[webkit-changes] [WebKit/WebKit] a615ee: Cherry-pick 271942 at main (31a74b0f44c2). https://bu...

Aditya Keerthi noreply at github.com
Tue Jan 23 07:46:30 PST 2024


  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: a615eea726cdbbc553375961be0fa5ab9b207291
      https://github.com/WebKit/WebKit/commit/a615eea726cdbbc553375961be0fa5ab9b207291
  Author: Vitaly Dyachkov <vitaly at igalia.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  Cherry-pick 271942 at main (31a74b0f44c2). https://bugs.webkit.org/show_bug.cgi?id=266067

    [GTK][Debug] `accessibility/aria-combobox-control-owns-elements.html` is a constant crash
    https://bugs.webkit.org/show_bug.cgi?id=266067

    Reviewed by Tyler Wilcock.

    In `AXObjectCache::getOrCreate(Node*, IsRelationTarget)`, we might
    update relations while evaluating `isDescendantOfRelationTarget(*node)`.

    If the node has relation attributes, associated `AccessibilityObject`
    will be created and cached. In this case, we must return the cached object.

    * Source/WebCore/accessibility/AXObjectCache.cpp:
    (WebCore::AXObjectCache::getOrCreate):

    Canonical link: https://commits.webkit.org/271942@main


  Commit: 2fea3c3decb7c318de82d3c63eb26834c84f8372
      https://github.com/WebKit/WebKit/commit/2fea3c3decb7c318de82d3c63eb26834c84f8372
  Author: Elliott Williams <emw at apple.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/offlineasm/generate_offset_extractor.rb
    M Source/JavaScriptCore/offlineasm/generate_settings_extractor.rb

  Log Message:
  -----------
  Cherry-pick 271640 at main (97b3a2dd3db7). https://bugs.webkit.org/show_bug.cgi?id=265729

    [offlineasm] Incremental build failure when generator is interrupted
    https://bugs.webkit.org/show_bug.cgi?id=265729
    rdar://119079705

    Reviewed by Alexey Proskuryakov.

    offlineasm writes headers non-atomically, so if the script is
    interrupted due to a build failure in a parallel task, it leaves a
    partially-written header. The build system can't tell that this header
    is incomplete, so its presence breaks subsequent rebuilds.

    Fix by writing to a temporary file in the same directory (or
    TARGET_TEMP_DIR in Xcode), and `rename`-ing once generation is complete.

    * Source/JavaScriptCore/offlineasm/generate_offset_extractor.rb:
    * Source/JavaScriptCore/offlineasm/generate_settings_extractor.rb:

    Canonical link: https://commits.webkit.org/271640@main
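The temp-file-plus-rename pattern this commit describes, as an added C++ example (not WebKit's offlineasm code, which is Ruby): generation writes to a sibling temporary in the target's own directory and the target is replaced only once generation completes, so an interrupted run leaves the previous header intact and no partial file for the build system to mistake for a finished one. The `.tmp` suffix, the `writeFileAtomically` helper and the `Offsets.h` sample content are assumptions made for the demo.

```cpp
#include <cstdio>
#include <filesystem>
#include <fstream>
#include <functional>
#include <iterator>
#include <stdexcept>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Runs `generate` against a temporary file in the target's own directory and only
// then renames it over `target`. If generation throws or the write fails, the
// temporary is removed and `target` (old contents, or absence) is left untouched,
// so a later incremental build never sees a half-written header.
bool writeFileAtomically(const fs::path& target,
                         const std::function<void(std::ostream&)>& generate)
{
    fs::path temp = target;
    temp += ".tmp"; // assumed suffix; same directory keeps rename() on one filesystem

    bool generated = false;
    {
        std::ofstream out(temp, std::ios::binary | std::ios::trunc);
        if (out) {
            try {
                generate(out);
                out.flush();
                generated = static_cast<bool>(out);
            } catch (...) {
                generated = false; // generation was interrupted part way
            }
        }
    } // stream is closed before the rename

    if (generated && std::rename(temp.string().c_str(), target.string().c_str()) == 0)
        return true;

    std::error_code ignored;
    fs::remove(temp, ignored);
    return false;
}

// Reads a whole file, or returns "" if it does not exist.
std::string readWholeFile(const fs::path& path)
{
    std::ifstream in(path, std::ios::binary);
    if (!in)
        return "";
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// Demonstration: a complete generation followed by one that is interrupted part way.
// Returns true when the interrupted run neither corrupts the earlier header nor
// leaves a temporary file behind.
bool demoInterruptedGenerationIsHarmless()
{
    const fs::path dir = fs::temp_directory_path() / "atomic-header-demo";
    fs::create_directories(dir);
    const fs::path header = dir / "Offsets.h"; // constructed sample target
    const std::string full = "#define OFFSET_A 8\n#define OFFSET_B 16\n";

    bool first = writeFileAtomically(header, [&](std::ostream& out) { out << full; });

    bool second = writeFileAtomically(header, [](std::ostream& out) {
        out << "#define OFFSET_A 8\n"; // partial output before the "interruption"
        throw std::runtime_error("generator killed by a parallel task failure");
    });

    bool headerIntact = readWholeFile(header) == full;
    bool noTempLeft = !fs::exists(dir / "Offsets.h.tmp");

    std::error_code ignored;
    fs::remove_all(dir, ignored);
    return first && !second && headerIntact && noTempLeft;
}
```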


  Commit: a5a3b71329aa10f7e1c31c0c48135702e026261e
      https://github.com/WebKit/WebKit/commit/a5a3b71329aa10f7e1c31c0c48135702e026261e
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
    M Source/JavaScriptCore/b3/testb3.h
    M Source/JavaScriptCore/b3/testb3_1.cpp
    M Source/JavaScriptCore/b3/testb3_7.cpp

  Log Message:
  -----------
  Cherry-pick 271580 at main (ab0808f76fdb). https://bugs.webkit.org/show_bug.cgi?id=265730

    Fix nullptr deref in B3::ReduceStrength's handling of Trunc for double constants.
    https://bugs.webkit.org/show_bug.cgi?id=265730
    rdar://116459635

    Reviewed by Yusuke Suzuki.

    We cannot run asInt64() on a ConstDoubleValue.  This patch fixes this by handling
    ConstDoubleValue separately and running asDouble() on it instead.

    * Source/JavaScriptCore/b3/B3ReduceStrength.cpp:

    Canonical link: https://commits.webkit.org/271580@main


  Commit: 766e782517d4e6d0015a24f16a382da6a1c2bcc0
      https://github.com/WebKit/WebKit/commit/766e782517d4e6d0015a24f16a382da6a1c2bcc0
  Author: Jacek Piszczek <jacadcaps at runbox.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/UGPRPair.h

  Log Message:
  -----------
  Cherry-pick 271440 at main (5d40427dff12). https://bugs.webkit.org/show_bug.cgi?id=265342

    Fixed UGPRPair for big endian cpus
    https://bugs.webkit.org/show_bug.cgi?id=265342

    Reviewed by Yusuke Suzuki.

    Fixes up the order in which the registers are packed into a UGPRPair on CPU(BIG_ENDIAN).

    * Source/JavaScriptCore/runtime/UGPRPair.h:
    (JSC::makeUGPRPair):

    Canonical link: https://commits.webkit.org/271440@main


  Commit: 96e017a6c83991b7a32fabb672972ee2a10edb15
      https://github.com/WebKit/WebKit/commit/96e017a6c83991b7a32fabb672972ee2a10edb15
  Author: Michael Catanzaro <mcatanzaro at redhat.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/network/soup/SoupNetworkSession.cpp
    M Source/WebKit/UIProcess/API/glib/WebKitNetworkSession.cpp
    M Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp

  Log Message:
  -----------
  Cherry-pick 271013 at main (bcd2223c9362). https://bugs.webkit.org/show_bug.cgi?id=195908

    [SOUP] webkit_web_context_allow_tls_certificate_for_host() fails for IPv6 URIs produced by SoupURI
    https://bugs.webkit.org/show_bug.cgi?id=195908

    Reviewed by Carlos Garcia Campos.

    Nowadays SoupURI has been replaced by GUri, but the underlying problem
    remains: IPv6 addresses in URLs have to be surrounded by [] brackets,
    and WTF::URL considers these brackets to be part of the host component,
    but SoupURI and GUri do not. Alas!

    Let's also clarify expected usage of the API. It might be even better to
    accept input in both forms and normalize it, but GUri documents that the
    brackets are not part of the host, so probably fine for us to do so too.

    Finally, note this is a little awkward to test, so I have omitted tests.
    We could change WebKitTestServer::run to allow selecting IPV6 and then
    run all of TestSSL again twice, and skip them if IPv6 is not enabled. I
    was a little tempted to attempt this, but decided I'm lazy and would
    rather not spend time on it. This is already an edge case and it's not
    the end of the world if it breaks again in the future.

    * Source/WebCore/platform/network/soup/SoupNetworkSession.cpp:
    (WebCore::hostForComparison):
    (WebCore::SoupNetworkSession::checkTLSErrors):
    * Source/WebKit/UIProcess/API/glib/WebKitNetworkSession.cpp:
    * Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp:

    Canonical link: https://commits.webkit.org/271013@main
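The bracket mismatch described above, as an added C++ example (not WebKit's `hostForComparison`): a URL host of the form `[::1]` and an API host of the form `::1` must map to the same key, or a certificate exception the embedder registered never applies and every IPv6 TLS error stays fatal. The example goes a step beyond the commit by normalizing both sides, the variant the message mentions but does not adopt; `TLSCertificateExceptions` and its methods are an assumed model, not WebKit's API.

```cpp
#include <set>
#include <string>
#include <string_view>

// WTF::URL reports an IPv6 host with its surrounding brackets ("[::1]"), while
// GUri/SoupURI report it bare ("::1"). Strip the brackets so both spellings map to
// the same comparison key. Anything else, including malformed input, passes through.
std::string hostForComparison(std::string_view host)
{
    if (host.size() >= 2 && host.front() == '[' && host.back() == ']')
        return std::string(host.substr(1, host.size() - 2));
    return std::string(host);
}

// Minimal model of a per-host certificate exception list (assumed structure, not
// WebKit's): the embedder registers a host, and a later TLS failure on a URL is
// checked against it. Both sides are normalized, so the match does not depend on
// which spelling the embedder used.
class TLSCertificateExceptions {
public:
    void allowForHost(std::string_view host) { m_hosts.insert(hostForComparison(host)); }

    bool isAllowedForURLHost(std::string_view urlHost) const
    {
        return m_hosts.count(hostForComparison(urlHost)) > 0;
    }

private:
    std::set<std::string> m_hosts;
};

// Demonstration with constructed hosts: an exception registered in GUri form must
// match the bracketed host a WTF::URL yields, and must not leak to a different
// address. Returns true when both hold.
bool demoIPv6ExceptionMatches()
{
    TLSCertificateExceptions exceptions;
    exceptions.allowForHost("::1");          // registered the way the API documents it
    exceptions.allowForHost("[2001:db8::5]"); // tolerated thanks to normalization

    bool loopbackMatches = exceptions.isAllowedForURLHost("[::1]");
    bool bracketedRegistrationMatches = exceptions.isAllowedForURLHost("[2001:db8::5]");
    bool otherAddressRejected = !exceptions.isAllowedForURLHost("[2001:db8::6]");
    bool hostnameRejected = !exceptions.isAllowedForURLHost("example.test");
    return loopbackMatches && bracketedRegistrationMatches && otherAddressRejected && hostnameRejected;
}
```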


  Commit: 6eb578ba1c7bcbee4073a666ca4681a7be249c77
      https://github.com/WebKit/WebKit/commit/6eb578ba1c7bcbee4073a666ca4681a7be249c77
  Author: Olivier Blin <olivier.blin at softathome.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/WTF/wtf/linux/RealTimeThreads.cpp

  Log Message:
  -----------
  Cherry-pick 270841 at main (ffd338d9906b). https://bugs.webkit.org/show_bug.cgi?id=264940

    [GTK][WPE] Fix Real-time Linux warning when RLIMIT_RTTIME is not defined
    https://bugs.webkit.org/show_bug.cgi?id=264940

    Reviewed by Michael Catanzaro.

    * Source/WTF/wtf/linux/RealTimeThreads.cpp:
    realTimeKitGetProperty() is unused when RLIMIT_RTTIME is not defined.

    Canonical link: https://commits.webkit.org/270841@main


  Commit: 1b743d0da670137daa34fcf3cd96fc34d255dd8f
      https://github.com/WebKit/WebKit/commit/1b743d0da670137daa34fcf3cd96fc34d255dd8f
  Author: Olivier Blin <olivier.blin at softathome.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/WebCore/platform/GStreamer.cmake

  Log Message:
  -----------
  Cherry-pick 270842 at main (85e79c913425). https://bugs.webkit.org/show_bug.cgi?id=264878

    [GStreamer] Fix applying video decoder limit in unified build
    https://bugs.webkit.org/show_bug.cgi?id=264878

    Reviewed by Michael Catanzaro.

    * Source/WebCore/platform/SourcesGStreamer.txt:
    If GStreamerRegistryScanner.cpp is built in unified files, the local
    COMPILE_DEFINITIONS are not applied, so VIDEO_DECODING_LIMIT is
    ineffective. Apply the definitions to the whole WebCore instead.

    Canonical link: https://commits.webkit.org/270842@main


  Commit: 9dacb7123102d5bac8366a162eba223d5d9ff1c5
      https://github.com/WebKit/WebKit/commit/9dacb7123102d5bac8366a162eba223d5d9ff1c5
  Author: Vitaly Dyachkov <vitaly at igalia.com>
  Date:   2023-12-16 (Sat, 16 Dec 2023)

  Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp

  Log Message:
  -----------
  Cherry-pick 270836 at main (131ac6d0af06). https://bugs.webkit.org/show_bug.cgi?id=180693

    [GLIB] ASSERTION FAILED: response.httpStatusCode() < 300 || response.httpStatusCode() >= 400 || response.httpStatusCode() == 304 || !response.httpHeaderField(HTTPHeaderName::Location) running imported/w3c/web-platform-tests/cors/preflight-failure.htm
    https://bugs.webkit.org/show_bug.cgi?id=180693

    Reviewed by Carlos Garcia Campos.

    Normally, we process redirect responses in
    `ResourceLoader::willSendRequestInternal()`. Exceptions are the
    redirections with no or empty "Location" header.

    In that scenario, we handle the redirect response in
    `SubresourceLoader::didReceiveResponse()` where we assert that this is
    actually the case.

    The assertion uses `String::operator!()` which returns true only if
    the String is null but not empty.

    * Source/WebCore/loader/SubresourceLoader.cpp:
    (WebCore::SubresourceLoader::didReceiveResponse):

    Canonical link: https://commits.webkit.org/270836@main


  Commit: 5b87ea9411250ba67e6b2f8f9e4191f3ae3881de
      https://github.com/WebKit/WebKit/commit/5b87ea9411250ba67e6b2f8f9e4191f3ae3881de
  Author: Yury Semikhatsky <yurys at chromium.org>
  Date:   2023-12-18 (Mon, 18 Dec 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/wpe/WPEView.cpp

  Log Message:
  -----------
  Cherry-pick 270493 at main (7d464f717df9). https://bugs.webkit.org/show_bug.cgi?id=264360

    [WPE] frameDisplayed may be called after View has been deleted
    https://bugs.webkit.org/show_bug.cgi?id=264360

    Reviewed by Michael Catanzaro.

    WKWPE::View is set as a client to wpe_view_backend in the view's
    constructor. Since the backend may live longer than the view,
    we clear the client in the view destructor to avoid a use
    after free similar to the one mentioned in the bug.

    * Source/WebKit/UIProcess/API/wpe/WPEView.cpp:
    (WKWPE::View::~View):

    Canonical link: https://commits.webkit.org/270493@main


  Commit: 211b9254410c761ee0261496e2be06bb624ede39
      https://github.com/WebKit/WebKit/commit/211b9254410c761ee0261496e2be06bb624ede39
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-12-19 (Tue, 19 Dec 2023)

  Changed paths:
    M JSTests/stress/regexp-lookbehind.js
    M Source/JavaScriptCore/yarr/YarrInterpreter.cpp

  Log Message:
  -----------
  Cherry-pick 272039 at main (f59e18069da6). https://bugs.webkit.org/show_bug.cgi?id=266373

    [JSC] Assertion in JSC::Yarr::Interpreter<unsigned char>::InputStream::uncheckInput called from backtrackPatternCasedCharacter
    https://bugs.webkit.org/show_bug.cgi?id=266373
    rdar://119187095

    Reviewed by Justin Michaud.

    When backtracking a lookbehind atom to its starting position we need to set the input pointer to the starting position.
    All other character based atoms had this right, except backtrackPatternCasedCharacter().

    * JSTests/stress/regexp-lookbehind.js: Added a new test case.
    * Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
    (JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):

    Canonical link: https://commits.webkit.org/272039@main


  Commit: a842d7eb30244855f778c0e400a59c4d18bd5fce
      https://github.com/WebKit/WebKit/commit/a842d7eb30244855f778c0e400a59c4d18bd5fce
  Author: Diego Pino Garcia <dpino at igalia.com>
  Date:   2024-01-09 (Tue, 09 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/glib/LowPowerModeNotifierGLib.cpp

  Log Message:
  -----------
  Cherry-pick 272745 at main (652de27dad29). https://bugs.webkit.org/show_bug.cgi?id=266461

    [GCC] Build fix for Debian 11 ARM64 after 272121 at main
    https://bugs.webkit.org/show_bug.cgi?id=266461

    Reviewed by Michael Catanzaro.

    * Source/JavaScriptCore/assembler/ARM64Assembler.h: Remove 'constexpr'
      keyword in conditional comparison.
    * Source/WebCore/platform/glib/LowPowerModeNotifierGLib.cpp:
    (WebCore::LowPowerModeNotifier::LowPowerModeNotifier): Mark argument as
    UNUSED.

    Canonical link: https://commits.webkit.org/272745@main


  Commit: 5895d5715ec206110c1a0f4f64c987fccbd7d6bb
      https://github.com/WebKit/WebKit/commit/5895d5715ec206110c1a0f4f64c987fccbd7d6bb
  Author: Diego Pino Garcia <dpino at igalia.com>
  Date:   2024-01-09 (Tue, 09 Jan 2024)

  Changed paths:
    A LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle-expected.html
    A LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle.html
    M Source/WebCore/platform/graphics/cairo/GradientCairo.cpp

  Log Message:
  -----------
  Cherry-pick 272730 at main (814c148a788c). https://bugs.webkit.org/show_bug.cgi?id=266160

    [cairo] freeze under WebCore::Cairo::fillRect at https://dev.orthologiq.net/
    https://bugs.webkit.org/show_bug.cgi?id=266160

    Reviewed by Fujii Hironori.

    Stops with offset zero before the last one must be ignored.

    * LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle-expected.html: Added.
    * LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle.html: Added.
    * LayoutTests/platform/mac/TestExpectations: Mark new test as ImageOnlyFailure.
    * Source/WebCore/platform/graphics/cairo/GradientCairo.cpp:
    (WebCore::createConic):

    Canonical link: https://commits.webkit.org/272730@main


  Commit: 33bbbf32852df5696fc7706378ff9119159ee9f6
      https://github.com/WebKit/WebKit/commit/33bbbf32852df5696fc7706378ff9119159ee9f6
  Author: Patrick Griffis <pgriffis at igalia.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp

  Log Message:
  -----------
  Cherry-pick 273334 at main (b9361c774194). https://bugs.webkit.org/show_bug.cgi?id=238403

    [GLib] Write bwrapinfo.json to disk for xdg-desktop-portal
    https://bugs.webkit.org/show_bug.cgi?id=238403

    Reviewed by Michael Catanzaro.

    The Realtime portal in xdg-desktop-portal reads bwrapinfo.json
    to get the child pid.

    * Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
    (WebKit::createBwrapInfo):
    (WebKit::createFlatpakInfo):
    (WebKit::bubblewrapSpawn):

    Canonical link: https://commits.webkit.org/273334@main


  Commit: 0765e4cd6c2e2b36f8b61174e6017fe88f74a4cd
      https://github.com/WebKit/WebKit/commit/0765e4cd6c2e2b36f8b61174e6017fe88f74a4cd
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp

  Log Message:
  -----------
  Cherry-pick 267815.569 at safari-7617-branch (5ebdf97c0a26). rdar://118039950

Use-after-free in processResponse in ServiceWorkerFetch.cpp
rdar://118039950

Reviewed by Chris Dumez.

Cancelling the stream can trigger GC when creating the DOMException JS wrapper.
This might collect the FetchResponse object.
To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.

* Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::processResponse):

Canonical link: https://commits.webkit.org/267815.569@safari-7617-branch


  Commit: 3fb6b3ec465bf922f8bd7a5fb6eac741821078da
      https://github.com/WebKit/WebKit/commit/3fb6b3ec465bf922f8bd7a5fb6eac741821078da
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/ipc/argumentParser.js
    A LayoutTests/ipc/fuzz_tools.js
    A LayoutTests/ipc/media-player-invalid-test-expected.txt
    A LayoutTests/ipc/media-player-invalid-test.html
    M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
    M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h
    M Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp

  Log Message:
  -----------
  Cherry-pick 267815.570 at safari-7617-branch (fc6f62059d44). rdar://115982856

[CoreIPC] heap-use-after-free in WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856

Reviewed by Jean-Yves Avenard and Eric Carlson.

Error only hit in internal testing. Object was referenced after deletion. Updated `MockMediaPlayer` to use a weak pointer for `m_player` instead of a reference and added checks to methods to verify that `m_player` exists before trying to read/write.

* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed `m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):

Canonical link: https://commits.webkit.org/267815.570@safari-7617-branch


  Commit: da176efb653602a9ee7844831d002e498d5aede0
      https://github.com/WebKit/WebKit/commit/da176efb653602a9ee7844831d002e498d5aede0
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt
    A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html
    M Source/WebCore/dom/ContainerNode.cpp

  Log Message:
  -----------
  Cherry-pick 268451.4 at webkit-2023.9-embargoed (f554230ef55f). https://bugs.webkit.org/show_bug.cgi?id=263178

DOM: Make sure to set tree scope during parser insertion
https://bugs.webkit.org/show_bug.cgi?id=263178
rdar://116715621

Reviewed by Ryosuke Niwa.

It is possible for an element to be reparented, e.g., to a shadow
tree before parsing has finished, so we need to make sure to set the
correct tree scope for a new element during parsing insertion,
otherwise it might end up associated with the wrong tree scope.

* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt: Added.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::parserInsertBefore):

Canonical link: https://commits.webkit.org/268451.4@webkit-2023.9-embargoed

Canonical link: https://commits.webkit.org/267815.571@safari-7617-branch


  Commit: dab6e63f7e12a6699f1d13913e25a08e117f95c2
      https://github.com/WebKit/WebKit/commit/dab6e63f7e12a6699f1d13913e25a08e117f95c2
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm

  Log Message:
  -----------
  Cherry-pick 267815.586 at safari-7617-branch (e408ece1b8a7). https://bugs.webkit.org/show_bug.cgi?id=265129

GraphicsContextGLCocoa::setDrawingBufferColorSpace is missing makeContextCurrent()
https://bugs.webkit.org/show_bug.cgi?id=265129
rdar://118650182

Reviewed by Dan Glastonbury.

All public API entrypoints in GraphicsContextGLANGLE should call
the makeContextCurrent().

* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
(WebCore::GraphicsContextGLCocoa::setDrawingBufferColorSpace):

Canonical link: https://commits.webkit.org/267815.586@safari-7617-branch


  Commit: 721ce94bc2ab5bbc8f5cf608a2f95ba0136e49c6
      https://github.com/WebKit/WebKit/commit/721ce94bc2ab5bbc8f5cf608a2f95ba0136e49c6
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp
    M Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp

  Log Message:
  -----------
  Cherry-pick 267815.587 at safari-7617-branch (db3f6a7dbf33). https://bugs.webkit.org/show_bug.cgi?id=265127

ANGLE eglBindTexImage ASSERT when overwriting a binding
https://bugs.webkit.org/show_bug.cgi?id=265127
rdar://118649807

Reviewed by Dan Glastonbury.

glBindTexture(GL_TEXTURE_2D, tex);
eglBindTexImage(.., pbuffer, ...);
  - Would set the Surface::mBoundTexture of pbuffer
  - Would set the Texture::mBoundSurface of tex
eglBindTexImage(.., pbuffer2, ...);
  - Would set the Surface::mBoundTexture of pbuffer2
  - Would set the Texture::mBoundSurface of tex
  - Would fail to unset Surface::mBoundTexture of pbuffer

Fix by making the unset logic linear, avoiding
Surface -> Texture -> Surface call sequence.

* Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp:
(egl::Surface::bindTexImage):
* Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp:
(gl::Texture::bindTexImageFromSurface):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp:

Canonical link: https://commits.webkit.org/267815.587@safari-7617-branch


  Commit: c00bcc2634118112afb8adf7d1fa579cd08e27a8
      https://github.com/WebKit/WebKit/commit/c00bcc2634118112afb8adf7d1fa579cd08e27a8
  Author: Erica Li <lerica at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt
    A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html

  Log Message:
  -----------
  Cherry-pick 267815.594 at safari-7617-branch (7ee16f6de094). https://bugs.webkit.org/show_bug.cgi?id=265107

[3a7d43b31aba54c5] ASAN_SEGV | Layout::LineBoxBuilder::constructInlineLevelBoxes; Layout::LineBoxBuilder::build; Layout::InlineFormattingContext::createDisplayContentForInlineContent
https://bugs.webkit.org/show_bug.cgi?id=265107
rdar://118424612

Reviewed by Alan Baradlay.

Bail out createDisplayContentForLineFromCachedContent when restoreTrimmedTrailingWhitespace failed.

* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt: Added.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):

Canonical link: https://commits.webkit.org/267815.594@safari-7617-branch


  Commit: 7ec344fb5d9132447fd7e93c7c0d01cda52fc2a8
      https://github.com/WebKit/WebKit/commit/7ec344fb5d9132447fd7e93c7c0d01cda52fc2a8
  Author: Nicole Rosario <nicole_rosario at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
    A LayoutTests/fast/rendering/render-list-marker-select.html
    M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp

  Log Message:
  -----------
  Cherry-pick 267815.595 at safari-7617-branch (2a1f2e7acfe2). https://bugs.webkit.org/show_bug.cgi?id=264830

jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454

Reviewed by Alan Baradlay.

Null pointer dereference error caused by the render tree being ordered incorrectly. RenderListMarker
was being placed inside RenderMenuList, whereas RenderListMarker and RenderMenuList should be on
the same level and in RenderListItem.

* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): added check to ensure RenderListMarker isn't placed inside
RenderMenuList but can be placed at the same level (i.e., as a sibling).

Canonical link: https://commits.webkit.org/267815.595@safari-7617-branch


  Commit: f7405d0b0853072fb9d33f329c9365619f55e665
      https://github.com/WebKit/WebKit/commit/f7405d0b0853072fb9d33f329c9365619f55e665
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
    A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch

  Log Message:
  -----------
  Cherry-pick 267815.606 at safari-7617-branch (f2ba7a5d0dd0). https://bugs.webkit.org/show_bug.cgi?id=265727

[WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>

Reviewed by Youenn Fablet.

* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.

* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.

Canonical link: https://commits.webkit.org/267815.606@safari-7617-branch


  Commit: a725227c9feb027843230442d37af3dba6b24afd
      https://github.com/WebKit/WebKit/commit/a725227c9feb027843230442d37af3dba6b24afd
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
    A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch

  Log Message:
  -----------
  Cherry-pick 267815.607 at safari-7617-branch (7fa29f992225). https://bugs.webkit.org/show_bug.cgi?id=265776

[WebRTC] Out-of-bounds crash in webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>

Reviewed by Youenn Fablet.

* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers.  This
  matches the check in SsDataLength(), but that's called later when
  initializing fields in RtpPacketizerVp9.

* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.

Canonical link: https://commits.webkit.org/267815.607@safari-7617-branch


  Commit: 1e49f24d12788c9c06ecd56ae88f948940aa561b
      https://github.com/WebKit/WebKit/commit/1e49f24d12788c9c06ecd56ae88f948940aa561b
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
    A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
    M Source/WebCore/platform/graphics/ShadowBlur.cpp

  Log Message:
  -----------
  Cherry-pick 267815.608 at safari-7617-branch (e09e3cd2f3db). https://bugs.webkit.org/show_bug.cgi?id=264978

heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762.

Reviewed by Simon Fraser.

For very large box-shadow sizes, due to floating point precision error,
ImageBuffer::getPixelBuffer returns a 'PixelBuffer' whose size
is not the same as the passed size. This causes a buffer overflow/underflow
issue for these large sizes. To fix it, we now use the same
size as the allocated 'PixelBuffer' size, even though it could be slightly
different from the original size.

* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size.

Canonical link: https://commits.webkit.org/267815.608@safari-7617-branch


  Commit: 5c0430703b0bb5fd378c1dc6c44e1ae0ba5dd1f7
      https://github.com/WebKit/WebKit/commit/5c0430703b0bb5fd378c1dc6c44e1ae0ba5dd1f7
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h

  Log Message:
  -----------
  Cherry-pick 267815.610 at safari-7617-branch (8d4c34c20726). rdar://114943202

[macOS] WebContent crash in WTF::deallocateSendRightSafely under ~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202

Reviewed by Chris Dumez.

After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue, we now protect it in RemoteDisplayListRecorderProxy with a lock.

* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:

Canonical link: https://commits.webkit.org/267815.610@safari-7617-branch


  Commit: 535413388bcb7f77bea473c1694fa797ddc039fb
      https://github.com/WebKit/WebKit/commit/535413388bcb7f77bea473c1694fa797ddc039fb
  Author: Erica Li <lerica at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt
    A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html
    M Source/WebCore/svg/SVGAnimateMotionElement.cpp
    M Source/WebCore/svg/SVGAnimateMotionElement.h
    M Source/WebCore/svg/SVGMPathElement.cpp
    M Source/WebCore/svg/SVGMPathElement.h

  Log Message:
  -----------
  Cherry-pick 267815.611 at safari-7617-branch (ca57f6a1de59). https://bugs.webkit.org/show_bug.cgi?id=265562

[72857589b8bce60e] ASAN_ILL | WebCore::TreeScopeOrderedMap::getElementById; WebCore::TreeScope::getElementById; WebCore::SVGURIReference::targetElementFromIRIString.
https://bugs.webkit.org/show_bug.cgi?id=265562
rdar://118513775

Reviewed by Chris Dumez.

updateAnimationPath should be done after treescope is fully updated.

* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt: Added.
* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html: Added.
* Source/WebCore/svg/SVGAnimateMotionElement.cpp:
(WebCore::SVGAnimateMotionElement::childrenChanged):
* Source/WebCore/svg/SVGAnimateMotionElement.h:
* Source/WebCore/svg/SVGMPathElement.cpp:
(WebCore::SVGMPathElement::removedFromAncestor):
(WebCore::SVGMPathElement::targetPathChanged):
(WebCore::SVGMPathElement::notifyParentOfPathChange): Deleted.
* Source/WebCore/svg/SVGMPathElement.h:

Canonical link: https://commits.webkit.org/267815.611@safari-7617-branch


  Commit: e2c7c0c1d3cc29f3269e2cffe4f13bc085b0189b
      https://github.com/WebKit/WebKit/commit/e2c7c0c1d3cc29f3269e2cffe4f13bc085b0189b
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm

  Log Message:
  -----------
  Cherry-pick 267815.612 at safari-7617-branch (61598c9bb40b). rdar://119047103

HSTS not partitioned for Fetch (according to privacytests.org)
rdar://119047103

Reviewed by Alex Christensen.

When downgrading in WKNetworkSessionDelegate to not use HSTS, we were downgrading by creating the downgraded request and triggering a synthetic redirection.
Fetch is exposing whether a redirection is done via Response.redirected, and this includes synthetic redirections.
This allows a web page to query the HSTS global cache.

To prevent this, we directly downgrade the request and continue the load with the downgraded request.
We do not need the synthetic redirection since the downgraded request should be exactly the same as the initial request.

* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/267815.612@safari-7617-branch


  Commit: 732bc2c5f597012648a931a93f4ea902e5fbd1f7
      https://github.com/WebKit/WebKit/commit/732bc2c5f597012648a931a93f4ea902e5fbd1f7
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html
    M Source/WebCore/rendering/RenderBlock.cpp

  Log Message:
  -----------
  Cherry-pick 270734.5 at webkit-embargoed (bd192edd0348). https://bugs.webkit.org/show_bug.cgi?id=264169

[Content-visibility] RenderTreeNeedsLayoutChecker asserts on fixed positioned box inside skipped subtree
https://bugs.webkit.org/show_bug.cgi?id=264169
rdar://117914028

Reviewed by Alan Baradlay.

Avoid simplified layout when laying out a content-visibility root with positioned children since
there is no guarantee the positioned children have been processed in a previous layout due to
lazy layout of skipped content.

* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::simplifiedLayout):

Canonical link: https://commits.webkit.org/270734.5@webkit-2023.11-embargoed

Canonical link: https://commits.webkit.org/267815.617@safari-7617-branch


  Commit: afbfa5325958b7b04e4ececda5e476be0b4cf89d
      https://github.com/WebKit/WebKit/commit/afbfa5325958b7b04e4ececda5e476be0b4cf89d
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt
    A LayoutTests/mathml/operator-append-fixed-container-svg-crash.html
    A LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt
    A LayoutTests/mathml/token-append-fixed-container-svg-crash.html
    M Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp
    M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp

  Log Message:
  -----------
  Cherry-pick 270734.4 at webkit-embargoed (f765915efb81). https://bugs.webkit.org/show_bug.cgi?id=264636

MathML does not always handle positioned objects correctly
https://bugs.webkit.org/show_bug.cgi?id=264636

Reviewed by Alan Baradlay.

For mo/mi elements positioned objects are not laid out at all so in this
case after layout the tree is still dirty. Fix this by calling layoutPositionedObjects
for tokens and operators.

* LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt: Added.
* LayoutTests/mathml/operator-append-fixed-container-svg-crash.html: Added.
* LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt: Added.
* LayoutTests/mathml/token-append-fixed-container-svg-crash.html: Added.
* Source/WTF/wtf/Assertions.cpp:
* Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp:
(WebCore::RenderMathMLOperator::layoutBlock):
* Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
(WebCore::RenderMathMLToken::layoutBlock):

Canonical link: https://commits.webkit.org/270734.4@webkit-2023.11-embargoed

Canonical link: https://commits.webkit.org/267815.618@safari-7617-branch


  Commit: de238adfe0517f0f69519e4d131c3e7fe866c967
      https://github.com/WebKit/WebKit/commit/de238adfe0517f0f69519e4d131c3e7fe866c967
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M LayoutTests/fullscreen/full-screen-enabled-expected.txt
    M LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt
    M LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt
    M LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
    M LayoutTests/fullscreen/full-screen-restrictions-expected.txt
    M LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt
    M LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt
    A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt
    A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html
    A LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html
    M LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt
    M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt
    M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt
    M LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt
    M LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt
    M LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt
    M LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt
    M LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt
    M Source/WebCore/html/FeaturePolicy.cpp
    M Source/WebCore/html/FeaturePolicy.h

  Log Message:
  -----------
  Cherry-pick 267815.624 at safari-7617-branch (0ad98b606305). https://bugs.webkit.org/show_bug.cgi?id=265812

Cross-origin <embed> elements can request media permission, and prompts show main-frame URL
https://bugs.webkit.org/show_bug.cgi?id=265812
rdar://119149318

Reviewed by Chris Dumez.

We should apply feature policy for all elements, including embed and frame elements.
Since there are no allow attributes, we should use the default feature policy rules for those elements.
Update isFeaturePolicyAllowedByDocumentAndAllOwners accordingly.

Rebase tests according to the updated console log message.

* LayoutTests/fullscreen/full-screen-enabled-expected.txt:
* LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt:
* LayoutTests/fullscreen/full-screen-restrictions-expected.txt:
* LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt:
* LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt:
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt: Added.
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html: Added.
* LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html: Added.
* LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt:
* LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt:
* Source/WebCore/html/FeaturePolicy.cpp:
(WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
(WebCore::FeaturePolicy::parse):
* Source/WebCore/html/FeaturePolicy.h:
(WebCore::FeaturePolicy::defaultPolicy):
(WebCore::FeaturePolicy::parse):

Canonical link: https://commits.webkit.org/267815.624@safari-7617-branch
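The check described in the commit message above, walking every owner element up to the top-level frame and applying the default policy to owners such as `<embed>` and `<frame>` that carry no allow attribute, as an added example. This is not WebKit's `isFeaturePolicyAllowedByDocumentAndAllOwners`; the `Document`/`OwnerElement` structs, the origin strings and the assumed default allowlist of `'self'` are constructed for the illustration.

```cpp
// Added example, not WebKit code. Models a frame's owner chain and checks a
// permission-gated feature against every owner element, not only <iframe>.
#include <optional>
#include <set>
#include <sstream>
#include <string>
#include <iostream>

struct Document;

// Owner element living in the parent document. Only <iframe> has an allow attribute.
struct OwnerElement {
    std::string tag;                    // "iframe", "embed", "frame", ...
    std::optional<std::string> allow;   // the allow="" attribute, if any (iframe only)
    const Document* parent;             // document that contains the element
};

struct Document {
    std::string origin;                 // constructed sample origin, e.g. "https://a.example"
    std::optional<OwnerElement> owner;  // empty for the top-level document
};

// Allowlist for one feature: either any origin, or an explicit origin set.
struct Allowlist {
    bool any = false;
    std::set<std::string> origins;
    bool contains(const std::string& origin) const { return any || origins.count(origin) != 0; }
};

// Parses an allow attribute such as "camera 'self' https://b.example; microphone 'none'"
// for one feature. 'self' resolves to the embedding (parent) document's origin.
// Assumption for this example: the default policy, used when there is no allow
// attribute, when the feature is not listed, or when it is listed without
// origins, is 'self'.
Allowlist allowlistFor(const std::optional<std::string>& allowAttr,
                       const std::string& feature, const std::string& selfOrigin) {
    Allowlist defaultList;
    defaultList.origins.insert(selfOrigin);
    if (!allowAttr)
        return defaultList;
    std::stringstream declarations(*allowAttr);
    std::string declaration;
    while (std::getline(declarations, declaration, ';')) {
        std::stringstream tokens(declaration);
        std::string name;
        tokens >> name;
        if (name != feature)
            continue;
        Allowlist list;
        std::string token;
        bool sawOrigin = false;
        while (tokens >> token) {
            sawOrigin = true;
            if (token == "*") list.any = true;
            else if (token == "'self'") list.origins.insert(selfOrigin);
            else if (token == "'none'") { /* nothing allowed */ }
            else list.origins.insert(token);
        }
        return sawOrigin ? list : defaultList;
    }
    return defaultList;
}

// The feature is allowed only if every document from `doc` up to the top-level
// frame is allowed by the policy its owner element imposes. Non-iframe owners
// have no allow attribute and therefore get the default policy rather than
// being skipped, which is the behaviour the fix above introduces.
bool isFeatureAllowedByDocumentAndAllOwners(const Document& doc, const std::string& feature) {
    const Document* current = &doc;
    while (current->owner) {
        const OwnerElement& owner = *current->owner;
        std::optional<std::string> attr = owner.tag == "iframe" ? owner.allow : std::optional<std::string>{};
        Allowlist list = allowlistFor(attr, feature, owner.parent->origin);
        if (!list.contains(current->origin))
            return false;
        current = owner.parent;
    }
    return true; // top-level document; the HTTP Permissions-Policy header is not modelled here
}

int main() {
    Document top{"https://a.example", std::nullopt};
    Document crossOriginEmbed{"https://b.example", OwnerElement{"embed", std::nullopt, &top}};
    std::cout << "cross-origin <embed> camera allowed: "
              << isFeatureAllowedByDocumentAndAllOwners(crossOriginEmbed, "camera") << "\n"; // prints 0
    return 0;
}
```

Run stand-alone it evaluates a cross-origin `<embed>` in a top-level document: with no allow attribute the default `'self'` policy applies, so the feature is denied, whereas an `<iframe allow="camera https://b.example">` for the same origin would be granted.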


  Commit: d9a850d44570cd37661ba0edfbb97e62443b4907
      https://github.com/WebKit/WebKit/commit/d9a850d44570cd37661ba0edfbb97e62443b4907
  Author: Scott Marcy <mscott at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/ipc/invalid-fullscreen-enum-expected.txt
    A LayoutTests/ipc/invalid-fullscreen-enum.html
    A LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov
    M Source/WebCore/platform/graphics/MediaPlayerEnums.h
    M Source/WebKit/UIProcess/Cocoa/VideoFullscreenManagerProxy.mm

  Log Message:
  -----------
  Cherry-pick 267815.636 at safari-7617-branch (cc4e54ad41c9). <bug>

    rdar://115106974 (SEGV in -[NSView resizeSubviewsWithOldSize:])

    Checks that the VideoFullscreenMode argument for two IPC calls is valid and invalidates the IPC message if not.

    Reviewed by Alex Christensen (achristensen07).

    If the VideoFullscreenMode value is not as expected the IPC message will be marked as invalid, which is supposed
    to crash the content process thereby thwarting any attempted attack through this mechanism.

    * LayoutTests/TestExpectations:
    * LayoutTests/ipc/invalid-fullscreen-enum-expected.txt: Added.
    * LayoutTests/ipc/invalid-fullscreen-enum.html: Added.
    * LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov: Added.
    * Source/WebCore/platform/graphics/MediaPlayerEnums.h:
    * Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm:
    (WebKit::VideoPresentationManagerProxy::setupFullscreenWithID):
    (WebKit::VideoPresentationManagerProxy::exitFullscreenWithoutAnimationToMode):

    Canonical link: https://commits.webkit.org/267815.636@safari-7617-branch
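The pattern the commit above applies, validating an enum value received over IPC before it is used and marking the message invalid otherwise, as an added example. This is not WebKit's decoder or `VideoFullscreenMode`; the `FullscreenMode` bit values, the `IpcDecoder` class and the wire format (little-endian 32-bit fields) are constructed for the illustration.

```cpp
// Added example, not WebKit code. A privileged process decoding a message from
// a less trusted process must never cast a raw integer to an enum unchecked.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <utility>
#include <vector>

// Hypothetical bit-flag enum; the values are constructed for the example.
enum class FullscreenMode : uint32_t {
    None             = 0,
    Standard         = 1u << 0,
    PictureInPicture = 1u << 1,
    // Any other bit pattern is invalid and must be rejected.
};

constexpr uint32_t kAllFullscreenModeBits =
    static_cast<uint32_t>(FullscreenMode::Standard) |
    static_cast<uint32_t>(FullscreenMode::PictureInPicture);

// A wire value is valid only if every set bit names a known mode.
constexpr bool isValidFullscreenMode(uint32_t raw) {
    return (raw & ~kAllFullscreenModeBits) == 0;
}

// Minimal decoder: reads little-endian u32 fields from a byte buffer and
// remembers whether any field failed to decode or validate.
class IpcDecoder {
public:
    explicit IpcDecoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) {}

    std::optional<uint32_t> decodeU32() {
        if (m_invalid || m_bytes.size() - m_offset < 4) {
            markInvalid();
            return std::nullopt;
        }
        uint32_t value = 0;
        for (int i = 0; i < 4; ++i)
            value |= static_cast<uint32_t>(m_bytes[m_offset + i]) << (8 * i);
        m_offset += 4;
        return value;
    }

    // Typed decode: the raw integer is checked before it becomes an enum.
    std::optional<FullscreenMode> decodeFullscreenMode() {
        auto raw = decodeU32();
        if (!raw)
            return std::nullopt;
        if (!isValidFullscreenMode(*raw)) {
            markInvalid();
            return std::nullopt;
        }
        return static_cast<FullscreenMode>(*raw);
    }

    void markInvalid() { m_invalid = true; }
    bool isInvalid() const { return m_invalid; }

private:
    std::vector<uint8_t> m_bytes;
    size_t m_offset = 0;
    bool m_invalid = false;
};

// Outcome of handling one message. In a real IPC layer `messageInvalid` is
// the signal that ends the sending process instead of proceeding.
struct HandlerResult {
    bool accepted;
    bool messageInvalid;
    uint32_t contextId;
};

// Handler for a hypothetical "setupFullscreen(contextId, mode)" message.
HandlerResult handleSetupFullscreen(const std::vector<uint8_t>& wire) {
    IpcDecoder decoder(wire);
    auto contextId = decoder.decodeU32();
    auto mode = decoder.decodeFullscreenMode();
    if (!contextId || !mode)
        return { false, decoder.isInvalid(), 0 };
    // Only validated values reach the rest of the code path.
    return { true, false, *contextId };
}

int main() {
    // Constructed messages: context id 7 with a valid mode, then with an unknown bit set.
    HandlerResult ok = handleSetupFullscreen({ 7, 0, 0, 0, 1, 0, 0, 0 });
    HandlerResult bad = handleSetupFullscreen({ 7, 0, 0, 0, 0x80, 0, 0, 0 });
    std::cout << "valid message accepted: " << ok.accepted
              << ", unknown mode bit marked invalid: " << bad.messageInvalid << "\n"; // prints 1, 1
    return 0;
}
```

The point of the typed `decodeFullscreenMode` is that the cast to the enum happens in exactly one place, after the check, so every handler taking that argument gets validation for free; a truncated message is treated the same way as an out-of-range value.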


  Commit: 19a6ed309179aeedaf2a0987d4090e07273e859c
      https://github.com/WebKit/WebKit/commit/19a6ed309179aeedaf2a0987d4090e07273e859c
  Author: Erica Li <lerica at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt
    A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html
    M LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp

  Log Message:
  -----------
  Cherry-pick 267815.637 at safari-7617-branch (87a8ec698d64). https://bugs.webkit.org/show_bug.cgi?id=266273

    ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter
    https://bugs.webkit.org/show_bug.cgi?id=266273
    rdar://119187070

    Reviewed by Alan Baradlay.

    Similar to rdar://104598552, add positioned child in RenderMathMLScripts also.

    * LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt: Added.
    * LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html: Added.
    * LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline based on this fix.
    * Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp:
    (WebCore::RenderMathMLScripts::layoutBlock):

    Canonical link: https://commits.webkit.org/267815.637@safari-7617-branch


  Commit: 107f372478680a8ecbb68fab115028ecb96f4ac0
      https://github.com/WebKit/WebKit/commit/107f372478680a8ecbb68fab115028ecb96f4ac0
  Author: David Degazio <d_degazio at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.cpp
    M Source/JavaScriptCore/runtime/ClonedArguments.cpp
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/FunctionPrototype.cpp

  Log Message:
  -----------
  Cherry-pick 267815.638 at safari-7617-branch (dc9b30f37ba8). https://bugs.webkit.org/show_bug.cgi?id=264511

    Throw exception when ClonedArguments allocation fails
    https://bugs.webkit.org/show_bug.cgi?id=264511
    rdar://118039984

    Reviewed by Mark Lam.

    Currently, if we try and allocate a ClonedArguments object and run out of
    memory, we silently return nullptr. This can result in an empty JSValue
    being returned. This patch ensures that we check for and
    propagate the null result, in addition to throwing an OutOfMemory error.
    In cases where we can't throw an OutOfMemory error, specifically in
    operationMaterializeObjectInOSR, we RELEASE_ASSERT that the result is
    non-null to guarantee we crash instead of allowing the empty value to
    escape.

    * JSTests/stress/cloned-arguments-oom.js: Added.
    (Allocator):
    (Allocator.prototype.size):
    (Allocator.prototype.allocate):
    (createClonedArguments):
    (0x0.map.size.new.Allocator):
    (catch):
    * Source/JavaScriptCore/dfg/DFGOperations.cpp:
    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
    * Source/JavaScriptCore/ftl/FTLOperations.cpp:
    (JSC::FTL::JSC_DEFINE_JIT_OPERATION):
    * Source/JavaScriptCore/runtime/ClonedArguments.cpp:
    (JSC::ClonedArguments::createEmpty):
    (JSC::ClonedArguments::createWithInlineFrame):
    (JSC::ClonedArguments::createWithMachineFrame):
    (JSC::ClonedArguments::createByCopyingFrom):
    * Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
    (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
    * Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
    (JSC::JSC_DEFINE_CUSTOM_GETTER):

    Canonical link: https://commits.webkit.org/267815.638@safari-7617-branch


  Commit: 3063130fc1070ae4fe59ae05bc544f8db3a41921
      https://github.com/WebKit/WebKit/commit/3063130fc1070ae4fe59ae05bc544f8db3a41921
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in

  Log Message:
  -----------
  Cherry-pick 267815.640 at safari-7617-branch (36d57dc0f23f). https://bugs.webkit.org/show_bug.cgi?id=262699

    Restrict access to Version.plist in the WebContent process on iOS
    https://bugs.webkit.org/show_bug.cgi?id=262699
    rdar://116545792

    Reviewed by Per Arne Vollan.

    Access to this file provides information about the device that should not be
    accessible to web content. This patch explicitly prevents access to the file
    from the Web content process. In a follow-up patch I'm planning on improving
    the path validation we use for paths provided by JavaScript.

    * Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:

    Canonical link: https://commits.webkit.org/267815.640@safari-7617-branch


  Commit: 65aaef9a888dc17c47255a6fb753965f50a36df5
      https://github.com/WebKit/WebKit/commit/65aaef9a888dc17c47255a6fb753965f50a36df5
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/loader/SubresourceLoader.cpp
    M Source/WebCore/loader/SubresourceLoader.h

  Log Message:
  -----------
  Cherry-pick 267815.652 at safari-7617-branch (ea99166b2dfe). https://bugs.webkit.org/show_bug.cgi?id=266589

    Crash under SubresourceLoader::didReceiveBuffer()
    https://bugs.webkit.org/show_bug.cgi?id=266589
    rdar://116974951

    Reviewed by Ryosuke Niwa.

    Make sure we protect the CachedResource before calling non-trivial member
    functions on it.

    * Source/WebCore/loader/SubresourceLoader.cpp:
    (WebCore::SubresourceLoader::willSendRequestInternal):
    (WebCore::SubresourceLoader::didSendData):
    (WebCore::SubresourceLoader::didReceivePreviewResponse):
    (WebCore::SubresourceLoader::didReceiveResponse):
    (WebCore::SubresourceLoader::didReceiveBuffer):
    (WebCore::SubresourceLoader::willCancel):
    (WebCore::SubresourceLoader::didCancel):
    (WebCore::SubresourceLoader::releaseResources):
    * Source/WebCore/loader/SubresourceLoader.h:

    Canonical link: https://commits.webkit.org/267815.652@safari-7617-branch


  Commit: 7f99bc1e89a801a9802accc2f5df20b5929e4390
      https://github.com/WebKit/WebKit/commit/7f99bc1e89a801a9802accc2f5df20b5929e4390
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp
    M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h
    M Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp
    M Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp
    M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp
    M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
    M Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm

  Log Message:
  -----------
  Cherry-pick 2bee8872e3b9. https://bugs.webkit.org/show_bug.cgi?id=266619

    REGRESSION (233845 at main): Crash in MediaKeySystemRequest::~MediaKeySystemRequest
    https://bugs.webkit.org/show_bug.cgi?id=266619
    rdar://118004786

    Reviewed by Jean-Yves Avenard.

    In 233845 at main, NavigatorEME::requestMediaKeySystemAccess moved the task that creates the CDM
    instance into a completion handler that's called asynchronously once the client allows media key
    access. The completion handler captured a raw pointer to the document, leading to a crash if the
    document is destroyed before the completion handler is called. Debug builds would also assert in
    CompletionHandler::~CompletionHandler because ActiveDOMObject::queueTaskInEventLoop would not
    invoke the task queued by MediaKeySystemRequest::allow - which captured a CompletionHandler - when
    scriptExecutionContext is null.

    Addressed the crash by capturing document as a WeakPtr and null-checking it prior to calling
    Document::postTask in NavigatorEME::requestMediaKeySystemAccess's allow callback. Addressed the
    assertion failure by removing the unnecessary asynchronous CompletionHandler from
    Messages::WebPage::MediaKeySystemWasGranted.

    * Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp:
    (WebCore::MediaKeySystemRequest::allow):
    * Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h:
    * Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp:
    (WebCore::NavigatorEME::requestMediaKeySystemAccess):
    * Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp:
    (WebKit::MediaKeySystemPermissionRequestManagerProxy::grantRequest):
    * Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp:
    (WebKit::MediaKeySystemPermissionRequestManager::mediaKeySystemWasGranted):
    * Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::mediaKeySystemWasGranted):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
    * Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm:
    (WebMediaKeySystemClient::requestMediaKeySystem):

    Canonical link: https://commits.webkit.org/267815.655@safari-7617-branch

    Canonical link: https://commits.webkit.org/267815.660@safari-7617.2.4.11-branch
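The two lifetime patterns described in the SubresourceLoader and MediaKeySystemRequest commits above (keeping a strong reference to an object across a member call that may re-enter client code, and capturing a weak rather than raw pointer in a completion handler that runs later), as one added example. This is not WebKit code: it uses `std::shared_ptr`/`std::weak_ptr` in place of WebKit's `Ref`/`WeakPtr`, and `Resource`, `Loader`, `Document` and `requestMediaKeySystemAccess` here are constructed stand-ins.

```cpp
// Added example, not WebKit code. Both patterns below close a window in which
// an object can be destroyed while code still holds a pointer to it.
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Pattern 1: a member function that re-enters client code must assume the
// client may drop the last owning reference. The caller takes a protector.
struct Resource {
    int bytesReceived = 0;
    std::function<void()> onData;   // client hook; may release the loader's reference

    int didReceiveData(int n) {
        bytesReceived += n;          // uses *this ...
        if (onData)
            onData();                // ... re-enters client code, which may drop the last ref ...
        return bytesReceived;        // ... and uses *this again: only safe if someone still owns it
    }
};

struct Loader {
    std::shared_ptr<Resource> resource;

    int didReceiveBuffer(int n) {
        if (!resource)
            return -1;
        auto protectedResource = resource;   // strong reference for the duration of the call
        return protectedResource->didReceiveData(n);
    }
};

// Pattern 2: an asynchronous completion handler captures a weak reference and
// null-checks it when it finally runs, instead of holding a raw pointer.
struct Document {
    std::vector<std::string> tasks;
    void postTask(std::string what) { tasks.push_back(std::move(what)); }
};

using CompletionHandler = std::function<bool()>;   // returns whether the work ran

CompletionHandler requestMediaKeySystemAccess(const std::shared_ptr<Document>& document) {
    std::weak_ptr<Document> weakDocument = document;   // not a raw Document*
    return [weakDocument]() -> bool {
        auto doc = weakDocument.lock();
        if (!doc)
            return false;            // document is gone: drop the work, do not touch freed memory
        doc->postTask("create CDM instance");
        return true;
    };
}

int main() {
    // Client cancels the load (drops the loader's reference) from inside the data callback.
    Loader loader{ std::make_shared<Resource>() };
    loader.resource->onData = [&loader] { loader.resource.reset(); };
    std::cout << "bytes seen after re-entrant cancel: " << loader.didReceiveBuffer(5) << "\n"; // prints 5

    // Permission is granted only after the document has been destroyed.
    auto document = std::make_shared<Document>();
    CompletionHandler whenGranted = requestMediaKeySystemAccess(document);
    document.reset();
    std::cout << "handler ran on destroyed document: " << whenGranted() << "\n"; // prints 0
    return 0;
}
```

Without the protector in `didReceiveBuffer`, the `reset()` inside `onData` would destroy the `Resource` (and the `std::function` currently executing) before `didReceiveData` returns; without the weak capture, the handler would dereference a dangling pointer once the document is freed.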


  Commit: 09d092667bdce026c9ebd82da6724ac6682a0e58
      https://github.com/WebKit/WebKit/commit/09d092667bdce026c9ebd82da6724ac6682a0e58
  Author: Rose <83477269+AtariDreams at users.noreply.github.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/yarr/RegularExpression.cpp
    M Source/JavaScriptCore/yarr/RegularExpression.h

  Log Message:
  -----------
  Cherry-pick 273319 at main (e657a3449fbf). https://bugs.webkit.org/show_bug.cgi?id=255527

    startFrom parameter should be unsigned
    https://bugs.webkit.org/show_bug.cgi?id=255527

    Reviewed by Alexey Shvayka.

    The value being passed as this argument is always unsigned anyway, and when
    used within the match function itself, it is always being passed to
    another method or function, which takes an unsigned value, not a signed
    one.

    * Source/JavaScriptCore/yarr/RegularExpression.cpp:
    (JSC::Yarr::RegularExpression::match const):
    (JSC::Yarr::replace):
    * Source/JavaScriptCore/yarr/RegularExpression.h:

    Canonical link: https://commits.webkit.org/273319@main


  Commit: c7823840e02d33df4925e8cc8d1405aa75aa3f93
      https://github.com/WebKit/WebKit/commit/c7823840e02d33df4925e8cc8d1405aa75aa3f93
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 266928 at main (56861d23fba2). https://bugs.webkit.org/show_bug.cgi?id=260134

    Remove Quirk shouldAutoplayWebAudioForArbitraryUserGesture for bing.com
    https://bugs.webkit.org/show_bug.cgi?id=260134
    rdar://107430929

    Reviewed by Jer Noble.

    This quirk is not necessary anymore for bing.com.
    The bing voice search is now working while the Site Specific Hacks is
    disabled. Removing the quirk which was added with
    https://bugs.webkit.org/show_bug.cgi?id=213118

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldAutoplayWebAudioForArbitraryUserGesture const):

    Canonical link: https://commits.webkit.org/266928@main


  Commit: 33d9521648f8e52c4cc2107dce00740e46541a23
      https://github.com/WebKit/WebKit/commit/33d9521648f8e52c4cc2107dce00740e46541a23
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 273225 at main (9c0f02f12a3c). https://bugs.webkit.org/show_bug.cgi?id=267741

    sfusd.edu: Trying to load SFUSD School Finder sometimes fails
    https://bugs.webkit.org/show_bug.cgi?id=267741
    rdar://116292738

    Reviewed by Brent Fulgham.

    Trying to load the following link often fails in Safari (and Firefox), but works fine in Chrome:
    https://www.sfusd.edu/schools/enroll/discover/school-finder

    We see the following error in the JS console:
    ```
    [Error] ReferenceError: Can't find variable: google
    	(anonymous function) (js_h2tB6IRXjTJGY_6Kj6g8zvcS1bzOjvsppQOjs7XaUWs.js:12:176)
    ```

    This is caused by the google maps script being marked as async while one of the sync scripts
    tries to access `window.google.maps`.

    Add a quirk to ignore 'async' on scripts on sfusd.edu as a workaround while we reach out
    to the site owners.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldBypassAsyncScriptDeferring const):

    Canonical link: https://commits.webkit.org/273225@main


  Commit: 5e0055e5e50bc14fcf807c5f8b7f1e15fca9f449
      https://github.com/WebKit/WebKit/commit/5e0055e5e50bc14fcf807c5f8b7f1e15fca9f449
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/dom/Document+Fullscreen.idl
    M Source/WebCore/dom/Element+Fullscreen.idl
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Cherry-pick 266757 at main (c8e45de869f8). https://bugs.webkit.org/show_bug.cgi?id=255021

    Remove Quirk shouldDisableElementFullscreenQuirk for nfl.com
    https://bugs.webkit.org/show_bug.cgi?id=255021
    rdar://107633365

    Reviewed by Tim Nguyen.

    This removes the fullscreen quirk for the nfl.com website.
    It was required on iPad so that the controls of the video are
    being displayed. It is not necessary anymore.

    * Source/WebCore/dom/Document+Fullscreen.idl:
    * Source/WebCore/dom/Element+Fullscreen.idl:
    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldDisableElementFullscreenQuirk const): Deleted.
    * Source/WebCore/page/Quirks.h:

    Canonical link: https://commits.webkit.org/266757@main


  Commit: bfd85addcb7ede2908e8287f2b8360e0709391b5
      https://github.com/WebKit/WebKit/commit/bfd85addcb7ede2908e8287f2b8360e0709391b5
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 266774 at main (b890f0fda2ec). https://bugs.webkit.org/show_bug.cgi?id=260015

    Remove Quirk shouldDispatchSimulatedMouseEvents for iqiyi.com
    https://bugs.webkit.org/show_bug.cgi?id=260015
    rdar://108958661

    Reviewed by Brent Fulgham.

    The quirk was introduced to allow interaction with the website on
    first tap. After testing again, the current Quirk has no effect on
    the usability of the site. The controls can be dragged for position
    in the video or the volume of the audio, but they can be changed on
    a simple tap both with/without the Quirk and fullscreen or not.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldDispatchSimulatedMouseEvents const):

    Canonical link: https://commits.webkit.org/266774@main


  Commit: 814a4ad65b947105b088548b40504af6f070ea3c
      https://github.com/WebKit/WebKit/commit/814a4ad65b947105b088548b40504af6f070ea3c
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 266866 at main (a2b298331caf). https://bugs.webkit.org/show_bug.cgi?id=255269

    Remove Quirk shouldDispatchSimulatedMouseEvents for msn.com
    https://bugs.webkit.org/show_bug.cgi?id=255269
    rdar://107844725

    Reviewed by Brent Fulgham.

    After deactivating the Quirk, the videos on msn.com website can be
    scrubbed. The quirk can be removed.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldDispatchSimulatedMouseEvents const):

    Canonical link: https://commits.webkit.org/266866@main


  Commit: 74685d0e6bf263d76e38e8ad1e600c43629133eb
      https://github.com/WebKit/WebKit/commit/74685d0e6bf263d76e38e8ad1e600c43629133eb
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 266898 at main (c6859d32429f). https://bugs.webkit.org/show_bug.cgi?id=260082

    bankofamerica.com - Loading icon still present when navigating back after failing log in
    https://bugs.webkit.org/show_bug.cgi?id=260082
    rdar://104938789

    Reviewed by Brent Fulgham.

    On bankofamerica.com, if you attempt to log in with invalid credentials and then
    navigate back, the "log in" will still be shown as "Loading ...".

    The reason this happens is that the page changes the "Log in" button text to
    "Loading ..." right before the navigation but fails to reset it on "pagehide"
    or "pageshow" event. Safari successfully caches the page in the back/forward
    cache and thus the page still shows "Loading ..." after the back navigation.

    The issue doesn't reproduce in Chrome because they do not cache pages as
    aggressively as we do. In particular, they do not cache pages that have an
    "unload" event handler, like this page. Safari has been caching such pages
    for years.

    Since this is a content issue that could easily be addressed by the site
    developers, I am addressing this with a quirk. If we detect this particular
    "sign in" button with the "loading" class on bankofamerica.com, and if the
    page has an "unload" event handler, we now prevent the page from going into
    the cache.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldBypassBackForwardCache const):

    Canonical link: https://commits.webkit.org/266898@main


  Commit: 44c6967b3bda55d50cd4ac80550f75637e0a7caa
      https://github.com/WebKit/WebKit/commit/44c6967b3bda55d50cd4ac80550f75637e0a7caa
  Author: Philippe Normand <philn at igalia.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/mediastream/gstreamer/MockRealtimeAudioSourceGStreamer.cpp

  Log Message:
  -----------
  Cherry-pick 273214 at main (6f5ada25d26e). https://bugs.webkit.org/show_bug.cgi?id=267627

    REGRESSION(272776 at main): [GStreamer][Debug] ASSERTION FAILED: m_streamFormat in MockRealtimeAudioSourceGStreamer::render()
    https://bugs.webkit.org/show_bug.cgi?id=267627

    Reviewed by Xabier Rodriguez-Calvar.

    Prevent an ASSERT in the mock audio source that would happen if the source is stopped while
    rendering.

    * Source/WebCore/platform/mediastream/gstreamer/MockRealtimeAudioSourceGStreamer.cpp:
    (WebCore::MockRealtimeAudioSourceGStreamer::render):

    Canonical link: https://commits.webkit.org/273214@main


  Commit: f2926938a16fc4862c34d4a850b3d6d7d990c36e
      https://github.com/WebKit/WebKit/commit/f2926938a16fc4862c34d4a850b3d6d7d990c36e
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 266915 at main (de8fac440282). https://bugs.webkit.org/show_bug.cgi?id=220105

    Remove Quirk isStorageAccessQuirkDomainAndElement for outlook.live.com (skype)
    https://bugs.webkit.org/show_bug.cgi?id=220105
    rdar://72728508

    Reviewed by Brent Fulgham.

    With Site Specific Hacks disabled, the process to log in to Skype from
    outlook.live.com is working. They seem to have fixed it. Also, the
    class names being very specific, the quirk has probably not survived a
    couple of redesigns. We can remove it.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::isStorageAccessQuirkDomainAndElement):

    Canonical link: https://commits.webkit.org/266915@main


  Commit: 0360e2e9088641e6ae5f13fa60899f397f959bd0
      https://github.com/WebKit/WebKit/commit/0360e2e9088641e6ae5f13fa60899f397f959bd0
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Cherry-pick 266925 at main (44e22d905dd0). https://bugs.webkit.org/show_bug.cgi?id=254638

    Remove Quirk shouldAdvertiseSupportForHLSSubtitleTypes on hulu.com
    https://bugs.webkit.org/show_bug.cgi?id=254638
    rdar://107347115

    Reviewed by Brent Fulgham.

    Enabling/disabling the Quirk doesn't change the behavior of hulu.com.
    The site plays videos normally. In the current circumstances the Quirk
    seems not to be necessary anymore. It might be the result of the changes made in
    rdar://110588102 too.

    * Source/WebCore/html/HTMLMediaElement.cpp:
    (WebCore::HTMLMediaElement::canPlayType const):
    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldAdvertiseSupportForHLSSubtitleTypes const): Deleted.
    * Source/WebCore/page/Quirks.h:

    Canonical link: https://commits.webkit.org/266925@main


  Commit: 54bce49bc21e8311360a50f09c55781d66ba47cf
      https://github.com/WebKit/WebKit/commit/54bce49bc21e8311360a50f09c55781d66ba47cf
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/html/FeaturePolicy.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Cherry-pick 267266 at main (54bc44e65517). https://bugs.webkit.org/show_bug.cgi?id=260656

    jsfiddles cannot get access to feature policy gated features like camera
    https://bugs.webkit.org/show_bug.cgi?id=260656
    rdar://114378082

    Reviewed by Eric Carlson and Chris Dumez.

    https://commits.webkit.org/265641@main tightened feature policy parsing and aligned it with spec.
    This was known to not work for some websites, like jsfiddle.
    Add a temporary quirk to fix jsfiddle.
    Manually tested.

    * Source/WebCore/html/FeaturePolicy.cpp:
    (WebCore::updateList):
    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldStarBeFeaturePolicyDefaultValue const):
    * Source/WebCore/page/Quirks.h:

    Canonical link: https://commits.webkit.org/267266@main


  Commit: 8a04ee8d817c08697c44e2b3ed48edc5767f9b4e
      https://github.com/WebKit/WebKit/commit/8a04ee8d817c08697c44e2b3ed48edc5767f9b4e
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp

  Log Message:
  -----------
  Cherry-pick 267288 at main (2ec1a7e6b1ca). https://bugs.webkit.org/show_bug.cgi?id=260695

    Simplify Quirks for shouldSuppressAutocorrectionAndAutocapitalizationInHiddenEditableAreas
    https://bugs.webkit.org/show_bug.cgi?id=260695
    rdar://49864669

    Reviewed by Wenson Hsieh.

    Refactor the two functions a bit into one function.
    Also add a reference to a bug with steps to reproduce to remove later.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldSuppressAutocorrectionAndAutocapitalizationInHiddenEditableAreas const):
    (WebCore::shouldSuppressAutocorrectionAndAutocapitalizationInHiddenEditableAreasForHost): Deleted.

    Canonical link: https://commits.webkit.org/267288@main


  Commit: e740370141e85093b0fbedf5afdc43960508f278
      https://github.com/WebKit/WebKit/commit/e740370141e85093b0fbedf5afdc43960508f278
  Author: Karl Dubost <karlcow at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Cherry-pick 267907 at main (2d5d6f169a10). https://bugs.webkit.org/show_bug.cgi?id=260938

    Create a helper for targeting domain names in Quirks.cpp
    https://bugs.webkit.org/show_bug.cgi?id=260938
    rdar://114737751

    Reviewed by Timothy Hatcher.

    Adds the helper isDomain() to give more regularity to the code and have
    a uniform way of testing the domain name. There is probably more to do
    to be able to address the other cases.

    This also uses this new helper to convert the current domain matchings.

    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::isDomain const):
    (WebCore::Quirks::needsFormControlToBeMouseFocusable const):
    (WebCore::Quirks::needsSeekingSupportDisabled const):
    (WebCore::Quirks::needsPerDocumentAutoplayBehavior const):
    (WebCore::Quirks::shouldAutoplayWebAudioForArbitraryUserGesture const):
    (WebCore::Quirks::hasBrokenEncryptedMediaAPISupportQuirk const):
    (WebCore::Quirks::shouldDisableContentChangeObserver const):
    (WebCore::Quirks::shouldDisableContentChangeObserverTouchEventAdjustment const):
    (WebCore::Quirks::shouldTooltipPreventFromProceedingWithClick const):
    (WebCore::Quirks::isNeverRichlyEditableForTouchBar const):
    (WebCore::Quirks::shouldDispatchSyntheticMouseEventsWhenModifyingSelection const):
    (WebCore::Quirks::shouldDispatchSimulatedMouseEvents const):
    (WebCore::Quirks::shouldDispatchedSimulatedMouseEventsAssumeDefaultPrevented const):
    (WebCore::Quirks::simulatedMouseEventTypeForTarget const):
    (WebCore::Quirks::shouldPreventPointerMediaQueryFromEvaluatingToCoarse const):
    (WebCore::Quirks::shouldPreventDispatchOfTouchEvent const): Deleted.
    (WebCore::Quirks::shouldSynthesizeTouchEvents const): Deleted.
    (WebCore::Quirks::shouldAvoidResizingWhenInputViewBoundsChange const): Deleted.
    (WebCore::Quirks::shouldDisablePointerEventsQuirk const): Deleted.
    (WebCore::Quirks::needsDeferKeyDownAndKeyPressTimersUntilNextEditingCommand const): Deleted.
    (WebCore::Quirks::needsGMailOverflowScrollQuirk const): Deleted.
    (WebCore::Quirks::needsYouTubeOverflowScrollQuirk const): Deleted.
    (WebCore::Quirks::needsFullscreenDisplayNoneQuirk const): Deleted.
    (WebCore::Quirks::needsWeChatScrollingQuirk const): Deleted.
    (WebCore::Quirks::shouldOmitHTMLDocumentSupportedPropertyNames): Deleted.
    (WebCore::Quirks::shouldSilenceResizeObservers const): Deleted.
    (WebCore::Quirks::shouldSilenceWindowResizeEvents const): Deleted.
    (WebCore::Quirks::shouldSilenceMediaQueryListChangeEvents const): Deleted.
    (WebCore::Quirks::shouldAvoidScrollingWhenFocusedContentIsVisible const): Deleted.
    (WebCore::Quirks::shouldUseLegacySelectPopoverDismissalBehaviorInDataActivation const): Deleted.
    (WebCore::Quirks::shouldIgnoreAriaForFastPathContentObservationCheck const): Deleted.
    (WebCore::isWikipediaDomain): Deleted.
    (WebCore::Quirks::shouldIgnoreViewportArgumentsToAvoidExcessiveZoom const): Deleted.
    (WebCore::Quirks::shouldOpenAsAboutBlank const): Deleted.
    (WebCore::Quirks::needsPreloadAutoQuirk const): Deleted.
    (WebCore::Quirks::shouldBypassBackForwardCache const): Deleted.
    (WebCore::Quirks::shouldBypassAsyncScriptDeferring const): Deleted.
    (WebCore::Quirks::shouldMakeEventListenerPassive): Deleted.
    (WebCore::Quirks::shouldEnableLegacyGetUserMediaQuirk const): Deleted.
    (WebCore::Quirks::needsCanPlayAfterSeekedQuirk const): Deleted.
    (WebCore::Quirks::shouldLayOutAtMinimumWindowWidthWhenIgnoringScalingConstraints const): Deleted.
    (WebCore::Quirks::shouldAvoidPastingImagesAsWebContent const): Deleted.
    (WebCore::isKinjaLoginAvatarElement): Deleted.
    (WebCore::Quirks::isMicrosoftTeamsRedirectURL): Deleted.
    (WebCore::isStorageAccessQuirkDomainAndElement): Deleted.
    (WebCore::Quirks::hasStorageAccessForAllLoginDomains): Deleted.
    (WebCore::Quirks::staticRadioPlayerURLString): Deleted.
    (WebCore::Quirks::requestStorageAccessAndHandleClick const): Deleted.
    (WebCore::Quirks::triggerOptionalStorageAccessQuirk const): Deleted.
    (WebCore::Quirks::needsVP9FullRangeFlagQuirk const): Deleted.
    (WebCore::Quirks::requiresUserGestureToPauseInPictureInPicture const): Deleted.
    (WebCore::Quirks::requiresUserGestureToLoadInPictureInPicture const): Deleted.
    (WebCore::Quirks::blocksReturnToFullscreenFromPictureInPictureQuirk const): Deleted.
    (WebCore::Quirks::blocksEnteringStandardFullscreenFromPictureInPictureQuirk const): Deleted.
    (WebCore::Quirks::shouldDisableEndFullscreenEventWhenEnteringPictureInPictureFromFullscreenQuirk const): Deleted.
    (WebCore::Quirks::shouldDelayFullscreenEventWhenExitingPictureInPictureQuirk const): Deleted.
    (WebCore::Quirks::shouldAllowNavigationToCustomProtocolWithoutUserGesture): Deleted.
    (WebCore::Quirks::allowLayeredFullscreenVideos const): Deleted.
    (WebCore::Quirks::shouldEnableApplicationCacheQuirk const): Deleted.
    (WebCore::Quirks::shouldEnableFontLoadingAPIQuirk const): Deleted.
    (WebCore::Quirks::needsVideoShouldMaintainAspectRatioQuirk const): Deleted.
    (WebCore::Quirks::shouldExposeShowModalDialog const): Deleted.
    (WebCore::Quirks::shouldNavigatorPluginsBeEmpty const): Deleted.
    (WebCore::Quirks::shouldDisableLazyIframeLoadingQuirk const): Deleted.
    (WebCore::Quirks::shouldDisableFetchMetadata const): Deleted.
    (WebCore::Quirks::shouldDisablePushStateFilePathRestrictions const): Deleted.
    (WebCore::Quirks::shouldDisablePopoverAttributeQuirk const): Deleted.
    (WebCore::Quirks::needsConfigurableIndexedPropertiesQuirk const): Deleted.
    (WebCore::Quirks::shouldEnableCanvas2DAdvancedPrivacyProtectionQuirk const): Deleted.
    (WebCore::Quirks::advancedPrivacyProtectionSubstituteDataURLForText const): Deleted.
    (WebCore::Quirks::needsResettingTransitionCancelsRunningTransitionQuirk const): Deleted.
    (WebCore::Quirks::shouldStarBeFeaturePolicyDefaultValue const): Deleted.
    * Source/WebCore/page/Quirks.h:

    Canonical link: https://commits.webkit.org/267907@main


  Commit: cf330016d67a74595e78d2716e9897de9e5d0291
      https://github.com/WebKit/WebKit/commit/cf330016d67a74595e78d2716e9897de9e5d0291
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2024-01-23 (Tue, 23 Jan 2024)

  Changed paths:
    M Source/WebCore/html/HTMLAnchorElement.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Cherry-pick 273247 at main (ff42f7668146). https://bugs.webkit.org/show_bug.cgi?id=267779

    Cannot pick US state in dropdown on vote.gov
    https://bugs.webkit.org/show_bug.cgi?id=267779
    rdar://121240580

    Reviewed by Wenson Hsieh.

    vote.gov uses a custom state selection dropdown, which is a `<div>` containing
    multiple anchor elements. Display of the dropdown is tied to focusing the associated
    input element. When the "focusout" event is observed, the dropdown is hidden.

    However, since the "focusout" event is observed prior to the "click" event, the site
    compares the "focusout" event's `currentTarget` and `relatedTarget`. If the
    `relatedTarget` is the anchor element, the logic ends up suppressing hiding the
    dropdown, ensuring the "click" is dispatched on the right element.

    For `focusout` events, the `relatedTarget` should be the element that gains
    focus. In WebKit, `relatedTarget` is null in this scenario, as anchor elements
    are not mouse focusable, following Cocoa platform convention.

    Fix by adding a quirk to make anchor elements mouse focusable.

    * Source/WebCore/html/HTMLAnchorElement.cpp:
    (WebCore::HTMLAnchorElement::isMouseFocusable const):
    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::needsAnchorElementsToBeMouseFocusable const):
    * Source/WebCore/page/Quirks.h:

    Canonical link: https://commits.webkit.org/273247@main
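The focusout/relatedTarget interplay described in this commit, as an added example that is not WebKit's or vote.gov's code: a minimal model of a dropdown whose focusout handler keeps it open only when focus moves to one of its own anchors, run once with relatedTarget null (anchors not mouse focusable) and once with relatedTarget set to the anchor (the quirk). Node names, the option list and the handler are constructed for illustration.

```javascript
// Constructed stand-ins for DOM nodes; `contains` mimics Node.contains on a flat tree.
function makeDropdown(optionNames) {
  const dropdown = { hidden: false, options: [] };
  dropdown.options = optionNames.map((name) => ({ name, parent: dropdown }));
  dropdown.contains = (node) => node != null && node.parent === dropdown;
  return dropdown;
}

// The site's focusout logic as the commit message describes it: hide the dropdown
// unless focus is moving to an anchor inside it (event.relatedTarget is that anchor),
// so that the pending "click" still lands on a visible option.
function onFocusOut(dropdown, event) {
  if (dropdown.contains(event.relatedTarget)) return;
  dropdown.hidden = true;
}

// Simulates the user pressing on an option: "focusout" on the input is dispatched
// before "click" reaches the option. anchorsMouseFocusable=false models the
// pre-fix WebKit behaviour (relatedTarget null); true models the quirk.
// Returns the dropdown state and which option, if any, received the click.
function simulateSelection(optionName, anchorsMouseFocusable) {
  const dropdown = makeDropdown(['Alabama', 'Alaska', 'Arizona']); // constructed sample
  const option = dropdown.options.find((o) => o.name === optionName);
  const focusout = {
    type: 'focusout',
    relatedTarget: anchorsMouseFocusable ? option : null,
  };
  onFocusOut(dropdown, focusout);
  // A click is only delivered to the option while the dropdown is still displayed.
  const selected = dropdown.hidden ? null : option.name;
  return { hidden: dropdown.hidden, selected };
}

// Stand-alone run: the first call reproduces the bug, the second the fixed behaviour.
console.log(simulateSelection('Alaska', false)); // { hidden: true, selected: null }
console.log(simulateSelection('Alaska', true));  // { hidden: false, selected: 'Alaska' }
```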


Compare: https://github.com/WebKit/WebKit/compare/6247bb871b43...cf330016d67a

