[webkit-changes] [WebKit/WebKit] fb9cb1: Cherry-pick 272448.472 at safari-7618-branch (7fdb5ce...

Alan Baradlay noreply at github.com
Mon Mar 11 02:17:09 PDT 2024


  Branch: refs/heads/webkitglib/2.44
  Home:   https://github.com/WebKit/WebKit
  Commit: fb9cb17cdb0d6281e68ef1709762d985c04130f2
      https://github.com/WebKit/WebKit/commit/fb9cb17cdb0d6281e68ef1709762d985c04130f2
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/Scripts/process-entitlements.sh
    M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
    M Source/WebKit/Scripts/process-entitlements.sh

  Log Message:
  -----------
  Cherry-pick 272448.472 at safari-7618-branch (7fdb5ce499c7). https://bugs.webkit.org/show_bug.cgi?id=267886

    Clean up some JSC entitlements.
    https://bugs.webkit.org/show_bug.cgi?id=267886
    rdar://121395716

    Reviewed by Justin Michaud, Per Arne Vollan, and Alexey Shvaika.

    * Source/JavaScriptCore/Scripts/process-entitlements.sh:
    * Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
    (JSC::isJITEnabled):
    (JSC::ExecutableAllocator::disableJIT):
    * Source/WebKit/Scripts/process-entitlements.sh:

    Canonical link: https://commits.webkit.org/272448.472@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.45@webkitglib/2.44


  Commit: 3ee62b21bc6bd6e65a60587d6417bf50ccd5852a
      https://github.com/WebKit/WebKit/commit/3ee62b21bc6bd6e65a60587d6417bf50ccd5852a
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp

  Log Message:
  -----------
  Cherry-pick 272448.473 at safari-7618-branch (00b3f3ccf06e). https://bugs.webkit.org/show_bug.cgi?id=268731

    Block "setMediaOverridesForTesting" media IPC endpoints when not testing and instead reset values
    https://bugs.webkit.org/show_bug.cgi?id=268731
    rdar://122218365

    Reviewed by Youenn Fablet.

    The fix in https://commits.webkit.org/272448.445@safari-7618-branch was insufficient as
    the setMediaOverridesForTesting IPC endpoints is also used to reset the flags to their default.

    So rather than disabling the IPC endpoints altogether we restrict its use to only reset
    the default values (which are all unset).

    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp:
    (WebKit::GPUConnectionToWebProcess::setMediaOverridesForTesting):
    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:

    Canonical link: https://commits.webkit.org/272448.473@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.46@webkitglib/2.44


  Commit: 891762765dc6693bf3fd623ab9ad8647d7c5a9c5
      https://github.com/WebKit/WebKit/commit/891762765dc6693bf3fd623ab9ad8647d7c5a9c5
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WTF/wtf/PlatformUse.h

  Log Message:
  -----------
  Cherry-pick 272448.493 at safari-7618-branch (3b4b355b9810). https://bugs.webkit.org/show_bug.cgi?id=268788

    Clean up JIT permissions configuration.
    https://bugs.webkit.org/show_bug.cgi?id=268788
    rdar://122141946

    Reviewed by Alexey Shvayka.

    * Source/WTF/wtf/PlatformUse.h:

    Canonical link: https://commits.webkit.org/272448.493@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.47@webkitglib/2.44


  Commit: e5cffbd4257d094055971bb9dbdd213874440645
      https://github.com/WebKit/WebKit/commit/e5cffbd4257d094055971bb9dbdd213874440645
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/Scripts/process-entitlements.sh
    M Source/WebKit/Scripts/process-entitlements.sh

  Log Message:
  -----------
  Cherry-pick 272448.494 at safari-7618-branch (0ebcda9ff537). https://bugs.webkit.org/show_bug.cgi?id=268792

    Refine application of new JIT entitlement for build fix.
    https://bugs.webkit.org/show_bug.cgi?id=268792
    rdar://122352736

    Reviewed by Tim Horton.

    * Source/JavaScriptCore/Scripts/process-entitlements.sh:
    * Source/WebKit/Scripts/process-entitlements.sh:

    Canonical link: https://commits.webkit.org/272448.494@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.48@webkitglib/2.44


  Commit: cf0035a96f0d01e4072f57e30cf4c473853156fe
      https://github.com/WebKit/WebKit/commit/cf0035a96f0d01e4072f57e30cf4c473853156fe
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt
    A LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html
    M Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp

  Log Message:
  -----------
  Cherry-pick 272448.2 at safari-7618-branch (18fd76f8a016). https://bugs.webkit.org/show_bug.cgi?id=266703

    Ensure Filesystem root path is not empty
    https://bugs.webkit.org/show_bug.cgi?id=266703
    rdar://119813501

    Reviewed by Chris Dumez.

    When the root path is empty, then the file's name can define an arbitrary
    filesystem path. This change ensures that the path is non-empty, therefore the
    virtual filesystem must be defined under a directory that the user selected.

    * LayoutTests/http/tests/security/file-system-access-via-dataTransfer-expected.txt: Added.
    * LayoutTests/http/tests/security/file-system-access-via-dataTransfer.html: Added.
    * Source/WebCore/Modules/entriesapi/DOMFileSystem.cpp:
    (WebCore::DOMFileSystem::getEntry):
    (WebCore::DOMFileSystem::getFile):

    Canonical link: https://commits.webkit.org/272448.2@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.49@webkitglib/2.44


  Commit: 9969ea40eb0fdedaaaab54af56a4dc5832787884
      https://github.com/WebKit/WebKit/commit/9969ea40eb0fdedaaaab54af56a4dc5832787884
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/GetPutInfo.h
    M Source/JavaScriptCore/runtime/ScopedArguments.cpp
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Cherry-pick 272448.5 at safari-7618-branch (97894699773c). https://bugs.webkit.org/show_bug.cgi?id=261934

    Scoped Arguments needs to alias between named and unnamed accesses and across nested scopes
    https://bugs.webkit.org/show_bug.cgi?id=261934
    rdar://114925088
    rdar://117838992

    Reviewed by Yusuke Suzuki.

    Fixed issue where an access to a named argument and a seperate access via its argument[i] counterpart weren't recognized throughout
    all JIT tiers as accesses to the same scoped value.  The DFG bytecode parser can unknowingly constant fold the read access.
    Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values.
    related objects

    Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the
    ScopedArgument entry for the matching index.  Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization
    initialization type in GetPutInfo to signify this shared watchpoint case.  Since currently all tiers write to scoped arguments
    via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint.

    Added a new test.

    * JSTests/stress/arrow-function-captured-arguments-aliased.js: Added.
    (createOptAll):
    (createOpt500):
    (createOpt2000):
    (createOpt5000):
    (main):
    * Source/JavaScriptCore/bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::finishCreation):
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
    * Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
    * Source/JavaScriptCore/runtime/GetPutInfo.h:
    (JSC::initializationModeName):
    (JSC::isInitialization):
    * Source/JavaScriptCore/runtime/ScopedArguments.cpp:
    (JSC::ScopedArguments::unmapArgument):
    * Source/JavaScriptCore/runtime/ScopedArguments.h:
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
    (JSC::ScopedArgumentsTable::tryCreate):
    (JSC::ScopedArgumentsTable::tryClone):
    (JSC::ScopedArgumentsTable::trySetLength):
    (JSC::ScopedArgumentsTable::trySetWatchpointSet):
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
    * Source/JavaScriptCore/runtime/SymbolTable.cpp:
    (JSC::SymbolTable::cloneScopePart):
    * Source/JavaScriptCore/runtime/SymbolTable.h:

    Canonical link: https://commits.webkit.org/272448.5@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.50@webkitglib/2.44


  Commit: 9d294ccb0b0197e090e8f196affc5409c77e7b1d
      https://github.com/WebKit/WebKit/commit/9d294ccb0b0197e090e8f196affc5409c77e7b1d
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/attribute-custom-accessor.js
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

  Log Message:
  -----------
  Cherry-pick 272448.6 at safari-7618-branch (24d1c08b9dfa). https://bugs.webkit.org/show_bug.cgi?id=266695

    [JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value
    https://bugs.webkit.org/show_bug.cgi?id=266695
    rdar://119854137

    Reviewed by Mark Lam.

    PropertyCondition::isValidValueForAttributes only handled accessors and values. And it
    didn't handle custom accessor / custom values. This patch changes it so that we can
    check custom accessor / custom value cases correctly.

    * JSTests/stress/attribute-custom-accessor.js: Added.
    (async asyncSleep):
    (setHasBeenDictionary):
    (watchToJSONForReplacements):
    (async watchLastMatchForReplacements.getLastMatch):
    (async watchLastMatchForReplacements):
    (const.target.toJSON):
    (opt):
    (async main):
    * Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
    (JSC::PropertyCondition::isValidValueForAttributes):

    Canonical link: https://commits.webkit.org/272448.6@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.51@webkitglib/2.44


  Commit: f25f53fda80ea5dc14dc099221db8acffd3a32cc
      https://github.com/WebKit/WebKit/commit/f25f53fda80ea5dc14dc099221db8acffd3a32cc
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc
    M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/encodeframe.c

  Log Message:
  -----------
  Cherry-pick 272448.9 at safari-7618-branch (965fd49504ed). rdar://119595026

    Potential 'overflow' issue commited to upstream libwebrtc
    rdar://119595026

    Reviewed by Jean-Yves Avenard.

    Cherry-picking of https://github.com/webmproject/libvpx/commit/193b1511956f1732a8d54041a26ca9633a92abf9

    * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc:
    * Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/encoder/encodeframe.c:
    (encode_mb_row):

    Canonical link: https://commits.webkit.org/272448.9@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.52@webkitglib/2.44


  Commit: 2c491b0134f2115d102dd85b7c6d2be859fee121
      https://github.com/WebKit/WebKit/commit/2c491b0134f2115d102dd85b7c6d2be859fee121
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt
    M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt
    M LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html
    M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt
    M LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html
    M LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html
    M LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
    M LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt
    M LayoutTests/platform/ios/TestExpectations
    M LayoutTests/platform/mac-wk1/TestExpectations
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Cherry-pick 272448.10 at safari-7618-branch (b856378e0a55). rdar://116054889

    Plaintext Ping requests not blocked by mixed-content checks (262117)
    rdar://116054889

    Reviewed by Alex Christensen.

    Enforce mixed content checks for beacons and poings, like we do for regular xhr/fetch.
    This aligns the behavior with Chrome and Firefox.

    We have to change some tests so that preloads kick in deterministically.
    Preloads might not kick in if an early JS resource is already in the cache.
    We therefore clear the memory cache to ensure dump-securitypolicyviolation-and-notify-done.js gets fetched again, which will trigger both preload and resource load.
    Otherwise, we will get only one CONSOLE MESSAGE for the actual blocked load.

    We also have to change some tests so that they use HTTPS and not HTTP.

    * LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt:
    * LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt:
    * LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html:
    * LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt:
    * LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html:
    * LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html:
    * LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html:
    * LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt: Removed.
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt: Removed.
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt: Removed.
    * LayoutTests/platform/ios/TestExpectations:
    * LayoutTests/platform/mac-wk1/TestExpectations:
    * LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
    * LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
    * LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
    * Source/WebCore/loader/cache/CachedResourceLoader.cpp:
    (WebCore::CachedResourceLoader::checkInsecureContent const):

    Canonical link: https://commits.webkit.org/272448.10@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.53@webkitglib/2.44


  Commit: a430b08533483b9996110a1c926b7b28f0e7289d
      https://github.com/WebKit/WebKit/commit/a430b08533483b9996110a1c926b7b28f0e7289d
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/ruby/ruby-base-content-should-not-wrap-expected.html
    A LayoutTests/fast/ruby/ruby-base-content-should-not-wrap.html
    M Source/WebCore/layout/formattingContexts/inline/InlineFormattingUtils.cpp

  Log Message:
  -----------
  Cherry-pick 2c41110b8852. https://bugs.webkit.org/show_bug.cgi?id=269235

    [IFC][Ruby] Ruby base content may wrap even when style says no
    https://bugs.webkit.org/show_bug.cgi?id=269235
    <rdar://122811940>

    Reviewed by Antti Koivisto.

    There's no soft wrap opportunity between 2 adjacent non-whitespace characters when style says nowrap.

    * LayoutTests/fast/ruby/ruby-base-content-should-not-wrap-expected.html: Added.
    * LayoutTests/fast/ruby/ruby-base-content-should-not-wrap.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/InlineFormattingUtils.cpp:
    (WebCore::Layout::isAtSoftWrapOpportunity):

    Canonical link: https://commits.webkit.org/272448.537@safari-7618-branch

    Identifier: 272448.559 at safari-7618.1.15.10-branch

Canonical link: https://commits.webkit.org/274313.54@webkitglib/2.44


  Commit: 88dc13476135a2e67d641ed3e8d2fb2d968f8a52
      https://github.com/WebKit/WebKit/commit/88dc13476135a2e67d641ed3e8d2fb2d968f8a52
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/Scripts/process-entitlements.sh

  Log Message:
  -----------
  Cherry-pick 8179ae2db1bf. <bug>

    Clean up JSC shell entitlements to fix RAMificaton.
    rdar://122826926

    Reviewed by Yusuke Suzuki.

    In https://commits.webkit.org/272448.472@safari-7618-branch, we switched
    to the new allow-jit entitlement. This broke RAMiciation runs because
    the JSC binary doesn't have the com.apple.developer.web-browser-engine.webcontent
    entitlement. This patch adds it.

    * Source/JavaScriptCore/Scripts/process-entitlements.sh:

    Canonical link: https://commits.webkit.org/272448.538@safari-7618-branch

    Identifier: 272448.571 at safari-7618.1.15.10-branch

Canonical link: https://commits.webkit.org/274313.55@webkitglib/2.44


  Commit: b44ec3533719afd748f0d3d60ab5fd8965641f29
      https://github.com/WebKit/WebKit/commit/b44ec3533719afd748f0d3d60ab5fd8965641f29
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html
    A LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers
    A LayoutTests/http/wpt/content-security-policy/resources/dummy.js
    M Source/WebCore/html/parser/HTMLConstructionSite.cpp

  Log Message:
  -----------
  Cherry-pick 272448.25 at safari-7618-branch (d43f7eafe9c4). https://bugs.webkit.org/show_bug.cgi?id=267241

    Bug in the HTML parser makes it possible to bypass `nonce` attribute hiding
    https://bugs.webkit.org/show_bug.cgi?id=267241
    rdar://120056084

    Reviewed by Ryosuke Niwa.

    Per the HTML specification [1], the `nonce` attribute is supposed to get hidden by
    the user agent once the element gets connected to the document. This means that we
    remove the `nonce` attribute and store its value in an internal field.

    The intention is that elements only expose their nonce via their `nonce` property
    to scripts, and not to side-channels like CSS attribute selectors.

    The HTML specification [2] also says that when encountering a duplicate <body> or
    <html> tag, we should merge the attributes from the duplicate element to the original
    once. When this happened, we could move the `nonce` attribute from a duplicate <body>
    / <html> to the original element and it would not get hidden since the original element
    is already connected to the document.

    To address the issue, we now add special handling for the `nonce` attribute upon merging:
    1. We discard the duplicate element's `nonce` attribute if the original element [[nonce]]
    internal field is already set (meaning the element already has a nonce).
    2. If the original element doesn't have a `nonce` we do merge the attribute and then call
    the logic to hide the `nonce` right away.

    [1] https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes:include-2
    [2] https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody

    * LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https-expected.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-body-hide-nonce-attribute.https.html.headers: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https-expected.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html: Added.
    * LayoutTests/http/wpt/content-security-policy/duplicate-html-hide-nonce-attribute.https.html.headers: Added.
    * LayoutTests/http/wpt/content-security-policy/resources/dummy.js: Added.
    Add test coverage.

    * Source/WebCore/html/parser/HTMLConstructionSite.cpp:
    (WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement):

    Canonical link: https://commits.webkit.org/272448.25@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.56@webkitglib/2.44


  Commit: 2b28f8e04865b48b808be6cda2245138de93cc5f
      https://github.com/WebKit/WebKit/commit/2b28f8e04865b48b808be6cda2245138de93cc5f
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt
    A LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp

  Log Message:
  -----------
  Cherry-pick 272448.26 at safari-7618-branch (6eed83460548). https://bugs.webkit.org/show_bug.cgi?id=267270

    Out-of-flow line break box does not initiate render layer
    https://bugs.webkit.org/show_bug.cgi?id=267270
    rdar://120662818

    Reviewed by Antti Koivisto.

    1. Let's not assume that an out-of-flow box is a type of RenderBox (e.g. line break)
    2. Not all out-of-flow positioned boxes trigger layers.

    * LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break-expected.txt: Added.
    * LayoutTests/fast/text/align-line-shift-crash-with-positioned-line-break.html: Added.
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
    (WebCore::LayoutIntegration::LineLayout::shiftLinesBy):

    Canonical link: https://commits.webkit.org/272448.26@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.57@webkitglib/2.44


  Commit: dafa1ea85b17155cf5596631f6315bd0e7df872c
      https://github.com/WebKit/WebKit/commit/dafa1ea85b17155cf5596631f6315bd0e7df872c
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/text/out-of-flow-line-break-crash-expected.txt
    A LayoutTests/fast/text/out-of-flow-line-break-crash.html
    M Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp
    M Source/WebCore/layout/formattingContexts/inline/TextOnlySimpleLineBuilder.cpp

  Log Message:
  -----------
  Cherry-pick 272448.28 at safari-7618-branch (2658caa71663). https://bugs.webkit.org/show_bug.cgi?id=267268

    [IFC] Do not treat out-of-flow line break as text content
    https://bugs.webkit.org/show_bug.cgi?id=267268
    rdar://120662940

    Reviewed by Antti Koivisto.

    Out-of-flow line break is not eligible for simplified (text-only) line building.

    * LayoutTests/fast/text/out-of-flow-line-break-crash-expected.txt: Added.
    * LayoutTests/fast/text/out-of-flow-line-break-crash.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp:
    (WebCore::Layout::isTextOrLineBreak):
    * Source/WebCore/layout/formattingContexts/inline/TextOnlySimpleLineBuilder.cpp:
    (WebCore::Layout::TextOnlySimpleLineBuilder::placeNonWrappingInlineTextContent):

    Canonical link: https://commits.webkit.org/272448.28@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.58@webkitglib/2.44


  Commit: f5995f4872fef3f5f501d0ac9e113610971b99ba
      https://github.com/WebKit/WebKit/commit/f5995f4872fef3f5f501d0ac9e113610971b99ba
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 272448.74 at safari-7618-branch (7bd07231e704). https://bugs.webkit.org/show_bug.cgi?id=267036

    Should crash when deserializing JSArray object containing named property length
    https://bugs.webkit.org/show_bug.cgi?id=267036
    rdar://120410983

    Reviewed by Sihui Liu and Mark Lam.

    `length` is treated as a special property in JSArray. There shouldn't
    be any named property `length` in JSArray. So, should crash when
    deserializing JSArray object containing named property `length`.

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneSerializer::serialize):
    (WebCore::CloneDeserializer::objectStartVisitMember):
    (WebCore::CloneDeserializer::objectEndVisitMember):
    (WebCore::CloneDeserializer::deserialize):

    Canonical link: https://commits.webkit.org/272448.74@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.59@webkitglib/2.44


  Commit: 9f83080fb196b4cce89d943f759743521fd61ffe
      https://github.com/WebKit/WebKit/commit/9f83080fb196b4cce89d943f759743521fd61ffe
  Author: Erica Li <lerica at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt
    A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html
    M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Cherry-pick 272448.75 at safari-7618-branch (2534e02e1983). https://bugs.webkit.org/show_bug.cgi?id=266567.

    ASAN_SEGV | Hard null deref |LayoutIntegration::BoxTree::layoutBoxForRenderer; LayoutIntegration::LineLayout::enclosingBorderBoxRectFor; WebCore::RenderInline::linesBoundingBox.
    https://bugs.webkit.org/show_bug.cgi?id=266567.
    rdar://114586645.

    Reviewed by Alan Baradlay.

    similar to 107979394, apply handling for repainting a freshly inserted sticky inline box.

    * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt: Added.
    * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html: Added.
    * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline for rdar://119187070.
    * Source/WebCore/rendering/RenderInline.cpp:
    (WebCore::RenderInline::linesBoundingBox const):

    Canonical link: https://commits.webkit.org/272448.75@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.60@webkitglib/2.44


  Commit: b99816d88b90129cb7300a41a6a8c3884f93035f
      https://github.com/WebKit/WebKit/commit/b99816d88b90129cb7300a41a6a8c3884f93035f
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash-expected.txt
    A LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash.html
    M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp
    M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.h
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.h
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 272448.98 at safari-7618-branch (77a82bb2bcde). https://bugs.webkit.org/show_bug.cgi?id=267141

    Do not repaint newly moved inline box
    https://bugs.webkit.org/show_bug.cgi?id=267141
    rdar://120555470

    Reviewed by Antti Koivisto.

    1. Repaint needs uptodate geometry information to compute the damaged area
    2. Whenever we invalidate the line layout path, we lose all geometry information so a full repaint is being issued on the very first invalidation.
    (note that there may be multiple mutations happening the same time)

    This patch ensures that such repaints are _not_ issued on newly inserted content.
    Since we don't keep track of whether a particular renderer has already issued repaint, moving renders between blocks could
    potentially be repainted twice; initially when they get detached and later when they get inserted at their new position.
    Repaint issued at this later stage most likely results in incorrectly computed damage area as all relevant geometries are
    relative to the former block -and in some cases it may even trigger crashes as we don't find associated layout/display boxes in
    the new block.

    * LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash-expected.txt: Added.
    * LayoutTests/fast/dynamic/move-inline-level-element-between-blocks-crash.html: Added.
    * Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:
    (WebCore::LayoutIntegration::BoxTree::contains const):
    * Source/WebCore/layout/integration/LayoutIntegrationBoxTree.h:
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
    (WebCore::LayoutIntegration::LineLayout::contains const):
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.h:
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::invalidateLineLayoutPath):

    Canonical link: https://commits.webkit.org/272448.98@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.61@webkitglib/2.44


  Commit: f5909af7891338f7e7227d52235bc26cdf7d2ec5
      https://github.com/WebKit/WebKit/commit/f5909af7891338f7e7227d52235bc26cdf7d2ec5
  Author: Ryan Reno <rreno at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentLoader.h

  Log Message:
  -----------
  Cherry-pick 272448.100 at safari-7618-branch (7f3ac60a98fc). https://bugs.webkit.org/show_bug.cgi?id=264811

    Content-Type x-mixed-replace can be abused to bypass CSP
    https://bugs.webkit.org/show_bug.cgi?id=264811
    rdar://118394343

    Reviewed by John Wilander and Brent Fulgham.

    When replacing the document in a multipart/x-mixed-replace response, the
    DocumentLoader would reset its CSP every time a new response was received.
    This change makes the CSP persistent across document replacements when
    loading multipart content. Now the CSP can only become more restrictive
    as new parts are received.

    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt: Added.
    * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py: Added.
    * Source/WebCore/loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::shouldClearContentSecurityPolicyForResponse const):
    (WebCore::DocumentLoader::responseReceived):
    * Source/WebCore/loader/DocumentLoader.h:

    Canonical link: https://commits.webkit.org/272448.100@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.62@webkitglib/2.44


  Commit: 2790c9e1e613162a1124c8b991644b5cd210ce64
      https://github.com/WebKit/WebKit/commit/2790c9e1e613162a1124c8b991644b5cd210ce64
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/CommonSlowPaths.h
    M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/JSFunction.cpp
    M Source/JavaScriptCore/runtime/JSFunction.h
    M Source/JavaScriptCore/runtime/JSFunctionInlines.h

  Log Message:
  -----------
  Cherry-pick 272448.101 at safari-7618-branch (70ca9c1f54a0). https://bugs.webkit.org/show_bug.cgi?id=267380

    [JSC] setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction shouldn't be called if it fails to reify the property
    https://bugs.webkit.org/show_bug.cgi?id=267380
    rdar://118761737

    Reviewed by Yusuke Suzuki.

    setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction
    can be called if JSFunction::put() fails to reify the property. This case may
    cause inconsistency between the AI and the runtime environment.

    * Source/JavaScriptCore/runtime/JSFunction.cpp:
    (JSC::JSFunction::put):

    Canonical link: https://commits.webkit.org/272448.101@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.63@webkitglib/2.44


  Commit: b1cf6ce13e4fbb277bf1314c1adf0dc85c210385
      https://github.com/WebKit/WebKit/commit/b1cf6ce13e4fbb277bf1314c1adf0dc85c210385
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt
    A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 272448.102 at safari-7618-branch (6d2f579ca0ad). https://bugs.webkit.org/show_bug.cgi?id=267487

    Invalidate existing inline layout content when simplified out-of-flow is sufficient
    https://bugs.webkit.org/show_bug.cgi?id=267487
    rdar://120496542

    Reviewed by Antti Koivisto.

    Do not leave stale inline content around.

    * LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt: Added.
    * LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html: Added.
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::layoutModernLines):

    Canonical link: https://commits.webkit.org/272448.102@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.64@webkitglib/2.44


  Commit: a625ceb2c781e8515667fc874986a364109006d5
      https://github.com/WebKit/WebKit/commit/a625ceb2c781e8515667fc874986a364109006d5
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/regress-120777816.js
    M Source/JavaScriptCore/builtins/ProxyHelpers.js
    M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/runtime/ProxyObject.cpp

  Log Message:
  -----------
  Cherry-pick 272448.103 at safari-7618-branch (e3a75800fe85). https://bugs.webkit.org/show_bug.cgi?id=267425

    [JSC] get_by_id_with_this + ProxyObject can leak JSScope objects
    https://bugs.webkit.org/show_bug.cgi?id=267425
    <rdar://120777816>

    Reviewed by Yusuke Suzuki and Justin Michaud.

    According to the spec [1], `var base = { foo }; with (base) foo();` should be called with `this`
    value of `base`, which is why FunctionCallResolveNode moves resolved scope to thisRegister().
    That is arguably a bad design, and there is an effort [2] to abolish using JSScope as `this` value.

    When `this` value is accessed by JS code, it's being sanitized via ToThis (JSScope replaced with
    `undefined`), yet not in case of `super.property` access calling into ProxyObject `get` trap,
    which passes raw `this` value as receiver parameter, leaking JSScope to be exploited.

    For performance reasons, we can't call toThis() whenever `get_by_id_with_this` is used, so this
    change introduces @toThis() intrinsic specifically for ProxyObject IC helpers, tweaks DFG to respect
    `m_srcDst`, and also fixes baseline code.

    Inlineability of ProxyObject IC helpers was verified to remain unaffected (`performProxyObjectGet`
    is smaller then 120 while other helpers were already exceeding inline size limit).

    [1]: https://tc39.es/ecma262/#sec-evaluatecall (step 1.b.iii)
    [2]: https://bugs.webkit.org/show_bug.cgi?id=225397

    * JSTests/stress/regress-120777816.js: Added.
    * Source/JavaScriptCore/builtins/ProxyHelpers.js:
    (linkTimeConstant.performProxyObjectGet):
    (linkTimeConstant.performProxyObjectGetByVal):
    (linkTimeConstant.performProxyObjectSetSloppy):
    (linkTimeConstant.performProxyObjectSetStrict):
    * Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::emitToThis):
    * Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
    (JSC::BytecodeGenerator::emitToThis):
    * Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
    (JSC::BytecodeIntrinsicNode::emit_intrinsic_toThis):
    * Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    (JSC::DFG::ByteCodeParser::getThis): Deleted.
    (JSC::DFG::ByteCodeParser::setThis): Deleted.
    * Source/JavaScriptCore/runtime/ProxyObject.cpp:
    (JSC::performProxyGet):
    (JSC::ProxyObject::performPut):

    Canonical link: https://commits.webkit.org/272448.103@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.65@webkitglib/2.44


  Commit: 73ee7cb37f540201ba8010e704f0774932527989
      https://github.com/WebKit/WebKit/commit/73ee7cb37f540201ba8010e704f0774932527989
  Author: Erica Li <lerica at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt
    A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html
    M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/RenderTable.cpp

  Log Message:
  -----------
  Cherry-pick 272448.104 at safari-7618-branch (8737c0374652). https://bugs.webkit.org/show_bug.cgi?id=267198

    ASAN_ILL | WebCore::RenderTableSection::layoutRows; WebCore::RenderTable::simplifiedNormalFlowLayout; WebCore::RenderBlock::simplifiedLayout.
    https://bugs.webkit.org/show_bug.cgi?id=267198
    rdar://113940614

    Reviewed by Alan Baradlay.

    Always setChildNeedsLayout for sections to make sure normalChildNeedsLayout is flagged,
    as for pagination we need to run a full layout on child table sections even when the initial change,
    otherwise requires simplified layout only.

    * LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt: Added.
    * LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html: Added.
    * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline again, adding end of line back.
    * Source/WebCore/rendering/RenderTable.cpp:
    (WebCore::RenderTable::markForPaginationRelayoutIfNeeded):

    Canonical link: https://commits.webkit.org/272448.104@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.66@webkitglib/2.44


  Commit: 1e60cb5df0cafe5d9b9a457267f1166f3a504f70
      https://github.com/WebKit/WebKit/commit/1e60cb5df0cafe5d9b9a457267f1166f3a504f70
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/dom/html/document-renderobject-null-crash-expected.txt
    A LayoutTests/dom/html/document-renderobject-null-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick 272448.251 at safari-7618-branch (9baf7178103b). https://bugs.webkit.org/show_bug.cgi?id=267297

    "NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebCore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy"
    https://bugs.webkit.org/show_bug.cgi?id=267297
    rdar://119186861.

    Reviewed by Alan Baradlay.

    Document::caretPositionFromPoint API is using CheckPtr to get RenderObject
    even though the Object is already destroyed. In order to make sure CheckedPtr
    is valid the render needs to be destroyed earlier not after. Using updateLayoutIgnorePendingStylesheets API for uptodate renderer tree.

    * LayoutTests/dom/html/document-renderobject-null-crash-expected.txt: Added test expected file.
    * LayoutTests/dom/html/document-renderobject-null-crash.html: Added test case.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::caretPositionFromPoint): Added updateLayoutIgnorePendingStylesheets to get updated renderer tree before using CheckedPtr.

    Canonical link: https://commits.webkit.org/272448.251@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.67@webkitglib/2.44


  Commit: 8240207120d88887aeae9aaa8b76dac2c4ad67e4
      https://github.com/WebKit/WebKit/commit/8240207120d88887aeae9aaa8b76dac2c4ad67e4
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt
    A LayoutTests/fast/rendering/render-compositor-null-layer-crash.html
    M Source/WebCore/rendering/RenderLayerCompositor.cpp

  Log Message:
  -----------
  Cherry-pick 272448.252 at safari-7618-branch (a7977801dff3). https://bugs.webkit.org/show_bug.cgi?id=265820

    NULL pointer :  crash under RenderLayerCompositor::scrollableAreaForScrollingNodeID()
    https://bugs.webkit.org/show_bug.cgi?id=265820
    rdar://118424482.

    Reviewed by Simon Fraser.

    Null RenderLayer pointer in RenderLayerCompositor::scrollableAreaForScrollingNodeID().
    As the RenderLayerCompositor has a HashMap which provides a WeakPtr to RenderLayer but the validity
    of this object is not checked before using.

    * LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt: Added test expected file.
    * LayoutTests/fast/rendering/render-compositor-null-layer-crash.html: Added test case.
    * Source/WebCore/rendering/RenderLayerCompositor.cpp:
    (WebCore::RenderLayerCompositor::scrollableAreaForScrollingNodeID const): Checked validity of WeakPtr to RenderLayer before accessing it.

    Canonical link: https://commits.webkit.org/272448.252@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.68@webkitglib/2.44


  Commit: bb20f3e1ac357080e8ac2cd801ceeff7f68e11af
      https://github.com/WebKit/WebKit/commit/bb20f3e1ac357080e8ac2cd801ceeff7f68e11af
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/fast/images/image-document-event-handler-crash-expected.txt
    A LayoutTests/fast/images/image-document-event-handler-crash.html
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  Cherry-pick 272448.253 at safari-7618-branch (b417dff04acd). https://bugs.webkit.org/show_bug.cgi?id=267739

    Crash in ImageEventListener::handleEvent
    https://bugs.webkit.org/show_bug.cgi?id=267739
    rdar://118761846

    Reviewed by Chris Dumez.

    Use WeakPtr instead of a raw reference.

    * LayoutTests/fast/images/image-document-event-handler-crash-expected.txt: Added.
    * LayoutTests/fast/images/image-document-event-handler-crash.html: Added.
    * Source/WebCore/html/ImageDocument.cpp:
    (WebCore::ImageEventListener::handleEvent):

    Canonical link: https://commits.webkit.org/272448.253@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.69@webkitglib/2.44


  Commit: b1e590214277ea78d34055992c3f2c2c956f0af5
      https://github.com/WebKit/WebKit/commit/b1e590214277ea78d34055992c3f2c2c956f0af5
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M JSTests/stress/intl-collator.js
    M JSTests/stress/intl-datetimeformat.js
    M JSTests/stress/intl-numberformat.js
    M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp

  Log Message:
  -----------
  Cherry-pick 272448.254 at safari-7618-branch (5173338bb6f1). https://bugs.webkit.org/show_bug.cgi?id=267725

    [JSC] Use dynamic cast in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat
    https://bugs.webkit.org/show_bug.cgi?id=267725
    rdar://121029647

    Reviewed by Yusuke Suzuki and Mark Lam.

    We should ensure `thisValue` is the desired object. So, should use dynamic
    cast instead in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime,
    and intlNumberFormatFuncFormat.

    * Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):

    Canonical link: https://commits.webkit.org/272448.254@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.70@webkitglib/2.44


  Commit: 0b776b9a8f1653fa8eaef4babe8d427f946e7c20
      https://github.com/WebKit/WebKit/commit/0b776b9a8f1653fa8eaef4babe8d427f946e7c20
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Cherry-pick 272448.257 at safari-7618-branch (23c6a88ad691). https://bugs.webkit.org/show_bug.cgi?id=267656

    "ASAN_SEGV | WebCore::Style::resolveForDocument; WebCore::Document::styleForElementIgnoringPendingStylesheets; WebCore::Element::resolveComputedStyle"
    https://bugs.webkit.org/show_bug.cgi?id=267656
    rdar://119187152.

    Reviewed by Ryosuke Niwa.

    Need to prevent attempt to load a disconnected plugin.
    Not adding a new test case as could not make a reliable reproduction of this issue.

    * Source/WebCore/html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::requestObject):

    Canonical link: https://commits.webkit.org/272448.257@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.71@webkitglib/2.44


  Commit: 26a621673d19d5f2221d17da80b75959cf9cf497
      https://github.com/WebKit/WebKit/commit/26a621673d19d5f2221d17da80b75959cf9cf497
  Author: Scott Marcy <mscott at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/ipc/invalid-message-to-addTrackBuffer-expected.txt
    A LayoutTests/ipc/invalid-message-to-addTrackBuffer.html
    M Source/WebKit/GPUProcess/media/RemoteSourceBufferProxy.cpp

  Log Message:
  -----------
  Cherry-pick 272448.259 at safari-7618-branch (60f8c4667d7a). <bug>

    rdar://119489615 ([CoreIPC] SEGV in WebKit::RemoteSourceBufferProxy::addTrackBuffer)

    Checks that the TrackPrivateRemoteIdentifier argument for the IPC call RemoteSourceBufferProxy::addTrackBuffer() is valid and invalidates the IPC message if not.

    Reviewed by David Kilzer.

    If the TrackPrivateRemoteIdentifier value is not a known value, the IPC message will be marked as invalid, which is supposed
    to crash the content process thereby thwarting any attempted attack through this mechanism.

    * LayoutTests/TestExpectations:
    * LayoutTests/ipc/invalid-message-to-addTrackBuffer-expected.txt: Added.
    * LayoutTests/ipc/invalid-message-to-addTrackBuffer.html: Added.
    * Source/WebKit/GPUProcess/media/RemoteSourceBufferProxy.cpp:
    (WebKit::RemoteSourceBufferProxy::addTrackBuffer):

    Canonical link: https://commits.webkit.org/272448.259@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.72@webkitglib/2.44


  Commit: 864a655d7dc8dbb9543814087db2298a962d2e8e
      https://github.com/WebKit/WebKit/commit/864a655d7dc8dbb9543814087db2298a962d2e8e
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A JSTests/stress/error-instance.js
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp

  Log Message:
  -----------
  Cherry-pick 272448.260 at safari-7618-branch (ade92866440e). https://bugs.webkit.org/show_bug.cgi?id=267785

    [JSC] Fix Re-entrancy in ErrorInstance::computeErrorInfo
    https://bugs.webkit.org/show_bug.cgi?id=267785
    rdar://121098660

    Reviewed by Yusuke Suzuki.

    ErrorInstance::computeErrorInfo computes stack trace string, which may
    trigger GC and re-enter to this function with the same ErrorInstance
    while computing the stack string. We should defer GC after stacking trace
    string is materialized.

    * JSTests/stress/error-instance.js: Added.
    (main.const.error):
    (main):
    * Source/JavaScriptCore/runtime/ErrorInstance.cpp:
    (JSC::ErrorInstance::computeErrorInfo):

    Canonical link: https://commits.webkit.org/272448.260@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.73@webkitglib/2.44


  Commit: ce8fd1fe3d066a1e34e4f8da170f2490b39f2594
      https://github.com/WebKit/WebKit/commit/ce8fd1fe3d066a1e34e4f8da170f2490b39f2594
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M JSTests/stress/arrow-function-captured-arguments-aliased.js
    M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp

  Log Message:
  -----------
  Cherry-pick 272448.339 at safari-7618-branch (66df5c618c1c). https://bugs.webkit.org/show_bug.cgi?id=267946

    ASSERTION FAILED: watchpoints (./runtime/ScopedArgumentsTable.cpp(130))
    rdar://121446658
    https://bugs.webkit.org/show_bug.cgi?id=267946

    Reviewed by Alexey Shvayka.

    Insatead of using an ASSERT that we have a valid WatchpointSet in ScopedArgumentsTable::trySetWatchpointSet(), we can just
    exit early if the passed in WatchpointSet is null.  This can happen if the JIT is not enabled.

    Updated the test to run both with and wothout the JIT.

    * JSTests/stress/arrow-function-captured-arguments-aliased.js:
    * Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
    (JSC::ScopedArgumentsTable::trySetWatchpointSet):

    Canonical link: https://commits.webkit.org/272448.339@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.74@webkitglib/2.44


  Commit: c5b3362395f1cf0ecd6996bdd43642b54bf84437
      https://github.com/WebKit/WebKit/commit/c5b3362395f1cf0ecd6996bdd43642b54bf84437
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map-expected.txt
    A LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map.html
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 272448.347 at safari-7618-branch (5546b2ee36b5). https://bugs.webkit.org/show_bug.cgi?id=267971

    CachedString::m_jsString is not protected from GC in CloneDeserializer.
    https://bugs.webkit.org/show_bug.cgi?id=267971
    rdar://120531481

    Reviewed by Chris Dumez.

    The fix is simply to protect it with the m_keepAliveBuffer.  Also moved the m_keepAliveBuffer from
    CloneSerializer to CloneBase.  Previously, I thought that only the serializer needs it.  Now, we
    have a case where the deserializer does too.

    * LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map-expected.txt: Added.
    * LayoutTests/js/structuredClone/structured-clone-of-CachedString-in-map.html: Added.
    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::CachedString::jsString):
    (WebCore::CloneDeserializer::readTerminal):

    Canonical link: https://commits.webkit.org/272448.347@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.75@webkitglib/2.44


  Commit: 611720ecf676648f33d2db5faf1aed2f4155f1ed
      https://github.com/WebKit/WebKit/commit/611720ecf676648f33d2db5faf1aed2f4155f1ed
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Cherry-pick 272448.355 at safari-7618-branch (99b063d917a4). https://bugs.webkit.org/show_bug.cgi?id=268010

    Regression(267815.354 at safari-7617-branch) ASSERTION FAILED: ownerElement.document().frame() in the tests
    https://bugs.webkit.org/show_bug.cgi?id=268010
    rdar://121528243

    Reviewed by Ryosuke Niwa and Geoffrey Garen.

    In 267815.354 at safari-7617-branch, we updated HTMLPlugInImageElement::requestObject()
    to call SubframeLoader::requestObject() asynchronously. Previously, when we called
    SubframeLoader::requestObject() the frame owner element's document would still be
    connected (i.e. have a frame) and it was enforced by an assertion both in
    HTMLPlugInImageElement::requestObject() and SubframeLoader::requestObject().

    After my change in 267815.354 at safari-7617-branch, the assertion in
    SubframeLoader::requestObject() would sometimes fail as this code now runs
    asynchronously and the state of the DOM tree may have changed in between.

    To address the issue, check if the document still have a frame when the async
    lambda runs and return early if it doesn't. There is no point in loading a subframe
    in a document that was detached.

    * Source/WebCore/html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::requestObject):

    Canonical link: https://commits.webkit.org/272448.355@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.76@webkitglib/2.44


  Commit: 1d059ea33da3b6e09f2aaa035cd35cb21f2b1295
      https://github.com/WebKit/WebKit/commit/1d059ea33da3b6e09f2aaa035cd35cb21f2b1295
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/editing/TextManipulationController.cpp

  Log Message:
  -----------
  Cherry-pick 272448.385 at safari-7618-branch (2d3dc03ecbbc). https://bugs.webkit.org/show_bug.cgi?id=268235

    Bad cast in TextManipulationController::scheduleObservationUpdate()
    https://bugs.webkit.org/show_bug.cgi?id=268235
    rdar://121646850

    Reviewed by Wenson Hsieh.

    Convert the downcast<>() into a dynamicDowncast<>() since the common ancestor
    is not guaranteed to be an Element.

    I have not been able to reproduce but it is happening in the wild.

    * Source/WebCore/editing/TextManipulationController.cpp:
    (WebCore::TextManipulationController::scheduleObservationUpdate):

    Canonical link: https://commits.webkit.org/272448.385@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.77@webkitglib/2.44


  Commit: acab2b845a2a15319f042989387a8ce81210d828
      https://github.com/WebKit/WebKit/commit/acab2b845a2a15319f042989387a8ce81210d828
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm
    M Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h
    M Source/WebKit/UIProcess/WebProcessPool.cpp
    M Source/WebKit/UIProcess/WebProcessPool.h
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp
    M Source/WebKit/WebProcess/Storage/WebSharedWorkerContextManagerConnection.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm

  Log Message:
  -----------
  Cherry-pick 272448.386 at safari-7618-branch (dd435ec50671). https://bugs.webkit.org/show_bug.cgi?id=268183

    Remote worker processes may not obey the lockdown mode setting
    https://bugs.webkit.org/show_bug.cgi?id=268183
    rdar://121617300

    Reviewed by Youenn Fablet.

    Make sure we carry over the requesting process' lockdown mode state to the
    newly created process when we decide to launch a remote worker process.

    Also make sure that the settings that are meant to be disabled in lockdown
    mode also get disabled in the remote worker contexts, not just in page/window
    contexts.

    * Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm:
    (-[WKProcessPool _isJITDisabledInAllServiceWorkerProcesses:]):
    * Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::establishRemoteWorkerContextConnectionToNetworkProcess):
    (WebKit::WebProcessPool::isJITDisabledInAllServiceWorkerProcesses const):
    * Source/WebKit/UIProcess/WebProcessPool.h:
    * Source/WebKit/UIProcess/WebProcessProxy.cpp:
    (WebKit::WebProcessProxy::createForRemoteWorkers):
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm:

    Canonical link: https://commits.webkit.org/272448.386@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.78@webkitglib/2.44


  Commit: e1ea49a668e7a70d67acc791449bb72464685b1e
      https://github.com/WebKit/WebKit/commit/e1ea49a668e7a70d67acc791449bb72464685b1e
  Author: Erica Li <lerica at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    A LayoutTests/media/audio-remove-playback-crash-expected.txt
    A LayoutTests/media/audio-remove-playback-crash.html
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Cherry-pick 272448.387 at safari-7618-branch (303478e273bd). rdar://120661908

    ASAN_ILL | WebCore::Document::removePlaybackTargetPickerClient.
    rdar://120661908

    Reviewed by Chris Dumez.

    Unable to ref the page from removePlaybackTargetPickerClient as it may have started destruction.

    * LayoutTests/media/audio-remove-playback-crash-expected.txt: Added.
    * LayoutTests/media/audio-remove-playback-crash.html: Added.
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::removePlaybackTargetPickerClient):

    Canonical link: https://commits.webkit.org/272448.387@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.79@webkitglib/2.44


  Commit: 9987ecf027f9022e0c1fd87e388c419d454c1cce
      https://github.com/WebKit/WebKit/commit/9987ecf027f9022e0c1fd87e388c419d454c1cce
  Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/UIProcess/mac/WebViewImpl.h
    M Source/WebKit/UIProcess/mac/WebViewImpl.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm

  Log Message:
  -----------
  Cherry-pick 272448.388 at safari-7618-branch (7047e8e918da). https://bugs.webkit.org/show_bug.cgi?id=268198

    [macOS] Pointer Lock should disengage when client windows present a sheet
    https://bugs.webkit.org/show_bug.cgi?id=268198
    rdar://121694233

    Reviewed by Aditya Keerthi.

    The Pointer Lock API is susceptible to abuse by nefarious webpages since
    they can (programmatically or otherwise) make client windows show alerts
    or permission granting sheets while pointer lock is engaged. Since our
    current implementation of pointer lock stays engaged even when the
    client window presents a sheet, it leaves the user in a compromised
    state where they both don't know the location of the mouse cursor and
    don't have a way to exit the pointer lock state (since the client window
    where pointer lock is engaged is no longer focused or the key window).

    This patch addresses this vulnerability by registering observers for the
    NSWindowWillBeginSheetNotification notification on the WebView's current
    window, and then requesting for pointer lock to be disengaged whenever
    we receive a notification that said window will begin presenting a
    sheet.

    Test case added in WebKit.ClientDisplaysAlertSheetWhilePointerLockActive
    that asserts we successfully exit pointer lock when a client window
    presents an alert sheet. It also tests that we can successfully re-enter
    pointer lock afterwards.

    * Source/WebKit/UIProcess/WebPageProxy.h:
    * Source/WebKit/UIProcess/mac/WebViewImpl.h:
    * Source/WebKit/UIProcess/mac/WebViewImpl.mm:
    (-[WKWindowVisibilityObserver startObserving:]):
    (-[WKWindowVisibilityObserver stopObserving:]):
    (-[WKWindowVisibilityObserver _windowWillBeginSheet:]):
    (WebKit::WebViewImpl::windowWillBeginSheet):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm:
    (-[PointerLockDelegate resetState]):
    (-[PointerLockDelegate waitForPointerLockEngaged]):
    (-[PointerLockDelegate waitForPointerLockLost]):
    (-[PointerLockDelegate _webViewDidRequestPointerLock:completionHandler:]):
    (-[PointerLockDelegate _webViewDidLosePointerLock:]):

    Canonical link: https://commits.webkit.org/272448.388@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.80@webkitglib/2.44


  Commit: 7d5bbe94e557e1ffcecfc5ecd460267c1b016f90
      https://github.com/WebKit/WebKit/commit/7d5bbe94e557e1ffcecfc5ecd460267c1b016f90
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Cherry-pick 272448.421 at safari-7618-branch (25c11453b693). https://bugs.webkit.org/show_bug.cgi?id=268405

    Bad cast under CachedResourceLoader::preload()
    https://bugs.webkit.org/show_bug.cgi?id=268405
    rdar://121745788

    Reviewed by Brent Fulgham.

    In CachedResourceLoader::preload() we were calling requestResource(type)
    to get a resource. Then if the type we requested was `FontResource`, we
    assumed the the CachedResource returned was a CachedFont and would cast
    to that type. However, this cast ends up being incorrect in some cases.
    I suspect this could happen when requesting resources with the same URL
    but different types.

    To address the issue, we now check the actual type of the returned
    CachedResource before casting it.

    * Source/WebCore/loader/cache/CachedResourceLoader.cpp:
    (WebCore::CachedResourceLoader::preload):

    Canonical link: https://commits.webkit.org/272448.421@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.81@webkitglib/2.44


  Commit: 115cca02ae77bcbe20aa97eb6de694d7c9d3c085
      https://github.com/WebKit/WebKit/commit/115cca02ae77bcbe20aa97eb6de694d7c9d3c085
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/ScopedArguments.h
    M Source/JavaScriptCore/runtime/SymbolTable.cpp
    M Source/JavaScriptCore/runtime/SymbolTable.h

  Log Message:
  -----------
  Cherry-pick 272448.422 at safari-7618-branch (5bc92c9d5253). https://bugs.webkit.org/show_bug.cgi?id=268409

    REGRESSION: JavaScriptCore: JSC::ScopedArguments::setIndexQuickly
    https://bugs.webkit.org/show_bug.cgi?id=268409
    rdar://121748005

    Reviewed by Yusuke Suzuki.

    A code inspection of the symbol table and scoped arguments code revealed that SymbolTable::cloneScopePart() doesn't
    properly copy the ScopedArgumentsTable from the source.  Since ScopedArguments point to the WatchpointSets in the
    related SymbolTable, we need to create new WatchpointSets in the cloned SymbolTable and have the ScopedArguments
    point to the related new WatchpointSets.

    This is a speculative fix.

    * Source/JavaScriptCore/runtime/ScopedArguments.h:
    * Source/JavaScriptCore/runtime/SymbolTable.cpp:
    (JSC::SymbolTable::cloneScopePart):
    (JSC::SymbolTable::hasScopedWatchpointSet):
    * Source/JavaScriptCore/runtime/SymbolTable.h:

    Canonical link: https://commits.webkit.org/272448.422@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.82@webkitglib/2.44


  Commit: d6e2b3f0c562260d3aebb8c49e754d27e985ec17
      https://github.com/WebKit/WebKit/commit/d6e2b3f0c562260d3aebb8c49e754d27e985ec17
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp

  Log Message:
  -----------
  Cherry-pick 272448.442 at safari-7618-branch (58204e87a044). https://bugs.webkit.org/show_bug.cgi?id=268489

    [JSC] Use DeferGCForAWhile instead of DeferGC in computeErrorInfo
    https://bugs.webkit.org/show_bug.cgi?id=268489
    rdar://121906810

    Reviewed by Mark Lam, Yusuke Suzuki and Justin Michaud.

    ErrorInstance::computeErrorInfo can be called from GC's Heap::runEndPhase.
    In the case, we should use DeferGCForAWhile instead of DeferGC since it
    can trigger another GC in its destruction.

    * Source/JavaScriptCore/runtime/ErrorInstance.cpp:
    (JSC::ErrorInstance::computeErrorInfo):

    Canonical link: https://commits.webkit.org/272448.442@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.83@webkitglib/2.44


  Commit: c625381d9c851c3ee66647e2d68efabbdef49059
      https://github.com/WebKit/WebKit/commit/c625381d9c851c3ee66647e2d68efabbdef49059
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in

  Log Message:
  -----------
  Cherry-pick 272448.445 at safari-7618-branch (b60b2da0516d). rdar://107918233

    Block "setMediaOverridesForTesting" media IPC endpoints when not testing
    rdar://107918233

    Reviewed by Youenn Fablet.

    This is a continuation of 260935 at main, adding the setMediaOverridesForTesting to the list
    of blocked IPC endpoints.

    All involved tests already contains the required keywords.

    * Source/WebKit/GPUProcess/GPUConnectionToWebProcess.messages.in:

    Canonical link: https://commits.webkit.org/272448.445@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.84@webkitglib/2.44


  Commit: c41c2ae9b94315bba45c4c3cdce6fc0e33f213ea
      https://github.com/WebKit/WebKit/commit/c41c2ae9b94315bba45c4c3cdce6fc0e33f213ea
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WTF/wtf/PlatformUse.h

  Log Message:
  -----------
  Cherry-pick 272448.444 at safari-7618-branch (323a4029633e). https://bugs.webkit.org/show_bug.cgi?id=268467

    Disable new JIT API until build issues are resolved
    rdar://122018269
    https://bugs.webkit.org/show_bug.cgi?id=268467

    Reviewed by Mark Lam.

    * Source/WTF/wtf/PlatformUse.h:

    Canonical link: https://commits.webkit.org/272448.444@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.85@webkitglib/2.44


  Commit: 3cf2b08d49dd72c6e5e43807940a1fe5c25c8905
      https://github.com/WebKit/WebKit/commit/3cf2b08d49dd72c6e5e43807940a1fe5c25c8905
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Cherry-pick 272448.456 at safari-7618-branch (66b364de9dfc). https://bugs.webkit.org/show_bug.cgi?id=268525

    Inline box may not be present in the enclosing formatting context
    https://bugs.webkit.org/show_bug.cgi?id=268525
    rdar://119921061

    Reviewed by Antti Koivisto.

    Speculative fix when the (potentially damaged) inline box is not present in the enclosing formatting context.
    This may happen when RenderInline::linesBoundingBox is called on a dirty tree after moving an inline box (<span>)
    from a block to an other (but before clearing the tree by running layout).

    * Source/WebCore/rendering/RenderInline.cpp:
    (WebCore::RenderInline::linesBoundingBox const):

    Canonical link: https://commits.webkit.org/272448.456@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.86@webkitglib/2.44


Compare: https://github.com/WebKit/WebKit/compare/5eb5ab62f15a...3cf2b08d49dd

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications


More information about the webkit-changes mailing list