Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 00592216a6f11528ef9843a4a7b11d3f26b0d983
      
https://github.com/WebKit/WebKit/commit/00592216a6f11528ef9843a4a7b11d3f26b0d983
  Author: Yijia Huang <yijia_hu...@apple.com>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    A JSTests/stress/error-instance.js
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp

  Log Message:
  -----------
  [JSC] Fix Re-entrancy in ErrorInstance::computeErrorInfo
https://bugs.webkit.org/show_bug.cgi?id=267785
rdar://121098660

Reviewed by Yusuke Suzuki.

ErrorInstance::computeErrorInfo computes the stack trace string, which may
trigger GC and re-enter this function with the same ErrorInstance
while computing the stack string. We should defer GC until the stack trace
string is materialized.

* JSTests/stress/error-instance.js: Added.
(main.const.error):
(main):
* Source/JavaScriptCore/runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::computeErrorInfo):

Originally-landed-as: 272448.260@safari-7618-branch (ade92866440e). 
rdar://124555384
Canonical link: https://commits.webkit.org/276233@main


  Commit: bd9e9204f3d9e4c8ac2feb1bdf51247fadf1c5bd
      
https://github.com/WebKit/WebKit/commit/bd9e9204f3d9e4c8ac2feb1bdf51247fadf1c5bd
  Author: Nisha Jain <nisha_j...@apple.com>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  "ASAN_SEGV | WebCore::Style::resolveForDocument; WebCore::Document::styleForElementIgnoringPendingStylesheets; WebCore::Element::resolveComputedStyle"
https://bugs.webkit.org/show_bug.cgi?id=267656
rdar://119187152

Reviewed by Ryosuke Niwa.

Need to prevent an attempt to load a disconnected plugin.
Not adding a new test case, as a reliable reproduction of this issue could not
be made.

* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 272448.257@safari-7618-branch (23c6a88ad691). 
rdar://124555413
Canonical link: https://commits.webkit.org/276234@main


  Commit: cabbec4bbea7104440e03c4964bc297557e80cb4
      
https://github.com/WebKit/WebKit/commit/cabbec4bbea7104440e03c4964bc297557e80cb4
  Author: Yijia Huang <yijia_hu...@apple.com>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    M JSTests/stress/intl-collator.js
    M JSTests/stress/intl-datetimeformat.js
    M JSTests/stress/intl-numberformat.js
    M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
    M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp

  Log Message:
  -----------
  [JSC] Use dynamic cast in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime, and intlNumberFormatFuncFormat
https://bugs.webkit.org/show_bug.cgi?id=267725
rdar://121029647

Reviewed by Yusuke Suzuki and Mark Lam.

We should ensure `thisValue` is the desired object. So, we should use a dynamic
cast instead in intlCollatorFuncCompare, intlDateTimeFormatFuncFormatDateTime,
and intlNumberFormatFuncFormat.

* Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Originally-landed-as: 272448.254@safari-7618-branch (5173338bb6f1). 
rdar://124555823
Canonical link: https://commits.webkit.org/276235@main


  Commit: 14b04872e30ed2b0f5a94320bd6342eaa2dce16e
      
https://github.com/WebKit/WebKit/commit/14b04872e30ed2b0f5a94320bd6342eaa2dce16e
  Author: Ryosuke Niwa <rn...@webkit.org>
  Date:   2024-03-16 (Sat, 16 Mar 2024)

  Changed paths:
    A LayoutTests/fast/images/image-document-event-handler-crash-expected.txt
    A LayoutTests/fast/images/image-document-event-handler-crash.html
    M Source/WebCore/html/ImageDocument.cpp

  Log Message:
  -----------
  Crash in ImageEventListener::handleEvent
https://bugs.webkit.org/show_bug.cgi?id=267739
rdar://118761846

Reviewed by Chris Dumez.

Use WeakPtr instead of a raw reference.

* LayoutTests/fast/images/image-document-event-handler-crash-expected.txt: Added.
* LayoutTests/fast/images/image-document-event-handler-crash.html: Added.
* Source/WebCore/html/ImageDocument.cpp:
(WebCore::ImageEventListener::handleEvent):

Originally-landed-as: 272448.253@safari-7618-branch (b417dff04acd). 
rdar://124555893
Canonical link: https://commits.webkit.org/276236@main


Compare: https://github.com/WebKit/WebKit/compare/cf053c07242e...14b04872e30e

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes