[webkit-changes] [WebKit/WebKit] 4d2933: [JSC] Harden CustomGetterSetter by adding MethodTa...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 4d29332a09b0f3b17eff2d44f464dd8dff77cad0
      https://github.com/WebKit/WebKit/commit/4d29332a09b0f3b17eff2d44f464dd8dff77cad0
  Author: Alexey Shvayka
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/CustomGetterSetter.h

  Log Message:
  -----------
  [JSC] Harden CustomGetterSetter by adding MethodTable overrides that always crash
  https://bugs.webkit.org/show_bug.cgi?id=268897

  Reviewed by Mark Lam.

  Just like GetterSetter, CustomGetterSetter is never purposely exposed to userland code. However, to make exploitation of accidentally exposed CustomGetterSetter objects difficult, this patch implements MethodTable overrides that abort the program when reached, similar to GetterSetter.

  * Source/JavaScriptCore/runtime/CustomGetterSetter.h:
  (JSC::CustomGetterSetter::getOwnPropertySlot):
  (JSC::CustomGetterSetter::put):
  (JSC::CustomGetterSetter::putByIndex):
  (JSC::CustomGetterSetter::setPrototype):
  (JSC::CustomGetterSetter::defineOwnProperty):
  (JSC::CustomGetterSetter::deleteProperty):

  Originally-landed-as: 272448.523@safari-7618-branch (66d8614c41ca). rdar://128498125
  Canonical link: https://commits.webkit.org/279156@main

  Commit: b287b6cc9662e88415c7958132ab001431b35f9f
      https://github.com/WebKit/WebKit/commit/b287b6cc9662e88415c7958132ab001431b35f9f
  Author: Erica Li
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt
    A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html
    M Source/WebCore/platform/mediastream/MediaConstraints.cpp
    M Source/WebCore/platform/mediastream/MediaConstraints.h
    M Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp

  Log Message:
  -----------
  WTFCrashWithSecurityImplication in WebCore::RealtimeMediaSource::fitnessDistance
  https://bugs.webkit.org/show_bug.cgi?id=268800
  rdar://122105977

  Reviewed by Youenn Fablet.

  This is a short-term suggested fix to add an isValid check to MediaTrackConstraintSetMap to ensure each incoming constraint from the IPC call has the right MediaConstraintType.

  * LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt: Added.
  * LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html: Added.
  * Source/WebCore/platform/mediastream/MediaConstraints.cpp:
  (WebCore::MediaTrackConstraintSetMap::isValid const):
  * Source/WebCore/platform/mediastream/MediaConstraints.h:
  * Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp:
  (WebKit::UserMediaCaptureManagerProxy::createMediaSourceForCaptureDeviceWithConstraints):
  (WebKit::UserMediaCaptureManagerProxy::applyConstraints):

  Originally-landed-as: 272448.542@safari-7618-branch (01389d47b6ec). rdar://128498600
  Canonical link: https://commits.webkit.org/279157@main

Compare: https://github.com/WebKit/WebKit/compare/223c3b4280f0...b287b6cc9662

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] fd2cfc: ASAN_TRAP | WebCore::RenderObject::~RenderObject; ...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: fd2cfc0030266cf4914ed09116b2fbd745662985
      https://github.com/WebKit/WebKit/commit/fd2cfc0030266cf4914ed09116b2fbd745662985
  Author: Erica Li
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    A LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change-expected.txt
    A LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change.html
    M Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp

  Log Message:
  -----------
  ASAN_TRAP | WebCore::RenderObject::~RenderObject; WebCore::RenderInline::~RenderInline.
  https://bugs.webkit.org/show_bug.cgi?id=269667
  rdar://122491721

  Reviewed by Ryosuke Niwa and Chris Dumez.

  Reduce the scope of the CheckedPtr renderer in `SplitTextNodeContainingElementCommand::doApply`, as the following `splitElement` could destruct the renderer.

  * LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change-expected.txt: Added.
  * LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change.html: Added.
  * Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp:
  (WebCore::SplitTextNodeContainingElementCommand::doApply):

  Originally-landed-as: 272448.580@safari-7618-branch (3dc4ac46465e). rdar://128215842
  Canonical link: https://commits.webkit.org/278897@main

  Commit: 83a9a0ad6917ef3d6002b5123cc42d7dd847a9b6
      https://github.com/WebKit/WebKit/commit/83a9a0ad6917ef3d6002b5123cc42d7dd847a9b6
  Author: Erica Li
  Date:   2024-05-16 (Thu, 16 May 2024)

  Changed paths:
    M LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change.html

  Log Message:
  -----------
  Fix flaky splitText-crash-during-tear-down-renderers-after-slot-change.
  rdar://125264773

  Reviewed by Jonathan Bedard.

  Fix text difference on some release builds.

  * LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change.html:

  Originally-landed-as: 272448.780@safari-7618-branch (c57347c1c44f). rdar://128088552
  Canonical link: https://commits.webkit.org/278898@main

Compare: https://github.com/WebKit/WebKit/compare/4f5aa1a1182d...83a9a0ad6917
[webkit-changes] [WebKit/WebKit] 8251b5: ASAN_SEGV | WebCore::RenderFragmentedFlow::objectS...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 8251b5c26b6d9ddd3ac1268c2d8c7940094a49af
      https://github.com/WebKit/WebKit/commit/8251b5c26b6d9ddd3ac1268c2d8c7940094a49af
  Author: Erica Li
  Date:   2024-05-04 (Sat, 04 May 2024)

  Changed paths:
    A LayoutTests/fast/css-grid-layout/out-of-flow-positioned-dialog-showModal-crash-expected.txt
    A LayoutTests/fast/css-grid-layout/out-of-flow-positioned-dialog-showModal-crash.html
    M Source/WebCore/dom/FullscreenManager.cpp
    M Source/WebCore/html/HTMLDialogElement.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderElement.h

  Log Message:
  -----------
  ASAN_SEGV | WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment.
  rdar://125183911
  https://bugs.webkit.org/show_bug.cgi?id=272301

  Reviewed by Alan Baradlay.

  This is another case where we cannot detect a containing block change in styledid/willchange, like what was fixed in 266309@main; moved markRendererDirtyAfterTopLayerChange to Element as a common API which can be used by FullscreenManager and HTMLDialogElement.

  * LayoutTests/fast/css-grid-layout/out-of-flow-positioned-dialog-showModal-crash-expected.txt: Added.
  * LayoutTests/fast/css-grid-layout/out-of-flow-positioned-dialog-showModal-crash.html: Added.
  * Source/WebCore/dom/FullscreenManager.cpp:
  (WebCore::FullscreenManager::willEnterFullscreen):
  (WebCore::markRendererDirtyAfterTopLayerChange): Deleted.
  * Source/WebCore/html/HTMLDialogElement.cpp:
  (WebCore::HTMLDialogElement::showModal):
  * Source/WebCore/rendering/RenderBox.cpp:
  (WebCore::gridStyleHasNotChanged): mini refactoring to make the criteria look clearer.
  (WebCore::RenderBox::updateGridPositionAfterStyleChange):
  * Source/WebCore/rendering/RenderElement.cpp:
  (WebCore::RenderElement::markRendererDirtyAfterTopLayerChange):
  * Source/WebCore/rendering/RenderElement.h:

  Canonical link: https://commits.webkit.org/278372@main
[webkit-changes] [WebKit/WebKit] 93bde1: Cherry-pick 276925@main (59cedf7135bc). https://bu...
  Branch: refs/heads/webkitglib/2.44
  Home:   https://github.com/WebKit/WebKit

  Commit: 93bde17ed761f5de54726de83ced4959303794c6
      https://github.com/WebKit/WebKit/commit/93bde17ed761f5de54726de83ced4959303794c6
  Author: Abrar Rahman Protyasha
  Date:   2024-04-12 (Fri, 12 Apr 2024)

  Changed paths:
    M Source/WebCore/page/ViewportConfiguration.cpp
    M Source/WebCore/page/ViewportConfiguration.h

  Log Message:
  -----------
  Cherry-pick 276925@main (59cedf7135bc). https://bugs.webkit.org/show_bug.cgi?id=271962

      Linker error when logging ViewportConfiguration to TextStream in Release configuration
      https://bugs.webkit.org/show_bug.cgi?id=271962
      rdar://125713559

      Reviewed by Sihui Liu.

      WebCore::operator<<(WTF::TextStream&, WebCore::ViewConfiguration const&) is defined behind !LOG_DISABLED, which means in Release configuration, the linker cannot find this definition. This patch fixes the linker error by removing the relevant !LOG_DISABLED checks around both the operator<< overload definition and the description()/dump() declarations, since said methods are referenced by the operator<< overload.

      * Source/WebCore/page/ViewportConfiguration.cpp:
      (WebCore::ViewportConfiguration::setIsKnownToLayOutWiderThanViewport):
      (WebCore::ViewportConfiguration::dump const):
      * Source/WebCore/page/ViewportConfiguration.h:

      Canonical link: https://commits.webkit.org/276925@main

  Canonical link: https://commits.webkit.org/274313.133@webkitglib/2.44

  Commit: aff53249f2d491d082094a2aa57008c46e55d278
      https://github.com/WebKit/WebKit/commit/aff53249f2d491d082094a2aa57008c46e55d278
  Author: Erica Li
  Date:   2024-04-14 (Sun, 14 Apr 2024)

  Changed paths:
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  Cherry-pick 276379@main (d036679431a5). https://bugs.webkit.org/show_bug.cgi?id=271028

      ASAN_SEGV | WebCore::LocalFrame::injectUserScripts.
      rdar://124432384
      https://bugs.webkit.org/show_bug.cgi?id=271028

      Reviewed by Ryosuke Niwa.

      Frame might be detached early; null check before injectUserScripts from image document.

      * Source/WebCore/html/ImageDocument.cpp:
      (WebCore::ImageDocument::createDocumentStructure):

      Canonical link: https://commits.webkit.org/276379@main

  Canonical link: https://commits.webkit.org/274313.134@webkitglib/2.44

Compare: https://github.com/WebKit/WebKit/compare/8ce83c4bf224...aff53249f2d4
[webkit-changes] [WebKit/WebKit] bae2d5: Build failure when CHECKED_POINTER_DEBUG enabled.
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: bae2d58d0bf88b4579ffce62a51d107945fc4599
      https://github.com/WebKit/WebKit/commit/bae2d58d0bf88b4579ffce62a51d107945fc4599
  Author: Erica Li
  Date:   2024-04-10 (Wed, 10 Apr 2024)

  Changed paths:
    M Source/WebCore/Modules/speech/SpeechRecognitionCaptureSourceImpl.h
    M Source/WebCore/dom/PendingScriptClient.h
    M Source/WebCore/dom/ScriptRunner.h
    M Source/WebCore/dom/TreeScope.cpp
    M Source/WebCore/html/parser/HTMLDocumentParser.h
    M Source/WebCore/platform/cocoa/PlaybackSessionModel.h
    M Source/WebCore/platform/cocoa/VideoPresentationModel.h
    M Source/WebCore/platform/cocoa/WebAVPlayerLayer.mm
    M Source/WebCore/platform/graphics/cocoa/NullPlaybackSessionInterface.h
    M Source/WebCore/platform/graphics/cocoa/NullVideoPresentationInterface.h
    M Source/WebCore/platform/ios/PlaybackSessionInterfaceIOS.h
    M Source/WebCore/platform/ios/PlaybackSessionInterfaceIOS.mm
    M Source/WebCore/platform/ios/VideoPresentationInterfaceIOS.h
    M Source/WebCore/platform/ios/WebVideoFullscreenControllerAVKit.mm
    M Source/WebCore/platform/mac/PlaybackSessionInterfaceMac.h
    M Source/WebCore/platform/mac/PlaybackSessionInterfaceMac.mm
    M Source/WebCore/platform/mac/VideoPresentationInterfaceMac.h
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivate.h
    M Source/WebCore/platform/mediastream/AudioTrackPrivateMediaStream.h
    M Source/WebCore/platform/mediastream/RealtimeMediaSource.h
    M Source/WebCore/platform/mediastream/mac/MediaStreamTrackAudioSourceProviderCocoa.h
    M Source/WebCore/platform/mediastream/mac/RealtimeOutgoingAudioSourceCocoa.h
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/xml/parser/XMLDocumentParser.h
    M Source/WebKit/NetworkProcess/Downloads/DownloadManager.h
    M Source/WebKit/NetworkProcess/NetworkProcess.h
    M Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm
    M Source/WebKit/WebProcess/Speech/SpeechRecognitionRealtimeMediaSourceManager.cpp
    M Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.h
    M Source/WebKit/WebProcess/cocoa/VideoPresentationManager.h

  Log Message:
  -----------
  Build failure when CHECKED_POINTER_DEBUG enabled.
  https://bugs.webkit.org/show_bug.cgi?id=272463
  rdar://126211299

  Reviewed by Chris Dumez.

  Fix the CHECKED_POINTER_DEBUG flag, which failed to build after 275125@main.

  * Source/WebCore/Modules/speech/SpeechRecognitionCaptureSourceImpl.h:
  * Source/WebCore/dom/PendingScriptClient.h:
  * Source/WebCore/dom/ScriptRunner.h:
  * Source/WebCore/dom/TreeScope.cpp:
  (WebCore::TreeScope::registerCheckedPtr const): Deleted.
  (WebCore::TreeScope::copyCheckedPtr const): Deleted.
  (WebCore::TreeScope::moveCheckedPtr const): Deleted.
  (WebCore::TreeScope::unregisterCheckedPtr const): Deleted.
  * Source/WebCore/html/parser/HTMLDocumentParser.h:
  * Source/WebCore/platform/cocoa/PlaybackSessionModel.h:
  * Source/WebCore/platform/cocoa/VideoPresentationModel.h:
  * Source/WebCore/platform/cocoa/WebAVPlayerLayer.mm:
  * Source/WebCore/platform/graphics/cocoa/NullPlaybackSessionInterface.h:
  * Source/WebCore/platform/graphics/cocoa/NullVideoPresentationInterface.h:
  * Source/WebCore/platform/ios/PlaybackSessionInterfaceIOS.h:
  * Source/WebCore/platform/ios/PlaybackSessionInterfaceIOS.mm:
  (WebCore::PlaybackSessionInterfaceIOS::registerCheckedPtr const):
  (WebCore::PlaybackSessionInterfaceIOS::copyCheckedPtr const):
  (WebCore::PlaybackSessionInterfaceIOS::moveCheckedPtr const):
  (WebCore::PlaybackSessionInterfaceIOS::unregisterCheckedPtr const):
  * Source/WebCore/platform/ios/VideoPresentationInterfaceIOS.h:
  * Source/WebCore/platform/ios/WebVideoFullscreenControllerAVKit.mm:
  * Source/WebCore/platform/mac/PlaybackSessionInterfaceMac.h:
  * Source/WebCore/platform/mac/PlaybackSessionInterfaceMac.mm:
  (WebCore::PlaybackSessionInterfaceMac::registerCheckedPtr const):
  (WebCore::PlaybackSessionInterfaceMac::copyCheckedPtr const):
  (WebCore::PlaybackSessionInterfaceMac::moveCheckedPtr const):
  (WebCore::PlaybackSessionInterfaceMac::unregisterCheckedPtr const):
  * Source/WebCore/platform/mac/VideoPresentationInterfaceMac.h:
  * Source/WebCore/platform/mediarecorder/MediaRecorderPrivate.h:
  * Source/WebCore/platform/mediastream/AudioTrackPrivateMediaStream.h:
  * Source/WebCore/platform/mediastream/RealtimeMediaSource.h:
  * Source/WebCore/platform/mediastream/mac/MediaStreamTrackAudioSourceProviderCocoa.h:
  * Source/WebCore/platform/mediastream/mac/RealtimeOutgoingAudioSourceCocoa.h:
  * Source/WebCore/testing/Internals.h:
  * Source/WebCore/xml/parser/XMLDocumentParser.h:
  * Source/WebKit/NetworkProcess/Downloads/DownloadManager.h:
  * Source/WebKit/NetworkProcess/NetworkProcess.h:
  * Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp:
  * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm:
  *
[webkit-changes] [WebKit/WebKit] 16f147: Update Erica Li's status as committer.
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 16f147d06627e9accc8fa041ccc0f639b5c510cf
      https://github.com/WebKit/WebKit/commit/16f147d06627e9accc8fa041ccc0f639b5c510cf
  Author: Erica Li
  Date:   2024-03-21 (Thu, 21 Mar 2024)

  Changed paths:
    M metadata/contributors.json

  Log Message:
  -----------
  Update Erica Li's status as committer.
  https://bugs.webkit.org/show_bug.cgi?id=271446
  rdar://125214242

  Reviewed by John Wilander.

  Update status for lerica.

  * metadata/contributors.json:

  Canonical link: https://commits.webkit.org/276533@main
[webkit-changes] [WebKit/WebKit] 81b0d4: ASAN_SEGV | Hard null deref |LayoutIntegration::Bo...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 81b0d446a83d8bab20a4244d95b8885a53d81ad5
      https://github.com/WebKit/WebKit/commit/81b0d446a83d8bab20a4244d95b8885a53d81ad5
  Author: Erica Li
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt
    A LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html
    M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  ASAN_SEGV | Hard null deref | LayoutIntegration::BoxTree::layoutBoxForRenderer; LayoutIntegration::LineLayout::enclosingBorderBoxRectFor; WebCore::RenderInline::linesBoundingBox.
  https://bugs.webkit.org/show_bug.cgi?id=266567
  rdar://114586645

  Reviewed by Alan Baradlay.

  Similar to 107979394, apply handling for repainting a freshly inserted sticky inline box.

  * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash-expected.txt: Added.
  * LayoutTests/fast/inline/sticky-inline-box-invalidation-repaint-crash.html: Added.
  * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt: re-baseline for rdar://119187070.
  * Source/WebCore/rendering/RenderInline.cpp:
  (WebCore::RenderInline::linesBoundingBox const):

  Originally-landed-as: 272448.75@safari-7618-branch (2534e02e1983). rdar://124556813
  Canonical link: https://commits.webkit.org/276404@main
[webkit-changes] [WebKit/WebKit] d03667: ASAN_SEGV | WebCore::LocalFrame::injectUserScripts.
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: d036679431a5a508b0a2ec21de6731219dd41229
      https://github.com/WebKit/WebKit/commit/d036679431a5a508b0a2ec21de6731219dd41229
  Author: Erica Li
  Date:   2024-03-19 (Tue, 19 Mar 2024)

  Changed paths:
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  ASAN_SEGV | WebCore::LocalFrame::injectUserScripts.
  rdar://124432384
  https://bugs.webkit.org/show_bug.cgi?id=271028

  Reviewed by Ryosuke Niwa.

  Frame might be detached early; null check before injectUserScripts from image document.

  * Source/WebCore/html/ImageDocument.cpp:
  (WebCore::ImageDocument::createDocumentStructure):

  Canonical link: https://commits.webkit.org/276379@main
[webkit-changes] [WebKit/WebKit] e644c8: Align criteria for isAlignedForUnder.
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: e644c808ec390094ac7cc6701b45156ad6ef38e5
      https://github.com/WebKit/WebKit/commit/e644c808ec390094ac7cc6701b45156ad6ef38e5
  Author: Erica Li
  Date:   2024-03-06 (Wed, 06 Mar 2024)

  Changed paths:
    A LayoutTests/fast/css3-text/css3-text-decoration/text-underline-position/text-underline-position-auto-computed-underline-offset-crash-expected.txt
    A LayoutTests/fast/css3-text/css3-text-decoration/text-underline-position/text-underline-position-auto-computed-underline-offset-crash.html
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/style/InlineTextBoxStyle.cpp
    M Source/WebCore/style/InlineTextBoxStyle.h

  Log Message:
  -----------
  Align criteria for isAlignedForUnder.
  https://bugs.webkit.org/show_bug.cgi?id=270431

  Reviewed by Alan Baradlay.

  The criteria for isAlignedForUnder are not aligned between RenderStyle::changeAffectsVisualOverflow and isAlignedForUnder in InlineTextBoxStyle.

  * LayoutTests/fast/css3-text/css3-text-decoration/text-underline-position/text-underline-position-auto-computed-underline-offset-crash-expected.txt: Added.
  * LayoutTests/fast/css3-text/css3-text-decoration/text-underline-position/text-underline-position-auto-computed-underline-offset-crash.html: Added.
  * Source/WebCore/rendering/style/RenderStyle.cpp:
  (WebCore::RenderStyle::changeAffectsVisualOverflow const):
  * Source/WebCore/style/InlineTextBoxStyle.cpp:
  (WebCore::isAlignedForUnder):
  * Source/WebCore/style/InlineTextBoxStyle.h:

  Canonical link: https://commits.webkit.org/275771@main
[webkit-changes] [WebKit/WebKit] bac31e: Null pointer dereference in WebCore::ImageDocument...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: bac31e80659aa2caacbacfbba84a4053e322ed6f
      https://github.com/WebKit/WebKit/commit/bac31e80659aa2caacbacfbba84a4053e322ed6f
  Author: Erica Li
  Date:   2024-02-29 (Thu, 29 Feb 2024)

  Changed paths:
    A LayoutTests/fast/images/imageDocument-appendBytes-crash-expected.txt
    A LayoutTests/fast/images/imageDocument-appendBytes-crash.html
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  Null pointer dereference in WebCore::ImageDocument::createDocumentStructure.
  https://bugs.webkit.org/show_bug.cgi?id=270283
  rdar://122779661

  Reviewed by Chris Dumez.

  Adding a null check to prevent the cases where the local frame would be detached during createDocumentStructure.

  * LayoutTests/fast/images/imageDocument-appendBytes-crash-expected.txt: Added.
  * LayoutTests/fast/images/imageDocument-appendBytes-crash.html: Added.
  * Source/WebCore/html/ImageDocument.cpp:
  (WebCore::ImageDocument::updateDuringParsing):
  (WebCore::ImageDocument::createDocumentStructure):

  Canonical link: https://commits.webkit.org/275537@main
[webkit-changes] [WebKit/WebKit] 7175cd: Deadlock under ~PluginView() with PDFPlugin.
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 7175cd9a22b4a115e8fc413db3fb759b193b0b80
      https://github.com/WebKit/WebKit/commit/7175cd9a22b4a115e8fc413db3fb759b193b0b80
  Author: Erica Li
  Date:   2024-02-14 (Wed, 14 Feb 2024)

  Changed paths:
    A LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction-expected.txt
    A LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction.html
    M Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.h
    M Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.mm
    M Source/WebKit/WebProcess/Plugins/PDF/PDFPluginBase.h

  Log Message:
  -----------
  Deadlock under ~PluginView() with PDFPlugin.
  rdar://108489643
  https://bugs.webkit.org/show_bug.cgi?id=268536

  Reviewed by Simon Fraser.

  dataProviderGetBytesAtPosition might be invoked recursively from CG, and it highly increased the possibility when the main runloop is destructing the PDFPlugin, while another main runloop is dispatched from dataProviderGetBytesAtPosition and does not get a chance to signal the semaphore as it is waiting for the current runloop to finish, which causes a deadlock. This change is to stop dispatching the main runloop when the plugin has been destroyed and to signal the semaphore before the main thread calls waitForCompletion for m_pdfThread.

  * LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction-expected.txt: Added.
  * LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction.html: Added.
  * Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.h:
  * Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.mm:
  (WebKit::PDFIncrementalLoader::clear):
  (WebKit::PDFIncrementalLoader::dataProviderGetBytesAtPosition):
  * Source/WebKit/WebProcess/Plugins/PDF/PDFPluginBase.h:
  (WebKit::PDFPluginBase::hasBeenDestroyed const):

  Canonical link: https://commits.webkit.org/274694@main
[webkit-changes] [WebKit/WebKit] 89a06f: Deadlock under ~PluginView() with PDFPlugin.
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 89a06fec3aed7311462e7614afa571d3babf4aef
      https://github.com/WebKit/WebKit/commit/89a06fec3aed7311462e7614afa571d3babf4aef
  Author: Erica Li
  Date:   2024-02-02 (Fri, 02 Feb 2024)

  Changed paths:
    A LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction-expected.txt
    A LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction.html
    M Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.h
    M Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.mm

  Log Message:
  -----------
  Deadlock under ~PluginView() with PDFPlugin.
  rdar://108489643
  https://bugs.webkit.org/show_bug.cgi?id=268536

  Reviewed by Simon Fraser.

  dataProviderGetBytesAtPosition might be invoked recursively from CG, and it highly increased the possibility when the main runloop is destructing the PDFPlugin, while another main runloop is dispatched from dataProviderGetBytesAtPosition and does not get a chance to signal the semaphore as it is waiting for the current runloop to finish, which causes a deadlock. This change is to stop dispatching the main runloop when the document has finished loading and to signal the semaphore before the main thread calls waitForCompletion for m_pdfThread.

  * LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction-expected.txt: Added.
  * LayoutTests/compositing/plugins/pdf/pdf-plugin-hang-during-destruction.html: Added.
  * Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.h:
  * Source/WebKit/WebProcess/Plugins/PDF/PDFIncrementalLoader.mm:
  (WebKit::PDFIncrementalLoader::clear):
  (WebKit::PDFIncrementalLoader::dataProviderGetBytesAtPosition):

  Canonical link: https://commits.webkit.org/273988@main
[webkit-changes] [WebKit/WebKit] 5d81c0: Sync rebaseline change to main: [iOS17]dynamic-chi...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 5d81c0c6a572c9a077cde53f493474d7e69a2df1
      https://github.com/WebKit/WebKit/commit/5d81c0c6a572c9a077cde53f493474d7e69a2df1
  Author: Erica Li
  Date:   2024-01-31 (Wed, 31 Jan 2024)

  Changed paths:
    M LayoutTests/platform/ios-wk2/TestExpectations
    M LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt

  Log Message:
  -----------
  Sync rebaseline change to main: [iOS17] dynamic-childlist-002.html
  rdar://121931010
  https://bugs.webkit.org/show_bug.cgi?id=268382

  Reviewed by Anne van Kesteren.

  Unmark test expectation and rebaseline dynamic-childlist-002.html for ios-wk2.

  * LayoutTests/platform/ios-wk2/TestExpectations:
  * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/mathml/relations/html5-tree/dynamic-childlist-002-expected.txt:

  Canonical link: https://commits.webkit.org/273816@main
[webkit-changes] [WebKit/WebKit] 580e58: [72857589b8bce60e] ASAN_ILL | WebCore::TreeScopeOr...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: 580e5844c227041f4e3dc3356948a9568a3b6d15
      https://github.com/WebKit/WebKit/commit/580e5844c227041f4e3dc3356948a9568a3b6d15
  Author: Erica Li
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt
    A LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html
    M Source/WebCore/svg/SVGAnimateMotionElement.cpp
    M Source/WebCore/svg/SVGAnimateMotionElement.h
    M Source/WebCore/svg/SVGMPathElement.cpp
    M Source/WebCore/svg/SVGMPathElement.h

  Log Message:
  -----------
  [72857589b8bce60e] ASAN_ILL | WebCore::TreeScopeOrderedMap::getElementById; WebCore::TreeScope::getElementById; WebCore::SVGURIReference::targetElementFromIRIString.
  https://bugs.webkit.org/show_bug.cgi?id=265562
  rdar://118513775

  Reviewed by Chris Dumez.

  updateAnimationPath should be done after the tree scope is fully updated.

  * LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash-expected.txt: Added.
  * LayoutTests/fast/shadow-dom/svg-mpath-removed-from-ancestor-crash.html: Added.
  * Source/WebCore/svg/SVGAnimateMotionElement.cpp:
  (WebCore::SVGAnimateMotionElement::childrenChanged):
  * Source/WebCore/svg/SVGAnimateMotionElement.h:
  * Source/WebCore/svg/SVGMPathElement.cpp:
  (WebCore::SVGMPathElement::removedFromAncestor):
  (WebCore::SVGMPathElement::targetPathChanged):
  (WebCore::SVGMPathElement::notifyParentOfPathChange): Deleted.
  * Source/WebCore/svg/SVGMPathElement.h:

  Originally-landed-as: 267815.611@safari-7617-branch (ca57f6a1de59). rdar://121480927
  Canonical link: https://commits.webkit.org/273473@main
[webkit-changes] [WebKit/WebKit] b46a8f: Use-after-free in processResponse in ServiceWorker...
  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit

  Commit: b46a8fcd809a9c84aa92538e942e1fa0c789ed27
      https://github.com/WebKit/WebKit/commit/b46a8fcd809a9c84aa92538e942e1fa0c789ed27
  Author: Youenn Fablet
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp

  Log Message:
  -----------
  Use-after-free in processResponse in ServiceWorkerFetch.cpp
  rdar://118039950

  Reviewed by Chris Dumez.

  Cancelling the stream can trigger GC when creating the DOMException JS wrapper. This might collect the FetchResponse object. To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.

  * Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
  (WebCore::ServiceWorkerFetch::processResponse):

  Originally-landed-as: 267815.569@safari-7617-branch (5ebdf97c0a26). rdar://121481543
  Canonical link: https://commits.webkit.org/273420@main

  Commit: dc6de2647a918167eeaf607fb54ca0f651b32979
      https://github.com/WebKit/WebKit/commit/dc6de2647a918167eeaf607fb54ca0f651b32979
  Author: Claudio Saavedra
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt
    A LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html
    M Source/WebCore/dom/ContainerNode.cpp

  Log Message:
  -----------
  DOM: Make sure to set tree scope during parser insertion
  https://bugs.webkit.org/show_bug.cgi?id=263178
  rdar://116715621

  Reviewed by Ryosuke Niwa.

  It is possible for an element to be reparented, e.g., to a shadow tree before parsing has finished, so we need to make sure to set the correct tree scope for a new element during parser insertion; otherwise it might end up associated with the wrong tree scope.

  * LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting-expected.txt: Added.
  * LayoutTests/fast/parser/parser-insertion-after-shadow-reparenting.html: Added.
  * Source/WebCore/dom/ContainerNode.cpp:
  (WebCore::ContainerNode::parserInsertBefore):

  Originally-landed-as: 268451.4@webkit-2023.9-embargoed (f554230ef55f). rdar://121481452
  Canonical link: https://commits.webkit.org/273421@main

  Commit: 0023fa29b365fd4f1f7c79ff3bd84786e96a1ea9
      https://github.com/WebKit/WebKit/commit/0023fa29b365fd4f1f7c79ff3bd84786e96a1ea9
  Author: Kimmo Kinnunen
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm

  Log Message:
  -----------
  GraphicsContextGLCocoa::setDrawingBufferColorSpace is missing makeContextCurrent()
  https://bugs.webkit.org/show_bug.cgi?id=265129
  rdar://118650182

  Reviewed by Dan Glastonbury.

  All public API entrypoints in GraphicsContextGLANGLE should call makeContextCurrent().

  * Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
  (WebCore::GraphicsContextGLCocoa::setDrawingBufferColorSpace):

  Originally-landed-as: 267815.586@safari-7617-branch (e408ece1b8a7). rdar://121481426
  Canonical link: https://commits.webkit.org/273422@main

  Commit: f0b62299b0c73fae19a498524298a672479afdf9
      https://github.com/WebKit/WebKit/commit/f0b62299b0c73fae19a498524298a672479afdf9
  Author: Kimmo Kinnunen
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp
    M Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp

  Log Message:
  -----------
  ANGLE eglBindTexImage ASSERT when overwriting a binding
  https://bugs.webkit.org/show_bug.cgi?id=265127
  rdar://118649807

  Reviewed by Dan Glastonbury.

  glBindTexture(GL_TEXTURE_2D, tex);
  eglBindTexImage(.., pbuffer, ...);
    - Would set the Surface::mBoundTexture of pbuffer
    - Would set the Texture::mBoundSurface of tex
  eglBindTexImage(.., pbuffer2, ...);
    - Would set the Surface::mBoundTexture of pbuffer2
    - Would set the Texture::mBoundSurface of tex
    - Would fail to unset Surface::mBoundTexture of pbuffer

  Fix by making the unset logic linear, avoiding the Surface -> Texture -> Surface call sequence.

  * Source/ThirdParty/ANGLE/src/libANGLE/Surface.cpp:
  (egl::Surface::bindTexImage):
  * Source/ThirdParty/ANGLE/src/libANGLE/Texture.cpp:
  (gl::Texture::bindTexImageFromSurface):
  * Source/ThirdParty/ANGLE/src/tests/gl_tests/PbufferTest.cpp:

  Originally-landed-as: 267815.587@safari-7617-branch (db3f6a7dbf33). rdar://121481385
  Canonical link: https://commits.webkit.org/273423@main

  Commit: 568df84631eb4f205057cb9634fa404e2787d08c
      https://github.com/WebKit/WebKit/commit/568df84631eb4f205057cb9634fa404e2787d08c
  Author: Erica Li
  Date:   2024-01-24 (Wed, 24 Jan 2024)

  Changed paths:
    A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash-expected.txt
    A LayoutTests/fast/text/line-break-after-whitespace-create-display-content-crash.html
    M
[webkit-changes] [WebKit/WebKit] c8a4c0: Fix svg-write-resources-null-maskImage-crash-expec...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c8a4c028a9e7cdade35b4a20cf7db8721c3b5b9b
    https://github.com/WebKit/WebKit/commit/c8a4c028a9e7cdade35b4a20cf7db8721c3b5b9b
Author: Erica Li
Date: 2024-01-22 (Mon, 22 Jan 2024)

Changed paths:
  M LayoutTests/svg/css/svg-write-resources-null-maskImage-crash-expected.html
  M LayoutTests/svg/css/svg-write-resources-null-maskImage-crash.html

Log Message:
---
Fix svg-write-resources-null-maskImage-crash-expected.html.
rdar://121162928

Reviewed by Tim Nguyen.

Removing and style attribute from expected file.

* LayoutTests/svg/css/svg-write-resources-null-maskImage-crash-expected.html:
* LayoutTests/svg/css/svg-write-resources-null-maskImage-crash.html:

Canonical link: https://commits.webkit.org/273345@main

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] bb8055: CrashOnOverflow::crash() in WebKit::RemoteLayerBac...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bb80551dbd88f20894255ac92baa7c438c6731c7
    https://github.com/WebKit/WebKit/commit/bb80551dbd88f20894255ac92baa7c438c6731c7
Author: Erica Li
Date: 2024-01-18 (Thu, 18 Jan 2024)

Changed paths:
  A LayoutTests/remote-layer-tree/image-buffer-backend-size-area-overflow-crash-expected.txt
  A LayoutTests/remote-layer-tree/image-buffer-backend-size-area-overflow-crash.html
  M Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp
  M Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm

Log Message:
---
CrashOnOverflow::crash() in WebKit::RemoteLayerBackingStore::supportsPartialRepaint() const + 0 (RemoteLayerBackingStore.mm:303).
https://bugs.webkit.org/show_bug.cgi?id=267635
rdar://120842299

Reviewed by Kimmo Kinnunen.

Adding overflow check to where ImageBuffer::calculateBackendSize is used to calculate area as it is not safe (casting FloatSize to IntSize).

* LayoutTests/remote-layer-tree/image-buffer-backend-size-area-overflow-crash-expected.txt: Added.
* LayoutTests/remote-layer-tree/image-buffer-backend-size-area-overflow-crash.html: Added.
* Source/WebKit/GPUProcess/graphics/RemoteRenderingBackend.cpp:
(WebKit::isSmallLayerBacking):
* Source/WebKit/Shared/RemoteLayerTree/RemoteLayerBackingStore.mm:
(WebKit::RemoteLayerBackingStore::supportsPartialRepaint const):

Canonical link: https://commits.webkit.org/273174@main
[webkit-changes] [WebKit/WebKit] a3c2ba: Accumulating offsets to handle fixed position cont...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a3c2ba9f9c71c4d54675a9d5ca88f0a739c0b967
    https://github.com/WebKit/WebKit/commit/a3c2ba9f9c71c4d54675a9d5ca88f0a739c0b967
Author: Erica Li
Date: 2024-01-17 (Wed, 17 Jan 2024)

Changed paths:
  A LayoutTests/fast/block/positioning/fixed-position-transform-related-container-expected.txt
  A LayoutTests/fast/block/positioning/fixed-position-transform-related-container.html
  M Source/WebCore/rendering/RenderLayer.cpp

Log Message:
---
Accumulating offsets to handle fixed position container has a transform-related property but not a transform.
https://bugs.webkit.org/show_bug.cgi?id=266976
rdar://120349843

Reviewed by Simon Fraser.

Referring chromium fix: https://codereview.chromium.org/423002

* LayoutTests/fast/block/positioning/fixed-position-transform-related-container-expected.txt: Added.
* LayoutTests/fast/block/positioning/fixed-position-transform-related-container.html: Added.
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::accumulateOffsetTowardsAncestor):

Canonical link: https://commits.webkit.org/273161@main
[webkit-changes] [WebKit/WebKit] e87ab3: jsc_fuz/wktr: null ptr deref in WebCore::writeReso...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e87ab3954b6a74b7528e7ec618033367c7f770ea
    https://github.com/WebKit/WebKit/commit/e87ab3954b6a74b7528e7ec618033367c7f770ea
Author: Erica Li
Date: 2024-01-16 (Tue, 16 Jan 2024)

Changed paths:
  A LayoutTests/svg/css/svg-write-resources-null-maskImage-crash-expected.html
  A LayoutTests/svg/css/svg-write-resources-null-maskImage-crash.html
  M Source/WebCore/rendering/svg/SVGRenderTreeAsText.cpp

Log Message:
---
jsc_fuz/wktr: null ptr deref in WebCore::writeResources(WTF::TextStream&, WebCore::RenderObject const&, WTF::OptionSet) + 116 (SVGRenderTreeAsText.cpp:595)
https://bugs.webkit.org/show_bug.cgi?id=267528
rdar://120991613

Reviewed by Nikolas Zimmermann.

Add null check for maskImage in WebCore::writeResources also.

* LayoutTests/svg/css/svg-write-resources-null-maskImage-crash-expected.html: Added.
* LayoutTests/svg/css/svg-write-resources-null-maskImage-crash.html: Added.
* Source/WebCore/rendering/svg/SVGRenderTreeAsText.cpp:
(WebCore::writeResources):

Canonical link: https://commits.webkit.org/273111@main
[webkit-changes] [WebKit/WebKit] 15b690: jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(pos...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 15b690620471d2779fb7c994a689178d3db1dc68
    https://github.com/WebKit/WebKit/commit/15b690620471d2779fb7c994a689178d3db1dc68
Author: Erica Li
Date: 2023-12-20 (Wed, 20 Dec 2023)

Changed paths:
  A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt
  A LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html
  M LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt
  M Source/WebCore/css/CSSStyleSheet.cpp
  M Source/WebCore/css/StyleSheetContents.cpp
  M Source/WebCore/css/StyleSheetContents.h

Log Message:
---
jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(position <= size()); in CSSStyleSheet::insertRule(...) CSSStyleSheet.cpp:365
https://bugs.webkit.org/show_bug.cgi?id=263950
rdar://117469266

Reviewed by Antti Koivisto and Darin Adler.

Based on specification, we should return early and throw InvalidStateError exception when attempting to delete @namespace rule, and list contains anything other than @import or @namespace rules.

* LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
* LayoutTests/fast/css/delete-namespace-rule-when-child-rule-exists.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/css/cssom/delete-namespace-rule-when-child-rule-exists.html: Added.
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::deleteRule):
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::wrapperDeleteRule):
* Source/WebCore/css/StyleSheetContents.h:

Originally-landed-as: 267815.506@safari-7617-branch (40098636b478). rdar://119598025
Canonical link: https://commits.webkit.org/272384@main
[webkit-changes] [WebKit/WebKit] eae948: rdar://110000099 (jsc_fuz/wktr: invalid message We...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eae948cc319807613f9921d1babbcac374f57587
    https://github.com/WebKit/WebKit/commit/eae948cc319807613f9921d1babbcac374f57587
Author: Erica Li
Date: 2023-12-19 (Tue, 19 Dec 2023)

Changed paths:
  A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt
  A LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html
  M Source/WebCore/loader/FrameLoader.cpp

Log Message:
---
rdar://11099 (jsc_fuz/wktr: invalid message WebPasteboardProxy_GetPasteboardChangeCount)
https://bugs.webkit.org/show_bug.cgi\?id\=262292
rdar://11099

Reviewed by Wenson Hsieh.

Disable copy paste for beforeunload event.

* LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event-expected.txt: Added.
* LayoutTests/editing/pasteboard/copy-paste-crash-onbeforeunload-event.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::ForbidCopyPasteScope::ForbidCopyPasteScope):
(WebCore::ForbidCopyPasteScope::~ForbidCopyPasteScope):
(WebCore::FrameLoader::dispatchBeforeUnloadEvent):

Originally-landed-as: 267815.226@safari-7617-branch (20bb95c77d7c). rdar://119592394
Canonical link: https://commits.webkit.org/272314@main
[webkit-changes] [WebKit/WebKit] 8d9001: jsc_fuz/wktr: null ptr deref in WebCore::invokeWri...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8d900198ca1e68cca80a4b2f0d4251d661a41361
    https://github.com/WebKit/WebKit/commit/8d900198ca1e68cca80a4b2f0d4251d661a41361
Author: Erica Li
Date: 2023-12-18 (Mon, 18 Dec 2023)

Changed paths:
  A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt
  A LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html
  M Source/WebCore/bindings/js/InternalWritableStream.cpp
  M Tools/DumpRenderTree/mac/DumpRenderTree.mm

Log Message:
---
jsc_fuz/wktr: null ptr deref in WebCore::invokeWritableStreamFunction(...) (InternalWritableStream.cpp:49)
https://bugs.webkit.org/show_bug.cgi\?id\=262865
rdar://116465595

Reviewed by Mark Lam.

Return early when worker is terminated while trying to get function from globalObject.
Set useDollarVM in test option initialization for cases when useDollarVM will be reset before injectInternalsObject is called in DRT.

* LayoutTests/streams/writable-stream-create-within-multiple-workers-crash-expected.txt: Added.
* LayoutTests/streams/writable-stream-create-within-multiple-workers-crash.html: Added.
* Source/WebCore/bindings/js/InternalWritableStream.cpp:
(WebCore::invokeWritableStreamFunction):
* Tools/DumpRenderTree/mac/DumpRenderTree.mm:
(testOptionsForTest):

Originally-landed-as: 267815.398@safari-7617-branch (f11c81a103a8). rdar://119596601
Canonical link: https://commits.webkit.org/272251@main
[webkit-changes] [WebKit/WebKit] 694415: ScrollingStateScrollingNode destructor should be a...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 69441586e9e090843c0bb55f9a8b7eb97b1521e4
    https://github.com/WebKit/WebKit/commit/69441586e9e090843c0bb55f9a8b7eb97b1521e4
Author: Erica Li
Date: 2023-11-14 (Tue, 14 Nov 2023)

Changed paths:
  M Source/WebCore/page/scrolling/ScrollingStateNode.h
  M Source/WebCore/page/scrolling/ScrollingStateScrollingNode.cpp

Log Message:
---
ScrollingStateScrollingNode destructor should be able to handle being called before being attached to a tree.
https://bugs.webkit.org/show_bug.cgi?id=264722
rdar://117803479

Reviewed by Alex Christensen.

Adding null check to handle the case when destructor being called before being attached to a tree.

* Source/WebCore/page/scrolling/ScrollingStateNode.h:
(WebCore::ScrollingStateNode::isAttachedToScrollingStateTree const):
* Source/WebCore/page/scrolling/ScrollingStateScrollingNode.cpp:
(WebCore::ScrollingStateScrollingNode::~ScrollingStateScrollingNode):

Canonical link: https://commits.webkit.org/270696@main
[webkit-changes] [WebKit/WebKit] 577579: jsc_fuz/wktr: null ptr deref in WebCore::ShareData...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 577579c2ca9159d22ec96469cd168b843222b8fb
    https://github.com/WebKit/WebKit/commit/577579c2ca9159d22ec96469cd168b843222b8fb
Author: Erica Li
Date: 2023-10-28 (Sat, 28 Oct 2023)

Changed paths:
  M LayoutTests/TestExpectations
  A LayoutTests/http/tests/webshare/navigator-share-files-fail-access-control-checks-crash-expected.txt
  A LayoutTests/http/tests/webshare/navigator-share-files-fail-access-control-checks-crash.html
  M Source/WebCore/page/ShareDataReader.cpp

Log Message:
---
jsc_fuz/wktr: null ptr deref in WebCore::ShareDataReader::start(WebCore::Document*, WebCore::ShareDataWithParsedURL&&) + 240 (ShareDataReader.cpp:53)
https://bugs.webkit.org/show_bug.cgi\?id\=263643
rdar://115059534

Reviewed by Chris Dumez.

Adding empty check for m_pendingFileLoads in case reader has canceled during loop due to error and accessing null ptr.

* LayoutTests/TestExpectations: Exclude console message as this test logging blob url which contains unique UUID generated from each run.
* LayoutTests/http/tests/webshare/navigator-share-files-fail-access-control-checks-crash-expected.txt: Added.
* LayoutTests/http/tests/webshare/navigator-share-files-fail-access-control-checks-crash.html: Added.
* Source/WebCore/page/ShareDataReader.cpp:
(WebCore::ShareDataReader::start):

Canonical link: https://commits.webkit.org/269885@main