[webkit-changes] [WebKit/WebKit] bcd671: Cherry-pick 276012 at main (910ab18a82d4). https://bu...

Justin Michaud noreply at github.com
Fri Mar 15 12:20:03 PDT 2024


  Branch: refs/heads/webkitglib/2.44
  Home:   https://github.com/WebKit/WebKit
  Commit: bcd671bfcbcd9ca829dedeb66a3ffc67222103be
      https://github.com/WebKit/WebKit/commit/bcd671bfcbcd9ca829dedeb66a3ffc67222103be
  Author: Michael Catanzaro <mcatanzaro at redhat.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/WebKit/PlatformGTK.cmake
    M Source/WebKit/PlatformWPE.cmake
    M Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp
    M Source/WebKit/UIProcess/API/glib/WebKitWebView.h.in

  Log Message:
  -----------
  Cherry-pick 276012 at main (910ab18a82d4). https://bugs.webkit.org/show_bug.cgi?id=269377

    [WPE][GTK] Warning: WebKit2: Couldn't find 'run_async_javascript_function_in_world_finish' for the corresponding async function: 'run_async_javascript_function_in_world'
    https://bugs.webkit.org/show_bug.cgi?id=269377

    Reviewed by Adrian Perez de Castro.

    We need to use the new finish-func annotation so that language bindings
    can figure out how to complete the async call, due to our nonstandard
    naming for the finish function. It seems trying to reuse the same finish
    function for multiple async calls was not such a good idea.

    Unfortunately, with older gobject-introspection, we cannot use this
    new annotation or the build will fail due to the unrecognized
    annotation. So we will need to conditionalize the entire doc comment.

    Finally, I've also fixed the nullability of the world_name parameter,
    which was broken due to a missing colon.

    * Source/WebKit/PlatformGTK.cmake:
    * Source/WebKit/PlatformWPE.cmake:
    * Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp:
    * Source/WebKit/UIProcess/API/glib/WebKitWebView.h.in:

    Canonical link: https://commits.webkit.org/276012@main

Canonical link: https://commits.webkit.org/274313.87@webkitglib/2.44


  Commit: 629d941b3ee1bfad0d8aa15283d6d1ab7092aa58
      https://github.com/WebKit/WebKit/commit/629d941b3ee1bfad0d8aa15283d6d1ab7092aa58
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/WebKit/PlatformGTK.cmake

  Log Message:
  -----------
  Cherry-pick 276019 at main (3a1c08120188). https://bugs.webkit.org/show_bug.cgi?id=269377

    REGRESSION(276012 at main): CMake fails with GObject-Introspection disabled
    https://bugs.webkit.org/show_bug.cgi?id=269377

    Reviewed by Michael Catanzaro and Philippe Normand.

    * Source/WebKit/PlatformGTK.cmake: Quote the expansion of ${GI_VERSION}
      to ensure VERSION_GREATER_EQUAL has at least an empty string as value
      to compare against; otherwise when the variable is undefined there was
      no left-hand side of the comparison, which resulted in CMake erroring
      due to wrong syntax.

    Canonical link: https://commits.webkit.org/276019@main

Canonical link: https://commits.webkit.org/274313.88@webkitglib/2.44


  Commit: b67becf51ef32112a6a5ad03f36f943253dfbebe
      https://github.com/WebKit/WebKit/commit/b67becf51ef32112a6a5ad03f36f943253dfbebe
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/WebKit/Scripts/generate-serializers.py

  Log Message:
  -----------
  Cherry-pick 275934 at main (ca6b301ae49e). https://bugs.webkit.org/show_bug.cgi?id=270770

    [Clang] GeneratedSerializers.cpp(3716,11): error: offset of on non-standard-layout type 'WebKit::AudioTrackPrivateRemoteConfiguration' [-Werror,-Winvalid-offsetof]
    https://bugs.webkit.org/show_bug.cgi?id=270770

    Reviewed by Alex Christensen.

    Clang 18.1.1 reports a warning for GeneratedSerializers.cpp:

    > DerivedSources\GeneratedSerializers.cpp(3716,11): error: offset of on non-standard-layout type 'WebKit::AudioTrackPrivateRemoteConfiguration' [-Werror,-Winvalid-offsetof]
    >  3716 |         , offsetof(WebKit::AudioTrackPrivateRemoteConfiguration, enabled)
    >       |           ^                                                      ~~~~~~~

    generate-serializers.py already suppresses the warning for GCC.

    * Source/WebKit/Scripts/generate-serializers.py:
    Ignore `invalid-offsetof` warning both for GCC and Clang.

    Canonical link: https://commits.webkit.org/275934@main

Canonical link: https://commits.webkit.org/274313.89@webkitglib/2.44


  Commit: 76f4db11d9982ef76ec8758fd6c62c3d5f146379
      https://github.com/WebKit/WebKit/commit/76f4db11d9982ef76ec8758fd6c62c3d5f146379
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/DatePrototype.cpp

  Log Message:
  -----------
  Cherry-pick 275926 at main (65fd9be34cc1). https://bugs.webkit.org/show_bug.cgi?id=270769

    [JSC][Clang] DatePrototype.cpp(337,29): error: 'snprintf' will always be truncated; specified size is 28, but format string expands to at least 29 [-Werror,-Wformat-truncation]
    https://bugs.webkit.org/show_bug.cgi?id=270769

    Reviewed by Don Olmstead.

    Clang 18 reports a false warning:

    > JavaScriptCore/runtime/DatePrototype.cpp(337,29): error: 'snprintf' will always be truncated; specified size is 28, but format string expands to at least 29 [-Werror,-Wformat-truncation]

    This problem is tracked by <https://github.com/llvm/llvm-project/issues/71320>.

    * Source/JavaScriptCore/runtime/DatePrototype.cpp:
    Ignore the warning for Clang.

    Canonical link: https://commits.webkit.org/275926@main

Canonical link: https://commits.webkit.org/274313.90@webkitglib/2.44


  Commit: 8a13624c27b86a4c10ecc50f988991a0ffcaca80
      https://github.com/WebKit/WebKit/commit/8a13624c27b86a4c10ecc50f988991a0ffcaca80
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/WebCore/dom/ActiveDOMObject.cpp
    M Source/WebCore/dom/ActiveDOMObject.h
    M Source/WebCore/html/HTMLCanvasElement.cpp
    M Source/WebCore/html/HTMLImageElement.cpp
    M Source/WebCore/html/HTMLMarqueeElement.cpp
    M Source/WebCore/html/HTMLMarqueeElement.h
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Source/WebCore/html/HTMLSourceElement.cpp
    M Source/WebCore/html/HTMLSourceElement.h
    M Source/WebCore/html/HTMLTrackElement.cpp
    M Source/WebCore/html/HTMLTrackElement.h
    M Source/WebCore/html/track/TextTrack.cpp
    M Source/WebCore/html/track/TextTrack.h
    M Source/WebCore/html/track/TextTrackCue.cpp
    M Source/WebCore/html/track/TextTrackCue.h
    M Source/WebCore/html/track/TextTrackCueList.cpp
    M Source/WebCore/html/track/TextTrackCueList.h
    M Source/WebCore/html/track/TrackBase.cpp
    M Source/WebCore/html/track/TrackBase.h
    M Source/WebCore/html/track/TrackListBase.cpp
    M Source/WebCore/html/track/TrackListBase.h

  Log Message:
  -----------
  Cherry-pick 272448.471 at safari-7618-branch (f2f5469a4376). https://bugs.webkit.org/show_bug.cgi?id=268494

    [ Monterey+ wk2 Release ] media/track/media-element-enqueue-event-crash.html is a flaky crash
    https://bugs.webkit.org/show_bug.cgi?id=268494

    Reviewed by Chris Dumez.

    This PR introduces ActiveDOMObject::didMoveToNewDocument, which migrates ActiveDOMObject from
    one document to another, and deploys it in every ActiveDOMObject owned by Node subclasses such
    as HTMLImageElement and TextTrackCue.

    * Source/WebCore/dom/ActiveDOMObject.cpp:
    (WebCore::ActiveDOMObject::didMoveToNewDocument):
    * Source/WebCore/dom/ActiveDOMObject.h:
    * Source/WebCore/html/HTMLCanvasElement.cpp:
    (WebCore::HTMLCanvasElement::didMoveToNewDocument):
    * Source/WebCore/html/HTMLImageElement.cpp:
    (WebCore::HTMLImageElement::didMoveToNewDocument):
    * Source/WebCore/html/HTMLMarqueeElement.cpp:
    (WebCore::HTMLMarqueeElement::HTMLMarqueeElement):
    (WebCore::HTMLMarqueeElement::didMoveToNewDocument):
    * Source/WebCore/html/HTMLMarqueeElement.h:
    * Source/WebCore/html/HTMLMediaElement.cpp:
    (WebCore::HTMLMediaElement::didMoveToNewDocument):
    (WebCore::HTMLMediaElement::ensureMediaControls): Fixed a bug whereby this code tries
    to initialize CSSFontSelector object, which is an active DOM object, in the middle of
    Document trying to stop itself.
    (WebCore::HTMLMediaElement::isSuspended const): Added a debug assertion that the script
    execution context associated with Node superclass and ActiveDOMObject superclass match.
    * Source/WebCore/html/HTMLSourceElement.cpp:
    (WebCore::HTMLSourceElement::HTMLSourceElement):
    (WebCore::HTMLSourceElement::didMoveToNewDocument):
    * Source/WebCore/html/HTMLSourceElement.h:
    * Source/WebCore/html/HTMLTrackElement.cpp:
    (WebCore::HTMLTrackElement::HTMLTrackElement):
    (WebCore::HTMLTrackElement::didMoveToNewDocument):
    * Source/WebCore/html/HTMLTrackElement.h:
    * Source/WebCore/html/track/TextTrack.cpp:
    (WebCore::TextTrack::protectedCues const):
    (WebCore::TextTrack::didMoveToNewDocument):
    * Source/WebCore/html/track/TextTrack.h:
    * Source/WebCore/html/track/TextTrackCue.cpp:
    (WebCore::TextTrackCue::didMoveToNewDocument):
    * Source/WebCore/html/track/TextTrackCue.h:
    * Source/WebCore/html/track/TextTrackCueList.cpp:
    (WebCore::TextTrackCueList::didMoveToNewDocument):
    * Source/WebCore/html/track/TextTrackCueList.h:
    * Source/WebCore/html/track/TrackBase.cpp:
    (WebCore::TrackBase::didMoveToNewDocument):
    * Source/WebCore/html/track/TrackBase.h:
    * Source/WebCore/html/track/TrackListBase.cpp:
    (WebCore::TrackListBase::didMoveToNewDocument):
    * Source/WebCore/html/track/TrackListBase.h:

    Canonical link: https://commits.webkit.org/272448.471@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.91@webkitglib/2.44


  Commit: 7d9536886116bc2db98bd74875151238a4005c77
      https://github.com/WebKit/WebKit/commit/7d9536886116bc2db98bd74875151238a4005c77
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp
    M Source/WebCore/bindings/js/SerializedScriptValue.h

  Log Message:
  -----------
  Cherry-pick c3c2a42ade13. https://bugs.webkit.org/show_bug.cgi?id=266806

    Safari's IndexedDB data may not be deserialized correctly after system upgrades
    https://bugs.webkit.org/show_bug.cgi?id=266806
    rdar://120031024

    Reviewed by NOBODY (OOPS!).

    To fix rdar://119834827, we introduce version 12.1 to SerializeScriptValue, which changed the terminator of the indexed
    property section in array compared to version 12. To make sure deserializer knows to deserialize version 12.1, we encode
    the minor version in the highest 8 bits of version number. We keep the lowest 24 bit as major version number for
    backward compatibility (the previously stored 32-bit major version number can be interpreted as major version with minor
    version 0).

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::majorVersionFor):
    (WebCore::minorVersionFor):
    (WebCore::makeVersion):
    (WebCore::currentVersion):
    (WebCore::CloneSerializer::serialize):
    (WebCore::CloneSerializer::CloneSerializer):
    (WebCore::CloneDeserializer::deserializeString):
    (WebCore::CloneDeserializer::deserialize):
    (WebCore::CloneDeserializer::isValid const):
    (WebCore::CloneDeserializer::shouldRetryWithVersionUpgrade):
    (WebCore::CloneDeserializer::upgradeVersion):
    (WebCore::CloneDeserializer::read):
    (WebCore::CloneDeserializer::readFile):
    (WebCore::CloneDeserializer::readArrayBuffer):
    (WebCore::CloneDeserializer::readArrayBufferView):
    (WebCore::CloneDeserializer::readImageBitmap):
    (WebCore::CloneDeserializer::readTerminal):
    (WebCore::CloneDeserializer::version const): Deleted.
    (WebCore::SerializedScriptValue::wireFormatVersion): Deleted.
    * Source/WebCore/bindings/js/SerializedScriptValue.h:

    Canonical link: https://commits.webkit.org/267815.665@safari-7617.2.4.10-branch

    Identifier: 270272.2255 at safari-7618-branch

Canonical link: https://commits.webkit.org/274313.92@webkitglib/2.44
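The version-packing scheme the commit message above describes (minor version in the highest 8 bits, major version in the lowest 24 bits, so that an old file whose 32-bit field holds only a major number still decodes as that major with minor 0) can be shown with a few bit operations. The following is an added illustration written for this digest, not code from WebKit's SerializedScriptValue.cpp: the function names mirror those listed in the ChangeLog but their bodies, the little-endian header layout, the constructed sample bytes and the `isSupported` acceptance check are assumptions made here.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical reimplementation of the scheme described in the commit message.
// Layout assumed here: bits 31..24 carry the minor version, bits 23..0 the major version.
constexpr uint32_t kMajorMask = 0x00FFFFFFu;

constexpr uint32_t majorVersionFor(uint32_t version) { return version & kMajorMask; }
constexpr uint32_t minorVersionFor(uint32_t version) { return version >> 24; }
constexpr uint32_t makeVersion(uint32_t major, uint32_t minor)
{
    return (minor << 24) | (major & kMajorMask);
}

// A deserializer that understands up to (supportedMajor, supportedMinor) should refuse
// anything newer instead of guessing at the layout. The ordering rule used here
// (major first, then minor within the same major) is an assumption of this example.
constexpr bool isSupported(uint32_t stored, uint32_t supportedMajor, uint32_t supportedMinor)
{
    const uint32_t major = majorVersionFor(stored);
    const uint32_t minor = minorVersionFor(stored);
    if (major > supportedMajor)
        return false;
    if (major == supportedMajor && minor > supportedMinor)
        return false;
    return true;
}

// Reads the 32-bit version field from the start of a serialized blob.
// Little-endian byte order is assumed for this example; memcpy avoids
// alignment and strict-aliasing problems when the buffer is arbitrary bytes.
uint32_t readVersionField(const uint8_t* bytes, size_t length)
{
    if (length < sizeof(uint32_t))
        return 0; // Too short to carry a header at all; caller treats 0 as invalid.
    uint32_t raw = 0;
    std::memcpy(&raw, bytes, sizeof(raw));
    return raw;
}

// Constructed sample headers (not captured from a real database):
// a legacy blob written by a version-12 serializer, and a blob written
// by a serializer that stamps version 12.1 using the packed scheme.
const uint8_t kLegacyV12Header[] = { 0x0C, 0x00, 0x00, 0x00 };
const uint8_t kPackedV12_1Header[] = { 0x0C, 0x00, 0x00, 0x01 };

int main()
{
    const uint32_t legacy = readVersionField(kLegacyV12Header, sizeof(kLegacyV12Header));
    const uint32_t packed = readVersionField(kPackedV12_1Header, sizeof(kPackedV12_1Header));

    // Legacy data decodes as 12.0, new data as 12.1; a 12.1-capable reader accepts both,
    // while a reader that only knows 12.0 rejects the newer blob.
    std::printf("legacy: %u.%u supported-by-12.1=%d supported-by-12.0=%d\n",
        majorVersionFor(legacy), minorVersionFor(legacy),
        isSupported(legacy, 12, 1), isSupported(legacy, 12, 0));
    std::printf("packed: %u.%u supported-by-12.1=%d supported-by-12.0=%d\n",
        majorVersionFor(packed), minorVersionFor(packed),
        isSupported(packed, 12, 1), isSupported(packed, 12, 0));
    return 0;
}
```

One consequence worth noting for anyone auditing a similar format: a pre-existing reader that still treats the whole 32 bits as a major number sees a 12.1 blob as major 16777228, far above anything it knows, so it fails the version check rather than silently parsing the array terminator with the old rules.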


  Commit: 6789d169e841c6c69cf4fc778fd139a3a2b1ac10
      https://github.com/WebKit/WebKit/commit/6789d169e841c6c69cf4fc778fd139a3a2b1ac10
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2024-03-15 (Fri, 15 Mar 2024)

  Changed paths:
    A JSTests/wasm/stress/repro_1289.js
    A JSTests/wasm/stress/repro_1289.wasm
    A JSTests/wasm/stress/repro_1289.wat
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmInstance.h
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.h
    M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
    M Source/JavaScriptCore/wasm/WasmThunks.cpp
    M Source/JavaScriptCore/wasm/WasmThunks.h

  Log Message:
  -----------
  Cherry-pick 272448.466 at safari-7618-branch (a08ba6e8c208). https://bugs.webkit.org/show_bug.cgi?id=268424

    BBQJIT OSR Entry throws stack overflow from invalid frame
    https://bugs.webkit.org/show_bug.cgi?id=268424
    rdar://121251778

    Reviewed by Yusuke Suzuki.

    In this test case, we end up in a situation where the current LLInt frame is
    above the soft stack limit. We then loop osr entry into BBQ, where we
    perform a stack check and fail, but before we finish writing the OSR
    entry buffer into our stack frame. The stack unwinder sees the BBQ callee
    and we jump to that, but the frame is uninitialized.

    The fix is twofold; we first make BBQ crash in this case to avoid a
    security issue. We do the same for OMG, just in case this bug is
    exploitable there too.

    Second, we do a stack check before performing OSR entry, and fail early.

    * JSTests/wasm/stress/repro_1289.js: Added.
    (debuggingHelper):
    (instantiateJsc):
    (async let):
    * JSTests/wasm/stress/repro_1289.wasm: Added.
    * JSTests/wasm/stress/repro_1289.wat: Added.
    * Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
    (JSC::Wasm::BBQJIT::stackCheckSize const):
    (JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
    (JSC::Wasm::parseAndCompileBBQ):
    * Source/JavaScriptCore/wasm/WasmCallee.h:
    * Source/JavaScriptCore/wasm/WasmInstance.h:
    (JSC::Wasm::Instance::softStackLimit const):
    * Source/JavaScriptCore/wasm/WasmOperations.cpp:
    (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
    * Source/JavaScriptCore/wasm/WasmOperations.h:
    * Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
    (JSC::LLInt::WASM_SLOW_PATH_DECL):
    * Source/JavaScriptCore/wasm/WasmThunks.cpp:
    (JSC::Wasm::crashDueToBBQStackOverflow):
    * Source/JavaScriptCore/wasm/WasmThunks.h:

    Canonical link: https://commits.webkit.org/272448.466@safari-7618-branch

Canonical link: https://commits.webkit.org/274313.93@webkitglib/2.44


Compare: https://github.com/WebKit/WebKit/compare/3cf2b08d49dd...6789d169e841

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
