[webkit-changes] [WebKit/WebKit] 8b2e50: ASAN_ILL | WebCore::RenderTableSection::layoutRows...
Commit Queue
noreply at github.com
Thu Mar 14 10:46:55 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8b2e50918a1c6a0c064267a241b81c5b6f01115e
https://github.com/WebKit/WebKit/commit/8b2e50918a1c6a0c064267a241b81c5b6f01115e
Author: Erica Li <lerica at apple.com>
Date: 2024-03-14 (Thu, 14 Mar 2024)
Changed paths:
A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt
A LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html
M Source/WebCore/rendering/RenderTable.cpp
Log Message:
-----------
ASAN_ILL | WebCore::RenderTableSection::layoutRows; WebCore::RenderTable::simplifiedNormalFlowLayout; WebCore::RenderBlock::simplifiedLayout.
https://bugs.webkit.org/show_bug.cgi?id=267198
rdar://113940614
Reviewed by Alan Baradlay.
Always setChildNeedsLayout for sections to make sure normalChildNeedsLayout is flagged,
as for pagination we need to run a full layout on child table sections even when the initial change,
otherwise requires simplified layout only.
* LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash-expected.txt: Added.
* LayoutTests/fast/multicol/pagination/pagination-diry-sections-crash.html: Added.
* LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline again, adding end of line back.
* Source/WebCore/rendering/RenderTable.cpp:
(WebCore::RenderTable::markForPaginationRelayoutIfNeeded):
Originally-landed-as: 272448.104 at safari-7618-branch (8737c0374652). rdar://124556239
Canonical link: https://commits.webkit.org/276103@main
Commit: ceb7e89febcd92b46d65396ce68e0d58ae6bcd6e
https://github.com/WebKit/WebKit/commit/ceb7e89febcd92b46d65396ce68e0d58ae6bcd6e
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2024-03-14 (Thu, 14 Mar 2024)
Changed paths:
A JSTests/stress/regress-120777816.js
M Source/JavaScriptCore/builtins/ProxyHelpers.js
M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/runtime/ProxyObject.cpp
Log Message:
-----------
[JSC] get_by_id_with_this + ProxyObject can leak JSScope objects
https://bugs.webkit.org/show_bug.cgi?id=267425
<rdar://120777816>
Reviewed by Yusuke Suzuki and Justin Michaud.
According to the spec [1], `var base = { foo }; with (base) foo();` should be called with `this`
value of `base`, which is why FunctionCallResolveNode moves resolved scope to thisRegister().
That is arguably a bad design, and there is an effort [2] to abolish using JSScope as `this` value.
When `this` value is accessed by JS code, it's being sanitized via ToThis (JSScope replaced with
`undefined`), yet not in case of `super.property` access calling into ProxyObject `get` trap,
which passes raw `this` value as receiver parameter, leaking JSScope to be exploited.
For performance reasons, we can't call toThis() whenever `get_by_id_with_this` is used, so this
change introduces @toThis() intrinsic specifically for ProxyObject IC helpers, tweaks DFG to respect
`m_srcDst`, and also fixes baseline code.
Inlineability of ProxyObject IC helpers was verified to remain unaffected (`performProxyObjectGet`
is smaller then 120 while other helpers were already exceeding inline size limit).
[1]: https://tc39.es/ecma262/#sec-evaluatecall (step 1.b.iii)
[2]: https://bugs.webkit.org/show_bug.cgi?id=225397
* JSTests/stress/regress-120777816.js: Added.
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectGet):
(linkTimeConstant.performProxyObjectGetByVal):
(linkTimeConstant.performProxyObjectSetSloppy):
(linkTimeConstant.performProxyObjectSetStrict):
* Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitToThis):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToThis):
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toThis):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::getThis): Deleted.
(JSC::DFG::ByteCodeParser::setThis): Deleted.
* Source/JavaScriptCore/runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performPut):
Originally-landed-as: 272448.103 at safari-7618-branch (e3a75800fe85). rdar://124556295
Canonical link: https://commits.webkit.org/276104@main
Commit: ffe58e2be703e4f6b69eb8c315b1c186676bb4b5
https://github.com/WebKit/WebKit/commit/ffe58e2be703e4f6b69eb8c315b1c186676bb4b5
Author: Alan Baradlay <zalan at apple.com>
Date: 2024-03-14 (Thu, 14 Mar 2024)
Changed paths:
A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt
A LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html
M Source/WebCore/rendering/RenderBlockFlow.cpp
Log Message:
-----------
Invalidate existing inline layout content when simplified out-of-flow is sufficient
https://bugs.webkit.org/show_bug.cgi?id=267487
rdar://120496542
Reviewed by Antti Koivisto.
Do not leave stale inline content around.
* LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child-expected.txt: Added.
* LayoutTests/fast/inline/dynamic-inline-content-with-out-of-flow-child.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::layoutModernLines):
Originally-landed-as: 272448.102 at safari-7618-branch (6d2f579ca0ad). rdar://124556312
Canonical link: https://commits.webkit.org/276105@main
Commit: 4e7c454bf50238f063d9614230027e7d1c1f5cd7
https://github.com/WebKit/WebKit/commit/4e7c454bf50238f063d9614230027e7d1c1f5cd7
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-14 (Thu, 14 Mar 2024)
Changed paths:
M Source/JavaScriptCore/runtime/CommonSlowPaths.h
M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
M Source/JavaScriptCore/runtime/JSFunction.cpp
M Source/JavaScriptCore/runtime/JSFunction.h
M Source/JavaScriptCore/runtime/JSFunctionInlines.h
Log Message:
-----------
[JSC] setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction shouldn't be called if it fails to reify the property
https://bugs.webkit.org/show_bug.cgi?id=267380
rdar://118761737
Reviewed by Yusuke Suzuki.
setHasModifiedLengthForBoundOrNonHostFunction and setHasModifiedNameForBoundOrNonHostFunction
can be called if JSFunction::put() fails to reify the property. This case may
cause inconsistency between the AI and the runtime environment.
* Source/JavaScriptCore/runtime/JSFunction.cpp:
(JSC::JSFunction::put):
Originally-landed-as: 272448.101 at safari-7618-branch (70ca9c1f54a0). rdar://124556382
Canonical link: https://commits.webkit.org/276106@main
Commit: 93603245b1ebc4cd2c451af93d98c86533c0d6fe
https://github.com/WebKit/WebKit/commit/93603245b1ebc4cd2c451af93d98c86533c0d6fe
Author: Ryan Reno <rreno at apple.com>
Date: 2024-03-14 (Thu, 14 Mar 2024)
Changed paths:
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt
A LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentLoader.h
Log Message:
-----------
Content-Type x-mixed-replace can be abused to bypass CSP
https://bugs.webkit.org/show_bug.cgi?id=264811
rdar://118394343
Reviewed by John Wilander and Brent Fulgham.
When replacing the document in a multipart/x-mixed-replace response, the
DocumentLoader would reset its CSP every time a new response was received.
This change makes the CSP persistent across document replacements when
loading multipart content. Now the CSP can only become more restrictive
as new parts are received.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py: Added.
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::shouldClearContentSecurityPolicyForResponse const):
(WebCore::DocumentLoader::responseReceived):
* Source/WebCore/loader/DocumentLoader.h:
Originally-landed-as: 272448.100 at safari-7618-branch (7f3ac60a98fc). rdar://124556491
Canonical link: https://commits.webkit.org/276107@main
Commit: 18b2179221761d08ccea246b4f4f36ec24e9cc5e
https://github.com/WebKit/WebKit/commit/18b2179221761d08ccea246b4f4f36ec24e9cc5e
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2024-03-14 (Thu, 14 Mar 2024)
Changed paths:
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
Should crash when deserializing JSArray object containing named property length
https://bugs.webkit.org/show_bug.cgi?id=267036
rdar://120410983
Reviewed by Sihui Liu and Mark Lam.
`length` is treated as a special property in JSArray. There shouldn't
be any named property `length` in JSArray. So, should crash when
deserializing JSArray object containing named property `length`.
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::objectStartVisitMember):
(WebCore::CloneDeserializer::objectEndVisitMember):
(WebCore::CloneDeserializer::deserialize):
Originally-landed-as: 272448.74 at safari-7618-branch (7bd07231e704). rdar://124556898
Canonical link: https://commits.webkit.org/276108@main
Compare: https://github.com/WebKit/WebKit/compare/9854e2932ee2...18b217922176
To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
More information about the webkit-changes
mailing list