[webkit-changes] [WebKit/WebKit] 005922: [JSC] Fix Re-entrancy in ErrorInstance::computeErr...

Ryosuke Niwa noreply at github.com
Sat Mar 16 00:50:16 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 00592216a6f11528ef9843a4a7b11d3f26b0d983
      https://github.com/WebKit/WebKit/commit/00592216a6f11528ef9843a4a7b11d3f26b0d983
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    A JSTests/stress/error-instance.js
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp

  Log Message:
  -----------
  [JSC] Fix Re-entrancy in ErrorInstance::computeErrorInfo
https://bugs.webkit.org/show_bug.cgi?id=267785
rdar://121098660

Reviewed by Yusuke Suzuki.

ErrorInstance::computeErrorInfo computes stack trace string, which may
trigger GC and re-enter to this function with the same ErrorInstance
while computing the stack string. We should defer GC after stacking trace
string is materialized.

* JSTests/stress/error-instance.js: Added.
(main.const.error):
(main):
* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::computeErrorInfo):

Originally-landed-as: 272448.260 at safari-7618-branch (ade92866440e). rdar://124555384
Canonical link: https://commits.webkit.org/276233@main


  Commit: bd9e9204f3d9e4c8ac2feb1bdf51247fadf1c5bd
      https://github.com/WebKit/WebKit/commit/bd9e9204f3d9e4c8ac2feb1bdf51247fadf1c5bd
  Author: Nisha Jain <nisha_jain at apple.com>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  "ASAN_SEGV | WebCore::Style::resolveForDocument; WebCore::Document::styleForElementIgnoringPendingStylesheets; WebCore::Element::resolveComputedStyle"
https://bugs.webkit.org/show_bug.cgi?id=267656
rdar://119187152.

Reviewed by Ryosuke Niwa.

Need to prevent attempt to load a disconnected plugin.
Not adding a new test case as could not make a reliable reproduction of this issue.

* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 272448.257 at safari-7618-branch (23c6a88ad691). rdar://124555413
Canonical link: https://commits.webkit.org/276234@main


  Commit: cabbec4bbea7104440e03c4964bc297557e80cb4
      https://github.com/WebKit/WebKit/commit/cabbec4bbea7104440e03c4964bc297557e80cb4
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    M JSTests/stress/intl-collator.js
    M JSTests/stress/intl-datetimeformat.js
    M JSTests/stress/intl-numberformat.js
    M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp

  Log Message:
  -----------
  [JSC] Use dynamic cast in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat
https://bugs.webkit.org/show_bug.cgi?id=267725
rdar://121029647

Reviewed by Yusuke Suzuki and Mark Lam.

We should ensure `thisValue` is the desired object. So, should use dynamic
cast instead in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime,
and intlNumberFormatFuncFormat.

* Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Originally-landed-as: 272448.254 at safari-7618-branch (5173338bb6f1). rdar://124555823
Canonical link: https://commits.webkit.org/276235@main


  Commit: 14b04872e30ed2b0f5a94320bd6342eaa2dce16e
      https://github.com/WebKit/WebKit/commit/14b04872e30ed2b0f5a94320bd6342eaa2dce16e
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    A LayoutTests/fast/images/image-document-event-handler-crash-expected.txt
    A LayoutTests/fast/images/image-document-event-handler-crash.html
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  Crash in ImageEventListener::handleEvent
https://bugs.webkit.org/show_bug.cgi?id=267739
rdar://118761846

Reviewed by Chris Dumez.

Use WeakPtr instead of a raw reference.

* LayoutTests/fast/images/image-document-event-handler-crash-expected.txt: Added.
* LayoutTests/fast/images/image-document-event-handler-crash.html: Added.
* Source/WebCore/html/ImageDocument.cpp:
(WebCore::ImageEventListener::handleEvent):

Originally-landed-as: 272448.253 at safari-7618-branch (b417dff04acd). rdar://124555893
Canonical link: https://commits.webkit.org/276236@main


Compare: https://github.com/WebKit/WebKit/compare/cf053c07242e...14b04872e30e

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list