[webkit-changes] [WebKit/WebKit] fb9cb1: Cherry-pick 272448.472 at safari-7618-branch (7fdb5ce...
Alan Baradlay
noreply at github.com
Mon Mar 11 02:17:09 PDT 2024
Branch: refs/heads/webkitglib/2.44
Home: https://github.com/WebKit/WebKit
Commit: fb9cb17cdb0d6281e68ef1709762d985c04130f2
https://github.com/WebKit/WebKit/commit/fb9cb17cdb0d6281e68ef1709762d985c04130f2
Author: Mark Lam <mark.lam at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
M Source/WebKit/Scripts/process-entitlements.sh
Log Message:
-----------
Cherry-pick 272448.472 at safari-7618-branch (7fdb5ce499c7). https://bugs.webkit.org/show_bug.cgi?id=267886
Clean up some JSC entitlements.
https://bugs.webkit.org/show_bug.cgi?id=267886
rdar://121395716
Reviewed by Justin Michaud, Per Arne Vollan, and Alexey Shvaika.
* Source/JavaScriptCore/Scripts/process-entitlements.sh:
* Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
(JSC::isJITEnabled):
(JSC::ExecutableAllocator::disableJIT):
* Source/WebKit/Scripts/process-entitlements.sh:
Canonical link: https://commits.webkit.org/272448.472@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.45@webkitglib/2.44
Commit: 3ee62b21bc6bd6e65a60587d6417bf50ccd5852a
https://github.com/WebKit/WebKit/commit/3ee62b21bc6bd6e65a60587d6417bf50ccd5852a
Author: Jean-Yves Avenard <jya at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp
Log Message:
-----------
Cherry-pick 272448.473 at safari-7618-branch (00b3f3ccf06e). https://bugs.webkit.org/show_bug.cgi?id=268731
Block "setMediaOverridesForTesting" media IPC endpoints when not testing and instead reset values
https://bugs.webkit.org/show_bug.cgi?id=268731
rdar://122218365
Reviewed by Youenn Fablet.
The fix in https://commits.webkit.org/272448.445@safari-7618-branch was insufficient as
the setMediaOverridesForTesting IPC endpoints is also used to reset the flags to their default.
So rather than disabling the IPC endpoints altogether we restrict its use to only reset
the default values (which are all unset).
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
(WebKit::GPUConnectionToWebProcess::setMediaOverridesForTesting):
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:
Canonical link: https://commits.webkit.org/272448.473@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.46@webkitglib/2.44
Commit: 891762765dc6693bf3fd623ab9ad8647d7c5a9c5
https://github.com/WebKit/WebKit/commit/891762765dc6693bf3fd623ab9ad8647d7c5a9c5
Author: Mark Lam <mark.lam at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WTF/wtf/PlatformUse.h
Log Message:
-----------
Cherry-pick 272448.493 at safari-7618-branch (3b4b355b9810). https://bugs.webkit.org/show_bug.cgi?id=268788
Clean up JIT permissions configuration.
https://bugs.webkit.org/show_bug.cgi?id=268788
rdar://122141946
Reviewed by Alexey Shvayka.
* Source/WTF/wtf/PlatformUse.h:
Canonical link: https://commits.webkit.org/272448.493@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.47@webkitglib/2.44
Commit: e5cffbd4257d094055971bb9dbdd213874440645
https://github.com/WebKit/WebKit/commit/e5cffbd4257d094055971bb9dbdd213874440645
Author: Mark Lam <mark.lam at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/WebKit/Scripts/process-entitlements.sh
Log Message:
-----------
Cherry-pick 272448.494 at safari-7618-branch (0ebcda9ff537). https://bugs.webkit.org/show_bug.cgi?id=268792
Refine application of new JIT entitlement for build fix.
https://bugs.webkit.org/show_bug.cgi?id=268792
rdar://122352736
Reviewed by Tim Horton.
* Source/JavaScriptCore/Scripts/process-entitlements.sh:
* Source/WebKit/Scripts/process-entitlements.sh:
Canonical link: https://commits.webkit.org/272448.494@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.48@webkitglib/2.44
Commit: cf0035a96f0d01e4072f57e30cf4c473853156fe
https://github.com/WebKit/WebKit/commit/cf0035a96f0d01e4072f57e30cf4c473853156fe
Author: Matthew Finkel <sysrqb at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt
A LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html
M Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp
Log Message:
-----------
Cherry-pick 272448.2 at safari-7618-branch (18fd76f8a016). https://bugs.webkit.org/show_bug.cgi?id=266703
Ensure Filesystem root path is not empty
https://bugs.webkit.org/show_bug.cgi?id=266703
rdar://119813501
Reviewed by Chris Dumez.
When the root path is empty, then the file's name can define an arbitrary
filesystem path. This change ensures that the path is non-empty, therefore the
virtual filesystem must be defined under a directory that the user selected.
* LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt: Added.
* LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html: Added.
* Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp:
(WebCore::DOMFileSystem::getEntry):
(WebCore::DOMFileSystem::getFile):
Canonical link: https://commits.webkit.org/272448.2@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.49@webkitglib/2.44
Commit: 9969ea40eb0fdedaaaab54af56a4dc5832787884
https://github.com/WebKit/WebKit/commit/9969ea40eb0fdedaaaab54af56a4dc5832787884
Author: Michael Saboff <msaboff at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A JSTests/stress/arrow-function-captured-arguments-aliased.js
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
M Source/JavaScriptCore/runtime/GetPutInfo.h
M Source/JavaScriptCore/runtime/ScopedArguments.cpp
M Source/JavaScriptCore/runtime/ScopedArguments.h
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
M Source/JavaScriptCore/runtime/SymbolTable.h
Log Message:
-----------
Cherry-pick 272448.5 at safari-7618-branch (97894699773c). https://bugs.webkit.org/show_bug.cgi?id=261934
Scoped Arguments needs to alias between named and unnamed accesses and across nested scopes
https://bugs.webkit.org/show_bug.cgi?id=261934
rdar://114925088
rdar://117838992
Reviewed by Yusuke Suzuki.
Fixed issue where an access to a named argument and a seperate access via its argument[i] counterpart weren't recognized throughout
all JIT tiers as accesses to the same scoped value. The DFG bytecode parser can unknowingly constant fold the read access.
Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values.
related objects
Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the
ScopedArgument entry for the matching index. Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization
initialization type in GetPutInfo to signify this shared watchpoint case. Since currently all tiers write to scoped arguments
via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint.
Added a new test.
* JSTests/stress/arrow-function-captured-arguments-aliased.js: Added.
(createOptAll):
(createOpt500):
(createOpt2000):
(createOpt5000):
(main):
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/GetPutInfo.h:
(JSC::initializationModeName):
(JSC::isInitialization):
* Source/JavaScriptCore/runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::unmapArgument):
* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::tryCreate):
(JSC::ScopedArgumentsTable::tryClone):
(JSC::ScopedArgumentsTable::trySetLength):
(JSC::ScopedArgumentsTable::trySetWatchpointSet):
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::cloneScopePart):
* Source/JavaScriptCore/runtime/SymbolTable.h:
Canonical link: https://commits.webkit.org/272448.5@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.50@webkitglib/2.44
Commit: 9d294ccb0b0197e090e8f196affc5409c77e7b1d
https://github.com/WebKit/WebKit/commit/9d294ccb0b0197e090e8f196affc5409c77e7b1d
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A JSTests/stress/attribute-custom-accessor.js
M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
Log Message:
-----------
Cherry-pick 272448.6 at safari-7618-branch (24d1c08b9dfa). https://bugs.webkit.org/show_bug.cgi?id=266695
[JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value
https://bugs.webkit.org/show_bug.cgi?id=266695
rdar://119854137
Reviewed by Mark Lam.
PropertyCondition::isValidValueForAttributes only handled accessors and values. And it
didn't handle custom accessor / custom values. This patch changes it so that we can
check custom accessor / custom value cases correctly.
* JSTests/stress/attribute-custom-accessor.js: Added.
(async asyncSleep):
(setHasBeenDictionary):
(watchToJSONForReplacements):
(async watchLastMatchForReplacements.getLastMatch):
(async watchLastMatchForReplacements):
(const.target.toJSON):
(opt):
(async main):
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):
Canonical link: https://commits.webkit.org/272448.6@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.51@webkitglib/2.44
Commit: f25f53fda80ea5dc14dc099221db8acffd3a32cc
https://github.com/WebKit/WebKit/commit/f25f53fda80ea5dc14dc099221db8acffd3a32cc
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/encodeframe.c
Log Message:
-----------
Cherry-pick 272448.9 at safari-7618-branch (965fd49504ed). rdar://119595026
Potential 'overflow' issue commited to upstream libwebrtc
rdar://119595026
Reviewed by Jean-Yves Avenard.
Cherry-picking of https://github.com/webmproject/libvpx/commit/193b1511956f1732a8d54041a26ca9633a92abf9
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc:
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/encodeframe.c:
(encode_mb_row):
Canonical link: https://commits.webkit.org/272448.9@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.52@webkitglib/2.44
Commit: 2c491b0134f2115d102dd85b7c6d2be859fee121
https://github.com/WebKit/WebKit/commit/2c491b0134f2115d102dd85b7c6d2be859fee121
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt
M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt
M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html
M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt
M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html
M LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html
M LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
M LayoutTests/platform/ios/TestExpectations
M LayoutTests/platform/mac-wk1/TestExpectations
M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
Log Message:
-----------
Cherry-pick 272448.10 at safari-7618-branch (b856378e0a55). rdar://116054889
Plaintext Ping requests not blocked by mixed-content checks (262117)
rdar://116054889
Reviewed by Alex Christensen.
Enforce mixed content checks for beacons and poings, like we do for regular xhr/fetch.
This aligns the behavior with Chrome and Firefox.
We have to change some tests so that preloads kick in deterministically.
Preloads might not kick in if an early JS resource is already in the cache.
We therefore clear the memory cache to ensure dump-securitypolicyviolation-and-notify-done.js gets fetched again, which will trigger both preload and resource load.
Otherwise, we will get only one CONSOLE MESSAGE for the actual blocked load.
We also have to change some tests so that they use HTTPS and not HTTP.
* LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html:
* LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html:
* LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt: Removed.
* LayoutTests/platform/ios/TestExpectations:
* LayoutTests/platform/mac-wk1/TestExpectations:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):
Canonical link: https://commits.webkit.org/272448.10@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.53@webkitglib/2.44
Commit: a430b08533483b9996110a1c926b7b28f0e7289d
https://github.com/WebKit/WebKit/commit/a430b08533483b9996110a1c926b7b28f0e7289d
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/ruby/ruby-base-content-should-not-wrap-expected.html
A LayoutTests/fast/ruby/ruby-base-content-should-not-wrap.html
M Source/WebCore/layout/formattingContexts/inline/InlineFormattingUtils.cpp
Log Message:
-----------
Cherry-pick 2c41110b8852. https://bugs.webkit.org/show_bug.cgi?id=269235
[IFC][Ruby] Ruby base content may wrap even when style says no
https://bugs.webkit.org/show_bug.cgi?id=269235
<rdar://122811940>
Reviewed by Antti Koivisto.
There's no soft wrap opportunity between 2 adjacent non-whitespace characters when style says nowrap.
* LayoutTests/fast/ruby/ruby-base-content-should-not-wrap-expected.html: Added.
* LayoutTests/fast/ruby/ruby-base-content-should-not-wrap.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineFormattingUtils.cpp:
(WebCore::Layout::isAtSoftWrapOpportunity):
Canonical link: https://commits.webkit.org/272448.537@safari-7618-branch
Identifier: 272448.559 at safari-7618.1.15.10-branch
Canonical link: https://commits.webkit.org/274313.54@webkitglib/2.44
Commit: 88dc13476135a2e67d641ed3e8d2fb2d968f8a52
https://github.com/WebKit/WebKit/commit/88dc13476135a2e67d641ed3e8d2fb2d968f8a52
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
Log Message:
-----------
Cherry-pick 8179ae2db1bf. <bug>
Clean up JSC shell entitlements to fix RAMificaton.
rdar://122826926
Reviewed by Yusuke Suzuki.
In https://commits.webkit.org/272448.472@safari-7618-branch, we switched
to the new allow-jit entitlement. This broke RAMiciation runs because
the JSC binary doesn't have the com.apple.developer.web-browser-engine.webcontent
entitlement. This patch adds it.
* Source/JavaScriptCore/Scripts/process-entitlements.sh:
Canonical link: https://commits.webkit.org/272448.538@safari-7618-branch
Identifier: 272448.571 at safari-7618.1.15.10-branch
Canonical link: https://commits.webkit.org/274313.55@webkitglib/2.44
Commit: b44ec3533719afd748f0d3d60ab5fd8965641f29
https://github.com/WebKit/WebKit/commit/b44ec3533719afd748f0d3d60ab5fd8965641f29
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html
A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html
A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers
A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html
A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html
A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers
A LayoutTests/http/wpt/content-security-policy/resources/dummy.js
M Source/WebCore/html/parser/HTMLConstructionSite.cpp
Log Message:
-----------
Cherry-pick 272448.25 at safari-7618-branch (d43f7eafe9c4). https://bugs.webkit.org/show_bug.cgi?id=267241
Bug in the HTML parser makes it possible to bypass `nonce` attribute hiding
https://bugs.webkit.org/show_bug.cgi?id=267241
rdar://120056084
Reviewed by Ryosuke Niwa.
Per the HTML specification [1], the `nonce` attribute is supposed to get hidden by
the user agent once the element gets connected to the document. This means that we
remove the `nonce` attribute and store its value in an internal field.
The intention is that elements only expose their nonce via their `nonce` property
to scripts, and not to side-channels like CSS attribute selectors.
The HTML specification [2] also says that when encountering a duplicate <body> or
<html> tag, we should merge the attributes from the duplicate element to the original
once. When this happened, we could move the `nonce` attribute from a duplicate <body>
/ <html> to the original element and it would not get hidden since the original element
is already connected to the document.
To address the issue, we now add special handling for the `nonce` attribute upon merging:
1. We discard the duplicate element's `nonce` attribute if the original element [[nonce]]
internal field is already set (meaning the element already has a nonce).
2. If the original element doesn't have a `nonce` we do merge the attribute and then call
the logic to hide the `nonce` right away.
[1] https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes:include-2
[2] https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html: Added.
* LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/resources/dummy.js: Added.
Add test coverage.
* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):
Canonical link: https://commits.webkit.org/272448.25@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.56@webkitglib/2.44
Commit: 2b28f8e04865b48b808be6cda2245138de93cc5f
https://github.com/WebKit/WebKit/commit/2b28f8e04865b48b808be6cda2245138de93cc5f
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt
A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html
M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
Log Message:
-----------
Cherry-pick 272448.26 at safari-7618-branch (6eed83460548). https://bugs.webkit.org/show_bug.cgi?id=267270
Out-of-flow line break box does not initiate render layer
https://bugs.webkit.org/show_bug.cgi?id=267270
rdar://120662818
Reviewed by Antti Koivisto.
1. Let's not assume that an out-of-flow box is a type of RenderBox (e.g. line break)
2. Not all out-of-flow positioned boxes trigger layers.
* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt: Added.
* LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html: Added.
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::shiftLinesBy):
Canonical link: https://commits.webkit.org/272448.26@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.57@webkitglib/2.44
Commit: dafa1ea85b17155cf5596631f6315bd0e7df872c
https://github.com/WebKit/WebKit/commit/dafa1ea85b17155cf5596631f6315bd0e7df872c
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/text/out-of-flow-line-break-crash-expected.txt
A LayoutTests/fast/text/out-of-flow-line-break-crash.html
M Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp
M Source/WebCore/layout/formattingContexts/inline/TextOnlySimpleLineBuilder.cpp
Log Message:
-----------
Cherry-pick 272448.28 at safari-7618-branch (2658caa71663). https://bugs.webkit.org/show_bug.cgi?id=267268
[IFC] Do not treat out-of-flow line break as text content
https://bugs.webkit.org/show_bug.cgi?id=267268
rdar://120662940
Reviewed by Antti Koivisto.
Out-of-flow line break is not eligible for simplified (text-only) line building.
* LayoutTests/fast/text/out-of-flow-line-break-crash-expected.txt: Added.
* LayoutTests/fast/text/out-of-flow-line-break-crash.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp:
(WebCore::Layout::isTextOrLineBreak):
* Source/WebCore/layout/formattingContexts/inline/TextOnlySimpleLineBuilder.cpp:
(WebCore::Layout::TextOnlySimpleLineBuilder::placeNonWrappingInlineTextContent):
Canonical link: https://commits.webkit.org/272448.28@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.58@webkitglib/2.44
Commit: f5995f4872fef3f5f501d0ac9e113610971b99ba
https://github.com/WebKit/WebKit/commit/f5995f4872fef3f5f501d0ac9e113610971b99ba
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.74 at safari-7618-branch (7bd07231e704). https://bugs.webkit.org/show_bug.cgi?id=267036
Should crash when deserializing JSArray object containing named property length
https://bugs.webkit.org/show_bug.cgi?id=267036
rdar://120410983
Reviewed by Sihui Liu and Mark Lam.
`length` is treated as a special property in JSArray. There shouldn't
be any named property `length` in JSArray. So, should crash when
deserializing JSArray object containing named property `length`.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::objectStartVisitMember):
(WebCore::CloneDeserializer::objectEndVisitMember):
(WebCore::CloneDeserializer::deserialize):
Canonical link: https://commits.webkit.org/272448.74@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.59@webkitglib/2.44
Commit: 9f83080fb196b4cce89d943f759743521fd61ffe
https://github.com/WebKit/WebKit/commit/9f83080fb196b4cce89d943f759743521fd61ffe
Author: Erica Li <lerica at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt
A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html
M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
M Source/WebCore/rendering/RenderInline.cpp
Log Message:
-----------
Cherry-pick 272448.75 at safari-7618-branch (2534e02e1983). https://bugs.webkit.org/show_bug.cgi?id=266567.
ASAN_SEGV | Hard null deref |LayoutIntegration::BoxTree::layoutBoxForRenderer; LayoutIntegration::LineLayout::enclosingBorderBoxRectFor; WebCore::RenderInline::linesBoundingBox.
https://bugs.webkit.org/show_bug.cgi?id=266567.
rdar://114586645.
Reviewed by Alan Baradlay.
similar to 107979394, apply handling for repainting a freshly inserted sticky inline box.
* LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt: Added.
* LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html: Added.
* LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline for rdar://119187070.
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::linesBoundingBox const):
Canonical link: https://commits.webkit.org/272448.75@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.60@webkitglib/2.44
Commit: b99816d88b90129cb7300a41a6a8c3884f93035f
https://github.com/WebKit/WebKit/commit/b99816d88b90129cb7300a41a6a8c3884f93035f
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash-expected.txt
A LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash.html
M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp
M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.h
M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.h
M Source/WebCore/rendering/RenderBlockFlow.cpp
Log Message:
-----------
Cherry-pick 272448.98 at safari-7618-branch (77a82bb2bcde). https://bugs.webkit.org/show_bug.cgi?id=267141
Do not repaint newly moved inline box
https://bugs.webkit.org/show_bug.cgi?id=267141
rdar://120555470
Reviewed by Antti Koivisto.
1. Repaint needs uptodate geometry information to compute the damaged area
2. Whenever we invalidate the line layout path, we lose all geometry information so a full repaint is being issued on the very first invalidation.
(note that there may be multiple mutations happening the same time)
This patch ensures that such repaints are _not_ issued on newly inserted content.
Since we don't keep track of whether a particular renderer has already issued repaint, moving renders between blocks could
potentially be repainted twice; initially when they get detached and later when they get inserted at their new position.
Repaint issued at this later stage most likely results in incorrectly computed damage area as all relevant geometries are
relative to the former block -and in some cases it may even trigger crashes as we don't find associated layout/display boxes in
the new block.
* LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash-expected.txt: Added.
* LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash.html: Added.
* Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:
(WebCore::LayoutIntegration::BoxTree::contains const):
* Source/WebCore/layout/integration/LayoutIntegrationBoxTree.h:
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::contains const):
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.h:
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::invalidateLineLayoutPath):
Canonical link: https://commits.webkit.org/272448.98@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.61@webkitglib/2.44
Commit: f5909af7891338f7e7227d52235bc26cdf7d2ec5
https://github.com/WebKit/WebKit/commit/f5909af7891338f7e7227d52235bc26cdf7d2ec5
Author: Ryan Reno <rreno at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentLoader.h
Log Message:
-----------
Cherry-pick 272448.100 at safari-7618-branch (7f3ac60a98fc). https://bugs.webkit.org/show_bug.cgi?id=264811
Content-Type x-mixed-replace can be abused to bypass CSP
https://bugs.webkit.org/show_bug.cgi?id=264811
rdar://118394343
Reviewed by John Wilander and Brent Fulgham.
When replacing the document in a multipart/x-mixed-replace response, the
DocumentLoader would reset its CSP every time a new response was received.
This change makes the CSP persistent across document replacements when
loading multipart content. Now the CSP can only become more restrictive
as new parts are received.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py: Added.
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::shouldClearContentSecurityPolicyForResponse const):
(WebCore::DocumentLoader::responseReceived):
* Source/WebCore/loader/DocumentLoader.h:
Canonical link: https://commits.webkit.org/272448.100@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.62@webkitglib/2.44
Commit: 2790c9e1e613162a1124c8b991644b5cd210ce64
https://github.com/WebKit/WebKit/commit/2790c9e1e613162a1124c8b991644b5cd210ce64
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/JavaScriptCore/runtime/CommonSlowPaths.h
M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
M Source/JavaScriptCore/runtime/JSFunction.cpp
M Source/JavaScriptCore/runtime/JSFunction.h
M Source/JavaScriptCore/runtime/JSFunctionInlines.h
Log Message:
-----------
Cherry-pick 272448.101 at safari-7618-branch (70ca9c1f54a0). https://bugs.webkit.org/show_bug.cgi?id=267380
[JSC] setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction shouldn't be called if it fails to reify the property
https://bugs.webkit.org/show_bug.cgi?id=267380
rdar://118761737
Reviewed by Yusuke Suzuki.
setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction
can be called if JSFunction::put() fails to reify the property. This case may
cause inconsistency between the AI and the runtime environment.
* Source/JavaScriptCore/runtime/JSFunction.cpp:
(JSC::JSFunction::put):
Canonical link: https://commits.webkit.org/272448.101@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.63@webkitglib/2.44
Commit: b1cf6ce13e4fbb277bf1314c1adf0dc85c210385
https://github.com/WebKit/WebKit/commit/b1cf6ce13e4fbb277bf1314c1adf0dc85c210385
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt
A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html
M Source/WebCore/rendering/RenderBlockFlow.cpp
Log Message:
-----------
Cherry-pick 272448.102 at safari-7618-branch (6d2f579ca0ad). https://bugs.webkit.org/show_bug.cgi?id=267487
Invalidate existing inline layout content when simplified out-of-flow is sufficient
https://bugs.webkit.org/show_bug.cgi?id=267487
rdar://120496542
Reviewed by Antti Koivisto.
Do not leave stale inline content around.
* LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt: Added.
* LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::layoutModernLines):
Canonical link: https://commits.webkit.org/272448.102@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.64@webkitglib/2.44
Commit: a625ceb2c781e8515667fc874986a364109006d5
https://github.com/WebKit/WebKit/commit/a625ceb2c781e8515667fc874986a364109006d5
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A JSTests/stress/regress-120777816.js
M Source/JavaScriptCore/builtins/ProxyHelpers.js
M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/runtime/ProxyObject.cpp
Log Message:
-----------
Cherry-pick 272448.103 at safari-7618-branch (e3a75800fe85). https://bugs.webkit.org/show_bug.cgi?id=267425
[JSC] get_by_id_with_this + ProxyObject can leak JSScope objects
https://bugs.webkit.org/show_bug.cgi?id=267425
<rdar://120777816>
Reviewed by Yusuke Suzuki and Justin Michaud.
According to the spec [1], `var base = { foo }; with (base) foo();` should be called with `this`
value of `base`, which is why FunctionCallResolveNode moves resolved scope to thisRegister().
That is arguably a bad design, and there is an effort [2] to abolish using JSScope as `this` value.
When `this` value is accessed by JS code, it's being sanitized via ToThis (JSScope replaced with
`undefined`), yet not in case of `super.property` access calling into ProxyObject `get` trap,
which passes raw `this` value as receiver parameter, leaking JSScope to be exploited.
For performance reasons, we can't call toThis() whenever `get_by_id_with_this` is used, so this
change introduces @toThis() intrinsic specifically for ProxyObject IC helpers, tweaks DFG to respect
`m_srcDst`, and also fixes baseline code.
Inlineability of ProxyObject IC helpers was verified to remain unaffected (`performProxyObjectGet`
is smaller then 120 while other helpers were already exceeding inline size limit).
[1]: https://tc39.es/ecma262/#sec-evaluatecall (step 1.b.iii)
[2]: https://bugs.webkit.org/show_bug.cgi?id=225397
* JSTests/stress/regress-120777816.js: Added.
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectGet):
(linkTimeConstant.performProxyObjectGetByVal):
(linkTimeConstant.performProxyObjectSetSloppy):
(linkTimeConstant.performProxyObjectSetStrict):
* Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitToThis):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToThis):
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toThis):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::getThis): Deleted.
(JSC::DFG::ByteCodeParser::setThis): Deleted.
* Source/JavaScriptCore/runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performPut):
Canonical link: https://commits.webkit.org/272448.103@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.65@webkitglib/2.44
Commit: 73ee7cb37f540201ba8010e704f0774932527989
https://github.com/WebKit/WebKit/commit/73ee7cb37f540201ba8010e704f0774932527989
Author: Erica Li <lerica at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt
A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html
M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
M Source/WebCore/rendering/RenderTable.cpp
Log Message:
-----------
Cherry-pick 272448.104 at safari-7618-branch (8737c0374652). https://bugs.webkit.org/show_bug.cgi?id=267198
ASAN_ILL | WebCore::RenderTableSection::layoutRows; WebCore::RenderTable::simplifiedNormalFlowLayout; WebCore::RenderBlock::simplifiedLayout.
https://bugs.webkit.org/show_bug.cgi?id=267198
rdar://113940614
Reviewed by Alan Baradlay.
Always setChildNeedsLayout for sections to make sure normalChildNeedsLayout is flagged,
as for pagination we need to run a full layout on child table sections even when the initial change,
otherwise requires simplified layout only.
* LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt: Added.
* LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html: Added.
* LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline again, adding end of line back.
* Source/WebCore/rendering/RenderTable.cpp:
(WebCore::RenderTable::markForPaginationRelayoutIfNeeded):
Canonical link: https://commits.webkit.org/272448.104@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.66@webkitglib/2.44
Commit: 1e60cb5df0cafe5d9b9a457267f1166f3a504f70
https://github.com/WebKit/WebKit/commit/1e60cb5df0cafe5d9b9a457267f1166f3a504f70
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/dom/html/document-renderobject-null-crash-expected.txt
A LayoutTests/dom/html/document-renderobject-null-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick 272448.251 at safari-7618-branch (9baf7178103b). https://bugs.webkit.org/show_bug.cgi?id=267297
"NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebCore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy"
https://bugs.webkit.org/show_bug.cgi?id=267297
rdar://119186861.
Reviewed by Alan Baradlay.
Document::caretPositionFromPoint API is using CheckPtr to get RenderObject
even though the Object is already destroyed. In order to make sure CheckedPtr
is valid the render needs to be destroyed earlier not after. Using updateLayoutIgnorePendingStylesheets API for uptodate renderer tree.
* LayoutTests/dom/html/document-renderobject-null-crash-expected.txt: Added test expected file.
* LayoutTests/dom/html/document-renderobject-null-crash.html: Added test case.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::caretPositionFromPoint): Added updateLayoutIgnorePendingStylesheets to get updated renderer tree before using CheckedPtr.
Canonical link: https://commits.webkit.org/272448.251@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.67@webkitglib/2.44
Commit: 8240207120d88887aeae9aaa8b76dac2c4ad67e4
https://github.com/WebKit/WebKit/commit/8240207120d88887aeae9aaa8b76dac2c4ad67e4
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt
A LayoutTests/fast/rendering/render-compositor-null-layer-crash.html
M Source/WebCore/rendering/RenderLayerCompositor.cpp
Log Message:
-----------
Cherry-pick 272448.252 at safari-7618-branch (a7977801dff3). https://bugs.webkit.org/show_bug.cgi?id=265820
NULL pointer : crash under RenderLayerCompositor::scrollableAreaForScrollingNodeID()
https://bugs.webkit.org/show_bug.cgi?id=265820
rdar://118424482.
Reviewed by Simon Fraser.
Null RenderLayer pointer in RenderLayerCompositor::scrollableAreaForScrollingNodeID().
As the RenderLayerCompositor has a HashMap which provides a WeakPtr to RenderLayer but the validity
of this object is not checked before using.
* LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt: Added test expected file.
* LayoutTests/fast/rendering/render-compositor-null-layer-crash.html: Added test case.
* Source/WebCore/rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::scrollableAreaForScrollingNodeID const): Checked validity of WeakPtr to RenderLayer before accessing it.
Canonical link: https://commits.webkit.org/272448.252@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.68@webkitglib/2.44
Commit: bb20f3e1ac357080e8ac2cd801ceeff7f68e11af
https://github.com/WebKit/WebKit/commit/bb20f3e1ac357080e8ac2cd801ceeff7f68e11af
Author: Ryosuke Niwa <rniwa at webkit.org>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/fast/images/image-document-event-handler-crash-expected.txt
A LayoutTests/fast/images/image-document-event-handler-crash.html
M Source/WebCore/html/ImageDocument.cpp
Log Message:
-----------
Cherry-pick 272448.253 at safari-7618-branch (b417dff04acd). https://bugs.webkit.org/show_bug.cgi?id=267739
Crash in ImageEventListener::handleEvent
https://bugs.webkit.org/show_bug.cgi?id=267739
rdar://118761846
Reviewed by Chris Dumez.
Use WeakPtr instead of a raw reference.
* LayoutTests/fast/images/image-document-event-handler-crash-expected.txt: Added.
* LayoutTests/fast/images/image-document-event-handler-crash.html: Added.
* Source/WebCore/html/ImageDocument.cpp:
(WebCore::ImageEventListener::handleEvent):
Canonical link: https://commits.webkit.org/272448.253@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.69@webkitglib/2.44
Commit: b1e590214277ea78d34055992c3f2c2c956f0af5
https://github.com/WebKit/WebKit/commit/b1e590214277ea78d34055992c3f2c2c956f0af5
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M JSTests/stress/intl-collator.js
M JSTests/stress/intl-datetimeformat.js
M JSTests/stress/intl-numberformat.js
M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
Log Message:
-----------
Cherry-pick 272448.254 at safari-7618-branch (5173338bb6f1). https://bugs.webkit.org/show_bug.cgi?id=267725
[JSC] Use dynamic cast in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat
https://bugs.webkit.org/show_bug.cgi?id=267725
rdar://121029647
Reviewed by Yusuke Suzuki and Mark Lam.
We should ensure `thisValue` is the desired object. So, should use dynamic
cast instead in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime,
and intlNumberFormatFuncFormat.
* Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/272448.254@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.70@webkitglib/2.44
Commit: 0b776b9a8f1653fa8eaef4babe8d427f946e7c20
https://github.com/WebKit/WebKit/commit/0b776b9a8f1653fa8eaef4babe8d427f946e7c20
Author: Nisha Jain <nisha_jain at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/html/HTMLPlugInImageElement.cpp
Log Message:
-----------
Cherry-pick 272448.257 at safari-7618-branch (23c6a88ad691). https://bugs.webkit.org/show_bug.cgi?id=267656
"ASAN_SEGV | WebCore::Style::resolveForDocument; WebCore::Document::styleForElementIgnoringPendingStylesheets; WebCore::Element::resolveComputedStyle"
https://bugs.webkit.org/show_bug.cgi?id=267656
rdar://119187152.
Reviewed by Ryosuke Niwa.
Need to prevent attempt to load a disconnected plugin.
Not adding a new test case as could not make a reliable reproduction of this issue.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):
Canonical link: https://commits.webkit.org/272448.257@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.71@webkitglib/2.44
Commit: 26a621673d19d5f2221d17da80b75959cf9cf497
https://github.com/WebKit/WebKit/commit/26a621673d19d5f2221d17da80b75959cf9cf497
Author: Scott Marcy <mscott at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/invalid-message-to-addTrackBuffer-expected.txt
A LayoutTests/ipc/invalid-message-to-addTrackBuffer.html
M Source/WebKit/GPUProcess/media/RemoteSourceBufferProxy.cpp
Log Message:
-----------
Cherry-pick 272448.259 at safari-7618-branch (60f8c4667d7a). <bug>
rdar://119489615 ([CoreIPC] SEGV in WebKit::RemoteSourceBufferProxy::addTrackBuffer)
Checks that the TrackPrivateRemoteIdentifier argument for the IPC call RemoteSourceBufferProxy::addTrackBuffer() is valid and invalidates the IPC message if not.
Reviewed by David Kilzer.
If the TrackPrivateRemoteIdentifier value is not a known value, the IPC message will be marked as invalid, which is supposed
to crash the content process thereby thwarting any attempted attack through this mechanism.
* LayoutTests/TestExpectations:
* LayoutTests/ipc/invalid-message-to-addTrackBuffer-expected.txt: Added.
* LayoutTests/ipc/invalid-message-to-addTrackBuffer.html: Added.
* Source/WebKit/GPUProcess/media/RemoteSourceBufferProxy.cpp:
(WebKit::RemoteSourceBufferProxy::addTrackBuffer):
Canonical link: https://commits.webkit.org/272448.259@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.72@webkitglib/2.44
Commit: 864a655d7dc8dbb9543814087db2298a962d2e8e
https://github.com/WebKit/WebKit/commit/864a655d7dc8dbb9543814087db2298a962d2e8e
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A JSTests/stress/error-instance.js
M Source/JavaScriptCore/runtime/ErrorInstance.cpp
Log Message:
-----------
Cherry-pick 272448.260 at safari-7618-branch (ade92866440e). https://bugs.webkit.org/show_bug.cgi?id=267785
[JSC] Fix Re-entrancy in ErrorInstance::computeErrorInfo
https://bugs.webkit.org/show_bug.cgi?id=267785
rdar://121098660
Reviewed by Yusuke Suzuki.
ErrorInstance::computeErrorInfo computes stack trace string, which may
trigger GC and re-enter to this function with the same ErrorInstance
while computing the stack string. We should defer GC after stacking trace
string is materialized.
* JSTests/stress/error-instance.js: Added.
(main.const.error):
(main):
* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::computeErrorInfo):
Canonical link: https://commits.webkit.org/272448.260@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.73@webkitglib/2.44
Commit: ce8fd1fe3d066a1e34e4f8da170f2490b39f2594
https://github.com/WebKit/WebKit/commit/ce8fd1fe3d066a1e34e4f8da170f2490b39f2594
Author: Michael Saboff <msaboff at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M JSTests/stress/arrow-function-captured-arguments-aliased.js
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
Log Message:
-----------
Cherry-pick 272448.339 at safari-7618-branch (66df5c618c1c). https://bugs.webkit.org/show_bug.cgi?id=267946
ASSERTION FAILED: watchpoints (./runtime/ScopedArgumentsTable.cpp(130))
rdar://121446658
https://bugs.webkit.org/show_bug.cgi?id=267946
Reviewed by Alexey Shvayka.
Insatead of using an ASSERT that we have a valid WatchpointSet in ScopedArgumentsTable::trySetWatchpointSet(), we can just
exit early if the passed in WatchpointSet is null. This can happen if the JIT is not enabled.
Updated the test to run both with and wothout the JIT.
* JSTests/stress/arrow-function-captured-arguments-aliased.js:
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::trySetWatchpointSet):
Canonical link: https://commits.webkit.org/272448.339@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.74@webkitglib/2.44
Commit: c5b3362395f1cf0ecd6996bdd43642b54bf84437
https://github.com/WebKit/WebKit/commit/c5b3362395f1cf0ecd6996bdd43642b54bf84437
Author: Mark Lam <mark.lam at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map-expected.txt
A LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Cherry-pick 272448.347 at safari-7618-branch (5546b2ee36b5). https://bugs.webkit.org/show_bug.cgi?id=267971
CachedString::m_jsString is not protected from GC in CloneDeserializer.
https://bugs.webkit.org/show_bug.cgi?id=267971
rdar://120531481
Reviewed by Chris Dumez.
The fix is simply to protect it with the m_keepAliveBuffer. Also moved the m_keepAliveBuffer from
CloneSerializer to CloneBase. Previously, I thought that only the serializer needs it. Now, we
have a case where the deserializer does too.
* LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map-expected.txt: Added.
* LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map.html: Added.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::CachedString::jsString):
(WebCore::CloneDeserializer::readTerminal):
Canonical link: https://commits.webkit.org/272448.347@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.75@webkitglib/2.44
Commit: 611720ecf676648f33d2db5faf1aed2f4155f1ed
https://github.com/WebKit/WebKit/commit/611720ecf676648f33d2db5faf1aed2f4155f1ed
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/html/HTMLPlugInImageElement.cpp
Log Message:
-----------
Cherry-pick 272448.355 at safari-7618-branch (99b063d917a4). https://bugs.webkit.org/show_bug.cgi?id=268010
Regression(267815.354 at safari-7617-branch) ASSERTION FAILED: ownerElement.document().frame() in the tests
https://bugs.webkit.org/show_bug.cgi?id=268010
rdar://121528243
Reviewed by Ryosuke Niwa and Geoffrey Garen.
In 267815.354 at safari-7617-branch, we updated HTMLPlugInImageElement::requestObject()
to call SubframeLoader::requestObject() asynchronously. Previously, when we called
SubframeLoader::requestObject() the frame owner element's document would still be
connected (i.e. have a frame) and it was enforced by an assertion both in
HTMLPlugInImageElement::requestObject() and SubframeLoader::requestObject().
After my change in 267815.354 at safari-7617-branch, the assertion in
SubframeLoader::requestObject() would sometimes fail as this code now runs
asynchronously and the state of the DOM tree may have changed in between.
To address the issue, check if the document still have a frame when the async
lambda runs and return early if it doesn't. There is no point in loading a subframe
in a document that was detached.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):
Canonical link: https://commits.webkit.org/272448.355@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.76@webkitglib/2.44
Commit: 1d059ea33da3b6e09f2aaa035cd35cb21f2b1295
https://github.com/WebKit/WebKit/commit/1d059ea33da3b6e09f2aaa035cd35cb21f2b1295
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/editing/TextManipulationController.cpp
Log Message:
-----------
Cherry-pick 272448.385 at safari-7618-branch (2d3dc03ecbbc). https://bugs.webkit.org/show_bug.cgi?id=268235
Bad cast in TextManipulationController::scheduleObservationUpdate()
https://bugs.webkit.org/show_bug.cgi?id=268235
rdar://121646850
Reviewed by Wenson Hsieh.
Convert the downcast<>() into a dynamicDowncast<>() since the common ancestor
is not guaranteed to be an Element.
I have not been able to reproduce but it is happening in the wild.
* Source/WebCore/editing/TextManipulationController.cpp:
(WebCore::TextManipulationController::scheduleObservationUpdate):
Canonical link: https://commits.webkit.org/272448.385@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.77@webkitglib/2.44
Commit: acab2b845a2a15319f042989387a8ce81210d828
https://github.com/WebKit/WebKit/commit/acab2b845a2a15319f042989387a8ce81210d828
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm
M Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h
M Source/WebKit/UIProcess/WebProcessPool.cpp
M Source/WebKit/UIProcess/WebProcessPool.h
M Source/WebKit/UIProcess/WebProcessProxy.cpp
M Source/WebKit/UIProcess/WebProcessProxy.h
M Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp
M Source/WebKit/WebProcess/Storage/WebSharedWorkerContextManagerConnection.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm
Log Message:
-----------
Cherry-pick 272448.386 at safari-7618-branch (dd435ec50671). https://bugs.webkit.org/show_bug.cgi?id=268183
Remote worker processes may not obey the lockdown mode setting
https://bugs.webkit.org/show_bug.cgi?id=268183
rdar://121617300
Reviewed by Youenn Fablet.
Make sure we carry over the requesting process' lockdown mode state to the
newly created process when we decide to launch a remote worker process.
Also make sure that the settings that are meant to be disabled in lockdown
mode also get disabled in the remote worker contexts, not just in page/window
contexts.
* Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm:
(-[WKProcessPool _isJITDisabledInAllServiceWorkerProcesses:]):
* Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):
(WebKit::WebProcessPool::isJITDisabledInAllServiceWorkerProcesses const):
* Source/WebKit/UIProcess/WebProcessPool.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::createForRemoteWorkers):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm:
Canonical link: https://commits.webkit.org/272448.386@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.78@webkitglib/2.44
Commit: e1ea49a668e7a70d67acc791449bb72464685b1e
https://github.com/WebKit/WebKit/commit/e1ea49a668e7a70d67acc791449bb72464685b1e
Author: Erica Li <lerica at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
A LayoutTests/media/audio-remove-playback-crash-expected.txt
A LayoutTests/media/audio-remove-playback-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick 272448.387 at safari-7618-branch (303478e273bd). rdar://120661908
ASAN_ILL | WebCore::Document::removePlaybackTargetPickerClient.
rdar://120661908
Reviewed by Chris Dumez.
Unable to ref the page from removePlaybackTargetPickerClient as it may have started destruction.
* LayoutTests/media/audio-remove-playback-crash-expected.txt: Added.
* LayoutTests/media/audio-remove-playback-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::removePlaybackTargetPickerClient):
Canonical link: https://commits.webkit.org/272448.387@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.79@webkitglib/2.44
Commit: 9987ecf027f9022e0c1fd87e388c419d454c1cce
https://github.com/WebKit/WebKit/commit/9987ecf027f9022e0c1fd87e388c419d454c1cce
Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/UIProcess/mac/WebViewImpl.h
M Source/WebKit/UIProcess/mac/WebViewImpl.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm
Log Message:
-----------
Cherry-pick 272448.388 at safari-7618-branch (7047e8e918da). https://bugs.webkit.org/show_bug.cgi?id=268198
[macOS] Pointer Lock should disengage when client windows present a sheet
https://bugs.webkit.org/show_bug.cgi?id=268198
rdar://121694233
Reviewed by Aditya Keerthi.
The Pointer Lock API is susceptible to abuse by nefarious webpages since
they can (programmatically or otherwise) make client windows show alerts
or permission granting sheets while pointer lock is engaged. Since our
current implementation of pointer lock stays engaged even when the
client window presents a sheet, it leaves the user in a compromised
state where they both don't know the location of the mouse cursor and
don't have a way to exit the pointer lock state (since the client window
where pointer lock is engaged is no longer focused or the key window).
This patch addresses this vulnerability by registering observers for the
NSWindowWillBeginSheetNotification notification on the WebView's current
window, and then requesting for pointer lock to be disengaged whenever
we receive a notification that said window will begin presenting a
sheet.
Test case added in WebKit.ClientDisplaysAlertSheetWhilePointerLockActive
that asserts we successfully exit pointer lock when a client window
presents an alert sheet. It also tests that we can successfully re-enter
pointer lock afterwards.
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/UIProcess/mac/WebViewImpl.h:
* Source/WebKit/UIProcess/mac/WebViewImpl.mm:
(-[WKWindowVisibilityObserver startObserving:]):
(-[WKWindowVisibilityObserver stopObserving:]):
(-[WKWindowVisibilityObserver _windowWillBeginSheet:]):
(WebKit::WebViewImpl::windowWillBeginSheet):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm:
(-[PointerLockDelegate resetState]):
(-[PointerLockDelegate waitForPointerLockEngaged]):
(-[PointerLockDelegate waitForPointerLockLost]):
(-[PointerLockDelegate _webViewDidRequestPointerLock:completionHandler:]):
(-[PointerLockDelegate _webViewDidLosePointerLock:]):
Canonical link: https://commits.webkit.org/272448.388@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.80@webkitglib/2.44
Commit: 7d5bbe94e557e1ffcecfc5ecd460267c1b016f90
https://github.com/WebKit/WebKit/commit/7d5bbe94e557e1ffcecfc5ecd460267c1b016f90
Author: Chris Dumez <cdumez at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
Log Message:
-----------
Cherry-pick 272448.421 at safari-7618-branch (25c11453b693). https://bugs.webkit.org/show_bug.cgi?id=268405
Bad cast under CachedResourceLoader::preload()
https://bugs.webkit.org/show_bug.cgi?id=268405
rdar://121745788
Reviewed by Brent Fulgham.
In CachedResourceLoader::preload() we were calling requestResource(type)
to get a resource. Then if the type we requested was `FontResource`, we
assumed the the CachedResource returned was a CachedFont and would cast
to that type. However, this cast ends up being incorrect in some cases.
I suspect this could happen when requesting resources with the same URL
but different types.
To address the issue, we now check the actual type of the returned
CachedResource before casting it.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::preload):
Canonical link: https://commits.webkit.org/272448.421@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.81@webkitglib/2.44
Commit: 115cca02ae77bcbe20aa97eb6de694d7c9d3c085
https://github.com/WebKit/WebKit/commit/115cca02ae77bcbe20aa97eb6de694d7c9d3c085
Author: Michael Saboff <msaboff at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/JavaScriptCore/runtime/ScopedArguments.h
M Source/JavaScriptCore/runtime/SymbolTable.cpp
M Source/JavaScriptCore/runtime/SymbolTable.h
Log Message:
-----------
Cherry-pick 272448.422 at safari-7618-branch (5bc92c9d5253). https://bugs.webkit.org/show_bug.cgi?id=268409
REGRESSION: JavaScriptCore: JSC::ScopedArguments::setIndexQuickly
https://bugs.webkit.org/show_bug.cgi?id=268409
rdar://121748005
Reviewed by Yusuke Suzuki.
A code inspection of the symbol table and scoped arguments code revealed that SymbolTable::cloneScopePart() doesn't
properly copy the ScopedArgumentsTable from the source. Since ScopedArguments point to the WatchpointSets in the
related SymbolTable, we need to create new WatchpointSets in the cloned SymbolTable and have the ScopedArguments
point to the related new WatchpointSets.
This is a speculative fix.
* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::cloneScopePart):
(JSC::SymbolTable::hasScopedWatchpointSet):
* Source/JavaScriptCore/runtime/SymbolTable.h:
Canonical link: https://commits.webkit.org/272448.422@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.82@webkitglib/2.44
Commit: d6e2b3f0c562260d3aebb8c49e754d27e985ec17
https://github.com/WebKit/WebKit/commit/d6e2b3f0c562260d3aebb8c49e754d27e985ec17
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/JavaScriptCore/runtime/ErrorInstance.cpp
Log Message:
-----------
Cherry-pick 272448.442 at safari-7618-branch (58204e87a044). https://bugs.webkit.org/show_bug.cgi?id=268489
[JSC] Use DeferGCForAWhile instead of DeferGC in computeErrorInfo
https://bugs.webkit.org/show_bug.cgi?id=268489
rdar://121906810
Reviewed by Mark Lam, Yusuke Suzuki and Justin Michaud.
ErrorInstance::computeErrorInfo can be called from GC's Heap::runEndPhase.
In the case, we should use DeferGCForAWhile instead of DeferGC since it
can trigger another GC in its destruction.
* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::computeErrorInfo):
Canonical link: https://commits.webkit.org/272448.442@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.83@webkitglib/2.44
Commit: c625381d9c851c3ee66647e2d68efabbdef49059
https://github.com/WebKit/WebKit/commit/c625381d9c851c3ee66647e2d68efabbdef49059
Author: Jean-Yves Avenard <jya at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in
Log Message:
-----------
Cherry-pick 272448.445 at safari-7618-branch (b60b2da0516d). rdar://107918233
Block "setMediaOverridesForTesting" media IPC endpoints when not testing
rdar://107918233
Reviewed by Youenn Fablet.
This is a continuation of 260935 at main, adding the setMediaOverridesForTesting to the list
of blocked IPC endpoints.
All involved tests already contains the required keywords.
* Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:
Canonical link: https://commits.webkit.org/272448.445@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.84@webkitglib/2.44
Commit: c41c2ae9b94315bba45c4c3cdce6fc0e33f213ea
https://github.com/WebKit/WebKit/commit/c41c2ae9b94315bba45c4c3cdce6fc0e33f213ea
Author: Justin Michaud <justin_michaud at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WTF/wtf/PlatformUse.h
Log Message:
-----------
Cherry-pick 272448.444 at safari-7618-branch (323a4029633e). https://bugs.webkit.org/show_bug.cgi?id=268467
Disable new JIT API until build issues are resolved
rdar://122018269
https://bugs.webkit.org/show_bug.cgi?id=268467
Reviewed by Mark Lam.
* Source/WTF/wtf/PlatformUse.h:
Canonical link: https://commits.webkit.org/272448.444@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.85@webkitglib/2.44
Commit: 3cf2b08d49dd72c6e5e43807940a1fe5c25c8905
https://github.com/WebKit/WebKit/commit/3cf2b08d49dd72c6e5e43807940a1fe5c25c8905
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-11 (Mon, 11 Mar 2024)
Changed paths:
M Source/WebCore/rendering/RenderInline.cpp
Log Message:
-----------
Cherry-pick 272448.456 at safari-7618-branch (66b364de9dfc). https://bugs.webkit.org/show_bug.cgi?id=268525
Inline box may not be present in the enclosing formatting context
https://bugs.webkit.org/show_bug.cgi?id=268525
rdar://119921061
Reviewed by Antti Koivisto.
Speculative fix when the (potentially damaged) inline box is not present in the enclosing formatting context.
This may happen when RenderInline::linesBoundingBox is called on a dirty tree after moving an inline box (<span>)
from a block to an other (but before clearing the tree by running layout).
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::linesBoundingBox const):
Canonical link: https://commits.webkit.org/272448.456@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.86@webkitglib/2.44
Compare: https://github.com/WebKit/WebKit/compare/5eb5ab62f15a...3cf2b08d49dd
To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
More information about the webkit-changes
mailing list