore::VTTCueBox::setFontSizeFromCaptionUserPrefs): Deleted.
(WebCore::VTTCueBox::fontSizeFromCaptionUserPrefs const): Deleted.
* Source/WebCore/platform/graphics/InbandGenericCue.cpp:
(WebCore::InbandGenericCue::toJSONString const):
* Source/WebCore/platform/graphics/InbandGenericCue.h:
(WebCore::GenericCueData::GenericCueData):
(WebCore::InbandGenericCue::positionAlign const):
(WebCore::InbandGenericCue::setPositionAlign):
* Source/WebCore/platform/graphics/avfoundation/InbandTextTrackPrivateAVF.cpp:
(WebCore::InbandTextTrackPrivateAVF::processAttributedStrings):
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/271415@main
Canonical link: https://commits.webkit.org/267815.601@safari-7617-branch
Commit: fbe4e864f2f178cca10ced7c3fee6bd84297762f
https://github.com/WebKit/WebKit/commit/fbe4e864f2f178cca10ced7c3fee6bd84297762f
Author: Brianna Fan <bfan2 at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
Log Message:
-----------
Cherry-pick 271425 at main (8bab728f7562). rdar://119050672
[git-webkit pr] Make Terminal prompting more intuitive
https://bugs.webkit.org/show_bug.cgi?id=265697
rdar://119050672
Reviewed by Jonathan Bedard.
Add explanation of "Retry" option and restore Yes/No.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.pre_pr_checks):
Canonical link: https://commits.webkit.org/271425@main
Canonical link: https://commits.webkit.org/267815.602@safari-7617-branch
Commit: 762aaf1448a2f358e20eee8916bb1946763f5085
https://github.com/WebKit/WebKit/commit/762aaf1448a2f358e20eee8916bb1946763f5085
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
Log Message:
-----------
Cherry-pick 271474 at main (0a57a82da90d). rdar://119050672
[git-webkit pr] Make Terminal prompting more intuitive (Follow-up)
https://bugs.webkit.org/show_bug.cgi?id=265697
rdar://119050672
Unreviewed follow-up fix.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.pre_pr_checks): Continue with upload if user says "Yes" to ignoring checker errors.
Canonical link: https://commits.webkit.org/271474@main
Canonical link: https://commits.webkit.org/267815.603@safari-7617-branch
Commit: be0cdb2167205e785d640be8b5c830ddd942abaa
https://github.com/WebKit/WebKit/commit/be0cdb2167205e785d640be8b5c830ddd942abaa
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7617.2.2
Identifier: 267815.604 at safari-7617-branch
Commit: 347a7fcbc77405a30fe4af5a4b31ffb6fc20d576
https://github.com/WebKit/WebKit/commit/347a7fcbc77405a30fe4af5a4b31ffb6fc20d576
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
M Source/WebCore/editing/FrameSelection.cpp
M Tools/TestWebKitAPI/Tests/ios/KeyboardInputTestsIOS.mm
Log Message:
-----------
Cherry-pick a20779d6520d. rdar://118401826
HTML notes is showing gray underline for autocorrection
https://bugs.webkit.org/show_bug.cgi?id=265050
rdar://118401826
Reviewed by Wenson Hsieh.
Before 266070 at main, the caret color on iOS was almost always blue (specifically, always except for
when the caret color was explicitly set by the CSS author). The change was needed on macOS because
otherwise some sites would have overlapping carets. The commit changed both macOS and iOS to be more
consistent, and more compliant with the CSS spec. However, while this did technically improve web
compatibility in iOS, it made things worse than they were before:
- The caret on iOS is now almost always black (it is on macOS too, but it is worse on iOS because
the caret was always blue previously)
- It has caused several issues in apps with custom tint colors (like https://bugs.webkit.org/show_bug.cgi?id=263123
and several others)
This specific bug is due to the fact that the correct underlines directly use the caret color. The
reason the commit that addressed the color of the caret itself on iOS and not this color as well
is because the two colors come from different paths, and the fix only fixed the actual caret
(insertion point) color.
To fix, and prevent similar bugs, undo the part of 266070 at main that changed the iOS behavior. This
restores the previous behavior, in addition to fixing this bug.
* Source/WebCore/editing/FrameSelection.cpp:
(WebCore::CaretBase::computeCaretColor):
Canonical link: https://commits.webkit.org/271278@main
Identifier: 267815.605 at safari-7617-branch
Commit: f2ba7a5d0dd0ff434e236bcde9df86cfed98d58b
https://github.com/WebKit/WebKit/commit/f2ba7a5d0dd0ff434e236bcde9df86cfed98d58b
Author: David Kilzer <ddkilzer at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch
Log Message:
-----------
[WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.
* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.
Canonical link: https://commits.webkit.org/267815.606@safari-7617-branch
Commit: 7fa29f992225cad4da4ad899b5325a37e0cb22a5
https://github.com/WebKit/WebKit/commit/7fa29f992225cad4da4ad899b5325a37e0cb22a5
Author: David Kilzer <ddkilzer at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch
Log Message:
-----------
[WebRTC] Out-of-bounds crash in webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers. This
matches the check in SsDataLength(), but that's called later when
initializing fields in RtpPacketizerVp9.
* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.
Canonical link: https://commits.webkit.org/267815.607@safari-7617-branch
Commit: e09e3cd2f3dbf6f63f88aa196a65d6ba903a4695
https://github.com/WebKit/WebKit/commit/e09e3cd2f3dbf6f63f88aa196a65d6ba903a4695
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2023-12-04 (Mon, 04 Dec 2023)
Changed paths:
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
M Source/WebCore/platform/graphics/ShadowBlur.cpp
Log Message:
-----------
heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762.
Reviewed by Simon Fraser.
For very large box-shadow sizes due to floating point precision error,
ImageBuffer::getPixelBuffer returns 'PixelBuffer' size which
is not same as passed size. This causes buffer overflow/underflow
issue for these large sizes. In order to fix it now we use same
size as allocated 'PixelBuffer' size even though it could be slightly
different than original size.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size.
Canonical link: https://commits.webkit.org/267815.608@safari-7617-branch
Commit: deb881141e09d62a0c29691af346d3a0c83929cf
https://github.com/WebKit/WebKit/commit/deb881141e09d62a0c29691af346d3a0c83929cf
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-05 (Tue, 05 Dec 2023)
Changed paths:
M Tools/TestWebKitAPI/Tests/ios/KeyboardInputTestsIOS.mm
Log Message:
-----------
Build fix for 267815.605 at safari-7617-branch (347a7fcbc774)
Unreviewed build fix.
* Tools/TestWebKitAPI/Tests/ios/KeyboardInputTestsIOS.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/267815.609@safari-7617-branch
Commit: 8d4c34c207267cc1c5653ffffbafb34cc4efeb92
https://github.com/WebKit/WebKit/commit/8d4c34c207267cc1c5653ffffbafb34cc4efeb92
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-05 (Tue, 05 Dec 2023)
Changed paths:
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h
Log Message:
-----------
[macOS] WebContent crash in WTF::deallocateSendRightSafely under ~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202
Reviewed by Chris Dumez.
After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue, we now protect it in RemoteDisplayListRecorderProxy with a lock.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:
Canonical link: https://commits.webkit.org/267815.610@safari-7617-branch
Commit: ca57f6a1de59bc5e5d52295c5d652b500b17f6e8
https://github.com/WebKit/WebKit/commit/ca57f6a1de59bc5e5d52295c5d652b500b17f6e8
Author: Erica Li <lerica at apple.com>
Date: 2023-12-05 (Tue, 05 Dec 2023)
Changed paths:
A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt
A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html
M Source/WebCore/svg/SVGAnimateMotionElement.cpp
M Source/WebCore/svg/SVGAnimateMotionElement.h
M Source/WebCore/svg/SVGMPathElement.cpp
M Source/WebCore/svg/SVGMPathElement.h
Log Message:
-----------
[72857589b8bce60e] ASAN_ILL | WebCore::TreeScopeOrderedMap::getElementById; WebCore::TreeScope::getElementById; WebCore::SVGURIReference::targetElementFromIRIString.
https://bugs.webkit.org/show_bug.cgi?id=265562
rdar://118513775
Reviewed by Chris Dumez.
updateAnimationPath should be done after treescope is fully updated.
* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt: Added.
* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html: Added.
* Source/WebCore/svg/SVGAnimateMotionElement.cpp:
(WebCore::SVGAnimateMotionElement::childrenChanged):
* Source/WebCore/svg/SVGAnimateMotionElement.h:
* Source/WebCore/svg/SVGMPathElement.cpp:
(WebCore::SVGMPathElement::removedFromAncestor):
(WebCore::SVGMPathElement::targetPathChanged):
(WebCore::SVGMPathElement::notifyParentOfPathChange): Deleted.
* Source/WebCore/svg/SVGMPathElement.h:
Canonical link: https://commits.webkit.org/267815.611@safari-7617-branch
Commit: 61598c9bb40b243f894dcc3573c228ac85e336f5
https://github.com/WebKit/WebKit/commit/61598c9bb40b243f894dcc3573c228ac85e336f5
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-06 (Wed, 06 Dec 2023)
Changed paths:
M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm
Log Message:
-----------
HSTS not partitioned for Fetch (according to privacytests.org)
rdar://119047103
Reviewed by Alex Christensen.
When downgrading in WKNetworkSessionDelegate to not use HSTS, we were downgrading by creating the downgraded request and triggering a synthetic redirection.
Fetch is exposing whether a redirection is done via Response.redirected, and this includes synthetic redirections.
This allows a web page to query the HSTS global cache.
To prevent this, we directly downgrade the request and continue the load with the downgraded request.
We do not need the synthetic redirection since the downgraded request should be exactly the same as the initial request.
* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/267815.612@safari-7617-branch
Commit: b8d1016eb121b4d7b62638a82ce43b47475ca3ec
https://github.com/WebKit/WebKit/commit/b8d1016eb121b4d7b62638a82ce43b47475ca3ec
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-06 (Wed, 06 Dec 2023)
Changed paths:
M Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in
M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.h
M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.messages.in
M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.cpp
M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.h
M Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.cpp
Log Message:
-----------
Cherry-pick 57afaa96431b. rdar://112621697
REGRESSION (iOS 17 Beta): The camera preview is with a wrong resolution for a short time when the iOS User enables/disables the camera
https://bugs.webkit.org/show_bug.cgi?id=259364
rdar://112621697
Reviewed by Jer Noble.
The fencing mechanism to synchronize UIProcess and GPUProcess layering works properly only on main thread.
We therefore need to process the WebProcess to GPUProcess message in main thread and not in a queue.
We thus introduce a new GPUConnectionToWebProcess message that will be processed in main thread.
We then get the SampleBufferDisplayLayer (via a lock) to call updateSampleLayerBoundsAndPosition which synchronously updates the bounds.
* Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm:
(WebCore::LocalSampleBufferDisplayLayer::updateSampleLayerBoundsAndPosition):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
(WebKit::GPUConnectionToWebProcess::updateSampleBufferDisplayLayerBoundsAndPosition):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h:
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.h:
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.messages.in:
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.cpp:
(WebKit::RemoteSampleBufferDisplayLayerManager::close):
(WebKit::RemoteSampleBufferDisplayLayerManager::dispatchMessage):
(WebKit::RemoteSampleBufferDisplayLayerManager::createLayer):
(WebKit::RemoteSampleBufferDisplayLayerManager::releaseLayer):
(WebKit::RemoteSampleBufferDisplayLayerManager::allowsExitUnderMemoryPressure const):
(WebKit::RemoteSampleBufferDisplayLayerManager::updateSampleBufferDisplayLayerBoundsAndPosition):
* Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.h:
* Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.cpp:
(WebKit::SampleBufferDisplayLayer::updateBoundsAndPosition):
Canonical link: https://commits.webkit.org/270548@main
Identifier: 267815.613 at safari-7617-branch
Commit: 20a9527d6c2ad1fbf5693b83b8f932a010a9f97c
https://github.com/WebKit/WebKit/commit/20a9527d6c2ad1fbf5693b83b8f932a010a9f97c
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-06 (Wed, 06 Dec 2023)
Changed paths:
A LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners-expected.txt
A LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners.html
M Source/WebCore/animation/KeyframeEffect.cpp
Log Message:
-----------
Cherry-pick 4a38bbbd7547. rdar://119244430
[web-animations] accelerated CSS Animation should not schedule animation resolution at iteration boundary if no CSS Animation event listener was registered (affects reddit.com)
https://bugs.webkit.org/show_bug.cgi?id=265936
rdar://119244430
Reviewed by Antti Koivisto.
While we don't need to schedule animation resolution for animations that are running accelerated
to resolve styles, we do need to schedule resolution in order to dispatch `animationiteration`
events in the case of CSS Animations.
However, it is unlikely that the content will be interested in such events. As a cheap optimization,
we can detect whether any CSS Animation event listener is registered for the document to which the
effect target belongs, and if that is not the case we don't need to schedule animation resolution.
* LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners-expected.txt: Added.
* LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners.html: Added.
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::timeToNextTick const):
Canonical link: https://commits.webkit.org/271604@main
Identifier: 267815.614 at safari-7617-branch
Commit: dac245db0ce472b930c10ca9cfb87fc9f46844b6
https://github.com/WebKit/WebKit/commit/dac245db0ce472b930c10ca9cfb87fc9f46844b6
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-06 (Wed, 06 Dec 2023)
Changed paths:
M Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj
M Source/WebCore/PAL/pal/PlatformMac.cmake
M Source/WebCore/PAL/pal/spi/ios/UIKitSPI.h
A Source/WebCore/PAL/pal/spi/mac/NSTextTableSPI.h
M Source/WebCore/editing/cocoa/AttributedString.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm
M Tools/TestWebKitAPI/ios/UIKitSPI.h
Log Message:
-----------
Cherry-pick 3acbb664bd93. rdar://119035264
Borders, backgrounds, and other table cell properties are lost when pasting tables into TextEdit
https://bugs.webkit.org/show_bug.cgi?id=265712
rdar://119035264
Reviewed by Richard Robinson.
Even after the fixes in 266700 at main and 269265 at main, attributed string serialization is still lossy.
In the process of preserving table structure in `reconstructStyle` by recreating any
`NSTextTableBlock` instances that point to separate tables but (originally) belonged to the same
`NSTextTable` upon encoding, we end up discarding the decoded `NSTextTableBlock`, and only carry
over some aspects of the block (i.e., row and column information).
This causes us to lose information about the style and layout of these tables, on various bits of
state on `NSTextTableBlock` that are populated in `HTMLConverter::_fillInBlock`.
To fix this, we adopt a UIFoundation SPI, `-_takeValuesFromTextBlock:`, that allows us to copy
across the entire state of the `NSTextTableBlock` in a way that preserves style and layout
information, without changing the containing `NSTextTable`, or any of the row/column values.
* Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj:
* Source/WebCore/PAL/pal/PlatformMac.cmake:
* Source/WebCore/PAL/pal/spi/ios/UIKitSPI.h:
* Source/WebCore/PAL/pal/spi/mac/NSTextTableSPI.h: Added.
* Source/WebCore/editing/cocoa/AttributedString.mm:
(WebCore::reconstructStyle):
Implement the main fix here, by using `-_takeValuesFromTextBlock:` to copy all layout and
presentational attributes from the original, decoded text block over to the new one that points to
the correct text table.
* Tools/TestRunnerShared/spi/UIKitSPIForTesting.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm:
Canonical link: https://commits.webkit.org/271485@main
Identifier: 267815.615 at safari-7617-branch
Commit: 496b93071e4c723a80e1927d7fd7c276b881e740
https://github.com/WebKit/WebKit/commit/496b93071e4c723a80e1927d7fd7c276b881e740
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-06 (Wed, 06 Dec 2023)
Changed paths:
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm
Log Message:
-----------
Follow-up fix for 267815.615 at safari-7617-branch (dac245db0ce4)
rdar://119035264
Unreviewed follow-up fix.
Fix the build.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm:
Canonical link: https://commits.webkit.org/267815.616@safari-7617-branch
Commit: bcce2ea1a9a814f77379ff23279b7717a1214b2c
https://github.com/WebKit/WebKit/commit/bcce2ea1a9a814f77379ff23279b7717a1214b2c
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Cherry-pick 270734.5 at webkit-embargoed (bd192edd0348). rdar://117914028
[Content-visibility] RenderTreeNeedsLayoutChecker asserts on fixed positioned box inside skipped subtree
https://bugs.webkit.org/show_bug.cgi?id=264169
rdar://117914028
Reviewed by Alan Baradlay.
Avoid simplified layout when laying out a content-visibility root with positioned children since
there is no guarantee the positioned children have been processed in a previous layout due to
lazy layout of skipped content.
* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::simplifiedLayout):
Canonical link: https://commits.webkit.org/270734.5@webkit-2023.11-embargoed
Canonical link: https://commits.webkit.org/267815.617@safari-7617-branch
Commit: 968b887414d9f0040fef5d9d02dc2c8ea79249c6
https://github.com/WebKit/WebKit/commit/968b887414d9f0040fef5d9d02dc2c8ea79249c6
Author: Rob Buis <rbuis at igalia.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
A LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt
A LayoutTests/mathml/operator-append-fixed-container-svg-crash.html
A LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt
A LayoutTests/mathml/token-append-fixed-container-svg-crash.html
M Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp
M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp
Log Message:
-----------
Cherry-pick 270734.4 at webkit-embargoed (f765915efb81). rdar://116448289
MathML does not always handle positioned objects correctly
https://bugs.webkit.org/show_bug.cgi?id=264636
Reviewed by Alan Baradlay.
For mo/mi elements positioned objects are not laid out at all so in this
case after layout the tree is still dirty. Fix this by calling layoutPositionedObjects
for tokens and operators.
* LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt: Added.
* LayoutTests/mathml/operator-append-fixed-container-svg-crash.html: Added.
* LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt: Added.
* LayoutTests/mathml/token-append-fixed-container-svg-crash.html: Added.
* Source/WTF/wtf/Assertions.cpp:
* Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp:
(WebCore::RenderMathMLOperator::layoutBlock):
* Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
(WebCore::RenderMathMLToken::layoutBlock):
Canonical link: https://commits.webkit.org/270734.4@webkit-2023.11-embargoed
Canonical link: https://commits.webkit.org/267815.618@safari-7617-branch
Commit: 2ea6d778fe0fe33d6f28c79667c39a3997c77dd3
https://github.com/WebKit/WebKit/commit/2ea6d778fe0fe33d6f28c79667c39a3997c77dd3
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
M Tools/TestWebKitAPI/Tests/WebCore/ApplicationManifestParser.cpp
Log Message:
-----------
Apply patch. rdar://119285549
Identifier: 267815.619 at safari-7617-branch
Commit: 038626919ce2425760f1ec5afb08c8750480b120
https://github.com/WebKit/WebKit/commit/038626919ce2425760f1ec5afb08c8750480b120
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
A LayoutTests/webanimations/scheduling-of-animation-with-display-contents-expected.txt
A LayoutTests/webanimations/scheduling-of-animation-with-display-contents.html
A LayoutTests/webanimations/scheduling-of-animation-without-renderer-expected.txt
A LayoutTests/webanimations/scheduling-of-animation-without-renderer.html
M Source/WebCore/animation/KeyframeEffect.cpp
Log Message:
-----------
Cherry-pick 452ca171058f. rdar://119191813
[web-animations] effect targeting an element with `display: none` should not schedule immediate animation resolution (affects reddit.com)
https://bugs.webkit.org/show_bug.cgi?id=265934
rdar://119191813
Reviewed by Simon Fraser and Antti Koivisto.
Typically, effects that are in their active phase (i.e. their current time is changing from frame
to frame (see https://drafts.csswg.org/web-animations-1/#animation-effect-active-phase for details))
will schedule immediate animation resolution. However there are exceptions, for instance we don't
schedule immediate animation resolution if the effect does not affect styles or if the effect is
running accelerated.
We now also handle the case where an effect's target does not have a renderer, as would be the case
if an element has a `display: none` style, making sure to also handle the `display: contents` case
where a renderer is not created for the target element, but will for its children.
This helps power usage on reddit.com which has JS-originated animations running infinitely that are
targeting elements in shadow roots that eventually lose their renderer.
* LayoutTests/webanimations/scheduling-of-animation-with-display-contents-expected.txt: Added.
* LayoutTests/webanimations/scheduling-of-animation-with-display-contents.html: Added.
* LayoutTests/webanimations/scheduling-of-animation-without-renderer-expected.txt: Added.
* LayoutTests/webanimations/scheduling-of-animation-without-renderer.html: Added.
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::ticksContinouslyWhileActive const):
Canonical link: https://commits.webkit.org/271614@main
Identifier: 267815.620 at safari-7617-branch
Commit: 34dfc8d1af81023b307364bce6be4c4a2d3d082e
https://github.com/WebKit/WebKit/commit/34dfc8d1af81023b307364bce6be4c4a2d3d082e
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
M Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp
M Source/WebKit/UIProcess/API/gtk/PageClientImpl.h
M Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp
M Source/WebKit/UIProcess/API/wpe/PageClientImpl.h
M Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.cpp
M Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.h
M Source/WebKit/UIProcess/DrawingAreaProxy.cpp
M Source/WebKit/UIProcess/DrawingAreaProxy.h
M Source/WebKit/UIProcess/PageClient.h
M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.h
M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm
M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteLayerTreeDrawingAreaProxyIOS.h
M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteLayerTreeDrawingAreaProxyIOS.mm
M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeDrawingAreaProxyMac.h
M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeDrawingAreaProxyMac.mm
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
M Source/WebKit/UIProcess/ios/WKContentView.h
M Source/WebKit/UIProcess/ios/WKContentView.mm
M Source/WebKit/UIProcess/mac/PageClientImplMac.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
M Source/WebKit/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.h
M Source/WebKit/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm
M Source/WebKit/UIProcess/mac/WebViewImpl.h
M Source/WebKit/UIProcess/mac/WebViewImpl.mm
M Source/WebKit/UIProcess/playstation/PageClientImpl.cpp
M Source/WebKit/UIProcess/playstation/PageClientImpl.h
M Source/WebKit/UIProcess/wc/DrawingAreaProxyWC.cpp
M Source/WebKit/UIProcess/wc/DrawingAreaProxyWC.h
M Source/WebKit/UIProcess/win/PageClientImpl.cpp
M Source/WebKit/UIProcess/win/PageClientImpl.h
Log Message:
-----------
Apply patch. rdar://118700595
Identifier: 267815.621 at safari-7617-branch
Commit: 043ef42f31017917e34b2288f2aaa8e7581d5c30
https://github.com/WebKit/WebKit/commit/043ef42f31017917e34b2288f2aaa8e7581d5c30
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
M Source/WebCore/html/HTMLMediaElement.cpp
Log Message:
-----------
Cherry-pick 9ebaa6b42015. rdar://118902468
[Media] Don't try to loop if current time or duration is zero
https://bugs.webkit.org/show_bug.cgi?id=265485
rdar://118902468
Reviewed by Jer Noble.
Don't loop if current time or duration is zero.
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::mediaPlayerTimeChanged):
Canonical link: https://commits.webkit.org/271256@main
Identifier: 267815.622 at safari-7617-branch
Commit: 430d474531c0feb483cf5ffdf968e7dbdcf3ad4e
https://github.com/WebKit/WebKit/commit/430d474531c0feb483cf5ffdf968e7dbdcf3ad4e
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
A LayoutTests/js/structuredClone/structured-clone-validation-with-big-int-expected.txt
A LayoutTests/js/structuredClone/structured-clone-validation-with-big-int.html
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
CloneSerializer/Deserializer's objectPool should match.
https://bugs.webkit.org/show_bug.cgi?id=265975
rdar://118868470
Reviewed by Chris Dumez and Sihui Liu
CloneSerializer and CloneDeserializer use m_gcBuffer for multiple purposes:
1. As an object pool that ObjectReferenceTag refers back to i.e. the order of its
entries needs to be consistent between CloneSerializer and CloneDeserializer.
2. As a keep alive buffer to protect some objects used in the serialization effort.
Purpose (2) conflicts with purpose (1), which can lead to bugs. This patch disambiguates
between these 2 purposes by introducing m_objectPool for purpose (1), and m_keepAliveBuffer
for purpose (2).
Changes made:
1. Renamed m_objectPool to m_objectPoolMap.
2. Renamed m_gcBuffer to m_objectPool: for tracking the list of objects that ObjectReferenceTag
can refer to.
3. Added m_keepAliveBuffer to CloneSerializer: for keeping miscellaneous objects alive from the GC.
4. Renamed some method names for clarity:
CloneSerializer::checkForDuplicate --> CloneSerializer::writeObjectReferenceIfDupe
CloneSerializer::recordObject --> CloneSerializer::addToObjectPool
CloneSerializer::startObjectInternal --> CloneSerializer::addToObjectPoolIfNotDupe
5. Used CloneSerializer::addToObjectPoolIfNotDupe instead of the following:
CloneSerializer::startObject
CloneSerializer::startArray
CloneSerializer::startSet
CloneSerializer::startMap
The clients of addToObjectPoolIfNotDupe now indicate what object types (indicated by their
SerializationTags) they are adding. This makes it easier to compare the serialization and
deserialization code and make sure that they are equivalent.
This enables us to audit the type of object being added and provide a sanity check that
it's also added on the deserializer side.
6. Introduced CloneDeserializer::addToObjectPool() so that we can tag which object type (as
indicated by its SerializationTag) we're adding to the m_objectPool (instead of calling
appendWithCrashOnOverflow() on it directly to add objects).
This enables us to audit the type of object being added and provide a sanity check that
it's also added on the serializer side.
7. Removed 3 calls to m_gcBuffer.appendWithCrashOnOverflow in the BigIntTag case in
CloneDeserializer::readBigInt(). This was a bug.
8. Removed the following calls to m_gcBuffer.appendWithCrashOnOverflow in CloneSerializer::serialize:
a. redundant adding of the JSMap object. It was already added by startMap(), now addToObjectPoolIfNotDupe().
b. keep alive of the JSMapIterator object. It does not need to be in m_objectPool.
c. keep alive of a map entry value.
d. redundant adding of the JSSet object. It was already added by startSet(), now addToObjectPoolIfNotDupe().
e. keep alive of the JSSetIterator object. It does not need to be in m_objectPool.
These were bugs.
9. Renamed the mapObjectStartState and setObjectStartState labels in the deserializer to match the
mapStartState and setStartState labels in the serializer. This makes it easier to check the
equivalency of the operations in the two.
10. Added a validator (see validateSerializedResult()) in the serializer.
The validator works by running a deserialization pass on the output of the serializer.
After that, it compares the m_objectPoolTags of the 2 passes, and their entries should
match. This ensures that the serializer and deserializer will catch any bugs in the
serialization / deserialization order of objects.
a. The validator is only enabled on Debug builds (not built in on Release builds).
b. The validator is only run when JSC::Options::validateSerializedValue() is true.
c. The validator is only run when the object graph to be serialized and deserialized
does not contain any complicated / complex objects. "complex" here means that
serialization of such objects cannot be validated this way.
d. The validator is only run when both serialization and deserialization passes succeed.
With this validator, we can now fuzz the serializer / deserializer by creating HTML test cases
where we build an object graph and call structuredClone() on it. The HTML test will need to have
the following comment on its 1st line:
<!-- webkit-test-runner [ jscOptions=--validateSerializedValue=true ] -->
This will enable the validator when structured cloning is done on that object graph.
* LayoutTests/js/structuredClone/structured-clone-validation-with-big-int-expected.txt: Added.
* LayoutTests/js/structuredClone/structured-clone-validation-with-big-int.html: Added.
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::name):
(WTF::printInternal):
(WebCore::canBeAddedToObjectPool):
(WebCore::CloneBase::objectPoolTags const):
(WebCore::CloneBase::appendObjectPoolTag):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneSerializer::sawComplexCase):
(WebCore::CloneSerializer::didSeeComplexCases const):
(WebCore::CloneSerializer::fillTransferMap):
(WebCore::CloneSerializer::writeObjectReferenceIfDupe):
(WebCore::CloneSerializer::addToObjectPool):
(WebCore::CloneSerializer::addToObjectPoolIfNotDupe):
(WebCore::CloneSerializer::dumpStringObject):
(WebCore::CloneSerializer::dumpArrayBufferView):
(WebCore::CloneSerializer::dumpIfTerminal):
(WebCore::CloneSerializer::writeObjectIndex):
(WebCore::CloneDeserializer::addToObjectPool):
(WebCore::CloneDeserializer::readBigInt):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):
(WebCore::validateSerializedResult):
(WebCore::CloneSerializer::checkForDuplicate): Deleted.
(WebCore::CloneSerializer::recordObject): Deleted.
(WebCore::CloneSerializer::startObjectInternal): Deleted.
(WebCore::CloneSerializer::startObject): Deleted.
(WebCore::CloneSerializer::startArray): Deleted.
(WebCore::CloneSerializer::startSet): Deleted.
(WebCore::CloneSerializer::startMap): Deleted.
Canonical link: https://commits.webkit.org/267815.623@safari-7617-branch
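
The object-pool invariant and the validator described in the log message above, as an added sketch that is not part of the commit and is not WebKit's code. The tag values, the toy wire format and the `poolBigInts` switch are assumptions made for illustration; the switch models a deserializer that pools a value the serializer never pooled, so a back-reference resolves to the wrong object.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

// Constructed toy tags for this sketch; not WebKit's SerializationTag values.
enum Tag : std::uint8_t { ObjectTag = 1, ArrayTag, BigIntTag, ObjectReferenceTag, EndTag };

struct Node {
    Tag tag = ObjectTag;
    std::vector<std::shared_ptr<Node>> kids;
};
using NodePtr = std::shared_ptr<Node>;

NodePtr makeNode(Tag t, std::vector<NodePtr> kids = {}) {
    auto n = std::make_shared<Node>();
    n->tag = t;
    n->kids = std::move(kids);
    return n;
}

struct Serializer {
    std::vector<std::uint8_t> out;
    std::map<const Node*, std::uint8_t> poolMap;  // object -> index in the pool
    std::vector<Tag> poolTags;                    // tag of each pooled object, in order

    void write(const NodePtr& n) {
        if (n->tag == BigIntTag) { out.push_back(BigIntTag); return; }  // terminal, never pooled
        auto it = poolMap.find(n.get());
        if (it != poolMap.end()) {                // already seen: emit a back-reference
            out.push_back(ObjectReferenceTag);
            out.push_back(it->second);
            return;
        }
        poolMap[n.get()] = static_cast<std::uint8_t>(poolTags.size());
        poolTags.push_back(n->tag);
        out.push_back(n->tag);
        for (const auto& k : n->kids) write(k);
        out.push_back(EndTag);
    }
};

struct Deserializer {
    const std::vector<std::uint8_t>& in;
    bool poolBigInts;                             // true = the mismatched behaviour
    std::size_t pos = 0;
    std::vector<NodePtr> pool;
    std::vector<Tag> poolTags;

    Deserializer(const std::vector<std::uint8_t>& bytes, bool bug) : in(bytes), poolBigInts(bug) {}

    void addToObjectPool(Tag t, const NodePtr& n) { pool.push_back(n); poolTags.push_back(t); }

    std::uint8_t next() {
        if (pos >= in.size()) throw std::runtime_error("truncated input");
        return in[pos++];
    }

    NodePtr read() {
        Tag t = static_cast<Tag>(next());
        if (t == BigIntTag) {
            NodePtr n = makeNode(BigIntTag);
            if (poolBigInts) addToObjectPool(t, n);  // entry the serializer never made
            return n;
        }
        if (t == ObjectReferenceTag) {
            std::uint8_t index = next();
            if (index >= pool.size()) throw std::runtime_error("reference out of range");
            return pool[index];
        }
        if (t != ObjectTag && t != ArrayTag) throw std::runtime_error("unknown tag");
        NodePtr n = makeNode(t);
        addToObjectPool(t, n);
        while (pos < in.size() && in[pos] != EndTag) n->kids.push_back(read());
        next();                                   // consume EndTag, throws if missing
        return n;
    }
};

enum class Validation { Skipped, Match, Mismatch };

// Constructed sample graph: [ BigInt, obj, obj ], both obj entries being the same object.
NodePtr buildSample() {
    NodePtr shared = makeNode(ObjectTag);
    return makeNode(ArrayTag, { makeNode(BigIntTag), shared, shared });
}

// Deserialize the serializer's own output and compare the two pool tag lists.
Validation validateSerializedResult(const NodePtr& root, bool deserializerPoolsBigInts) {
    Serializer s;
    s.write(root);
    Deserializer d(s.out, deserializerPoolsBigInts);
    try { d.read(); } catch (const std::runtime_error&) { return Validation::Skipped; }
    return d.poolTags == s.poolTags ? Validation::Match : Validation::Mismatch;
}

// Tag of the value that the back-reference (third element) resolves to after a round trip.
Tag tagSeenThroughReference(bool deserializerPoolsBigInts) {
    Serializer s;
    s.write(buildSample());
    Deserializer d(s.out, deserializerPoolsBigInts);
    return d.read()->kids[2]->tag;
}

int main() {
    std::cout << "pools match: " << (validateSerializedResult(buildSample(), false) == Validation::Match)
              << ", mismatch caught: " << (validateSerializedResult(buildSample(), true) == Validation::Mismatch)
              << ", reference resolves to tag " << int(tagSeenThroughReference(true)) << "\n";
}
```

In the mismatched run the round trip still succeeds without error, which is why comparing the pool tag lists catches what a plain success check would miss.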
Commit: 0ad98b6063053b340abd74b0e42686fff2b432c2
https://github.com/WebKit/WebKit/commit/0ad98b6063053b340abd74b0e42686fff2b432c2
Author: Youenn Fablet <youennf at gmail.com>
Date: 2023-12-08 (Fri, 08 Dec 2023)
Changed paths:
M LayoutTests/fullscreen/full-screen-enabled-expected.txt
M LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt
M LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt
M LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
M LayoutTests/fullscreen/full-screen-restrictions-expected.txt
M LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt
M LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt
A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt
A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html
A LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html
M LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt
M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt
M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt
M LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt
M LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt
M LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt
M LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt
M LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt
M Source/WebCore/html/FeaturePolicy.cpp
M Source/WebCore/html/FeaturePolicy.h
Log Message:
-----------
Cross-origin <embed> elements can request media permission, and prompts show main-frame URL
https://bugs.webkit.org/show_bug.cgi?id=265812
rdar://119149318
Reviewed by Chris Dumez.
We should apply feature policy for all elements, including embed and frame elements.
Since there are no allow attributes, we should use the default feature policy rules for those elements.
Update isFeaturePolicyAllowedByDocumentAndAllOwners accordingly.
Rebase tests according to the updated console log message.
* LayoutTests/fullscreen/full-screen-enabled-expected.txt:
* LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt:
* LayoutTests/fullscreen/full-screen-restrictions-expected.txt:
* LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt:
* LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt:
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt: Added.
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html: Added.
* LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html: Added.
* LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt:
* LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt:
* Source/WebCore/html/FeaturePolicy.cpp:
(WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
(WebCore::FeaturePolicy::parse):
* Source/WebCore/html/FeaturePolicy.h:
(WebCore::FeaturePolicy::defaultPolicy):
(WebCore::FeaturePolicy::parse):
Canonical link: https://commits.webkit.org/267815.624@safari-7617-branch
Commit: aa738c8a36f74b032dc493278281ac9230a97c2c
https://github.com/WebKit/WebKit/commit/aa738c8a36f74b032dc493278281ac9230a97c2c
Author: Sihui Liu <sihui_liu at apple.com>
Date: 2023-12-08 (Fri, 08 Dec 2023)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
SEED ☂: Video - Playback does not start - [Includes Logs] - Netflix.com
https://bugs.webkit.org/show_bug.cgi?id=266111
rdar://118775332
Reviewed by Chris Dumez and Mark Lam.
rdar://116034413 changed the serialization format of script value but didn’t update version number. This was later fixed
by rdar://117020274, which upgraded version number to 15 and made sure data serialized in new format contains new
version number. The problem is, builds between rdar://116034413 and rdar://117020274 could create serialized script data
in new format but with old version number 14. These data can be stored persistently in IndexedDB database, and could not
be deserialized successfully after rdar://117020274 because they have mismatched version number and format.
To fix this, when we see an error in deserializing data with version number 14, we upgrade the version number and try
deserializing it again in new format. This patch tries deserialization again with a new deserializer instead of using
the old deserializer because it's more complicated to revert the internal states on a deserializer that fails.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):
(WebCore::CloneDeserializer::takeBackingStores):
(WebCore::CloneDeserializer::takeDetachedOffscreenCanvases):
(WebCore::CloneDeserializer::takeDetachedRTCDataChannels):
(WebCore::CloneDeserializer::takeSerializedVideoChunks):
(WebCore::CloneDeserializer::takeSerializedVideoFrames):
(WebCore::CloneDeserializer::takeSerializedAudioChunks):
(WebCore::CloneDeserializer::takeSerializedAudioData):
(WebCore::CloneDeserializer::version const):
(WebCore::CloneDeserializer::upgradeVersion):
Canonical link: https://commits.webkit.org/267815.625@safari-7617-branch
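
The retry-with-a-fresh-deserializer approach from the log message above, as an added sketch that is not part of the commit and is not WebKit's code. The record layout, `ToyDeserializer`, `deserializeWithRetry` and the sample bytes are constructed for illustration; only the version numbers 14 and 15 and the `version`/`upgradeVersion` method names come from the message.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed toy format, not WebKit's wire format:
//   byte 0       version (14 or 15)
//   v14 record   [len][len bytes]
//   v15 record   [flags: 0 or 1][len][len bytes]
using Bytes = std::vector<std::uint8_t>;

class ToyDeserializer {
public:
    explicit ToyDeserializer(const Bytes& in) : m_in(in), m_version(in.empty() ? 0 : in[0]) {}

    unsigned version() const { return m_version; }
    void upgradeVersion() { m_version = 15; }
    const std::vector<std::string>& strings() const { return m_strings; }

    // Returns false on malformed input. After a failure m_pos and m_strings
    // hold partial results, so the object is not reused for a second attempt.
    bool deserialize() {
        if (m_version != 14 && m_version != 15) return false;
        while (m_pos < m_in.size()) {
            if (m_version == 15) {
                if (m_in[m_pos++] > 1) return false;      // invalid flags byte
                if (m_pos >= m_in.size()) return false;   // length byte missing
            }
            std::size_t len = m_in[m_pos++];
            if (len > m_in.size() - m_pos) return false;  // length runs past the buffer
            m_strings.emplace_back(m_in.begin() + m_pos, m_in.begin() + m_pos + len);
            m_pos += len;
        }
        return true;
    }

private:
    const Bytes& m_in;
    unsigned m_version;
    std::size_t m_pos = 1;
    std::vector<std::string> m_strings;
};

struct Outcome {
    bool ok;
    unsigned version;   // version the successful (or last) pass used
    bool retried;
    std::vector<std::string> strings;
};

// Retry only when the stored version is 14 and the first pass failed; any
// other version that fails is reported as an error without a second attempt.
Outcome deserializeWithRetry(const Bytes& in) {
    ToyDeserializer first(in);
    if (first.deserialize()) return { true, first.version(), false, first.strings() };
    if (first.version() != 14) return { false, first.version(), false, {} };

    ToyDeserializer second(in);   // fresh object: no state left over from the failed pass
    second.upgradeVersion();
    if (second.deserialize()) return { true, second.version(), true, second.strings() };
    return { false, 14, true, {} };
}

// Constructed sample: header says 14, body is one v15 record (flags=1, "hi").
Bytes mislabelledSample() { return Bytes{ 14, 1, 2, 'h', 'i' }; }

int main() {
    Outcome o = deserializeWithRetry(mislabelledSample());
    std::cout << "ok=" << o.ok << " version=" << o.version << " retried=" << o.retried
              << " first=" << (o.strings.empty() ? "" : o.strings[0]) << "\n";
}
```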
Commit: 498c67b7417764ae5820281b3c7a9ba6f2984a85
https://github.com/WebKit/WebKit/commit/498c67b7417764ae5820281b3c7a9ba6f2984a85
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-11 (Mon, 11 Dec 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-617.2.3
Identifier: 267815.626 at safari-7617-branch
Commit: 8e02aee069adf2fc35c5998cbbf42f5b3e4b6e79
https://github.com/WebKit/WebKit/commit/8e02aee069adf2fc35c5998cbbf42f5b3e4b6e79
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-11 (Mon, 11 Dec 2023)
Changed paths:
M Source/WebCore/rendering/PaintFrequencyTracker.h
M Source/WebCore/rendering/RenderLayer.cpp
Log Message:
-----------
Cherry-pick 42af8a3d2bb4. rdar://119493994
Don't make the decision to cache a DisplayList for a TextRun depend on the rendering update frame rate
https://bugs.webkit.org/show_bug.cgi?id=264654
rdar://118259180
Reviewed by Simon Fraser.
Caching a DisplayList for a TextRun should happen if this TextRun is displayed
very often (say >= 20) regardless of the current frame rate.
* Source/WebCore/rendering/PaintFrequencyTracker.h:
(WebCore::PaintFrequencyTracker::track):
(WebCore::PaintFrequencyTracker::begin): Deleted.
(WebCore::PaintFrequencyTracker::end): Deleted.
(WebCore::SinglePaintFrequencyTracking::SinglePaintFrequencyTracking): Deleted.
(WebCore::SinglePaintFrequencyTracking::~SinglePaintFrequencyTracking): Deleted.
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::paintLayerContents):
(WebCore::RenderLayer::calculateClipRects const):
Canonical link: https://commits.webkit.org/270781@main
Identifier: 267815.627 at safari-7617-branch
Commit: c52d8a98ec937b7f71236d2825b342fc70de8685
https://github.com/WebKit/WebKit/commit/c52d8a98ec937b7f71236d2825b342fc70de8685
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-11 (Mon, 11 Dec 2023)
Changed paths:
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h
Log Message:
-----------
Cherry-pick 83d967c4920f. rdar://118497211
2D Context get/putImageData cache copies cached image data twice
https://bugs.webkit.org/show_bug.cgi?id=264927
rdar://118497211
Reviewed by Cameron McCormack.
Store the PixelBuffer that was used for putImageData,
avoid copying the ImageData redundantly.
Instead of copying during caching, copy with premultiply.
This way we omit one memcpy for caching and one premultiply for the real
putImageData.
To simplify the implementation, removes the conservative approach
where the caching would kick in at 3rd putImageData. Just cache
the first.
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::cacheImageDataIfPossible):
(WebCore::CanvasRenderingContext2DBase::takeCachedImageDataIfPossible const):
(WebCore::CanvasRenderingContext2DBase::putImageData):
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h:
Canonical link: https://commits.webkit.org/270975@main
Identifier: 267815.628 at safari-7617-branch
Commit: 87ffe53ed51b561b6c69d02afa28eab02e636c3d
https://github.com/WebKit/WebKit/commit/87ffe53ed51b561b6c69d02afa28eab02e636c3d
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
M Tools/Scripts/build-webkit
M Tools/Scripts/webkitdirs.pm
Log Message:
-----------
Cherry-pick 271986 at main (f36572812017). rdar://119615600
[build-webkit] Add --architecture argument
https://bugs.webkit.org/show_bug.cgi?id=266342
rdar://119615600
Reviewed by Ryan Haddad.
Add a '--architecture' argument to 'build-webkit' which allows
the caller to override the architecture used by 'build-webkit',
and appropriately sets 'ONLY_ACTIVE_ARCH=NO' if '--architecture'
is specified.
* Tools/Scripts/build-webkit: Add documentation of '--architecture' option.
* Tools/Scripts/webkitdirs.pm:
(determineArchitecture): Parse the '--architecture' option and set didUserSpecifyArchitecture.
(XcodeOptions): Set ONLY_ACTIVE_ARCH=NO if '--architecture' was passed.
Canonical link: https://commits.webkit.org/271986@main
Canonical link: https://commits.webkit.org/267815.629@safari-7617-branch
Commit: bc765d16baad4aa3e8d9642d7323b559a3dd716a
https://github.com/WebKit/WebKit/commit/bc765d16baad4aa3e8d9642d7323b559a3dd716a
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/WebCore/platform/graphics/Path.cpp
M Source/WebCore/platform/graphics/Path.h
M Source/WebCore/platform/graphics/PathImpl.h
M Source/WebCore/platform/graphics/PathStream.cpp
M Source/WebCore/platform/graphics/PathStream.h
M Source/WebCore/platform/graphics/cairo/PathCairo.cpp
M Source/WebCore/platform/graphics/cairo/PathCairo.h
M Source/WebCore/platform/graphics/cg/PathCG.cpp
M Source/WebCore/platform/graphics/cg/PathCG.h
Log Message:
-----------
Cherry-pick 268923 at main (4905aa0e3445). rdar://119608735
Reduce indirection in Path / PathStream
https://bugs.webkit.org/show_bug.cgi?id=262623
Reviewed by Simon Fraser.
Reduce indirection in Path / PathStream. PathStream now holds the vector of
segments directly instead of using another heap-allocated refcounted object
to hold the segment vector. This refcounted object was used to facilitate
sharing and copy on write. However, we can achieve the same thing by having
the Path objects sharing the same PathStream and cloning the PathStream only
on write.
Path::ensureImpl() was showing as a big source of fastMalloc() in profiles
and this should help with that.
* Source/WebCore/platform/graphics/Path.cpp:
(WebCore::Path::Path):
(WebCore::Path::operator== const):
(WebCore::Path::setImpl):
(WebCore::Path::asImpl):
(WebCore::Path::asImpl const):
(WebCore::Path::operator=): Deleted.
* Source/WebCore/platform/graphics/Path.h:
* Source/WebCore/platform/graphics/PathImpl.h:
* Source/WebCore/platform/graphics/PathStream.cpp:
(WebCore::PathStream::create):
(WebCore::PathStream::PathStream):
(WebCore::PathStream::copy const):
(WebCore::PathStream::lastIfMoveTo const):
(WebCore::PathStream::applySegments const):
(WebCore::PathStream::applyElements const):
(WebCore::PathStream::transform):
(WebCore::PathStream::singleSegment const):
(WebCore::PathStream::isClosed const):
(WebCore::PathStream::currentPoint const):
(WebCore::PathStream::fastBoundingRect const):
(WebCore::PathStream::boundingRect const):
(WebCore::PathStream::clone const): Deleted.
(WebCore::PathStream::operator== const): Deleted.
(WebCore::PathStream::segments const): Deleted.
* Source/WebCore/platform/graphics/PathStream.h:
* Source/WebCore/platform/graphics/cg/PathCG.cpp:
(WebCore::PathCG::create):
(WebCore::PathCG::copy const):
(WebCore::PathCG::clone const): Deleted.
(WebCore::PathCG::operator== const): Deleted.
* Source/WebCore/platform/graphics/cg/PathCG.h:
Canonical link: https://commits.webkit.org/268923@main
Canonical link: https://commits.webkit.org/267815.630@safari-7617-branch
Commit: 0ec30d83db605d88ae9a281c060f9a01a98972c4
https://github.com/WebKit/WebKit/commit/0ec30d83db605d88ae9a281c060f9a01a98972c4
Author: Carlos Garcia Campos <cgarcia at igalia.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/WebCore/platform/graphics/PathImpl.h
Log Message:
-----------
Cherry-pick 269805 at main (d64c4def18dd). rdar://119608829
[cairo] Crash in PathStream::copy() after 268923 at main
https://bugs.webkit.org/show_bug.cgi?id=263666
Reviewed by Chris Dumez.
This happens sometimes when threaded rendering is enabled. We need to
make PathImpl reference count thread safe. Fix spotted by Chris Dumez.
* Source/WebCore/platform/graphics/PathImpl.h:
Canonical link: https://commits.webkit.org/269805@main
Canonical link: https://commits.webkit.org/267815.631@safari-7617-branch
Commit: b4db56f94d3a8de9fbde9e2a37fe90c029605386
https://github.com/WebKit/WebKit/commit/b4db56f94d3a8de9fbde9e2a37fe90c029605386
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/WebCore/platform/graphics/Path.cpp
M Source/WebCore/platform/graphics/PathImpl.cpp
M Source/WebCore/platform/graphics/PathImpl.h
M Source/WebCore/platform/graphics/PathSegment.cpp
M Source/WebCore/platform/graphics/PathSegment.h
M Source/WebCore/platform/graphics/PathSegmentData.cpp
M Source/WebCore/platform/graphics/PathSegmentData.h
M Source/WebCore/platform/graphics/PathStream.cpp
M Source/WebCore/platform/graphics/PathStream.h
M Source/WebCore/platform/graphics/cairo/PathCairo.cpp
M Source/WebCore/platform/graphics/cairo/PathCairo.h
M Source/WebCore/platform/graphics/cg/PathCG.cpp
M Source/WebCore/platform/graphics/cg/PathCG.h
Log Message:
-----------
Cherry-pick 271199 at main (d132cc11f0bf). rdar://119538536
PathSegments cannot be used with anything else than PathImpl
https://bugs.webkit.org/show_bug.cgi?id=265247
rdar://118717060
Reviewed by Said Abou-Hallawa.
PathImpl and PathSegment were coupled:
PathImpl::appendSegment would call into PathSegment::addToImpl
PathSegment::addToImpl would call into PathImpl
This would be more complex than needed and also limit the PathSegments
to be only used with PathImpl.
Instead:
- PathSegment is the data that is being held -- no actions toward any
class that does actual work on the data.
- PathImpl knows how to use the path segment types: PathImpl::add()
for each path segment type.
- PathImpl knows how to use the PathSegment variant:
PathImpl::addSegment() for the PathSegment, doing generic add() over
the variants.
- Make each member function for adding segments PathImpl::add(). This
way generic algorithms over the variants are consistent to write.
- The PathImpl::add() parameters are by-value to avoid introducing
indirection, the arguments are always used.
Construct PathCG, PathCairo from PathStream without applySegments, as
the PathStream segment list can be just iterated.
This works towards being able to play back a PathSegment list to a
CGContext.
* Source/WebCore/platform/graphics/PathImpl.cpp:
(WebCore::PathImpl::appendSegment): Deleted.
* Source/WebCore/platform/graphics/PathImpl.h:
(WebCore::addPathSegment):
* Source/WebCore/platform/graphics/PathSegment.cpp:
(WebCore::PathSegment::addToImpl const): Deleted.
* Source/WebCore/platform/graphics/PathSegment.h:
(WebCore::PathSegment::addTo const):
* Source/WebCore/platform/graphics/PathSegmentData.cpp:
(WebCore::PathMoveTo::addToImpl const): Deleted.
(WebCore::PathLineTo::addToImpl const): Deleted.
(WebCore::PathQuadCurveTo::addToImpl const): Deleted.
(WebCore::PathBezierCurveTo::addToImpl const): Deleted.
(WebCore::PathArcTo::addToImpl const): Deleted.
(WebCore::PathArc::addToImpl const): Deleted.
(WebCore::PathEllipse::addToImpl const): Deleted.
(WebCore::PathEllipseInRect::addToImpl const): Deleted.
(WebCore::PathRect::addToImpl const): Deleted.
(WebCore::PathRoundedRect::addToImpl const): Deleted.
(WebCore::PathDataLine::addToImpl const): Deleted.
(WebCore::PathDataQuadCurve::addToImpl const): Deleted.
(WebCore::PathDataBezierCurve::addToImpl const): Deleted.
(WebCore::PathDataArc::addToImpl const): Deleted.
(WebCore::PathCloseSubpath::addToImpl const): Deleted.
* Source/WebCore/platform/graphics/PathSegmentData.h:
* Source/WebCore/platform/graphics/cairo/PathCairo.cpp:
(WebCore::PathCairo::create):
* Source/WebCore/platform/graphics/cg/PathCG.cpp:
(WebCore::PathCG::create):
Canonical link: https://commits.webkit.org/271199@main
Canonical link: https://commits.webkit.org/267815.632@safari-7617-branch
Commit: c10cd41406cbb5e072c402117b601ca289929388
https://github.com/WebKit/WebKit/commit/c10cd41406cbb5e072c402117b601ca289929388
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp
M Source/WebCore/platform/graphics/cg/PathCG.cpp
M Source/WebCore/platform/graphics/cg/PathCG.h
Log Message:
-----------
Cherry-pick 271354 at main (a8f57b13f2c7). rdar://119334889
GraphicsContextCG should clip the paths via CGContext in GPUP mode
https://bugs.webkit.org/show_bug.cgi?id=252833
rdar://105835901
Reviewed by Said Abou-Hallawa.
Construct the clipped path directly into the CGContext.
Instead of creating a CGPath object, add the path info upon need to
the CGContext.
Removes some of CG work in GPUP receive side where time is spent
just copying the CGPath objects.
The implementation has now duplicated logic:
- Add path segments to CGPath via PathCG
- Add path segments to CGContext path
The implementation of both are stored next to each other so that
they keep in sync.
* Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp:
(WebCore::setCGContextPath):
(WebCore::drawPathWithCGContext):
(WebCore::GraphicsContextCG::drawNativeImageInternal):
(WebCore::GraphicsContextCG::drawPattern):
(WebCore::GraphicsContextCG::drawPath):
(WebCore::GraphicsContextCG::fillPath):
(WebCore::GraphicsContextCG::strokePath):
(WebCore::GraphicsContextCG::fillRect):
(WebCore::GraphicsContextCG::fillRectWithRoundedHole):
(WebCore::GraphicsContextCG::clipOut):
(WebCore::GraphicsContextCG::clipPath):
(WebCore::GraphicsContextCG::beginTransparencyLayer):
(WebCore::GraphicsContextCG::drawLinesForText):
* Source/WebCore/platform/graphics/cg/PathCG.cpp:
(WebCore::addToContextPath):
(WebCore::copyClosingSubpathsApplierFunction):
(WebCore::addToCGContextPath):
* Source/WebCore/platform/graphics/cg/PathCG.h:
Canonical link: https://commits.webkit.org/271354@main
Canonical link: https://commits.webkit.org/267815.633@safari-7617-branch
Commit: ab7a534d3ca16ed784727d74b3f73e82c17f93ce
https://github.com/WebKit/WebKit/commit/ab7a534d3ca16ed784727d74b3f73e82c17f93ce
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-expected.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-ref.html
A LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048.html
M Source/WebCore/css/parser/CSSParserImpl.cpp
Log Message:
-----------
Cherry-pick 0dd51c9b2c6d. rdar://113652033
[CSS] Fix @supports nested with declarations
https://bugs.webkit.org/show_bug.cgi?id=259752
rdar://113652033
Reviewed by Antti Koivisto.
Unfortunately, the parser code uses local member variables (m_parsedProperties/m_parsedRules)
to store parsing results instead of using return values and the programming language builtin stack.
This patch uses the existing stack mechanism CSSParserImpl::runInNewNestingContext()
to isolate the parsing of the @supports(...) prelude declaration
from the rest of the parsing (specifically, from declarations before or after this @supports rule at the same nesting level)
This fixes code like:
    div {
        color: green;
        @supports() {
        }
    }
where the `color: green` declaration was being ignored.
* LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-expected.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-ref.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048.html: Added.
* Source/WebCore/css/parser/CSSParserImpl.cpp:
(WebCore::CSSParserImpl::supportsDeclaration):
Canonical link: https://commits.webkit.org/271989@main
Identifier: 267815.633 at safari-7617-branch
Commit: 65769b3c0f55c541c6142e7f6c57a46ba430986d
https://github.com/WebKit/WebKit/commit/65769b3c0f55c541c6142e7f6c57a46ba430986d
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/platform/glib/svg/text/textLength-tspan-in-textPath-expected.txt
A LayoutTests/platform/ios/svg/text/textLength-tspan-in-textPath-expected.txt
A LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.png
A LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.txt
A LayoutTests/svg/text/textLength-tspan-in-textPath.html
M Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp
Log Message:
-----------
Cherry-pick 79238bc8e2d6. rdar://117911214
REGRESSION(264666 at main): Layout of the <tspan> elements inside a <textPath> is incorrect
https://bugs.webkit.org/show_bug.cgi?id=264184
Reviewed by Said Abou-Hallawa.
Revision 264666 at main broke <tspan textLength="..."> behavior on <textPath> elements.
The logic added to fix the intra-character spacing wasn't intended for text path
layout, where each character by definition is placed in its own box. Fix the MDN
regression by disabling the new code paths for text-on-path layout.
Covered by new test in svg/text/textLength-tspan-in-textPath.html.
Unfortunately it's hard to make a cross-platform reftest, given the
nature of the kind of test, and the missing way to layout text along
a path in HTML/CSS.
* LayoutTests/platform/glib/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
* LayoutTests/platform/ios/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
* LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.png: Added.
* LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
* LayoutTests/svg/text/textLength-tspan-in-textPath.html: Added.
* Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:
(WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath):
Canonical link: https://commits.webkit.org/271996@main
Identifier: 267815.634 at safari-7617-branch
Commit: cc4e54ad41c9fced0dad42590b30e7774598dfa0
https://github.com/WebKit/WebKit/commit/cc4e54ad41c9fced0dad42590b30e7774598dfa0
Author: Scott Marcy <mscott at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/invalid-fullscreen-enum-expected.txt
A LayoutTests/ipc/invalid-fullscreen-enum.html
A LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov
M Source/WebCore/platform/graphics/MediaPlayerEnums.h
M Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm
Log Message:
-----------
rdar://115106974 (SEGV in -[NSView resizeSubviewsWithOldSize:])
Checks that the VideoFullscreenMode argument for two IPC calls is valid and invalidates the IPC message if not.
Reviewed by Alex Christensen (achristensen07).
If the VideoFullscreenMode value is not as expected, the IPC message will be marked as invalid, which is supposed
to crash the content process thereby thwarting any attempted attack through this mechanism.
* LayoutTests/TestExpectations:
* LayoutTests/ipc/invalid-fullscreen-enum-expected.txt: Added.
* LayoutTests/ipc/invalid-fullscreen-enum.html: Added.
* LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov: Added.
* Source/WebCore/platform/graphics/MediaPlayerEnums.h:
* Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm:
(WebKit::VideoPresentationManagerProxy::setupFullscreenWithID):
(WebKit::VideoPresentationManagerProxy::exitFullscreenWithoutAnimationToMode):
Canonical link: https://commits.webkit.org/267815.636@safari-7617-branch
Commit: 87a8ec698d64cf46709ab93606307b2cb5352ca1
https://github.com/WebKit/WebKit/commit/87a8ec698d64cf46709ab93606307b2cb5352ca1
Author: Erica Li <lerica at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt
A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html
M LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
M Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
Log Message:
-----------
ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter
https://bugs.webkit.org/show_bug.cgi?id=266273
rdar://119187070
Reviewed by Alan Baradlay.
Similar to rdar://104598552, add positioned child in RenderMathMLScripts also.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt: Added.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html: Added.
* LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline based on this fix.
* Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp:
(WebCore::RenderMathMLScripts::layoutBlock):
Canonical link: https://commits.webkit.org/267815.637@safari-7617-branch
Commit: dc9b30f37ba893960ffdaa3d60ace0cc63dcd605
https://github.com/WebKit/WebKit/commit/dc9b30f37ba893960ffdaa3d60ace0cc63dcd605
Author: David Degazio <d_degazio at apple.com>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/ftl/FTLOperations.cpp
M Source/JavaScriptCore/runtime/ClonedArguments.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/FunctionPrototype.cpp
Log Message:
-----------
Throw exception when ClonedArguments allocation fails
https://bugs.webkit.org/show_bug.cgi?id=264511
rdar://118039984
Reviewed by Mark Lam.
Currently, if we try and allocate a ClonedArguments object and run out of
memory, we silently return nullptr. This can result in the creation of an
empty JSValue being returned. This patch ensures that we check for and
propagate the null result, in addition to throwing an OutOfMemory error.
In cases where we can't throw an OutOfMemory error, specifically in
operationMaterializeObjectInOSR, we RELEASE_ASSERT that the result is
non-null to guarantee we crash instead of allowing the empty value to
escape.
* JSTests/stress/cloned-arguments-oom.js: Added.
(Allocator):
(Allocator.prototype.size):
(Allocator.prototype.allocate):
(createClonedArguments):
(0x0.map.size.new.Allocator):
(catch):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
(JSC::ClonedArguments::createWithInlineFrame):
(JSC::ClonedArguments::createWithMachineFrame):
(JSC::ClonedArguments::createByCopyingFrom):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
Canonical link: https://commits.webkit.org/267815.638@safari-7617-branch
Commit: 2d703bbbc2552ff4d1d8c3a1d7071800d3433d36
https://github.com/WebKit/WebKit/commit/2d703bbbc2552ff4d1d8c3a1d7071800d3433d36
Author: Jean-Yves Avenard <jya at apple.com>
Date: 2023-12-15 (Fri, 15 Dec 2023)
Changed paths:
M Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.h
M Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.mm
Log Message:
-----------
Concurrent access to WebCoreDecompressionSession::m_timebase
rdar://117145111
Reviewed by Youenn Fablet.
There are 4 queues at play when the WebCoreDecompressionSession is in use.
m_timebase and m_timerSource were accessed concurrently on at least two different
queues.
Add various WTF_GUARDED_BY_LOCK as needed, and make some members atomic.
* Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.h:
* Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.mm:
(WebCore::WebCoreDecompressionSession::invalidate):
(WebCore::WebCoreDecompressionSession::setTimebase):
(WebCore::WebCoreDecompressionSession::setTimebaseWithLockHeld):
(WebCore::WebCoreDecompressionSession::timebase const):
(WebCore::WebCoreDecompressionSession::maybeBecomeReadyForMoreMediaData):
(WebCore::WebCoreDecompressionSession::enqueueSample):
(WebCore::WebCoreDecompressionSession::shouldDecodeSample):
(WebCore::WebCoreDecompressionSession::ensureDecompressionSessionForSample):
(WebCore::WebCoreDecompressionSession::decodeSample):
(WebCore::WebCoreDecompressionSession::decodeSampleSync):
(WebCore::WebCoreDecompressionSession::automaticDequeue):
(WebCore::WebCoreDecompressionSession::enqueueDecodedSample):
(WebCore::WebCoreDecompressionSession::requestMediaDataWhenReady):
(WebCore::WebCoreDecompressionSession::stopRequestingMediaData):
(WebCore::WebCoreDecompressionSession::notifyWhenHasAvailableVideoFrame):
(WebCore::WebCoreDecompressionSession::imageForTime):
(WebCore::WebCoreDecompressionSession::flush):
(WebCore::WebCoreDecompressionSession::resetQosTier):
(WebCore::WebCoreDecompressionSession::increaseQosTier):
(WebCore::WebCoreDecompressionSession::decreaseQosTier):
(WebCore::WebCoreDecompressionSession::updateQosWithDecodeTimeStatistics):
Canonical link: https://commits.webkit.org/267815.639@safari-7617-branch
Commit: 36d57dc0f23f31be58323a88ba34a4fbf18e3998
https://github.com/WebKit/WebKit/commit/36d57dc0f23f31be58323a88ba34a4fbf18e3998
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
Log Message:
-----------
Restrict access to Version.plist in the WebContent process on iOS
https://bugs.webkit.org/show_bug.cgi?id=262699
rdar://116545792
Reviewed by Per Arne Vollan.
Access to this file provides information about the device that should not be
accessible to web content. This patch explicitly prevents access to the file
from the Web content process. In a follow-up patch I'm planning on improving
the path validation we use for paths provided by JavaScript.
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
Canonical link: https://commits.webkit.org/267815.640@safari-7617-branch
Commit: 8c08880ef0f2a61a88378e35a3d0ee56310f140c
https://github.com/WebKit/WebKit/commit/8c08880ef0f2a61a88378e35a3d0ee56310f140c
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 271772 at main (a98d81e4f8ce). rdar://119407808
[ews-build.webkit.org] Bump S3 upload timeout to 10 minutes
https://bugs.webkit.org/show_bug.cgi?id=266118
rdar://119407808
Reviewed by Ryan Haddad.
* Tools/Scripts/upload-file-to-url:
(upload): Bump timeout to 10 minutes.
Canonical link: https://commits.webkit.org/271772@main
Canonical link: https://commits.webkit.org/267815.641@safari-7617-branch
Commit: 64c48fc75ad0488d1cd950c4378a156643964fff
https://github.com/WebKit/WebKit/commit/64c48fc75ad0488d1cd950c4378a156643964fff
Author: Aakash Jain <aakash_jain at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 271774 at main (31db174057c2). https://bugs.webkit.org/show_bug.cgi?id=266119
Add retry to upload-file-to-url
https://bugs.webkit.org/show_bug.cgi?id=266119
Reviewed by Elliott Williams.
* Tools/Scripts/upload-file-to-url:
Canonical link: https://commits.webkit.org/271774@main
Canonical link: https://commits.webkit.org/267815.642@safari-7617-branch
Commit: e58292b8210f2b820de4d26ba3dd1a945e77e7ae
https://github.com/WebKit/WebKit/commit/e58292b8210f2b820de4d26ba3dd1a945e77e7ae
Author: Aakash Jain <aakash_jain at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/CISupport/ews-build/steps.py
M Tools/CISupport/ews-build/steps_unittest.py
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 271800 at main (e9e0f310a265). https://bugs.webkit.org/show_bug.cgi?id=266119
[ews] Add retry to upload-file-to-url (follow-up fix)
https://bugs.webkit.org/show_bug.cgi?id=266119
Unreviewed follow-up fix.
Also increase the timeout for buildbot step.
* Tools/CISupport/ews-build/steps.py:
(UploadFileToS3.__init__):
* Tools/CISupport/ews-build/steps_unittest.py:
* Tools/Scripts/upload-file-to-url:
(upload):
Canonical link: https://commits.webkit.org/271800@main
Canonical link: https://commits.webkit.org/267815.643@safari-7617-branch
Commit: 721c6b53a0ab410d33e941067e9c452b49ef1d49
https://github.com/WebKit/WebKit/commit/721c6b53a0ab410d33e941067e9c452b49ef1d49
Author: Aakash Jain <aakash_jain at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 271937 at main (952dc0fc914b). https://bugs.webkit.org/show_bug.cgi?id=266142
upload-file-to-url should print file size in MB
https://bugs.webkit.org/show_bug.cgi?id=266142
Reviewed by Jonathan Bedard.
Files being uploaded are several hundred MBs, so better to print the size in MB.
* Tools/Scripts/upload-file-to-url:
Canonical link: https://commits.webkit.org/271937@main
Canonical link: https://commits.webkit.org/267815.644@safari-7617-branch
Commit: 299d3eac8533a02e91093941782aa682a872b3b5
https://github.com/WebKit/WebKit/commit/299d3eac8533a02e91093941782aa682a872b3b5
Author: Aakash Jain <aakash_jain at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 272052 at main (3be6d4ae5ddb). https://bugs.webkit.org/show_bug.cgi?id=266419
upload-file-to-s3 should retry when the request fails with status_code 503
https://bugs.webkit.org/show_bug.cgi?id=266419
Reviewed by Jonathan Bedard.
We added retry in 271774 at main to upload-file-to-s3.
However, that doesn't retry in the case when the request fails with a non-200 status_code.
We should retry in those cases as well.
* Tools/Scripts/upload-file-to-url:
(upload):
Canonical link: https://commits.webkit.org/272052@main
Canonical link: https://commits.webkit.org/267815.645@safari-7617-branch
Commit: 14e3b5ddf6d7ea1eb5bab15f19ebd67cb78881c7
https://github.com/WebKit/WebKit/commit/14e3b5ddf6d7ea1eb5bab15f19ebd67cb78881c7
Author: Aakash Jain <aakash_jain at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 272057 at main (a0cb037063a2). https://bugs.webkit.org/show_bug.cgi?id=266411
upload-file-to-s3 fails because of webkitpy autoinstaller failing with error No archives for six-1.16 found
https://bugs.webkit.org/show_bug.cgi?id=266411
Reviewed by Jonathan Bedard.
Ignore webkitpy errors while trying to import. We are only importing it to auto-install
requests module, which might already be present.
* Tools/Scripts/upload-file-to-url:
Canonical link: https://commits.webkit.org/272057@main
Canonical link: https://commits.webkit.org/267815.646@safari-7617-branch
Commit: 3bfb2161ce5836d7cc181fd675ae10631ca5c518
https://github.com/WebKit/WebKit/commit/3bfb2161ce5836d7cc181fd675ae10631ca5c518
Author: Aakash Jain <aakash_jain at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/upload-file-to-url
Log Message:
-----------
Cherry-pick 272179 at main (aeb80393640e). https://bugs.webkit.org/show_bug.cgi?id=266419
upload-file-to-s3 should retry when the request fails with status_code 503 (follow-up fix)
https://bugs.webkit.org/show_bug.cgi?id=266419
Unreviewed follow-up fix.
* Tools/Scripts/upload-file-to-url:
Canonical link: https://commits.webkit.org/272179@main
Canonical link: https://commits.webkit.org/267815.647@safari-7617-branch
Commit: c6ed9ecc4f54bcaf777308a5c02c554afe75b846
https://github.com/WebKit/WebKit/commit/c6ed9ecc4f54bcaf777308a5c02c554afe75b846
Author: Sam Sneddon <gsnedders at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
Log Message:
-----------
Cherry-pick 271534 at main (47c33f8d6a47). rdar://119145927
Update rapidfuzz to 3.4.0
https://bugs.webkit.org/show_bug.cgi?id=265809
rdar://problem/119145927
Reviewed by Jonathan Bedard.
We keep on finding bots which need rapidfuzz to be reinstalled because
the macOS universal2 wheel was broken
(c.f. https://github.com/WebKit/WebKit/pull/19835). Let's mitigate this
entire problem by just forcing rapidfuzz to be re-installed everywhere
by upgrading it.
I also found that 268494 at main (ca3f26ebbb57) added pyparsing as an
implicit_dep, which should actually be on packaging, as that's where the
requirement actually is.
* Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py:
* Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
(AutoInstall):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py:
Canonical link: https://commits.webkit.org/271534@main
Canonical link: https://commits.webkit.org/267815.648@safari-7617-branch
Commit: 554522e69d2308e21042d90b49d9ecfcdbb3b5f8
https://github.com/WebKit/WebKit/commit/554522e69d2308e21042d90b49d9ecfcdbb3b5f8
Author: Brianna Fan <bfan2 at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/hooks/prepare-commit-msg
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py
Log Message:
-----------
Cherry-pick 271587 at main (627b31c8383b). rdar://92702616
[git-webkit] Support reverting multiple commits at once
https://bugs.webkit.org/show_bug.cgi?id=239796
rdar://problem/92702616
Reviewed by Jonathan Bedard.
Allows for multiple commits to be passed in as args.
Includes all reverted commit identifiers in the revert message.
Fixes bug in issue creation, adds support for radar importer.
* Tools/Scripts/hooks/prepare-commit-msg:
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
(Revert):
(Revert.parser):
(Revert.get_issue_info):
(Revert.create_revert_commit_msg):
(Revert.revert_commit):
(Revert.main):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
(TestRevert.test_github):
(TestRevert.test_github_two_step):
(TestRevert.test_args):
(test_update):
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py:
(Branch):
(Branch.create_radar):
(Branch.main):
Canonical link: https://commits.webkit.org/271587@main
Canonical link: https://commits.webkit.org/267815.649@safari-7617-branch
Commit: e5773c94689a24e68404a074380c40cc5f862b9a
https://github.com/WebKit/WebKit/commit/e5773c94689a24e68404a074380c40cc5f862b9a
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py
Log Message:
-----------
Cherry-pick 271687 at main (912bf757dabd). rdar://118993239
[webkitscmpy] Collect diff from GitHub remote repository
https://bugs.webkit.org/show_bug.cgi?id=265590
rdar://118993239
Reviewed by Dewei Zhu.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py:
(GitHub.commit): 'HEAD' in GitHub means "latest commit on the default branch".
(GitHub._diff_response): Return a response with a mock text diff.
(GitHub.request): Respect the 'application/vnd.github.diff' header.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
(GitHub):
(GitHub.diff): Given a commit or commit range, return a line-by-line diff of
the provided range. If the caller requests it, include the commit messages for
the specified commits in the same patch format used by 'git format-patch'.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:
Canonical link: https://commits.webkit.org/271687@main
Canonical link: https://commits.webkit.org/267815.650@safari-7617-branch
Commit: f118dd795ffbf2b36140d46f938a52db4056947a
https://github.com/WebKit/WebKit/commit/f118dd795ffbf2b36140d46f938a52db4056947a
Author: Jonathan Bedard <jbedard at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py
Log Message:
-----------
Cherry-pick 271688 at main (6eed9f3aec5d). rdar://119055886
[webkitscmpy] Collect diff from Bitbucket remote repository
https://bugs.webkit.org/show_bug.cgi?id=265705
rdar://119055886
Reviewed by Dewei Zhu.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py:
(BitBucket.commit): 'HEAD' in Bitbucket means "latest commit on the default branch".
(BitBucket.request): Return a response with a mock diff.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py:
(BitBucket.json_to_diff): Convert Bitbucket json diff to text diff.
(BitBucket.commits): Return a list of commits to caller.
(BitBucket.diff): Given a commit or commit range, return a line-by-line diff of
the provided range. If the caller requests it, include the commit messages for
the specified commits in the same patch format used by 'git format-patch'.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
(GitHub): Move EMAIL_RE to base class.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py:
(Scm): Move EMAIL_RE from GitHub.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:
Canonical link: https://commits.webkit.org/271688@main
Canonical link: https://commits.webkit.org/267815.651@safari-7617-branch
Commit: ea99166b2dfe347f54df0c882bd0c2708ac9656e
https://github.com/WebKit/WebKit/commit/ea99166b2dfe347f54df0c882bd0c2708ac9656e
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
M Source/WebCore/loader/SubresourceLoader.h
Log Message:
-----------
Crash under SubresourceLoader::didReceiveBuffer()
https://bugs.webkit.org/show_bug.cgi?id=266589
rdar://116974951
Reviewed by Ryosuke Niwa.
Make sure we protect the CachedResource before calling non-trivial member
functions on it.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequestInternal):
(WebCore::SubresourceLoader::didSendData):
(WebCore::SubresourceLoader::didReceivePreviewResponse):
(WebCore::SubresourceLoader::didReceiveResponse):
(WebCore::SubresourceLoader::didReceiveBuffer):
(WebCore::SubresourceLoader::willCancel):
(WebCore::SubresourceLoader::didCancel):
(WebCore::SubresourceLoader::releaseResources):
* Source/WebCore/loader/SubresourceLoader.h:
Canonical link: https://commits.webkit.org/267815.652@safari-7617-branch
Commit: f45fcd2ff3ac1bebee77f2ec5806b6daf0f411f6
https://github.com/WebKit/WebKit/commit/f45fcd2ff3ac1bebee77f2ec5806b6daf0f411f6
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Source/WebKit/NetworkProcess/cache/NetworkCacheSubresourcesEntry.h
Log Message:
-----------
Cherry-pick 3096c561acce. rdar://119362503
Samesite=Lax is not always working in Safari
https://bugs.webkit.org/show_bug.cgi?id=265634
rdar://119362503
Reviewed by Brent Fulgham and Alex Christensen.
We were not setting isSameSite correctly when reading it from disk cache, which was then triggering different cookies being sent between
speculative loads and the actual would be loads.
Websites could use Vary Cookie headers to handle that case, but they do not tend to.
* Source/WebKit/NetworkProcess/cache/NetworkCacheSubresourcesEntry.h:
(WebKit::NetworkCache::SubresourceInfo::SubresourceInfo):
Canonical link: https://commits.webkit.org/272062@main
Identifier: 267815.653 at safari-7617-branch
Commit: 9aa763d0e5c239b9a0e5dfcba8ee220844d31d55
https://github.com/WebKit/WebKit/commit/9aa763d0e5c239b9a0e5dfcba8ee220844d31d55
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 1bfda19669ab. rdar://11847946
Mitigate crashes under Quirks::advancedPrivacyProtectionSubstituteDataURLForScriptWithFeatures()
https://bugs.webkit.org/show_bug.cgi?id=266380
rdar://118479646
Reviewed by Yusuke Suzuki.
Even after the mitigations in 269984 at main, we're still sometimes crashing when attempting to
determine whether or not we should apply hard-coded canvas fingerprinting mitigations when advanced
privacy protections are enabled. From discussing with JSC folks, this seems to be due to the way in
which we're currently trying to walk the stack by traversing `callerFrame()`s:
```
while (!codeBlock) {
    callFrame = callFrame->callerFrame();
    if (!callFrame)
        break;
    codeBlock = callFrame->codeBlock();
}
```
Instead of implementing it this way, the JSC team recommended using `StackVisitor::visit` instead to
walk the stack, which is the de-facto mechanism used to perform similar stack traversals elsewhere
in the codebase. In addition, I'm also rearranging this check, so that we only ever attempt this
relatively more expensive stack walk in the case where the `lastDrawnText`, `canvasWidth` and
`canvasHeight` all match their expected values for the quirk.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::advancedPrivacyProtectionSubstituteDataURLForScriptWithFeatures const):
In my manual testing, I found that the source code length on some of the affected sites has been
changed slightly; adjust this quirk to match.
Canonical link: https://commits.webkit.org/272093@main
Identifier: 267815.654 at safari-7617-branch
Commit: 2bee8872e3b9fb535e1c062b5ac8be2ac12204ca
https://github.com/WebKit/WebKit/commit/2bee8872e3b9fb535e1c062b5ac8be2ac12204ca
Author: Andy Estes <aestes at apple.com>
Date: 2023-12-19 (Tue, 19 Dec 2023)
Changed paths:
M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp
M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h
M Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp
M Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp
M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp
M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
M Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm
Log Message:
-----------
REGRESSION (233845 at main): Crash in MediaKeySystemRequest::~MediaKeySystemRequest
https://bugs.webkit.org/show_bug.cgi?id=266619
rdar://118004786
Reviewed by Jean-Yves Avenard.
In 233845 at main, NavigatorEME::requestMediaKeySystemAccess moved the task that creates the CDM
instance into a completion handler that's called asynchronously once the client allows media key
access. The completion handler captured a raw pointer to the document, leading to a crash if the
document is destroyed before the completion handler is called. Debug builds would also assert in
CompletionHandler::~CompletionHandler because ActiveDOMObject::queueTaskInEventLoop would not
invoke the task queued by MediaKeySystemRequest::allow - which captured a CompletionHandler - when
scriptExecutionContext is null.
Addressed the crash by capturing document as a WeakPtr and null-checking it prior to calling
Document::postTask in NavigatorEME::requestMediaKeySystemAccess's allow callback. Addressed the
assertion failure by removing the unnecessary asynchronous CompletionHandler from
Messages::WebPage::MediaKeySystemWasGranted.
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp:
(WebCore::MediaKeySystemRequest::allow):
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h:
* Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp:
(WebCore::NavigatorEME::requestMediaKeySystemAccess):
* Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp:
(WebKit::MediaKeySystemPermissionRequestManagerProxy::grantRequest):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp:
(WebKit::MediaKeySystemPermissionRequestManager::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
* Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm:
(WebMediaKeySystemClient::requestMediaKeySystem):
Canonical link: https://commits.webkit.org/267815.655@safari-7617-branch
Compare: https://github.com/WebKit/WebKit/compare/8e5aa6126d64...2bee8872e3b9
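The lifetime bug described in the MediaKeySystemRequest commit above (a deferred "allow" callback holding a raw document pointer), shown as an added example that is not WebKit code. It assumes `std::shared_ptr`/`std::weak_ptr` as stand-ins for WebKit's RefPtr/WeakPtr; `Document`, `PermissionPrompt`, `requestAccess` and `taskRanAfterAllow` are hypothetical names.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <utility>

// Stand-in for WebCore::Document (assumption: only counts posted tasks).
struct Document {
    int tasksPosted = 0;
    void postTask() { ++tasksPosted; }
};

// Hypothetical permission prompt: "allow" callbacks run later, once the client answers.
struct PermissionPrompt {
    std::queue<std::function<void()>> pending;
    void request(std::function<void()> onAllow) { pending.push(std::move(onAllow)); }
    void clientAllows() {
        while (!pending.empty()) {
            auto callback = std::move(pending.front());
            pending.pop();
            callback();
        }
    }
};

// Vulnerable shape (left as a comment so nothing dangling is ever dereferenced):
//   Document* raw = document.get();
//   prompt.request([raw] { raw->postTask(); });
// If the document is destroyed before the client answers, `raw` dangles.

// Hardened shape: capture weakly, then null-check before use.
void requestAccess(PermissionPrompt& prompt, const std::shared_ptr<Document>& document, bool& ran) {
    std::weak_ptr<Document> weakDocument = document;
    prompt.request([weakDocument, &ran] {
        auto protectedDocument = weakDocument.lock(); // keeps it alive for this call
        if (!protectedDocument)
            return; // document already gone: drop the work, touch nothing
        protectedDocument->postTask();
        ran = true;
    });
}

// Returns whether the deferred task ran; destroyDocumentFirst simulates the
// document being torn down before the client answers the prompt.
bool taskRanAfterAllow(bool destroyDocumentFirst) {
    PermissionPrompt prompt;
    auto document = std::make_shared<Document>();
    bool ran = false;
    requestAccess(prompt, document, ran);
    if (destroyDocumentFirst)
        document.reset();
    prompt.clientAllows();
    return ran;
}
```
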