[webkit-changes] [WebKit/WebKit] 17ee3e: ASAN_ILL | LayoutIntegration::BoxTree::rendererFor...
Yusuke Suzuki
noreply at github.com
Thu Jan 25 01:28:23 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 17ee3e369461b4a63724a5e9078cd2880f7ec589
https://github.com/WebKit/WebKit/commit/17ee3e369461b4a63724a5e9078cd2880f7ec589
Author: Erica Li <lerica at apple.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt
A LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html
M LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
M Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp
Log Message:
-----------
ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter
https://bugs.webkit.org/show_bug.cgi?id=266273
rdar://119187070
Reviewed by Alan Baradlay.
Similar to rdar://104598552, add positioned child in RenderMathMLScripts also.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash-expected.txt: Added.
* LayoutTests/mathml/mathml-posistioned-mtext-layout-crash.html: Added.
* LayoutTests/platform/mac/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline based on this fix.
* Source/WebCore/rendering/mathml/RenderMathMLScripts.cpp:
(WebCore::RenderMathMLScripts::layoutBlock):
Originally-landed-as: 267815.637 at safari-7617-branch (87a8ec698d64). rdar://121480015
Canonical link: https://commits.webkit.org/273482@main
Commit: 9c7c2339a3d70f61ca2722b61ec2d75aa3faca88
https://github.com/WebKit/WebKit/commit/9c7c2339a3d70f61ca2722b61ec2d75aa3faca88
Author: David Degazio <d_degazio at apple.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/ftl/FTLOperations.cpp
M Source/JavaScriptCore/runtime/ClonedArguments.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/FunctionPrototype.cpp
Log Message:
-----------
Throw exception when ClonedArguments allocation fails
https://bugs.webkit.org/show_bug.cgi?id=264511
rdar://118039984
Reviewed by Mark Lam.
Currently, if we try to allocate a ClonedArguments object and run out of
memory, we silently return nullptr. This can result in an empty JSValue
being returned. This patch ensures that we check for and
propagate the null result, in addition to throwing an OutOfMemory error.
In cases where we can't throw an OutOfMemory error, specifically in
operationMaterializeObjectInOSR, we RELEASE_ASSERT that the result is
non-null to guarantee we crash instead of allowing the empty value to
escape.
* JSTests/stress/cloned-arguments-oom.js: Added.
(Allocator):
(Allocator.prototype.size):
(Allocator.prototype.allocate):
(createClonedArguments):
(0x0.map.size.new.Allocator):
(catch):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
(JSC::ClonedArguments::createWithInlineFrame):
(JSC::ClonedArguments::createWithMachineFrame):
(JSC::ClonedArguments::createByCopyingFrom):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
Originally-landed-as: 267815.638 at safari-7617-branch (dc9b30f37ba8). rdar://121478772
Canonical link: https://commits.webkit.org/273483@main
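The pattern the commit above describes, as an added illustration that is not JavaScriptCore's own code: a fallible allocation that returns nullptr, a slow path that checks the result and records an OutOfMemory exception instead of letting an empty value escape, and an OSR-style path that cannot throw and so aborts instead. `Heap`, `Arguments`, `OperationResult` and the function names are constructed stand-ins, not JSC types.

```cpp
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for an engine heap with a hard allocation budget.
struct Heap {
    std::size_t remainingBytes;
    // Returns false (rather than aborting) when the budget is exhausted,
    // mirroring an allocation path that can fail under memory pressure.
    bool reserve(std::size_t bytes) {
        if (bytes > remainingBytes)
            return false;
        remainingBytes -= bytes;
        return true;
    }
};

// Minimal arguments-object analogue: a copy of the caller's argument slots.
struct Arguments {
    std::vector<int> slots;
};

// Result of a runtime operation: either a valid object or a pending exception,
// never an "empty" value that silently flows onward.
struct OperationResult {
    std::shared_ptr<Arguments> value;     // non-null on success
    std::optional<std::string> exception; // set when the operation threw
};

// Allocation helper: returns nullptr on failure and leaves it to every
// caller to check (the situation the commit fixes on the caller side).
static std::shared_ptr<Arguments> createArgumentsOrNull(Heap& heap, const std::vector<int>& frame) {
    if (!heap.reserve(sizeof(Arguments) + frame.size() * sizeof(int)))
        return nullptr; // allocation failed: caller must not ignore this
    return std::make_shared<Arguments>(Arguments{frame});
}

// Slow path that can throw: null-check the result and surface an
// OutOfMemory error rather than returning an empty value.
static OperationResult slowPathCreateArguments(Heap& heap, const std::vector<int>& frame) {
    auto args = createArgumentsOrNull(heap, frame);
    if (!args)
        return {nullptr, std::string("OutOfMemoryError")};
    return {args, std::nullopt};
}

// OSR-materialization analogue where no exception can be thrown: crash
// loudly (RELEASE_ASSERT-style) instead of continuing with an empty value.
static std::shared_ptr<Arguments> materializeOrAbort(Heap& heap, const std::vector<int>& frame) {
    auto args = createArgumentsOrNull(heap, frame);
    if (!args)
        std::abort();
    return args;
}

// Convenience wrappers so the two outcomes can be checked directly.
static bool allocationSucceeds(std::size_t budget) {
    Heap heap{budget};
    OperationResult r = slowPathCreateArguments(heap, {1, 2, 3});
    return r.value != nullptr && !r.exception.has_value();
}

static bool allocationThrowsOutOfMemory(std::size_t budget) {
    Heap heap{budget};
    OperationResult r = slowPathCreateArguments(heap, {1, 2, 3});
    return r.value == nullptr && r.exception.has_value() && *r.exception == "OutOfMemoryError";
}
```

The point of the two wrappers is that a caller inspecting `OperationResult` cannot accidentally treat a failed allocation as a usable object: the value is null exactly when the exception is set.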
Commit: 89314de81d9bcf4a5011c3304179351e6c637ccd
https://github.com/WebKit/WebKit/commit/89314de81d9bcf4a5011c3304179351e6c637ccd
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
Log Message:
-----------
Restrict access to Version.plist in the WebContent process on iOS
https://bugs.webkit.org/show_bug.cgi?id=262699
rdar://116545792
Reviewed by Per Arne Vollan.
Access to this file provides information about the device that should not be
accessible to web content. This patch explicitly prevents access to the file
from the Web content process. In a follow-up patch I'm planning on improving
the path validation we use for paths provided by JavaScript.
* Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in:
Originally-landed-as: 267815.640 at safari-7617-branch (36d57dc0f23f). rdar://121478523
Canonical link: https://commits.webkit.org/273484@main
Commit: 77a6809901292311fc674150434d829d3dd2bf0c
https://github.com/WebKit/WebKit/commit/77a6809901292311fc674150434d829d3dd2bf0c
Author: Andy Estes <aestes at apple.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp
M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h
M Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp
M Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp
M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp
M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
M Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm
Log Message:
-----------
REGRESSION (233845 at main): Crash in MediaKeySystemRequest::~MediaKeySystemRequest
https://bugs.webkit.org/show_bug.cgi?id=266619
rdar://118004786
Reviewed by Jean-Yves Avenard.
In 233845 at main, NavigatorEME::requestMediaKeySystemAccess moved the task that creates the CDM
instance into a completion handler that's called asynchronously once the client allows media key
access. The completion handler captured a raw pointer to the document, leading to a crash if the
document is destroyed before the completion handler is called. Debug builds would also assert in
CompletionHandler::~CompletionHandler because ActiveDOMObject::queueTaskInEventLoop would not
invoke the task queued by MediaKeySystemRequest::allow - which captured a CompletionHandler - when
scriptExecutionContext is null.
Addressed the crash by capturing document as a WeakPtr and null-checking it prior to calling
Document::postTask in NavigatorEME::requestMediaKeySystemAccess's allow callback. Addressed the
assertion failure by removing the unnecessary asynchronous CompletionHandler from
Messages::WebPage::MediaKeySystemWasGranted.
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp:
(WebCore::MediaKeySystemRequest::allow):
* Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h:
* Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp:
(WebCore::NavigatorEME::requestMediaKeySystemAccess):
* Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp:
(WebKit::MediaKeySystemPermissionRequestManagerProxy::grantRequest):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp:
(WebKit::MediaKeySystemPermissionRequestManager::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::mediaKeySystemWasGranted):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
* Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm:
(WebMediaKeySystemClient::requestMediaKeySystem):
Originally-landed-as: 267815.655 at safari-7617-branch (2bee8872e3b9). rdar://121478083
Canonical link: https://commits.webkit.org/273485@main
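The lifetime hazard in the commit above, as an added example that is not WebKit's code: an asynchronous completion handler that captures a raw `Document*` dangles if the document is destroyed before the grant arrives, while a weak reference that is null-checked before `postTask` simply skips the work. `Document`, `PendingCallbacks` and `Outcome` are constructed stand-ins, and `std::weak_ptr` plays the role of WTF's `WeakPtr`.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Constructed stand-in for a Document whose lifetime is owned elsewhere.
struct Document {
    int tasksPosted = 0;
    void postTask(std::function<void()> task) { ++tasksPosted; task(); }
};

// Completion handlers that will be delivered later, once the client allows access.
struct PendingCallbacks {
    std::vector<std::function<void()>> queue;
    void drain() {
        auto q = std::move(queue);
        queue.clear();
        for (auto& cb : q) cb();
    }
};

struct Outcome { int tasksRun = 0; int skippedBecauseGone = 0; };

// Before-style request: captures a raw pointer. Safe only while the document
// is alive; if it is destroyed before drain(), the callback dereferences freed
// memory. Exercised below only in the scenario where the document survives.
static void requestAccessRaw(Document* doc, PendingCallbacks& pending, Outcome& outcome) {
    pending.queue.push_back([doc, &outcome] {
        doc->postTask([&outcome] { ++outcome.tasksRun; });
    });
}

// Fixed-style request: captures a weak reference and null-checks it before
// touching the document, so a document destroyed in the meantime is skipped.
static void requestAccessWeak(std::weak_ptr<Document> weakDoc, PendingCallbacks& pending, Outcome& outcome) {
    pending.queue.push_back([weakDoc, &outcome] {
        auto doc = weakDoc.lock();
        if (!doc) { ++outcome.skippedBecauseGone; return; }
        doc->postTask([&outcome] { ++outcome.tasksRun; });
    });
}

// Scenario 1: the document outlives the asynchronous grant (both styles work).
static Outcome scenarioDocumentAlive() {
    Outcome outcome;
    PendingCallbacks pending;
    auto doc = std::make_shared<Document>();
    requestAccessRaw(doc.get(), pending, outcome);
    requestAccessWeak(doc, pending, outcome);
    pending.drain(); // grant arrives while the document is alive
    return outcome;
}

// Scenario 2: the document is torn down before the grant arrives. Only the
// weak-capturing request is queued here; the raw-pointer one would be a
// use-after-free.
static Outcome scenarioDocumentDestroyedFirst() {
    Outcome outcome;
    PendingCallbacks pending;
    auto doc = std::make_shared<Document>();
    requestAccessWeak(doc, pending, outcome);
    doc.reset();     // navigation destroys the document
    pending.drain(); // the callback finds the weak pointer expired and bails out
    return outcome;
}
```

The shape to look for in review is any lambda handed to a completion handler or task queue that captures an object it does not own by raw pointer or reference; the weak-capture plus `lock()` (or WTF `WeakPtr` plus null check) is the standard repair.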
Commit: 64714692967ad278155fcae66c5cb0f853b3bf34
https://github.com/WebKit/WebKit/commit/64714692967ad278155fcae66c5cb0f853b3bf34
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M Source/JavaScriptCore/Sources.txt
A Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp
A Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/JavaScriptCore/dfg/DFGPlan.cpp
M Source/JavaScriptCore/dfg/DFGPlan.h
Log Message:
-----------
[JSC] DFG constant property load should check the validity at the main thread
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399
Reviewed by Mark Lam.
Consider the following case:
CheckStructure O, S1 | S3
GetByOffset O, offset
And S1 -> S2 -> S3 structure transition happens.
By changing the object concurrently with the compiler, it is possible that we will constant fold the property with O + S2.
While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2.
If we change O to S3 before running the code, CheckStructure passes and we can use a value loaded from O + S2.
1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue.
CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens.
So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread.
CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue
using this code safely. To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure.
And at the end of compilation, in the main thread, we check that this assumption is still met.
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
(JSC::DFG::DesiredObjectProperties::addLazily):
(JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:
Originally-landed-as: 272448.7 at safari-7618-branch (31601205b6f3). rdar://121477582
Canonical link: https://commits.webkit.org/273486@main
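A constructed model of the race and the main-thread validity check described in the commit above; this is an added example, not JavaScriptCore's DFG code. `Structure`, `JSObjectModel` and `DesiredObjectProperty` are simplified stand-ins: a structure is just an identity, the object has one property, and the compiler-thread snapshot records the object, the structure it observed, the value it folded and the structure set `CheckStructure` will accept. The assumption modeled is that the folded value stays safe only while the object still has the observed structure and the same value.

```cpp
#include <set>
#include <utility>

// Constructed model of a hidden class ("Structure") and an object that
// transitions between structures while a concurrent compiler observes it.
struct Structure { int id; };

struct JSObjectModel {
    const Structure* structure;
    int propertyValue; // the single property the compiler wants to constant-fold
    void transitionTo(const Structure* next, int newValue) {
        structure = next;
        propertyValue = newValue;
    }
};

// What the compiler thread recorded when it constant-folded the load.
struct DesiredObjectProperty {
    const JSObjectModel* object;
    const Structure* observedStructure;
    int foldedValue;
    std::set<const Structure*> checkedStructures; // what CheckStructure accepts
};

// Compiler-thread step (modeled): snapshot the object as it is right now,
// which may be a transient structure the main thread is about to leave.
static DesiredObjectProperty tryGetConstantProperty(const JSObjectModel& object,
                                                    std::set<const Structure*> checkedStructures) {
    return {&object, object.structure, object.propertyValue, std::move(checkedStructures)};
}

// Main-thread step: the folded value is only safe if the object still has the
// structure we folded against, that structure is one CheckStructure accepts,
// and the property value is unchanged. Otherwise the plan must be cancelled.
static bool areStillValidOnMainThread(const DesiredObjectProperty& desired) {
    const JSObjectModel& object = *desired.object;
    if (object.structure != desired.observedStructure)
        return false;
    if (!desired.checkedStructures.count(object.structure))
        return false;
    return object.propertyValue == desired.foldedValue;
}

// Race from the commit message: CheckStructure accepts {S1, S3}; the compiler
// snapshots O while it is transiently in S2; O then moves on to S3. At run time
// CheckStructure would pass, yet the folded value came from O + S2.
static bool raceScenarioIsAccepted() {
    static const Structure S1{1}, S2{2}, S3{3};
    JSObjectModel O{&S1, 10};
    O.transitionTo(&S2, 20);                               // main thread mutates O mid-compilation
    auto desired = tryGetConstantProperty(O, {&S1, &S3});  // compiler folds 20 from O + S2
    O.transitionTo(&S3, 30);                               // O becomes S3 before the code runs
    return areStillValidOnMainThread(desired);             // false: plan is rejected
}

// Well-behaved case: O stays in the single structure S1 with the same value.
static bool stableScenarioIsAccepted() {
    static const Structure S1{1};
    JSObjectModel O{&S1, 10};
    auto desired = tryGetConstantProperty(O, {&S1});
    return areStillValidOnMainThread(desired);             // true
}

// Same structure, but the value was replaced after the snapshot: also rejected.
static bool replacedValueIsAccepted() {
    static const Structure S1{1};
    JSObjectModel O{&S1, 10};
    auto desired = tryGetConstantProperty(O, {&S1});
    O.propertyValue = 11;
    return areStillValidOnMainThread(desired);             // false
}
```

The check runs on the main thread precisely because that is the only point where the object cannot change underneath the comparison; a check performed on the compiler thread would be subject to the same race it is meant to close.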
Commit: 66f60deae730514621d3f9c5e620aaa76e03f8f8
https://github.com/WebKit/WebKit/commit/66f60deae730514621d3f9c5e620aaa76e03f8f8
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M Source/JavaScriptCore/Sources.txt
R Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp
R Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/JavaScriptCore/dfg/DFGPlan.cpp
M Source/JavaScriptCore/dfg/DFGPlan.h
Log Message:
-----------
[JSC] Remove DFGDesiredObjectProperties
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399
Reviewed by Mark Lam.
When we limit the structure to only one, there is no way to change the property without firing the
property replacement watchpoint while keeping the object's structure as specified. So we remove DFGDesiredObjectProperties.
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Removed.
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Removed.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:
Originally-landed-as: 272448.8 at safari-7618-branch (a8b53bc4d7b3). rdar://121473608
Canonical link: https://commits.webkit.org/273487@main
Compare: https://github.com/WebKit/WebKit/compare/eebb374f2bcd...66f60deae730