[webkit-changes] [WebKit/WebKit] 8a1997: [JSC] PropertyCondition::isStillValidAssumingImpur...

2023-08-04 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a1997806028a9b1490488a6503a238dca0239ff
  
https://github.com/WebKit/WebKit/commit/8a1997806028a9b1490488a6503a238dca0239ff
  Author: Alexey Shvayka 
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
M Source/JavaScriptCore/bytecode/PropertyCondition.cpp

  Log Message:
  ---
  [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() 
should take non-reified static properties into account
https://bugs.webkit.org/show_bug.cgi?id=255952


Reviewed by Yusuke Suzuki.

Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the structure's non-reified static properties against the condition. This can lead to incorrect analysis of side effects: an AbsenceOfSetEffect condition with a non-reified static setter is considered pure even though a setter with arbitrary code can be invoked.

This patch fixes the AbsenceOfSetEffect validity check for structures with non-reified static properties while taking extra care to make the fix as precise as possible to avoid unnecessary slowdowns.

* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):

Originally-landed-as: 259548.775@safari-7615-branch (ffe32d106cb2). 
rdar://113160398
Canonical link: https://commits.webkit.org/266582@main


  Commit: e4c0a68634713df2f29808131c7dca900a3dc7e7
  
https://github.com/WebKit/WebKit/commit/e4c0a68634713df2f29808131c7dca900a3dc7e7
  Author: Youenn Fablet 
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/platform/cocoa/SharedVideoFrameInfo.h
M Source/WebCore/platform/cocoa/SharedVideoFrameInfo.mm

  Log Message:
  ---
  [GPUP][CoreIPC] Integer overflow in SharedVideoFrameInfo::storageSize leading 
to OOB read
rdar://107023292

Reviewed by Eric Carlson.

Compute with safeMultiply/safeAdd the total size of the frame.
If there is an overflow, we now fail the decoding of SharedVideoFrameInfo.
We store the size of the frame in SharedVideoFrameInfo to not recompute it a second time.

Covered by provided IPC test.

* LayoutTests/ipc/shared-video-frame-size-expected.txt: Added.
* LayoutTests/ipc/shared-video-frame-size.html: Added.
* LayoutTests/platform/mac-wk1/TestExpectations:
* Source/WebCore/platform/cocoa/SharedVideoFrameInfo.h:
* Source/WebCore/platform/cocoa/SharedVideoFrameInfo.mm:
(WebCore::SharedVideoFrameInfo::storageSize const):
(WebCore::SharedVideoFrameInfo::decode):

Originally-landed-as: 259548.590@safari-7615-branch (dd4ad7b0b286). 
rdar://113166244
Canonical link: https://commits.webkit.org/266583@main


  Commit: 549d44e287b72e8ef61a07b54494990d8528307e
  
https://github.com/WebKit/WebKit/commit/549d44e287b72e8ef61a07b54494990d8528307e
  Author: Chirag M Shah 
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt
A LayoutTests/fullscreen/exit-full-screen-video-crash.html
A LayoutTests/platform/gtk/fullscreen/exit-full-screen-video-crash-expected.txt
M Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm

  Log Message:
  ---
  Fix crash when HTMLMediaElement::exitFullscreen is called on a video
element which is not currently full screen
https://bugs.webkit.org/show_bug.cgi?id=255970
rdar://108489504

Reviewed by Jer Noble.

This change fixes an issue where exitFullScreen is called on video, but
the current full screen element is div, due to which we end up
scheduling the webkitendfullscreenEvent event for video, which trips
over an assertion.

* LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt: Added.
* LayoutTests/fullscreen/exit-full-screen-video-crash.html: Added.
* Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm:
(WebKit::VideoFullscreenManager::exitVideoFullscreenForVideoElement):
(WebKit::VideoFullscreenManager::exitVideoFullscreenToModeWithoutAnimation):

Originally-landed-as: 259548.703@safari-7615-branch (0ffc79d64999). 
rdar://113167859
Canonical link: https://commits.webkit.org/266584@main


  Commit: 067d7d9bd14860f25f32e8334c8c6b0898b08979
  
https://github.com/WebKit/WebKit/commit/067d7d9bd14860f25f32e8334c8c6b0898b08979
  Author: Arunsundar Kannan 
  Date:   2023-08-04 (Fri, 04 Aug 2023)

  Changed paths:
A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt
A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html

  Log Message:
  ---
  Fix type confusion

[webkit-changes] [WebKit/WebKit] 51d7c7: Renderinline::offsetForInFlowPositionedInline caus...

2023-07-31 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 51d7c7775f9625ce5679c11768b50eea2520b905
  
https://github.com/WebKit/WebKit/commit/51d7c7775f9625ce5679c11768b50eea2520b905
  Author: Arunsundar Kannan 
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  ---
RenderInline::offsetForInFlowPositionedInline causes a null-deref of a layout box on repaint.
https://bugs.webkit.org/show_bug.cgi?id=22.
rdar://107952390.

Reviewed by Alan Baradlay.

Line layout codepath invalidation is triggered by JS which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations, which call offsetForInFlowPositionedInline in the case of inline boxes. This tries to access the lineBoxes associated with the renderers, but they were invalidated by previous repaints. This leads to a null deref of the line boxes.

* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::isLineLayoutPresent const):
* Source/WebCore/rendering/RenderBlockFlow.h:
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::offsetForInFlowPositionedInline const):

Originally-landed-as: 259548.678@safari-7615-branch (7c662f5b36e3). 
rdar://107952390
Canonical link: https://commits.webkit.org/266452@main


___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [WebKit/WebKit] 64b84d: Fix type confusion in StyleBuilder::ConvertGridTra...

2023-07-31 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 64b84dc3788d87886b69f38a58f9a693f7443c10
  
https://github.com/WebKit/WebKit/commit/64b84dc3788d87886b69f38a58f9a693f7443c10
  Author: Arunsundar Kannan 
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt
A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html
M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  ---
  Fix type confusion in StyleBuilder::ConvertGridTrackSizeList.
https://bugs.webkit.org/show_bug.cgi?id=256055.
rdar://108501981.

Reviewed by Antti Koivisto.

This change fixes convertGridTrackSizeList so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertGridTrackSizeList):

Originally-landed-as: 259548.746@safari-7615-branch (1b98f8905ce2). 
rdar://108501981
Canonical link: https://commits.webkit.org/266445@main


[webkit-changes] [WebKit/WebKit] 89d106: Address coding style violation in 0875b59.

2023-06-20 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 89d1067e358bcb504a285158f649d7404f81c21c
  
https://github.com/WebKit/WebKit/commit/89d1067e358bcb504a285158f649d7404f81c21c
  Author: Arunsundar Kannan 
  Date:   2023-06-20 (Tue, 20 Jun 2023)

  Changed paths:
M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  ---
  Address coding style violation in 0875b59.
https://bugs.webkit.org/show_bug.cgi?id=258308.
rdar://108900492.

Reviewed by Tim Nguyen.

Removed the coding style violations introduced in the above commit.

* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertShapeValue):

Canonical link: https://commits.webkit.org/265325@main


[webkit-changes] [WebKit/WebKit] 0e26fb: Assertion failure in GridIterator ASSERT(m_grid.nu...

2023-05-23 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0e26fb7015a6a98eaf2a59fd616efaba4988e207
  
https://github.com/WebKit/WebKit/commit/0e26fb7015a6a98eaf2a59fd616efaba4988e207
  Author: Arunsundar Kannan 
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
A LayoutTests/fast/css-grid-layout/gridmatrix-columnSize-failure-expected.txt
A LayoutTests/fast/css-grid-layout/gridmatrix-columnSize-failure.html
M Source/WebCore/rendering/Grid.cpp
M Source/WebCore/rendering/Grid.h

  Log Message:
  ---
  Assertion failure in GridIterator ASSERT(m_grid.numTracks(ForColumns))
https://bugs.webkit.org/show_bug.cgi?id=253127
rdar://105548703

Reviewed by Matt Woodrow.

The grid matrix for a subgrid of an element in the row-axis has one row with no columns, which are then lazily created as needed. An assertion in the GridIterator constructor fails as the column size is zero. This change additionally checks the maximum Columns ivar of the grid class to assert only for valid cases.

* Source/WebCore/rendering/Grid.cpp:
(WebCore::Grid::gridItemSpanIgnoringCollapsedTracks const):
(WebCore::GridIterator::GridIterator):
(WebCore::GridIterator::nextGridItem):
(WebCore::GridIterator::isEmptyAreaEnough const):
(WebCore::GridIterator::nextEmptyGridArea):
* Source/WebCore/rendering/Grid.h:

Originally-landed-as: 259548.376@safari-7615-branch (189d480c5fbd). 
rdar://105548703
Canonical link: https://commits.webkit.org/264420@main


[webkit-changes] [WebKit/WebKit] 9d7925: CDMPrivateFairPlayStreaming parsing of WebCore::IS...

2023-05-22 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9d792587594f2ea0714bdf233d63c6dbf7e060d1
  
https://github.com/WebKit/WebKit/commit/9d792587594f2ea0714bdf233d63c6dbf7e060d1
  Author: Arunsundar Kannan 
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
A LayoutTests/http/tests/media/fairplay/fps-init-data-cenc-oob-crash-expected.txt
A LayoutTests/http/tests/media/fairplay/fps-init-data-cenc-oob-crash.html
M Source/WebCore/platform/graphics/avfoundation/ISOFairPlayStreamingPsshBox.cpp

  Log Message:
  ---
  CDMPrivateFairPlayStreaming parsing of 
WebCore::ISOFairPlayStreamingKeyRequestInfoBox can trigger an OOB read.
https://bugs.webkit.org/show_bug.cgi?id=255075
rdar://103843976

Reviewed by Jer Noble.

ISOFairPlayStreamingKeyRequestInfoBox::parse is missing basic bounds checking before memcpy. This change adds the check.

* LayoutTests/http/tests/media/fairplay/fps-init-data-cenc-oob-crash-expected.txt: Added.
* LayoutTests/http/tests/media/fairplay/fps-init-data-cenc-oob-crash.html: Added.
* Source/WebCore/platform/graphics/avfoundation/ISOFairPlayStreamingPsshBox.cpp:
(WebCore::ISOFairPlayStreamingKeyRequestInfoBox::parse):
(WebCore::ISOFairPlayStreamingKeyAssetIdBox::parse):
(WebCore::ISOFairPlayStreamingKeyContextBox::parse):

Originally-landed-as: 259548.588@safari-7615-branch (3f8875488cf5). 
rdar://103843976
Canonical link: https://commits.webkit.org/264369@main


[webkit-changes] [WebKit/WebKit] c31488: Potential OOB Read in ISOProtectionSystemSpecificH...

2023-05-22 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c31488496881035b30feee2217f4640a6c71e18b
  
https://github.com/WebKit/WebKit/commit/c31488496881035b30feee2217f4640a6c71e18b
  Author: Arunsundar Kannan 
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
M Source/WebCore/platform/graphics/iso/ISOProtectionSystemSpecificHeaderBox.cpp

  Log Message:
  ---
  Potential OOB Read in ISOProtectionSystemSpecificHeaderBox::parse(...).
https://bugs.webkit.org/show_bug.cgi?id=254931.
rdar://107441432

Reviewed by Jer Noble.

There is a potential OOB access in ISOProtectionSystemSpecificHeaderBox::parse 
when we do memcpy without a bounds check. This adds a bounds check to prevent 
such access.

* Source/WebCore/platform/graphics/iso/ISOProtectionSystemSpecificHeaderBox.cpp:
(WebCore::ISOProtectionSystemSpecificHeaderBox::parse):

Originally-landed-as: 259548.574@safari-7615-branch (0c76eb21f2d8). 
rdar://107441432
Canonical link: https://commits.webkit.org/264367@main


[webkit-changes] [WebKit/WebKit] 5c059a: CDMPrivateFairPlayStreaming parsing of WebCore::IS...

2023-05-22 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5c059ab32c26d642874354e3be0f8802d8e71e1b
  
https://github.com/WebKit/WebKit/commit/5c059ab32c26d642874354e3be0f8802d8e71e1b
  Author: Arunsundar Kannan 
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
A LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash-expected.txt
A LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash.html
M Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.cpp

  Log Message:
  ---
  CDMPrivateFairPlayStreaming parsing of WebCore::ISOTrackEncryptionBox can 
lead to a heap-buffer-overflow.
https://bugs.webkit.org/show_bug.cgi?id=254781.
rdar://103849722

Reviewed by Jer Noble.

WebCore::ISOTrackEncryptionBox::parse() is missing basic bounds checking before memcpy. This change adds the check.

* LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash-expected.txt: Added.
* LayoutTests/http/tests/media/fairplay/fps-init-data-sinf-oob-crash.html: Added.
* Source/WebCore/platform/graphics/iso/ISOTrackEncryptionBox.cpp:
(WebCore::ISOTrackEncryptionBox::parse):

Originally-landed-as: 259548.536@safari-7615-branch (8320a5247c74). 
rdar://103849722
Canonical link: https://commits.webkit.org/264364@main
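
Editor's added example (not WebKit code and not part of any commit in this digest): the three FairPlay/ISO box fixes above (ISOFairPlayStreamingKeyRequestInfoBox, ISOProtectionSystemSpecificHeaderBox, ISOTrackEncryptionBox) each add a bounds check before a memcpy whose length comes from the parsed data, and the SharedVideoFrameInfo::storageSize fix earlier on this page replaces wrapping size arithmetic with safeMultiply/safeAdd so an overflow fails decoding instead of shrinking the computed size. The parser below shows both patterns together on a hypothetical, constructed box layout (uint32 entryCount, uint32 entrySize, then entryCount * entrySize payload bytes). The layout, checkedMul32/checkedAdd32 and every function name here are assumptions for illustration; they are stand-ins for WTF's checked-arithmetic helpers, not their real signatures.

```cpp
// Added example, not WebKit code: a minimal length-prefixed box parser that
// applies two defensive patterns from the commits above: overflow-checked size
// arithmetic and a bounds check against the real buffer before any memcpy.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Hypothetical wire layout used for this example (constructed, not a real ISO box):
//   uint32 entryCount | uint32 entrySize | entryCount * entrySize payload bytes
struct ParsedBox {
    uint32_t entryCount = 0;
    uint32_t entrySize = 0;
    std::vector<uint8_t> payload;
};

// Checked 32-bit arithmetic. These are stand-ins for the safeMultiply/safeAdd
// helpers the SharedVideoFrameInfo fix mentions; the real WTF helpers differ.
static std::optional<uint32_t> checkedMul32(uint32_t a, uint32_t b) {
    uint64_t wide = static_cast<uint64_t>(a) * b;
    if (wide > UINT32_MAX) return std::nullopt;
    return static_cast<uint32_t>(wide);
}

static std::optional<uint32_t> checkedAdd32(uint32_t a, uint32_t b) {
    if (b > UINT32_MAX - a) return std::nullopt;
    return a + b;
}

static uint32_t readBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

static const size_t kHeaderSize = 8;

// Before-fix shape: the size is computed with wrapping uint32_t arithmetic, so a
// huge entryCount * entrySize can wrap to a small value, pass the length check,
// and a later per-entry memcpy loop walks off the end of the buffer. This
// function only reports the size it would have accepted; it performs no copy.
static std::optional<uint32_t> payloadSizeAcceptedUnchecked(const uint8_t* data, size_t length) {
    if (length < kHeaderSize) return std::nullopt;
    uint32_t entryCount = readBE32(data);
    uint32_t entrySize = readBE32(data + 4);
    uint32_t total = entryCount * entrySize;            // wraps silently on overflow
    if (total > length - kHeaderSize) return std::nullopt;
    return total;                                        // 0 for a 2^32-byte claim
}

// Fixed shape: every arithmetic step is checked, and the declared payload is
// compared against the bytes actually present before the memcpy runs.
static std::optional<ParsedBox> parseBox(const uint8_t* data, size_t length) {
    if (length < kHeaderSize) return std::nullopt;
    ParsedBox box;
    box.entryCount = readBE32(data);
    box.entrySize = readBE32(data + 4);

    auto payloadSize = checkedMul32(box.entryCount, box.entrySize);
    if (!payloadSize) return std::nullopt;               // overflow: reject, never wrap
    auto storageSize = checkedAdd32(*payloadSize, static_cast<uint32_t>(kHeaderSize));
    if (!storageSize || *storageSize > length) return std::nullopt; // bounds check before memcpy

    box.payload.resize(*payloadSize);
    if (*payloadSize)
        std::memcpy(box.payload.data(), data + kHeaderSize, *payloadSize);
    return box;
}

// Builds a constructed test buffer with the given header fields and payload.
static std::vector<uint8_t> makeBox(uint32_t entryCount, uint32_t entrySize, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    for (uint32_t v : {entryCount, entrySize})
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(static_cast<uint8_t>(v >> shift));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}
```

Rejecting the box (returning nullopt) rather than clamping the size is the point: a clamped or wrapped size keeps the count fields inconsistent with the bytes that were actually copied, and any later loop over entryCount entries reintroduces the out-of-bounds read the check was meant to stop.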


[webkit-changes] [WebKit/WebKit] 9565d9: Null ptr deref in CSSStyleSheet::replaceSync.

2023-05-22 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9565d92681d724cfb509da570d98241ab6263272
  
https://github.com/WebKit/WebKit/commit/9565d92681d724cfb509da570d98241ab6263272
  Author: Arunsundar Kannan 
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref.html
M Source/WebCore/css/CSSStyleSheet.cpp

  Log Message:
  ---
  Null ptr deref in CSSStyleSheet::replaceSync.
https://bugs.webkit.org/show_bug.cgi?id=254727.
rdar://101629411.

Reviewed by Chris Dumez.

Added a null check in CSSStyleSheet::replaceSync to prevent a null deref.

* LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/css-stylesheet-replaceSync-null-deref.html: Added.
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::replaceSync):

Originally-landed-as: 259548.524@safari-7615-branch (a48f8590fa3e). 
rdar://101629411
Canonical link: https://commits.webkit.org/264358@main


[webkit-changes] [WebKit/WebKit] e357a6: Web content process crashes when mutating grid-tem...

2023-05-22 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e357a6a2cd384f7aa70e6aa4f2e552829e971b3c
  
https://github.com/WebKit/WebKit/commit/e357a6a2cd384f7aa70e6aa4f2e552829e971b3c
  Author: Arunsundar Kannan 
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
A LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns-expected.txt
A LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns.html
M Source/WebCore/rendering/RenderGrid.cpp

  Log Message:
  ---
  Web content process crashes when mutating grid-template-columns of subgrid 
parent grid.
https://bugs.webkit.org/show_bug.cgi?id=253916.
rdar://106458581.

Reviewed by Matt Woodrow.

After grid-template-columns of the subgrid's parent grid mutates, the needsItemsPlacement flag is not set for the subgrid's currentGrid. As a result, gridTracks for subgrids->currentGrid() don't undergo resizing, resulting in an OOB in copyUsedTrackSizesForSubgrid(). This change sets the needsItemsPlacement flag as needed.

* LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/GridtrackSizing-overflowon-mutating-grid-columns.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::placeItemsOnGrid):

Originally-landed-as: 259548.434@safari-7615-branch (54a21b4db4fa). 
rdar://106458581
Canonical link: https://commits.webkit.org/264346@main


[webkit-changes] [WebKit/WebKit] 967f74: Fix type confusion in StyleBuilderCustom::ApplyVal...

2023-05-08 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 967f74508a933d74938539523c1559ff2f08147c
  
https://github.com/WebKit/WebKit/commit/967f74508a933d74938539523c1559ff2f08147c
  Author: Arunsundar Kannan 
  Date:   2023-05-08 (Mon, 08 May 2023)

  Changed paths:
A LayoutTests/fast/css/style-builder-custom-apply-value-will-change-type-confusion-expected.txt
A LayoutTests/fast/css/style-builder-custom-apply-value-will-change-type-confusion.html
M Source/WebCore/style/StyleBuilderCustom.h

  Log Message:
  ---
  Fix type confusion in StyleBuilderCustom::ApplyValueWillChange.
https://bugs.webkit.org/show_bug.cgi?id=256053.
rdar://108502113.

Reviewed by Antti Koivisto.

This change fixes applyValueWillChange so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-builder-custom-apply-value-will-change-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-custom-apply-value-will-change-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderCustom.h:
(WebCore::Style::BuilderCustom::applyValueWillChange):

Canonical link: https://commits.webkit.org/263789@main


[webkit-changes] [WebKit/WebKit] 0875b5: Fix type confusion in StyleBuilderConverter::Conve...

2023-05-04 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0875b595b40e4c768aa706f8eb6a53f786676dd2
  
https://github.com/WebKit/WebKit/commit/0875b595b40e4c768aa706f8eb6a53f786676dd2
  Author: Arunsundar Kannan 
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
A LayoutTests/fast/css/style-converter-convert-shape-value-type-confusion-expected.txt
A LayoutTests/fast/css/style-converter-convert-shape-value-type-confusion.html
M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  ---
  Fix type confusion in StyleBuilderConverter::ConvertShapeValue.
https://bugs.webkit.org/show_bug.cgi?id=256049.
rdar://108502377.

Reviewed by Antti Koivisto.

This change fixes convertShapeValue so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-converter-convert-shape-value-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-converter-convert-shape-value-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertShapeValue):

Canonical link: https://commits.webkit.org/263679@main


[webkit-changes] [WebKit/WebKit] bf05a6: HTMLFormControlElement::popoverTargetElement() is ...

2023-04-26 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bf05a6ed90f856bf3a59b7ab4dd1dd7f14514aa8
  
https://github.com/WebKit/WebKit/commit/bf05a6ed90f856bf3a59b7ab4dd1dd7f14514aa8
  Author: Arunsundar Kannan 
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
M Source/WebCore/html/HTMLFormControlElement.cpp

  Log Message:
  ---
  HTMLFormControlElement::popoverTargetElement() is broken when popover 
preference is disabled.
https://bugs.webkit.org/show_bug.cgi?id=255889.
rdar://108472734.

Reviewed by Tim Nguyen.

HTMLFormControlElement::popoverTargetElement() fails an assertion for availability of the popover target attribute. This change checks if popoverAttribute is enabled and bails if it is not.

* Source/WebCore/html/HTMLFormControlElement.cpp:
(WebCore::HTMLFormControlElement::popoverTargetElement const):

Canonical link: https://commits.webkit.org/263417@main


[webkit-changes] [WebKit/WebKit] 65e007: ASSERTION FAILED: areEssentiallyEqual(rendererMapp...

2023-04-21 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 65e007731e39595663e9ccbbe216c21de0b6c8d8
  
https://github.com/WebKit/WebKit/commit/65e007731e39595663e9ccbbe216c21de0b6c8d8
  Author: Arunsundar Kannan 
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
A LayoutTests/fast/layers/accumulated-offset-overflow-Render-geometry-map-expected.txt
A LayoutTests/fast/layers/accumulated-offset-overflow-Render-geometry-map.html
M Source/WebCore/rendering/RenderGeometryMap.cpp

  Log Message:
  ---
  ASSERTION FAILED: areEssentiallyEqual(rendererMappedResult, result) in 
rendergeometrymap::mapToContainer.
https://bugs.webkit.org/show_bug.cgi?id=255686.
rdar://108285849.

Reviewed by Simon Fraser.

TransformState::translateMappedCoordinates uses accumulatedOffsets to calculate the layout size in RenderGeometryMap. This calculation fails a sanity check later as the accumulated offset overflows and saturates. Added a check to fix that.

* LayoutTests/fast/layers/accumulated-offset-overflow-Render-geometry-map-expected.txt: Added.
* LayoutTests/fast/layers/accumulated-offset-overflow-Render-geometry-map.html: Added.
* Source/WebCore/rendering/RenderGeometryMap.cpp:
(WebCore::RenderGeometryMap::mapToContainer const):

Canonical link: https://commits.webkit.org/263257@main


[webkit-changes] [WebKit/WebKit] 9f5775: Remove smart pointer violation in NetworkContentRu...

2023-03-28 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9f577500830e979799eb12ab38c9a88a2322d0bf
  
https://github.com/WebKit/WebKit/commit/9f577500830e979799eb12ab38c9a88a2322d0bf
  Author: Arunsundar Kannan 
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
M Source/WebKit/NetworkProcess/CustomProtocols/LegacyCustomProtocolManager.cpp
M Source/WebKit/NetworkProcess/CustomProtocols/LegacyCustomProtocolManager.h
M Source/WebKit/NetworkProcess/NetworkContentRuleListManager.cpp
M Source/WebKit/NetworkProcess/NetworkContentRuleListManager.h
M Source/WebKit/NetworkProcess/NetworkProcess.h

  Log Message:
  ---
  Remove smart pointer violation in NetworkContentRuleListManager, 
LegacyCustomProtocolManager.
https://bugs.webkit.org/show_bug.cgi?id=254500.
rdar://107255403.

Reviewed by Chris Dumez.

m_process is using raw references; this change uses WTF::Ref.

* Source/WebKit/NetworkProcess/CustomProtocols/LegacyCustomProtocolManager.cpp:
(WebKit::LegacyCustomProtocolManager::LegacyCustomProtocolManager):
(WebKit::LegacyCustomProtocolManager::startLoading):
(WebKit::LegacyCustomProtocolManager::stopLoading):
* Source/WebKit/NetworkProcess/CustomProtocols/LegacyCustomProtocolManager.h:
* Source/WebKit/NetworkProcess/NetworkContentRuleListManager.cpp:
(WebKit::NetworkContentRuleListManager::contentExtensionsBackend):
* Source/WebKit/NetworkProcess/NetworkContentRuleListManager.h:

Canonical link: https://commits.webkit.org/262240@main


[webkit-changes] [WebKit/WebKit] ad9f18: Remove use of raw pointers in cachedResourceLoader...

2023-03-28 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ad9f1876e28f6497dfe297d81d3f396efef6b7dc
  
https://github.com/WebKit/WebKit/commit/ad9f1876e28f6497dfe297d81d3f396efef6b7dc
  Author: Arunsundar Kannan 
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
M Source/WebCore/loader/ApplicationManifestLoader.cpp
M Source/WebCore/loader/ApplicationManifestLoader.h
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Source/WebCore/loader/cache/CachedResourceLoader.h
M Source/WebCore/loader/icon/IconLoader.cpp
M Source/WebCore/loader/icon/IconLoader.h

  Log Message:
  ---
  Remove use of raw pointers in cachedResourceLoader class, IconLoader, 
ApplicationManifestLoader.
https://bugs.webkit.org/show_bug.cgi?id=254437.
rdar://107196321.

Reviewed by Chris Dumez.

Changed the m_documentLoader ivar to CheckedPtr/CheckedRef instead of a raw pointer.

* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
(WebCore::CachedResourceLoader::clearDocumentLoader):
(WebCore::CachedResourceLoader::loadDone):
* Source/WebCore/loader/cache/CachedResourceLoader.h:
(WebCore::CachedResourceLoader::clearDocumentLoader): Deleted.

Canonical link: https://commits.webkit.org/262238@main


[webkit-changes] [WebKit/WebKit] 0ba2b3: Attribute change results in assertion failure chec...

2023-02-09 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0ba2b3fa758f25392de776de7f044a466ca397c2
  
https://github.com/WebKit/WebKit/commit/0ba2b3fa758f25392de776de7f044a466ca397c2
  Author: Arunsundar Kannan 
  Date:   2023-02-09 (Thu, 09 Feb 2023)

  Changed paths:
A LayoutTests/fast/html/parent-less-source-crash-type-change-expected.txt
A LayoutTests/fast/html/parent-less-source-crash-type-change.html
M Source/WebCore/html/HTMLSourceElement.cpp

  Log Message:
  ---
  Attribute change results in assertion failure checking for parent node for a 
parent less element.
https://bugs.webkit.org/show_bug.cgi?id=251888
rdar://104819364

Reviewed by Ryosuke Niwa.

This change sets 'm_shouldCallSourcesChanged' to false after the parentNode is 
disassociated from the Node in question. This will avoid the call that leads to 
the crash.

* LayoutTests/fast/html/parent-less-source-crash-type-change-expected.txt: Added.
* LayoutTests/fast/html/parent-less-source-crash-type-change.html: Added.
* Source/WebCore/dom/ContainerNodeAlgorithms.cpp:
(WebCore::removeDetachedChildrenInContainer):
* Source/WebCore/html/HTMLSourceElement.cpp:
(WebCore::HTMLSourceElement::setShouldCallSourcesChanged):
* Source/WebCore/html/HTMLSourceElement.h:

Canonical link: https://commits.webkit.org/260072@main


[webkit-changes] [WebKit/WebKit] 9238da: Cherry-pick 256338@main (1428865fbb25). rdar://101...

2023-01-30 Thread Arunsundar Kannan
  Branch: refs/heads/safari-7615-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 9238da6bab485f543030f60efbfff8bc6438e939
  
https://github.com/WebKit/WebKit/commit/9238da6bab485f543030f60efbfff8bc6438e939
  Author: Jonathan Bedard 
  Date:   2022-11-10 (Thu, 10 Nov 2022)

  Changed paths:
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py

  Log Message:
  ---
  Cherry-pick 256338@main (1428865fbb25). rdar://101932575

[git-webkit] Improve logging when automatically determining target remote
https://bugs.webkit.org/show_bug.cgi?id=247459
rdar://101932575

Reviewed by Aakash Jain.

* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.pull_request_branch_point):

Canonical link: https://commits.webkit.org/256338@main

Canonical link: https://commits.webkit.org/252432.805@safari-7614-branch


  Commit: a09205d980f61ca2bc0ee8a5ee14e6d3e67632d9
  
https://github.com/WebKit/WebKit/commit/a09205d980f61ca2bc0ee8a5ee14e6d3e67632d9
  Author: Chris Dumez 
  Date:   2022-11-10 (Thu, 10 Nov 2022)

  Changed paths:
A LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash-expected.txt
A LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash.html
M Source/WebCore/html/HTMLInputElement.cpp

  Log Message:
  ---
  Assertion hit under IdTargetObserverRegistry::notifyObservers()
https://bugs.webkit.org/show_bug.cgi?id=247592
rdar://101454107

Reviewed by Aditya Keerthi, Wenson Hsieh and Geoffrey Garen.

ListAttributeTargetObserver::idTargetChanged() is not safe to re-enter. As a result, we have an assertion and a runtime check to protect against this. However, it was still possible to hit this assertion in debug.

ListAttributeTargetObserver::idTargetChanged() would call
TextFieldInputType::dataListMayHaveChanged() which could run script by calling
createDataListDropdownIndicator(). The script could then change the datalist
element's id, which would attempt to re-enter.

This patch addresses the issue by calling dataListMayHaveChanged() asynchronously.

* LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash-expected.txt: Added.
* LayoutTests/fast/forms/datalist/datalist-idTargetChanged-crash.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::ListAttributeTargetObserver::idTargetChanged):

Canonical link: https://commits.webkit.org/252432.806@safari-7614-branch


  Commit: 03faecd515d8b3dc6d43f29794e66620e783ca5c
  
https://github.com/WebKit/WebKit/commit/03faecd515d8b3dc6d43f29794e66620e783ca5c
  Author: Chris Dumez 
  Date:   2022-11-10 (Thu, 10 Nov 2022)

  Changed paths:
A LayoutTests/fast/workers/terminate-worker-with-event-listener-crash-expected.txt
A LayoutTests/fast/workers/terminate-worker-with-event-listener-crash.html
M LayoutTests/imported/w3c/web-platform-tests/workers/WorkerGlobalScope_ErrorEvent_colno-expected.txt
M Source/WebCore/Modules/indexeddb/IDBDatabase.cpp
M Source/WebCore/Modules/indexeddb/IDBRequest.cpp
M Source/WebCore/Modules/indexeddb/IDBTransaction.cpp
M Source/WebCore/animation/WebAnimation.cpp
M Source/WebCore/animation/WebAnimation.h
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/dom/EventTarget.cpp
M Source/WebCore/dom/ScriptExecutionContext.cpp
M Source/WebCore/dom/ScriptExecutionContext.h
M Source/WebCore/history/CachedFrame.cpp
M Source/WebCore/workers/WorkerGlobalScope.cpp
M Source/WebCore/workers/WorkerGlobalScope.h
M Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp
M Source/WebCore/workers/service/ServiceWorker.cpp
M Source/WebCore/workers/service/ServiceWorkerContainer.cpp
M Source/WebCore/workers/service/ServiceWorkerRegistration.cpp
M Source/WebCore/workers/service/ServiceWorkerRegistration.h

  Log Message:
  ---
  Heap use-after-free in DOMWrapperWorld::~DOMWrapperWorld
https://bugs.webkit.org/show_bug.cgi?id=246022
rdar://100763856

Reviewed by Ryosuke Niwa.

DOMWrapperWorld is not expected to outlive its associated JSVMClientData.
There is an assertion inside ~JSVMClientData() to guard against this, which was
getting hit when running the included test.

The reason for this is that the DedicatedWorkerGlobalScope had already prepared
for destruction and cleared its ScriptController. However, a JSEventListener
on a FontFaceSet object was staying around and keeping the DOMWrapperWorld alive
via a strong reference.

We normally try to protect against this by removing event listeners when the
script execution context is preparing for destruction. However, our logic to
do so was only removing event listeners that 

[webkit-changes] [WebKit/WebKit] 0675bb: Cherry-pick 252432.838@safari-7614-branch (6651709...

2023-01-24 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0675bbf6a5db80a0dbf04ae7a7485a09b056d032
  
https://github.com/WebKit/WebKit/commit/0675bbf6a5db80a0dbf04ae7a7485a09b056d032
  Author: Arunsundar Kannan 
  Date:   2023-01-24 (Tue, 24 Jan 2023)

  Changed paths:
A LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt
A LayoutTests/fast/forms/textfield-input-type-crash-onblur.html
M Source/WebCore/html/HTMLInputElement.cpp
M Source/WebCore/html/HTMLOptionElement.cpp
M Source/WebCore/html/TextFieldInputType.cpp

  Log Message:
  ---
  Cherry-pick 252432.838@safari-7614-branch (665170902bfa). rdar://104601528

UAF crash occurs during a style update when an older freed HTMLElement is accessed
https://bugs.webkit.org/show_bug.cgi?id=247389
rdar://101420898

Reviewed by Ryosuke Niwa and Ryan Haddad.

* LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt: Added.
* LayoutTests/fast/forms/textfield-input-type-crash-onblur.html: Added.
* Source/WebCore/html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::dataListMayHaveChanged):
* Source/WebCore/html/HTMLOptionElement.cpp:
(WebCore::HTMLOptionElement::childrenChanged):
* Source/WebCore/html/TextFieldInputType.cpp:
(WebCore::TextFieldInputType::createDataListDropdownIndicator):
(WebCore::TextFieldInputType::dataListMayHaveChanged):

Canonical link: https://commits.webkit.org/252432.838@safari-7614-branch

Canonical link: https://commits.webkit.org/259321@main


___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [WebKit/WebKit] 3de90c: Generate serializers for class LayoutRect, ScreenD...

2022-11-10 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3de90cce1c0256a072a3d55ffceca43bbc412fda
  
https://github.com/WebKit/WebKit/commit/3de90cce1c0256a072a3d55ffceca43bbc412fda
  Author: Arunsundar Kannan 
  Date:   2022-11-10 (Thu, 10 Nov 2022)

  Changed paths:
M Source/WebCore/Headers.cmake
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
M Source/WebCore/platform/MediaCapabilitiesDecodingInfo.h
M Source/WebCore/platform/MediaCapabilitiesEncodingInfo.h
M Source/WebCore/platform/MediaCapabilitiesInfo.h
M Source/WebCore/platform/graphics/LayoutRect.h
A Source/WebCore/platform/graphics/ScreenDataOverrides.h
M Source/WebCore/platform/graphics/VP9Utilities.h
M Source/WebCore/platform/mediastream/MediaStreamRequest.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  ---
  Generate serializers for class LayoutRect, ScreenDataOverrides, MediaCapabilitiesInfo, MediaStreamRequest
https://bugs.webkit.org/show_bug.cgi?id=247648
rdar://101308191

Reviewed by Alex Christensen.

* Source/WebCore/platform/MediaCapabilitiesInfo.h:
(WebCore::MediaCapabilitiesInfo::encode const): Deleted.
(WebCore::MediaCapabilitiesInfo::decode): Deleted.
* Source/WebCore/platform/graphics/LayoutRect.h:
(WebCore::LayoutRect::encode const): Deleted.
(WebCore::LayoutRect::decode): Deleted.
* Source/WebCore/platform/graphics/VP9Utilities.h:
(WebCore::ScreenDataOverrides::encode const): Deleted.
(WebCore::ScreenDataOverrides::decode): Deleted.
* Source/WebCore/platform/mediastream/MediaStreamRequest.h:
(WebCore::MediaStreamRequest::encode const): Deleted.
(WebCore::MediaStreamRequest::decode): Deleted.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Canonical link: https://commits.webkit.org/256545@main



[webkit-changes] [WebKit/WebKit] da5c9f: Add Arunsundar Kannan to contributors.json

2022-11-04 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: da5c9f236e59d353681445420784afc20ec2a954
  
https://github.com/WebKit/WebKit/commit/da5c9f236e59d353681445420784afc20ec2a954
  Author: Arunsundar Kannan 
  Date:   2022-11-04 (Fri, 04 Nov 2022)

  Changed paths:
M metadata/contributors.json

  Log Message:
  ---
  Add Arunsundar Kannan to contributors.json
https://bugs.webkit.org/show_bug.cgi?id=247439
rdar://101916303

Reviewed by Jonathan Bedard.

* metadata/contributors.json:

Canonical link: https://commits.webkit.org/256322@main



[webkit-changes] [WebKit/WebKit] 67c0cc: This ensures that the viewport anchor layer will b...

2022-10-26 Thread Arunsundar Kannan
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 67c0ccbbabbdad78541304fe936be3ef6bec10b9
  
https://github.com/WebKit/WebKit/commit/67c0ccbbabbdad78541304fe936be3ef6bec10b9
  Author: Arunsundar Kannan 
  Date:   2022-10-26 (Wed, 26 Oct 2022)

  Changed paths:
A LayoutTests/compositing/scrolling/fixed-style-with-rotation-expected.txt
A LayoutTests/compositing/scrolling/fixed-style-with-rotation.html
A LayoutTests/compositing/scrolling/sticky-style-with-rotation-expected.txt
A LayoutTests/compositing/scrolling/sticky-style-with-rotation.html
M Source/WebCore/rendering/RenderLayerCompositor.cpp

  Log Message:
  ---
  This ensures that the viewport anchor layer will be updated when updating compositing layers upon style change
https://bugs.webkit.org/show_bug.cgi?id=246890
rdar://99568474

Reviewed by Simon Fraser.

* LayoutTests/compositing/scrolling/fixed-style-with-rotation.html: Added.
* LayoutTests/compositing/scrolling/sticky-style-with-rotation.html: Added.
* Source/WebCore/rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::layerStyleChanged):

Canonical link: https://commits.webkit.org/256025@main

