Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b46a8fcd809a9c84aa92538e942e1fa0c789ed27
https://github.com/WebKit/WebKit/commit/b46a8fcd809a9c84aa92538e942e1fa0c789ed27
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp
Log Message:
-----------
Use-after-free in processResponse in ServiceWorkerFetch.cpp
rdar://118039950
Reviewed by Chris Dumez.
Cancelling the stream can trigger GC when creating the DOMException JS wrapper.
This might collect the FetchResponse object.
To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.
* Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::processResponse):
Originally-landed-as: 267815.569 at safari-7617-branch (5ebdf97c0a26). rdar://121481543
Canonical link: https://commits.webkit.org/273420@main
Commit: dc6de2647a918167eeaf607fb54ca0f651b32979
https://github.com/WebKit/WebKit/commit/dc6de2647a918167eeaf607fb54ca0f651b32979
Author: Claudio Saavedra <csaavedra at igalia.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt
A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html
M Source/WebCore/dom/ContainerNode.cpp
Log Message:
-----------
DOM: Make sure to set tree scope during parser insertion
https://bugs.webkit.org/show_bug.cgi?id=263178
rdar://116715621
Reviewed by Ryosuke Niwa.
It is possible for an element to be reparented, pg., to a shadow
tree before parsing has finished, so we need to make sure to set the
correct tree scope for a new element during parsing insertion,
otherwise it might end up associated to the wrong tree scope.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt: Added.
* LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html: Added.
* Source/WebCore/dom/ContainerNode.cpp:
(WebCore::ContainerNode::parserInsertBefore):
Originally-landed-as: 268451.4 at webkit-2023.9-embargoed (f554230ef55f). rdar://121481452
Canonical link: https://commits.webkit.org/273421@main
Commit: 0023fa29b365fd4f1f7c79ff3bd84786e96a1ea9
https://github.com/WebKit/WebKit/commit/0023fa29b365fd4f1f7c79ff3bd84786e96a1ea9
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm
Log Message:
-----------
GraphicsContextGLCocoa::setDrawingBufferColorSpace is missing makeContextCurrent()
https://bugs.webkit.org/show_bug.cgi?id=265129
rdar://118650182
Reviewed by Dan Glastonbury.
All public API entrypoints in GraphicsContextGLANGLE should call
the makeContextCurrent().
* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
(WebCore::GraphicsContextGLCocoa::setDrawingBufferColorSpace):
Originally-landed-as: 267815.586 at safari-7617-branch (e408ece1b8a7). rdar://121481426
Canonical link: https://commits.webkit.org/273422@main
Commit: f0b62299b0c73fae19a498524298a672479afdf9
https://github.com/WebKit/WebKit/commit/f0b62299b0c73fae19a498524298a672479afdf9
Author: Kimmo Kinnunen <kkinnunen at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp
M Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp
M Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp
Log Message:
-----------
ANGLE eglBindTexImage ASSERT when overwriting a binding
https://bugs.webkit.org/show_bug.cgi?id=265127
rdar://118649807
Reviewed by Dan Glastonbury.
glBindTexture(GL_TEXTURE_2D, tex);
eglBindTexImage(.., pbuffer, ...);
- Would set the Surface::mBoundTexture of pbuffer
- Would set the Texture::mBoundSurface of tex
eglBindTexImage(.., pbuffer2, ...);
- Would set the Surface::mBoundTexture of pbuffer2
- Would set the Texture::mBoundSurface of tex
- Would fail to unset Surface::mBoundTexture of pbuffer
Fix by making the unset logic linear, avoiding
Surface -> Texture -> Surface call sequence.
* Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp:
(egl::Surface::bindTexImage):
* Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp:
(gl::Texture::bindTexImageFromSurface):
* Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp:
Originally-landed-as: 267815.587 at safari-7617-branch (db3f6a7dbf33). rdar://121481385
Canonical link: https://commits.webkit.org/273423@main
Commit: 568df84631eb4f205057cb9634fa404e2787d08c
https://github.com/WebKit/WebKit/commit/568df84631eb4f205057cb9634fa404e2787d08c
Author: Erica Li <lerica at apple.com>
Date: 2024-01-24 (Wed, 24 Jan 2024)
Changed paths:
A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt
A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html
M Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp
Log Message:
-----------
[3a7d43b31aba54c5] ASAN_SEGV | Layout::LineBoxBuilder::constructInlineLevelBoxes; Layout::LineBoxBuilder::build; Layout::InlineFormattingContext::createDisplayContentForInlineContent
https://bugs.webkit.org/show_bug.cgi?id=265107
rdar://118424612
Reviewed by Alan Baradlay.
Bail out createDisplayContentForLineFromCachedContent when restoreTrimmedTrailingWhitespace failed.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt: Added.
* LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:
(WebCore::Layout::InlineFormattingContext::createDisplayContentForLineFromCachedContent):
Originally-landed-as: 267815.594 at safari-7617-branch (7ee16f6de094). rdar://121481331
Canonical link: https://commits.webkit.org/273424@main
Compare: https://github.com/WebKit/WebKit/compare/f62dc2ae6c6b...568df84631eb