[webkit-changes] [WebKit/WebKit] a615ee: Cherry-pick 271942 at main (31a74b0f44c2). https://bu...
Aditya Keerthi
noreply at github.com
Tue Jan 23 07:46:30 PST 2024
Branch: refs/heads/webkitglib/2.42
Home: https://github.com/WebKit/WebKit
Commit: a615eea726cdbbc553375961be0fa5ab9b207291
https://github.com/WebKit/WebKit/commit/a615eea726cdbbc553375961be0fa5ab9b207291
Author: Vitaly Dyachkov <vitaly at igalia.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/WebCore/accessibility/AXObjectCache.cpp
Log Message:
-----------
Cherry-pick 271942 at main (31a74b0f44c2). https://bugs.webkit.org/show_bug.cgi?id=266067
[GTK][Debug] `accessibility/aria-combobox-control-owns-elements.html` is a constant crash
https://bugs.webkit.org/show_bug.cgi?id=266067
Reviewed by Tyler Wilcock.
In `AXObjectCache::getOrCreate(Node*, IsRelationTarget)`, we might
update relations while evaluating `isDescendantOfRelationTarget(*node)`.
If the node has relation attributes, associated `AccessibilityObject`
will be created and cached. In this case, we must return the cached object.
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::getOrCreate):
Canonical link: https://commits.webkit.org/271942@main
Commit: 2fea3c3decb7c318de82d3c63eb26834c84f8372
https://github.com/WebKit/WebKit/commit/2fea3c3decb7c318de82d3c63eb26834c84f8372
Author: Elliott Williams <emw at apple.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/JavaScriptCore/offlineasm/generate_offset_extractor.rb
M Source/JavaScriptCore/offlineasm/generate_settings_extractor.rb
Log Message:
-----------
Cherry-pick 271640 at main (97b3a2dd3db7). https://bugs.webkit.org/show_bug.cgi?id=265729
[offlineasm] Incremental build failure when generator is interrupted
https://bugs.webkit.org/show_bug.cgi?id=265729
rdar://119079705
Reviewed by Alexey Proskuryakov.
offlineasm writes headers non-atomically, so if the script is
interrupted due to a build failure in a parallel task, it leaves a
partially-written header. The build system can't tell that this header
is incomplete, so its presence breaks subsequent rebuilds.
Fix by writing to a temporary file in the same directory (or
TARGET_TEMP_DIR in Xcode), and `rename`-ing once generation is complete.
* Source/JavaScriptCore/offlineasm/generate_offset_extractor.rb:
* Source/JavaScriptCore/offlineasm/generate_settings_extractor.rb:
Canonical link: https://commits.webkit.org/271640@main
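The race described in the commit above, as an added example; this is not WebKit's offlineasm code, and the file names, the GeneratorInterrupted class and the fake header contents are constructed for the demonstration. It contrasts writing the generated header in place (what left a truncated header behind) with writing to a temporary file in the destination's directory and renaming it over the target once generation finishes:

```ruby
# Added example, not WebKit's offlineasm code. Contrasts an in-place header
# write with a temp-file-plus-rename write when the generator is interrupted.
require "tmpdir"

class GeneratorInterrupted < StandardError; end

# Constructed sample of what a generated header might contain.
HEADER_LINES = (1..5).map { |i| "#define OFFSET_#{i} #{i * 8}" }.freeze

# The pre-fix behaviour: open the destination directly, so an interruption
# leaves a truncated file that looks like a finished output to the build.
def naive_write(path)
  File.open(path, "w") { |f| yield f }
  path
end

# Write to a uniquely named temp file in temp_dir (defaulting to the
# destination's own directory so the rename cannot cross filesystems),
# fsync it, then rename it over the destination in one step. Readers see
# either the old file or the complete new one, never a partial write.
def atomic_write(path, temp_dir: File.dirname(path))
  tmp_path = File.join(temp_dir, ".#{File.basename(path)}.#{Process.pid}.#{rand(1 << 32)}.tmp")
  File.open(tmp_path, File::WRONLY | File::CREAT | File::EXCL, 0o644) do |f|
    yield f
    f.flush
    f.fsync
  end
  File.rename(tmp_path, path)
  path
ensure
  # Any failure before the rename leaves only the temp file; remove it so
  # nothing stale accumulates in the build directory.
  File.unlink(tmp_path) if tmp_path && File.exist?(tmp_path)
end

# Runs a fake generator through +writer+ (a Method object for one of the
# two writers above). When fail_after is set, the generator is interrupted
# after that many lines, simulating a build killed mid-way.
def generate(writer, path, fail_after: nil)
  writer.call(path) do |f|
    HEADER_LINES.each_with_index do |line, i|
      raise GeneratorInterrupted, "simulated interruption" if fail_after && i == fail_after
      f.puts line
    end
  end
  :complete
rescue GeneratorInterrupted
  :interrupted
end

# Interrupt both writers after two lines and report what the build
# directory looks like afterwards.
def compare_writers(dir)
  naive_out  = File.join(dir, "naive_offsets.h")
  atomic_out = File.join(dir, "atomic_offsets.h")
  generate(method(:naive_write),  naive_out,  fail_after: 2)
  generate(method(:atomic_write), atomic_out, fail_after: 2)
  {
    naive_exists: File.exist?(naive_out),
    naive_lines: File.exist?(naive_out) ? File.readlines(naive_out).size : 0,
    atomic_exists: File.exist?(atomic_out),
    stray_temp_files: Dir.children(dir).count { |n| n.end_with?(".tmp") },
  }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    p compare_writers(dir)
    # A run that is not interrupted produces the complete header.
    full = File.join(dir, "full_offsets.h")
    p generate(method(:atomic_write), full)
    p File.readlines(full).size
  end
end
```

The interrupted naive run leaves a two-line header on disk, which a timestamp-based build system will treat as up to date; the interrupted atomic run leaves no output file and no temp file, so the next build regenerates it. The temp file must live on the same filesystem as the destination for rename(2) to be atomic, which is why the default temp_dir is the destination's directory.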
Commit: a5a3b71329aa10f7e1c31c0c48135702e026261e
https://github.com/WebKit/WebKit/commit/a5a3b71329aa10f7e1c31c0c48135702e026261e
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
M Source/JavaScriptCore/b3/testb3.h
M Source/JavaScriptCore/b3/testb3_1.cpp
M Source/JavaScriptCore/b3/testb3_7.cpp
Log Message:
-----------
Cherry-pick 271580 at main (ab0808f76fdb). https://bugs.webkit.org/show_bug.cgi?id=265730
Fix nullptr deref in B3::ReduceStrength's handling of Trunc for double constants.
https://bugs.webkit.org/show_bug.cgi?id=265730
rdar://116459635
Reviewed by Yusuke Suzuki.
We cannot run asInt64() on a ConstDoubleValue. This patch fixes this by handling
ConstDoubleValue separately and running asDouble() on it instead.
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp:
Canonical link: https://commits.webkit.org/271580@main
Commit: 766e782517d4e6d0015a24f16a382da6a1c2bcc0
https://github.com/WebKit/WebKit/commit/766e782517d4e6d0015a24f16a382da6a1c2bcc0
Author: Jacek Piszczek <jacadcaps at runbox.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/JavaScriptCore/runtime/UGPRPair.h
Log Message:
-----------
Cherry-pick 271440 at main (5d40427dff12). https://bugs.webkit.org/show_bug.cgi?id=265342
Fixed UGPRPair for big endian cpus
https://bugs.webkit.org/show_bug.cgi?id=265342
Reviewed by Yusuke Suzuki.
Fixes up the order in which the registers are packed into a UGPRPair on CPU(BIG_ENDIAN).
* Source/JavaScriptCore/runtime/UGPRPair.h:
(JSC::makeUGPRPair):
Canonical link: https://commits.webkit.org/271440@main
Commit: 96e017a6c83991b7a32fabb672972ee2a10edb15
https://github.com/WebKit/WebKit/commit/96e017a6c83991b7a32fabb672972ee2a10edb15
Author: Michael Catanzaro <mcatanzaro at redhat.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/WebCore/platform/network/soup/SoupNetworkSession.cpp
M Source/WebKit/UIProcess/API/glib/WebKitNetworkSession.cpp
M Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
Log Message:
-----------
Cherry-pick 271013 at main (bcd2223c9362). https://bugs.webkit.org/show_bug.cgi?id=195908
[SOUP] webkit_web_context_allow_tls_certificate_for_host() fails for IPv6 URIs produced by SoupURI
https://bugs.webkit.org/show_bug.cgi?id=195908
Reviewed by Carlos Garcia Campos.
Nowadays SoupURI has been replaced by GUri, but the underlying problem
remains: IPv6 addresses in URLs have to be surrounded by [] brackets,
and WTF::URL considers these brackets to be part of the host component,
but SoupURI and GUri do not. Alas!
Let's also clarify expected usage of the API. It might be even better to
accept input in both forms and normalize it, but GUri documents that the
brackets are not part of the host, so probably fine for us to do so too.
Finally, note this is a little awkward to test, so I have omitted tests.
We could change WebKitTestServer::run to allow selecting IPV6 and then
run all of TestSSL again twice, and skip them if IPv6 is not enabled. I
was a little tempted to attempt this, but decided I'm lazy and would
rather not spend time on it. This is already an edge case and it's not
the end of the world if it breaks again in the future.
* Source/WebCore/platform/network/soup/SoupNetworkSession.cpp:
(WebCore::hostForComparison):
(WebCore::SoupNetworkSession::checkTLSErrors):
* Source/WebKit/UIProcess/API/glib/WebKitNetworkSession.cpp:
* Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp:
Canonical link: https://commits.webkit.org/271013@main
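The bracket mismatch from the commit above, as an added example that is not WebKit's code: a per-host TLS certificate allowance keyed on the raw host string never matches an IPv6 literal when one side keeps the [] and the other strips them. host_for_comparison, build_allowances, certificate_allowed? and compare_lookups are hypothetical names, and the URL and allow-list are constructed. Ruby's URI conveniently mirrors both conventions (URI#host keeps the brackets like WTF::URL, URI#hostname strips them like GUri), so the example goes slightly beyond the commit by also folding case and expanded IPv6 spellings onto one key.

```ruby
# Added example, not WebKit's code. Normalizes host spellings before a
# per-host certificate allowance lookup so "[::1]" and "::1" compare equal.
require "uri"
require "ipaddr"
require "set"

# Canonical host key: lowercase, enclosing [] removed, and IP literals
# parsed so that "[0:0:0:0:0:0:0:1]", "[::1]" and "::1" all map to "::1".
# Returns nil for empty or malformed input so callers cannot match on it.
def host_for_comparison(host)
  return nil if host.nil?
  h = host.strip.downcase
  return nil if h.empty?
  if h.start_with?("[")
    return nil unless h.end_with?("]")
    h = h[1..-2]
  end
  begin
    IPAddr.new(h).to_s   # compressed textual form for IPv4/IPv6 literals
  rescue IPAddr::InvalidAddressError
    h                    # a DNS name: keep it as-is (already lowercased)
  end
end

# Allow-list of canonical keys, built once from whatever spelling the
# embedding application used when it called the allowance API.
def build_allowances(hosts)
  hosts.map { |h| host_for_comparison(h) }.compact.to_set
end

def certificate_allowed?(allowances, host)
  key = host_for_comparison(host)
  !key.nil? && allowances.include?(key)
end

# Compare a raw-string lookup against the normalized lookup for one URL.
# URI#host keeps the brackets (WTF::URL style); URI#hostname strips them
# (GUri style). Only the normalized path matches from both sides.
def compare_lookups(url_string, allowed_hosts)
  url = URI.parse(url_string)
  allowances = build_allowances(allowed_hosts)
  {
    bracketed: url.host,
    bare: url.hostname,
    raw_string_match: allowed_hosts.include?(url.hostname),
    normalized_match: certificate_allowed?(allowances, url.host) &&
                      certificate_allowed?(allowances, url.hostname),
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the application allowed "[::1]" (bracketed, as the
  # WTF::URL side would produce it) and the network layer looks up "::1".
  p compare_lookups("https://[::1]:8443/", ["[::1]", "trusted.example"])
end
```

Rejecting malformed input (an opening bracket without its close) with nil rather than a best-effort string matters here: an allowance lookup that silently accepts a mangled key is exactly the kind of comparison that ends up matching the wrong host.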
Commit: 6eb578ba1c7bcbee4073a666ca4681a7be249c77
https://github.com/WebKit/WebKit/commit/6eb578ba1c7bcbee4073a666ca4681a7be249c77
Author: Olivier Blin <olivier.blin at softathome.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/WTF/wtf/linux/RealTimeThreads.cpp
Log Message:
-----------
Cherry-pick 270841 at main (ffd338d9906b). https://bugs.webkit.org/show_bug.cgi?id=264940
[GTK][WPE] Fix Real-time Linux warning when RLIMIT_RTTIME is not defined
https://bugs.webkit.org/show_bug.cgi?id=264940
Reviewed by Michael Catanzaro.
* Source/WTF/wtf/linux/RealTimeThreads.cpp:
realTimeKitGetProperty() is unused when RLIMIT_RTTIME is not defined.
Canonical link: https://commits.webkit.org/270841@main
Commit: 1b743d0da670137daa34fcf3cd96fc34d255dd8f
https://github.com/WebKit/WebKit/commit/1b743d0da670137daa34fcf3cd96fc34d255dd8f
Author: Olivier Blin <olivier.blin at softathome.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/WebCore/platform/GStreamer.cmake
Log Message:
-----------
Cherry-pick 270842 at main (85e79c913425). https://bugs.webkit.org/show_bug.cgi?id=264878
[GStreamer] Fix applying video decoder limit in unified build
https://bugs.webkit.org/show_bug.cgi?id=264878
Reviewed by Michael Catanzaro.
* Source/WebCore/platform/SourcesGStreamer.txt:
If GStreamerRegistryScanner.cpp is built in unified files, the local
COMPILE_DEFINITIONS are not applied, so VIDEO_DECODING_LIMIT is
ineffective. Apply the definitions to the whole WebCore instead.
Canonical link: https://commits.webkit.org/270842@main
Commit: 9dacb7123102d5bac8366a162eba223d5d9ff1c5
https://github.com/WebKit/WebKit/commit/9dacb7123102d5bac8366a162eba223d5d9ff1c5
Author: Vitaly Dyachkov <vitaly at igalia.com>
Date: 2023-12-16 (Sat, 16 Dec 2023)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
Log Message:
-----------
Cherry-pick 270836 at main (131ac6d0af06). https://bugs.webkit.org/show_bug.cgi?id=180693
[GLIB] ASSERTION FAILED: response.httpStatusCode() < 300 || response.httpStatusCode() >= 400 || response.httpStatusCode() == 304 || !response.httpHeaderField(HTTPHeaderName::Location) running imported/w3c/web-platform-tests/cors/preflight-failure.htm
https://bugs.webkit.org/show_bug.cgi?id=180693
Reviewed by Carlos Garcia Campos.
Normally, we process redirect responses in
`ResourceLoader::willSendRequestInternal()`. Exceptions are the
redirections with no or empty "Location" header.
In that scenario, we handle the redirect response in
`SubresourceLoader::didReceiveResponse()` where we assert that this is
actually the case.
The assertion uses `String::operator!()` which returns true only if
the String is null but not empty.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didReceiveResponse):
Canonical link: https://commits.webkit.org/270836@main
Commit: 5b87ea9411250ba67e6b2f8f9e4191f3ae3881de
https://github.com/WebKit/WebKit/commit/5b87ea9411250ba67e6b2f8f9e4191f3ae3881de
Author: Yury Semikhatsky <yurys at chromium.org>
Date: 2023-12-18 (Mon, 18 Dec 2023)
Changed paths:
M Source/WebKit/UIProcess/API/wpe/WPEView.cpp
Log Message:
-----------
Cherry-pick 270493 at main (7d464f717df9). https://bugs.webkit.org/show_bug.cgi?id=264360
[WPE] frameDisplayed may be called after View has been deleted
https://bugs.webkit.org/show_bug.cgi?id=264360
Reviewed by Michael Catanzaro.
WKWPE::View is set as a client to wpe_view_backend in the view's
constructor. Since the backend may live longer than the view,
we clear the client in the view destructor to avoid a use
after free similar to the one mentioned in the bug.
* Source/WebKit/UIProcess/API/wpe/WPEView.cpp:
(WKWPE::View::~View):
Canonical link: https://commits.webkit.org/270493@main
Commit: 211b9254410c761ee0261496e2be06bb624ede39
https://github.com/WebKit/WebKit/commit/211b9254410c761ee0261496e2be06bb624ede39
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-12-19 (Tue, 19 Dec 2023)
Changed paths:
M JSTests/stress/regexp-lookbehind.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 272039 at main (f59e18069da6). https://bugs.webkit.org/show_bug.cgi?id=266373
[JSC] Assertion in JSC::Yarr::Interpreter<unsigned char>::InputStream::uncheckInput called from backtrackPatternCasedCharacter
https://bugs.webkit.org/show_bug.cgi?id=266373
rdar://119187095
Reviewed by Justin Michaud.
When backtracking a lookbehind atom to its starting position we need to set the input pointer to the starting position.
All other character based atoms had this right, except backtrackPatternCasedCharacter().
* JSTests/stress/regexp-lookbehind.js: Added a new test case.
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
Canonical link: https://commits.webkit.org/272039@main
Commit: a842d7eb30244855f778c0e400a59c4d18bd5fce
https://github.com/WebKit/WebKit/commit/a842d7eb30244855f778c0e400a59c4d18bd5fce
Author: Diego Pino Garcia <dpino at igalia.com>
Date: 2024-01-09 (Tue, 09 Jan 2024)
Changed paths:
M Source/WebCore/platform/glib/LowPowerModeNotifierGLib.cpp
Log Message:
-----------
Cherry-pick 272745 at main (652de27dad29). https://bugs.webkit.org/show_bug.cgi?id=266461
[GCC] Build fix for Debian 11 ARM64 after 272121 at main
https://bugs.webkit.org/show_bug.cgi?id=266461
Reviewed by Michael Catanzaro.
* Source/JavaScriptCore/assembler/ARM64Assembler.h: Remove 'constexpr'
keyword in conditional comparison.
* Source/WebCore/platform/glib/LowPowerModeNotifierGLib.cpp:
(WebCore::LowPowerModeNotifier::LowPowerModeNotifier): Mark argument as
UNUSED.
Canonical link: https://commits.webkit.org/272745@main
Commit: 5895d5715ec206110c1a0f4f64c987fccbd7d6bb
https://github.com/WebKit/WebKit/commit/5895d5715ec206110c1a0f4f64c987fccbd7d6bb
Author: Diego Pino Garcia <dpino at igalia.com>
Date: 2024-01-09 (Tue, 09 Jan 2024)
Changed paths:
A LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle-expected.html
A LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle.html
M Source/WebCore/platform/graphics/cairo/GradientCairo.cpp
Log Message:
-----------
Cherry-pick 272730 at main (814c148a788c). https://bugs.webkit.org/show_bug.cgi?id=266160
[cairo] freeze under WebCore::Cairo::fillRect at https://dev.orthologiq.net/
https://bugs.webkit.org/show_bug.cgi?id=266160
Reviewed by Fujii Hironori.
Stops with offset zero before last one must be ignored.
* LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle-expected.html: Added.
* LayoutTests/fast/gradients/conic-stop-with-offset-zero-in-middle.html: Added.
* LayoutTests/platform/mac/TestExpectations: Mark new test as ImageOnlyFailure.
* Source/WebCore/platform/graphics/cairo/GradientCairo.cpp:
(WebCore::createConic):
Canonical link: https://commits.webkit.org/272730@main
Commit: 33bbbf32852df5696fc7706378ff9119159ee9f6
https://github.com/WebKit/WebKit/commit/33bbbf32852df5696fc7706378ff9119159ee9f6
Author: Patrick Griffis <pgriffis at igalia.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
Log Message:
-----------
Cherry-pick 273334 at main (b9361c774194). https://bugs.webkit.org/show_bug.cgi?id=238403
[GLib] Write bwrapinfo.json to disk for xdg-desktop-portal
https://bugs.webkit.org/show_bug.cgi?id=238403
Reviewed by Michael Catanzaro.
The Realtime portal in xdg-desktop-portal reads bwrapinfo.json
to get the child pid.
* Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
(WebKit::createBwrapInfo):
(WebKit::createFlatpakInfo):
(WebKit::bubblewrapSpawn):
Canonical link: https://commits.webkit.org/273334@main
Commit: 0765e4cd6c2e2b36f8b61174e6017fe88f74a4cd
https://github.com/WebKit/WebKit/commit/0765e4cd6c2e2b36f8b61174e6017fe88f74a4cd
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp
Log Message:
-----------
Cherry-pick 267815.569 at safari-7617-branch (5ebdf97c0a26). rdar://118039950
Use-after-free in processResponse in ServiceWorkerFetch.cpp
rdar://118039950
Reviewed by Chris Dumez.
Cancelling the stream can trigger GC when creating the DOMException JS wrapper.
This might collect the FetchResponse object.
To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.
* Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::processResponse):
Canonical link: https://commits.webkit.org/267815.569@safari-7617-branch
Commit: 3fb6b3ec465bf922f8bd7a5fb6eac741821078da
https://github.com/WebKit/WebKit/commit/3fb6b3ec465bf922f8bd7a5fb6eac741821078da
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/ipc/argumentParser.js
A LayoutTests/ipc/fuzz_tools.js
A LayoutTests/ipc/media-player-invalid-test-expected.txt
A LayoutTests/ipc/media-player-invalid-test.html
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp
M Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h
M Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp
Log Message:
-----------
Cherry-pick 267815.570 at safari-7617-branch (fc6f62059d44). rdar://115982856
[CoreIPC] heap-use-after-free in WebCore::MockMediaSourcePrivate::markEndOfStream
rdar://115982856
Reviewed by Jean-Yves Avenard and Eric Carlson.
Error only hit in internal testing. Object was referenced after deletion. Updated `MockMediaPlayer` to use a weak pointer for `m_player` instead of a reference, and added checks to methods to verify that `m_player` exists before trying to read/write it.
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.cpp: added check that `m_player` exists before accessing
* Source/WebCore/platform/mock/mediasource/MockMediaSourcePrivate.h: changed `m_player` to weak pointer instead of a reference
* Source/WebCore/platform/mock/mediasource/MockSourceBufferPrivate.cpp:
(WebCore::MockSourceBufferPrivate::readyState const):
(WebCore::MockSourceBufferPrivate::setReadyState):
Canonical link: https://commits.webkit.org/267815.570@safari-7617-branch
Commit: da176efb653602a9ee7844831d002e498d5aede0
https://github.com/WebKit/WebKit/commit/da176efb653602a9ee7844831d002e498d5aede0
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt
A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
Cherry-pick 268451.4 at webkit-2023.9-embargoed (f554230ef55f). https://bugs.webkit.org/show_bug.cgi?id=263178
DOM: Make sure to set tree scope during parser insertion
https://bugs.webkit.org/show_bug.cgi?id=263178
rdar://116715621
Reviewed by Ryosuke Niwa.
It is possible for an element to be reparented, e.g., to a shadow
tree before parsing has finished, so we need to make sure to set the
correct tree scope for a new element during parsing insertion,
otherwise it might end up associated to the wrong tree scope.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt: Added.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::parserInsertBefore):
Canonical link: https://commits.webkit.org/268451.4@webkit-2023.9-embargoed
Canonical link: https://commits.webkit.org/267815.571@safari-7617-branch
Commit: dab6e63f7e12a6699f1d13913e25a08e117f95c2
https://github.com/WebKit/WebKit/commit/dab6e63f7e12a6699f1d13913e25a08e117f95c2
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm
Log Message:
-----------
Cherry-pick 267815.586 at safari-7617-branch (e408ece1b8a7). https://bugs.webkit.org/show_bug.cgi?id=265129
GraphicsContextGLCocoa::setDrawingBufferColorSpace is missing makeContextCurrent()
https://bugs.webkit.org/show_bug.cgi?id=265129
rdar://118650182
Reviewed by Dan Glastonbury.
All public API entrypoints in GraphicsContextGLANGLE should call
makeContextCurrent().
* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
(WebCore::GraphicsContextGLCocoa::setDrawingBufferColorSpace):
Canonical link: https://commits.webkit.org/267815.586@safari-7617-branch
Commit: 721ce94bc2ab5bbc8f5cf608a2f95ba0136e49c6
https://github.com/WebKit/WebKit/commit/721ce94bc2ab5bbc8f5cf608a2f95ba0136e49c6
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp
M Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp
M Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp
Log Message:
-----------
Cherry-pick 267815.587 at safari-7617-branch (db3f6a7dbf33). https://bugs.webkit.org/show_bug.cgi?id=265127
ANGLE eglBindTexImage ASSERT when overwriting a binding
https://bugs.webkit.org/show_bug.cgi?id=265127
rdar://118649807
Reviewed by Dan Glastonbury.
glBindTexture(GL_TEXTURE_2D, tex);
eglBindTexImage(.., pbuffer, ...);
- Would set the Surface::mBoundTexture of pbuffer
- Would set the Texture::mBoundSurface of tex
eglBindTexImage(.., pbuffer2, ...);
- Would set the Surface::mBoundTexture of pbuffer2
- Would set the Texture::mBoundSurface of tex
- Would fail to unset Surface::mBoundTexture of pbuffer
Fix by making the unset logic linear, avoiding
Surface -> Texture -> Surface call sequence.
* Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp:
(egl::Surface::bindTexImage):
* Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp:
(gl::Texture::bindTexImageFromSurface):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp:
Canonical link: https://commits.webkit.org/267815.587@safari-7617-branch
Commit: c00bcc2634118112afb8adf7d1fa579cd08e27a8
https://github.com/WebKit/WebKit/commit/c00bcc2634118112afb8adf7d1fa579cd08e27a8
Author: Erica Li <lerica at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt
A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html
Log Message:
-----------
Cherry-pick 267815.594 at safari-7617-branch (7ee16f6de094). https://bugs.webkit.org/show_bug.cgi?id=265107
[3a7d43b31aba54c5] ASAN_SEGV | Layout::LineBoxBuilder::constructInlineLevelBoxes; Layout::LineBoxBuilder::build; Layout::InlineFormattingContext::createDisplayContentForInlineContent
https://bugs.webkit.org/show_bug.cgi?id=265107
rdar://118424612
Reviewed by Alan Baradlay.
Bail out createDisplayContentForLineFromCachedContent when restoreTrimmedTrailingWhitespace failed.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt: Added.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):
Canonical link: https://commits.webkit.org/267815.594@safari-7617-branch
Commit: 7ec344fb5d9132447fd7e93c7c0d01cda52fc2a8
https://github.com/WebKit/WebKit/commit/7ec344fb5d9132447fd7e93c7c0d01cda52fc2a8
Author: Nicole Rosario <nicole_rosario at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/rendering/render-list-marker-select-expected.txt
A LayoutTests/fast/rendering/render-list-marker-select.html
M Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp
Log Message:
-----------
Cherry-pick 267815.595 at safari-7617-branch (2a1f2e7acfe2). https://bugs.webkit.org/show_bug.cgi?id=264830
jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=264830
rdar://115721454
Reviewed by Alan Baradlay.
Null pointer dereference error caused by render tree being ordered incorrectly. RenderListMarker
was being placed inside RenderMenuList, where RenderListMarker and RenderMenuList should be on
the same level and in RenderListItem.
* LayoutTests/fast/rendering/render-list-marker-select-expected.txt:
* LayoutTests/fast/rendering/render-list-marker-select.html:
* Source/WebCore/rendering/updating/RenderTreeBuilderList.cpp:
(WebCore::getParentOfFirstLineBox): added check to ensure RenderListMarker isn't placed inside
RenderMenuList but can be placed at the same level (i.e., as a sibling)
Canonical link: https://commits.webkit.org/267815.595@safari-7617-branch
Commit: f7405d0b0853072fb9d33f329c9365619f55e665
https://github.com/WebKit/WebKit/commit/f7405d0b0853072fb9d33f329c9365619f55e665
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch
Log Message:
-----------
Cherry-pick 267815.606 at safari-7617-branch (f2ba7a5d0dd0). https://bugs.webkit.org/show_bug.cgi?id=265727
[WebRTC] Stack-buffer-overflow in webrtc::anonymous_namespace::SsDataLength() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265727
<rdar://119074872>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::SsDataLength):
- Change debug assertion into runtime check.
* Source/ThirdParty/libwebrtc/WebKit/01-WebRTC-Stack-buffer-overflow-in-webrtc-anonymous_namespace-SsDataLength.patch: Add.
Canonical link: https://commits.webkit.org/267815.606@safari-7617-branch
Commit: a725227c9feb027843230442d37af3dba6b24afd
https://github.com/WebKit/WebKit/commit/a725227c9feb027843230442d37af3dba6b24afd
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc
A Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch
Log Message:
-----------
Cherry-pick 267815.607 at safari-7617-branch (7fa29f992225). https://bugs.webkit.org/show_bug.cgi?id=265776
[WebRTC] Out-of-bounds crash in webrtc::anonymous_namespace::RemoveInactiveSpatialLayers() in vp9 packetizer
https://bugs.webkit.org/show_bug.cgi?id=265776
<rdar://119112931>
Reviewed by Youenn Fablet.
* Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/rtp_format_vp9.cc:
(webrtc::anonymous_namespace::RemoveInactiveSpatialLayers):
- Add sanity check for RTPVideoHeaderVP9::num_spatial_layers. This
matches the check in SsDataLength(), but that's called later when
initializing fields in RtpPacketizerVp9.
* Source/ThirdParty/libwebrtc/WebKit/0001-WebRTC-Out-of-bounds-crash-in-webrtc-anonymous_namespace-RemoveInactiveSpatialLayers.patch: Add.
Canonical link: https://commits.webkit.org/267815.607@safari-7617-branch
Commit: 1e49f24d12788c9c06ecd56ae88f948940aa561b
https://github.com/WebKit/WebKit/commit/1e49f24d12788c9c06ecd56ae88f948940aa561b
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt
A LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html
M Source/WebCore/platform/graphics/ShadowBlur.cpp
Log Message:
-----------
Cherry-pick 267815.608 at safari-7617-branch (e09e3cd2f3db). https://bugs.webkit.org/show_bug.cgi?id=264978
heap-buffer-overflow: crash under WebCore::ShadowBlur::blurLayerImage().
https://bugs.webkit.org/show_bug.cgi?id=264978
rdar://118004762
Reviewed by Simon Fraser.
For very large box-shadow sizes, due to floating point precision error,
ImageBuffer::getPixelBuffer returns a 'PixelBuffer' whose size
is not the same as the passed size. This causes buffer overflow/underflow
issues for these large sizes. To fix it, we now use the same
size as the allocated 'PixelBuffer' size, even though it could be slightly
different from the original size.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash-expected.txt: Added test expected file.
* LayoutTests/fast/box-shadow/large-shadowblur-no-crash.html: Added test case.
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::blurShadowBuffer): Using same size as allocated pixel buffer size.
Canonical link: https://commits.webkit.org/267815.608@safari-7617-branch
Commit: 5c0430703b0bb5fd378c1dc6c44e1ae0ba5dd1f7
https://github.com/WebKit/WebKit/commit/5c0430703b0bb5fd378c1dc6c44e1ae0ba5dd1f7
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp
M Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h
Log Message:
-----------
Cherry-pick 267815.610 at safari-7617-branch (8d4c34c20726). rdar://114943202
[macOS] WebContent crash in WTF::deallocateSendRightSafely under ~SharedVideoFrameWriter() (GUARD_TYPE_MACH_PORT :: INVALID_NAME)
rdar://114943202
Reviewed by Chris Dumez.
After https://bugs.webkit.org/show_bug.cgi?id=258379, we were creating the writer lazily but the creation can be triggered from multiple threads at once.
Given SharedVideoFrameWriter is expected to be used on a single thread/queue, we now protect it in RemoteDisplayListRecorderProxy with a lock.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.cpp:
(WebKit::RemoteDisplayListRecorderProxy::recordPaintVideoFrame):
(WebKit::RemoteDisplayListRecorderProxy::disconnect):
(WebKit::RemoteDisplayListRecorderProxy::ensureSharedVideoFrameWriter): Deleted.
* Source/WebKit/WebProcess/GPU/graphics/RemoteDisplayListRecorderProxy.h:
Canonical link: https://commits.webkit.org/267815.610@safari-7617-branch
Commit: 535413388bcb7f77bea473c1694fa797ddc039fb
https://github.com/WebKit/WebKit/commit/535413388bcb7f77bea473c1694fa797ddc039fb
Author: Erica Li <lerica at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt
A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html
M Source/WebCore/svg/SVGAnimateMotionElement.cpp
M Source/WebCore/svg/SVGAnimateMotionElement.h
M Source/WebCore/svg/SVGMPathElement.cpp
M Source/WebCore/svg/SVGMPathElement.h
Log Message:
-----------
Cherry-pick 267815.611 at safari-7617-branch (ca57f6a1de59). https://bugs.webkit.org/show_bug.cgi?id=265562
[72857589b8bce60e] ASAN_ILL | WebCore::TreeScopeOrderedMap::getElementById; WebCore::TreeScope::getElementById; WebCore::SVGURIReference::targetElementFromIRIString.
https://bugs.webkit.org/show_bug.cgi?id=265562
rdar://118513775
Reviewed by Chris Dumez.
updateAnimationPath should be done after treescope is fully updated.
* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt: Added.
* LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html: Added.
* Source/WebCore/svg/SVGAnimateMotionElement.cpp:
(WebCore::SVGAnimateMotionElement::childrenChanged):
* Source/WebCore/svg/SVGAnimateMotionElement.h:
* Source/WebCore/svg/SVGMPathElement.cpp:
(WebCore::SVGMPathElement::removedFromAncestor):
(WebCore::SVGMPathElement::targetPathChanged):
(WebCore::SVGMPathElement::notifyParentOfPathChange): Deleted.
* Source/WebCore/svg/SVGMPathElement.h:
Canonical link: https://commits.webkit.org/267815.611@safari-7617-branch
Commit: e2c7c0c1d3cc29f3269e2cffe4f13bc085b0189b
https://github.com/WebKit/WebKit/commit/e2c7c0c1d3cc29f3269e2cffe4f13bc085b0189b
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm
Log Message:
-----------
Cherry-pick 267815.612 at safari-7617-branch (61598c9bb40b). rdar://119047103
HSTS not partitioned for Fetch (according to privacytests.org)
rdar://119047103
Reviewed by Alex Christensen.
When downgrading in WKNetworkSessionDelegate to not use HSTS, we were downgrading by creating the downgraded request and triggering a synthetic redirection.
Fetch is exposing whether a redirection is done via Response.redirected, and this includes synthetic redirections.
This allows a web page to query the HSTS global cache.
To prevent this, we directly downgrade the request and continue the load with the downgraded request.
We do not need the synthetic redirection since the downgraded request should be exactly the same as the initial request.
* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/267815.612@safari-7617-branch
Commit: 732bc2c5f597012648a931a93f4ea902e5fbd1f7
https://github.com/WebKit/WebKit/commit/732bc2c5f597012648a931a93f4ea902e5fbd1f7
Author: Rob Buis <rbuis at igalia.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html
M Source/WebCore/rendering/RenderBlock.cpp
Log Message:
-----------
Cherry-pick 270734.5 at webkit-embargoed (bd192edd0348). https://bugs.webkit.org/show_bug.cgi?id=264169
[Content-visibility] RenderTreeNeedsLayoutChecker asserts on fixed positioned box inside skipped subtree
https://bugs.webkit.org/show_bug.cgi?id=264169
rdar://117914028
Reviewed by Alan Baradlay.
Avoid simplified layout when laying out a content-visibility root with positioned children since
there is no guarantee the positioned children have been processed in a previous layout due to
lazy layout of skipped content.
* LayoutTests/imported/w3c/web-platform-tests/css/css-contain/content-visibility/crashtests/scroll-skipped-content-fixed-container.html: Added.
* Source/WebCore/rendering/RenderBlock.cpp:
(WebCore::RenderBlock::simplifiedLayout):
Canonical link: https://commits.webkit.org/270734.5@webkit-2023.11-embargoed
Canonical link: https://commits.webkit.org/267815.617@safari-7617-branch
Commit: afbfa5325958b7b04e4ececda5e476be0b4cf89d
https://github.com/WebKit/WebKit/commit/afbfa5325958b7b04e4ececda5e476be0b4cf89d
Author: Rob Buis <rbuis at igalia.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt
A LayoutTests/mathml/operator-append-fixed-container-svg-crash.html
A LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt
A LayoutTests/mathml/token-append-fixed-container-svg-crash.html
M Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp
M Source/WebCore/rendering/mathml/RenderMathMLToken.cpp
Log Message:
-----------
Cherry-pick 270734.4 at webkit-embargoed (f765915efb81). https://bugs.webkit.org/show_bug.cgi?id=264636
MathML does not always handle positioned objects correctly
https://bugs.webkit.org/show_bug.cgi?id=264636
Reviewed by Alan Baradlay.
For mo/mi elements positioned objects are not laid out at all so in this
case after layout the tree is still dirty. Fix this by calling layoutPositionedObjects
for tokens and operators.
* LayoutTests/mathml/operator-append-fixed-container-svg-crash-expected.txt: Added.
* LayoutTests/mathml/operator-append-fixed-container-svg-crash.html: Added.
* LayoutTests/mathml/token-append-fixed-container-svg-crash-expected.txt: Added.
* LayoutTests/mathml/token-append-fixed-container-svg-crash.html: Added.
* Source/WTF/wtf/Assertions.cpp:
* Source/WebCore/rendering/mathml/RenderMathMLOperator.cpp:
(WebCore::RenderMathMLOperator::layoutBlock):
* Source/WebCore/rendering/mathml/RenderMathMLToken.cpp:
(WebCore::RenderMathMLToken::layoutBlock):
Canonical link: https://commits.webkit.org/270734.4@webkit-2023.11-embargoed
Canonical link: https://commits.webkit.org/267815.618@safari-7617-branch
Commit: de238adfe0517f0f69519e4d131c3e7fe866c967
https://github.com/WebKit/WebKit/commit/de238adfe0517f0f69519e4d131c3e7fe866c967
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M LayoutTests/fullscreen/full-screen-enabled-expected.txt
M LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt
M LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt
M LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
M LayoutTests/fullscreen/full-screen-restrictions-expected.txt
M LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt
M LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt
A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt
A LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html
A LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html
M LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt
M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt
M LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt
M LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt
M LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt
M LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt
M LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt
M LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt
M Source/WebCore/html/FeaturePolicy.cpp
M Source/WebCore/html/FeaturePolicy.h
Log Message:
-----------
Cherry-pick 267815.624 at safari-7617-branch (0ad98b606305). https://bugs.webkit.org/show_bug.cgi?id=265812
Cross-origin <embed> elements can request media permission, and prompts show main-frame URL
https://bugs.webkit.org/show_bug.cgi?id=265812
rdar://119149318
Reviewed by Chris Dumez.
We should apply feature policy for all elements, including embed and frame elements.
Since there are no allow attributes, we should use the default feature policy rules for those elements.
Update isFeaturePolicyAllowedByDocumentAndAllOwners accordingly.
Rebase tests according to the updated console log message.
* LayoutTests/fullscreen/full-screen-enabled-expected.txt:
* LayoutTests/fullscreen/full-screen-enabled-prefixed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-not-allowed-expected.txt:
* LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt:
* LayoutTests/fullscreen/full-screen-restrictions-expected.txt:
* LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt:
* LayoutTests/http/tests/media/media-stream/enumerate-devices-iframe-allow-attribute-expected.txt:
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element-expected.txt: Added.
* LayoutTests/http/tests/media/media-stream/get-user-media-in-embed-element.html: Added.
* LayoutTests/http/tests/media/media-stream/resources/get-user-media-embed.html: Added.
* LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition-expected.txt:
* LayoutTests/http/tests/security/sandboxed-iframe-geolocation-watchPosition-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-different-host-expected.txt:
* LayoutTests/http/tests/ssl/media-stream/get-user-media-nested-expected.txt:
* LayoutTests/http/tests/webrtc/enumerateDevicesInFrames-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-canShare.https-expected.txt:
* LayoutTests/http/tests/webshare/webshare-allow-attribute-share.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allow-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe-allowfullscreen-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mediacapture-streams/MediaStream-feature-policy-none.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/permissions-policy/payment-allowed-by-permissions-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/screen-wake-lock/wakelock-enabled-by-feature-policy-attribute-redirect-on-load.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/web-share/disabled-by-permissions-policy-cross-origin.https.sub-expected.txt:
* Source/WebCore/html/FeaturePolicy.cpp:
(WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
(WebCore::FeaturePolicy::parse):
* Source/WebCore/html/FeaturePolicy.h:
(WebCore::FeaturePolicy::defaultPolicy):
(WebCore::FeaturePolicy::parse):
Canonical link: https://commits.webkit.org/267815.624@safari-7617-branch
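The point of the change above is that a frame owner with no allow attribute (an <embed> or <frame>) must still be subject to permissions policy, using the default allowlist rather than being skipped. The following C++ model is an added example written for this page, not WebKit's own FeaturePolicy code: the types, the simplified allow-attribute grammar and the "iframes only" comparison function are assumptions constructed to show the bug class, and the defaults ('self' for camera and microphone) follow the Permissions Policy defaults rather than anything quoted here.

```cpp
#include <map>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

using Origin = std::string;
enum class Feature { Camera, Microphone };

// One feature's allowlist: either every origin (*) or an explicit set.
struct Allowlist {
    bool allowAll = false;
    std::vector<Origin> origins;
    bool contains(const Origin& origin) const {
        if (allowAll) return true;
        for (const auto& o : origins) if (o == origin) return true;
        return false;
    }
};

struct FeaturePolicy {
    std::map<Feature, Allowlist> allowlists;

    // Policy for an owner element with no allow attribute (assumed defaults:
    // camera and microphone are limited to 'self', the owner document's origin).
    static FeaturePolicy defaultPolicy(const Origin& self) {
        FeaturePolicy policy;
        policy.allowlists[Feature::Camera] = Allowlist{false, {self}};
        policy.allowlists[Feature::Microphone] = Allowlist{false, {self}};
        return policy;
    }

    // Simplified allow="..." parser: declarations separated by ';', each a feature
    // name followed by origins, '*', 'self' or 'src'. A feature with no origins means 'src'.
    static FeaturePolicy parse(const std::string& attribute, const Origin& self, const Origin& src) {
        FeaturePolicy policy = defaultPolicy(self);
        std::istringstream declarations(attribute);
        std::string declaration;
        while (std::getline(declarations, declaration, ';')) {
            std::istringstream tokens(declaration);
            std::string name;
            if (!(tokens >> name)) continue;
            std::optional<Feature> feature;
            if (name == "camera") feature = Feature::Camera;
            else if (name == "microphone") feature = Feature::Microphone;
            if (!feature) continue; // unknown feature names are ignored
            Allowlist list;
            std::string token;
            bool sawOrigin = false;
            while (tokens >> token) {
                sawOrigin = true;
                if (token == "*") list.allowAll = true;
                else if (token == "'self'") list.origins.push_back(self);
                else if (token == "'src'") list.origins.push_back(src);
                else if (token != "'none'") list.origins.push_back(token);
            }
            if (!sawOrigin) list.origins.push_back(src);
            policy.allowlists[*feature] = list;
        }
        return policy;
    }

    bool allows(Feature feature, const Origin& origin) const {
        auto it = allowlists.find(feature);
        return it != allowlists.end() && it->second.contains(origin);
    }
};

enum class OwnerKind { Iframe, Embed, Frame };

// A document and the element that embeds it; only <iframe> owners carry an allow attribute.
struct Document {
    Origin origin;
    Document* parent = nullptr; // null for the main frame
    OwnerKind ownerKind = OwnerKind::Iframe;
    std::optional<std::string> allowAttribute;
};

// Model of the pre-fix behaviour the commit title implies: owners other than <iframe>
// were not checked, so a cross-origin <embed> was treated as allowed. Comparison only.
bool isAllowedCheckingIframesOnly(Feature feature, const Document& document) {
    for (const Document* child = &document; child->parent; child = child->parent) {
        if (child->ownerKind != OwnerKind::Iframe) continue;
        auto policy = FeaturePolicy::parse(child->allowAttribute.value_or(""), child->parent->origin, child->origin);
        if (!policy.allows(feature, child->origin)) return false;
    }
    return true;
}

// Fixed behaviour: every owner up to the main frame is checked, and an owner without
// an allow attribute is evaluated against defaultPolicy().
bool isFeaturePolicyAllowedByDocumentAndAllOwners(Feature feature, const Document& document) {
    for (const Document* child = &document; child->parent; child = child->parent) {
        const Origin& self = child->parent->origin;
        FeaturePolicy policy = child->allowAttribute
            ? FeaturePolicy::parse(*child->allowAttribute, self, child->origin)
            : FeaturePolicy::defaultPolicy(self);
        if (!policy.allows(feature, child->origin)) return false;
    }
    return true;
}
```

Walking every owner matters because a policy delegated to one iframe can be narrowed again by a nested iframe; the check has to fail if any link in the chain refuses the feature for the child origin.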
Commit: d9a850d44570cd37661ba0edfbb97e62443b4907
https://github.com/WebKit/WebKit/commit/d9a850d44570cd37661ba0edfbb97e62443b4907
Author: Scott Marcy <mscott at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/invalid-fullscreen-enum-expected.txt
A LayoutTests/ipc/invalid-fullscreen-enum.html
A LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov
M Source/WebCore/platform/graphics/MediaPlayerEnums.h
M Source/WebKit/UIProcess/Cocoa/VideoFullscreenManagerProxy.mm
Log Message:
-----------
Cherry-pick 267815.636 at safari-7617-branch (cc4e54ad41c9). <bug>
rdar://115106974 (SEGV in -[NSView resizeSubviewsWithOldSize:])
Checks that the VideoFullscreenMode argument for two IPC calls is valid and invalidates the IPC message if not.
Reviewed by Alex Christensen (achristensen07).
If the VideoFullscreenMode value is not as expected, the IPC message will be marked as invalid, which is supposed
to crash the content process, thereby thwarting any attempted attack through this mechanism.
* LayoutTests/TestExpectations:
* LayoutTests/ipc/invalid-fullscreen-enum-expected.txt: Added.
* LayoutTests/ipc/invalid-fullscreen-enum.html: Added.
* LayoutTests/ipc/resources/1080i60_SMPTE_8CH_audible.mov: Added.
* Source/WebCore/platform/graphics/MediaPlayerEnums.h:
* Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm:
(WebKit::VideoPresentationManagerProxy::setupFullscreenWithID):
(WebKit::VideoPresentationManagerProxy::exitFullscreenWithoutAnimationToMode):
Canonical link: https://commits.webkit.org/267815.636@safari-7617-branch
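The commit above treats an enum value arriving over IPC as untrusted input: the UI process validates it before use and rejects the message otherwise. The following C++ is an added example written for this page, not WebKit's VideoPresentationManagerProxy code; the enumerator values, the `FullscreenProxy` type and its `Outcome` result are assumptions constructed for the illustration (the real enum is in MediaPlayerEnums.h and the real rejection path terminates the sending process, as the message says).

```cpp
#include <cstdint>
#include <optional>

// Stand-in for WebCore's VideoFullscreenMode bit set; the values are assumed here.
enum VideoFullscreenMode : uint32_t {
    VideoFullscreenModeNone = 0,
    VideoFullscreenModeStandard = 1u << 0,
    VideoFullscreenModePictureInPicture = 1u << 1,
    VideoFullscreenModeInWindow = 1u << 2,
};

constexpr uint32_t allKnownModeBits =
    VideoFullscreenModeStandard | VideoFullscreenModePictureInPicture | VideoFullscreenModeInWindow;

// Validate the raw 32-bit value received over IPC. Only a non-empty combination of
// known bits is accepted; returning std::optional forces every caller to handle the
// bad case instead of static_cast-ing the value and using it as a switch key or index.
std::optional<VideoFullscreenMode> decodeVideoFullscreenMode(uint32_t raw) {
    if (raw == VideoFullscreenModeNone) return std::nullopt;
    if (raw & ~allKnownModeBits) return std::nullopt;
    return static_cast<VideoFullscreenMode>(raw);
}

// Hypothetical receiver in the trusted UI process; the sender (the web content
// process) is assumed to be compromised and able to send arbitrary bytes.
struct FullscreenProxy {
    uint64_t currentContextId = 0;
    VideoFullscreenMode currentMode = VideoFullscreenModeNone;
    unsigned invalidMessages = 0; // in WebKit each of these terminates the sender

    enum class Outcome { Handled, InvalidMessage };

    // Models setupFullscreenWithID: validate first, touch state only on success.
    Outcome setupFullscreenWithID(uint64_t contextId, uint32_t rawMode) {
        auto mode = decodeVideoFullscreenMode(rawMode);
        if (!mode) {
            ++invalidMessages;
            return Outcome::InvalidMessage;
        }
        currentContextId = contextId;
        currentMode = *mode;
        return Outcome::Handled;
    }

    // Models exitFullscreenWithoutAnimationToMode: the same check applies to every
    // message that carries the enum, not just the one that sets it up.
    Outcome exitFullscreenWithoutAnimationToMode(uint32_t rawMode) {
        auto mode = decodeVideoFullscreenMode(rawMode);
        if (!mode) {
            ++invalidMessages;
            return Outcome::InvalidMessage;
        }
        currentMode = *mode;
        return Outcome::Handled;
    }
};
```

The decode step is deliberately separate from the handlers so that a new message carrying the same enum cannot skip the check by accident; rejecting early also keeps the proxy's state unchanged when a bad value arrives.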
Commit: 19a6ed309179aeedaf2a0987d4090e07273e859c
https://github.com/WebKit/WebKit/commit/19a6ed309179aeedaf2a0987d4090e07273e859c
Author: Erica Li <lerica at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt
A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html
M LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
M Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
Log Message:
-----------
Cherry-pick 267815.637 at safari-7617-branch (87a8ec698d64). https://bugs.webkit.org/show_bug.cgi?id=266273
ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter
https://bugs.webkit.org/show_bug.cgi?id=266273
rdar://119187070
Reviewed by Alan Baradlay.
Similar to rdar://104598552, add positioned child in RenderMathMLScripts also.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt: Added.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html: Added.
* LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline based on this fix.
* Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp:
(WebCore::RenderMathMLScripts::layoutBlock):
Canonical link: https://commits.webkit.org/267815.637@safari-7617-branch
Commit: 107f372478680a8ecbb68fab115028ecb96f4ac0
https://github.com/WebKit/WebKit/commit/107f372478680a8ecbb68fab115028ecb96f4ac0
Author: David Degazio <d_degazio at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/ftl/FTLOperations.cpp
M Source/JavaScriptCore/runtime/ClonedArguments.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/FunctionPrototype.cpp
Log Message:
-----------
Cherry-pick 267815.638 at safari-7617-branch (dc9b30f37ba8). https://bugs.webkit.org/show_bug.cgi?id=264511
Throw exception when ClonedArguments allocation fails
https://bugs.webkit.org/show_bug.cgi?id=264511
rdar://118039984
Reviewed by Mark Lam.
Currently, if we try and allocate a ClonedArguments object and run out of
memory, we silently return nullptr. This can result in the creation of an
empty JSValue being returned. This patch ensures that we check for and
propagate the null result, in addition to throwing an OutOfMemory error.
In cases where we can't throw an OutOfMemory error, specifically in
operationMaterializeObjectInOSR, we RELEASE_ASSERT that the result is
non-null to guarantee we crash instead of allowing the empty value to
escape.
* JSTests/stress/cloned-arguments-oom.js: Added.
(Allocator):
(Allocator.prototype.size):
(Allocator.prototype.allocate):
(createClonedArguments):
(0x0.map.size.new.Allocator):
(catch):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
(JSC::ClonedArguments::createWithInlineFrame):
(JSC::ClonedArguments::createWithMachineFrame):
(JSC::ClonedArguments::createByCopyingFrom):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
Canonical link: https://commits.webkit.org/267815.638@safari-7617-branch
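The invariant behind the change above is that a value handed back to script is either a real object or is accompanied by a pending exception; an empty value on its own must never escape. The C++ below is an added example written for this page, not JavaScriptCore's ClonedArguments code: `Heap`, `VM`, `JSValue` and the `failAfterAllocations` knob are constructed stand-ins for the GC heap, the VM's exception slot and JSC's empty value, and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>
#include <string>
#include <vector>

struct ClonedArguments { size_t length; };

// Constructed heap stand-in: owns its cells like a GC and can be told to fail.
struct Heap {
    size_t failAfterAllocations = SIZE_MAX;
    std::vector<std::unique_ptr<ClonedArguments>> cells;
    ClonedArguments* tryAllocateClonedArguments(size_t length) {
        if (cells.size() >= failAfterAllocations) return nullptr; // simulated OOM
        cells.push_back(std::make_unique<ClonedArguments>(ClonedArguments{length}));
        return cells.back().get();
    }
};

// Stand-in for the VM's pending-exception state.
struct VM { std::string pendingException; };

// Stand-in for JSValue: an empty value marks "nothing here" and must not reach script.
struct JSValue {
    ClonedArguments* cell = nullptr;
    bool isEmpty() const { return !cell; }
};

// The invariant a caller should check before handing a result to script.
bool isSafeToReturnToScript(const VM& vm, JSValue value) {
    return !value.isEmpty() || !vm.pendingException.empty();
}

// Pre-fix shape, as the commit describes it: the null result is wrapped unchecked and
// an empty value reaches script with no exception pending. Kept for comparison only.
JSValue createArgumentsUnchecked(VM&, Heap& heap, size_t length) {
    return JSValue{heap.tryAllocateClonedArguments(length)};
}

// Fixed shape on a path that may throw: check for null and raise OutOfMemoryError.
// Returning the empty value here is correct because the exception is set and the
// caller unwinds on seeing it.
JSValue createArgumentsOrThrow(VM& vm, Heap& heap, size_t length) {
    ClonedArguments* cell = heap.tryAllocateClonedArguments(length);
    if (!cell) {
        vm.pendingException = "OutOfMemoryError";
        return JSValue{};
    }
    return JSValue{cell};
}

// Fixed shape on a path that cannot throw (OSR materialization in the message above):
// a RELEASE_ASSERT-style check crashes deterministically rather than let null escape.
inline void releaseAssert(bool condition) {
    if (!condition) std::abort();
}

ClonedArguments* materializeArgumentsForOSR(Heap& heap, size_t length) {
    ClonedArguments* cell = heap.tryAllocateClonedArguments(length);
    releaseAssert(cell != nullptr);
    return cell;
}
```

The choice between the two fixed shapes is driven by context: where an exception can be thrown it should be, so that script sees a catchable error; where it cannot, an immediate crash is preferable to an empty value that some later code would interpret as a valid pointer.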
Commit: 3063130fc1070ae4fe59ae05bc544f8db3a41921
https://github.com/WebKit/WebKit/commit/3063130fc1070ae4fe59ae05bc544f8db3a41921
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
Log Message:
-----------
Cherry-pick 267815.640 at safari-7617-branch (36d57dc0f23f). https://bugs.webkit.org/show_bug.cgi?id=262699
Restrict access to Version.plist in the WebContent process on iOS
https://bugs.webkit.org/show_bug.cgi?id=262699
rdar://116545792
Reviewed by Per Arne Vollan.
Access to this file provides information about the device that should not be
accessible to web content. This patch explicitly prevents access to the file
from the Web content process. In a follow-up patch I'm planning on improving
the path validation we use for paths provided by JavaScript.
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
Canonical link: https://commits.webkit.org/267815.640@safari-7617-branch
Commit: 65aaef9a888dc17c47255a6fb753965f50a36df5
https://github.com/WebKit/WebKit/commit/65aaef9a888dc17c47255a6fb753965f50a36df5
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/loader/SubresourceLoader.cpp
M Source/WebCore/loader/SubresourceLoader.h
Log Message:
-----------
Cherry-pick 267815.652 at safari-7617-branch (ea99166b2dfe). https://bugs.webkit.org/show_bug.cgi?id=266589
Crash under SubresourceLoader::didReceiveBuffer()
https://bugs.webkit.org/show_bug.cgi?id=266589
rdar://116974951
Reviewed by Ryosuke Niwa.
Make sure we protect the CachedResource before calling non-trivial member
functions on it.
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequestInternal):
(WebCore::SubresourceLoader::didSendData):
(WebCore::SubresourceLoader::didReceivePreviewResponse):
(WebCore::SubresourceLoader::didReceiveResponse):
(WebCore::SubresourceLoader::didReceiveBuffer):
(WebCore::SubresourceLoader::willCancel):
(WebCore::SubresourceLoader::didCancel):
(WebCore::SubresourceLoader::releaseResources):
* Source/WebCore/loader/SubresourceLoader.h:
Canonical link: https://commits.webkit.org/267815.652@safari-7617-branch
Commit: 7f99bc1e89a801a9802accc2f5df20b5929e4390
https://github.com/WebKit/WebKit/commit/7f99bc1e89a801a9802accc2f5df20b5929e4390
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp
M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h
M Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp
M Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp
M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp
M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
M Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm
Log Message:
-----------
Cherry-pick 2bee8872e3b9. https://bugs.webkit.org/show_bug.cgi?id=266619
REGRESSION (233845 at main): Crash in MediaKeySystemRequest::~MediaKeySystemRequest
https://bugs.webkit.org/show_bug.cgi?id=266619
rdar://118004786
Reviewed by Jean-Yves Avenard.
In 233845 at main, NavigatorEME::requestMediaKeySystemAccess moved the task that creates the CDM
instance into a completion handler that's called asynchronously once the client allows media key
access. The completion handler captured a raw pointer to the document, leading to a crash if the
document is destroyed before the completion handler is called. Debug builds would also assert in
CompletionHandler::~CompletionHandler because ActiveDOMObject::queueTaskInEventLoop would not
invoke the task queued by MediaKeySystemRequest::allow - which captured a CompletionHandler - when
scriptExecutionContext is null.
Addressed the crash by capturing document as a WeakPtr and null-checking it prior to calling
Document::postTask in NavigatorEME::requestMediaKeySystemAccess's allow callback. Addressed the
assertion failure by removing the unnecessary asynchronous CompletionHandler from
Messages::WebPage::MediaKeySystemWasGranted.
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp:
(WebCore::MediaKeySystemRequest::allow):
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h:
* Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp:
(WebCore::NavigatorEME::requestMediaKeySystemAccess):
* Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp:
(WebKit::MediaKeySystemPermissionRequestManagerProxy::grantRequest):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp:
(WebKit::MediaKeySystemPermissionRequestManager::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
* Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm:
(WebMediaKeySystemClient::requestMediaKeySystem):
Canonical link: https://commits.webkit.org/267815.655@safari-7617-branch
Canonical link: https://commits.webkit.org/267815.660@safari-7617.2.4.11-branch
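Two of the fixes above (SubresourceLoader protecting the CachedResource before calling into it, and NavigatorEME capturing the document as a WeakPtr) are the same object-lifetime discipline applied at different points: hold a strong reference across a call that can re-enter and release the object, and hold only a weak reference across an asynchronous boundary. The C++ below is an added example written for this page, not WebCore's code: `EventLoop`, `Document`, `CachedResource` and `SubresourceLoader` are constructed stand-ins, and std::shared_ptr/std::weak_ptr stand in for WTF's Ref/WeakPtr.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed event-loop stand-in: queued tasks run after the caller has returned.
struct EventLoop {
    std::vector<std::function<void()>> tasks;
    void queueTask(std::function<void()> task) { tasks.push_back(std::move(task)); }
    void runPendingTasks() {
        auto pending = std::move(tasks);
        tasks.clear();
        for (auto& task : pending) task();
    }
};

struct Document {
    std::string url;
    int cdmInstancesCreated = 0;
};

// Pattern 1 (the NavigatorEME fix): the allow() callback runs asynchronously, so it
// captures the document weakly and re-checks it when it finally runs. onDone(true)
// reports that the task ran against a live document, onDone(false) that it was skipped.
void requestMediaKeySystemAccess(EventLoop& loop, const std::shared_ptr<Document>& document,
                                 std::function<void(bool)> onDone) {
    std::weak_ptr<Document> weakDocument = document; // never a raw Document* here
    loop.queueTask([weakDocument, onDone] {
        auto document = weakDocument.lock();
        if (!document) { onDone(false); return; } // document went away while the prompt was pending
        document->cdmInstancesCreated++;
        onDone(true);
    });
}

// Reference-counted resource shared between the loader and its clients.
struct CachedResource {
    size_t bytesReceived = 0;
    std::function<void()> onDataReceived; // client notification; may release the loader's reference
    void didAddData(size_t bytes) {
        bytesReceived += bytes;
        if (onDataReceived) onDataReceived();
    }
};

// Pattern 2 (the SubresourceLoader fix): take a strong reference before calling a
// non-trivial member function, because a client reacting inside that call may drop
// the loader's own reference and would otherwise destroy the resource underneath us.
struct SubresourceLoader {
    std::shared_ptr<CachedResource> m_resource; // CachedResourceHandle in WebCore

    // Returns the resource's byte count after the data was added, or 0 without a resource.
    size_t didReceiveBuffer(size_t bytes) {
        auto protectedResource = m_resource; // keeps it alive for the rest of this function
        if (!protectedResource) return 0;
        protectedResource->didAddData(bytes);
        // Still valid even if the callback cleared m_resource: protectedResource owns it.
        return protectedResource->bytesReceived;
    }
};
```

The weak capture is the right tool when the callee has no business extending the document's life; the strong local copy is right when the function must finish its work on the object regardless of what clients do in the meantime.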
Commit: 09d092667bdce026c9ebd82da6724ac6682a0e58
https://github.com/WebKit/WebKit/commit/09d092667bdce026c9ebd82da6724ac6682a0e58
Author: Rose <83477269+AtariDreams at users.noreply.github.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/JavaScriptCore/yarr/RegularExpression.cpp
M Source/JavaScriptCore/yarr/RegularExpression.h
Log Message:
-----------
Cherry-pick 273319 at main (e657a3449fbf). https://bugs.webkit.org/show_bug.cgi?id=255527
startFrom parameter should be unsigned
https://bugs.webkit.org/show_bug.cgi?id=255527
Reviewed by Alexey Shvayka.
The value being passed as this argument is always unsigned anyway, and when
used within the match function itself, it is always being passed to
another method or function, which takes an unsigned value, not a signed
one.
* Source/JavaScriptCore/yarr/RegularExpression.cpp:
(JSC::Yarr::RegularExpression::match const):
(JSC::Yarr::replace):
* Source/JavaScriptCore/yarr/RegularExpression.h:
Canonical link: https://commits.webkit.org/273319@main
Commit: c7823840e02d33df4925e8cc8d1405aa75aa3f93
https://github.com/WebKit/WebKit/commit/c7823840e02d33df4925e8cc8d1405aa75aa3f93
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 266928 at main (56861d23fba2). https://bugs.webkit.org/show_bug.cgi?id=260134
Remove Quirk shouldAutoplayWebAudioForArbitraryUserGesture for bing.com
https://bugs.webkit.org/show_bug.cgi?id=260134
rdar://107430929
Reviewed by Jer Noble.
This quirk is not necessary anymore for bing.com.
The bing voice search is now working while the Site Specific Hacks is
disabled. Removing the quirk which was added with
https://bugs.webkit.org/show_bug.cgi?id=213118
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldAutoplayWebAudioForArbitraryUserGesture const):
Canonical link: https://commits.webkit.org/266928@main
Commit: 33d9521648f8e52c4cc2107dce00740e46541a23
https://github.com/WebKit/WebKit/commit/33d9521648f8e52c4cc2107dce00740e46541a23
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 273225 at main (9c0f02f12a3c). https://bugs.webkit.org/show_bug.cgi?id=267741
sfusd.edu: Trying to load SFUSD School Finder sometimes fails
https://bugs.webkit.org/show_bug.cgi?id=267741
rdar://116292738
Reviewed by Brent Fulgham.
Trying to load the following link often fails in Safari (and Firefox), works fine in Chrome:
https://www.sfusd.edu/schools/enroll/discover/school-finder
We see the following error in the JS console:
```
[Error] ReferenceError: Can't find variable: google
(anonymous function) (js_h2tB6IRXjTJGY_6Kj6g8zvcS1bzOjvsppQOjs7XaUWs.js:12:176)
```
This is caused by the google maps script being marked as async while one of the sync scripts
tries to access `window.google.maps`.
Add a quirk to ignore 'async' on scripts on sfusd.edu as a workaround while we reach out
to the site owners.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldBypassAsyncScriptDeferring const):
Canonical link: https://commits.webkit.org/273225@main
Commit: 5e0055e5e50bc14fcf807c5f8b7f1e15fca9f449
https://github.com/WebKit/WebKit/commit/5e0055e5e50bc14fcf807c5f8b7f1e15fca9f449
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/dom/Document+Fullscreen.idl
M Source/WebCore/dom/Element+Fullscreen.idl
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
Log Message:
-----------
Cherry-pick 266757 at main (c8e45de869f8). https://bugs.webkit.org/show_bug.cgi?id=255021
Remove Quirk shouldDisableElementFullscreenQuirk for nfl.com
https://bugs.webkit.org/show_bug.cgi?id=255021
rdar://107633365
Reviewed by Tim Nguyen.
This removes the fullscreen quirk for the nfl.com website.
It was required on iPad so that the controls of the video are
being displayed. It is not necessary anymore.
* Source/WebCore/dom/Document+Fullscreen.idl:
* Source/WebCore/dom/Element+Fullscreen.idl:
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldDisableElementFullscreenQuirk const): Deleted.
* Source/WebCore/page/Quirks.h:
Canonical link: https://commits.webkit.org/266757@main
Commit: bfd85addcb7ede2908e8287f2b8360e0709391b5
https://github.com/WebKit/WebKit/commit/bfd85addcb7ede2908e8287f2b8360e0709391b5
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 266774 at main (b890f0fda2ec). https://bugs.webkit.org/show_bug.cgi?id=260015
Remove Quirk shouldDispatchSimulatedMouseEvents for iqiyi.com
https://bugs.webkit.org/show_bug.cgi?id=260015
rdar://108958661
Reviewed by Brent Fulgham.
The quirk was introduced to allow interaction with the website on
first tap. After testing again, the current Quirk has no effect on
the usability of the site. The controls can be dragged for position
in the video or the volume of the audio, but they can be changed on
a simple tap both with/without the Quirk and fullscreen or not.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldDispatchSimulatedMouseEvents const):
Canonical link: https://commits.webkit.org/266774@main
Commit: 814a4ad65b947105b088548b40504af6f070ea3c
https://github.com/WebKit/WebKit/commit/814a4ad65b947105b088548b40504af6f070ea3c
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 266866 at main (a2b298331caf). https://bugs.webkit.org/show_bug.cgi?id=255269
Remove Quirk shouldDispatchSimulatedMouseEvents for msn.com
https://bugs.webkit.org/show_bug.cgi?id=255269
rdar://107844725
Reviewed by Brent Fulgham.
After deactivating the Quirk, the videos on msn.com website can be
scrubbed. The quirk can be removed.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldDispatchSimulatedMouseEvents const):
Canonical link: https://commits.webkit.org/266866@main
Commit: 74685d0e6bf263d76e38e8ad1e600c43629133eb
https://github.com/WebKit/WebKit/commit/74685d0e6bf263d76e38e8ad1e600c43629133eb
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 266898 at main (c6859d32429f). https://bugs.webkit.org/show_bug.cgi?id=260082
bankofamerica.com - Loading icon still present when navigating back after failing log in
https://bugs.webkit.org/show_bug.cgi?id=260082
rdar://104938789
Reviewed by Brent Fulgham.
On bankofamerica.com, if you attempt to log in with invalid credentials and then
navigate back, the "log in" will still be shown as "Loading ...".
The reason this happens is that the page changes the "Log in" button text to
"Loading ..." right before the navigation but fails to reset it on "pagehide"
or "pageshow" event. Safari successfully caches the page in the back/forward
cache and thus the page still shows "Loading ..." after the back navigation.
The issue doesn't reproduce in Chrome because they do not cache pages as
aggressively as we do. In particular, they do not cache pages that have an
"unload" event handler, like this page. Safari has been caching such pages
for years.
Since this is a content issue that could easily be addressed by the site
developers, I am addressing this with a quirk. If we detect this particular
"sign in" button with the "loading" class on bankofamerica.com, and if the
page has an "unload" event handler, we now prevent the page from going into
the cache.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldBypassBackForwardCache const):
Canonical link: https://commits.webkit.org/266898@main
Commit: 44c6967b3bda55d50cd4ac80550f75637e0a7caa
https://github.com/WebKit/WebKit/commit/44c6967b3bda55d50cd4ac80550f75637e0a7caa
Author: Philippe Normand <philn at igalia.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/platform/mediastream/gstreamer/MockRealtimeAudioSourceGStreamer.cpp
Log Message:
-----------
Cherry-pick 273214 at main (6f5ada25d26e). https://bugs.webkit.org/show_bug.cgi?id=267627
REGRESSION(272776 at main): [GStreamer][Debug] ASSERTION FAILED: m_streamFormat in MockRealtimeAudioSourceGStreamer::render()
https://bugs.webkit.org/show_bug.cgi?id=267627
Reviewed by Xabier Rodriguez-Calvar.
Prevent an ASSERT in the mock audio source, that would happen in case the source is stopped while
rendering.
* Source/WebCore/platform/mediastream/gstreamer/MockRealtimeAudioSourceGStreamer.cpp:
(WebCore::MockRealtimeAudioSourceGStreamer::render):
Canonical link: https://commits.webkit.org/273214@main
Commit: f2926938a16fc4862c34d4a850b3d6d7d990c36e
https://github.com/WebKit/WebKit/commit/f2926938a16fc4862c34d4a850b3d6d7d990c36e
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 266915 at main (de8fac440282). https://bugs.webkit.org/show_bug.cgi?id=220105
Remove Quirk isStorageAccessQuirkDomainAndElement for outlook.live.com (skype)
https://bugs.webkit.org/show_bug.cgi?id=220105
rdar://72728508
Reviewed by Brent Fulgham.
With Site Specific Hacks disabled, the process to login to skype from
outlook.live.com is working. They seem to have fixed it. Probably also, the
class names being very specific, the quirk has probably not survived a
couple of redesigns. We can remove it.
* Source/WebCore/page/Quirks.cpp:
(WebCore::isStorageAccessQuirkDomainAndElement):
Canonical link: https://commits.webkit.org/266915@main
Commit: 0360e2e9088641e6ae5f13fa60899f397f959bd0
https://github.com/WebKit/WebKit/commit/0360e2e9088641e6ae5f13fa60899f397f959bd0
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
Log Message:
-----------
Cherry-pick 266925 at main (44e22d905dd0). https://bugs.webkit.org/show_bug.cgi?id=254638
Remove Quirk shouldAdvertiseSupportForHLSSubtitleTypes on hulu.com
https://bugs.webkit.org/show_bug.cgi?id=254638
rdar://107347115
Reviewed by Brent Fulgham.
Enabling/Disabling the Quirks doesn't change the behavior of hulu.com.
The site plays videos normally. In the current circumstances the Quirk
seems not to be necessary anymore. It might be the results made in
rdar://110588102 too.
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::canPlayType const):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldAdvertiseSupportForHLSSubtitleTypes const): Deleted.
* Source/WebCore/page/Quirks.h:
Canonical link: https://commits.webkit.org/266925@main
Commit: 54bce49bc21e8311360a50f09c55781d66ba47cf
https://github.com/WebKit/WebKit/commit/54bce49bc21e8311360a50f09c55781d66ba47cf
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/html/FeaturePolicy.cpp
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
Log Message:
-----------
Cherry-pick 267266 at main (54bc44e65517). https://bugs.webkit.org/show_bug.cgi?id=260656
jsfiddles cannot get access to feature policy gated features like camera
https://bugs.webkit.org/show_bug.cgi?id=260656
rdar://114378082
Reviewed by Eric Carlson and Chris Dumez.
https://commits.webkit.org/265641@main tightened feature policy parsing and aligned it with spec.
This was known to not work for some websites, like jsfiddle.
Add a temporary quirk to fix jsfiddle.
Manually tested.
* Source/WebCore/html/FeaturePolicy.cpp:
(WebCore::updateList):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldStarBeFeaturePolicyDefaultValue const):
* Source/WebCore/page/Quirks.h:
Canonical link: https://commits.webkit.org/267266@main
Commit: 8a04ee8d817c08697c44e2b3ed48edc5767f9b4e
https://github.com/WebKit/WebKit/commit/8a04ee8d817c08697c44e2b3ed48edc5767f9b4e
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
Log Message:
-----------
Cherry-pick 267288 at main (2ec1a7e6b1ca). https://bugs.webkit.org/show_bug.cgi?id=260695
Simplify Quirks for shouldSuppressAutocorrectionAndAutocapitalizationInHiddenEditableAreas
https://bugs.webkit.org/show_bug.cgi?id=260695
rdar://49864669
Reviewed by Wenson Hsieh.
Refactor the two functions a bit into one function.
Also add a reference to a bug with steps to reproduce to remove later.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldSuppressAutocorrectionAndAutocapitalizationInHiddenEditableAreas const):
(WebCore::shouldSuppressAutocorrectionAndAutocapitalizationInHiddenEditableAreasForHost): Deleted.
Canonical link: https://commits.webkit.org/267288@main
Commit: e740370141e85093b0fbedf5afdc43960508f278
https://github.com/WebKit/WebKit/commit/e740370141e85093b0fbedf5afdc43960508f278
Author: Karl Dubost <karlcow at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
Log Message:
-----------
Cherry-pick 267907 at main (2d5d6f169a10). https://bugs.webkit.org/show_bug.cgi?id=260938
Create a helper for targeting domain names in Quirks.cpp
https://bugs.webkit.org/show_bug.cgi?id=260938
rdar://114737751
Reviewed by Timothy Hatcher.
Adds the helper isDomain() to give more regularity to the code and have
a uniform way of testing the domain name. There is probably more to do
to be able to address the other cases.
This also uses this new helper to convert the current domain matchings.
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::isDomain const):
(WebCore::Quirks::needsFormControlToBeMouseFocusable const):
(WebCore::Quirks::needsSeekingSupportDisabled const):
(WebCore::Quirks::needsPerDocumentAutoplayBehavior const):
(WebCore::Quirks::shouldAutoplayWebAudioForArbitraryUserGesture const):
(WebCore::Quirks::hasBrokenEncryptedMediaAPISupportQuirk const):
(WebCore::Quirks::shouldDisableContentChangeObserver const):
(WebCore::Quirks::shouldDisableContentChangeObserverTouchEventAdjustment const):
(WebCore::Quirks::shouldTooltipPreventFromProceedingWithClick const):
(WebCore::Quirks::isNeverRichlyEditableForTouchBar const):
(WebCore::Quirks::shouldDispatchSyntheticMouseEventsWhenModifyingSelection const):
(WebCore::Quirks::shouldDispatchSimulatedMouseEvents const):
(WebCore::Quirks::shouldDispatchedSimulatedMouseEventsAssumeDefaultPrevented const):
(WebCore::Quirks::simulatedMouseEventTypeForTarget const):
(WebCore::Quirks::shouldPreventPointerMediaQueryFromEvaluatingToCoarse const):
(WebCore::Quirks::shouldPreventDispatchOfTouchEvent const): Deleted.
(WebCore::Quirks::shouldSynthesizeTouchEvents const): Deleted.
(WebCore::Quirks::shouldAvoidResizingWhenInputViewBoundsChange const): Deleted.
(WebCore::Quirks::shouldDisablePointerEventsQuirk const): Deleted.
(WebCore::Quirks::needsDeferKeyDownAndKeyPressTimersUntilNextEditingCommand const): Deleted.
(WebCore::Quirks::needsGMailOverflowScrollQuirk const): Deleted.
(WebCore::Quirks::needsYouTubeOverflowScrollQuirk const): Deleted.
(WebCore::Quirks::needsFullscreenDisplayNoneQuirk const): Deleted.
(WebCore::Quirks::needsWeChatScrollingQuirk const): Deleted.
(WebCore::Quirks::shouldOmitHTMLDocumentSupportedPropertyNames): Deleted.
(WebCore::Quirks::shouldSilenceResizeObservers const): Deleted.
(WebCore::Quirks::shouldSilenceWindowResizeEvents const): Deleted.
(WebCore::Quirks::shouldSilenceMediaQueryListChangeEvents const): Deleted.
(WebCore::Quirks::shouldAvoidScrollingWhenFocusedContentIsVisible const): Deleted.
(WebCore::Quirks::shouldUseLegacySelectPopoverDismissalBehaviorInDataActivation const): Deleted.
(WebCore::Quirks::shouldIgnoreAriaForFastPathContentObservationCheck const): Deleted.
(WebCore::isWikipediaDomain): Deleted.
(WebCore::Quirks::shouldIgnoreViewportArgumentsToAvoidExcessiveZoom const): Deleted.
(WebCore::Quirks::shouldOpenAsAboutBlank const): Deleted.
(WebCore::Quirks::needsPreloadAutoQuirk const): Deleted.
(WebCore::Quirks::shouldBypassBackForwardCache const): Deleted.
(WebCore::Quirks::shouldBypassAsyncScriptDeferring const): Deleted.
(WebCore::Quirks::shouldMakeEventListenerPassive): Deleted.
(WebCore::Quirks::shouldEnableLegacyGetUserMediaQuirk const): Deleted.
(WebCore::Quirks::needsCanPlayAfterSeekedQuirk const): Deleted.
(WebCore::Quirks::shouldLayOutAtMinimumWindowWidthWhenIgnoringScalingConstraints const): Deleted.
(WebCore::Quirks::shouldAvoidPastingImagesAsWebContent const): Deleted.
(WebCore::isKinjaLoginAvatarElement): Deleted.
(WebCore::Quirks::isMicrosoftTeamsRedirectURL): Deleted.
(WebCore::isStorageAccessQuirkDomainAndElement): Deleted.
(WebCore::Quirks::hasStorageAccessForAllLoginDomains): Deleted.
(WebCore::Quirks::staticRadioPlayerURLString): Deleted.
(WebCore::Quirks::requestStorageAccessAndHandleClick const): Deleted.
(WebCore::Quirks::triggerOptionalStorageAccessQuirk const): Deleted.
(WebCore::Quirks::needsVP9FullRangeFlagQuirk const): Deleted.
(WebCore::Quirks::requiresUserGestureToPauseInPictureInPicture const): Deleted.
(WebCore::Quirks::requiresUserGestureToLoadInPictureInPicture const): Deleted.
(WebCore::Quirks::blocksReturnToFullscreenFromPictureInPictureQuirk const): Deleted.
(WebCore::Quirks::blocksEnteringStandardFullscreenFromPictureInPictureQuirk const): Deleted.
(WebCore::Quirks::shouldDisableEndFullscreenEventWhenEnteringPictureInPictureFromFullscreenQuirk const): Deleted.
(WebCore::Quirks::shouldDelayFullscreenEventWhenExitingPictureInPictureQuirk const): Deleted.
(WebCore::Quirks::shouldAllowNavigationToCustomProtocolWithoutUserGesture): Deleted.
(WebCore::Quirks::allowLayeredFullscreenVideos const): Deleted.
(WebCore::Quirks::shouldEnableApplicationCacheQuirk const): Deleted.
(WebCore::Quirks::shouldEnableFontLoadingAPIQuirk const): Deleted.
(WebCore::Quirks::needsVideoShouldMaintainAspectRatioQuirk const): Deleted.
(WebCore::Quirks::shouldExposeShowModalDialog const): Deleted.
(WebCore::Quirks::shouldNavigatorPluginsBeEmpty const): Deleted.
(WebCore::Quirks::shouldDisableLazyIframeLoadingQuirk const): Deleted.
(WebCore::Quirks::shouldDisableFetchMetadata const): Deleted.
(WebCore::Quirks::shouldDisablePushStateFilePathRestrictions const): Deleted.
(WebCore::Quirks::shouldDisablePopoverAttributeQuirk const): Deleted.
(WebCore::Quirks::needsConfigurableIndexedPropertiesQuirk const): Deleted.
(WebCore::Quirks::shouldEnableCanvas2DAdvancedPrivacyProtectionQuirk const): Deleted.
(WebCore::Quirks::advancedPrivacyProtectionSubstituteDataURLForText const): Deleted.
(WebCore::Quirks::needsResettingTransitionCancelsRunningTransitionQuirk const): Deleted.
(WebCore::Quirks::shouldStarBeFeaturePolicyDefaultValue const): Deleted.
* Source/WebCore/page/Quirks.h:
Canonical link: https://commits.webkit.org/267907@main
Commit: cf330016d67a74595e78d2716e9897de9e5d0291
https://github.com/WebKit/WebKit/commit/cf330016d67a74595e78d2716e9897de9e5d0291
Author: Aditya Keerthi <akeerthi at apple.com>
Date: 2024-01-23 (Tue, 23 Jan 2024)
Changed paths:
M Source/WebCore/html/HTMLAnchorElement.cpp
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
Log Message:
-----------
Cherry-pick 273247 at main (ff42f7668146). https://bugs.webkit.org/show_bug.cgi?id=267779
Cannot pick US state in dropdown on vote.gov
https://bugs.webkit.org/show_bug.cgi?id=267779
rdar://121240580
Reviewed by Wenson Hsieh.
vote.gov uses a custom state selection dropdown, which is a `<div>` containing
multiple anchor elements. Display of the dropdown is tied to focusing the associated
input element. When the "focusout" event is observed, the dropdown is hidden.
However, since the "focusout" event is observed prior to the "click" event, the site
compares the "focusout" event's `currentTarget` and `relatedTarget`. If the
`relatedTarget` is the anchor element, the logic ends up suppressing hiding the
dropdown, ensuring the "click" is dispatched on the right element.
For `focusout` events, the `relatedTarget` should be the element that gains
focus. In WebKit, `relatedTarget` is null in this scenario, as anchor elements
are not mouse focusable, following Cocoa platform convention.
Fix by adding a quirk to make anchor elements mouse focusable.
* Source/WebCore/html/HTMLAnchorElement.cpp:
(WebCore::HTMLAnchorElement::isMouseFocusable const):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::needsAnchorElementsToBeMouseFocusable const):
* Source/WebCore/page/Quirks.h:
Canonical link: https://commits.webkit.org/273247@main
Compare: https://github.com/WebKit/WebKit/compare/6247bb871b43...cf330016d67a