[webkit-changes] [WebKit/WebKit] 32bbe7: Cherry-pick 268964 at main (3f64447f2aa9). https://bu...

Sammy Gill noreply at github.com
Fri Jan 26 04:01:51 PST 2024


  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 32bbe7e94a21ddf2bf74fcaaa197bca0f95ca245
      https://github.com/WebKit/WebKit/commit/32bbe7e94a21ddf2bf74fcaaa197bca0f95ca245
  Author: Ahmad Saleem <ahmad.saleem792+github at gmail.com>
  Date:   2024-01-25 (Thu, 25 Jan 2024)

  Changed paths:
    M Source/WebCore/html/canvas/CanvasPath.cpp
    M Source/WebCore/platform/graphics/cg/PathCG.cpp
    M Source/WebCore/platform/graphics/transforms/AffineTransform.cpp
    M Source/WebCore/platform/graphics/transforms/AffineTransform.h
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h

  Log Message:
  -----------
  Cherry-pick 268964 at main (3f64447f2aa9). https://bugs.webkit.org/show_bug.cgi?id=262718

    Introduce 'rotateRadians' helper function and use across WebKit

    https://bugs.webkit.org/show_bug.cgi?id=262718

    Reviewed by Chris Dumez.

    Merge: https://src.chromium.org/viewvc/blink?view=revision&revision=167603 &
    https://src.chromium.org/viewvc/blink?revision=168929&view=revision

    Currently, rotate function takes an argument in only degrees.
    In many cases, rotate function is often required radian value instead of degree value.
    If we add new rotateRadians function, we will be able to reduce unnecessary operations.

     Before : rad -> rad2deg -> deg2rad -> calc sinNcos
     After  : rad                       -> calc sinNcos

    As a result, we can reduce two multiplication and two division.

    Additionally, we can use it across WebCore source instead of 'rotate(rad2deg)'.

    * Source/WebCore/platform/graphics/transforms/AffineTransform.cpp:
    (AffineTransform::rotate):
    (AffineTransform::rotateRadians):
    (AffineTransform::rotateFromVector):
    (AffineTransform::decompose):
    * Source/WebCore/platform/graphics/transforms/AffineTransform.h: new 'rotateRadians' function
    * Source/WebCore/platform/graphics/cg/PathCG.cpp:
    (PathCG::addEllipse):
    * Source/WebCore/html/canvas/CanvasPath.cpp:
    (CanvasPath::addEllipse):
    * Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:
    (TransformationMatrix::rotateFromVector):
    (TransformationMatrix::rotate):
    (TransformationMatrix::rotateRadians):
    * Source/WebCore/platform/graphics/transforms/TransformationMatrix.h: new 'rotateRadians' function

    Canonical link: https://commits.webkit.org/268964@main


  Commit: 45dfc447957ae9284dacc33cd99be2d36880166c
      https://github.com/WebKit/WebKit/commit/45dfc447957ae9284dacc33cd99be2d36880166c
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2024-01-25 (Thu, 25 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp
    M Source/WebCore/platform/graphics/transforms/TransformationMatrix.h

  Log Message:
  -----------
  Cherry-pick 270294 at main (84aabd280f9a). https://bugs.webkit.org/show_bug.cgi?id=263569

    REGRESSION (266237 at main): Poster circle animation is not continuous
    https://bugs.webkit.org/show_bug.cgi?id=263569
    <rdar://117209302>

    Reviewed by Simon Fraser.

    This is the same as the existing hasBig3DRotation rotation issue, where CA animates the shortest path between 3d rotations,
    because we represent them as matrices.

    Previously our computed matrices for rotate(180deg) didn’t have integer values, due to a float rounding issue during deg->rad.

    The new change computes the rotation matrix exactly, and now there’s no longer a defined direction for a 180deg rotation and
    we sometimes end up with a ‘backwards’ rotation.

    This adds an option to not do the snapping when we compute matrices for CA, so that the existing behavior is preserved.

    * Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h:
    * Source/WebCore/platform/graphics/transforms/TransformOperation.h:
    (WebCore::TransformOperation::applyUnrounded const):
    * Source/WebCore/platform/graphics/transforms/TransformationMatrix.cpp:
    (WebCore::TransformationMatrix::rotate3d):
    (WebCore::TransformationMatrix::rotate):
    (WebCore::TransformationMatrix::rotateRadians):
    * Source/WebCore/platform/graphics/transforms/TransformationMatrix.h:

    Canonical link: https://commits.webkit.org/270294@main


  Commit: 549cfbd671b3f61fb2ac7a30b4434a2850b7ae2a
      https://github.com/WebKit/WebKit/commit/549cfbd671b3f61fb2ac7a30b4434a2850b7ae2a
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2024-01-25 (Thu, 25 Jan 2024)

  Changed paths:
    M Source/WebCore/dom/EventPath.cpp

  Log Message:
  -----------
  Cherry-pick 270295 at main (6fa5837d95d9). https://bugs.webkit.org/show_bug.cgi?id=264380

    nullptr crash in EventPath::eventTargetRespectingTargetRules via EventPath::buildPath
    https://bugs.webkit.org/show_bug.cgi?id=264276
    <rdar://117902151>

    Reviewed by Chris Dumez.

    Add a nullptr check where the crash occurs. Also add a debug assert since this node
    should never be nullptr in theory.

    * Source/WebCore/dom/EventPath.cpp:
    (WebCore::EventPath::buildPath):

    Canonical link: https://commits.webkit.org/270295@main


  Commit: 53d71b7ffd1d9c2ff7eda0499d16f7f4114dbb52
      https://github.com/WebKit/WebKit/commit/53d71b7ffd1d9c2ff7eda0499d16f7f4114dbb52
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-01-25 (Thu, 25 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/testmasm.cpp

  Log Message:
  -----------
  Cherry-pick 270371 at main (1755d48a638b). https://bugs.webkit.org/show_bug.cgi?id=264380

    Fix compilation failures on ARM64 linux
    https://bugs.webkit.org/show_bug.cgi?id=264380
    rdar://118093158

    Reviewed by Yusuke Suzuki.

    Fixing a few "error: comparison of unsigned expression in ‘>= 0’ is always true [-Werror=type-limits]"
    and "error: suggest parentheses around ‘-’ in operand of ‘&’ [-Werror=parentheses]".

    * Source/JavaScriptCore/assembler/testmasm.cpp:
    (JSC::testExtractUnsignedBitfield64):
    (JSC::testInsertUnsignedBitfieldInZero32):
    (JSC::testInsertUnsignedBitfieldInZero64):
    (JSC::testInsertBitField32):
    (JSC::testInsertBitField64):
    (JSC::testExtractInsertBitfieldAtLowEnd32):
    (JSC::testExtractInsertBitfieldAtLowEnd64):
    (JSC::testClearBitField32):
    (JSC::testClearBitField64):
    (JSC::testInsertSignedBitfieldInZero32):
    (JSC::testInsertSignedBitfieldInZero64):
    (JSC::testExtractSignedBitfield32):
    (JSC::testExtractSignedBitfield64):
    (JSC::testExtractRegister32):
    (JSC::testExtractRegister64):
    (JSC::testZeroExtend48ToWord):

    Canonical link: https://commits.webkit.org/270371@main


  Commit: 7d947bce6fbef4a3cc43d7db98a2221243e02fb1
      https://github.com/WebKit/WebKit/commit/7d947bce6fbef4a3cc43d7db98a2221243e02fb1
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-01-25 (Thu, 25 Jan 2024)

  Changed paths:
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp

  Log Message:
  -----------
  Cherry-pick 270393 at main (de7073050171). https://bugs.webkit.org/show_bug.cgi?id=264372

    Crash under ContentSecurityPolicy::reportViolation()
    https://bugs.webkit.org/show_bug.cgi?id=264372
    rdar://117727308

    Reviewed by David Kilzer.

    The code was doing an early return in this case:
    ```
    if (!usesReportTo && !is<Document>(m_scriptExecutionContext))
        return;
    ```
    Then proceeding to downcast m_scriptExecutionContext to a Document.
    This meant we would do a bad cast in the case where usesReportTo is
    true.

    * Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::reportViolation const):

    Canonical link: https://commits.webkit.org/270393@main


  Commit: 958bda05b0b856f9cf2990e9cd64e7b16bc51602
      https://github.com/WebKit/WebKit/commit/958bda05b0b856f9cf2990e9cd64e7b16bc51602
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/dom/TreeScope.cpp
    M Source/WebCore/dom/TreeScopeOrderedMap.cpp

  Log Message:
  -----------
  Cherry-pick 270421 at main (f738f4311526). https://bugs.webkit.org/show_bug.cgi?id=264442

    Compilation failure using gcc (GCC) 13.2.1 20231011 (Red Hat 13.2.1-4)
    https://bugs.webkit.org/show_bug.cgi?id=264442
    rdar://118141764

    Reviewed by Alex Christensen.

    Fix compilation error "error: possibly dangling reference to a temporary [-Werror=dangling-reference]"
    No change in observable behaviour.

    * Source/WebCore/dom/TreeScope.cpp:
    (WebCore::TreeScope::findAnchor):
    * Source/WebCore/dom/TreeScopeOrderedMap.cpp:
    (WebCore::TreeScopeOrderedMap::get const):

    Canonical link: https://commits.webkit.org/270421@main


  Commit: 60a14f2bc6ebb7b60e1bd8a4b47d820bff115c2b
      https://github.com/WebKit/WebKit/commit/60a14f2bc6ebb7b60e1bd8a4b47d820bff115c2b
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A JSTests/stress/dfg-add-int32-var-with-const-double.js
    M Source/JavaScriptCore/dfg/DFGGraph.h

  Log Message:
  -----------
  Cherry-pick 270481 at main (79a659d55c63). https://bugs.webkit.org/show_bug.cgi?id=264278

    [JSC] Fix addImmediateShouldSpeculateInt32 for case int32 + constant double
    https://bugs.webkit.org/show_bug.cgi?id=264278
    rdar://117563215

    Reviewed by Yusuke Suzuki.

    Current fixup phase would convert the DFG node

        ValueAdd(Int32, DoubleConstant)

    to

        ArithAdd(Int32, JSConstant(DoubleConstant))

    if the node is OK to be truncated to Int32. This is
    wrong. For example, let Int32 be -1 and DoubleConstant
    be 0.1 where

        ToInt32(-1 + 0.1) == 0

    but

        -1 + ToInt32(0.1) == -1

    . So, we should not speculate that node with Int32 in this case.

    * JSTests/stress/dfg-int32-add-non-int-double.js: Added.
    (foo):
    * Source/JavaScriptCore/dfg/DFGGraph.h:

    Canonical link: https://commits.webkit.org/270481@main


  Commit: eb16a5121592036ad32f109c6237de2cd35f9bb4
      https://github.com/WebKit/WebKit/commit/eb16a5121592036ad32f109c6237de2cd35f9bb4
  Author: Marek Vasut <marex at denx.de>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp

  Log Message:
  -----------
  Cherry-pick 270593 at main (76bc3f4aa793). https://bugs.webkit.org/show_bug.cgi?id=264398

    [GStreamer] Ignore early EOS only when not looping
    https://bugs.webkit.org/show_bug.cgi?id=264398

    Reviewed by Philippe Normand.

    When playing video in a loop using HTML5 video element, the Gstreamer
    debug log sometimes contains the following message, which prevents the
    WPE from correctly stopping the playback before restarting it for the
    next loop and the playback ends up paused forever:

    ```
    webkitmediaplayer MediaPlayerPrivateGStreamer.cpp:1851:handleMessage:<video-1> EOS received but position {23823333333/1000000000 = 23.823333333} is still in the finite playable limits [{0/1 = 0}, {23828333333/1000000000 = 23.828333333}], ignoring it
    ```

    Ignore early EOS only when not looping, otherwise unconditionally
    indicate the stream has ended.

    * Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
    (WebCore::MediaPlayerPrivateGStreamer::handleMessage):

    Canonical link: https://commits.webkit.org/270593@main


  Commit: 97ea7037cd8b4287b341f071b9efd308034cd4ba
      https://github.com/WebKit/WebKit/commit/97ea7037cd8b4287b341f071b9efd308034cd4ba
  Author: Philippe Normand <philn at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/encryptedmedia/CDMProxy.cpp

  Log Message:
  -----------
  Cherry-pick 270627 at main (d0b51b0807c8). https://bugs.webkit.org/show_bug.cgi?id=264705

    [GStreamer][EME][Debug] Flaky assertions on weak pointer
    https://bugs.webkit.org/show_bug.cgi?id=264705

    Reviewed by Xabier Rodriguez-Calvar.

    Replace ASSERTs on WeakPtr by runtime checks, the pointer can be null, it's a valid scenario, so it
    shouldn't be in an ASSERT.

    * Source/WebCore/platform/encryptedmedia/CDMProxy.cpp:
    (WebCore::CDMInstanceProxy::startedWaitingForKey):
    (WebCore::CDMInstanceProxy::stoppedWaitingForKey):

    Canonical link: https://commits.webkit.org/270627@main


  Commit: ee916310d051471df88eee07a636780cd3032598
      https://github.com/WebKit/WebKit/commit/ee916310d051471df88eee07a636780cd3032598
  Author: Philippe Normand <philn at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h

  Log Message:
  -----------
  Cherry-pick 270629 at main (9c761fded496). https://bugs.webkit.org/show_bug.cgi?id=264707

    [GStreamer] MediaPlayer's codecs hashmap needs protection
    https://bugs.webkit.org/show_bug.cgi?id=264707

    Reviewed by Xabier Rodriguez-Calvar.

    The m_codecs HashMap can be accessed from multiple threads, so it needs to be protected by a mutex.

    * Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
    (WebCore::MediaPlayerPrivateGStreamer::setupCodecProbe):
    (WebCore::MediaPlayerPrivateGStreamer::codecForStreamId):
    * Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:

    Canonical link: https://commits.webkit.org/270629@main


  Commit: b00dfb7a1840c2e423ab9da0fa1c7ca39ccee8b8
      https://github.com/WebKit/WebKit/commit/b00dfb7a1840c2e423ab9da0fa1c7ca39ccee8b8
  Author: Antti Koivisto <antti at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/rendering/TextBoxPainter.cpp

  Log Message:
  -----------
  Cherry-pick 270634 at main (f9ec06b716a3). https://bugs.webkit.org/show_bug.cgi?id=264728

    Crash under TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox
    https://bugs.webkit.org/show_bug.cgi?id=264728
    rdar://117897402

    Reviewed by Alan Baradlay.

    * Source/WebCore/rendering/TextBoxPainter.cpp:
    (WebCore::TextBoxPainter<TextBoxPath>::collectDecoratingBoxesForTextBox):

    There appears to be some case where parentInlineBox is not found. Add null checking.

    Canonical link: https://commits.webkit.org/270634@main


  Commit: 9ffd7a92e89c4004e299f333a2c617493325231f
      https://github.com/WebKit/WebKit/commit/9ffd7a92e89c4004e299f333a2c617493325231f
  Author: David Kilzer <ddkilzer at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/receive_statistics_impl.cc
    M Source/ThirdParty/libwebrtc/Source/webrtc/test/fuzzers/utils/rtp_replayer.cc

  Log Message:
  -----------
  Cherry-pick 270656 at main (01dea93c203e). https://bugs.webkit.org/show_bug.cgi?id=264718

    Avoid divide-by-zero in webrtc::StreamStatisticianImpl::BitrateReceived
    https://bugs.webkit.org/show_bug.cgi?id=264718
    <rdar://117912996>

    Reviewed by Youenn Fablet.

    Merge upstream 7dbf55437f109cb13d131d91ba645029686fa247 by
    Harald Alvestrand <hta at webrtc.org>.

    * Source/ThirdParty/libwebrtc/Source/webrtc/modules/rtp_rtcp/source/receive_statistics_impl.cc:
    * Source/ThirdParty/libwebrtc/Source/webrtc/test/fuzzers/utils/rtp_replayer.cc:

    --

    Ensure payload type frequency does not cause divide-by-zero

    This CL does 2 things:
    - Change the DCHECK for payload_type_frequency to a CHECK (so that
    this error will be a crash not a divide-by-zero)
    - Change the replay helper that was used by the fuzzer to set the
    frequency of the packets to the video value (90K).

    Bug: chromium:1466826
    Change-Id: I39941f250b1782b36a3bcddfd347a016591466ec
    Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/312700
    Commit-Queue: Harald Alvestrand <hta at webrtc.org>
    Reviewed-by: Danil Chapovalov <danilchap at webrtc.org>
    Cr-Commit-Position: refs/heads/main@{#40468}
    Canonical link: https://commits.webkit.org/270656@main


  Commit: 4e521e2a3b223800bdc3931dab7e104a9e34c897
      https://github.com/WebKit/WebKit/commit/4e521e2a3b223800bdc3931dab7e104a9e34c897
  Author: Yury Semikhatsky <yurys at chromium.org>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/inspector/InjectedScript.cpp
    M Source/JavaScriptCore/inspector/InjectedScriptBase.cpp
    M Source/JavaScriptCore/inspector/InjectedScriptModule.cpp

  Log Message:
  -----------
  Cherry-pick 270739 at main (a4eed62b176c). https://bugs.webkit.org/show_bug.cgi?id=165875

    ScriptFunctionCall::call() can return an empty JSValue if the watchdog timer fires, callers should check for this
    https://bugs.webkit.org/show_bug.cgi?id=165875

    Reviewed by Devin Rousso.

    ScriptFunctionCall::call() may return empty JSValue from several places,
    the callers now check for emptiness first before accessing the value.

    Unfortunately, I don't have a reliable repro which could be converted
    to a layout test like the one in https://github.com/WebKit/WebKit/commit/11d211bca821fa4803d6da95c857a04b7f32c46a
    even though the symptoms are similar.

    * Source/JavaScriptCore/inspector/InjectedScript.cpp:
    (Inspector::InjectedScript::wrapObject const):
    (Inspector::InjectedScript::wrapJSONString const):
    (Inspector::InjectedScript::wrapTable const):
    (Inspector::InjectedScript::previewValue const):
    (Inspector::InjectedScript::createCommandLineAPIObject const):

    Canonical link: https://commits.webkit.org/270739@main


  Commit: 60afb603bffe5715c37ccc8574eafcaaaece1e52
      https://github.com/WebKit/WebKit/commit/60afb603bffe5715c37ccc8574eafcaaaece1e52
  Author: Przemyslaw Gorszkowski <pgorszkowski at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak-expected.txt
    A LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak.html
    M Source/WebCore/loader/ImageLoader.cpp
    M Source/WebCore/loader/ImageLoader.h

  Log Message:
  -----------
  Cherry-pick 270745 at main (78e4577732ca). https://bugs.webkit.org/show_bug.cgi?id=263521

    Memory consumption/leak with img out of viewport and lazy loading
    https://bugs.webkit.org/show_bug.cgi?id=263521

    Reviewed by Chris Dumez.

    This change fixes the problem with dangling of dynamically created (in JS)
    HTMLImageElement when it is detached from the document before loading the resource
    starts. It happened when img element was created (dynamically) with lazy loading
    and the element was outside the viewport (the loading of resource is deferred until
    the img element becomes visible). If the element was removed from document it
    becomes dangling element and will never be deleted by GC.

    * Source/WebCore/loader/ImageLoader.cpp:
    (WebCore::ImageLoader::hasPendingActivity const):

    To avoid leaking of the dynamically created element, the pending activity of
    the element should check has the load of the resource actually started.
    Similar check is done in case of static HTMLImageElement in
    ImageLoader::updatedHasPendingEvent.

    * Source/WebCore/loader/ImageLoader.h:
    (WebCore::ImageLoader::hasPendingActivity const): Deleted.

    Moved implementation to cpp file.

     * LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak-expected.txt: Added.
     * LayoutTests/fast/dom/dynamic-image-with-lazy-loading-leak.html: Added.

    Canonical link: https://commits.webkit.org/270745@main


  Commit: 00ff125e5b0ce6369b7fb40fc1edd0378389bfe9
      https://github.com/WebKit/WebKit/commit/00ff125e5b0ce6369b7fb40fc1edd0378389bfe9
  Author: Vitaly Dyachkov <vitaly at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/dom/Node.h
    M Source/WebCore/dom/Position.h

  Log Message:
  -----------
  Cherry-pick 270763 at main (3855bdaf1c1b). https://bugs.webkit.org/show_bug.cgi?id=164053

    ASSERTION FAILED: !((anchorType == PositionIsBeforeChildren || anchorType == PositionIsAfterChildren) && (is<Text>(*m_anchorNode) || editingIgnoresContent(*m_anchorNode))) in WebCore::Position::Position
    https://bugs.webkit.org/show_bug.cgi?id=164053

    Reviewed by Ryosuke Niwa.

    Since `firstPositionInNode()` and `lastPositionInNode()` take any node
    as their argument, including `Comment`, we should use
    `PositionIsOffsetInAnchor` for any `CharacterData`, not only for `Text`.

    * LayoutTests/platform/glib/TestExpectations:
    * Source/WebCore/dom/Node.h:
    (WebCore::Node::isCharacterData const):
    * Source/WebCore/dom/Position.h:
    (WebCore::firstPositionInNode):
    (WebCore::lastPositionInNode):

    Canonical link: https://commits.webkit.org/270763@main


  Commit: 20a9a771a25121f1661cd26d87c78c97c368f7ac
      https://github.com/WebKit/WebKit/commit/20a9a771a25121f1661cd26d87c78c97c368f7ac
  Author: Vitaly Dyachkov <vitaly at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/page/LocalFrameView.cpp
    M Source/WebCore/page/LocalFrameView.h
    M Source/WebCore/platform/ScrollableArea.cpp

  Log Message:
  -----------
  Cherry-pick 270820 at main (50aa99222474). https://bugs.webkit.org/show_bug.cgi?id=259912

    [WPE][Debug] ASSERTION FAILED: inProgrammaticScroll == (options.type == ScrollType::Programmatic)
    https://bugs.webkit.org/show_bug.cgi?id=259912

    Reviewed by Simon Fraser.

    In `AsyncScrollingCoordinator::requestScrollToPosition()` we assert
    that the `scrollableArea`'s `currentScrollType()` matches the
    `ScrollPositionChangeOptions`'s type.

    In some circumstances, this method can be called as a result of
    calling `ScrollableArea::scrollToPositionWithAnimation()`, which
    currently doesn't set its `currentScrollType` from `options` argument.

    `LocalFrameView`, which is a subclass of `ScrollableArea`, adds a method
    whose only job is to set/restore `currentScrollType` and call parent's
    method. We can move this logic to the `ScrollableArea` class. There's
    actually a FIXME about this.

    * Source/WebCore/page/LocalFrameView.cpp:
    (WebCore::LocalFrameView::scrollToPositionWithAnimation): Deleted.
    * Source/WebCore/page/LocalFrameView.h:
    * Source/WebCore/platform/ScrollableArea.cpp:
    (WebCore::ScrollableArea::scrollToPositionWithAnimation):

    Canonical link: https://commits.webkit.org/270820@main


  Commit: 8923374e248da31f63b59b7e104614d128c85055
      https://github.com/WebKit/WebKit/commit/8923374e248da31f63b59b7e104614d128c85055
  Author: Olivier Blin <olivier.blin at softathome.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp

  Log Message:
  -----------
  Cherry-pick 270877 at main (734a5ac349df). https://bugs.webkit.org/show_bug.cgi?id=264941

    [GStreamer] Avoid using decoding limits for all configurations
    https://bugs.webkit.org/show_bug.cgi?id=264941

    Reviewed by Philippe Normand.

    When VIDEO_DECODING_LIMIT support is enabled, after a first call of
    isContentTypeSupported() with Configuration::Decoding, the video
    limits are remembered in a static variable.

    They were then used for all subsequent isContentTypeSupported() calls,
    regardless of the configuration.

    This should be limited to Configuration::Decoding.

    * Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:
    (WebCore::GStreamerRegistryScanner::isContentTypeSupported const):

    Canonical link: https://commits.webkit.org/270877@main


  Commit: 1df901ec8621c3e41267f13a195714228cdcbc0e
      https://github.com/WebKit/WebKit/commit/1df901ec8621c3e41267f13a195714228cdcbc0e
  Author: Olivier Blin <olivier.blin at softathome.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/audio/gstreamer/AudioSourceProviderGStreamer.h

  Log Message:
  -----------
  Cherry-pick 270898 at main (579a9e5c3ee4). https://bugs.webkit.org/show_bug.cgi?id=265039

    Fix AudioSourceProviderGStreamer build with !ENABLE(MEDIA_STREAM)
    https://bugs.webkit.org/show_bug.cgi?id=265039

    Reviewed by Philippe Normand.

    * Source/WebCore/platform/audio/gstreamer/AudioSourceProviderGStreamer.h:
    WebAudioSourceProvider.h always needs to be included since
    AudioSourceProviderGStreamer inherits from WebAudioSourceProvider.

    Canonical link: https://commits.webkit.org/270898@main


  Commit: ab51672c66ca0a4a74d418cab0e5fce6104201aa
      https://github.com/WebKit/WebKit/commit/ab51672c66ca0a4a74d418cab0e5fce6104201aa
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A LayoutTests/http/wpt/workers/font-loading-error.any-expected.txt
    A LayoutTests/http/wpt/workers/font-loading-error.any.html
    A LayoutTests/http/wpt/workers/font-loading-error.any.js
    A LayoutTests/http/wpt/workers/font-loading-error.any.worker-expected.txt
    A LayoutTests/http/wpt/workers/font-loading-error.any.worker.html
    M Source/WebCore/dom/DocumentFontLoader.cpp
    M Source/WebCore/workers/WorkerFontLoadRequest.cpp

  Log Message:
  -----------
  Cherry-pick 271213 at main (b1f4d8147c3c). https://bugs.webkit.org/show_bug.cgi?id=265000

    FontFace with data: URI crashes Worker
    https://bugs.webkit.org/show_bug.cgi?id=265000
    rdar://118546120

    Reviewed by Alex Christensen.

    Make sure to reject the promise when font loading fails in a worker.
    Align implementation with spec on data URL font loading by allowing them.

    * LayoutTests/http/wpt/workers/font-loading-error.any-expected.txt: Added.
    * LayoutTests/http/wpt/workers/font-loading-error.any.html: Added.
    * LayoutTests/http/wpt/workers/font-loading-error.any.js: Added.
    (promise_test.async return):
    (promise_test):
    * LayoutTests/http/wpt/workers/font-loading-error.any.worker-expected.txt: Added.
    * LayoutTests/http/wpt/workers/font-loading-error.any.worker.html: Added.
    * Source/WebCore/dom/DocumentFontLoader.cpp:
    (WebCore::DocumentFontLoader::cachedFont):
    * Source/WebCore/workers/WorkerFontLoadRequest.cpp:
    (WebCore::WorkerFontLoadRequest::load):
    (WebCore::WorkerFontLoadRequest::didFail):

    Canonical link: https://commits.webkit.org/271213@main


  Commit: 92db624c4fa87d9ff0e67e8ab4785b8a9780e033
      https://github.com/WebKit/WebKit/commit/92db624c4fa87d9ff0e67e8ab4785b8a9780e033
  Author: Philippe Normand <philn at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp

  Log Message:
  -----------
  Cherry-pick 271374 at main (0143c180fd5a). https://bugs.webkit.org/show_bug.cgi?id=264663

    [GStreamer][MSE] media/media-source/media-source-webm-configuration-framerate.html is flaky crash
    https://bugs.webkit.org/show_bug.cgi?id=264663

    Reviewed by Xabier Rodriguez-Calvar.

    Check the m_source GRefPtr is non-null when handling the stream-collection message. It might be
    cleared while the player is getting disposed. The whole method cannot be called from a WeakPtr
    player without causing deadlocks, sadly.

    * LayoutTests/platform/glib/TestExpectations:
    * Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
    (WebCore::MediaPlayerPrivateGStreamer::handleStreamCollectionMessage):

    Canonical link: https://commits.webkit.org/271374@main


  Commit: 0a74b85dcbbb8c2f41a6f40a0aa70a18d133088e
      https://github.com/WebKit/WebKit/commit/0a74b85dcbbb8c2f41a6f40a0aa70a18d133088e
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A JSTests/stress/out-of-memory-while-describing-symbol-for-error.js
    M Source/JavaScriptCore/runtime/ExceptionHelpers.cpp
    M Source/JavaScriptCore/runtime/Symbol.cpp
    M Source/JavaScriptCore/runtime/Symbol.h

  Log Message:
  -----------
  Cherry-pick 271458 at main (d1f1209a4e20). https://bugs.webkit.org/show_bug.cgi?id=265775

    Gracefully handle OOM while trying to describing a Symbol when creating an Error.
    https://bugs.webkit.org/show_bug.cgi?id=265775
    rdar://119046215

    Reviewed by Yusuke Suzuki.

    If trying to describe a Symbol via stringifying it results in an OutOfMemoryError,
    just simply describe is as a generic "Symbol" instead.

    * JSTests/stress/out-of-memory-while-describing-symbol-for-error.js: Added.
    (catch):
    * Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:
    (JSC::errorDescriptionForValue):
    * Source/JavaScriptCore/runtime/Symbol.cpp:
    (JSC::Symbol::tryGetDescriptiveString const):
    * Source/JavaScriptCore/runtime/Symbol.h:

    Canonical link: https://commits.webkit.org/271458@main


  Commit: 035bf46b6b11c32f0af0c6b21e0ec5639e69a595
      https://github.com/WebKit/WebKit/commit/035bf46b6b11c32f0af0c6b21e0ec5639e69a595
  Author: Ahmad Saleem <ahmad.saleem792+github at gmail.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/LayoutUnit.h
    M Tools/TestWebKitAPI/Tests/WebCore/LayoutUnitTests.cpp

  Log Message:
  -----------
  Cherry-pick 271550 at main (2c3e402a8ea0). https://bugs.webkit.org/show_bug.cgi?id=265825

    Avoid integer overflow in LayoutUnit's unary minus operator

    https://bugs.webkit.org/show_bug.cgi?id=265825

    Reviewed by Alan Baradlay.

    Merge: https://chromium.googlesource.com/chromium/src.git/+/ef6bea224f0266018c3b4fc63262769020b9a4c2

    This PR fixes potential 'integer overflow' leading to crashes (in debug or fuzzer)
    environments.

    * Source/WebCore/platform/LayoutUnit.h:
    (operator-):
    * Tools/TestWebKitAPI/Tests/WebCore/LayoutUnitTests.cpp: Add Test Case 'LayoutUnitUnaryMinus'

    Canonical link: https://commits.webkit.org/271550@main


  Commit: a5b4a520cb59549573a0c746289bc34d2ce02da4
      https://github.com/WebKit/WebKit/commit/a5b4a520cb59549573a0c746289bc34d2ce02da4
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A LayoutTests/compositing/layer-creation/overlap-transformed-clip-expected.html
    A LayoutTests/compositing/layer-creation/overlap-transformed-clip.html
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/rendering/RenderLayer.h
    M Source/WebCore/rendering/RenderLayerBacking.cpp

  Log Message:
  -----------
  Cherry-pick 271894 at main (cc12d007e2e9). https://bugs.webkit.org/show_bug.cgi?id=265480

    Second div within a rotated and overflow:hidden parent div does not render.
    https://bugs.webkit.org/show_bug.cgi?id=265480
    <rdar://118901069>

    Reviewed by Simon Fraser.

    RenderLayerCompositor::addToOverlapMap takes layer overlap bounds in the root coordinate space, computes
    the clip in the root coordinate space and intersect them.

    RenderLayer::calculateClipRects was only ever applying an offset when converting clips to an ancestor coordinate
    space, which is incorrect if there is a non-tranlation transform (like the rotation in the testcase).

    The incorrect clip resulted in an empty overlap area, and us drawing the green div into the backing store behind
    the composited (3d transformed) div.

    This makes calculateClipRects transform the clip quad, not just the top-left point.

    * LayoutTests/compositing/layer-creation/overlap-transformed-clip-expected.html: Added.
    * LayoutTests/compositing/layer-creation/overlap-transformed-clip.html: Added.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::calculateClipRects const):
    * Source/WebCore/rendering/RenderLayer.h:
    * Source/WebCore/rendering/RenderLayerBacking.cpp:
    (WebCore::intersectsWithAncestor):

    Canonical link: https://commits.webkit.org/271894@main


  Commit: e42893ffc38ff8adc0d9a0d36862075dfbc5a5ee
      https://github.com/WebKit/WebKit/commit/e42893ffc38ff8adc0d9a0d36862075dfbc5a5ee
  Author: Nikolas Zimmermann <nzimmermann at igalia.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A LayoutTests/platform/glib/svg/text/textLength-tspan-in-textPath-expected.txt
    A LayoutTests/platform/ios/svg/text/textLength-tspan-in-textPath-expected.txt
    A LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.png
    A LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.txt
    A LayoutTests/svg/text/textLength-tspan-in-textPath.html
    M Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp

  Log Message:
  -----------
  Cherry-pick 271996 at main (79238bc8e2d6). https://bugs.webkit.org/show_bug.cgi?id=264184

    REGRESSION(264666 at main): Layout of the <tspan> elements inside a <textPath> is incorrect
    https://bugs.webkit.org/show_bug.cgi?id=264184

    Reviewed by Said Abou-Hallawa.

    Revision 264666 at main broke <tspan textLength="..."> behavior on <textPath> elements.
    The logic added to fix the intra-character spacing, wasn't intended for text path
    layout, where each character by definition is placed in its own box. Fix the MDN
    regression by disabling the new code paths for text-on-path layout.

    Covered by new test in svg/text/textLength-tspan-in-textPath.html.

    Unfortunately it's hard to make a cross-platform reftest, given the
    nature of the kind of test, and the missing way to layout text along
    a path in HTML/CSS.

    * LayoutTests/platform/glib/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
    * LayoutTests/platform/ios/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
    * LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.png: Added.
    * LayoutTests/platform/mac/svg/text/textLength-tspan-in-textPath-expected.txt: Added.
    * LayoutTests/svg/text/textLength-tspan-in-textPath.html: Added.
    * Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp:
    (WebCore::SVGTextLayoutEngine::layoutTextOnLineOrPath):

    Canonical link: https://commits.webkit.org/271996@main


  Commit: 3116070d07a535db5814cf22e27329c42c23ac9f
      https://github.com/WebKit/WebKit/commit/3116070d07a535db5814cf22e27329c42c23ac9f
  Author: Eric Carlson <eric.carlson at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebCore/html/track/VTTScanner.cpp
    M Source/WebCore/html/track/VTTScanner.h

  Log Message:
  -----------
  Cherry-pick 272005 at main (976e6341b4a8). https://bugs.webkit.org/show_bug.cgi?id=266355

    VTTScanner should copy the string it is parsing
    https://bugs.webkit.org/show_bug.cgi?id=266355
    rdar://119621360

    Reviewed by Chris Dumez.

    Store the String to be parsed in a member variable instead of only storing pointers to the
    start and end of the String to avoid crashes like the one caused by caused by 270868 at main.

    * Source/WebCore/html/track/VTTScanner.cpp:
    (WebCore::VTTScanner::VTTScanner):
    * Source/WebCore/html/track/VTTScanner.h:

    Canonical link: https://commits.webkit.org/272005@main


  Commit: 6afbe913b5b663f45938c9e026b0aa52bf746b52
      https://github.com/WebKit/WebKit/commit/6afbe913b5b663f45938c9e026b0aa52bf746b52
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/llint/LLIntOpcode.h
    M Source/JavaScriptCore/llint/LowLevelInterpreter.cpp

  Log Message:
  -----------
  Cherry-pick 272012 at main (aa62ce7b9059). https://bugs.webkit.org/show_bug.cgi?id=266294

    BYTECODE_HELPER_ID LLint opcodes need look up for wide versions.
    https://bugs.webkit.org/show_bug.cgi?id=266294
    rdar://119563251

    Reviewed by Justin Michaud.

    FOR_EACH_BYTECODE_HELPER_ID was mistakenly lumped in with FOR_EACH_LLINT_NATIVE_HELPER, which
    does not populate their entries in g_opcodeMapWide16 and g_opcodeMapWide32.  This patch fixes
    that.

    This was causing CLoop runs to crash on nullptr derefs on these non-initialized entries.

    * Source/JavaScriptCore/llint/LLIntOpcode.h:
    * Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
    (JSC::CLoop::execute):

    Canonical link: https://commits.webkit.org/272012@main


  Commit: 78b6821d76ed2889788e1215b883247a74267894
      https://github.com/WebKit/WebKit/commit/78b6821d76ed2889788e1215b883247a74267894
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/cache/NetworkCacheSubresourcesEntry.h

  Log Message:
  -----------
  Cherry-pick 272062 at main (3096c561acce). https://bugs.webkit.org/show_bug.cgi?id=265634

    Samesite=Lax is not always working in Safari
    https://bugs.webkit.org/show_bug.cgi?id=265634
    rdar://119362503

    Reviewed by Brent Fulgham and Alex Christensen.

    We were not setting isSameSite correctly when reading it from disk cache, which was then triggering different cookies being sent between
    speculative loads and the actual would be loads.
    Websites could use Vary Cookie headers to handle that case, but they do not tend to.

    * Source/WebKit/NetworkProcess/cache/NetworkCacheSubresourcesEntry.h:
    (WebKit::NetworkCache::SubresourceInfo::SubresourceInfo):

    Canonical link: https://commits.webkit.org/272062@main


  Commit: 9d55c4dceb7e18a287613a1ceb1c1d7d35e3b751
      https://github.com/WebKit/WebKit/commit/9d55c4dceb7e18a287613a1ceb1c1d7d35e3b751
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2024-01-26 (Fri, 26 Jan 2024)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-inline-size-grid-stretches-auto-rows-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-inline-size-grid-stretches-auto-rows.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-size-grid-stretches-auto-rows-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-size-grid-stretches-auto-rows.html
    M Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp

  Log Message:
  -----------
  Cherry-pick 272085 at main (cf2a9868136a). https://bugs.webkit.org/show_bug.cgi?id=260201

    REGRESSION(261003 at main): [css-contain][css-grid] Size containment is not allowing the track sizing algorithm to distribute extra space to auto tracks
    https://bugs.webkit.org/show_bug.cgi?id=260201
    rdar://problem/113915953

    Reviewed by Brent Fulgham.

    Size containment is supposed to size a box as if it had no content, so
    for the purposes of grid layout this would mean that we would want to
    skip parts of the algorithm that take into consideration the content.

    The "Stretch auto Tracks," portion of the grid track sizing algorithm
    should not be skipped, however, as it has nothing to do with the content
    of the grid. We should be able to distribute any definite free space
    that we computed up to this point.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-inline-size-grid-stretches-auto-rows-expected.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-inline-size-grid-stretches-auto-rows.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-size-grid-stretches-auto-rows-expected.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/contain-size-grid-stretches-auto-rows.html: Added.
    * Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:
    (WebCore::GridTrackSizingAlgorithm::run):

    Canonical link: https://commits.webkit.org/272085@main


Compare: https://github.com/WebKit/WebKit/compare/e136566934c0...9d55c4dceb7e


More information about the webkit-changes mailing list