[webkit-changes] [WebKit/WebKit] 64bcd9: jsc_fuz/wktr: heap-use-after-free in WebCore::IDBS...

aestes noreply at github.com
Tue Jan 23 07:21:36 PST 2024


  Branch: refs/heads/safari-7617-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 64bcd93cbc55fa9d3e3a22d1e0be24feba267d65
      https://github.com/WebKit/WebKit/commit/64bcd93cbc55fa9d3e3a22d1e0be24feba267d65
  Author: nishajain61 <nisha_jain at apple.com>
  Date:   2023-11-07 (Tue, 07 Nov 2023)

  Changed paths:
    A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
    A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
    M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
    M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
    M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h

  Log Message:
  -----------
  jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
https://bugs.webkit.org/show_bug.cgi?id=264180.
rdar://117463447.

Reviewed by Sihui Liu.

MemoryIndex now keeps a WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it. Also converts WeakPtr to RefPtr using the get() API as applicable.

* LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
* LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using.
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable.
(WebCore::IDBServer::MemoryIndex::objectStoreCleared):
(WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
(WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
(WebCore::IDBServer::MemoryIndex::getAllRecords const):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
(WebCore::IDBServer::MemoryIndex::objectStore):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object.
(WebCore::IDBServer::MemoryIndexCursor::currentData):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:

Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch
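The ownership pattern the commit message above describes (an index holding a non-owning weak reference to its object store and validating it before every access, so that an aborted transaction which destroys the store cannot leave a dangling pointer) is easier to see in a small stand-alone model. The following is an added example, not WebKit code: `ObjectStore`, `Index`, `Scenario` and `beginTransaction` are hypothetical stand-ins for the WebKit classes and abort path, and `std::shared_ptr`/`std::weak_ptr` stand in for WTF's `RefPtr`/`WeakPtr`.

```cpp
// Added example (not WebKit code): models the fix described in the commit above.
// An Index keeps a weak, non-owning reference to its ObjectStore and checks it
// before use, so destroying the store (e.g. when a transaction is aborted) turns
// a would-be use-after-free into a null result. All names are hypothetical.
#include <cstdint>
#include <map>
#include <memory>
#include <optional>
#include <string>

struct ObjectStore {
    std::map<uint64_t, std::string> records;   // key -> stored value
};

class Index {
public:
    explicit Index(const std::shared_ptr<ObjectStore>& store) : m_objectStore(store) {}

    // Counterpart of "RefPtr conversion from WeakPtr using get()": take an owning
    // reference for the duration of the call, or null if the store is already gone.
    std::shared_ptr<ObjectStore> objectStore() const { return m_objectStore.lock(); }

    // Resolve a key through the index. Returns std::nullopt when the store has been
    // destroyed instead of dereferencing a dangling pointer.
    std::optional<std::string> getResultForKey(uint64_t key) const {
        auto store = objectStore();
        if (!store)
            return std::nullopt;                 // validity check before use
        auto it = store->records.find(key);
        if (it == store->records.end())
            return std::nullopt;
        return it->second;
    }

    bool isStoreAlive() const { return !m_objectStore.expired(); }

private:
    std::weak_ptr<ObjectStore> m_objectStore;   // non-owning, validated on each use
};

// Constructed scenario: the transaction owns the store; an index created in the
// same transaction references it. Aborting drops the transaction's owning pointer.
struct Scenario {
    std::shared_ptr<Index> index;
    std::shared_ptr<ObjectStore> store;
};

Scenario beginTransaction() {
    auto store = std::make_shared<ObjectStore>();
    store->records[1] = "alpha";                 // constructed sample record
    return { std::make_shared<Index>(store), store };
}

// Returns true when the index answers correctly before the abort and degrades
// safely (no result, no dangling access) after the store is destroyed.
bool indexSurvivesAbort() {
    Scenario s = beginTransaction();
    bool before = s.index->getResultForKey(1).has_value();   // store alive: true
    s.store.reset();                                         // abort destroys the store
    bool after = s.index->getResultForKey(1).has_value();    // store gone: false
    return before && !after && !s.index->isStoreAlive();
}
```

The point of the model is that the only path from `Index` to the store's memory goes through `objectStore()`, which either hands back a live owning reference or nothing; callers cannot touch a freed store by accident, which is the property the WeakPtr change gives the real `MemoryIndex`.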


  Commit: f524a15d06332c5be8af2a618cb16489e3d9e086
      https://github.com/WebKit/WebKit/commit/f524a15d06332c5be8af2a618cb16489e3d9e086
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/multicol/last-set-crash-expected.txt
    A LayoutTests/fast/multicol/last-set-crash.html
    M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
    M Source/WebCore/rendering/RenderMultiColumnFlow.h

  Log Message:
  -----------
  WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://114559559

Reviewed by Alan Baradlay.

* LayoutTests/TestExpectations:

Skip test on debug due to some assertion failures.

* LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
* LayoutTests/fast/multicol/last-set-crash.html: Added.
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):

Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
Check for this.

* Source/WebCore/rendering/RenderMultiColumnFlow.h:

Also make it use WeakPtr.

Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch


  Commit: 37e44d2404d32ee50714f885c56b5572863e3ca5
      https://github.com/WebKit/WebKit/commit/37e44d2404d32ee50714f885c56b5572863e3ca5
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M metadata/poison.txt

  Log Message:
  -----------
  Poisoned commit

Unreviewed branch poisoning.

Insert revoked credential into repository to prevent
contributors from accidentally publishing this branch
to their personal public forks.

* metadata/poison.txt: Add poison.

Canonical link: https://commits.webkit.org/267815.547@safari-7617-branch


  Commit: 73353153c742d68d7b9c49d3d532438505e8ec48
      https://github.com/WebKit/WebKit/commit/73353153c742d68d7b9c49d3d532438505e8ec48
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.1

Identifier: 267815.548@safari-7617-branch


  Commit: ade9f6187d76a4fa2d13bd0c2c766cf1eab438e1
      https://github.com/WebKit/WebKit/commit/ade9f6187d76a4fa2d13bd0c2c766cf1eab438e1
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h

  Log Message:
  -----------
  Apply patch. rdar://117209302

Identifier: 267815.549@safari-7617-branch


  Commit: fddc17b4f325a2bee094931148f409f432d83736
      https://github.com/WebKit/WebKit/commit/fddc17b4f325a2bee094931148f409f432d83736
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebCore/page/ContextMenuController.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp

  Log Message:
  -----------
  Cherry-pick 38398649280b. rdar://117215059

    AX: Sometimes unable to see play/pause animation context menu item when setting is toggled
    https://bugs.webkit.org/show_bug.cgi?id=263735
    rdar://117215059

    Reviewed by Tyler Wilcock.

    When deciding whether to add the "Play/Pause all animations" or "Play/Pause animation" context menu item, we had previously
    used a softlink to reference _AXSReduceMotionAutoplayAnimatedImagesEnabled. The issue with using this from the web content
    process, however, is that distributed notifications are not permitted as per the sandbox, so updates to this setting were
    not reaching that process.

    To resolve this, this patch now piggybacks onto our existing cross-process update for the animation setting using the
    AccessibilityPreferencesChanged notification and WebPage::updateImageAnimationEnabled. A new flag, m_systemAllowsAnimationControls,
    now maintains the state of this setting, and allows the Page to have an up-to-date view of the setting without relying on the
    softlink.

    * Source/WebCore/page/ContextMenuController.cpp:
    (WebCore::ContextMenuController::populate):
    * Source/WebCore/page/Page.cpp:
    (WebCore::Page::setSystemAllowsAnimationControls):
    * Source/WebCore/page/Page.h:
    (WebCore::Page::systemAllowsAnimationControls const):
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::updateImageAnimationEnabled):

    Canonical link: https://commits.webkit.org/269878@main

Identifier: 267815.550@safari-7617-branch


  Commit: 57af64e0ae96d6145913553d4a449ddc9620318f
      https://github.com/WebKit/WebKit/commit/57af64e0ae96d6145913553d4a449ddc9620318f
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-08 (Wed, 08 Nov 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/FontCascade.cpp
    M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
    M Source/WebCore/platform/graphics/FontRanges.cpp
    M Source/WebCore/platform/graphics/GlyphPage.h

  Log Message:
  -----------
  Cherry-pick ef2295446d89. rdar://117905809

    Use GlyphData.isValid() consistently for checking whether GlyphData is valid.
    https://bugs.webkit.org/show_bug.cgi?id=264130
    rdar://117905809

    Reviewed by Tim Nguyen.

    Replace GlyphData validity checks using .glyph and .font directly with .isValid().
    Make .isValid() return false even if .glyph is non-zero and .font is null
    (which should never happen) since a .font null check isn't expensive anyway.

    * Source/WebCore/platform/graphics/FontCascade.cpp:
    (WebCore::FontCascade::fontForCombiningCharacterSequence const):
    * Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
    (WebCore::FontCascadeFonts::GlyphPageCacheEntry::setGlyphDataForCharacter):
    (WebCore::FontCascadeFonts::glyphDataForSystemFallback):
    (WebCore::FontCascadeFonts::glyphDataForVariant):
    (WebCore::FontCascadeFonts::glyphDataForCharacter):
    * Source/WebCore/platform/graphics/FontRanges.cpp:
    (WebCore::FontRanges::glyphDataForCharacter const):
    * Source/WebCore/platform/graphics/GlyphPage.h:
    (WebCore::GlyphData::isValid const):

    Canonical link: https://commits.webkit.org/270299@main

Identifier: 267815.551@safari-7617-branch


  Commit: bbdd51069d01d0f1768ca2623919857a03068c09
      https://github.com/WebKit/WebKit/commit/bbdd51069d01d0f1768ca2623919857a03068c09
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    A LayoutTests/fast/viewport/ios/full-screen-safe-area-insets-expected.txt
    A LayoutTests/fast/viewport/ios/full-screen-safe-area-insets.html
    A LayoutTests/fast/viewport/ios/resources/viewport-fit-contain.html
    A LayoutTests/fast/viewport/ios/resources/viewport-fit-cover.html
    A LayoutTests/fullscreen/full-screen-document-background-color-expected.txt
    A LayoutTests/fullscreen/full-screen-document-background-color.html
    M LayoutTests/fullscreen/full-screen-test.js
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/FullscreenManager.cpp
    M Source/WebCore/page/LocalFrameView.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Source/WebKit/UIProcess/ios/WKScrollView.h
    M Source/WebKit/UIProcess/ios/WKScrollView.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm

  Log Message:
  -----------
  Cherry-pick 1d5314701b60. rdar://117304719

    Cherry-pick 270199@main (56d49b081448). rdar://117304719

        [iOS] Element Fullscreen does not respect viewport-fit
        https://bugs.webkit.org/show_bug.cgi?id=264012
        rdar://117304719

        Reviewed by Wenson Hsieh and Tim Horton.

        Tests: fast/viewport/ios/full-screen-safe-area-insets.html
               fullscreen/full-screen-document-background-color.html

        When configuring the WKWebView during the enter fullscreen operation, various settings of the view
        must be returned to their default state for the "automatic" avoid-safe-areas behavior to kick in.
        For some calls made by clients, there is no way to reset those behaviors to default, and the
        existing implementation merely overrode those settings with other non-default values. The end
        result was that all fullscreen content was behaving as if `viewport-fit=cover` was specified, which
        allowed some content to slip into the safe areas.

        Additionally, when embedded content is taken fullscreen, the viewport settings of that embedded
        iframe are not respected, and the embedded content uses the viewport settings of whatever page
        embedded it. Also, the fullscreen element's background is not used in the overflow areas when
        iframe content is in fullscreen.

        * Source/WebCore/dom/Document.cpp:
        (WebCore::Document::updateViewportArguments):
        * Source/WebCore/dom/FullscreenManager.cpp:
        (WebCore::FullscreenManager::dispatchFullscreenChangeOrErrorEvent):
        (WebCore::FullscreenManager::deepestFullscreenDocument const):
        * Source/WebCore/dom/FullscreenManager.h:
        * Source/WebCore/page/LocalFrameView.cpp:
        (WebCore::LocalFrameView::documentBackgroundColor const):
        * Source/WebCore/page/Page.cpp:
        (WebCore::viewportDocumentForFrame):
        (WebCore::Page::viewportArguments const):
        * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h:
        * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
        (-[WKWebView _resetScrollViewInsetAdjustmentBehavior]):
        (-[WKWebView _haveSetUnobscuredSafeAreaInsets]):
        (-[WKWebView _resetUnobscuredSafeAreaInsets]):
        (-[WKWebView _hasOverriddenLayoutParameters]):
        (-[WKWebView _viewLayoutSizeOverride]):
        (-[WKWebView _minimumUnobscuredSizeOverride]):
        (-[WKWebView _maximumUnobscuredSizeOverride]):
        (-[WKWebView _resetObscuredInsets]):
        (-[WKWebView _clearOverrideLayoutParameters]):
        * Source/WebKit/UIProcess/ios/WKContentView.mm:
        (-[WKContentView setFrame:]):
        * Source/WebKit/UIProcess/ios/WKScrollView.h:
        * Source/WebKit/UIProcess/ios/WKScrollView.mm:
        (-[WKScrollView _contentInsetWasExternallyOverridden]):
        (-[WKScrollView _resetContentInset]):
        (-[WKScrollView _resetContentInsetAdjustmentBehavior]):
        * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm:
        (-[WKFullScreenViewController viewDidLayoutSubviews]):
        (-[WKFullScreenViewController viewWillTransitionToSize:withTransitionCoordinator:]):
        * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm:
        (WebKit::WKWebViewState::applyTo):
        (WebKit::WKWebViewState::store):
        (-[WKFullScreenWindowController enterFullScreen:]):
        (-[WKFullScreenWindowController beganEnterFullScreenWithInitialFrame:finalFrame:]):

        Canonical link: https://commits.webkit.org/270199@main

Identifier: 267815.552@safari-7617-branch


  Commit: dae531d205959f8686e79a92dd5ea8e6b50796a2
      https://github.com/WebKit/WebKit/commit/dae531d205959f8686e79a92dd5ea8e6b50796a2
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M Source/WebCore/editing/FrameSelection.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebKit/Shared/WebPageCreationParameters.h
    M Source/WebKit/Shared/WebPageCreationParameters.serialization.in
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/mac/PageClientImplMac.h
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm

  Log Message:
  -----------
  Cherry-pick ee3805278f95. rdar://117909679

    macOS: Text cursor in HTML note is black, regardless of set Accent Color
    https://bugs.webkit.org/show_bug.cgi?id=264189
    rdar://117909679

    Reviewed by Aditya Keerthi and Tim Horton.

    266070@main changed the behavior of the caret color to more closely follow the spec, and improve
    web compat. However, this behavior change also affected HTML Notes, which sets `color` on
    an ancestor of the editable div. As a result, the caret color is black. However, it should match
    the accent color of the app it is in, if it sets a custom accent color.

    To fix, implement the same solution as 269314@main effectively, but on macOS.

    * Source/WebCore/editing/FrameSelection.cpp:
    (WebCore::FrameSelection::paintCaret):
    (WebCore::CaretBase::computeCaretColor):
    (WebCore::CaretBase::paintCaret const):
    (WebCore::DragCaretController::paintDragCaret const):
    * Source/WebCore/editing/FrameSelection.h:
    * Source/WebCore/page/Page.cpp:
    (WebCore::Page::setAppUsesCustomAccentColor):
    (WebCore::Page::appUsesCustomAccentColor const):
    * Source/WebCore/page/Page.h:
    * Source/WebCore/rendering/RenderThemeIOS.mm:
    (WebCore::RenderThemeIOS::autocorrectionReplacementMarkerColor const):
    * Source/WebCore/rendering/style/RenderStyle.h:
    * Source/WebKit/Shared/WebPageCreationParameters.h:
    * Source/WebKit/Shared/WebPageCreationParameters.serialization.in:
    * Source/WebKit/UIProcess/PageClient.h:
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::creationParameters):
    * Source/WebKit/UIProcess/mac/PageClientImplMac.h:
    * Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
    (WebKit::cachedAppUsesCustomAccentColor):
    (WebKit::PageClientImpl::appUsesCustomAccentColor):
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::m_historyItemClient):
    (WebKit::WebPage::reinitializeWebPage):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    * Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
    (WebKit::WebPage::getPlatformEditorState const):
    * Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm:
    (WebKit::WebPage::setAppUsesCustomAccentColor):

    Canonical link: https://commits.webkit.org/270325@main

Identifier: 267815.553@safari-7617-branch


  Commit: f834d52942dde0925821dc8d825ffb708b81c703
      https://github.com/WebKit/WebKit/commit/f834d52942dde0925821dc8d825ffb708b81c703
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h
    M Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm

  Log Message:
  -----------
  Cherry-pick 9e08e9d30f55. rdar://118121639

    Cookies from AppSSO extension are getting stored in iframe even when CSP restricts page to be loaded in iframe
    https://bugs.webkit.org/show_bug.cgi?id=264447
    rdar://118121639

    Reviewed by Brent Fulgham.

    In https://bugs.webkit.org/show_bug.cgi?id=260100, we added CSP validation when setting cookies
    in the response of an AppSSO request. However, in that patch, we consider CSP options that are
    only relevant for i-frames in the redirect case. In NetworkResourceLoader::shouldInterruptLoadForXFrameOptions,
    we do an early return in non-main frame cases, but do not in the check for AppSSO.

    In SOAuthorizationCoordinator::tryAuthorize, it can be gleaned that a non-mainframe navigation implies
    a SubFrameSOAuthorizationSession will be created. Therefore we only need to perform these i-frame specific
    CSP checks whenever we have a SubFrameSOAuthorizationSession.

    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.h:
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SOAuthorizationSession.mm:
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForXFrameOptions): Deleted.
    (WebKit::SOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): Deleted.
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.h:
    * Source/WebKit/UIProcess/Cocoa/SOAuthorization/SubFrameSOAuthorizationSession.mm:
    (WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForXFrameOptions):
    (WebKit::SubFrameSOAuthorizationSession::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):

    Canonical link: https://commits.webkit.org/270422@main

Identifier: 267815.554@safari-7617-branch


  Commit: dc15bd8a960ad9bea065f6ba416365313e499943
      https://github.com/WebKit/WebKit/commit/dc15bd8a960ad9bea065f6ba416365313e499943
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm

  Log Message:
  -----------
  Cherry-pick e5bf2b80f8e5. rdar://118147164

    [iOS] Non-fullscreen content peeks into top safe area in element fullscreen mode
    https://bugs.webkit.org/show_bug.cgi?id=264455
    rdar://118147164

    Reviewed by Simon Fraser.

    When entering fullscreen, certain properties of the WKWebView and scrollView are reset to
    default values, as clients like Safari may have overridden them. One of these properties,
    contentInset, is reset to zero by that machinery. However, this causes overflow content to
    be visible above the safe area; instead, it should be reset to a correct initial value that
    accounts for the page's adoption of safe areas, via -_initialContentOffsetForScrollView.

    * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.h:
    * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
    (-[WKWebView _resetContentOffset]):
    * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm:
    (-[WKFullScreenWindowController enterFullScreen:]):

    Canonical link: https://commits.webkit.org/270424@main

Identifier: 267815.555@safari-7617-branch


  Commit: 42afccfaef8e18fee39d32229500347eb720c466
      https://github.com/WebKit/WebKit/commit/42afccfaef8e18fee39d32229500347eb720c466
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-09 (Thu, 09 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/canvas/canvas-noise-injection-expected.txt
    A LayoutTests/fast/canvas/canvas-noise-injection.html
    M Source/WebCore/html/CanvasBase.cpp
    M Source/WebCore/html/CanvasBase.h
    M Source/WebCore/html/CanvasNoiseInjection.cpp
    M Source/WebCore/html/CanvasNoiseInjection.h
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Cherry-pick bde990fd62dd. rdar://115313154

    Don't apply canvas noise on drawImage/putImageData rects
    https://bugs.webkit.org/show_bug.cgi?id=263129
    rdar://115313154

    Reviewed by Simon Fraser.

    When noise injection is enabled, the backing pixelbuffer of Canvas2D has noise
    applied as an anti-fingerprinting protection. That operation is expensive and
    the protection is not needed in situations where we are given an explicit
    ImageData or specific types of Images because those data don't reveal any
    identifying information about the machine when extracted via getImageData() or
    toDataURL().

    This patch abstracts the default DidDrawOptions into a static function that
    includes DidDrawOption::ApplyPostProcessing, and a companion function that
    doesn't include ApplyPostProcessing. These are static class functions because
    they should both be updated if the default DidDrawOption OptionSet changes in
    the future, and defining them separately seems error prone.

    As described above, the noise injection post-processing is not applied after
    certain drawImage operations where the image is a bitmap, and post-processing
    is conditionally applied when the entire canvas is dirty.

    * LayoutTests/TestExpectations:
    * LayoutTests/fast/canvas/canvas-noise-injection-expected.txt:
    * LayoutTests/fast/canvas/canvas-noise-injection.html:
    * Source/WebCore/html/CanvasBase.cpp:
    (WebCore::CanvasBase::didDraw):
    * Source/WebCore/html/CanvasNoiseInjection.cpp:
    (WebCore::CanvasNoiseInjection::clearDirtyRect):
    * Source/WebCore/html/CanvasNoiseInjection.h:
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
    (WebCore::CanvasRenderingContext2DBase::clearRect):
    (WebCore::CanvasRenderingContext2DBase::drawImage):
    (WebCore::CanvasRenderingContext2DBase::didDrawEntireCanvas):
    (WebCore::CanvasRenderingContext2DBase::didDraw):
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h:
    (WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptions):
    (WebCore::CanvasRenderingContext2DBase::defaultDidDrawOptionsWithoutPostProcessing):
    (WebCore::CanvasRenderingContext2DBase::didDraw): Deleted.

    Canonical link: https://commits.webkit.org/270207@main

Identifier: 267815.556@safari-7617-branch


  Commit: 58e9a1ce6e660fde51c83dae28327c9b00ea71e7
      https://github.com/WebKit/WebKit/commit/58e9a1ce6e660fde51c83dae28327c9b00ea71e7
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/platform/RunLoopObserver.h
    M Source/WebCore/platform/cf/RunLoopObserverCF.cpp
    M Source/WebKitLegacy/mac/WebView/WebViewRenderingUpdateScheduler.h
    M Source/WebKitLegacy/mac/WebView/WebViewRenderingUpdateScheduler.mm

  Log Message:
  -----------
  Cherry-pick 927b1ffbab10. rdar://118024764

    Unreviewed, reverting 269859@main.
    https://bugs.webkit.org/show_bug.cgi?id=264534

    Caused CPU spins in some WebView client applications

    Reverted changeset:

    "REGRESSION (263917@main): [ macOS ] 3 inspector/timeline/timeline-event-Timer tests are a consistent failure"
    https://bugs.webkit.org/show_bug.cgi?id=260360
    https://commits.webkit.org/269859@main

    Canonical link: https://commits.webkit.org/270489@main

Canonical link: https://commits.webkit.org/267815.557@safari-7617-branch


  Commit: 033fcc7cae10499853443bac30bfd9ae3f688dec
      https://github.com/WebKit/WebKit/commit/033fcc7cae10499853443bac30bfd9ae3f688dec
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    A LayoutTests/accessibility/custom-elements/shadow-element-text-expected.txt
    A LayoutTests/accessibility/custom-elements/shadow-element-text.html
    A LayoutTests/platform/glib/accessibility/custom-elements/shadow-element-text-expected.txt
    M Source/WebCore/accessibility/AccessibilityNodeObject.cpp

  Log Message:
  -----------
  Cherry-pick ecb40fdcddf8. rdar://118118138

    AX: VoiceOver does not announce button in text if button is in shadow root
    https://bugs.webkit.org/show_bug.cgi?id=264410
    rdar://118118138

    Reviewed by Tyler Wilcock.

    In shadow DOM elements, if text was within nested elements, textUnderElement would not include it.

    This patch resolves that by adding to our logic for when we decide whether or not to skip a child's
    text. Instead of just checking whether the child's parent and the current node match, we also check
    that the elements are either both in the DOM or Shadow DOM.

    * LayoutTests/accessibility/custom-elements/shadow-element-text-expected.txt: Added.
    * LayoutTests/accessibility/custom-elements/shadow-element-text.html: Added.
    * LayoutTests/platform/glib/accessibility/custom-elements/shadow-element-text-expected.txt: Added.
    * Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
    (WebCore::AccessibilityNodeObject::textUnderElement const):

    Canonical link: https://commits.webkit.org/270542@main

Canonical link: https://commits.webkit.org/267815.558@safari-7617-branch


  Commit: 01a91d6ceb99639aa6b0f6efd97e36c9b4c66915
      https://github.com/WebKit/WebKit/commit/01a91d6ceb99639aa6b0f6efd97e36c9b4c66915
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Source/WebKit/WebProcess/WebProcess.h

  Log Message:
  -----------
  Cherry-pick 0532f1c87a63. rdar://117840925

    RELEASE_ASSERT() under GPUProcessConnection::create(IPC::Connection&)
    https://bugs.webkit.org/show_bug.cgi?id=264612
    rdar://117840925

    Reviewed by Brent Fulgham.

    When a WebProcess requests a connection to the GPUProcess, the UIProcess
    needs to pass preferences for this WebProcess. Preferences are associated
    with WebPages and thus we cannot initiate a connection to the GPUProcess
    before a WebPage has been created.

    I had tried to add an assertion to this effect in
    GPUProcessConnection::create(). However, my assertion was a little
    stricter than needed and could get hit in the wild. It is sufficient for
    a process to have ever had a WebPage (The WebProcessProxy stores the
    preferences locally), we don't need to have a living WebPage at the
    moment when the connection gets requested.

    * Source/WebKit/WebProcess/GPU/GPUProcessConnection.cpp:
    (WebKit::GPUProcessConnection::create):
    * Source/WebKit/WebProcess/WebProcess.cpp:
    (WebKit::WebProcess::createWebPage):
    * Source/WebKit/WebProcess/WebProcess.h:
    (WebKit::WebProcess::hasEverHadAnyWebPages const):
    (WebKit::WebProcess::hasWebPages const): Deleted.

    Canonical link: https://commits.webkit.org/270569@main

Canonical link: https://commits.webkit.org/267815.559@safari-7617-branch


  Commit: f49fc0217a7340a03b7aa183b11a8fd51748a412
      https://github.com/WebKit/WebKit/commit/f49fc0217a7340a03b7aa183b11a8fd51748a412
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/MANIFEST.in
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py

  Log Message:
  -----------
  Cherry-pick 270025@main (db7018ee6d1d). rdar://117742552

    [webkit*py] Fix excluded directories in published packages
    https://bugs.webkit.org/show_bug.cgi?id=263970
    rdar://117742552

    Reviewed by Elliott Williams.

    * Tools/Scripts/libraries/webkitscmpy/MANIFEST.in: Add json data files and testing directory.
    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/setup.py: Include 'tests.hooks' directory, bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Bump version.

    Canonical link: https://commits.webkit.org/270025@main

Canonical link: https://commits.webkit.org/267815.560@safari-7617-branch


  Commit: 03fee131ee16682260bd94949ad38236ceeb71e6
      https://github.com/WebKit/WebKit/commit/03fee131ee16682260bd94949ad38236ceeb71e6
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py

  Log Message:
  -----------
  Cherry-pick 270059@main (219eb0bb7b43). rdar://116915892

    [AutoInstall] prefer wheels whenever possible (Follow-up fix)
    https://bugs.webkit.org/show_bug.cgi?id=263119
    rdar://116915892

    Reviewed by Elliott Williams and Sam Sneddon.

    Wheel installs of rapidfuzz aren't valid for all configurations, and
    it doesn't take long to install manually.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Opt out of wheel for rapidfuzz.

    Canonical link: https://commits.webkit.org/270059@main

Canonical link: https://commits.webkit.org/267815.561@safari-7617-branch


  Commit: 2c7b4d735beae5a071a24ac58eb14d486298e1fb
      https://github.com/WebKit/WebKit/commit/2c7b4d735beae5a071a24ac58eb14d486298e1fb
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitbugspy/setup.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/bugzilla.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/bugzilla.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/bugzilla_unittest.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py

  Log Message:
  -----------
  Cherry-pick 270193@main (9c049cef55a9). rdar://113880142

    [webkitbugspy] Set keywords on issues
    https://bugs.webkit.org/show_bug.cgi?id=260184
    rdar://113880142

    Reviewed by Dewei Zhu.

    Tools and services should be able to add and remove keywords from
    radars and bugzillas.

    * Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/bugzilla.py:
    (Tracker.set): Add ability to set keywords.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py:
    (Issue.set_keywords): Set keywords in tracker implementation.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/bugzilla.py:
    (Bugzilla._issue): Mock adding and setting keywords.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py:
    (RadarModel.keywords): Pull from pre-constructed Keyword objects.
    (RadarModel.remove_keyword): Remove a keyword from the issue.
    (RadarModel.add_keyword): Add a keyword to the issue.
    (RadarClient.keywords_for_name): List all keywords starting with a given string.
    (Radar.__init__): Construct set of available keywords.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
    (Tracker.__init__): Keep track of previously queried keywords.
    (Tracker.set): Add and remove keywords from a radar.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/bugzilla_unittest.py:
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py:

    Canonical link: https://commits.webkit.org/270193@main

Canonical link: https://commits.webkit.org/267815.562@safari-7617-branch


  Commit: 8df98929a02a589586c9de4058337248c1bbffc9
      https://github.com/WebKit/WebKit/commit/8df98929a02a589586c9de4058337248c1bbffc9
  Author: Brianna Fan <bfan2 at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py

  Log Message:
  -----------
  Cherry-pick 270375@main (a4e364130e7c). rdar://98992367

    [git-webkit] `git revert` does not produce a meaningful commit message
    https://bugs.webkit.org/show_bug.cgi?id=243947
    rdar://problem/98992367

    Reviewed by Jonathan Bedard.

    Changes to logic so git revert is no longer a blank template.
    Also prevents git-webkit revert from affecting future commits on main.
    A better commit message for git revert is in the works!

    * Tools/Scripts/hooks/prepare-commit-msg:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
    (Revert):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
    (TestRevert.test_github):
    (TestRevert.test_github_two_step):
    (test_update):

    Canonical link: https://commits.webkit.org/270375@main

Canonical link: https://commits.webkit.org/267815.563@safari-7617-branch


  Commit: 6cb696dca06798b6ec487528fe314ff35487fe9e
      https://github.com/WebKit/WebKit/commit/6cb696dca06798b6ec487528fe314ff35487fe9e
  Author: Brianna Fan <bfan2 at apple.com>
  Date:   2023-11-10 (Fri, 10 Nov 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg

  Log Message:
  -----------
  Cherry-pick 270395@main (4d16e41d72b5). https://bugs.webkit.org/show_bug.cgi?id=264416

    [git-webkit] update method name
    https://bugs.webkit.org/show_bug.cgi?id=264416

    Reviewed by Jonathan Bedard.

    Updates method name when called to match def.

    * Tools/Scripts/hooks/prepare-commit-msg:

    Canonical link: https://commits.webkit.org/270395@main

Canonical link: https://commits.webkit.org/267815.564@safari-7617-branch


  Commit: b47331a3371291586bf4b4d3a0c029aa44cac219
      https://github.com/WebKit/WebKit/commit/b47331a3371291586bf4b4d3a0c029aa44cac219
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-13 (Mon, 13 Nov 2023)

  Changed paths:
    M Source/WebCore/rendering/TextBoxPainter.cpp

  Log Message:
  -----------
  Cherry-pick f9ec06b716a3. rdar://117897402

    Crash under TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox
    https://bugs.webkit.org/show_bug.cgi?id=264728
    rdar://117897402

    Reviewed by Alan Baradlay.

    * Source/WebCore/rendering/TextBoxPainter.cpp:
    (WebCore::TextBoxPainter<TextBoxPath>::collectDecoratingBoxesForTextBox):

    There appears to be some case where parentInlineBox is not found. Add null checking.

    Canonical link: https://commits.webkit.org/270634@main

Canonical link: https://commits.webkit.org/267815.565@safari-7617-branch


  Commit: af7c136e799e9ca15c14f3bb7ff17c4eaea4f869
      https://github.com/WebKit/WebKit/commit/af7c136e799e9ca15c14f3bb7ff17c4eaea4f869
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-11-13 (Mon, 13 Nov 2023)

  Changed paths:
    R JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/GetPutInfo.h
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/runtime/SymbolTable.cpp
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Reverting https://commits.webkit.org/267815.345@safari-7617-branch
https://bugs.webkit.org/show_bug.cgi?id=264767
rdar://117838992

Reviewed by Michael Saboff.

* JSTests/stress/arrow-function-captured-arguments-aliased.js: Removed.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/GetPutInfo.h:
(JSC::initializationModeName):
(JSC::isInitialization):
* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::tryCreate):
(JSC::ScopedArgumentsTable::tryClone):
(JSC::ScopedArgumentsTable::trySetLength):
(JSC::ScopedArgumentsTable::trySetWatchpointSet): Deleted.
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::localToEntry):
(JSC::SymbolTable::cloneScopePart):
* Source/JavaScriptCore/runtime/SymbolTable.h:

Canonical link: https://commits.webkit.org/267815.566@safari-7617-branch


  Commit: a595ddd8348df277766ac9bd8b31f8fb8d31a0e0
      https://github.com/WebKit/WebKit/commit/a595ddd8348df277766ac9bd8b31f8fb8d31a0e0
  Author: Vitor Roriz <vitor.roriz at apple.com>
  Date:   2023-11-14 (Tue, 14 Nov 2023)

  Changed paths:
    A LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt
    A LayoutTests/fonts/font-cache-memory-pressure-crash.html
    M Source/WebCore/platform/graphics/FontCascadeFonts.cpp

  Log Message:
  -----------
  Adding last resort font to System Font fallback set for PUA characters
https://bugs.webkit.org/show_bug.cgi?id=264737
rdar://117805319

Reviewed by Brent Fulgham.

Until now, when we are purging inactive font data, we would just clear
the glyph page cache if we had to purge a system fallback font.
This means that we consider that the glyph page cache would only point to
fonts from the system font fallback set.

When we are handling Unicode characters in the Private Use Area (PUA) block,
we shouldn't fall back to system fonts searching for a font that can render
them, per spec: https://www.w3.org/TR/css-fonts-4/#char-handling-issues
Instead, we render glyph 0 with the last resort font. However, this
font is just added to the custom font cache, and its font pointer in the
glyph page cache is not cleared during memory pressure.

We should add this font to the system font fallback set, to make sure
that the associated font pointer is removed from the glyph page cache
during memory pressure.

* LayoutTests/fonts/font-cache-memory-pressure-crash.html: Added.
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::FontCascadeFonts::glyphDataForVariant):
* LayoutTests/fonts/font-cache-memory-pressure-crash-expected.txt: Added.

Canonical link: https://commits.webkit.org/267815.567@safari-7617-branch


  Commit: f4f2cd51180585cb8b1b0b3ab931b208890188de
      https://github.com/WebKit/WebKit/commit/f4f2cd51180585cb8b1b0b3ab931b208890188de
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-14 (Tue, 14 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm

  Log Message:
  -----------
  Cherry-pick 270672 at main (923ed5177ec0). rdar://118083889

    hideContentUntilPendingUpdate callbacks can be processed too late after the transaction and cause flickering.
    https://bugs.webkit.org/show_bug.cgi?id=264531
    <rdar://118083889>

    Reviewed by Tim Horton.

    The callbacks for DispatchAfterEnsuringDrawing get processed at the end of the transaction, after we've already told
    the client that we've committed the transaction. In some cases, this can cause them to be included as a separate CA
    commit, and cause flickering.

    This adds a pre-transaction check for a callback for hideContentUntilPendingUpdate, and clears the reply id, so that we
    re-attach the root layer as part of the main commit.

    * Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm:
    (WebKit::RemoteLayerTreeDrawingAreaProxy::commitLayerTreeTransaction):
    (WebKit::RemoteLayerTreeDrawingAreaProxy::hideContentUntilPendingUpdate):

    Canonical link: https://commits.webkit.org/270672@main

Canonical link: https://commits.webkit.org/267815.568@safari-7617-branch


  Commit: 5ebdf97c0a262d969ac46d810393df920269bdc4
      https://github.com/WebKit/WebKit/commit/5ebdf97c0a262d969ac46d810393df920269bdc4
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-11-15 (Wed, 15 Nov 2023)

  Changed paths:
    M Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp

  Log Message:
  -----------
  Use-after-free in processResponse in ServiceWorkerFetch.cpp
rdar://118039950

Reviewed by Chris Dumez.

Cancelling the stream can trigger GC when creating the DOMException JS wrapper.
This might collect the FetchResponse object.
To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.

* Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::processResponse):

Canonical link: https://commits.webkit.org/267815.569@safari-7617-branch


  Commit: fc6f62059d44a5a8fe66f28b74ceb23cb0dad447
      https://github.com/WebKit/WebKit/commit/fc6f62059d44a5a8fe66f28b74ceb23cb0dad447
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2023-11-15 (Wed, 15 Nov 2023)

  Changed paths:
    A LayoutTests/ipc/argumentParser.js
    A LayoutTests/ipc/fuzz_tools.js
    A LayoutTests/ipc/media-player-invalid-test-expected.txt
    A LayoutTests/ipc/media-player-invalid-test.html
    M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
    M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h
    M Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp

  Log Message:
  -----------
  [CoreIPC] heap-use-after-free in WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856

Reviewed by Jean-Yves Avenard and Eric Carlson.

Error only hit in internal testing. Object was referenced after deletion. Updated `MockMediaPlayer` to use a weak pointer for `m_player` instead of a reference and added checks to methods to check that `m_player` exists before trying to read/write.

* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed `m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):

Canonical link: https://commits.webkit.org/267815.570@safari-7617-branch


  Commit: c8a04244eba3b8f0a159a8f34517da2aaf5f2d97
      https://github.com/WebKit/WebKit/commit/c8a04244eba3b8f0a159a8f34517da2aaf5f2d97
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt
    A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html
    M Source/WebCore/dom/ContainerNode.cpp

  Log Message:
  -----------
  Cherry-pick 268451.4@webkit-2023.9-embargoed (f554230ef55f). rdar://116715621

    DOM: Make sure to set tree scope during parser insertion
    https://bugs.webkit.org/show_bug.cgi?id=263178
    rdar://116715621

    Reviewed by Ryosuke Niwa.

    It is possible for an element to be reparented, e.g., to a shadow
    tree before parsing has finished, so we need to make sure to set the
    correct tree scope for a new element during parsing insertion,
    otherwise it might end up associated to the wrong tree scope.

    * LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt: Added.
    * LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html: Added.
    * Source/WebCore/dom/ContainerNode.cpp:
    (WebCore::ContainerNode::parserInsertBefore):

    Canonical link: https://commits.webkit.org/268451.4@webkit-2023.9-embargoed

Canonical link: https://commits.webkit.org/267815.571@safari-7617-branch


  Commit: 5ffbdced75c17e24789e73111bd7d84a58b13d61
      https://github.com/WebKit/WebKit/commit/5ffbdced75c17e24789e73111bd7d84a58b13d61
  Author: Ryan Haddad <ryanhaddad at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M LayoutTests/platform/mac-wk2/TestExpectations

  Log Message:
  -----------
  9 http/tests/webgpu/webgpu/api/operation layout tests failing / crashing
rdar://118523595

Unreviewed test gardening.

* LayoutTests/platform/mac-wk2/TestExpectations: Disable the tests.

Canonical link: https://commits.webkit.org/267815.572@safari-7617-branch


  Commit: dc1fdd5e22583db440043b056474326a8d29e9de
      https://github.com/WebKit/WebKit/commit/dc1fdd5e22583db440043b056474326a8d29e9de
  Author: Pascoe <pascoe at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Tools/Scripts/VCSUtils.pm

  Log Message:
  -----------
  Cherry-pick 268261@main (4c4d08c5189c). rdar://115458379

    Remove check for space in REAL_NAME
    https://bugs.webkit.org/show_bug.cgi?id=261538
    rdar://115458379

    Reviewed by Jonathan Bedard.

    Not all real names contain spaces.

    * Tools/Scripts/VCSUtils.pm:
    (changeLogName):
    Remove check for space in name.

    Canonical link: https://commits.webkit.org/268261@main

Canonical link: https://commits.webkit.org/267815.573@safari-7617-branch


  Commit: 49ba637c4abb0596b9c1260f50a8dcfa4bacbcb9
      https://github.com/WebKit/WebKit/commit/49ba637c4abb0596b9c1260f50a8dcfa4bacbcb9
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Source/JavaScriptCore/b3/B3LowerToAir.cpp
    M Source/JavaScriptCore/b3/air/AirValidate.cpp

  Log Message:
  -----------
  Extr can overflow when imm=64, allowing a random register to be read
rdar://118515062

Reviewed by Yusuke Suzuki.

Extr can overflow when imm=64, allowing a random register to be read.

* Source/JavaScriptCore/b3/B3LowerToAir.cpp:
* Source/JavaScriptCore/b3/air/AirValidate.cpp:

Canonical link: https://commits.webkit.org/267815.574@safari-7617-branch
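The commit above names the failure but not the mechanism. The following is an added illustration, not JavaScriptCore or B3/Air code, of how an unchecked immediate in an ARM64 EXTR encoder ends up selecting a different source register. The field layout is the one the Arm Architecture Reference Manual gives for 64-bit EXTR (sf=1 in bit 31, opcode 00 100111 in bits 30:23, N=1 in bit 22, o0=0 in bit 21, Rm in bits 20:16, the lsb immediate in bits 15:10, Rn in bits 9:5, Rd in bits 4:0); the encoder, field readers and validator are my own, and the register names are examples.

```cpp
// Added example, not JavaScriptCore code: a hand-written ARM64 EXTR encoder
// showing why lsb == 64 reads the wrong register, and the range check that
// a validator should enforce before emission.
#include <cassert>
#include <cstdint>
#include <cstdio>

// 64-bit EXTR with all operand fields zero: sf=1, 00, 100111, N=1, o0=0.
static const uint32_t kExtr64Base = 0x93C00000u;

// Unchecked encoder, modelled on an emitter that trusts its caller. The lsb
// immediate is shifted straight into imms; nothing stops lsb == 64.
static uint32_t encodeExtr64Unchecked(unsigned rd, unsigned rn, unsigned rm, unsigned lsb) {
    return kExtr64Base | (rm << 16) | (lsb << 10) | (rn << 5) | rd;
}

// Field readers used to show what the CPU will actually decode.
static unsigned rmField(uint32_t insn)  { return (insn >> 16) & 0x1f; }
static unsigned lsbField(uint32_t insn) { return (insn >> 10) & 0x3f; }
static unsigned rnField(uint32_t insn)  { return (insn >> 5) & 0x1f; }
static unsigned rdField(uint32_t insn)  { return insn & 0x1f; }

// Checked encoder: the guard a validator should enforce. Registers must fit
// in 5 bits and lsb must be below the 64-bit register width. Returns 0 on a
// rejected operand; 0 is never a valid EXTR encoding because the opcode bits
// of kExtr64Base are always set.
static uint32_t encodeExtr64(unsigned rd, unsigned rn, unsigned rm, unsigned lsb) {
    if (rd > 31 || rn > 31 || rm > 31 || lsb > 63)
        return 0;
    return encodeExtr64Unchecked(rd, rn, rm, lsb);
}

int main() {
    // lsb = 64 is 0b1000000: its top bit lands in bit 16, the low bit of Rm.
    uint32_t bad = encodeExtr64Unchecked(0, 1, 2, 64);
    std::printf("requested extr x0, x1, x2, #64 -> decodes as extr x%u, x%u, x%u, #%u (0x%08x)\n",
                rdField(bad), rnField(bad), rmField(bad), lsbField(bad), bad);
    // Rm decodes as x3 and lsb as 0: the instruction silently reads x3, not x2.
    std::printf("checked encoder accepts #64? %s\n", encodeExtr64(0, 1, 2, 64) ? "yes" : "no");
    return 0;
}
```

With lsb 64 the immediate field wraps to 0 and the carry sets the low bit of Rm, so `extr x0, x1, x2, #64` is emitted as `extr x0, x1, x3, #0`, which copies x3 into x0. Whichever value happens to be in the neighbouring register is what the JIT-compiled code then reads, which is the "random register" in the title; a validator that rejects lsb outside 0..63 before lowering closes the hole.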


  Commit: 4c3430842100df9a75863cff220e5579922db08c
      https://github.com/WebKit/WebKit/commit/4c3430842100df9a75863cff220e5579922db08c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
    M Source/WebCore/loader/cache/CachedCSSStyleSheet.h

  Log Message:
  -----------
  Crash under PAL::newTextCodec(PAL::TextEncoding const&)
https://bugs.webkit.org/show_bug.cgi?id=264979
rdar://118267012

Reviewed by Brent Fulgham.

There is evidence from crashes in the wild that the CachedCSSStyleSheet or
the TextResourceDecoder are being used after getting freed. To prevent this,
protect both these objects in the code path identified by the crashes.

This is a speculative fix but it should be very safe.

* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didFinishLoading):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::finishLoading):
(WebCore::CachedCSSStyleSheet::protectedDecoder const):
* Source/WebCore/loader/cache/CachedCSSStyleSheet.h:

Canonical link: https://commits.webkit.org/267815.575@safari-7617-branch
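Three of the fixes in this digest use the same two lifetime techniques: the ServiceWorkerFetch and CachedCSSStyleSheet commits "protect" an object with a strong reference for the duration of a code path that can otherwise drop its last owner, and the MockMediaSourcePrivate commit replaces a reference with a weak pointer that is checked before each use. The following is an added example, not WebKit code, that shows both patterns on a toy model: std::shared_ptr stands in for Ref/RefPtr, std::weak_ptr for WeakPtr, and the class and function names (Response, Player, SourcePrivate, cancelStream) are illustrative.

```cpp
// Added example, not WebKit code. std::shared_ptr stands in for WebKit's
// Ref/RefPtr and std::weak_ptr for WTF::WeakPtr; the object names are
// illustrative only.
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>

// Registry of live objects so the example can *report* a use-after-free
// instead of dereferencing freed memory (the role ASan plays in the bug titles).
static std::set<const void*> g_live;
static bool isLive(const void* p) { return g_live.count(p) != 0; }

struct Response {
    Response() { g_live.insert(this); }
    ~Response() { g_live.erase(this); }
    bool consumed = false;
};

// Stand-in for "cancelling the stream": it runs arbitrary code (GC, in the
// real bug) which may drop the caller's last strong reference to the response.
static void cancelStream(std::shared_ptr<Response>& lastOwner) {
    lastOwner.reset();
}

// BEFORE: the callback holds only a raw pointer. Returns true when the access
// after cancellation would hit a destroyed object (a use-after-free). The
// dangling pointer is only compared against the registry, never dereferenced.
static bool rawPointerCallbackUsesFreedObject() {
    auto owner = std::make_shared<Response>();
    Response* raw = owner.get();
    cancelStream(owner);          // last reference dropped: Response destroyed
    return !isLive(raw);          // the real code would dereference `raw` here
}

// AFTER: the callback captures a strong reference ("protect" the object), so
// it stays alive for the whole callback no matter what cancelStream triggers.
static bool protectedCallbackIsSafe() {
    auto owner = std::make_shared<Response>();
    auto protectedResponse = owner;   // what Ref<Response> captured by the lambda does
    cancelStream(owner);
    if (!isLive(protectedResponse.get()))
        return false;
    protectedResponse->consumed = true;   // safe: still alive
    return protectedResponse->consumed;
}

struct Player {
    int readyState = 0;
};

// Non-owning back-reference to an object whose lifetime we do not control,
// as with MockMediaSourcePrivate::m_player after the fix: every use goes
// through a checked lookup instead of a reference that may be dangling.
class SourcePrivate {
public:
    explicit SourcePrivate(const std::shared_ptr<Player>& player) : m_player(player) {}
    bool markEndOfStream() {
        if (auto player = m_player.lock()) {
            player->readyState = 1;
            return true;
        }
        return false;   // player already gone: skip instead of crashing
    }
private:
    std::weak_ptr<Player> m_player;
};

static bool weakPtrCheckSurvivesOwnerDeath() {
    auto player = std::make_shared<Player>();
    SourcePrivate source(player);
    bool before = source.markEndOfStream();   // true: player alive
    player.reset();                           // owner destroyed
    bool after = source.markEndOfStream();    // false: no use-after-free
    return before && !after;
}

int main() {
    std::printf("raw pointer callback UAF: %d\n", rawPointerCallbackUsesFreedObject());
    std::printf("protected callback safe:  %d\n", protectedCallbackIsSafe());
    std::printf("weak pointer check safe:  %d\n", weakPtrCheckSurvivesOwnerDeath());
    return 0;
}
```

The two patterns answer different questions. Protecting with a strong reference is right when the code path needs the object to exist until it returns (a decoder mid-way through finishLoading, a response being handed to a stream). A weak pointer is right when the holder must not extend the other object's lifetime and can tolerate its absence, which is why the fix for m_player pairs the pointer with a check at every access rather than with a Ref.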


  Commit: 680ce288888eba3803120b722cdb240a7b5fa23f
      https://github.com/WebKit/WebKit/commit/680ce288888eba3803120b722cdb240a7b5fa23f
  Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj

  Log Message:
  -----------
  Unreviewed, fix iOS production builds after 270071@main

Fix the following build error:
```
Undefined symbols for architecture arm64e:
  "_JSContextGetGlobalObject", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
      WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
  "_JSObjectMake", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
  "_JSValueProtect", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
  "_JSValueToBoolean", referenced from:
      WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
  "_JSValueUnprotect", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
  "WTR::setProperty(OpaqueJSContext const*, OpaqueJSValue*, char const*, bool)", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
  "WTR::objectProperty(OpaqueJSContext const*, OpaqueJSValue*, std::initializer_list<char const*>)", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
      WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
  "WTR::callConstructor(OpaqueJSContext*, char const*, std::initializer_list<OpaqueJSValue const*>)", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
  "WTR::call(OpaqueJSContext const*, OpaqueJSValue*, char const*, std::initializer_list<OpaqueJSValue const*>)", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
      WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
  "WTR::makeValue(OpaqueJSContext const*, char const*)", referenced from:
      WTR::sendTestRenderedEvent(OpaqueJSContext*) in WPTFunctions.o
      WTR::hasTestWaitAttribute(OpaqueJSContext*) in WPTFunctions.o
  "WTF::URL::host() const", referenced from:
      WTR::isWebPlatformTestURL(WTF::URL const&) in WPTFunctions.o
  "WTF::URL::port() const", referenced from:
      WTR::isWebPlatformTestURL(WTF::URL const&) in WPTFunctions.o
ld: symbol(s) not found for architecture arm64e
clang: error: linker command failed with exit code 1 (use -v to see invocation)
```

...by removing `WPTFunctions.o` from the `WebKitTestRunner` binary
target. This is the correct thing to do because we pull in the symbols
in the `WPTFunctions` TU through the `WebKitTestRunnerLibrary` target
anyways, and because we don't link against WTF/JSC/etc. when building
the `WebKitTestRunner` binary on iOS.

* Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj:

Canonical link: https://commits.webkit.org/267815.576@safari-7617-branch


  Commit: b0a755e3442625316297f97cb763d966732ab6c8
      https://github.com/WebKit/WebKit/commit/b0a755e3442625316297f97cb763d966732ab6c8
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/Structure.cpp

  Log Message:
  -----------
  Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
https://bugs.webkit.org/show_bug.cgi?id=265067
rdar://118548733

Reviewed by Justin Michaud and Mark Lam.

Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink the butterfly for named properties (no other code does it).
Compiler threads rely on the fact that normally named property storage is never shrunk. And we should catch this exceptional case by taking a cellLock
in the compiler thread. But flattenDictionaryStructure is not taking the cellLock correctly.

This patch computes afterOutOfLineCapacity first to detect whether this flattening will shrink the butterfly.
And if it does, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.

* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch


  Commit: 0e322e7b896dde0d7061593c60b2e485c74a3e7e
      https://github.com/WebKit/WebKit/commit/0e322e7b896dde0d7061593c60b2e485c74a3e7e
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-11-17 (Fri, 17 Nov 2023)

  Changed paths:
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml

  Log Message:
  -----------
  Revert b16d10297d26. rdar://118303187

Canonical link: https://commits.webkit.org/267815.578@safari-7617-branch


  Commit: 8d60b5b0fc0bf03ecb035205cf864c57bf7598e2
      https://github.com/WebKit/WebKit/commit/8d60b5b0fc0bf03ecb035205cf864c57bf7598e2
  Author: Andy Estes <aestes at apple.com>
  Date:   2023-11-19 (Sun, 19 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/GroupActivities/WKGroupSession.swift

  Log Message:
  -----------
  Cherry-pick 267921@main (849790f00ff0). rdar://115260515

    [Cocoa] Fix warnings in WebKitSwift
    https://bugs.webkit.org/show_bug.cgi?id=261389
    rdar://115260515

    Reviewed by Richard Robinson.

    - Added availability annotations to public types.
    - Replaced deprecated Task APIs with modern replacements.
    - Removed the unnecessary WK prefix from Swift types.

    * Source/WebKit/UIProcess/Cocoa/GroupActivities/WKGroupSession.swift:
    (GroupSessionWrapper.activityWrapper):
    (GroupSessionWrapper.activity):
    (GroupSessionWrapper.wrapperSessionState(_:)):
    (GroupSessionWrapper.state):
    (GroupSessionWrapper.newActivityCallback):
    (GroupSessionWrapper.stateChangedCallback):
    (GroupSessionWrapper.activityChanged(_:)):
    (GroupSessionWrapper.stateChanged(_:)):
    (GroupSessionObserver.newSessionCallback):
    (GroupSessionObserver.incomingSessionsTask):
    (GroupSessionObserver.receivedSession(_:)):
    (WKURLActivityWrapper.urlActivity): Deleted.
    (WKURLActivityWrapper.fallbackURL): Deleted.
    (WKGroupSessionWrapper.groupSession): Deleted.
    (WKGroupSessionWrapper.cancellables): Deleted.
    (WKGroupSessionWrapper.activity): Deleted.
    (WKGroupSessionWrapper.uuid): Deleted.
    (WKGroupSessionWrapper.wrapperSessionState(_:)): Deleted.
    (WKGroupSessionWrapper.state): Deleted.
    (WKGroupSessionWrapper.newActivityCallback): Deleted.
    (WKGroupSessionWrapper.stateChangedCallback): Deleted.
    (WKGroupSessionWrapper.join): Deleted.
    (WKGroupSessionWrapper.leave): Deleted.
    (WKGroupSessionWrapper.coordinate(_:)): Deleted.
    (WKGroupSessionWrapper.activityChanged(_:)): Deleted.
    (WKGroupSessionWrapper.stateChanged(_:)): Deleted.
    (WKGroupSessionObserver.newSessionCallback): Deleted.
    (WKGroupSessionObserver.incomingSessionsTask): Deleted.
    (WKGroupSessionObserver.receivedSession(_:)): Deleted.

    Canonical link: https://commits.webkit.org/267921@main

Canonical link: https://commits.webkit.org/267815.579@safari-7617-branch


  Commit: fe2eff8251a9b7d202dc5273a96261f472f531e0
      https://github.com/WebKit/WebKit/commit/fe2eff8251a9b7d202dc5273a96261f472f531e0
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log
    M LayoutTests/imported/w3c/web-platform-tests/html/dom/reflection-metadata-expected.txt
    M Source/WebCore/html/HTMLLinkElement.idl
    M Source/WebCore/html/HTMLStyleElement.idl

  Log Message:
  -----------
  Cherry-pick 9ea548224a00. rdar://118676659

    Safari blocking JS reading nonce for <style> and <link>
    https://bugs.webkit.org/show_bug.cgi?id=265173
    rdar://118676659

    Reviewed by Antti Koivisto.

    Some leftover nonce IDL included [Reflect] and therefore those elements
    had the older-but-now-bogus nonce semantics.

    Tests have been synchronized and new tests in nonces.html are
    upstreamed here:
    https://github.com/web-platform-tests/wpt/pull/43280

    The new test failures in WPT html/dom/reflection-metadata.html are
    expected and match all other browsers. I filed an upstream issue on
    that test here:
    https://github.com/web-platform-tests/wpt/issues/43286

    * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonce-hiding-move-document.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/nonces.html:
    * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/nonce-hiding/w3c-import.log:
    * LayoutTests/imported/w3c/web-platform-tests/html/dom/reflection-metadata-expected.txt:
    * Source/WebCore/html/HTMLLinkElement.idl:
    * Source/WebCore/html/HTMLStyleElement.idl:

    Canonical link: https://commits.webkit.org/271046@main

Identifier: 267815.580@safari-7617-branch


  Commit: 18a4c97059d7a2c958e226374e611aceec58cbed
      https://github.com/WebKit/WebKit/commit/18a4c97059d7a2c958e226374e611aceec58cbed
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    A LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak-expected.txt
    A LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak.html
    M Source/WebCore/loader/ImageLoader.cpp
    M Source/WebCore/loader/ImageLoader.h

  Log Message:
  -----------
  Cherry-pick 78e4577732ca. rdar://117683012

    Memory consumption/leak with img out of viewport and lazy loading
    https://bugs.webkit.org/show_bug.cgi?id=263521

    Reviewed by Chris Dumez.

    This change fixes the problem of a dynamically created (in JS)
    HTMLImageElement dangling when it is detached from the document before loading of the resource
    starts. It happened when an img element was created (dynamically) with lazy loading
    and the element was outside the viewport (the loading of the resource is deferred until
    the img element becomes visible). If the element was removed from the document it
    became a dangling element and would never be deleted by GC.

    * Source/WebCore/loader/ImageLoader.cpp:
    (WebCore::ImageLoader::hasPendingActivity const):

    To avoid leaking the dynamically created element, the pending activity of
    the element should check whether the load of the resource has actually started.
    A similar check is done in the case of a static HTMLImageElement in
    ImageLoader::updatedHasPendingEvent.

    * Source/WebCore/loader/ImageLoader.h:
    (WebCore::ImageLoader::hasPendingActivity const): Deleted.

    Moved implementation to cpp file.

    * LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak-expected.txt: Added.
    * LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak.html: Added.

    Canonical link: https://commits.webkit.org/270745@main

Identifier: 267815.581@safari-7617-branch


  Commit: 93db3d3b51385837c58ee23e605c8c8ccbdcfbea
      https://github.com/WebKit/WebKit/commit/93db3d3b51385837c58ee23e605c8c8ccbdcfbea
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    A LayoutTests/fast/text/text-indent-with-intrusive-float-expected.html
    A LayoutTests/fast/text/text-indent-with-intrusive-float.html
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp

  Log Message:
  -----------
  Cherry-pick b741d4c7aa56. rdar://118701491

    (REGRESSION: 267587@main) Text indent is incorrect when paragraph is affected by a floating element
    https://bugs.webkit.org/show_bug.cgi?id=265216
    <rdar://problem/118701491>

    Reviewed by Antti Koivisto.

    Before 267587@main (which merged all the float constraints codepaths), we ignored the text-indent during the _initial_ constraint computation
    and adjusted the line rect later.
    At 267587@main, we started adding the text-indent value twice to the line rect; first while computing the initial constraint and
    the second time when we would normally add it.

    * LayoutTests/fast/text/text-indent-with-intrusive-float-expected.html: Added.
    * LayoutTests/fast/text/text-indent-with-intrusive-float.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp:
    (WebCore::Layout::LineBuilder::initialConstraintsForLine const): Let's go back to "before 267587@main" state.
    (WebCore::Layout::LineBuilder::floatConstrainedRect const): Add some comment and change variable names to reflect what they mean.

    Canonical link: https://commits.webkit.org/271080@main

Identifier: 267815.582 at safari-7617-branch


  Commit: 38275fdf977520ef1e680e98220d488b288db590
      https://github.com/WebKit/WebKit/commit/38275fdf977520ef1e680e98220d488b288db590
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    R LayoutTests/fast/text/text-indent-with-intrusive-float-expected.html
    R LayoutTests/fast/text/text-indent-with-intrusive-float.html
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp

  Log Message:
  -----------
  Revert "Cherry-pick b741d4c7aa56. rdar://118701491"

This reverts commit 93db3d3b51385837c58ee23e605c8c8ccbdcfbea.

Identifier: 267815.583 at safari-7617-branch


  Commit: 46ce31f93de5157cba523d2498923fe5c3acbffe
      https://github.com/WebKit/WebKit/commit/46ce31f93de5157cba523d2498923fe5c3acbffe
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm

  Log Message:
  -----------
  Cherry-pick 9ed78dcdcb4a. rdar://118249650

    REGRESSION (270325 at main): Overrelease of NSColor under PageClientImpl::appUsesCustomAccentColor
    https://bugs.webkit.org/show_bug.cgi?id=264845
    <rdar://problem/118312264>

    Reviewed by Aditya Keerthi, Chris Dumez and Simon Fraser.

    * Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
    (WebKit::PageClientImpl::appUsesCustomAccentColor):
    We don't own these colors, don't adopt them.

    Canonical link: https://commits.webkit.org/270735@main

Identifier: 267815.584 at safari-7617-branch


  Commit: 9af375238082c83527b954cddc166233b4446492
      https://github.com/WebKit/WebKit/commit/9af375238082c83527b954cddc166233b4446492
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-11-27 (Mon, 27 Nov 2023)

  Changed paths:
    A LayoutTests/fast/text/line-break-after-whitespace-with-min-max-assert-expected.txt
    A LayoutTests/fast/text/line-break-after-whitespace-with-min-max-assert.html
    M Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp
    M Source/WebCore/layout/formattingContexts/inline/InlineLine.cpp

  Log Message:
  -----------
  Cherry-pick 270942 at main (9d772d9e5412).
[IFC] Cached maximum inline content should be able to handle trailing line break (265074)
rdar://118858714

Reviewed by Antti Koivisto.

Restore trimmed trailing whitespace when followed by hard line break (<br>).

* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):

Canonical link: https://commits.webkit.org/267815.585@safari-7617-branch


  Commit: e408ece1b8a7e9a6214bcc3555b53341c52bd7b9
      https://github.com/WebKit/WebKit/commit/e408ece1b8a7e9a6214bcc3555b53341c52bd7b9
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm

  Log Message:
  -----------
  GraphicsContextGLCocoa::setDrawingBufferColorSpace is missing makeContextCurrent()
https://bugs.webkit.org/show_bug.cgi?id=265129
rdar://118650182

Reviewed by Dan Glastonbury.

All public API entrypoints in GraphicsContextGLANGLE should call
makeContextCurrent().

* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
(WebCore::GraphicsContextGLCocoa::setDrawingBufferColorSpace):

Canonical link: https://commits.webkit.org/267815.586@safari-7617-branch


  Commit: db3f6a7dbf337db63c6b86f3de31954d819c9024
      https://github.com/WebKit/WebKit/commit/db3f6a7dbf337db63c6b86f3de31954d819c9024
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp
    M Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp

  Log Message:
  -----------
  ANGLE eglBindTexImage ASSERT when overwriting a binding
https://bugs.webkit.org/show_bug.cgi?id=265127
rdar://118649807

Reviewed by Dan Glastonbury.

glBindTexture(GL_TEXTURE_2D, tex);
eglBindTexImage(.., pbuffer, ...);
  - Would set the Surface::mBoundTexture of pbuffer
  - Would set the Texture::mBoundSurface of tex
eglBindTexImage(.., pbuffer2, ...);
  - Would set the Surface::mBoundTexture of pbuffer2
  - Would set the Texture::mBoundSurface of tex
  - Would fail to unset Surface::mBoundTexture of pbuffer

Fix by making the unset logic linear, avoiding
Surface -> Texture -> Surface call sequence.

* Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp:
(egl::Surface::bindTexImage):
* Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp:
(gl::Texture::bindTexImageFromSurface):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp:

Canonical link: https://commits.webkit.org/267815.587@safari-7617-branch
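
Illustration added here, not part of the commit above or of ANGLE's sources: a small C++ model of the Surface <-> Texture pairing the message names (Surface::mBoundTexture, Texture::mBoundSurface). The bind functions, the staleBindings() checker and the rebindScenario() driver are this example's own; they reproduce the two-pbuffer sequence from the message and show the stale back-pointer that the linear unset removes.

```cpp
// Added example, not ANGLE's or WebKit's code. Models the Surface <-> Texture
// back-pointer pairing named in the commit message with hypothetical bind
// functions, to show how a rebind can leave a stale pointer and how a linear
// unset avoids it.
#include <cstddef>
#include <vector>

struct Texture;

struct Surface {
    Texture* mBoundTexture = nullptr;  // back-pointer to the texture bound to this pbuffer
};

struct Texture {
    Surface* mBoundSurface = nullptr;  // forward pointer to the currently bound pbuffer
};

// Buggy sequence (hypothetical reconstruction of the pre-fix behaviour): both
// sides are updated for the *new* pairing, but the texture's previous surface
// is never told, so its mBoundTexture keeps pointing at tex.
void bindTexImageBuggy(Surface& pbuffer, Texture& tex) {
    pbuffer.mBoundTexture = &tex;
    tex.mBoundSurface = &pbuffer;
}

// Fixed sequence: detach the texture's previous surface first, in one linear
// step, then establish the new pairing. No surface keeps a back-pointer to a
// texture that has moved on.
void bindTexImageFixed(Surface& pbuffer, Texture& tex) {
    Surface* previous = tex.mBoundSurface;
    if (previous && previous != &pbuffer)
        previous->mBoundTexture = nullptr;  // the unset the buggy path skipped
    pbuffer.mBoundTexture = &tex;
    tex.mBoundSurface = &pbuffer;
}

// Counts surfaces whose back-pointer claims tex even though tex is bound
// elsewhere: the inconsistent state that an overwrite assertion would catch.
size_t staleBindings(const std::vector<const Surface*>& surfaces, const Texture& tex) {
    size_t stale = 0;
    for (const Surface* s : surfaces)
        if (s->mBoundTexture == &tex && tex.mBoundSurface != s)
            ++stale;
    return stale;
}

// Runs the two-pbuffer scenario from the commit message with the given bind
// function and reports how many stale back-pointers remain afterwards.
size_t rebindScenario(void (*bind)(Surface&, Texture&)) {
    Texture tex;
    Surface pbuffer, pbuffer2;
    bind(pbuffer, tex);   // first eglBindTexImage: pbuffer <-> tex
    bind(pbuffer2, tex);  // second eglBindTexImage overwrites the binding
    return staleBindings({&pbuffer, &pbuffer2}, tex);
}
```

rebindScenario(bindTexImageBuggy) leaves one stale surface (pbuffer still claims tex); rebindScenario(bindTexImageFixed) leaves none.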


  Commit: 06c609f334b49e10380cf589f8ae47bb5a792f93
      https://github.com/WebKit/WebKit/commit/06c609f334b49e10380cf589f8ae47bb5a792f93
  Author: Elliott Williams <emw at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py

  Log Message:
  -----------
  Cherry-pick 270666 at main (0472cd19455a). rdar://118344315

    [autoinstall] Recognize wheels which are purely precompiled shared libraries
    https://bugs.webkit.org/show_bug.cgi?id=264755
    rdar://118344315

    Reviewed by Jonathan Bedard.

    Some projects, like https://pypi.org/project/jq/, distribute wheels that
    are currently unrecognized because they don't contain a file whose name
    exactly matches the project name. (In jq's case, it has a
    "jq.cpython-39-darwin.so" but not a "jq" in the wheel.)

    Per PEP-491, wheels don't have to have files whose names match the
    package name, so our check is overzealous. Remove it.

    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
    (Package.install):

    Canonical link: https://commits.webkit.org/270666@main

Canonical link: https://commits.webkit.org/267815.588@safari-7617-branch


  Commit: 951d2bdd58418f39550d4772322dbdcfb087941e
      https://github.com/WebKit/WebKit/commit/951d2bdd58418f39550d4772322dbdcfb087941e
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py

  Log Message:
  -----------
  Cherry-pick 270736 at main (fca112b99b35). rdar://118406906

    [webkitscmpy] Add commit status to pull-request
    https://bugs.webkit.org/show_bug.cgi?id=264827
    rdar://118406906

    Reviewed by Elliott Williams.

    Add commit status and associated mock support to webkitscmpy for future use.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py:
    (BitBucket.__init__): Add "statuses" dictionary.
    (BitBucket.request): Respond with mock commit status.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py:
    (GitHub.__init__): Add "statuses" dictionary.
    (GitHub._commit_response): Respond with mock commit status.
    (GitHub.request): Handle commit URLs with trailing path arguments.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py:
    (PullRequest.Status): Added.
    (PullRequest.Status.Encoder): Added JSON decoder.
    (PullRequest.statuses): Return all commit statuses on the current pull-request object.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py:
    (BitBucket.PRGenerator.statuses): Populate commit statuses in pull-request object.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
    (GitHub.PRGenerator.statuses): Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py:
    (Scm.PRGenerator.statuses):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:

    Canonical link: https://commits.webkit.org/270736@main

Canonical link: https://commits.webkit.org/267815.589@safari-7617-branch


  Commit: 55537835892be35c58996b1aa3679c3bff6e6cc0
      https://github.com/WebKit/WebKit/commit/55537835892be35c58996b1aa3679c3bff6e6cc0
  Author: Ben Schwartz <ben_schwartz at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py

  Log Message:
  -----------
  Cherry-pick 270738 at main (6695e0a431f1). rdar://117214203

    [webkitbugspy] Implement ability to perform Radar search queries.
    rdar://117214203
    https://bugs.webkit.org/show_bug.cgi?id=263383

    Reviewed by Jonathan Bedard.

    Allows callers to perform Radar search queries as part of `webkitbugspy.Radar`.

    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
    (Tracker):
    (Tracker.search): Perform Radar search from passed query parameters.

    Canonical link: https://commits.webkit.org/270738@main

Canonical link: https://commits.webkit.org/267815.590@safari-7617-branch


  Commit: b00ebd125dafb9130732e3a9d9991b9666a0771c
      https://github.com/WebKit/WebKit/commit/b00ebd125dafb9130732e3a9d9991b9666a0771c
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitbugspy/setup.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py

  Log Message:
  -----------
  Cherry-pick 270922 at main (7812e1fae6d3). rdar://117502065

    [webkitbugspy] Gracefully handle null duplicate
    https://bugs.webkit.org/show_bug.cgi?id=263694
    rdar://117502065

    Reviewed by Elliott Williams.

    * Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
    (Tracker.populate): If the provided relationship object doesn't define a
    related radar, skip that relationship.

    Canonical link: https://commits.webkit.org/270922@main

Canonical link: https://commits.webkit.org/267815.591@safari-7617-branch


  Commit: eabd2c6ea32ed9341e0f801728327973d79172a9
      https://github.com/WebKit/WebKit/commit/eabd2c6ea32ed9341e0f801728327973d79172a9
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg

  Log Message:
  -----------
  Cherry-pick 270921 at main (88a259f2f225). rdar://118144919

    [git-webkit] Handle multiple bugs associated with a single branch
    https://bugs.webkit.org/show_bug.cgi?id=264450
    rdar://118144919

    Reviewed by Elliott Williams.

    Parse `git config` output backwards to prefer newer config values.
    Except for bugs, only allow a single line to be passed to the template
    via 'git config'. For bugs, we should only allow a single bug from each
    tracker to be associated with the issue.

    * Tools/Scripts/hooks/prepare-commit-msg:

    Canonical link: https://commits.webkit.org/270921@main

Canonical link: https://commits.webkit.org/267815.592@safari-7617-branch


  Commit: 59fa3df4b872d92507c0c17595a8a7472b35d218
      https://github.com/WebKit/WebKit/commit/59fa3df4b872d92507c0c17595a8a7472b35d218
  Author: Brianna Fan <bfan2 at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py

  Log Message:
  -----------
  Cherry-pick 270930 at main (cab7e2d834d9). rdar://117270674

    [git-webkit revert] Commit message should present more useful information
    https://bugs.webkit.org/show_bug.cgi?id=263456
    rdar://117270674

    Reviewed by Jonathan Bedard.

    Commit message is formatted after webkit patch workflow.
    Changed git-webkit revert logic to support these changes and future work.

    * Tools/Scripts/hooks/prepare-commit-msg:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
    (Revert.parser):
    (Revert.get_issue_info):
    (Revert):
    (Revert.create_revert_commit_msg):
    (Revert.revert_commit):
    (Revert.main):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:

    Canonical link: https://commits.webkit.org/270930@main

Canonical link: https://commits.webkit.org/267815.593@safari-7617-branch


  Commit: 7ee16f6de0944badbfb8a25bb01acd37838f17e2
      https://github.com/WebKit/WebKit/commit/7ee16f6de0944badbfb8a25bb01acd37838f17e2
  Author: Erica Li <lerica at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt
    A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html
    M Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp

  Log Message:
  -----------
  [3a7d43b31aba54c5] ASAN_SEGV | Layout::LineBoxBuilder::constructInlineLevelBoxes; Layout::LineBoxBuilder::build; Layout::InlineFormattingContext::createDisplayContentForInlineContent
https://bugs.webkit.org/show_bug.cgi?id=265107
rdar://118424612

Reviewed by Alan Baradlay.

Bail out createDisplayContentForLineFromCachedContent when restoreTrimmedTrailingWhitespace failed.

* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt: Added.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):

Canonical link: https://commits.webkit.org/267815.594@safari-7617-branch


  Commit: 2a1f2e7acfe29eba7ea3a6d210a3bcdfdc327739
      https://github.com/WebKit/WebKit/commit/2a1f2e7acfe29eba7ea3a6d210a3bcdfdc327739
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
    A LayoutTests/fast/rendering/render-list-marker-select.html
    M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp

  Log Message:
  -----------
  jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454

Reviewed by Alan Baradlay.

Null pointer dereference error caused by the render tree being ordered incorrectly. RenderListMarker
was being placed inside RenderMenuList, where RenderListMarker and RenderMenuList should be on
the same level and in RenderListItem.

* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): Added a check to ensure RenderListMarker isn't placed inside
RenderMenuList but can be placed at the same level (i.e., as a sibling).

Canonical link: https://commits.webkit.org/267815.595@safari-7617-branch


  Commit: 56db4a6608ff6087ec78e412bdb87beab54e4989
      https://github.com/WebKit/WebKit/commit/56db4a6608ff6087ec78e412bdb87beab54e4989
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-11-30 (Thu, 30 Nov 2023)

  Changed paths:
    M Source/WTF/wtf/PlatformEnableCocoa.h
    M Source/WebKit/Configurations/WebContentService.Crashy.xcconfig
    M Source/WebKit/Configurations/WebContentService.xcconfig
    M Source/WebKit/Scripts/process-entitlements.sh
    M Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm
    M Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
    M Source/WebKit/UIProcess/Launcher/cocoa/ProcessLauncherCocoa.mm
    M Source/WebKit/UIProcess/WebProcessPool.cpp
    M Source/WebKit/UIProcess/WebProcessPool.h
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/WebKit.xcodeproj/project.pbxproj
    M Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm

  Log Message:
  -----------
  Cherry-pick 269395 at main (39451bfc571). rdar://118902452

    Eliminate Test Code to crash a WebKit XPC service
    https://bugs.webkit.org/show_bug.cgi?id=263045
    rdar://115678493

    Reviewed by Timothy Hatcher and Alex Christensen.

    Remove WebContent.Crashy XPC process as it has served its purpose and is no longer needed.

    * Source/WTF/wtf/PlatformEnableCocoa.h:
    * Source/WebKit/Configurations/WebContentCrashyExtension.xcconfig: Removed.
    * Source/WebKit/Configurations/WebContentService.Crashy.xcconfig: Removed.
    * Source/WebKit/Configurations/WebContentService.xcconfig:
    * Source/WebKit/Scripts/process-entitlements.sh:
    * Source/WebKit/Shared/AuxiliaryProcessExtensions/WebContentExtension-Crashy-Info.plist: Removed.
    * Source/WebKit/Shared/AuxiliaryProcessExtensions/com.apple.WebKit.appexpt:
    * Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.mm:
    (WebKit::XPCServiceInitializerDelegate::getExtraInitializationData):
    * Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm:
    (WebKit::WebProcessPool::platformInitialize):
    (isInternalBuild): Deleted.
    (canaryInBaseState): Deleted.
    (WebKit::WebProcessPool::initializeShouldCrashWhenCreatingWebProcess): Deleted.
    * Source/WebKit/UIProcess/Launcher/cocoa/ProcessLauncherCocoa.mm:
    (WebKit::webContentServiceName):
    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::createNewWebProcess):
    (WebKit::WebProcessPool::forEachProcessForSession):
    * Source/WebKit/UIProcess/WebProcessPool.h:
    * Source/WebKit/UIProcess/WebProcessProxy.cpp:
    (WebKit::WebProcessProxy::getLaunchOptions):
    (WebKit::WebProcessProxy::createForWebContentCrashy): Deleted.
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    (WebKit::WebProcessProxy::isCrashyProcess const): Deleted.
    (WebKit::WebProcessProxy::setIsCrashyProcess): Deleted.
    * Source/WebKit/WebKit.xcodeproj/project.pbxproj:
    * Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:
    (WebKit::WebProcess::platformInitializeProcess):
    (WebKit::deliberateCrashForTesting): Deleted.

    Canonical link: https://commits.webkit.org/269395@main

Canonical link: https://commits.webkit.org/267815.596@safari-7617-branch


  Commit: 0285858ad48343d201434f22bf0fb8e59eddadad
      https://github.com/WebKit/WebKit/commit/0285858ad48343d201434f22bf0fb8e59eddadad
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-11-30 (Thu, 30 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.2

Identifier: 267815.597 at safari-7617-branch


  Commit: 464bf890aaf8aa1f96fbd56c7ab9fc443f5cf41e
      https://github.com/WebKit/WebKit/commit/464bf890aaf8aa1f96fbd56c7ab9fc443f5cf41e
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-30 (Thu, 30 Nov 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Revert "Versioning."

This reverts commit 0285858ad48343d201434f22bf0fb8e59eddadad.

Identifier: 267815.598 at safari-7617-branch


  Commit: 38eae99cb36f1ab069262d4c89e24c75bfbe4796
      https://github.com/WebKit/WebKit/commit/38eae99cb36f1ab069262d4c89e24c75bfbe4796
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-11-30 (Thu, 30 Nov 2023)

  Changed paths:
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp

  Log Message:
  -----------
  Apply patch. rdar://118701491

Identifier: 267815.599 at safari-7617-branch


  Commit: ab2019dbf67e5e1f83a854aa1d631a9093e5f0d4
      https://github.com/WebKit/WebKit/commit/ab2019dbf67e5e1f83a854aa1d631a9093e5f0d4
  Author: Brianna Fan <bfan2 at apple.com>
  Date:   2023-12-01 (Fri, 01 Dec 2023)

  Changed paths:
    M Tools/CISupport/ews-build/steps.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py

  Log Message:
  -----------
  Cherry-pick 271247 at main (4622c40ca092). rdar://118208532

    webkitscmpy: Radar URLs in GitHub pick up surrounding punctuation
    rdar://118208532

    Reviewed by Jonathan Bedard.

    Adds more punctuation to be ignored when constructing the link.

    * Tools/CISupport/ews-build/steps.py:
    (UpdatePullRequest.escape_html):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py:
    (PullRequest.escape_html):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:

    Canonical link: https://commits.webkit.org/271247@main

Canonical link: https://commits.webkit.org/267815.600@safari-7617-branch


  Commit: 8f85372e680cb400b39dbf2bc3b4830cf411dc67
      https://github.com/WebKit/WebKit/commit/8f85372e680cb400b39dbf2bc3b4830cf411dc67
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-12-01 (Fri, 01 Dec 2023)

  Changed paths:
    A LayoutTests/media/content/test-inband-captions.mp4
    A LayoutTests/media/track/track-in-band-layout-expected.txt
    A LayoutTests/media/track/track-in-band-layout.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/html/track/InbandGenericTextTrack.cpp
    M Source/WebCore/html/track/TextTrackCueGeneric.cpp
    M Source/WebCore/html/track/TextTrackCueGeneric.h
    M Source/WebCore/html/track/VTTCue.h
    M Source/WebCore/platform/graphics/InbandGenericCue.cpp
    M Source/WebCore/platform/graphics/InbandGenericCue.h
    M Source/WebCore/platform/graphics/avfoundation/InbandTextTrackPrivateAVF.cpp
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Cherry-pick 53b6a4522e45. rdar://119024855

    REGRESSION(265596 at main): [Cocoa] In-band captions generate large, line-wrapped cues
    https://bugs.webkit.org/show_bug.cgi?id=265635
    rdar://119024855

    Reviewed by Eric Carlson.

    When modernizing VTTCue, TextTrackCueGeneric was not sufficiently updated to take advantage
    of the correct layout implemented by VTTCue. Specifically, TextTrackCueGeneric still queried
    VTTCueBox::fontSizeFromCaptionUserPrefs(), which was no longer set, and caused the cue width
    to be incorrectly set to zero.

    Remove that dead method, and remove most of the implementation of
    TextTrackCueGenericBoxElement::applyCSSProperties, relying instead upon VTTCueBoxElement's
    implementation.

    In order to correctly position TextTrackCueGeneric objects created from AVFoundation, set
    the resulting cue's positionAlign() to "Center" by way of GenericCueData. This causes VTTCue
    to position the cue relative to the cue's center point, which is the same way AVFoundation
    represents the cue's position.

    * LayoutTests/media/content/test-inband-captions.mp4: Added.
    * LayoutTests/media/track/track-in-band-layout-expected.txt: Added.
    * LayoutTests/media/track/track-in-band-layout.html: Added.
    * Source/WebCore/html/track/InbandGenericTextTrack.cpp:
    (WebCore::InbandGenericTextTrack::updateCueFromCueData):
    * Source/WebCore/html/track/TextTrackCueGeneric.cpp:
    (WebCore::TextTrackCueGenericBoxElement::applyCSSProperties):
    (WebCore::TextTrackCueGeneric::setBaseFontSizeRelativeToVideoHeight):
    (WebCore::TextTrackCueGeneric::setFontSizeMultiplier):
    (WebCore::TextTrackCueGeneric::setFontSize): Deleted.
    * Source/WebCore/html/track/TextTrackCueGeneric.h:
    * Source/WebCore/html/track/VTTCue.h:
    (WebCore::VTTCueBox::setFontSizeFromCaptionUserPrefs): Deleted.
    (WebCore::VTTCueBox::fontSizeFromCaptionUserPrefs const): Deleted.
    * Source/WebCore/platform/graphics/InbandGenericCue.cpp:
    (WebCore::InbandGenericCue::toJSONString const):
    * Source/WebCore/platform/graphics/InbandGenericCue.h:
    (WebCore::GenericCueData::GenericCueData):
    (WebCore::InbandGenericCue::positionAlign const):
    (WebCore::InbandGenericCue::setPositionAlign):
    * Source/WebCore/platform/graphics/avfoundation/InbandTextTrackPrivateAVF.cpp:
    (WebCore::InbandTextTrackPrivateAVF::processAttributedStrings):
    * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

    Canonical link: https://commits.webkit.org/271415@main

Canonical link: https://commits.webkit.org/267815.601@safari-7617-branch


  Commit: fbe4e864f2f178cca10ced7c3fee6bd84297762f
      https://github.com/WebKit/WebKit/commit/fbe4e864f2f178cca10ced7c3fee6bd84297762f
  Author: Brianna Fan <bfan2 at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py

  Log Message:
  -----------
  Cherry-pick 271425 at main (8bab728f7562). rdar://119050672

    [git-webkit pr] Make Terminal prompting more intuitive
    https://bugs.webkit.org/show_bug.cgi?id=265697
    rdar://119050672

    Reviewed by Jonathan Bedard.

    Add explanation of "Retry" option and restore Yes/No.

    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.pre_pr_checks):

    Canonical link: https://commits.webkit.org/271425@main

Canonical link: https://commits.webkit.org/267815.602@safari-7617-branch


  Commit: 762aaf1448a2f358e20eee8916bb1946763f5085
      https://github.com/WebKit/WebKit/commit/762aaf1448a2f358e20eee8916bb1946763f5085
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py

  Log Message:
  -----------
  Cherry-pick 271474 at main (0a57a82da90d). rdar://119050672

    [git-webkit pr] Make Terminal prompting more intuitive (Follow-up)
    https://bugs.webkit.org/show_bug.cgi?id=265697
    rdar://119050672

    Unreviewed follow-up fix.

    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.pre_pr_checks): Continue with upload if user says "Yes" to ignoring checker errors.

    Canonical link: https://commits.webkit.org/271474@main

Canonical link: https://commits.webkit.org/267815.603@safari-7617-branch


  Commit: be0cdb2167205e785d640be8b5c830ddd942abaa
      https://github.com/WebKit/WebKit/commit/be0cdb2167205e785d640be8b5c830ddd942abaa
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.2.2

Identifier: 267815.604 at safari-7617-branch


  Commit: 347a7fcbc77405a30fe4af5a4b31ffb6fc20d576
      https://github.com/WebKit/WebKit/commit/347a7fcbc77405a30fe4af5a4b31ffb6fc20d576
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    M Source/WebCore/editing/FrameSelection.cpp
    M Tools/TestWebKitAPI/Tests/ios/KeyboardInputTestsIOS.mm

  Log Message:
  -----------
  Cherry-pick a20779d6520d. rdar://118401826

    HTML notes is showing gray underline for autocorrection
    https://bugs.webkit.org/show_bug.cgi?id=265050
    rdar://118401826

    Reviewed by Wenson Hsieh.

    Before 266070 at main, the caret color on iOS was almost always blue (specifically, always except for
    when the caret color was explicitly set by the CSS author). The change was needed on macOS because
    otherwise some sites would have overlapping carets. The commit changed both macOS and iOS to be more
    consistent, and more compliant with the CSS spec. However, while this did technically improve web
    compatibility in iOS, it made things worse than they were before:

    - The caret on iOS is now almost always black (it is on macOS too, but it is worse on iOS because
    the caret was always blue previously)

    - It has caused several issues in apps with custom tint colors (like https://bugs.webkit.org/show_bug.cgi?id=263123
    and several others)

    This specific bug is due to the fact that the correct underlines directly use the caret color. The
    reason the commit that addressed the color of the caret itself on iOS and not this color as well
    is because the two colors come from different paths, and the fix only fixed the actual caret
    (insertion point) color.

    To fix, and prevent similar bugs, undo the part of 266070 at main that changed the iOS behavior. This
    restores the previous behavior, in addition to fixing this bug.

    * Source/WebCore/editing/FrameSelection.cpp:
    (WebCore::CaretBase::computeCaretColor):

    Canonical link: https://commits.webkit.org/271278@main

Identifier: 267815.605 at safari-7617-branch


  Commit: f2ba7a5d0dd0ff434e236bcde9df86cfed98d58b
      https://github.com/WebKit/WebKit/commit/f2ba7a5d0dd0ff434e236bcde9df86cfed98d58b
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
    A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch

  Log Message:
  -----------
  [WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>

Reviewed by Youenn Fablet.

* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.

* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.

Canonical link: https://commits.webkit.org/267815.606@safari-7617-branch


  Commit: 7fa29f992225cad4da4ad899b5325a37e0cb22a5
      https://github.com/WebKit/WebKit/commit/7fa29f992225cad4da4ad899b5325a37e0cb22a5
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
    A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch

  Log Message:
  -----------
  [WebRTC] Out-of-bounds crash in webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>

Reviewed by Youenn Fablet.

* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers.  This
  matches the check in SsDataLength(), but that's called later when
  initializing fields in RtpPacketizerVp9.

* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.

Canonical link: https://commits.webkit.org/267815.607@safari-7617-branch
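
Illustration added here, not part of either WebRTC commit above or of libwebrtc: the defensive pattern both changes apply, in C++ with hypothetical names. Vp9Header stands in for RTPVideoHeaderVP9; kMaxSpatialLayers, the lower bound of 1 and the SS-data byte layout are assumptions of this example; ssDataLengthAssertOnly() and ssDataLengthChecked() contrast a debug-only assertion with the runtime check that a packetizer writing into a fixed buffer needs.

```cpp
// Added example, not libwebrtc's code. Shows why a bound on a header field
// (num_spatial_layers) must be a runtime check rather than a debug assertion
// when the field later sizes a write into a fixed buffer. Struct, constants
// and layout are assumptions of this example.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <optional>

constexpr uint8_t kMaxSpatialLayers = 8;  // assumed upper bound; sizes the stack buffer below

struct Vp9Header {                        // hypothetical stand-in for RTPVideoHeaderVP9
    uint8_t num_spatial_layers = 1;
    bool    resolution_present = false;   // whether a width/height pair follows per layer
};

// Hypothetical SS-data layout: 1 header byte, plus 4 bytes per layer when
// resolutions are present.
constexpr size_t kSsHeaderBytes   = 1;
constexpr size_t kBytesPerLayer   = 4;
constexpr size_t kSsDataCapacity  = kSsHeaderBytes + kBytesPerLayer * kMaxSpatialLayers;

// Before: the bound is only a debug assertion. In a release build it compiles
// out, so an out-of-range header makes the caller's buffer too small.
size_t ssDataLengthAssertOnly(const Vp9Header& hdr) {
    assert(hdr.num_spatial_layers >= 1 && hdr.num_spatial_layers <= kMaxSpatialLayers);
    size_t length = kSsHeaderBytes;
    if (hdr.resolution_present)
        length += kBytesPerLayer * hdr.num_spatial_layers;
    return length;
}

// After: the same bound is a runtime check whose failure the caller must handle.
std::optional<size_t> ssDataLengthChecked(const Vp9Header& hdr) {
    if (hdr.num_spatial_layers < 1 || hdr.num_spatial_layers > kMaxSpatialLayers)
        return std::nullopt;              // reject rather than trust the header
    size_t length = kSsHeaderBytes;
    if (hdr.resolution_present)
        length += kBytesPerLayer * hdr.num_spatial_layers;
    return length;
}

// Packetizer step that writes SS data into a fixed buffer. Returns the number
// of bytes written, or 0 when the header was rejected, so the write never
// exceeds the capacity the caller passed.
size_t writeSsData(const Vp9Header& hdr, uint8_t* out, size_t capacity) {
    std::optional<size_t> length = ssDataLengthChecked(hdr);
    if (!length || *length > capacity)
        return 0;
    out[0] = static_cast<uint8_t>(hdr.num_spatial_layers - 1);  // layer count, N_S style
    for (size_t i = kSsHeaderBytes; i < *length; ++i)
        out[i] = 0;                       // placeholder resolution bytes
    return *length;
}

// Drives writeSsData with a stack buffer sized for the maximum layer count.
size_t packetizeScenario(uint8_t num_spatial_layers, bool resolution_present) {
    uint8_t buffer[kSsDataCapacity];
    return writeSsData(Vp9Header{num_spatial_layers, resolution_present}, buffer, sizeof buffer);
}
```

packetizeScenario(3, true) writes 13 bytes; packetizeScenario(9, true) and packetizeScenario(0, false) write nothing because the header fails the runtime check, whereas the assert-only variant would have computed an over-long length in a build with assertions disabled.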


  Commit: e09e3cd2f3dbf6f63f88aa196a65d6ba903a4695
      https://github.com/WebKit/WebKit/commit/e09e3cd2f3dbf6f63f88aa196a65d6ba903a4695
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2023-12-04 (Mon, 04 Dec 2023)

  Changed paths:
    A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
    A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
    M Source/WebCore/platform/graphics/ShadowBlur.cpp

  Log Message:
  -----------
  heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762.

Reviewed by Simon Fraser.

For very large box-shadow sizes, due to floating point precision error,
ImageBuffer::getPixelBuffer returns a 'PixelBuffer' whose size
is not the same as the passed size. This causes a buffer overflow/underflow
issue for these large sizes. In order to fix it, we now use the same
size as the allocated 'PixelBuffer' size even though it could be slightly
different from the original size.

* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size.

Canonical link: https://commits.webkit.org/267815.608@safari-7617-branch


  Commit: deb881141e09d62a0c29691af346d3a0c83929cf
      https://github.com/WebKit/WebKit/commit/deb881141e09d62a0c29691af346d3a0c83929cf
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-05 (Tue, 05 Dec 2023)

  Changed paths:
    M Tools/TestWebKitAPI/Tests/ios/KeyboardInputTestsIOS.mm

  Log Message:
  -----------
  Build fix for 267815.605@safari-7617-branch (347a7fcbc774)

Unreviewed build fix.

* Tools/TestWebKitAPI/Tests/ios/KeyboardInputTestsIOS.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/267815.609@safari-7617-branch


  Commit: 8d4c34c207267cc1c5653ffffbafb34cc4efeb92
      https://github.com/WebKit/WebKit/commit/8d4c34c207267cc1c5653ffffbafb34cc4efeb92
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-05 (Tue, 05 Dec 2023)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h

  Log Message:
  -----------
  [macOS] WebContent crash in WTF::deallocateSendRightSafely under ~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202

Reviewed by Chris Dumez.

After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue, we now protect it in RemoteDisplayListRecorderProxy with a lock.

* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:

Canonical link: https://commits.webkit.org/267815.610@safari-7617-branch


  Commit: ca57f6a1de59bc5e5d52295c5d652b500b17f6e8
      https://github.com/WebKit/WebKit/commit/ca57f6a1de59bc5e5d52295c5d652b500b17f6e8
  Author: Erica Li <lerica at apple.com>
  Date:   2023-12-05 (Tue, 05 Dec 2023)

  Changed paths:
    A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt
    A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html
    M Source/WebCore/svg/SVGAnimateMotionElement.cpp
    M Source/WebCore/svg/SVGAnimateMotionElement.h
    M Source/WebCore/svg/SVGMPathElement.cpp
    M Source/WebCore/svg/SVGMPathElement.h

  Log Message:
  -----------
  [72857589b8bce60e] ASAN_ILL | WebCore::TreeScopeOrderedMap::getElementById; WebCore::TreeScope::getElementById; WebCore::SVGURIReference::targetElementFromIRIString.
https://bugs.webkit.org/show_bug.cgi?id=265562
rdar://118513775

Reviewed by Chris Dumez.

updateAnimationPath should be done after treescope is fully updated.

* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt: Added.
* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html: Added.
* Source/WebCore/svg/SVGAnimateMotionElement.cpp:
(WebCore::SVGAnimateMotionElement::childrenChanged):
* Source/WebCore/svg/SVGAnimateMotionElement.h:
* Source/WebCore/svg/SVGMPathElement.cpp:
(WebCore::SVGMPathElement::removedFromAncestor):
(WebCore::SVGMPathElement::targetPathChanged):
(WebCore::SVGMPathElement::notifyParentOfPathChange): Deleted.
* Source/WebCore/svg/SVGMPathElement.h:

Canonical link: https://commits.webkit.org/267815.611@safari-7617-branch


  Commit: 61598c9bb40b243f894dcc3573c228ac85e336f5
      https://github.com/WebKit/WebKit/commit/61598c9bb40b243f894dcc3573c228ac85e336f5
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-06 (Wed, 06 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm

  Log Message:
  -----------
  HSTS not partitioned for Fetch (according to privacytests.org)
rdar://119047103

Reviewed by Alex Christensen.

When downgrading in WKNetworkSessionDelegate to not use HSTS, we were downgrading by creating the downgraded request and triggering a synthetic redirection.
Fetch is exposing whether a redirection is done via Response.redirected, and this includes synthetic redirections.
This allows a web page to query the HSTS global cache.

To prevent this, we directly downgrade the request and continue the load with the downgraded request.
We do not need the synthetic redirection since the downgraded request should be exactly the same as the initial request.

* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/267815.612@safari-7617-branch


  Commit: b8d1016eb121b4d7b62638a82ce43b47475ca3ec
      https://github.com/WebKit/WebKit/commit/b8d1016eb121b4d7b62638a82ce43b47475ca3ec
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-06 (Wed, 06 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in
    M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.h
    M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.messages.in
    M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.cpp
    M Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.h
    M Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.cpp

  Log Message:
  -----------
  Cherry-pick 57afaa96431b. rdar://112621697

    REGRESSION (iOS 17 Beta): The camera preview is with a wrong resolution for a short time when the iOS User enables/disables the camera
    https://bugs.webkit.org/show_bug.cgi?id=259364
    rdar://112621697

    Reviewed by Jer Noble.

    The fencing mechanism to synchronize UIProcess and GPUProcess layering works properly only on the main thread.
    We therefore need to process the WebProcess to GPUProcess message on the main thread and not in a queue.
    We thus introduce a new GPUConnectionToWebProcess message that will be processed on the main thread.
    We then get the SampleBufferDisplayLayer (via a lock) to call updateSampleLayerBoundsAndPosition, which synchronously updates the bounds.

    * Source/WebCore/platform/graphics/avfoundation/objc/LocalSampleBufferDisplayLayer.mm:
    (WebCore::LocalSampleBufferDisplayLayer::updateSampleLayerBoundsAndPosition):
    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
    (WebKit::GPUConnectionToWebProcess::updateSampleBufferDisplayLayerBoundsAndPosition):
    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.h:
    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:
    * Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.h:
    * Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayer.messages.in:
    * Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.cpp:
    (WebKit::RemoteSampleBufferDisplayLayerManager::close):
    (WebKit::RemoteSampleBufferDisplayLayerManager::dispatchMessage):
    (WebKit::RemoteSampleBufferDisplayLayerManager::createLayer):
    (WebKit::RemoteSampleBufferDisplayLayerManager::releaseLayer):
    (WebKit::RemoteSampleBufferDisplayLayerManager::allowsExitUnderMemoryPressure const):
    (WebKit::RemoteSampleBufferDisplayLayerManager::updateSampleBufferDisplayLayerBoundsAndPosition):
    * Source/WebKit/GPUProcess/webrtc/RemoteSampleBufferDisplayLayerManager.h:
    * Source/WebKit/WebProcess/GPU/webrtc/SampleBufferDisplayLayer.cpp:
    (WebKit::SampleBufferDisplayLayer::updateBoundsAndPosition):

    Canonical link: https://commits.webkit.org/270548@main

Identifier: 267815.613@safari-7617-branch


  Commit: 20a9527d6c2ad1fbf5693b83b8f932a010a9f97c
      https://github.com/WebKit/WebKit/commit/20a9527d6c2ad1fbf5693b83b8f932a010a9f97c
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-06 (Wed, 06 Dec 2023)

  Changed paths:
    A LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners-expected.txt
    A LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners.html
    M Source/WebCore/animation/KeyframeEffect.cpp

  Log Message:
  -----------
  Cherry-pick 4a38bbbd7547. rdar://119244430

    [web-animations] accelerated CSS Animation should not schedule animation resolution at iteration boundary if no CSS Animation event listener was registered (affects reddit.com)
    https://bugs.webkit.org/show_bug.cgi?id=265936
    rdar://119244430

    Reviewed by Antti Koivisto.

    While we don't need to schedule animation resolution for animations that are running accelerated
    to resolve styles, we do need to schedule resolution in order to dispatch `animationiteration`
    events in the case of CSS Animations.

    However, it is unlikely that the content will be interested in such events. As a cheap optimization,
    we can detect whether any CSS Animation event listener is registered for the document to which the
    effect target belongs, and if that is not the case we don't need to schedule animation resolution.

    * LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners-expected.txt: Added.
    * LayoutTests/webanimations/scheduling-of-accelerated-css-animation-without-css-animation-event-listeners.html: Added.
    * Source/WebCore/animation/KeyframeEffect.cpp:
    (WebCore::KeyframeEffect::timeToNextTick const):

    Canonical link: https://commits.webkit.org/271604@main

Identifier: 267815.614@safari-7617-branch


  Commit: dac245db0ce472b930c10ca9cfb87fc9f46844b6
      https://github.com/WebKit/WebKit/commit/dac245db0ce472b930c10ca9cfb87fc9f46844b6
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-06 (Wed, 06 Dec 2023)

  Changed paths:
    M Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj
    M Source/WebCore/PAL/pal/PlatformMac.cmake
    M Source/WebCore/PAL/pal/spi/ios/UIKitSPI.h
    A Source/WebCore/PAL/pal/spi/mac/NSTextTableSPI.h
    M Source/WebCore/editing/cocoa/AttributedString.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm
    M Tools/TestWebKitAPI/ios/UIKitSPI.h

  Log Message:
  -----------
  Cherry-pick 3acbb664bd93. rdar://119035264

    Borders, backgrounds, and other table cell properties are lost when pasting tables into TextEdit
    https://bugs.webkit.org/show_bug.cgi?id=265712
    rdar://119035264

    Reviewed by Richard Robinson.

    Even after the fixes in 266700@main and 269265@main, attributed string serialization is still lossy.
    In the process of preserving table structure in `reconstructStyle` by recreating any
    `NSTextTableBlock` instances that point to separate tables but (originally) belonged to the same
    `NSTextTable` upon encoding, we end up discarding the decoded `NSTextTableBlock`, and only carry
    over some aspects of the block (i.e., row and column information).

    This causes us to lose information about the style and layout of these tables, on various bits of
    state on `NSTextTableBlock` that are populated in `HTMLConverter::_fillInBlock`.

    To fix this, we adopt a UIFoundation SPI, `-_takeValuesFromTextBlock:`, that allows us to copy
    across the entire state of the `NSTextTableBlock` in a way that preserves style and layout
    information, without changing the containing `NSTextTable`, or any of the row/column values.

    * Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj:
    * Source/WebCore/PAL/pal/PlatformMac.cmake:
    * Source/WebCore/PAL/pal/spi/ios/UIKitSPI.h:
    * Source/WebCore/PAL/pal/spi/mac/NSTextTableSPI.h: Added.
    * Source/WebCore/editing/cocoa/AttributedString.mm:
    (WebCore::reconstructStyle):

    Implement the main fix here, by using `-_takeValuesFromTextBlock:` to copy all layout and
    presentational attributes from the original, decoded text block over to the new one that points to
    the correct text table.

    * Tools/TestRunnerShared/spi/UIKitSPIForTesting.h:
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm:

    Canonical link: https://commits.webkit.org/271485@main

Identifier: 267815.615@safari-7617-branch


  Commit: 496b93071e4c723a80e1927d7fd7c276b881e740
      https://github.com/WebKit/WebKit/commit/496b93071e4c723a80e1927d7fd7c276b881e740
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-06 (Wed, 06 Dec 2023)

  Changed paths:
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm

  Log Message:
  -----------
  Follow-up fix for 267815.615@safari-7617-branch (dac245db0ce4)
rdar://119035264

Unreviewed follow-up fix.

Fix the build.

* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewGetContents.mm:

Canonical link: https://commits.webkit.org/267815.616@safari-7617-branch


  Commit: bcce2ea1a9a814f77379ff23279b7717a1214b2c
      https://github.com/WebKit/WebKit/commit/bcce2ea1a9a814f77379ff23279b7717a1214b2c
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html
    M Source/WebCore/rendering/RenderBlock.cpp

  Log Message:
  -----------
  Cherry-pick 270734.5@webkit-embargoed (bd192edd0348). rdar://117914028

    [Content-visibility] RenderTreeNeedsLayoutChecker asserts on fixed positioned box inside skipped subtree
    https://bugs.webkit.org/show_bug.cgi?id=264169
    rdar://117914028

    Reviewed by Alan Baradlay.

    Avoid simplified layout when laying out a content-visibility root with positioned children since
    there is no guarantee the positioned children have been processed in a previous layout due to
    lazy layout of skipped content.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html: Added.
    * Source/WebCore/rendering/RenderBlock.cpp:
    (WebCore::RenderBlock::simplifiedLayout):

    Canonical link: https://commits.webkit.org/270734.5@webkit-2023.11-embargoed

Canonical link: https://commits.webkit.org/267815.617@safari-7617-branch


  Commit: 968b887414d9f0040fef5d9d02dc2c8ea79249c6
      https://github.com/WebKit/WebKit/commit/968b887414d9f0040fef5d9d02dc2c8ea79249c6
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    A LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt
    A LayoutTests/mathml/operator-append-fixed-container-svg-crash.html
    A LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt
    A LayoutTests/mathml/token-append-fixed-container-svg-crash.html
    M Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp
    M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp

  Log Message:
  -----------
  Cherry-pick 270734.4@webkit-embargoed (f765915efb81). rdar://116448289

    MathML does not always handle positioned objects correctly
    https://bugs.webkit.org/show_bug.cgi?id=264636

    Reviewed by Alan Baradlay.

    For mo/mi elements, positioned objects are not laid out at all, so in this
    case the tree is still dirty after layout. Fix this by calling layoutPositionedObjects
    for tokens and operators.

    * LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt: Added.
    * LayoutTests/mathml/operator-append-fixed-container-svg-crash.html: Added.
    * LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt: Added.
    * LayoutTests/mathml/token-append-fixed-container-svg-crash.html: Added.
    * Source/WTF/wtf/Assertions.cpp:
    * Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp:
    (WebCore::RenderMathMLOperator::layoutBlock):
    * Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
    (WebCore::RenderMathMLToken::layoutBlock):

    Canonical link: https://commits.webkit.org/270734.4@webkit-2023.11-embargoed

Canonical link: https://commits.webkit.org/267815.618@safari-7617-branch


  Commit: 2ea6d778fe0fe33d6f28c79667c39a3997c77dd3
      https://github.com/WebKit/WebKit/commit/2ea6d778fe0fe33d6f28c79667c39a3997c77dd3
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    M Tools/TestWebKitAPI/Tests/WebCore/ApplicationManifestParser.cpp

  Log Message:
  -----------
  Apply patch. rdar://119285549

Identifier: 267815.619@safari-7617-branch


  Commit: 038626919ce2425760f1ec5afb08c8750480b120
      https://github.com/WebKit/WebKit/commit/038626919ce2425760f1ec5afb08c8750480b120
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    A LayoutTests/webanimations/scheduling-of-animation-with-display-contents-expected.txt
    A LayoutTests/webanimations/scheduling-of-animation-with-display-contents.html
    A LayoutTests/webanimations/scheduling-of-animation-without-renderer-expected.txt
    A LayoutTests/webanimations/scheduling-of-animation-without-renderer.html
    M Source/WebCore/animation/KeyframeEffect.cpp

  Log Message:
  -----------
  Cherry-pick 452ca171058f. rdar://119191813

    [web-animations] effect targeting an element with `display: none` should not schedule immediate animation resolution (affects reddit.com)
    https://bugs.webkit.org/show_bug.cgi?id=265934
    rdar://119191813

    Reviewed by Simon Fraser and Antti Koivisto.

    Typically, effects that are in their active phase (i.e. their current time is changing from frame
    to frame; see https://drafts.csswg.org/web-animations-1/#animation-effect-active-phase for details)
    will schedule immediate animation resolution. However, there are exceptions: for instance, we don't
    schedule immediate animation resolution if the effect does not affect styles or if the effect is
    running accelerated.

    We now also handle the case where an effect's target does not have a renderer, as would be the case
    if an element has a `display: none` style, making sure to also handle the `display: contents` case
    where a renderer is not created for the target element, but will for its children.

    This helps power usage on reddit.com which has JS-originated animations running infinitely that are
    targeting elements in shadow roots that eventually lose their renderer.

    * LayoutTests/webanimations/scheduling-of-animation-with-display-contents-expected.txt: Added.
    * LayoutTests/webanimations/scheduling-of-animation-with-display-contents.html: Added.
    * LayoutTests/webanimations/scheduling-of-animation-without-renderer-expected.txt: Added.
    * LayoutTests/webanimations/scheduling-of-animation-without-renderer.html: Added.
    * Source/WebCore/animation/KeyframeEffect.cpp:
    (WebCore::KeyframeEffect::ticksContinouslyWhileActive const):

    Canonical link: https://commits.webkit.org/271614@main

Identifier: 267815.620@safari-7617-branch


  Commit: 34dfc8d1af81023b307364bce6be4c4a2d3d082e
      https://github.com/WebKit/WebKit/commit/34dfc8d1af81023b307364bce6be4c4a2d3d082e
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp
    M Source/WebKit/UIProcess/API/gtk/PageClientImpl.h
    M Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp
    M Source/WebKit/UIProcess/API/wpe/PageClientImpl.h
    M Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.cpp
    M Source/WebKit/UIProcess/CoordinatedGraphics/DrawingAreaProxyCoordinatedGraphics.h
    M Source/WebKit/UIProcess/DrawingAreaProxy.cpp
    M Source/WebKit/UIProcess/DrawingAreaProxy.h
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.h
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteLayerTreeDrawingAreaProxy.mm
    M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteLayerTreeDrawingAreaProxyIOS.h
    M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteLayerTreeDrawingAreaProxyIOS.mm
    M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeDrawingAreaProxyMac.h
    M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteLayerTreeDrawingAreaProxyMac.mm
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
    M Source/WebKit/UIProcess/ios/WKContentView.h
    M Source/WebKit/UIProcess/ios/WKContentView.mm
    M Source/WebKit/UIProcess/mac/PageClientImplMac.h
    M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
    M Source/WebKit/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.h
    M Source/WebKit/UIProcess/mac/TiledCoreAnimationDrawingAreaProxy.mm
    M Source/WebKit/UIProcess/mac/WebViewImpl.h
    M Source/WebKit/UIProcess/mac/WebViewImpl.mm
    M Source/WebKit/UIProcess/playstation/PageClientImpl.cpp
    M Source/WebKit/UIProcess/playstation/PageClientImpl.h
    M Source/WebKit/UIProcess/wc/DrawingAreaProxyWC.cpp
    M Source/WebKit/UIProcess/wc/DrawingAreaProxyWC.h
    M Source/WebKit/UIProcess/win/PageClientImpl.cpp
    M Source/WebKit/UIProcess/win/PageClientImpl.h

  Log Message:
  -----------
  Apply patch. rdar://118700595

Identifier: 267815.621@safari-7617-branch


  Commit: 043ef42f31017917e34b2288f2aaa8e7581d5c30
      https://github.com/WebKit/WebKit/commit/043ef42f31017917e34b2288f2aaa8e7581d5c30
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    M Source/WebCore/html/HTMLMediaElement.cpp

  Log Message:
  -----------
  Cherry-pick 9ebaa6b42015. rdar://118902468

    [Media] Don't try to loop if current time or duration is zero
    https://bugs.webkit.org/show_bug.cgi?id=265485
    rdar://118902468

    Reviewed by Jer Noble.

    Don't loop if current time or duration is zero.

    * Source/WebCore/html/HTMLMediaElement.cpp:
    (WebCore::HTMLMediaElement::mediaPlayerTimeChanged):

    Canonical link: https://commits.webkit.org/271256@main

Identifier: 267815.622@safari-7617-branch


  Commit: 430d474531c0feb483cf5ffdf968e7dbdcf3ad4e
      https://github.com/WebKit/WebKit/commit/430d474531c0feb483cf5ffdf968e7dbdcf3ad4e
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-07 (Thu, 07 Dec 2023)

  Changed paths:
    A LayoutTests/js/structuredClone/structured-clone-validation-with-big-int-expected.txt
    A LayoutTests/js/structuredClone/structured-clone-validation-with-big-int.html
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  CloneSerializer/Deserializer's objectPool should match.
https://bugs.webkit.org/show_bug.cgi?id=265975
rdar://118868470

Reviewed by Chris Dumez and Sihui Liu

CloneSerializer and CloneDeserializer use m_gcBuffer for multiple purposes:
1. As an object pool that ObjectReferenceTag refers back to, i.e. the order of its
   entries needs to be consistent between CloneSerializer and CloneDeserializer.
2. As a keep-alive buffer to protect some objects used in the serialization effort.

Purpose (2) conflicts with purpose (1), which can lead to bugs.  This patch disambiguates
between these 2 purposes by introducing m_objectPool for purpose (1), and m_keepAliveBuffer
for purpose (2).

Changes made:
1. Renamed m_objectPool to m_objectPoolMap.
2. Renamed m_gcBuffer to m_objectPool: for tracking the list of objects that ObjectReferenceTag
   can refer to.
3. Added m_keepAliveBuffer to CloneSerializer: for keeping miscellaneous objects alive from the GC.

4. Renamed some method names for clarity:
       CloneSerializer::checkForDuplicate --> CloneSerializer::writeObjectReferenceIfDupe
       CloneSerializer::recordObject --> CloneSerializer::addToObjectPool
       CloneSerializer::startObjectInternal --> CloneSerializer::addToObjectPoolIfNotDupe

5. Used CloneSerializer::addToObjectPoolIfNotDupe instead of the following:
       CloneSerializer::startObject
       CloneSerializer::startArray
       CloneSerializer::startSet
       CloneSerializer::startMap

   The clients of addToObjectPoolIfNotDupe now indicate what object types (indicated by their
   SerializationTags) they are adding.  This makes it easier to compare the serialization and
   deserialization code and make sure that they are equivalent.

   This enables us to audit the type of object being added and provide a sanity check that
   it's also added on the deserializer side.

6. Introduced CloneDeserializer::addToObjectPool() so that we can tag which object type (as
   indicated by its SerializationTag) we're adding to the m_objectPool (instead of calling
   appendWithCrashOnOverflow() on it directly to add objects).

   This enables us to audit the type of object being added and provide a sanity check that
   it's also added on the serializer side.

7. Removed 3 calls to m_gcBuffer.appendWithCrashOnOverflow in the BigIntTag case in
   CloneDeserializer::readBigInt().  This was a bug.

8. Removed the following calls to m_gcBuffer.appendWithCrashOnOverflow in CloneSerializer::serialize:
   a. redundant adding of the JSMap object.  It was already added by startMap(), now addToObjectPoolIfNotDupe().
   b. keep alive of the JSMapIterator object.  It does not need to be in m_objectPool.
   c. keep alive of a map entry value.
   d. redundant adding of the JSSet object.  It was already added by startSet(), now addToObjectPoolIfNotDupe().
   e. keep alive of the JSSetIterator object.  It does not need to be in m_objectPool.

   These were bugs.

9. Renamed the mapObjectStartState and setObjectStartState labels in the deserializer to match the
   mapStartState and setStartState labels in the serializer.  This makes it easier to check the
   equivalency of the operations in the two.

10. Added a validator (see validateSerializedResult()) in the serializer.

   The validator works by running a deserialization pass on the output of the serializer.
   After that, it compares the m_objectPoolTags of the 2 passes, and their entries should
   match.  This ensures that the serializer and deserializer will catch any bugs in the
   serialization / deserialization order of objects.

   a. The validator is only enabled on Debug builds (not built in on Release builds).
   b. The validator is only run when JSC::Options::validateSerializedValue() is true.
   c. The validator is only run when the object graph to be serialized and deserialized
      does not contain any complicated / complex objects.  "complex" here means that
      serialization of such objects cannot be validated this way.
   d. The validator is only run when both serialization and deserialization passes succeed.

   With this validator, we can now fuzz the serializer / deserializer by creating HTML test cases
   where we build an object graph and call structuredClone() on it.  The HTML test will need to have
   the following comment on its 1st line:

       <!-- webkit-test-runner [ jscOptions=--validateSerializedValue=true ] -->

   This will enable the validator when structured cloning is done on that object graph.

* LayoutTests/js/structuredClone/structured-clone-validation-with-big-int-expected.txt: Added.
* LayoutTests/js/structuredClone/structured-clone-validation-with-big-int.html: Added.
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::name):
(WTF::printInternal):
(WebCore::canBeAddedToObjectPool):
(WebCore::CloneBase::objectPoolTags const):
(WebCore::CloneBase::appendObjectPoolTag):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneSerializer::sawComplexCase):
(WebCore::CloneSerializer::didSeeComplexCases const):
(WebCore::CloneSerializer::fillTransferMap):
(WebCore::CloneSerializer::writeObjectReferenceIfDupe):
(WebCore::CloneSerializer::addToObjectPool):
(WebCore::CloneSerializer::addToObjectPoolIfNotDupe):
(WebCore::CloneSerializer::dumpStringObject):
(WebCore::CloneSerializer::dumpArrayBufferView):
(WebCore::CloneSerializer::dumpIfTerminal):
(WebCore::CloneSerializer::writeObjectIndex):
(WebCore::CloneDeserializer::addToObjectPool):
(WebCore::CloneDeserializer::readBigInt):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):
(WebCore::validateSerializedResult):
(WebCore::CloneSerializer::checkForDuplicate): Deleted.
(WebCore::CloneSerializer::recordObject): Deleted.
(WebCore::CloneSerializer::startObjectInternal): Deleted.
(WebCore::CloneSerializer::startObject): Deleted.
(WebCore::CloneSerializer::startArray): Deleted.
(WebCore::CloneSerializer::startSet): Deleted.
(WebCore::CloneSerializer::startMap): Deleted.

Canonical link: https://commits.webkit.org/267815.623@safari-7617-branch
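The object-pool bookkeeping this message describes, as a toy model added here (this is not WebKit's code): a serializer/deserializer pair whose pools ObjectRef indexes, a flag that reproduces the keep-alive-entries-in-the-pool bug, and a validateSerializedResult-style check that deserializes the output and compares the two pools' tags. Every name in it (Token, Serializer, Deserializer, validateRoundTrip, sampleGraph) is this example's own, and the sample graph is constructed.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// A value is either an integer or an identity-bearing object holding child values.
struct Object;
struct Value { bool isObject = false; long number = 0; std::shared_ptr<Object> object; };
struct Object { std::vector<Value> children; };

// Stream tags; KeepAlive never appears in the stream, only in pool bookkeeping.
enum class Tag { Int, ObjectStart, ObjectEnd, ObjectRef, KeepAlive };
struct Token { Tag tag; long payload = 0; };
// Serializer: emits tokens and records, for each pool entry, the tag that added it.
struct Serializer {
    bool buggyKeepAliveInPool = false;           // true: keep-alive entries go into the pool (the bug)
    std::vector<const Object*> objectPool;       // what ObjectRef indices refer to
    std::vector<Tag> objectPoolTags;
    std::vector<const Object*> keepAliveBuffer;  // separate buffer, as in the fixed design
    std::vector<Token> out;
    // Models keeping a traversal helper (e.g. an iterator) for `o` alive during serialization.
    void keepAlive(const Object* o) {
        if (!buggyKeepAliveInPool) { keepAliveBuffer.push_back(o); return; }
        objectPool.push_back(o);                 // shifts every later ObjectRef index by one
        objectPoolTags.push_back(Tag::KeepAlive);
    }
    void write(const Value& v) {
        if (!v.isObject) { out.push_back({Tag::Int, v.number}); return; }
        const Object* o = v.object.get();
        for (std::size_t i = 0; i < objectPool.size(); ++i)  // duplicate: emit a back-reference
            if (objectPool[i] == o) { out.push_back({Tag::ObjectRef, static_cast<long>(i)}); return; }
        objectPool.push_back(o);
        objectPoolTags.push_back(Tag::ObjectStart);
        out.push_back({Tag::ObjectStart, 0});
        keepAlive(o);
        for (const Value& child : o->children) write(child);
        out.push_back({Tag::ObjectEnd, 0});
    }
};

// Deserializer: rebuilds the graph with its own pool, which must come out in the same order.
struct Deserializer {
    const std::vector<Token>& in;
    std::size_t pos = 0; bool failed = false;
    std::vector<std::shared_ptr<Object>> objectPool;
    std::vector<Tag> objectPoolTags;
    explicit Deserializer(const std::vector<Token>& tokens) : in(tokens) {}
    Value read() {
        Value v;
        if (pos >= in.size()) { failed = true; return v; }
        Token t = in[pos++];
        if (t.tag == Tag::Int) { v.number = t.payload; return v; }
        if (t.tag == Tag::ObjectRef) {  // back-reference into the pool built so far
            if (t.payload < 0 || static_cast<std::size_t>(t.payload) >= objectPool.size()) { failed = true; return v; }
            v.isObject = true; v.object = objectPool[static_cast<std::size_t>(t.payload)]; return v;
        }
        if (t.tag != Tag::ObjectStart) { failed = true; return v; }
        auto o = std::make_shared<Object>();
        objectPool.push_back(o);
        objectPoolTags.push_back(Tag::ObjectStart);
        while (pos < in.size() && in[pos].tag != Tag::ObjectEnd) {
            o->children.push_back(read());
            if (failed) return v;
        }
        if (pos >= in.size()) { failed = true; return v; }
        ++pos;  // consume ObjectEnd
        v.isObject = true; v.object = o; return v;
    }
};

// Mirrors validateSerializedResult(): deserialize the output and compare the pool tags.
bool validateRoundTrip(const Serializer& s) {
    Deserializer d(s.out); d.read();
    if (d.failed || d.pos != s.out.size()) return false;
    return d.objectPoolTags == s.objectPoolTags;
}

Value makeInt(long n) { Value v; v.number = n; return v; }
Value makeObject(const std::vector<Value>& children) {
    Value v; v.isObject = true; v.object = std::make_shared<Object>(); v.object->children = children; return v;
}

// Constructed sample graph with one shared reference: root = [shared, shared, 7], shared = [1, 2].
Value sampleGraph() {
    Value shared = makeObject({makeInt(1), makeInt(2)}); return makeObject({shared, shared, makeInt(7)});
}

// Serializes the sample graph with or without the keep-alive bug and runs the validator.
bool roundTripValidates(bool buggyKeepAliveInPool) {
    Serializer s; s.buggyKeepAliveInPool = buggyKeepAliveInPool;
    s.write(sampleGraph());
    return validateRoundTrip(s);  // true for the fixed design, false once the pool is polluted
}

// With the fixed design, both references to `shared` resolve to one deserialized object.
bool sharedIdentityPreserved() {
    Serializer s; s.write(sampleGraph());
    Deserializer d(s.out); Value root = d.read();
    return !d.failed && root.object->children[0].object == root.object->children[1].object;
}
```

In the buggy mode the back-reference index lands past the deserializer's pool on this small graph; on a larger graph it would silently resolve to the wrong object, which is exactly the desync the tag comparison is meant to catch before a mismatch reaches a consumer.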


  Commit: 0ad98b6063053b340abd74b0e42686fff2b432c2
      https://github.com/WebKit/WebKit/commit/0ad98b6063053b340abd74b0e42686fff2b432c2
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-12-08 (Fri, 08 Dec 2023)

  Changed paths:
    M LayoutTests/fullscreen/full-screen-enabled-expected.txt
    M LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt
    M LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt
    M LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
    M LayoutTests/fullscreen/full-screen-restrictions-expected.txt
    M LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt
    M LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt
    A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt
    A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html
    A LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html
    M LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt
    M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt
    M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt
    M LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt
    M LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt
    M LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt
    M LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt
    M LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt
    M Source/WebCore/html/FeaturePolicy.cpp
    M Source/WebCore/html/FeaturePolicy.h

  Log Message:
  -----------
  Cross-origin <embed> elements can request media permission, and prompts show main-frame URL
https://bugs.webkit.org/show_bug.cgi?id=265812
rdar://119149318

Reviewed by Chris Dumez.

We should apply feature policy for all elements, including embed and frame elements.
Since there are no allow attributes, we should use the default feature policy rules for those elements.
Update isFeaturePolicyAllowedByDocumentAndAllOwners accordingly.

Rebase tests according to the updated console log message.

* LayoutTests/fullscreen/full-screen-enabled-expected.txt:
* LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt:
* LayoutTests/fullscreen/full-screen-restrictions-expected.txt:
* LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt:
* LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt:
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt: Added.
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html: Added.
* LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html: Added.
* LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt:
* LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt:
* Source/WebCore/html/FeaturePolicy.cpp:
(WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
(WebCore::FeaturePolicy::parse):
* Source/WebCore/html/FeaturePolicy.h:
(WebCore::FeaturePolicy::defaultPolicy):
(WebCore::FeaturePolicy::parse):

Canonical link: https://commits.webkit.org/267815.624@safari-7617-branch
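The check this commit changes walks from the requesting document up through every embedding element to the top-level page; before the fix only <iframe> owners were consulted, so a cross-origin <embed> was never checked against any policy. The following is an added C++ model of that owner-chain walk, written for this page and not WebKit's own FeaturePolicy code; the Owner/Document types, the "same-origin only" default policy and the simplified allow-attribute grammar (an empty allowlist is treated as 'self' rather than the spec's 'src') are assumptions for illustration.

```cpp
// Added example (not WebKit's code): a simplified model of the owner-chain walk
// that isFeaturePolicyAllowedByDocumentAndAllOwners performs. The names Owner,
// Document and the allow-attribute grammar below are assumptions for illustration.
#include <optional>
#include <sstream>
#include <string>
#include <vector>

struct Owner {
    std::string tagName;               // "iframe", "embed", "frame", "object", ...
    std::optional<std::string> allow;  // the allow attribute; only <iframe> carries one
    std::string ownerOrigin;           // origin of the document containing the element
};

struct Document {
    std::string origin;
    std::vector<Owner> owners;         // innermost embedder first; empty for a top-level page
};

// Default policy for an element without an allow attribute: the feature is only
// available when the embedded document is same-origin with its embedder.
static bool defaultPolicyAllows(const std::string& childOrigin, const std::string& ownerOrigin)
{
    return childOrigin == ownerOrigin;
}

// Evaluate an allow attribute such as "camera 'self'; microphone https://a.example".
// Returns nullopt if the attribute does not mention `feature` (default policy applies).
// Simplification: an empty allowlist is treated as 'self' rather than the spec's 'src'.
static std::optional<bool> allowAttributeAllows(const std::string& allow, const std::string& feature,
                                                const std::string& childOrigin, const std::string& ownerOrigin)
{
    std::istringstream directives(allow);
    std::string directive;
    while (std::getline(directives, directive, ';')) {
        std::istringstream tokens(directive);
        std::string name;
        if (!(tokens >> name) || name != feature)
            continue;
        std::string token;
        bool sawAllowlist = false;
        while (tokens >> token) {
            sawAllowlist = true;
            if (token == "*" || token == childOrigin || (token == "'self'" && childOrigin == ownerOrigin))
                return true;
        }
        return !sawAllowlist && childOrigin == ownerOrigin;   // 'none' or a foreign origin: denied
    }
    return std::nullopt;
}

// Walk every embedding element up to the top-level document; each one must allow
// the feature. `skipNonIframeOwners` reproduces the pre-fix behaviour, where only
// <iframe> owners were consulted and a cross-origin <embed> was never checked.
static bool isFeatureAllowedByDocumentAndAllOwners(const Document& document, const std::string& feature,
                                                   bool skipNonIframeOwners = false)
{
    std::string childOrigin = document.origin;
    for (const Owner& owner : document.owners) {
        bool allowed = true;
        if (owner.tagName == "iframe") {
            std::optional<bool> fromAttribute;
            if (owner.allow)
                fromAttribute = allowAttributeAllows(*owner.allow, feature, childOrigin, owner.ownerOrigin);
            allowed = fromAttribute.value_or(defaultPolicyAllows(childOrigin, owner.ownerOrigin));
        } else if (!skipNonIframeOwners) {
            allowed = defaultPolicyAllows(childOrigin, owner.ownerOrigin);
        }
        if (!allowed)
            return false;
        childOrigin = owner.ownerOrigin;   // continue the walk from the embedder's document
    }
    return true;
}
```

With `skipNonIframeOwners` set, a cross-origin document loaded through <embed> passes the walk and could request the camera while the prompt names the top-level page; with the default (fixed) behaviour the <embed> owner is evaluated under the default policy and the cross-origin request is denied. Note that every owner in the chain has to agree: an <iframe allow="camera *"> inside a cross-origin <embed> is still denied, because the embedder itself was not granted the feature.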


  Commit: aa738c8a36f74b032dc493278281ac9230a97c2c
      https://github.com/WebKit/WebKit/commit/aa738c8a36f74b032dc493278281ac9230a97c2c
  Author: Sihui Liu <sihui_liu at apple.com>
  Date:   2023-12-08 (Fri, 08 Dec 2023)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  SEED ☂: Video - Playback does not start - [Includes Logs] - Netflix.com
https://bugs.webkit.org/show_bug.cgi?id=266111
rdar://118775332

Reviewed by Chris Dumez and Mark Lam.

rdar://116034413 changed the serialization format of script value but didn’t update version number. This was later fixed
by rdar://117020274, which upgraded version number to 15 and made sure data serialized in new format contains new
version nubmer. The problem is, builds between rdar://116034413 and rdar://117020274 could create serialized script data
in new format but with old version number 14. These data can be stored persistently in IndexedDB database, and could not
be deserialized successfully after rdar://117020274 because they have mismatched version number and format.

To fix this, when we see an error in deserializing data with version number 14, we upgrade the version number and try
deserializing it again in new format. This patch tries deserialization again with a new deserializer instead of using
the old deserializer because it's more complicated to revert the internal states on a deserializer that fails.

* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):
(WebCore::CloneDeserializer::takeBackingStores):
(WebCore::CloneDeserializer::takeDetachedOffscreenCanvases):
(WebCore::CloneDeserializer::takeDetachedRTCDataChannels):
(WebCore::CloneDeserializer::takeSerializedVideoChunks):
(WebCore::CloneDeserializer::takeSerializedVideoFrames):
(WebCore::CloneDeserializer::takeSerializedAudioChunks):
(WebCore::CloneDeserializer::takeSerializedAudioData):
(WebCore::CloneDeserializer::version const):
(WebCore::CloneDeserializer::upgradeVersion):

Canonical link: https://commits.webkit.org/267815.625@safari-7617-branch
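The retry described above (fail on version 14, then try again in the version-15 layout with a fresh deserializer rather than rewinding the failed one) is easier to see on a toy format. The following C++ is an added example written for this page, not WebKit's CloneDeserializer: the wire layout, the tag byte, the choice of a length field that grew from one byte to two between "14" and "15", and the helper names are all constructed for illustration.

```cpp
// Added example (not WebKit's CloneDeserializer): a toy serialized format whose
// length field changed width between "version 14" and "version 15", and a reader
// that retries version-14-stamped data with a fresh version-15 deserializer when
// the first attempt fails. Layout and constants are constructed for this example.
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Wire layout: [version u8][tag u8 = 0x01 string][length][payload]
//   length is 1 byte in version 14 and 2 bytes little-endian in version 15.
class ToyDeserializer {
public:
    ToyDeserializer(const std::vector<uint8_t>& data, unsigned version)
        : m_data(data), m_version(version) { }

    // Returns nullopt on any malformed input. A failed instance is never reused:
    // callers construct a new one for the retry, as the commit message describes.
    std::optional<std::string> deserialize()
    {
        if (m_data.size() < 2)
            return std::nullopt;
        m_pos = 1;                               // byte 0 is the version stamp
        if (m_data[m_pos++] != 0x01)
            return std::nullopt;
        size_t length = 0;
        if (m_version >= 15) {
            if (m_data.size() - m_pos < 2)
                return std::nullopt;
            length = m_data[m_pos] | (static_cast<size_t>(m_data[m_pos + 1]) << 8);
            m_pos += 2;
        } else {
            if (m_data.size() - m_pos < 1)
                return std::nullopt;
            length = m_data[m_pos++];
        }
        if (length > m_data.size() - m_pos)
            return std::nullopt;                 // payload would run past the buffer
        std::string value(m_data.begin() + m_pos, m_data.begin() + m_pos + length);
        m_pos += length;
        if (m_pos != m_data.size())
            return std::nullopt;                 // trailing bytes: layout/version mismatch
        return value;
    }

private:
    const std::vector<uint8_t>& m_data;
    unsigned m_version;
    size_t m_pos = 0;
};

// Encode `value` using the layout of `layoutVersion` but stamp it as `stampedVersion`,
// so the mismatched data the commit describes can be produced on purpose.
static std::vector<uint8_t> serializeString(const std::string& value, unsigned layoutVersion, uint8_t stampedVersion)
{
    std::vector<uint8_t> out { stampedVersion, 0x01 };
    if (layoutVersion >= 15) {
        out.push_back(static_cast<uint8_t>(value.size() & 0xff));
        out.push_back(static_cast<uint8_t>((value.size() >> 8) & 0xff));
    } else
        out.push_back(static_cast<uint8_t>(value.size()));
    out.insert(out.end(), value.begin(), value.end());
    return out;
}

// Deserialize honouring the stamp; if that fails and the stamp is 14, upgrade the
// version and try again with a brand-new deserializer instead of reusing the failed one.
static std::optional<std::string> deserializeWithFallback(const std::vector<uint8_t>& data)
{
    if (data.empty() || (data[0] != 14 && data[0] != 15))
        return std::nullopt;
    unsigned stampedVersion = data[0];
    if (auto value = ToyDeserializer(data, stampedVersion).deserialize())
        return value;
    if (stampedVersion == 14)
        return ToyDeserializer(data, 15).deserialize();
    return std::nullopt;
}
```

Two points a reviewer would want checked in any real version of this: the first parse must fail deterministically on mis-stamped data (here the trailing-bytes check does that; a lenient parser that ignores leftover input would "succeed" with garbage), and the retry widens what is accepted, so the version-15 path has to be just as strict about bounds as the version-14 path, since the data comes from a persistent store that an earlier build wrote.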


  Commit: 498c67b7417764ae5820281b3c7a9ba6f2984a85
      https://github.com/WebKit/WebKit/commit/498c67b7417764ae5820281b3c7a9ba6f2984a85
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-11 (Mon, 11 Dec 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.3

Identifier: 267815.626 at safari-7617-branch


  Commit: 8e02aee069adf2fc35c5998cbbf42f5b3e4b6e79
      https://github.com/WebKit/WebKit/commit/8e02aee069adf2fc35c5998cbbf42f5b3e4b6e79
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-11 (Mon, 11 Dec 2023)

  Changed paths:
    M Source/WebCore/rendering/PaintFrequencyTracker.h
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
  Cherry-pick 42af8a3d2bb4. rdar://119493994

    Don't make the decision to cache a DisplayList for a TextRun depend on the rendering update frame rate
    https://bugs.webkit.org/show_bug.cgi?id=264654
    rdar://118259180

    Reviewed by Simon Fraser.

    Caching a DisplayList for a TextRun should happen if this TextRun is displayed
    very often (say >= 20) regardless of the current frame rate.

    * Source/WebCore/rendering/PaintFrequencyTracker.h:
    (WebCore::PaintFrequencyTracker::track):
    (WebCore::PaintFrequencyTracker::begin): Deleted.
    (WebCore::PaintFrequencyTracker::end): Deleted.
    (WebCore::SinglePaintFrequencyTracking::SinglePaintFrequencyTracking): Deleted.
    (WebCore::SinglePaintFrequencyTracking::~SinglePaintFrequencyTracking): Deleted.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::paintLayerContents):
    (WebCore::RenderLayer::calculateClipRects const):

    Canonical link: https://commits.webkit.org/270781@main

Identifier: 267815.627 at safari-7617-branch


  Commit: c52d8a98ec937b7f71236d2825b342fc70de8685
      https://github.com/WebKit/WebKit/commit/c52d8a98ec937b7f71236d2825b342fc70de8685
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-11 (Mon, 11 Dec 2023)

  Changed paths:
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h

  Log Message:
  -----------
  Cherry-pick 83d967c4920f. rdar://118497211

    2D Context get/putImageData cache copies cached image data twice
    https://bugs.webkit.org/show_bug.cgi?id=264927
    rdar://118497211

    Reviewed by Cameron McCormack.

    Store the PixelBuffer that was used for putImageData,
    avoid copying the ImageData redundantly.

    Instead of copying during caching, copy with premultiply.
    This way we omit one memcpy for caching and one premultiply for the real
    putImageData.

    To simplify the implementation, removes the conservative approach
    where the caching would kick in at 3rd putImageData. Just cache
    the first.

    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
    (WebCore::CanvasRenderingContext2DBase::cacheImageDataIfPossible):
    (WebCore::CanvasRenderingContext2DBase::takeCachedImageDataIfPossible const):
    (WebCore::CanvasRenderingContext2DBase::putImageData):
    * Source/WebCore/html/canvas/CanvasRenderingContext2DBase.h:

    Canonical link: https://commits.webkit.org/270975@main

Identifier: 267815.628 at safari-7617-branch


  Commit: 87ffe53ed51b561b6c69d02afa28eab02e636c3d
      https://github.com/WebKit/WebKit/commit/87ffe53ed51b561b6c69d02afa28eab02e636c3d
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    M Tools/Scripts/build-webkit
    M Tools/Scripts/webkitdirs.pm

  Log Message:
  -----------
  Cherry-pick 271986 at main (f36572812017). rdar://119615600

    [build-webkit] Add --architecture argument
    https://bugs.webkit.org/show_bug.cgi?id=266342
    rdar://119615600

    Reviewed by Ryan Haddad.

    Add a '--architecture' argument to 'build-webkit' which allows
    the caller to override the architecture used by 'build-webkit',
    and appropriately sets 'ONLY_ACTIVE_ARCH=NO' if '--architecture'
    is specified.

    * Tools/Scripts/build-webkit: Add documentation of '--architecture' option.
    * Tools/Scripts/webkitdirs.pm:
    (determineArchitecture): Parse the '--architecture' option and set didUserSpecifyArchitecture.
    (XcodeOptions): Set ONLY_ACTIVE_ARCH=NO if '--architecture' was passed.

    Canonical link: https://commits.webkit.org/271986@main

Canonical link: https://commits.webkit.org/267815.629@safari-7617-branch


  Commit: bc765d16baad4aa3e8d9642d7323b559a3dd716a
      https://github.com/WebKit/WebKit/commit/bc765d16baad4aa3e8d9642d7323b559a3dd716a
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/Path.cpp
    M Source/WebCore/platform/graphics/Path.h
    M Source/WebCore/platform/graphics/PathImpl.h
    M Source/WebCore/platform/graphics/PathStream.cpp
    M Source/WebCore/platform/graphics/PathStream.h
    M Source/WebCore/platform/graphics/cairo/PathCairo.cpp
    M Source/WebCore/platform/graphics/cairo/PathCairo.h
    M Source/WebCore/platform/graphics/cg/PathCG.cpp
    M Source/WebCore/platform/graphics/cg/PathCG.h

  Log Message:
  -----------
  Cherry-pick 268923 at main (4905aa0e3445). rdar://119608735

    Reduce indirection in Path / PathStream
    https://bugs.webkit.org/show_bug.cgi?id=262623

    Reviewed by Simon Fraser.

    Reduce indirection in Path / PathStream. PathStream now holds the vector of
    segments directly instead of using another heap-allocated refcounted object
    to hold the segment vector. This refcounted object was used to facilitate
    sharing and copy on write. However, we can achieve the same thing by having
    the Path objects share the same PathStream and clone the PathStream only
    on write.

    Path::ensureImpl() was showing as a big source of fastMalloc() in profiles
    and this should help with that.

    * Source/WebCore/platform/graphics/Path.cpp:
    (WebCore::Path::Path):
    (WebCore::Path::operator== const):
    (WebCore::Path::setImpl):
    (WebCore::Path::asImpl):
    (WebCore::Path::asImpl const):
    (WebCore::Path::operator=): Deleted.
    * Source/WebCore/platform/graphics/Path.h:
    * Source/WebCore/platform/graphics/PathImpl.h:
    * Source/WebCore/platform/graphics/PathStream.cpp:
    (WebCore::PathStream::create):
    (WebCore::PathStream::PathStream):
    (WebCore::PathStream::copy const):
    (WebCore::PathStream::lastIfMoveTo const):
    (WebCore::PathStream::applySegments const):
    (WebCore::PathStream::applyElements const):
    (WebCore::PathStream::transform):
    (WebCore::PathStream::singleSegment const):
    (WebCore::PathStream::isClosed const):
    (WebCore::PathStream::currentPoint const):
    (WebCore::PathStream::fastBoundingRect const):
    (WebCore::PathStream::boundingRect const):
    (WebCore::PathStream::clone const): Deleted.
    (WebCore::PathStream::operator== const): Deleted.
    (WebCore::PathStream::segments const): Deleted.
    * Source/WebCore/platform/graphics/PathStream.h:
    * Source/WebCore/platform/graphics/cg/PathCG.cpp:
    (WebCore::PathCG::create):
    (WebCore::PathCG::copy const):
    (WebCore::PathCG::clone const): Deleted.
    (WebCore::PathCG::operator== const): Deleted.
    * Source/WebCore/platform/graphics/cg/PathCG.h:

    Canonical link: https://commits.webkit.org/268923@main

Canonical link: https://commits.webkit.org/267815.630@safari-7617-branch


  Commit: 0ec30d83db605d88ae9a281c060f9a01a98972c4
      https://github.com/WebKit/WebKit/commit/0ec30d83db605d88ae9a281c060f9a01a98972c4
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/PathImpl.h

  Log Message:
  -----------
  Cherry-pick 269805 at main (d64c4def18dd). rdar://119608829

    [cairo] Crash in PathStream::copy() after 268923 at main
    https://bugs.webkit.org/show_bug.cgi?id=263666

    Reviewed by Chris Dumez.

    This happens sometimes when threaded rendering is enabled. We need to
    make PathImpl reference count thread safe. Fix spotted by Chris Dumez.

    * Source/WebCore/platform/graphics/PathImpl.h:

    Canonical link: https://commits.webkit.org/269805@main

Canonical link: https://commits.webkit.org/267815.631@safari-7617-branch


  Commit: b4db56f94d3a8de9fbde9e2a37fe90c029605386
      https://github.com/WebKit/WebKit/commit/b4db56f94d3a8de9fbde9e2a37fe90c029605386
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/Path.cpp
    M Source/WebCore/platform/graphics/PathImpl.cpp
    M Source/WebCore/platform/graphics/PathImpl.h
    M Source/WebCore/platform/graphics/PathSegment.cpp
    M Source/WebCore/platform/graphics/PathSegment.h
    M Source/WebCore/platform/graphics/PathSegmentData.cpp
    M Source/WebCore/platform/graphics/PathSegmentData.h
    M Source/WebCore/platform/graphics/PathStream.cpp
    M Source/WebCore/platform/graphics/PathStream.h
    M Source/WebCore/platform/graphics/cairo/PathCairo.cpp
    M Source/WebCore/platform/graphics/cairo/PathCairo.h
    M Source/WebCore/platform/graphics/cg/PathCG.cpp
    M Source/WebCore/platform/graphics/cg/PathCG.h

  Log Message:
  -----------
  Cherry-pick 271199 at main (d132cc11f0bf). rdar://119538536

    PathSegments cannot be used with anything else than PathImpl
    https://bugs.webkit.org/show_bug.cgi?id=265247
    rdar://118717060

    Reviewed by Said Abou-Hallawa.

    PathImpl and PathSegment were coupled:
    PathImpl::appendSegment would call into PathSegment::addToImpl
    PathSegment::addToImpl would call into PathImpl

    This would be more complex than needed and also limit the PathSegments
    to be only used with PathImpl.

    Instead:
      - PathSegment is the data that is being held -- no actions toward any
        class that does actual work on the data.
      - PathImpl knows how to use the path segment types: PathImpl::add()
        for each path segment type.
      - PathImpl knows how to use the PathSegment variant:
        PathImpl::addSegment() for the PathSegment, doing generic add() over
        the variants.
      - Make each member function for adding segments PathImpl::add(). This
        way generic algorithms over the variants are consistent to write.
      - The PathImpl::add() parameters are by-value to avoid introducing
        indirection, the arguments are always used.

    Construct PathCG, PathCairo from PathStream without applySegments, as
    the PathStream segment list can be just iterated.

    This works towards being able to play back a PathSegment list to a
    CGContext.

    * Source/WebCore/platform/graphics/PathImpl.cpp:
    (WebCore::PathImpl::appendSegment): Deleted.
    * Source/WebCore/platform/graphics/PathImpl.h:
    (WebCore::addPathSegment):
    * Source/WebCore/platform/graphics/PathSegment.cpp:
    (WebCore::PathSegment::addToImpl const): Deleted.
    * Source/WebCore/platform/graphics/PathSegment.h:
    (WebCore::PathSegment::addTo const):
    * Source/WebCore/platform/graphics/PathSegmentData.cpp:
    (WebCore::PathMoveTo::addToImpl const): Deleted.
    (WebCore::PathLineTo::addToImpl const): Deleted.
    (WebCore::PathQuadCurveTo::addToImpl const): Deleted.
    (WebCore::PathBezierCurveTo::addToImpl const): Deleted.
    (WebCore::PathArcTo::addToImpl const): Deleted.
    (WebCore::PathArc::addToImpl const): Deleted.
    (WebCore::PathEllipse::addToImpl const): Deleted.
    (WebCore::PathEllipseInRect::addToImpl const): Deleted.
    (WebCore::PathRect::addToImpl const): Deleted.
    (WebCore::PathRoundedRect::addToImpl const): Deleted.
    (WebCore::PathDataLine::addToImpl const): Deleted.
    (WebCore::PathDataQuadCurve::addToImpl const): Deleted.
    (WebCore::PathDataBezierCurve::addToImpl const): Deleted.
    (WebCore::PathDataArc::addToImpl const): Deleted.
    (WebCore::PathCloseSubpath::addToImpl const): Deleted.
    * Source/WebCore/platform/graphics/PathSegmentData.h:
    * Source/WebCore/platform/graphics/cairo/PathCairo.cpp:
    (WebCore::PathCairo::create):
    * Source/WebCore/platform/graphics/cg/PathCG.cpp:
    (WebCore::PathCG::create):

    Canonical link: https://commits.webkit.org/271199@main

Canonical link: https://commits.webkit.org/267815.632@safari-7617-branch


  Commit: c10cd41406cbb5e072c402117b601ca289929388
      https://github.com/WebKit/WebKit/commit/c10cd41406cbb5e072c402117b601ca289929388
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp
    M Source/WebCore/platform/graphics/cg/PathCG.cpp
    M Source/WebCore/platform/graphics/cg/PathCG.h

  Log Message:
  -----------
  Cherry-pick 271354 at main (a8f57b13f2c7). rdar://119334889

    GraphicsContextCG should clip the paths via CGContext in GPUP mode
    https://bugs.webkit.org/show_bug.cgi?id=252833
    rdar://105835901

    Reviewed by Said Abou-Hallawa.

    Construct the clipped path directly into the CGContext.
    Instead of creating a CGPath object, add the path info upon need to
    the CGContext.

    Removes some of CG work in GPUP receive side where time is spent
    just copying the CGPath objects.

    The implementation has now duplicated logic:
     - Add path segments to CGPath via PathCG
     - Add path segments to CGContext path

    The implementation of both are stored next to each other so that
    they keep in sync.

    * Source/WebCore/platform/graphics/cg/GraphicsContextCG.cpp:
    (WebCore::setCGContextPath):
    (WebCore::drawPathWithCGContext):
    (WebCore::GraphicsContextCG::drawNativeImageInternal):
    (WebCore::GraphicsContextCG::drawPattern):
    (WebCore::GraphicsContextCG::drawPath):
    (WebCore::GraphicsContextCG::fillPath):
    (WebCore::GraphicsContextCG::strokePath):
    (WebCore::GraphicsContextCG::fillRect):
    (WebCore::GraphicsContextCG::fillRectWithRoundedHole):
    (WebCore::GraphicsContextCG::clipOut):
    (WebCore::GraphicsContextCG::clipPath):
    (WebCore::GraphicsContextCG::beginTransparencyLayer):
    (WebCore::GraphicsContextCG::drawLinesForText):
    * Source/WebCore/platform/graphics/cg/PathCG.cpp:
    (WebCore::addToContextPath):
    (WebCore::copyClosingSubpathsApplierFunction):
    (WebCore::addToCGContextPath):
    * Source/WebCore/platform/graphics/cg/PathCG.h:

    Canonical link: https://commits.webkit.org/271354@main

Canonical link: https://commits.webkit.org/267815.633@safari-7617-branch


  Commit: ab7a534d3ca16ed784727d74b3f73e82c17f93ce
      https://github.com/WebKit/WebKit/commit/ab7a534d3ca16ed784727d74b3f73e82c17f93ce
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-ref.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048.html
    M Source/WebCore/css/parser/CSSParserImpl.cpp

  Log Message:
  -----------
  Cherry-pick 0dd51c9b2c6d. rdar://113652033

    [CSS] Fix @supports nested with declarations
    https://bugs.webkit.org/show_bug.cgi?id=259752
    rdar://113652033

    Reviewed by Antti Koivisto.

    Unfortunately, the parser code uses local member variables (m_parsedProperties/m_parsedRules)
    to store parsing results instead of using return values and the programming language builtin stack.

    This patch uses the existing stack mechanism CSSParserImpl::runInNewNestingContext()
    to isolate the parsing of the @supports(...) prelude declaration
    from the rest of the parsing (specifically, from declarations before or after this @supports rule at the same nesting level)

    This fixes code like:

    div {
      color: green;
      @supports() {

      }
    }

    where the `color: green` declaration was being ignored.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-expected.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048-ref.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-conditional/at-supports-048.html: Added.
    * Source/WebCore/css/parser/CSSParserImpl.cpp:
    (WebCore::CSSParserImpl::supportsDeclaration):

    Canonical link: https://commits.webkit.org/271989@main

Identifier: 267815.633 at safari-7617-branch


  Commit: 65769b3c0f55c541c6142e7f6c57a46ba430986d
      https://github.com/WebKit/WebKit/commit/65769b3c0f55c541c6142e7f6c57a46ba430986d
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    A LayoutTests/platform/glib/svg/text/textLength-tspan-in-textPath-expected.txt
    A LayoutTests/platform/ios/svg/text/textLength-tspan-in-textPath-expected.txt
    A LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.png
    A LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.txt
    A LayoutTests/svg/text/textLength-tspan-in-textPath.html
    M Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp

  Log Message:
  -----------
  Cherry-pick 79238bc8e2d6. rdar://117911214

    REGRESSION(264666 at main): Layout of the <tspan> elements inside a <textPath> is incorrect
    https://bugs.webkit.org/show_bug.cgi?id=264184

    Reviewed by Said Abou-Hallawa.

    Revision 264666 at main broke <tspan textLength="..."> behavior on <textPath> elements.
    The logic added to fix the intra-character spacing, wasn't intended for text path
    layout, where each character by definition is placed in its own box. Fix the MDN
    regression by disabling the new code paths for text-on-path layout.

    Covered by new test in svg/text/textLength-tspan-in-textPath.html.

    Unfortunately it's hard to make a cross-platform reftest, given the
    nature of the kind of test, and the missing way to layout text along
    a path in HTML/CSS.

    * LayoutTests/platform/glib/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
    * LayoutTests/platform/ios/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
    * LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.png: Added.
    * LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
    * LayoutTests/svg/text/textLength-tspan-in-textPath.html: Added.
    * Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:
    (WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath):

    Canonical link: https://commits.webkit.org/271996@main

Identifier: 267815.634 at safari-7617-branch


  Commit: cc4e54ad41c9fced0dad42590b30e7774598dfa0
      https://github.com/WebKit/WebKit/commit/cc4e54ad41c9fced0dad42590b30e7774598dfa0
  Author: Scott Marcy <mscott at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/ipc/invalid-fullscreen-enum-expected.txt
    A LayoutTests/ipc/invalid-fullscreen-enum.html
    A LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov
    M Source/WebCore/platform/graphics/MediaPlayerEnums.h
    M Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm

  Log Message:
  -----------
  rdar://115106974 (SEGV in -[NSView resizeSubviewsWithOldSize:])

Checks that the VideoFullscreenMode argument for two IPC calls is valid and invalidates the IPC message if not.

Reviewed by Alex Christensen (achristensen07).

If the VideoFullscreenMode value is not as expected, the IPC message will be marked as invalid, which is supposed
to crash the content process thereby thwarting any attempted attack through this mechanism.

* LayoutTests/TestExpectations:
* LayoutTests/ipc/invalid-fullscreen-enum-expected.txt: Added.
* LayoutTests/ipc/invalid-fullscreen-enum.html: Added.
* LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov: Added.
* Source/WebCore/platform/graphics/MediaPlayerEnums.h:
* Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm:
(WebKit::VideoPresentationManagerProxy::setupFullscreenWithID):
(WebKit::VideoPresentationManagerProxy::exitFullscreenWithoutAnimationToMode):

Canonical link: https://commits.webkit.org/267815.636@safari-7617-branch
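The pattern behind this fix is that an enum arriving over IPC is just an integer chosen by a possibly compromised content process, so it must be range-checked before it is ever treated as the enum type, and a failed check must invalidate the whole message rather than fall through to a default. The following C++ is an added example for this page, not WebKit's IPC decoder or VideoPresentationManagerProxy: the enumerator values, the message layout (a 64-bit context id followed by a 32-bit mode) and the "exactly one mode bit" policy in the handler are assumptions for illustration.

```cpp
// Added example (not WebKit's IPC code): decoding an enum argument from an untrusted
// message and invalidating the message when the raw value is not a valid enumerator.
// The VideoFullscreenMode values and the message layout are assumptions for illustration.
#include <cstdint>
#include <optional>
#include <vector>

enum VideoFullscreenMode : uint32_t {
    VideoFullscreenModeNone = 0,
    VideoFullscreenModeStandard = 1u << 0,
    VideoFullscreenModePictureInPicture = 1u << 1,
    VideoFullscreenModeInWindow = 1u << 2,
    VideoFullscreenModeAllValidBitsMask = VideoFullscreenModeStandard | VideoFullscreenModePictureInPicture | VideoFullscreenModeInWindow,
};

// A raw integer is only a VideoFullscreenMode if it has no bits outside the mask.
static bool isValidVideoFullscreenMode(uint32_t raw)
{
    return (raw & ~static_cast<uint32_t>(VideoFullscreenModeAllValidBitsMask)) == 0;
}

// Minimal little-endian decoder; once anything fails the whole message is invalid.
class Decoder {
public:
    explicit Decoder(const std::vector<uint8_t>& bytes) : m_bytes(bytes) { }
    bool isValid() const { return m_valid; }
    void markInvalid() { m_valid = false; }

    std::optional<uint64_t> decodeUInt(size_t width)
    {
        if (!m_valid || m_bytes.size() - m_pos < width) {
            markInvalid();
            return std::nullopt;
        }
        uint64_t value = 0;
        for (size_t i = 0; i < width; ++i)
            value |= static_cast<uint64_t>(m_bytes[m_pos + i]) << (8 * i);
        m_pos += width;
        return value;
    }

    // The enum never exists as a VideoFullscreenMode until the raw value has been checked.
    std::optional<VideoFullscreenMode> decodeVideoFullscreenMode()
    {
        auto raw = decodeUInt(4);
        if (!raw)
            return std::nullopt;
        if (!isValidVideoFullscreenMode(static_cast<uint32_t>(*raw))) {
            markInvalid();
            return std::nullopt;
        }
        return static_cast<VideoFullscreenMode>(*raw);
    }

private:
    const std::vector<uint8_t>& m_bytes;
    size_t m_pos = 0;
    bool m_valid = true;
};

enum class MessageOutcome { Handled, Invalid };

// Handler for a constructed SetupFullscreen(contextId: u64, mode: u32) message.
// Policy assumed here: setup needs exactly one mode bit, so None or a combination
// is rejected as well. Invalid means the sending process should be terminated.
static MessageOutcome handleSetupFullscreen(const std::vector<uint8_t>& wire)
{
    Decoder decoder(wire);
    auto contextId = decoder.decodeUInt(8);
    auto mode = decoder.decodeVideoFullscreenMode();
    if (!contextId || !mode || !decoder.isValid())
        return MessageOutcome::Invalid;
    uint32_t bits = *mode;
    if (bits == VideoFullscreenModeNone || (bits & (bits - 1)) != 0)
        return MessageOutcome::Invalid;
    // ... dispatch to the presentation layer with a mode that is known to be valid ...
    return MessageOutcome::Handled;
}

// Build a wire message for the tests (constructed input, not a real IPC encoding).
static std::vector<uint8_t> encodeSetupFullscreen(uint64_t contextId, uint32_t rawMode)
{
    std::vector<uint8_t> out;
    for (int i = 0; i < 8; ++i)
        out.push_back(static_cast<uint8_t>(contextId >> (8 * i)));
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>(rawMode >> (8 * i)));
    return out;
}
```

The decoder-level check (no bits outside the mask) and the handler-level check (the value makes sense for this particular call) are deliberately separate: the first protects every message that carries the type, the second encodes what this one operation accepts, which is what the commit's per-call validation adds.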


  Commit: 87a8ec698d64cf46709ab93606307b2cb5352ca1
      https://github.com/WebKit/WebKit/commit/87a8ec698d64cf46709ab93606307b2cb5352ca1
  Author: Erica Li <lerica at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt
    A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html
    M LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp

  Log Message:
  -----------
  ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter
https://bugs.webkit.org/show_bug.cgi?id=266273
rdar://119187070

Reviewed by Alan Baradlay.

Similar to rdar://104598552, add positioned child in RenderMathMLScripts also.

* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt: Added.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html: Added.
* LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline based on this fix.
* Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp:
(WebCore::RenderMathMLScripts::layoutBlock):

Canonical link: https://commits.webkit.org/267815.637@safari-7617-branch


  Commit: dc9b30f37ba893960ffdaa3d60ace0cc63dcd605
      https://github.com/WebKit/WebKit/commit/dc9b30f37ba893960ffdaa3d60ace0cc63dcd605
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-12-14 (Thu, 14 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.cpp
    M Source/JavaScriptCore/runtime/ClonedArguments.cpp
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/FunctionPrototype.cpp

  Log Message:
  -----------
  Throw exception when ClonedArguments allocation fails
https://bugs.webkit.org/show_bug.cgi?id=264511
rdar://118039984

Reviewed by Mark Lam.

Currently, if we try and allocate a ClonedArguments object and run out of
memory, we silently return nullptr. This can result in the creation of an
empty JSValue being returned. This patch ensures that we check for and
propagate the null result, in addition to throwing an OutOfMemory error.
In cases where we can't throw an OutOfMemory error, specifically in
operationMaterializeObjectInOSR, we RELEASE_ASSERT that the result is
non-null to guarantee we crash instead of allowing the empty value to
escape.

* JSTests/stress/cloned-arguments-oom.js: Added.
(Allocator):
(Allocator.prototype.size):
(Allocator.prototype.allocate):
(createClonedArguments):
(0x0.map.size.new.Allocator):
(catch):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
(JSC::ClonedArguments::createWithInlineFrame):
(JSC::ClonedArguments::createWithMachineFrame):
(JSC::ClonedArguments::createByCopyingFrom):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):

Canonical link: https://commits.webkit.org/267815.638@safari-7617-branch
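The hazard the commit describes is an allocation API whose only failure signal is a null pointer, wrapped by a caller that never looks: the null becomes an "empty" value that the rest of the engine assumes cannot exist. The following C++ is an added example for this page, not JavaScriptCore's code: the budgeted allocator, the ClonedArgumentsLike and ValueLike types, and the RELEASE_ASSERT-style macro are assumptions that stand in for the real allocator, JSValue and RELEASE_ASSERT so that the failure path can be driven deterministically.

```cpp
// Added example (not JavaScriptCore's code): a nullptr from an exhausted allocator
// silently becoming an "empty" value (the bug), beside the fixed variants that either
// throw an out-of-memory error or crash deliberately where throwing is impossible.
// Names, the budgeted allocator and the ClonedArgumentsLike object are assumptions.
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <stdexcept>
#include <vector>

struct OutOfMemoryError : std::runtime_error {
    OutOfMemoryError() : std::runtime_error("out of memory") { }
};

struct ClonedArgumentsLike {
    std::vector<int> arguments;
};

// Allocator with a byte budget so the out-of-memory path is deterministic.
class BudgetedHeap {
public:
    explicit BudgetedHeap(size_t budgetBytes) : m_remaining(budgetBytes) { }

    // Mirrors an allocation API that reports failure only through nullptr.
    ClonedArgumentsLike* tryCreateClonedArguments(const std::vector<int>& args)
    {
        size_t bytes = sizeof(ClonedArgumentsLike) + args.size() * sizeof(int);
        if (bytes > m_remaining)
            return nullptr;
        m_remaining -= bytes;
        m_objects.push_back(std::make_unique<ClonedArgumentsLike>(ClonedArgumentsLike { args }));
        return m_objects.back().get();
    }

private:
    size_t m_remaining;
    std::vector<std::unique_ptr<ClonedArgumentsLike>> m_objects;
};

// A tagged value in the spirit of JSValue: a null pointer here is the "empty" value,
// which must never become observable to script.
struct ValueLike {
    ClonedArgumentsLike* object = nullptr;
    bool isEmpty() const { return !object; }
};

// Before: the nullptr is wrapped without a check, producing an empty value on exhaustion.
static ValueLike materializeArgumentsUnchecked(BudgetedHeap& heap, const std::vector<int>& args)
{
    return ValueLike { heap.tryCreateClonedArguments(args) };
}

// After: check the result and throw; the caller sees an exception, never an empty value.
static ValueLike materializeArguments(BudgetedHeap& heap, const std::vector<int>& args)
{
    ClonedArgumentsLike* object = heap.tryCreateClonedArguments(args);
    if (!object)
        throw OutOfMemoryError();
    return ValueLike { object };
}

// Paths that cannot throw (the commit names OSR materialization) crash deliberately
// instead: a controlled abort is preferable to an empty value escaping.
#define RELEASE_ASSERT_LIKE(cond) do { if (!(cond)) std::abort(); } while (0)

static ValueLike materializeArgumentsOrCrash(BudgetedHeap& heap, const std::vector<int>& args)
{
    ClonedArgumentsLike* object = heap.tryCreateClonedArguments(args);
    RELEASE_ASSERT_LIKE(object);
    return ValueLike { object };
}
```

The three variants share one allocation call and differ only in what happens to the null: the unchecked version is what the commit removes, the throwing version is the normal fix, and the crashing version is the fallback for contexts with no exception path. Whichever is used, the property being restored is that `isEmpty()` is never true for a value handed back to the caller.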


  Commit: 2d703bbbc2552ff4d1d8c3a1d7071800d3433d36
      https://github.com/WebKit/WebKit/commit/2d703bbbc2552ff4d1d8c3a1d7071800d3433d36
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.h
    M Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.mm

  Log Message:
  -----------
  Concurrent access to WebCoreDecompressionSession::m_timebase
rdar://117145111

Reviewed by Youenn Fablet.

There are 4 queues at play when the WebCoreDecompressionSession is in use.
m_timebase and m_timerSource were accessed concurrently on at least two different
queues.

Add various WTF_GUARDED_BY_LOCK as needed, and make some members atomic.

* Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.h:
* Source/WebCore/platform/graphics/cocoa/WebCoreDecompressionSession.mm:
(WebCore::WebCoreDecompressionSession::invalidate):
(WebCore::WebCoreDecompressionSession::setTimebase):
(WebCore::WebCoreDecompressionSession::setTimebaseWithLockHeld):
(WebCore::WebCoreDecompressionSession::timebase const):
(WebCore::WebCoreDecompressionSession::maybeBecomeReadyForMoreMediaData):
(WebCore::WebCoreDecompressionSession::enqueueSample):
(WebCore::WebCoreDecompressionSession::shouldDecodeSample):
(WebCore::WebCoreDecompressionSession::ensureDecompressionSessionForSample):
(WebCore::WebCoreDecompressionSession::decodeSample):
(WebCore::WebCoreDecompressionSession::decodeSampleSync):
(WebCore::WebCoreDecompressionSession::automaticDequeue):
(WebCore::WebCoreDecompressionSession::enqueueDecodedSample):
(WebCore::WebCoreDecompressionSession::requestMediaDataWhenReady):
(WebCore::WebCoreDecompressionSession::stopRequestingMediaData):
(WebCore::WebCoreDecompressionSession::notifyWhenHasAvailableVideoFrame):
(WebCore::WebCoreDecompressionSession::imageForTime):
(WebCore::WebCoreDecompressionSession::flush):
(WebCore::WebCoreDecompressionSession::resetQosTier):
(WebCore::WebCoreDecompressionSession::increaseQosTier):
(WebCore::WebCoreDecompressionSession::decreaseQosTier):
(WebCore::WebCoreDecompressionSession::updateQosWithDecodeTimeStatistics):

Canonical link: https://commits.webkit.org/267815.639@safari-7617-branch
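
Added illustration (not WebKit code) of the pattern this commit applies: a multi-field member that is only ever read or written with a lock held, next to a single flag that other threads poll without the lock and is therefore atomic. std::mutex and std::atomic stand in for WTF's Lock and WTF_GUARDED_BY_LOCK annotations; the DecompressionSession class, the field names and the writer/reader stress harness are hypothetical stand-ins, not the real WebCoreDecompressionSession.

```cpp
#include <atomic>
#include <cstdint>
#include <mutex>
#include <thread>
#include <utility>

// Hypothetical stand-in for a session whose timebase is touched from more
// than one queue. The two timebase fields form one logical value, so both
// are guarded by m_lock; the invalidation flag is a single word read on
// other threads without the lock, so it is atomic instead.
class DecompressionSession {
public:
    void setTimebase(int64_t value, int32_t timescale) {
        std::lock_guard<std::mutex> lock(m_lock);   // writer updates both fields under one hold
        m_timebaseValue = value;
        m_timebaseScale = timescale;
    }

    // Returns a consistent snapshot: both fields are read under the same lock hold,
    // so a reader can never observe a half-written pair.
    std::pair<int64_t, int32_t> timebase() {
        std::lock_guard<std::mutex> lock(m_lock);
        return std::make_pair(m_timebaseValue, m_timebaseScale);
    }

    void invalidate() { m_invalidated.store(true, std::memory_order_release); }
    bool isInvalidated() const { return m_invalidated.load(std::memory_order_acquire); }

private:
    std::mutex m_lock;
    int64_t m_timebaseValue { 0 };   // guarded by m_lock
    int32_t m_timebaseScale { 1 };   // guarded by m_lock
    std::atomic<bool> m_invalidated { false };
};

// Constructed stress test: the writer always keeps scale == value + 1, so any
// snapshot that breaks that relation was torn by a concurrent write. With the
// lock in place the count is 0 regardless of scheduling. (An unlocked variant
// is deliberately not provided: a data race is undefined behaviour, not a
// demo.)
inline int countTornSnapshots(int iterations) {
    DecompressionSession session;
    std::atomic<int> torn { 0 };

    std::thread writer([&] {
        for (int i = 1; i <= iterations; ++i)
            session.setTimebase(i, i + 1);
        session.invalidate();   // tells the reader to stop
    });
    std::thread reader([&] {
        while (!session.isInvalidated()) {
            std::pair<int64_t, int32_t> snapshot = session.timebase();
            if (snapshot.second != snapshot.first + 1)
                torn.fetch_add(1);
        }
    });
    writer.join();
    reader.join();
    return torn.load();
}

int main() {
    return countTornSnapshots(20000) == 0 ? 0 : 1;
}
```

The point of the atomic flag is that the reader's loop condition needs no lock: it is a single word, and acquire/release ordering is enough for "stop now". Anything that is two words, or that must stay consistent with another field, goes behind the lock.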


  Commit: 36d57dc0f23f31be58323a88ba34a4fbf18e3998
      https://github.com/WebKit/WebKit/commit/36d57dc0f23f31be58323a88ba34a4fbf18e3998
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

  Log Message:
  -----------
  Restrict access to Version.plist in the WebContent process on iOS
https://bugs.webkit.org/show_bug.cgi?id=262699
rdar://116545792

Reviewed by Per Arne Vollan.

Access to this file provides information about the device that should not be
accessible to web content. This patch explicitly prevents access to the file
from the Web content process. In a follow-up patch I'm planning on improving
the path validation we use for paths provided by JavaScript.

* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

Canonical link: https://commits.webkit.org/267815.640@safari-7617-branch


  Commit: 8c08880ef0f2a61a88378e35a3d0ee56310f140c
      https://github.com/WebKit/WebKit/commit/8c08880ef0f2a61a88378e35a3d0ee56310f140c
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 271772 at main (a98d81e4f8ce). rdar://119407808

    [ews-build.webkit.org] Bump S3 upload timeout to 10 minutes
    https://bugs.webkit.org/show_bug.cgi?id=266118
    rdar://119407808

    Reviewed by Ryan Haddad.

    * Tools/Scripts/upload-file-to-url:
    (upload): Bump timeout to 10 minutes.

    Canonical link: https://commits.webkit.org/271772@main

Canonical link: https://commits.webkit.org/267815.641@safari-7617-branch


  Commit: 64c48fc75ad0488d1cd950c4378a156643964fff
      https://github.com/WebKit/WebKit/commit/64c48fc75ad0488d1cd950c4378a156643964fff
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 271774 at main (31db174057c2). https://bugs.webkit.org/show_bug.cgi?id=266119

    Add retry to upload-file-to-url
    https://bugs.webkit.org/show_bug.cgi?id=266119

    Reviewed by Elliott Williams.

    * Tools/Scripts/upload-file-to-url:

    Canonical link: https://commits.webkit.org/271774@main

Canonical link: https://commits.webkit.org/267815.642@safari-7617-branch


  Commit: e58292b8210f2b820de4d26ba3dd1a945e77e7ae
      https://github.com/WebKit/WebKit/commit/e58292b8210f2b820de4d26ba3dd1a945e77e7ae
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/CISupport/ews-build/steps.py
    M Tools/CISupport/ews-build/steps_unittest.py
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 271800 at main (e9e0f310a265). https://bugs.webkit.org/show_bug.cgi?id=266119

    [ews] Add retry to upload-file-to-url (follow-up fix)
    https://bugs.webkit.org/show_bug.cgi?id=266119

    Unreviewed follow-up fix.

    Also increase the timeout for buildbot step.

    * Tools/CISupport/ews-build/steps.py:
    (UploadFileToS3.__init__):
    * Tools/CISupport/ews-build/steps_unittest.py:
    * Tools/Scripts/upload-file-to-url:
    (upload):

    Canonical link: https://commits.webkit.org/271800@main

Canonical link: https://commits.webkit.org/267815.643@safari-7617-branch


  Commit: 721c6b53a0ab410d33e941067e9c452b49ef1d49
      https://github.com/WebKit/WebKit/commit/721c6b53a0ab410d33e941067e9c452b49ef1d49
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 271937 at main (952dc0fc914b). https://bugs.webkit.org/show_bug.cgi?id=266142

    upload-file-to-url should print file size in MB
    https://bugs.webkit.org/show_bug.cgi?id=266142

    Reviewed by Jonathan Bedard.

    Files being uploaded are several hundred MBs, so better to print the size in MB.

    * Tools/Scripts/upload-file-to-url:

    Canonical link: https://commits.webkit.org/271937@main

Canonical link: https://commits.webkit.org/267815.644@safari-7617-branch


  Commit: 299d3eac8533a02e91093941782aa682a872b3b5
      https://github.com/WebKit/WebKit/commit/299d3eac8533a02e91093941782aa682a872b3b5
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 272052 at main (3be6d4ae5ddb). https://bugs.webkit.org/show_bug.cgi?id=266419

    upload-file-to-s3 should retry when the request fails with status_code 503
    https://bugs.webkit.org/show_bug.cgi?id=266419

    Reviewed by Jonathan Bedard.

    We added retry in 271774 at main to upload-file-to-s3.
    However, that doesn't retry in the case when the request fails with a non-200 status_code.
    We should retry in those cases as well.

    * Tools/Scripts/upload-file-to-url:
    (upload):

    Canonical link: https://commits.webkit.org/272052@main

Canonical link: https://commits.webkit.org/267815.645@safari-7617-branch
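
Added illustration (not WebKit code; the real tool is a Python script) of the two retry policies the 271774/272052 messages describe: the first retries only when the request throws, so a 503 returned as a normal response is reported as a failure at once; the second also retries on transient non-200 statuses and stops early on statuses that will not change (4xx). The UploadAttempt type, the scripted attempt helper and the 5xx-is-transient rule are assumptions of this example.

```cpp
#include <functional>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for one upload attempt: returns the HTTP status code,
// or throws std::runtime_error for a connection-level failure.
using UploadAttempt = std::function<int()>;

struct UploadResult {
    bool ok = false;
    int attempts = 0;
    int lastStatus = 0;   // 0 means the last attempt threw instead of returning a status
};

// Assumption: 5xx responses (the commit's 503 included) are transient and worth
// another try; 4xx responses are not, so retrying would only hammer the server.
inline bool isRetryableStatus(int status) {
    return status >= 500 && status < 600;
}

// BEFORE (271774@main as described): retry only when the attempt throws.
// Any returned status, 503 included, ends the loop immediately.
inline UploadResult uploadRetryOnExceptionOnly(const UploadAttempt& attempt, int maxAttempts) {
    UploadResult result;
    for (int i = 1; i <= maxAttempts; ++i) {
        result.attempts = i;
        try {
            result.lastStatus = attempt();
            result.ok = (result.lastStatus == 200);
            return result;
        } catch (const std::runtime_error&) {
            result.lastStatus = 0;
        }
    }
    return result;
}

// AFTER (272052@main as described): retry on exceptions and on retryable
// non-200 statuses, bounded by maxAttempts.
inline UploadResult uploadWithRetry(const UploadAttempt& attempt, int maxAttempts) {
    UploadResult result;
    for (int i = 1; i <= maxAttempts; ++i) {
        result.attempts = i;
        try {
            result.lastStatus = attempt();
        } catch (const std::runtime_error&) {
            result.lastStatus = 0;
            continue;
        }
        if (result.lastStatus == 200) {
            result.ok = true;
            return result;
        }
        if (!isRetryableStatus(result.lastStatus))
            return result;   // permanent failure: do not retry
    }
    return result;           // attempts exhausted
}

// Constructed attempt that replays a scripted sequence of outcomes; an entry
// of 0 means "the connection failed" (throw). After the script runs out it
// returns 200.
inline UploadAttempt scriptedAttempt(std::vector<int> outcomes) {
    return [outcomes, next = size_t(0)]() mutable {
        int outcome = next < outcomes.size() ? outcomes[next] : 200;
        ++next;
        if (outcome == 0)
            throw std::runtime_error("connection reset");
        return outcome;
    };
}

int main() {
    UploadResult fixed = uploadWithRetry(scriptedAttempt({503, 0, 200}), 5);
    UploadResult old = uploadRetryOnExceptionOnly(scriptedAttempt({503, 0, 200}), 5);
    return (fixed.ok && fixed.attempts == 3 && !old.ok && old.attempts == 1) ? 0 : 1;
}
```

The two loops differ in one place: where the status check sits relative to the try/catch. In the old shape, a returned status is a terminal result; in the new one it is just another input to the "try again?" decision, with a separate bail-out for statuses that are not transient.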


  Commit: 14e3b5ddf6d7ea1eb5bab15f19ebd67cb78881c7
      https://github.com/WebKit/WebKit/commit/14e3b5ddf6d7ea1eb5bab15f19ebd67cb78881c7
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 272057 at main (a0cb037063a2). https://bugs.webkit.org/show_bug.cgi?id=266411

    upload-file-to-s3 fails because of webkitpy autoinstaller failing with error No archives for six-1.16 found
    https://bugs.webkit.org/show_bug.cgi?id=266411

    Reviewed by Jonathan Bedard.

    Ignore webkitpy errors while trying to import. We are only importing it to auto-install
    requests module, which might already be present.

    * Tools/Scripts/upload-file-to-url:

    Canonical link: https://commits.webkit.org/272057@main

Canonical link: https://commits.webkit.org/267815.646@safari-7617-branch


  Commit: 3bfb2161ce5836d7cc181fd675ae10631ca5c518
      https://github.com/WebKit/WebKit/commit/3bfb2161ce5836d7cc181fd675ae10631ca5c518
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 272179 at main (aeb80393640e). https://bugs.webkit.org/show_bug.cgi?id=266419

    upload-file-to-s3 should retry when the request fails with status_code 503 (follow-up fix)
    https://bugs.webkit.org/show_bug.cgi?id=266419

    Unreviewed follow-up fix.

    * Tools/Scripts/upload-file-to-url:

    Canonical link: https://commits.webkit.org/272179@main

Canonical link: https://commits.webkit.org/267815.647@safari-7617-branch


  Commit: c6ed9ecc4f54bcaf777308a5c02c554afe75b846
      https://github.com/WebKit/WebKit/commit/c6ed9ecc4f54bcaf777308a5c02c554afe75b846
  Author: Sam Sneddon <gsnedders at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py

  Log Message:
  -----------
  Cherry-pick 271534 at main (47c33f8d6a47). rdar://119145927

    Update rapidfuzz to 3.4.0
    https://bugs.webkit.org/show_bug.cgi?id=265809
    rdar://problem/119145927

    Reviewed by Jonathan Bedard.

    We keep on finding bots which need rapidfuzz to be reinstalled because
    the macOS universal2 wheel was broken
    (cf. https://github.com/WebKit/WebKit/pull/19835). Let's mitigate this
    entire problem by just forcing rapidfuzz to be re-installed everywhere
    by upgrading it.

    I also found that 268494 at main (ca3f26ebbb57) added pyparsing as an
    implicit_dep, which should actually be on packaging, as that's where the
    requirement actually is.

    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py:
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
    (AutoInstall):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py:

    Canonical link: https://commits.webkit.org/271534@main

Canonical link: https://commits.webkit.org/267815.648@safari-7617-branch


  Commit: 554522e69d2308e21042d90b49d9ecfcdbb3b5f8
      https://github.com/WebKit/WebKit/commit/554522e69d2308e21042d90b49d9ecfcdbb3b5f8
  Author: Brianna Fan <bfan2 at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py

  Log Message:
  -----------
  Cherry-pick 271587 at main (627b31c8383b). rdar://92702616

    [git-webkit] Support reverting multiple commits at once
    https://bugs.webkit.org/show_bug.cgi?id=239796
    rdar://problem/92702616

    Reviewed by Jonathan Bedard.

    Allows for multiple commits to be passed in as args.
    Includes all reverted commit identifiers in the revert message.
    Fixes bug in issue creation, adds support for radar importer.

    * Tools/Scripts/hooks/prepare-commit-msg:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
    (Revert)
    (Revert.parser):
    (Revert.get_issue_info):
    (Revert.create_revert_commit_msg):
    (Revert.revert_commit):
    (Revert.main):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
    (TestRevert.test_github):
    (TestRevert.test_github_two_step):
    (TestRevert.test_args):
    (test_update):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py:
    (Branch):
    (Branch.create_radar):
    (Branch.main):

    Canonical link: https://commits.webkit.org/271587@main

Canonical link: https://commits.webkit.org/267815.649@safari-7617-branch


  Commit: e5773c94689a24e68404a074380c40cc5f862b9a
      https://github.com/WebKit/WebKit/commit/e5773c94689a24e68404a074380c40cc5f862b9a
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py

  Log Message:
  -----------
  Cherry-pick 271687 at main (912bf757dabd). rdar://118993239

    [webkitscmpy] Collect diff from GitHub remote repository
    https://bugs.webkit.org/show_bug.cgi?id=265590
    rdar://118993239

    Reviewed by Dewei Zhu.

    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py:
    (GitHub.commit): 'HEAD' in GitHub means "latest commit on the default branch".
    (GitHub._diff_response): Return a response with a mock text diff.
    (GitHub.request): Respect the 'application/vnd.github.diff' header.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
    (GitHub):
    (GitHub.diff): Given a commit or commit range, return a line-by-line diff of
    the provided range. If the caller requests it, include the commit messages for
    the specified commits in the same patch format used by 'git format-patch'.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:

    Canonical link: https://commits.webkit.org/271687@main

Canonical link: https://commits.webkit.org/267815.650@safari-7617-branch


  Commit: f118dd795ffbf2b36140d46f938a52db4056947a
      https://github.com/WebKit/WebKit/commit/f118dd795ffbf2b36140d46f938a52db4056947a
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py

  Log Message:
  -----------
  Cherry-pick 271688 at main (6eed9f3aec5d). rdar://119055886

    [webkitscmpy] Collect diff from Bitbucket remote repository
    https://bugs.webkit.org/show_bug.cgi?id=265705
    rdar://119055886

    Reviewed by Dewei Zhu.

    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/bitbucket.py:
    (BitBucket.commit): 'HEAD' in Bitbucket means "latest commit on the default branch".
    (BitBucket.request): Return a response with a mock diff.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py:
    (BitBucket.json_to_diff): Convert Bitbucket json diff to text diff.
    (BitBucket.commits): Return a list of commits to caller.
    (BitBucket.diff): Given a commit or commit range, return a line-by-line diff of
    the provided range. If the caller requests it, include the commit messages for
    the specified commits in the same patch format used by 'git format-patch'.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
    (GitHub): Move EMAIL_RE to base class.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py:
    (Scm): Move EMAIL_RE from GitHub.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:

    Canonical link: https://commits.webkit.org/271688@main

Canonical link: https://commits.webkit.org/267815.651@safari-7617-branch


  Commit: ea99166b2dfe347f54df0c882bd0c2708ac9656e
      https://github.com/WebKit/WebKit/commit/ea99166b2dfe347f54df0c882bd0c2708ac9656e
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp
    M Source/WebCore/loader/SubresourceLoader.h

  Log Message:
  -----------
  Crash under SubresourceLoader::didReceiveBuffer()
https://bugs.webkit.org/show_bug.cgi?id=266589
rdar://116974951

Reviewed by Ryosuke Niwa.

Make sure we protect the CachedResource before calling non-trivial member
functions on it.

* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequestInternal):
(WebCore::SubresourceLoader::didSendData):
(WebCore::SubresourceLoader::didReceivePreviewResponse):
(WebCore::SubresourceLoader::didReceiveResponse):
(WebCore::SubresourceLoader::didReceiveBuffer):
(WebCore::SubresourceLoader::willCancel):
(WebCore::SubresourceLoader::didCancel):
(WebCore::SubresourceLoader::releaseResources):
* Source/WebCore/loader/SubresourceLoader.h:

Canonical link: https://commits.webkit.org/267815.652@safari-7617-branch
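
Added illustration (not WebKit code) of the lifetime hazard this commit closes: a loader calls a non-trivial member function on its resource, that call re-enters a client which drops the loader's reference, and the resource is destroyed while its own member function is still running. std::shared_ptr stands in for RefPtr/Ref; the CachedResource, SubresourceLoader and client-callback names below are hypothetical stand-ins, not the real WebCore types.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-in for WebCore's CachedResource: delivering data runs a
// client callback (which in a real engine may run script and cancel loads)
// and then touches member state.
struct CachedResource {
    std::function<void()> client;
    int bytesDelivered = 0;

    // Non-trivial member function: re-enters the client before touching *this.
    void didAddData(int size) {
        if (client)
            client();            // may release the caller's reference to us
        bytesDelivered += size;  // needs *this to still be alive
    }
};

// Hypothetical stand-in for SubresourceLoader. m_resource is its only strong
// reference to the resource.
struct SubresourceLoader {
    std::shared_ptr<CachedResource> m_resource;

    // BEFORE: the shape of the bug. A raw pointer is used across a call that
    // can drop m_resource. This simulation deliberately does NOT dereference
    // the pointer after the callback; it uses a weak observer to report
    // whether the object would still exist. -1 means "this would have been a
    // use-after-free".
    int didReceiveBufferUnprotected(int size) {
        if (!m_resource)
            return -1;
        std::weak_ptr<CachedResource> observer = m_resource;
        CachedResource* raw = m_resource.get();
        std::function<void()> client = raw->client;  // copied so the functor itself is not destroyed mid-call
        if (client)
            client();                                 // may reset m_resource and destroy the resource
        if (observer.expired())
            return -1;                                // raw now dangles
        raw->bytesDelivered += size;
        return raw->bytesDelivered;
    }

    // AFTER: the fix pattern from the commit. Hold a strong reference for the
    // whole call, so a reentrant reset of m_resource cannot destroy the object
    // while its member function is still executing.
    int didReceiveBufferProtected(int size) {
        std::shared_ptr<CachedResource> protectedResource = m_resource;
        if (!protectedResource)
            return -1;
        protectedResource->didAddData(size);  // safe even if m_resource is cleared inside
        return protectedResource->bytesDelivered;
    }
};

// Constructed scenario: the client's reaction to new data is to cancel the
// load, which drops the loader's only strong reference to the resource.
inline void attachCancellingClient(SubresourceLoader& loader) {
    loader.m_resource = std::make_shared<CachedResource>();
    loader.m_resource->client = [&loader] { loader.m_resource.reset(); };
}

inline int deliverUnprotected(int size) {
    SubresourceLoader loader;
    attachCancellingClient(loader);
    return loader.didReceiveBufferUnprotected(size);   // -1: resource died mid-call
}

inline int deliverProtected(int size) {
    SubresourceLoader loader;
    attachCancellingClient(loader);
    return loader.didReceiveBufferProtected(size);     // size: resource outlived the call
}

int main() {
    return (deliverUnprotected(1024) == -1 && deliverProtected(1024) == 1024) ? 0 : 1;
}
```

The detection side of this class of bug is the same in both engines: ASan reports a heap-use-after-free with the freeing stack inside the client callback and the use inside the member function, which is the signature to look for when triaging fuzzer crashes like the one in the head of this digest.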


  Commit: f45fcd2ff3ac1bebee77f2ec5806b6daf0f411f6
      https://github.com/WebKit/WebKit/commit/f45fcd2ff3ac1bebee77f2ec5806b6daf0f411f6
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/cache/NetworkCacheSubresourcesEntry.h

  Log Message:
  -----------
  Cherry-pick 3096c561acce. rdar://119362503

    Samesite=Lax is not always working in Safari
    https://bugs.webkit.org/show_bug.cgi?id=265634
    rdar://119362503

    Reviewed by Brent Fulgham and Alex Christensen.

    We were not setting isSameSite correctly when reading it from disk cache, which was then triggering different cookies being sent between
    speculative loads and the actual would-be loads.
    Websites could use Vary: Cookie headers to handle that case, but they do not tend to.

    * Source/WebKit/NetworkProcess/cache/NetworkCacheSubresourcesEntry.h:
    (WebKit::NetworkCache::SubresourceInfo::SubresourceInfo):

    Canonical link: https://commits.webkit.org/272062@main

Identifier: 267815.653 at safari-7617-branch


  Commit: 9aa763d0e5c239b9a0e5dfcba8ee220844d31d55
      https://github.com/WebKit/WebKit/commit/9aa763d0e5c239b9a0e5dfcba8ee220844d31d55
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 1bfda19669ab. rdar://11847946

    Mitigate crashes under Quirks::advancedPrivacyProtectionSubstituteDataURLForScriptWithFeatures()
    https://bugs.webkit.org/show_bug.cgi?id=266380
    rdar://118479646

    Reviewed by Yusuke Suzuki.

    Even after the mitigations in 269984 at main, we're still sometimes crashing when attempting to
    determine whether or not we should apply hard-coded canvas fingerprinting mitigations when advanced
    privacy protections are enabled. From discussing with JSC folks, this seems to be due to the way in
    which we're currently trying to walk the stack by traversing `callerFrame()`s:

    ```
    while (!codeBlock) {
        callFrame = callFrame->callerFrame();
        if (!callFrame)
            break;
        codeBlock = callFrame->codeBlock();
    }
    ```

    Instead of implementing it this way, the JSC team recommended using `StackVisitor::visit` instead to
    walk the stack, which is the de-facto mechanism used to perform similar stack traversals elsewhere
    in the codebase. In addition, I'm also rearranging this check, so that we only ever attempt this
    relatively more expensive stack walk in the case where the `lastDrawnText`, `canvasWidth` and
    `canvasHeight` all match their expected values for the quirk.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::advancedPrivacyProtectionSubstituteDataURLForScriptWithFeatures const):

    In my manual testing, I found that the source code length on some of the affected sites has been
    changed slightly; adjust this quirk to match.

    Canonical link: https://commits.webkit.org/272093@main

Identifier: 267815.654 at safari-7617-branch


  Commit: 2bee8872e3b9fb535e1c062b5ac8be2ac12204ca
      https://github.com/WebKit/WebKit/commit/2bee8872e3b9fb535e1c062b5ac8be2ac12204ca
  Author: Andy Estes <aestes at apple.com>
  Date:   2023-12-19 (Tue, 19 Dec 2023)

  Changed paths:
    M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp
    M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h
    M Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp
    M Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp
    M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp
    M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
    M Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm

  Log Message:
  -----------
  REGRESSION (233845 at main): Crash in MediaKeySystemRequest::~MediaKeySystemRequest
https://bugs.webkit.org/show_bug.cgi?id=266619
rdar://118004786

Reviewed by Jean-Yves Avenard.

In 233845 at main, NavigatorEME::requestMediaKeySystemAccess moved the task that creates the CDM
instance into a completion handler that's called asynchronously once the client allows media key
access. The completion handler captured a raw pointer to the document, leading to a crash if the
document is destroyed before the completion handler is called. Debug builds would also assert in
CompletionHandler::~CompletionHandler because ActiveDOMObject::queueTaskInEventLoop would not
invoke the task queued by MediaKeySystemRequest::allow - which captured a CompletionHandler - when
scriptExecutionContext is null.

Addressed the crash by capturing document as a WeakPtr and null-checking it prior to calling
Document::postTask in NavigatorEME::requestMediaKeySystemAccess's allow callback. Addressed the
assertion failure by removing the unnecessary asynchronous CompletionHandler from
Messages::WebPage::MediaKeySystemWasGranted.

* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp:
(WebCore::MediaKeySystemRequest::allow):
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h:
* Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp:
(WebCore::NavigatorEME::requestMediaKeySystemAccess):
* Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp:
(WebKit::MediaKeySystemPermissionRequestManagerProxy::grantRequest):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp:
(WebKit::MediaKeySystemPermissionRequestManager::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
* Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm:
(WebMediaKeySystemClient::requestMediaKeySystem):

Canonical link: https://commits.webkit.org/267815.655@safari-7617-branch
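
Added illustration (not WebKit code) of the first half of this fix: a completion handler that fires asynchronously must not capture a raw pointer to an object whose lifetime it does not control. The document may be torn down before the client answers, so the handler captures a weak reference, promotes it when it runs, and bails out if the object is gone. std::weak_ptr stands in for WTF::WeakPtr, and the Document, postTask and AllowOutcome names are hypothetical stand-ins for the commit's Document::postTask / NavigatorEME::requestMediaKeySystemAccess flow.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for WebCore::Document: work is queued on it and run
// later by the event loop (Document::postTask in the commit).
struct Document {
    std::vector<std::function<void()>> pendingTasks;
    int cdmInstancesCreated = 0;

    void postTask(std::function<void()> task) { pendingTasks.push_back(std::move(task)); }

    void runPendingTasks() {
        std::vector<std::function<void()>> tasks;
        tasks.swap(pendingTasks);
        for (auto& task : tasks)
            task();
    }
};

enum class AllowOutcome { CreatedCdm, DocumentGone };

// BEFORE (the bug's shape): the handler keeps a raw Document*. It is correct
// only while the document outlives the client's answer; if the document has
// been destroyed by then, `document->postTask` reads freed memory. Kept here
// to show the pattern; the stand-alone main below only invokes it while the
// document is alive.
inline std::function<AllowOutcome()> makeAllowHandlerRaw(Document* document) {
    return [document]() {
        document->postTask([document] { document->cdmInstancesCreated++; });
        return AllowOutcome::CreatedCdm;
    };
}

// AFTER (the fix pattern): capture a weak reference, promote it when the
// handler fires, and do nothing if the document is gone.
inline std::function<AllowOutcome()> makeAllowHandlerWeak(std::weak_ptr<Document> weakDocument) {
    return [weakDocument]() {
        std::shared_ptr<Document> document = weakDocument.lock();
        if (!document)
            return AllowOutcome::DocumentGone;   // client answered after the document was destroyed
        document->postTask([weakDocument] {
            if (auto doc = weakDocument.lock())  // the queued task may also outlive the document
                doc->cdmInstancesCreated++;
        });
        return AllowOutcome::CreatedCdm;
    };
}

// Scenario A: the client allows access while the document is alive; the queued
// task runs and creates the CDM instance.
inline int cdmInstancesWhenAllowedWhileAlive() {
    auto document = std::make_shared<Document>();
    auto allow = makeAllowHandlerWeak(document);
    allow();
    document->runPendingTasks();
    return document->cdmInstancesCreated;   // 1
}

// Scenario B: the document is torn down (navigation, frame removal) before the
// client answers. The weak handler observes that and does nothing.
inline AllowOutcome outcomeWhenDocumentDestroyedFirst() {
    std::function<AllowOutcome()> allow;
    {
        auto document = std::make_shared<Document>();
        allow = makeAllowHandlerWeak(document);
    }   // last strong reference dropped here
    return allow();   // DocumentGone, with no dereference of freed memory
}

int main() {
    auto document = std::make_shared<Document>();
    makeAllowHandlerRaw(document.get())();   // fine only because `document` is still alive
    document->runPendingTasks();
    bool ok = document->cdmInstancesCreated == 1
        && cdmInstancesWhenAllowedWhileAlive() == 1
        && outcomeWhenDocumentDestroyedFirst() == AllowOutcome::DocumentGone;
    return ok ? 0 : 1;
}
```

The second half of the commit (the debug assertion) is a separate property: a CompletionHandler that is created must eventually be invoked. The weak-capture pattern above does not address that; it only guarantees that whatever the handler does when it runs, it never touches a dead object.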


Compare: https://github.com/WebKit/WebKit/compare/8e5aa6126d64...2bee8872e3b9

