Branch: refs/heads/safari-7617.1.6-branch
Home: https://github.com/WebKit/WebKit

Commit: aa902502a97f9ed8895ca52a03ed5a86f4e19cc0
https://github.com/WebKit/WebKit/commit/aa902502a97f9ed8895ca52a03ed5a86f4e19cc0
Author: Myles C. Maxfield <mmaxfi...@apple.com>
Date: 2023-08-28 (Mon, 28 Aug 2023)
Changed paths:
  A LayoutTests/http/tests/images/repaint-garbled-expected.html
  A LayoutTests/http/tests/images/repaint-garbled.html
  A LayoutTests/http/tests/images/resources/green-313x313.jxl
  M Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp

Log Message:
-----------
Cherry-pick e633a9de382d. rdar://113298905

[macOS Downlevels] AVIF and JPEG XL images can get corrupted
https://bugs.webkit.org/show_bug.cgi?id=259698
<rdar://problem/113007909>

Reviewed by Said Abou-Hallawa.

When we create a `NativeImage`, we call `ImageSource::frameAtIndexCacheIfNeeded()` with a caching mode of `MetadataAndImage`. This does 2 things:
1. `auto platformImage = m_decoder->createFrameImageAtIndex(index, subsamplingLevelValue, decodingOptions);`
2. `cachePlatformImageAtIndex(WTFMove(platformImage), index, subsamplingLevelValue, DecodingOptions(DecodingMode::Synchronous));`

ImageSource owns its own cache of `Vector<ImageFrame, 1> m_frames;` whereas `ScalableImageDecoder` owns its own `Vector<ScalableImageDecoderFrame, 1> m_frameBufferCache`. Therefore, the output of `createFrameImageAtIndex()` may be expected to outlive the `ImageDecoder` it came from.

However, `createFrameImageAtIndex()` indirectly calls into `ImageBackingStore::image()` which creates the `CGImage` with a `CGDataProvider` that points into the `ImageBackingStore`, which is owned by the `m_frameBufferCache` which is owned by the `ScalableImageDecoder`.

So, when the `ImageSource` destroys its `ImageDecoder`, it blows away the contents of the `CGImage`s being cached, but the images themselves live on inside the `ImageSource` itself. That leads to this kind of corruption.

The solution is to make the `CGImage` retain its backing data.

* LayoutTests/http/tests/images/repaint-garbled-expected.html: Added.
* LayoutTests/http/tests/images/repaint-garbled.html: Added.
* LayoutTests/http/tests/images/resources/green-313x313.jxl: Added.
* Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp:
(WebCore::ImageBackingStore::image const):

Canonical link: https://commits.webkit.org/265870.229@safari-7616-branch
Identifier: 267312.1@safari-7617.1.6-branch

Commit: 3047163aca7b381ebe8694a7b64ec9930ccccf77
https://github.com/WebKit/WebKit/commit/3047163aca7b381ebe8694a7b64ec9930ccccf77
Author: Timothy Hatcher <timo...@apple.com>
Date: 2023-08-29 (Tue, 29 Aug 2023)

Changed paths:
  M Source/WebKit/UIProcess/API/Cocoa/_WKWebExtensionMatchPattern.h
  M Source/WebKit/UIProcess/API/Cocoa/_WKWebExtensionMatchPattern.mm

Log Message:
-----------
Cherry-pick 4bd7a7653518. rdar://114581149

REGRESSION(267111@main): Safari crash when tapping “allow for one day” Terminating app due to uncaught exception.
https://webkit.org/b/260828
rdar://114581149

Reviewed by Chris Dumez.

The matchesURL: and matchesURL:options: methods should take nil for the URL and always return NO. This was happening by accident before. Also mark the match methods as taking nullable URLs and patterns.

* Source/WebKit/UIProcess/API/Cocoa/_WKWebExtensionMatchPattern.h:
* Source/WebKit/UIProcess/API/Cocoa/_WKWebExtensionMatchPattern.mm:
(-[_WKWebExtensionMatchPattern matchesURL:options:]): Return early if the URL is nil.

Canonical link: https://commits.webkit.org/267373@main
Identifier: 266246.1068@safari-7617.1.6-branch

Commit: 49d771c59bb19c90059bc7b2ad034041f430ca9d
https://github.com/WebKit/WebKit/commit/49d771c59bb19c90059bc7b2ad034041f430ca9d
Author: Dan Robson <dtr_bugzi...@apple.com>
Date: 2023-08-29 (Tue, 29 Aug 2023)

Changed paths:
  R LayoutTests/http/tests/images/repaint-garbled-expected.html
  R LayoutTests/http/tests/images/repaint-garbled.html
  R LayoutTests/http/tests/images/resources/green-313x313.jxl
  M Source/WebCore/platform/graphics/cg/ImageBackingStoreCG.cpp

Log Message:
-----------
Revert "Cherry-pick e633a9de382d. rdar://113298905"

This reverts commit aa902502a97f9ed8895ca52a03ed5a86f4e19cc0.
Identifier: 267312.2@safari-7617.1.6-branch

Compare: https://github.com/WebKit/WebKit/compare/aa902502a97f%5E...49d771c59bb1