[webkit-changes] [WebKit/WebKit] f2c0d9: Versioning.
fantasai
noreply at github.com
Wed Jul 31 14:06:38 PDT 2024
Branch: refs/heads/safari-7618.3.11.12-branch
Home: https://github.com/WebKit/WebKit
Commit: f2c0d9109b998b8ecbd8644ed0a15da4df747288
https://github.com/WebKit/WebKit/commit/f2c0d9109b998b8ecbd8644ed0a15da4df747288
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7618.3.11.12.1
Canonical link: https://commits.webkit.org/272448.1100@safari-7618.3.11.12-branch
Commit: f3f3a87a2ce9655f103df65615b68a2799df3606
https://github.com/WebKit/WebKit/commit/f3f3a87a2ce9655f103df65615b68a2799df3606
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-07-03 (Wed, 03 Jul 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7618.3.11.12.2
Canonical link: https://commits.webkit.org/272448.1101@safari-7618.3.11.12-branch
Commit: 5c7eed73639e0f435bf4c6b6da2b961bb6166d99
https://github.com/WebKit/WebKit/commit/5c7eed73639e0f435bf4c6b6da2b961bb6166d99
Author: Wenson Hsieh <wenson_hsieh at apple.com>
Date: 2024-07-03 (Wed, 03 Jul 2024)
Changed paths:
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
Log Message:
-----------
Cherry-pick bf0c0decaac7. rdar://130610141
Cherry-pick 703a5b6bfcf1. rdar://130610141
REGRESSION (iOS 17.2): Infinite recursion in -[WKContentView(WKInteraction) inputViewForWebView]
https://bugs.webkit.org/show_bug.cgi?id=275171
rdar://127722998
Reviewed by Richard Robinson.
The changes in rdar://116751305&104994662 seem to have made it possible for `-inputViewForWebView`
to trigger infinite recursion, due to a new `-[UITextInputAssistantItem leadingBarButtonGroups]`
KVO listener in UIKit. Underneath this new KVO logic, UIKit calls into some internal methods which
ultimately call back into `-[WKContentView inputViewForWebView]`. In order of stack depth (growing
downwards), the reentrant calls to update the input accessory view look like this:
```
-[WKContentView(WKInteraction) _updateAccessory]
-[WKContentView(WKInteraction) formAccessoryView]
-[WKFormAccessoryView _initForUniversalControlBar:] // <--- Setting up WKFormAccessoryView
… (KVO triggered by setting leading/trailing bar button groups)
-[UISystemInputAssistantViewController observeValueForKeyPath:ofObject:change:context:]
-[TUISystemInputAssistantView setInputAssistantItem:force:]
… (UIKit internals)
-[UIKeyboardSceneDelegate expectedInputViewSetIsCustom]
-[WKContentView(WKInteraction) inputViewForWebView]
-[WKContentView(WKInteraction) _updateAccessory]
-[WKContentView(WKInteraction) formAccessoryView]
-[WKFormAccessoryView _initForUniversalControlBar:] // <--- Setting up WKFormAccessoryView (reentrancy!)
```
While I wasn't able to reproduce the crash at all, we can at least harden against this scenario by
making `-_updateAccessory` robust against reentrancy. Achieve this by adding a new ivar that's only
set during the scope of `-_updateAccessory`, and return early if it's set.
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.h:
* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView setUpInteraction]):
(-[WKContentView _updateAccessory]):
Canonical link: https://commits.webkit.org/279845@main
Canonical link: https://commits.webkit.org/272448.1102@safari-7618.3.11.12-branch
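The commit above describes guarding `-_updateAccessory` with an ivar that is set only for the scope of the call so that a reentrant call (here, via UIKit's KVO path) returns early. The following is an added, simplified C++ model of that pattern and is not WebKit's code; `AccessoryUpdater`, `ScopedFlag` and the `notify` callback are hypothetical names standing in for the view and the UIKit callback.

```cpp
#include <functional>
#include <utility>

// Hypothetical model (not WebKit's code) of the reentrancy guard: a flag that
// is true only while update() is on the stack, so a nested update() bails out.
class AccessoryUpdater {
public:
    // `notify` stands in for the UIKit KVO path that may call back into update().
    explicit AccessoryUpdater(std::function<void(AccessoryUpdater&)> notify)
        : m_notify(std::move(notify)) { }

    void update()
    {
        ++m_calls;
        if (m_isUpdating)
            return;                      // reentrant call: return early
        ScopedFlag guard(m_isUpdating);  // set only for the scope of this call
        ++m_updates;
        m_notify(*this);                 // may re-enter update()
    }

    int calls() const { return m_calls; }
    int updates() const { return m_updates; }

private:
    // RAII helper: sets the flag on construction, clears it on scope exit.
    struct ScopedFlag {
        bool& flag;
        explicit ScopedFlag(bool& f) : flag(f) { flag = true; }
        ~ScopedFlag() { flag = false; }
    };
    std::function<void(AccessoryUpdater&)> m_notify;
    bool m_isUpdating { false };
    int m_calls { 0 };
    int m_updates { 0 };
};

// One top-level update whose notification re-enters update() once.
// Returns {calls, completed updates}: the nested call is counted but skipped.
std::pair<int, int> reentrantUpdate()
{
    AccessoryUpdater updater([](AccessoryUpdater& u) { u.update(); });
    updater.update();
    return { updater.calls(), updater.updates() };
}

// Two separate top-level updates: the flag is cleared between them, so both run.
int sequentialUpdates()
{
    AccessoryUpdater updater([](AccessoryUpdater&) { });
    updater.update();
    updater.update();
    return updater.updates();
}
```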
Commit: 710eaf1c464a82d7596ad6294c7460f00574b719
https://github.com/WebKit/WebKit/commit/710eaf1c464a82d7596ad6294c7460f00574b719
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-07-03 (Wed, 03 Jul 2024)
Changed paths:
A LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash-expected.txt
A LayoutTests/editing/pasteboard/dom-paste/dom-paste-in-child-frame-does-not-crash.html
M Source/WebCore/dom/DOMPasteAccess.h
M Source/WebKit/UIProcess/API/gtk/PageClientImpl.cpp
M Source/WebKit/UIProcess/API/gtk/PageClientImpl.h
M Source/WebKit/UIProcess/API/wpe/PageClientImpl.cpp
M Source/WebKit/UIProcess/API/wpe/PageClientImpl.h
M Source/WebKit/UIProcess/PageClient.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.h
M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm
M Source/WebKit/UIProcess/mac/PageClientImplMac.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
M Source/WebKit/UIProcess/mac/WebViewImpl.h
M Source/WebKit/UIProcess/mac/WebViewImpl.mm
M Source/WebKit/UIProcess/playstation/PageClientImpl.cpp
M Source/WebKit/UIProcess/playstation/PageClientImpl.h
M Source/WebKit/UIProcess/win/PageClientImpl.cpp
M Source/WebKit/UIProcess/win/PageClientImpl.h
Log Message:
-----------
Cherry-pick 5b8bfc5e1fae. rdar://130078654
Apply patch. rdar://130078654
Canonical link: https://commits.webkit.org/272448.1103@safari-7618.3.11.12-branch
Commit: e8b0490a3a0a277747645fd864a4b560f0ec9256
https://github.com/WebKit/WebKit/commit/e8b0490a3a0a277747645fd864a4b560f0ec9256
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-07-05 (Fri, 05 Jul 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7618.3.11.12.3
Canonical link: https://commits.webkit.org/272448.1104@safari-7618.3.11.12-branch
Commit: 4527e7716311d3f46de1b0041477f4ed7a0a75c4
https://github.com/WebKit/WebKit/commit/4527e7716311d3f46de1b0041477f4ed7a0a75c4
Author: Michael Saboff <msaboff at apple.com>
Date: 2024-07-05 (Fri, 05 Jul 2024)
Changed paths:
A JSTests/stress/regexp-backreference-backtrack-interpreter.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 51993233d76f. rdar://115244009
Crash in JavaScriptCore: JSC::Yarr::Interpreter<unsigned char>::matchDisjunction()
rdar://115244009
https://bugs.webkit.org/show_bug.cgi?id=276154
Reviewed by Yusuke Suzuki.
When processing back references, if the referenced capture was empty then the back reference succeeds without comparing
the characters at the back reference atom with the captured characters. This was handled with early exits in the
function matchBackReference(), before setting match info like the start position, match size or match count. This
info is used when backtracking or when matching more in the case of a non-greedy quantified back reference.
The fix is to move the setting of the initial match information before we do any checks for an empty match or a match comparing
characters. Also added code to properly handle duplicate named capture groups in the function backtrackBackReference().
Added a new regression test.
* JSTests/stress/regexp-backreference-backtrack-interpreter.js: Added.
(arrayToString):
(objectToString):
(dumpValue):
(compareArray):
(compareGroups):
(testRegExp):
(testRegExpSyntaxError):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchBackReference):
(JSC::Yarr::Interpreter::backtrackBackReference):
Canonical link: https://commits.webkit.org/272448.1104@safari-7618-branch
Canonical link: https://commits.webkit.org/272448.1105@safari-7618.3.11.12-branch
Commit: 16b8f16e78bda7d00c2ec8be40806fcdc7b5a3e5
https://github.com/WebKit/WebKit/commit/16b8f16e78bda7d00c2ec8be40806fcdc7b5a3e5
Author: Mohsin Qureshi <mohsinq at apple.com>
Date: 2024-07-05 (Fri, 05 Jul 2024)
Changed paths:
R JSTests/stress/regexp-backreference-backtrack-interpreter.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Revert 51993233d76f. rdar://115244009
Canonical link: https://commits.webkit.org/272448.1106@safari-7618.3.11.12-branch
Commit: 32d036155586f3ce8700c97c5b8c8d28e8846e98
https://github.com/WebKit/WebKit/commit/32d036155586f3ce8700c97c5b8c8d28e8846e98
Author: Alex Christensen <achristensen at apple.com>
Date: 2024-07-09 (Tue, 09 Jul 2024)
Changed paths:
A LayoutTests/security/decode-buffer-size-expected.txt
A LayoutTests/security/decode-buffer-size.html
M Source/WebCore/PAL/pal/text/TextCodecLatin1.cpp
M Source/WebCore/PAL/pal/text/TextCodecUTF8.cpp
Log Message:
-----------
Cherry-pick dfa712ddc5a1. rdar://130946877
Integer truncation in TextCodecUTF8::decode leading to OOB writes
rdar://130946877
Reviewed by Darin Adler.
If the length plus the length of the previously attempted partial UTF-8 sequence
is greater than can fit into an unsigned, we will truncate the length and write
the long length, which isn't ideal.
The Latin-1 codec appears to have a similar issue but it doesn't keep state, so
I think it's unreachable. To make it more clear in code inspection that it is
unreachable, I added a check to be extra safe.
* LayoutTests/security/decode-buffer-size-expected.txt: Added.
* LayoutTests/security/decode-buffer-size.html: Added.
* Source/WebCore/PAL/pal/text/TextCodecLatin1.cpp:
(PAL::TextCodecLatin1::decode):
* Source/WebCore/PAL/pal/text/TextCodecUTF8.cpp:
(PAL::TextCodecUTF8::decode):
Canonical link: https://commits.webkit.org/272448.1108@safari-7618-branch
Canonical link: https://commits.webkit.org/272448.1107@safari-7618.3.11.12-branch
Commit: 2ad9d114a7e4b0638d7bb5eebb5615913485430b
https://github.com/WebKit/WebKit/commit/2ad9d114a7e4b0638d7bb5eebb5615913485430b
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-07-09 (Tue, 09 Jul 2024)
Changed paths:
M Source/WebCore/platform/SharedBuffer.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/LoadAlternateHTMLString.mm
M Tools/TestWebKitAPI/cocoa/HTTPServer.h
M Tools/TestWebKitAPI/cocoa/HTTPServer.mm
Log Message:
-----------
Cherry-pick 0d4ba4017ef3. rdar://131369305
Integer truncation in FragmentedSharedBuffer::tryCreateArrayBuffer can lead to a buffer overflow
https://bugs.webkit.org/show_bug.cgi?id=276381
rdar://131369305
Reviewed by Alex Christensen.
Make sure the size fits in an `unsigned` type before casting it.
Including an API test that Alex Christensen wrote.
* Source/WebCore/platform/SharedBuffer.cpp:
(WebCore::FragmentedSharedBuffer::tryCreateArrayBuffer const):
Canonical link: https://commits.webkit.org/272448.1109@safari-7618-branch
Canonical link: https://commits.webkit.org/272448.1108@safari-7618.3.11.12-branch
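Both the TextCodecUTF8::decode and FragmentedSharedBuffer::tryCreateArrayBuffer commits above fix the same class of bug: a `size_t` length (or a sum of lengths) is narrowed to `unsigned`, so a large value wraps to a small one while the caller still writes the full length. The following is an added C++ illustration, not WebKit's code; the function names and the simplified "partial sequence + length" sizing are assumptions standing in for the real decoder logic.

```cpp
#include <cstddef>
#include <limits>
#include <optional>

// Hypothetical, simplified model (not WebKit's code) of sizing the output
// buffer for a stateful decoder that carries a partial UTF-8 sequence over
// from the previous call.

// Buggy shape: the sum is computed in size_t and then silently narrowed to
// unsigned. On a 64-bit build a large input yields a small allocation while
// the decoder still believes it has room for the full length.
unsigned truncatingBufferSize(size_t partialSequenceSize, size_t length)
{
    size_t total = partialSequenceSize + length;
    return static_cast<unsigned>(total); // silent narrowing
}

// Hardened shape: guard the size_t addition itself, then refuse any total
// that does not fit the unsigned type the downstream API takes.
std::optional<unsigned> checkedBufferSize(size_t partialSequenceSize, size_t length)
{
    if (length > std::numeric_limits<size_t>::max() - partialSequenceSize)
        return std::nullopt; // size_t addition would wrap
    size_t total = partialSequenceSize + length;
    if (total > std::numeric_limits<unsigned>::max())
        return std::nullopt; // would not fit the unsigned parameter
    return static_cast<unsigned>(total);
}

// The tryCreateArrayBuffer shape: a single size that must fit in unsigned
// before being cast, with the caller failing the allocation otherwise.
std::optional<unsigned> checkedUnsignedCast(size_t size)
{
    if (size > std::numeric_limits<unsigned>::max())
        return std::nullopt;
    return static_cast<unsigned>(size);
}
```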
Commit: 45ca1e8a082543489b3599f1774e4da2ad527c7f
https://github.com/WebKit/WebKit/commit/45ca1e8a082543489b3599f1774e4da2ad527c7f
Author: Dan Robson <dtr_bugzilla at apple.com>
Date: 2024-07-10 (Wed, 10 Jul 2024)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7618.3.11.12.4
Canonical link: https://commits.webkit.org/272448.1109@safari-7618.3.11.12-branch
Commit: 5adf11329e3e3a1894749e69bf6b683a4988d34f
https://github.com/WebKit/WebKit/commit/5adf11329e3e3a1894749e69bf6b683a4988d34f
Author: Elika Etemad <fantasai.bugs at inkedblade.net>
Date: 2024-07-10 (Wed, 10 Jul 2024)
Changed paths:
A LayoutTests/fast/overflow/flexbox-abspos-overflow-expected.html
A LayoutTests/fast/overflow/flexbox-abspos-overflow.html
A LayoutTests/fast/overflow/flexbox-multiline-overflow-expected.html
A LayoutTests/fast/overflow/flexbox-multiline-overflow.html
M LayoutTests/imported/w3c/web-platform-tests/css/css-flexbox/negative-overflow-002-expected.txt
M LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/css-flexbox/negative-overflow-002-expected.txt
M Source/WebCore/rendering/RenderFlexibleBox.cpp
Log Message:
-----------
Cherry-pick efacbbdcc425. rdar://131201271
Fix error in flexbox alignment overflow calculations.
https://bugs.webkit.org/show_bug.cgi?id=276382
rdar://131201271
Reviewed by Alan Baradlay.
This patch fixes the logic in contentAlignmentStartOverflow to correctly
clamp overflow, by handling reversed flows properly rather than returning
an overly-large value in some cases. It also fixes the error where we only
account for the last flex line.
* LayoutTests/fast/overflow/flexbox-abspos-overflow-expected.html: Added.
* LayoutTests/fast/overflow/flexbox-abspos-overflow.html: Added.
* LayoutTests/fast/overflow/flexbox-multiline-overflow-expected.html: Added.
* LayoutTests/fast/overflow/flexbox-multiline-overflow.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/css-flexbox/negative-overflow-002-expected.txt: Partial revert of 273737 at main
* LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/css-flexbox/negative-overflow-002-expected.txt: Partial revert of 273737 at main
* Source/WebCore/rendering/RenderFlexibleBox.cpp:
(WebCore::RenderFlexibleBox::layoutBlock): Shift reset for m_justifyContentStartOverflow out of the flex line loop.
(WebCore::contentAlignmentStartOverflow): Fix logic to correctly account for reversing.
(WebCore::RenderFlexibleBox::layoutAndPlaceChildren): Update call to pass reversing parameter.
(WebCore::RenderFlexibleBox::alignFlexLines): Update call to pass reversing parameter, and fix multiline handling.
Canonical link: https://commits.webkit.org/280812@main
Canonical link: https://commits.webkit.org/272448.1110@safari-7618.3.11.12-branch
Compare: https://github.com/WebKit/WebKit/compare/f2c0d9109b99%5E...5adf11329e3e