[webkit-changes] [WebKit/WebKit] 6ae229: Versioning.
MyahCobbs
noreply at github.com
Tue May 14 16:13:26 PDT 2024
Branch: refs/heads/safari-7617.1.16.10-branch
Home: https://github.com/WebKit/WebKit
Commit: 6ae229cc8de1cf1571c057fe282488406d83bf14
https://github.com/WebKit/WebKit/commit/6ae229cc8de1cf1571c057fe282488406d83bf14
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7617.1.16.10.1
Identifier: 267815.519 at safari-7617.1.16.10-branch
Commit: 148583983724ef02e6d9be392737ecad37640d77
https://github.com/WebKit/WebKit/commit/148583983724ef02e6d9be392737ecad37640d77
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp
M Source/WebCore/Modules/permissions/Permissions.cpp
M Source/WebCore/Modules/storage/WorkerStorageConnection.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletThread.h
M Source/WebCore/Modules/websockets/WebSocket.cpp
M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
M Source/WebCore/dom/BroadcastChannel.cpp
M Source/WebCore/dom/ScriptExecutionContext.cpp
M Source/WebCore/loader/WorkerThreadableLoader.cpp
M Source/WebCore/loader/WorkerThreadableLoader.h
M Source/WebCore/loader/cache/MemoryCache.cpp
M Source/WebCore/page/WorkerNavigator.cpp
M Source/WebCore/workers/WorkerGlobalScope.cpp
M Source/WebCore/workers/WorkerMessagingProxy.cpp
M Source/WebCore/workers/WorkerNotificationClient.cpp
M Source/WebCore/workers/WorkerOrWorkletThread.h
M Source/WebCore/workers/WorkerThread.cpp
M Source/WebCore/workers/WorkerThread.h
M Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp
M Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp
Log Message:
-----------
Cherry-pick 4cae7c8ab138. rdar://117727810
Crash under WebCore::createMainThreadConnection(WebCore::WorkerGlobalScope&)
https://bugs.webkit.org/show_bug.cgi?id=264222
rdar://117727810
Reviewed by Darin Adler.
We're crashing when calling `createCacheStorageConnection()` on the WorkerLoaderProxy which
we got from the WorkerThread. I believe the WorkerLoaderProxy reference returned by the
WorkerThread is stale, which is possible since it keeps C++ references to its proxies.
To address the issue, I updated WorkerThread to keep raw pointers to its proxies instead of
C++ references. I am also adding a clearProxies() function to clear those raw pointers once
the proxies get destroyed. Finally, I added null checks are proxy use sites now that we null
them out.
In the future, we should convert this raw pointers into CheckedPtrs.
* Source/WebCore/Modules/badge/WorkerBadgeProxy.h:
* Source/WebCore/Modules/cache/WorkerCacheStorageConnection.cpp:
(WebCore::createMainThreadConnection):
* Source/WebCore/Modules/permissions/Permissions.cpp:
(WebCore::Permissions::query):
* Source/WebCore/Modules/storage/WorkerStorageConnection.cpp:
(WebCore::WorkerStorageConnection::getPersisted):
(WebCore::WorkerStorageConnection::getEstimate):
(WebCore::WorkerStorageConnection::fileSystemGetDirectory):
* Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::registerProcessor):
* Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp:
(WebCore::AudioWorkletMessagingProxy::~AudioWorkletMessagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.cpp:
(WebCore::AudioWorkletThread::clearProxies):
(WebCore::AudioWorkletThread::workerLoaderProxy):
(WebCore::AudioWorkletThread::messagingProxy):
* Source/WebCore/Modules/webaudio/AudioWorkletThread.h:
(WebCore::AudioWorkletThread::messagingProxy): Deleted.
* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::Bridge):
(WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadInitialize):
* Source/WebCore/dom/BroadcastChannel.cpp:
(WebCore::BroadcastChannel::MainThreadBridge::ensureOnMainThread):
* Source/WebCore/dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::postTaskToResponsibleDocument):
* Source/WebCore/loader/WorkerThreadableLoader.cpp:
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader):
* Source/WebCore/loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::removeRequestFromSessionCaches):
* Source/WebCore/page/WorkerNavigator.cpp:
(WebCore::WorkerNavigator::setAppBadge):
* Source/WebCore/workers/WorkerDebuggerProxy.h:
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::~WorkerGlobalScope):
(WebCore::WorkerGlobalScope::createRTCDataChannelRemoteHandlerConnection):
(WebCore::WorkerGlobalScope::close):
(WebCore::WorkerGlobalScope::logExceptionToConsole):
(WebCore::WorkerGlobalScope::wrapCryptoKey):
(WebCore::WorkerGlobalScope::unwrapCryptoKey):
(WebCore::WorkerGlobalScope::reportErrorToWorkerObject):
* Source/WebCore/workers/WorkerLoaderProxy.h:
* Source/WebCore/workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::~WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
* Source/WebCore/workers/WorkerNotificationClient.cpp:
(WebCore::WorkerNotificationClient::postToMainThread):
* Source/WebCore/workers/WorkerOrWorkletThread.h:
* Source/WebCore/workers/WorkerReportingProxy.h:
* Source/WebCore/workers/WorkerThread.cpp:
(WebCore::WorkerThread::workerBadgeProxy const):
(WebCore::WorkerThread::workerDebuggerProxy const):
(WebCore::WorkerThread::workerLoaderProxy):
(WebCore::WorkerThread::workerReportingProxy const):
(WebCore::WorkerThread::clearProxies):
* Source/WebCore/workers/WorkerThread.h:
(WebCore::WorkerThread::workerBadgeProxy const): Deleted.
(WebCore::WorkerThread::workerReportingProxy const): Deleted.
* Source/WebCore/workers/service/context/ServiceWorkerThreadProxy.cpp:
(WebCore::ServiceWorkerThreadProxy::~ServiceWorkerThreadProxy):
* Source/WebCore/workers/shared/context/SharedWorkerThreadProxy.cpp:
(WebCore::SharedWorkerThreadProxy::~SharedWorkerThreadProxy):
Canonical link: https://commits.webkit.org/267815.537@safari-7617-branch
Identifier: 267815.520 at safari-7617.1.16.10-branch
Commit: 53b4f7dafd773a864861da6586e2846b52048a6b
https://github.com/WebKit/WebKit/commit/53b4f7dafd773a864861da6586e2846b52048a6b
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7617.1.16.10.2
Identifier: 267815.521 at safari-7617.1.16.10-branch
Commit: dc970450a8d03977a3b40bc7c8ba4d8d9e54f0c4
https://github.com/WebKit/WebKit/commit/dc970450a8d03977a3b40bc7c8ba4d8d9e54f0c4
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Source/WebCore/platform/graphics/FontCascade.cpp
M Source/WebCore/platform/graphics/FontCascadeFonts.cpp
M Source/WebCore/platform/graphics/FontRanges.cpp
M Source/WebCore/platform/graphics/GlyphPage.h
Log Message:
-----------
Cherry-pick ef2295446d89. rdar://117905809
Use GlyphData.isValid() consistently for checking whether GlyphData is valid.
https://bugs.webkit.org/show_bug.cgi?id=264130
rdar://117905809
Reviewed by Tim Nguyen.
Replace GlyphData validity checks using .glyph and .font directly with .isValid().
Make .isValid() return false even if .glyph is non-zero and .font is null
(which should never happen) since a .font null check isn't expensive anyway.
* Source/WebCore/platform/graphics/FontCascade.cpp:
(WebCore::FontCascade::fontForCombiningCharacterSequence const):
* Source/WebCore/platform/graphics/FontCascadeFonts.cpp:
(WebCore::FontCascadeFonts::GlyphPageCacheEntry::setGlyphDataForCharacter):
(WebCore::FontCascadeFonts::glyphDataForSystemFallback):
(WebCore::FontCascadeFonts::glyphDataForVariant):
(WebCore::FontCascadeFonts::glyphDataForCharacter):
* Source/WebCore/platform/graphics/FontRanges.cpp:
(WebCore::FontRanges::glyphDataForCharacter const):
* Source/WebCore/platform/graphics/GlyphPage.h:
(WebCore::GlyphData::isValid const):
Canonical link: https://commits.webkit.org/270299@main
Identifier: 267815.522 at safari-7617.1.16.10-branch
Commit: e7e6ce5d47ae45ba74b1b2d6a48c30c5717218fa
https://github.com/WebKit/WebKit/commit/e7e6ce5d47ae45ba74b1b2d6a48c30c5717218fa
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M Source/WebCore/platform/graphics/FontRanges.cpp
Log Message:
-----------
Unreviewed fix. rdar://117905809
Identifier: 267815.523 at safari-7617.1.16.10-branch
Commit: c9941f3a13740e86f14cf5e8306bd5b4ef2c760a
https://github.com/WebKit/WebKit/commit/c9941f3a13740e86f14cf5e8306bd5b4ef2c760a
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
A LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt
A LayoutTests/storage/indexeddb/abort-index-rename-crash.html
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h
Log Message:
-----------
Cherry-pick 64bcd93cbc55. rdar://117463447
jsc_fuz/wktr: heap-use-after-free in WebCore::IDBServer::MemoryObjectStore::takeIndexByIdentifier(unsigned long long) MemoryObjectStore.cpp:128.
https://bugs.webkit.org/show_bug.cgi?id=264180
rdar://117463447
Reviewed by Sihui Liu.
MemoryIndex now keeps WeakPtr to MemoryObjectStore 'm_objectStore' and checks its validity before using it. Also RefPtr conversion from WeakPtr using get() API as applicable.
* LayoutTests/storage/indexeddb/abort-index-rename-crash-expected.txt: Added the test expected file.
* LayoutTests/storage/indexeddb/abort-index-rename-crash.html: Added the test case.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: Checks the validity of MemoryObjectStore pointer before using.
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexRenamed):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp: Changed direct reference to WeakPtr. Also used RefPtr conversion using get() API as applicable.
(WebCore::IDBServer::MemoryIndex::objectStoreCleared):
(WebCore::IDBServer::MemoryIndex::clearIndexValueStore):
(WebCore::IDBServer::MemoryIndex::replaceIndexValueStore):
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange const):
(WebCore::IDBServer::MemoryIndex::getAllRecords const):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h: Changed direct reference to WeakPtr.
(WebCore::IDBServer::MemoryIndex::objectStore):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp: Used RefPtr conversion using get() API for MemoryIndex based MemoryObjectStore object.
(WebCore::IDBServer::MemoryIndexCursor::currentData):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:
Canonical link: https://commits.webkit.org/267815.545@safari-7617-branch
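The two crash fixes above (the stale WorkerLoaderProxy reference in 267815.519 and the freed MemoryObjectStore behind MemoryIndex in 267815.523) apply the two usual remedies for a held reference that can outlive its target: a raw pointer that the owner explicitly nulls out before the target is freed, with a null check at every use site, and a weak pointer that is checked on every use. The C++ below is an added example written for this page, not WebKit code: LoaderProxy, WorkerThreadLike, ObjectStoreLike and IndexLike are hypothetical stand-ins for the classes named in the commit messages, and std::weak_ptr plays the role of WTF::WeakPtr.

```cpp
// Added example (not WebKit code). All class names are hypothetical stand-ins.
#include <memory>
#include <string>
#include <utility>

// --- Pattern 1: raw pointer + explicit clearProxies() + null check at use sites ---

class LoaderProxy {
public:
    explicit LoaderProxy(std::string name) : m_name(std::move(name)) {}
    const std::string& name() const { return m_name; }
private:
    std::string m_name;
};

class WorkerThreadLike {
public:
    explicit WorkerThreadLike(LoaderProxy& proxy) : m_loaderProxy(&proxy) {}
    // Raw pointer accessor: may return null once the proxy is gone.
    LoaderProxy* workerLoaderProxy() const { return m_loaderProxy; }
    // Called by the proxy before it is destroyed, so the thread never keeps a
    // pointer to freed memory.
    void clearProxies() { m_loaderProxy = nullptr; }
private:
    LoaderProxy* m_loaderProxy;
};

// Use site, the analogue of the null check added to createMainThreadConnection():
// refuse to proceed instead of dereferencing a stale pointer.
bool createConnection(const WorkerThreadLike& thread, std::string& outName) {
    LoaderProxy* proxy = thread.workerLoaderProxy();
    if (!proxy)
        return false;
    outName = proxy->name();
    return true;
}

// Drives the proxy lifecycle; returns {connected before clear, connected after clear}.
std::pair<bool, bool> demoProxyClearing() {
    std::string name;
    auto proxy = std::make_unique<LoaderProxy>("main-thread-loader");  // constructed sample
    WorkerThreadLike thread(*proxy);
    bool before = createConnection(thread, name);
    // The proxy is about to die: clear the thread's pointer first (as a proxy
    // destructor would), then free the proxy.
    thread.clearProxies();
    proxy.reset();
    bool after = createConnection(thread, name);  // sees null, returns false
    return {before, after};
}

// --- Pattern 2: weak pointer promoted and checked on every use ---

class ObjectStoreLike {
public:
    explicit ObjectStoreLike(unsigned id) : m_id(id) {}
    unsigned identifier() const { return m_id; }
private:
    unsigned m_id;
};

class IndexLike {
public:
    explicit IndexLike(const std::shared_ptr<ObjectStoreLike>& store) : m_objectStore(store) {}
    // Promote the weak pointer to a strong one for the duration of the call
    // (std::weak_ptr::lock() stands in for WeakPtr::get() plus a RefPtr).
    bool objectStoreIdentifier(unsigned& outId) const {
        if (auto store = m_objectStore.lock()) {
            outId = store->identifier();
            return true;
        }
        return false;  // store already freed: do nothing rather than use freed memory
    }
private:
    std::weak_ptr<ObjectStoreLike> m_objectStore;
};

// Returns {lookup succeeded while store alive, lookup succeeded after store freed}.
std::pair<bool, bool> demoWeakPtr() {
    unsigned id = 0;
    auto store = std::make_shared<ObjectStoreLike>(128);  // constructed sample
    IndexLike index(store);
    bool before = index.objectStoreIdentifier(id);
    store.reset();  // the owner drops the store; the index's weak pointer expires
    bool after = index.objectStoreIdentifier(id);
    return {before, after};
}
```

Both patterns trade a crash (or worse, a use of freed memory) for a silent no-op at the use site, which is why each commit message also lists every call site that gained a check: the fix is only complete when no caller dereferences the pointer unconditionally.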
Commit: 6d130a627befff27108f046b1e31eb039a1920e7
https://github.com/WebKit/WebKit/commit/6d130a627befff27108f046b1e31eb039a1920e7
Author: Myah Cobbs <mcobbs at apple.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fast/multicol/last-set-crash-expected.txt
A LayoutTests/fast/multicol/last-set-crash.html
M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
M Source/WebCore/rendering/RenderMultiColumnFlow.h
Log Message:
-----------
Cherry-pick f524a15d0633. rdar://114559559
WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo()
https://bugs.webkit.org/show_bug.cgi?id=264327
rdar://114559559
Reviewed by Alan Baradlay.
* LayoutTests/TestExpectations:
Skip test on debug due to some assertion failures.
* LayoutTests/fast/multicol/last-set-crash-expected.txt: Added.
* LayoutTests/fast/multicol/last-set-crash.html: Added.
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::fragmentAtBlockOffset const):
Tree mutations may have made m_lastSetWorkedOn cache invalid by moving the multicolumn set under a different multicolumn flow.
Check for this.
* Source/WebCore/rendering/RenderMultiColumnFlow.h:
Also make it use WeakPtr.
Canonical link: https://commits.webkit.org/267815.546@safari-7617-branch
Compare: https://github.com/WebKit/WebKit/compare/6ae229cc8de1%5E...6d130a627bef