[webkit-changes] [WebKit/WebKit] 96f558: WASM unreachable code validation is broken

Rob Buis noreply at github.com
Thu May 16 12:54:36 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 96f558b446153e1417a8df780d22e338091d86a6
      https://github.com/WebKit/WebKit/commit/96f558b446153e1417a8df780d22e338091d86a6
  Author: Mikhail R. Gadelha <mikhail at igalia.com>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A JSTests/wasm/stress/wasm-unreachable-br-block.js
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h

  Log Message:
  -----------
  WASM unreachable code validation is broken
https://bugs.webkit.org/show_bug.cgi?id=265425
rdar://103288466

Reviewed by Keith Miller.

This patch fixes an assertion failure in the unreachable code parser
when the target of a br instruction is a block that was not added into
the control stack.

The code that checks the br target now takes into account the number of
unreachable blocks, if the br instruction is also unreachable. This is
similar to the solution employed by parseDelegateTarget and should
support cases when block, if, try, and loop were not added to the control
stack.

* JSTests/wasm/stress/wasm-unreachable-br-block.js: Added.
(async test):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseBranchTarget):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

Originally-landed-as: 274097.7 at webkit-2024.2-embargoed (ab8e4a4470bb). rdar://128090590
Canonical link: https://commits.webkit.org/278882@main
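The following is an added example, not WebKit's code, of the control-stack bookkeeping the commit message describes: blocks opened while the parser is already in unreachable code are counted rather than pushed, so a br depth in that region has to subtract the unreachable-block count before indexing the real control stack. The Validator, BlockKind, BranchTarget and resolveInDemo names, the unreachableBlocks counter and the scenario built in buildDemo are all constructed for this illustration and do not correspond to JavaScriptCore's WasmFunctionParser.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

enum class BlockKind { Block, Loop, If, Try };

struct ControlEntry {
    BlockKind kind;
    bool unreachable = false; // set once the rest of this block is dead code
};

// Result of resolving `br depth` (constructed for this example).
struct BranchTarget {
    bool valid = false;                  // false: depth points past the outermost block
    bool insideUnreachableBlocks = false; // true: target was never pushed on the control stack
    size_t stackIndex = 0;               // index into controlStack when valid && !insideUnreachableBlocks
};

struct Validator {
    std::vector<ControlEntry> controlStack;
    // Hypothetical counter: blocks opened while the current block is already
    // unreachable are only counted, not pushed, as the commit message describes.
    size_t unreachableBlocks = 0;

    bool isUnreachable() const {
        return !controlStack.empty() && controlStack.back().unreachable;
    }

    void open(BlockKind kind) {
        if (isUnreachable()) {
            ++unreachableBlocks; // nested dead block: no control-stack entry
            return;
        }
        controlStack.push_back({ kind });
    }

    void close() {
        if (unreachableBlocks > 0) {
            --unreachableBlocks;
            return;
        }
        if (!controlStack.empty())
            controlStack.pop_back();
    }

    // Called after an unconditional `br`, `return`, `unreachable`, etc.
    void markUnreachable() {
        if (!controlStack.empty())
            controlStack.back().unreachable = true;
    }

    BranchTarget branchTarget(size_t depth) const {
        BranchTarget target;
        size_t effectiveDepth = depth;
        if (isUnreachable()) {
            if (depth < unreachableBlocks) {
                // Target is one of the counted-but-not-pushed blocks: accepted
                // without indexing the control stack at all.
                target.valid = true;
                target.insideUnreachableBlocks = true;
                return target;
            }
            effectiveDepth = depth - unreachableBlocks;
        }
        if (effectiveDepth >= controlStack.size())
            return target; // out of range: a validation error, not an assertion
        target.valid = true;
        target.stackIndex = controlStack.size() - 1 - effectiveDepth;
        return target;
    }
};

// Constructed scenario: block, loop, dead code begins, then a block and an if
// are opened inside the dead code (counted only, never pushed).
Validator buildDemo() {
    Validator v;
    v.open(BlockKind::Block);
    v.open(BlockKind::Loop);
    v.markUnreachable(); // e.g. an unconditional br ended the loop body's live code
    v.open(BlockKind::Block);
    v.open(BlockKind::If);
    return v;
}

BranchTarget resolveInDemo(size_t depth) { return buildDemo().branchTarget(depth); }

// Without the adjustment, a raw depth of 3 would index a two-entry control
// stack: the kind of mismatch the commit message reports as an assertion failure.
bool rawDepthOverflowsStack(size_t depth) { return depth >= buildDemo().controlStack.size(); }

int main() {
    for (size_t depth = 0; depth <= 4; ++depth) {
        BranchTarget t = resolveInDemo(depth);
        std::printf("br %zu: valid=%d unreachableTarget=%d stackIndex=%zu\n",
            depth, t.valid, t.insideUnreachableBlocks, t.stackIndex);
    }
    return 0;
}
```

In the constructed scenario, br 0 and br 1 target the two counted blocks, br 2 and br 3 resolve to the loop and the outer block on the real stack, and br 4 is rejected as out of range instead of tripping an assertion.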


  Commit: 72485b3a40e30c94b4394e7bac01af3159debbd6
      https://github.com/WebKit/WebKit/commit/72485b3a40e30c94b4394e7bac01af3159debbd6
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A LayoutTests/fast/css/repeating-conic-gradient-small-range-expected.txt
    A LayoutTests/fast/css/repeating-conic-gradient-small-range.html
    A LayoutTests/fast/css/repeating-linear-gradient-small-range-expected.txt
    A LayoutTests/fast/css/repeating-linear-gradient-small-range.html
    A LayoutTests/fast/css/repeating-radial-gradient-small-range-expected.txt
    A LayoutTests/fast/css/repeating-radial-gradient-small-range.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/rendering/style/StyleGradientImage.cpp

  Log Message:
  -----------
  ASAN_ILL | WTF::Vector::expandCapacity; WTF::Vector::expandCapacity; WebCore::StyleGradientImage::computeStops
https://bugs.webkit.org/show_bug.cgi?id=264639
rdar://114069174

Reviewed by Antti Koivisto.

When working with repeating gradients, more care should be put into limiting the
amount of stops that can be additionally generated. If the original gradient
range is already too small, the extra stops are not generated. Once the number
of additional stops is calculated, the generation proceeds only if that number
is below some reasonable limit. That generation is also improved slightly by
creating a separate Vector of gradient stops that then simply replaces the
original one.

* LayoutTests/fast/css/repeating-conic-gradient-small-range-expected.txt: Added.
* LayoutTests/fast/css/repeating-conic-gradient-small-range.html: Added.
* LayoutTests/fast/css/repeating-linear-gradient-small-range-expected.txt: Added.
* LayoutTests/fast/css/repeating-linear-gradient-small-range.html: Added.
* LayoutTests/fast/css/repeating-radial-gradient-small-range-expected.txt: Added.
* LayoutTests/fast/css/repeating-radial-gradient-small-range.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/rendering/style/StyleGradientImage.cpp:
(WebCore::StyleGradientImage::computeStops const):

Originally-landed-as: 274097.8 at webkit-2024.2-embargoed (efd994a148b6). rdar://128090422
Canonical link: https://commits.webkit.org/278883@main
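As an added example that is not WebKit's code, the function below shows the two guards the commit message describes for repeating gradients: decline to expand when the original range is too small, compute the number of additional stops before allocating anything and decline when it exceeds a limit, and otherwise build the replacement stop list as a separate vector. GradientStop, RepeatResult, the kMinimumRepeatRange and kMaximumGeneratedStops limits, and the demo inputs are all constructed for this illustration; they are not StyleGradientImage's types or thresholds.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <vector>

struct GradientStop {
    double offset;  // position along the gradient line; the base range is [0, 1]
    unsigned color; // packed RGBA, irrelevant to the example
};

enum class RepeatStatus { Expanded, RangeTooSmall, TooManyStops };

struct RepeatResult {
    RepeatStatus status;
    std::vector<GradientStop> stops; // the replacement list when status == Expanded
};

// Hypothetical limits, constructed for this example.
constexpr double kMinimumRepeatRange = 1e-6;
constexpr size_t kMaximumGeneratedStops = 1000;

RepeatResult repeatStops(const std::vector<GradientStop>& original) {
    if (original.size() < 2)
        return { RepeatStatus::RangeTooSmall, {} };
    const double first = original.front().offset;
    const double last = original.back().offset;
    const double range = last - first;
    // First guard: a period this small would need an absurd number of copies.
    if (range < kMinimumRepeatRange)
        return { RepeatStatus::RangeTooSmall, {} };

    // Copies needed before `first` and after `last` to cover [0, 1].
    const size_t copiesBefore = first > 0 ? static_cast<size_t>(std::ceil(first / range)) : 0;
    const size_t copiesAfter = last < 1 ? static_cast<size_t>(std::ceil((1 - last) / range)) : 0;
    const size_t copies = copiesBefore + 1 + copiesAfter;
    const size_t total = copies * original.size();
    // Second guard: the stop count is known before any allocation happens.
    if (total > kMaximumGeneratedStops)
        return { RepeatStatus::TooManyStops, {} };

    // Build the replacement list separately, then hand it back whole.
    std::vector<GradientStop> expanded;
    expanded.reserve(total);
    for (size_t i = 0; i < copies; ++i) {
        const double shift = (static_cast<double>(i) - static_cast<double>(copiesBefore)) * range;
        for (const GradientStop& stop : original)
            expanded.push_back({ stop.offset + shift, stop.color });
    }
    return { RepeatStatus::Expanded, expanded };
}

// Constructed inputs exercising the three outcomes.
RepeatResult demoNormal() { return repeatStops({ { 0.25, 0xff0000ffu }, { 0.5, 0x0000ffffu } }); }
RepeatResult demoTinyRange() { return repeatStops({ { 0.5, 0xff0000ffu }, { 0.5 + 1e-9, 0x0000ffffu } }); }
RepeatResult demoTooMany() { return repeatStops({ { 0.0, 0xff0000ffu }, { 0.0005, 0x0000ffffu } }); }

int main() {
    std::printf("normal: status=%d stops=%zu\n", static_cast<int>(demoNormal().status), demoNormal().stops.size());
    std::printf("tiny range: status=%d\n", static_cast<int>(demoTinyRange().status));
    std::printf("too many: status=%d\n", static_cast<int>(demoTooMany().status));
    return 0;
}
```

The order of the checks matters: the range check runs before the division so a near-zero period never produces a huge copy count, and the count check runs before reserve() so the vector never grows toward the size that the ASAN report in the title points at.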


  Commit: 3f5fc52ff3ea57f51b2a004ea0e47542b13ad1ae
      https://github.com/WebKit/WebKit/commit/3f5fc52ff3ea57f51b2a004ea0e47542b13ad1ae
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt
    A LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  HTMLPlugInImageElement: verify that element is in same document before requesting a load
https://bugs.webkit.org/show_bug.cgi?id=268769
rdar://121960561

Reviewed by Ryosuke Niwa.

The testcase shows a scenario where a plugin is set up to start loading the plugin contents
from an event loop; however, before the event loop is started, the rest of the script will run, which
moves the plugin to a different document, thus hitting an ASSERT in WebFrame::createSubframe when the load
is performed. Protect against this by returning early when this situation is detected in the event loop.

* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt: Added.
* LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 274097.9 at webkit-2024.2-embargoed (f81d56c47751). rdar://128089895
Canonical link: https://commits.webkit.org/278884@main
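The following is an added example, not WebKit's code, of the pattern the commit message describes: a load is scheduled on an event loop, script moves the element to another document before the loop runs, and the scheduled task returns early because the element is no longer in the document it was scheduled from. Document, PlugInElement, EventLoop, the hasFrame flag and the simulate scenario are all constructed stand-ins for this illustration; requestObject here is a toy, not HTMLPlugInImageElement::requestObject.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

struct Document {
    std::string name;
    bool hasFrame; // hypothetical: a frameless document cannot create subframes
};

struct PlugInElement {
    Document* document; // non-owning; changes when script moves the element
};

// Minimal stand-in for an event loop: tasks run only when runAll() is called.
struct EventLoop {
    std::vector<std::function<void()>> tasks;
    void runAll() {
        std::vector<std::function<void()>> pending;
        pending.swap(tasks);
        for (auto& task : pending)
            task();
    }
};

enum class LoadOutcome { NotRun, Loaded, SkippedDocumentChanged, SkippedNoFrame };

// Schedules the plug-in load and remembers which document it was scheduled from.
void requestObject(PlugInElement& element, EventLoop& loop, LoadOutcome& outcome) {
    Document* scheduledDocument = element.document;
    loop.tasks.push_back([&element, &outcome, scheduledDocument]() {
        // Early return: the element was moved between scheduling and execution.
        if (element.document != scheduledDocument) {
            outcome = LoadOutcome::SkippedDocumentChanged;
            return;
        }
        if (!element.document->hasFrame) {
            outcome = LoadOutcome::SkippedNoFrame;
            return;
        }
        outcome = LoadOutcome::Loaded; // the subframe would be created here
    });
}

// Constructed scenario: script schedules the load and, when moveBeforeLoop is
// true, adopts the element into a frameless document before the loop runs.
LoadOutcome simulate(bool moveBeforeLoop) {
    Document framed { "main", true };
    Document frameless { "detached", false };
    PlugInElement plugin { &framed };
    EventLoop loop;
    LoadOutcome outcome = LoadOutcome::NotRun;
    requestObject(plugin, loop, outcome);
    if (moveBeforeLoop)
        plugin.document = &frameless;
    loop.runAll();
    return outcome;
}

int main() {
    std::printf("undisturbed: %d\n", static_cast<int>(simulate(false)));
    std::printf("moved first: %d\n", static_cast<int>(simulate(true)));
    return 0;
}
```

The general lesson for any deferred task in a DOM-like tree is the same: state captured at scheduling time is only a hint, and the task must re-validate the element's current document (and anything derived from it) before doing work that assumes the original context.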


Compare: https://github.com/WebKit/WebKit/compare/26dd802ebb28...3f5fc52ff3ea
