[webkit-changes] [WebKit/WebKit] d40f26: Cherry-pick 282366 at main (a253c001711d). https://bu...
Jean-Yves Avenard
noreply at github.com
Wed Sep 4 05:35:26 PDT 2024
Branch: refs/heads/webkitglib/2.44
Home: https://github.com/WebKit/WebKit
Commit: d40f26d3f7f07b8f79b866b08aec032d1064db32
https://github.com/WebKit/WebKit/commit/d40f26d3f7f07b8f79b866b08aec032d1064db32
Author: Charlie Wolfe <charliew at apple.com>
Date: 2024-09-04 (Wed, 04 Sep 2024)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 282366 at main (a253c001711d). https://bugs.webkit.org/show_bug.cgi?id=278214
Crash in `Messages::WebPage::PerformDragControllerAction` reply
https://bugs.webkit.org/show_bug.cgi?id=278214
rdar://124961036
Reviewed by Pascoe.
Crash logs indicate that m_pageClient can be null if this completion handler is called as a result of
the web process terminating.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::performDragControllerAction):
Canonical link: https://commits.webkit.org/282366@main
Canonical link: https://commits.webkit.org/274313.411@webkitglib/2.44
Commit: e6041cea9d0138f150772d57590a2a87ae101d9f
https://github.com/WebKit/WebKit/commit/e6041cea9d0138f150772d57590a2a87ae101d9f
Author: Vitaly Dyachkov <vitaly at igalia.com>
Date: 2024-09-04 (Wed, 04 Sep 2024)
Changed paths:
M LayoutTests/TestExpectations
M Source/WebCore/rendering/RenderMultiColumnFlow.cpp
Log Message:
-----------
Cherry-pick 282127 at main (243516e30c68). https://bugs.webkit.org/show_bug.cgi?id=277946
[Debug] `fast/multicol/crash-in-vertical-writing-mode.html` is a constant crash
https://bugs.webkit.org/show_bug.cgi?id=277946
Reviewed by Alan Baradlay.
In some circumstances `RenderMultiColumnFlow::updateMinimumPageHeight()`
is being called when the fragments are still invalid and the assertion
`ASSERT(!m_fragmentsInvalidated)` is reached in
`RenderFragmentedFlow::fragmentAtBlockOffset()`.
To prevent this, we should check that
`RenderFragmentedFlow::hasValidFragmentInto()`.
This patch doesn't change the behaviour in the release build, but
prevents a crash in the debug build.
* LayoutTests/TestExpectations:
* Source/WebCore/rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::updateMinimumPageHeight):
Canonical link: https://commits.webkit.org/282127@main
Canonical link: https://commits.webkit.org/274313.412@webkitglib/2.44
Commit: 5f48d180c1b77bccd1140cdfda1f75a3329b26f8
https://github.com/WebKit/WebKit/commit/5f48d180c1b77bccd1140cdfda1f75a3329b26f8
Author: Jean-Yves Avenard <jya at apple.com>
Date: 2024-09-04 (Wed, 04 Sep 2024)
Changed paths:
M Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/refmvs.c
Log Message:
-----------
Cherry-pick 281794 at main (b8956add1330). <bug>
Potential 'overread' issue committed to upstream dav1d
https://bugs.webkit.org/show_bug.cgi?id=274070
rdar://125547790
Reviewed by Youenn Fablet.
The refmvs_block struct is only 12 bytes large but it's accessed
using 16-byte unaligned loads in asm.
In order to avoid reading past the end of the allocated buffer
we therefore need to pad the allocation size by 4 bytes.
Fix from upstream 076955a1534bb49325a2252f6a1f494674e5363a
* Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/refmvs.c:
(dav1d_refmvs_init_frame):
Originally-landed-as: 272448.1027 at safari-7618-branch (17ea9a97d6d4). rdar://132954870
Canonical link: https://commits.webkit.org/281794@main
Canonical link: https://commits.webkit.org/274313.413@webkitglib/2.44
Compare: https://github.com/WebKit/WebKit/compare/3c7a03e5c3e8...5f48d180c1b7
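The padding rule from the dav1d commit above (12-byte elements read with 16-byte unaligned loads), as an added example that is not code from dav1d or WebKit: a bounds-checked stand-in for the wide load counts how many per-element loads leave the allocation with and without the 4 bytes of padding. The names `tail_overread`, `wide_load` and `count_overreads` are hypothetical, and a plain byte buffer stands in for the `refmvs_block` array.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_SIZE  12u /* refmvs_block size stated in the commit message */
#define LOAD_WIDTH 16u /* width of the unaligned loads stated there */

/* Bytes a load_width-wide load of the last element reads past the array. */
static size_t tail_overread(size_t elem_size, size_t load_width) {
    return load_width > elem_size ? load_width - elem_size : 0;
}

/* Bounds-checked stand-in for the wide load of element idx:
 * 0 on success, -1 if the load would leave the allocation. */
static int wide_load(const uint8_t *buf, size_t size, size_t idx,
                     uint8_t out[LOAD_WIDTH]) {
    size_t off = idx * ELEM_SIZE;
    if (off > size || size - off < LOAD_WIDTH)
        return -1;
    memcpy(out, buf + off, LOAD_WIDTH);
    return 0;
}

/* Allocate n elements (n >= 1), padded or not, and count how many
 * per-element wide loads would read outside the allocation.
 * Returns SIZE_MAX on size overflow or allocation failure. */
static size_t count_overreads(size_t n, int padded) {
    size_t pad = padded ? tail_overread(ELEM_SIZE, LOAD_WIDTH) : 0;
    if (n == 0 || n > (SIZE_MAX - pad) / ELEM_SIZE)
        return SIZE_MAX;
    size_t size = n * ELEM_SIZE + pad;
    uint8_t *buf = calloc(1, size);
    if (!buf)
        return SIZE_MAX;
    size_t bad = 0;
    uint8_t lane[LOAD_WIDTH];
    for (size_t i = 0; i < n; i++)
        if (wide_load(buf, size, i, lane) != 0)
            bad++;
    free(buf);
    return bad;
}

int main(void) {
    printf("unpadded: %zu out-of-bounds load(s)\n", count_overreads(64, 0));
    printf("padded:   %zu out-of-bounds load(s)\n", count_overreads(64, 1));
    return 0;
}
```

Only the load of the final element crosses the end of the unpadded buffer, which is why a fixed pad of `LOAD_WIDTH - ELEM_SIZE` bytes is enough regardless of the element count.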