Branch: refs/heads/safari-7618.2.12.13-branch
Home: https://github.com/WebKit/WebKit

Commit: ea2439209d9fe9154b5f04fb3bba08379bfc8d72
    https://github.com/WebKit/WebKit/commit/ea2439209d9fe9154b5f04fb3bba08379bfc8d72
Author: Mohsin Qureshi <mohs...@apple.com>
Date: 2024-04-15 (Mon, 15 Apr 2024)

Changed paths:
  M Configurations/Version.xcconfig

Log Message:
-----------
Versioning.

WebKit-7618.2.12.13.1

Canonical link: https://commits.webkit.org/272448.932@safari-7618.2.12.13-branch

Commit: b76830ca75df8b00dbdb36c592ad84f7ed110866
    https://github.com/WebKit/WebKit/commit/b76830ca75df8b00dbdb36c592ad84f7ed110866
Author: Chris Dumez <cdu...@apple.com>
Date: 2024-04-16 (Tue, 16 Apr 2024)

Changed paths:
  M Source/WebKit/Shared/AuxiliaryProcess.h
  M Source/WebKit/Shared/AuxiliaryProcess.messages.in
  M Source/WebKit/Shared/Cocoa/AuxiliaryProcessCocoa.mm
  M Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp
  M Source/WebKit/UIProcess/AuxiliaryProcessProxy.h
  M Source/WebKit/UIProcess/Cocoa/AuxiliaryProcessProxyCocoa.mm

Log Message:
-----------
Cherry-pick d6540a38e780. rdar://126492909

    Regression(277427@main) Crash under AuxiliaryProcessProxy::notifyPreferencesChanged()
    https://bugs.webkit.org/show_bug.cgi?id=272695
    rdar://126492909

    Reviewed by Per Arne Vollan.

    We were using a HashMap to store preferences whose key was a std::pair<String, String>.
    The first String was the domain and the second the preference name. However, for global
    preferences, the domain is null, causing a crash when hashing the key.

    To address the issue, we now store global preferences in a separate HashMap.

    * Source/WebKit/Shared/AuxiliaryProcess.h:
    * Source/WebKit/Shared/AuxiliaryProcess.messages.in:
    * Source/WebKit/Shared/Cocoa/AuxiliaryProcessCocoa.mm:
    (WebKit::AuxiliaryProcess::preferencesDidUpdate):
    * Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:
    (WebKit::AuxiliaryProcessProxy::didChangeThrottleState):
    * Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:
    * Source/WebKit/UIProcess/Cocoa/AuxiliaryProcessProxyCocoa.mm:
    (WebKit::AuxiliaryProcessProxy::notifyPreferencesChanged):

    Canonical link: https://commits.webkit.org/277514@main

Commit: c4b640fbedbee2518b1fb4b1847657a91df811ed
    https://github.com/WebKit/WebKit/commit/c4b640fbedbee2518b1fb4b1847657a91df811ed
Author: Dan Robson <dtr_bugzi...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Configurations/Version.xcconfig

Log Message:
-----------
Versioning.

WebKit-7618.2.12.13.2

Canonical link: https://commits.webkit.org/272448.934@safari-7618.2.12.13-branch

Commit: d7e2f94c57ea9901695253d7882747b6f62b6ab8
    https://github.com/WebKit/WebKit/commit/d7e2f94c57ea9901695253d7882747b6f62b6ab8
Author: Per Arne Vollan <pvol...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Source/WebKit/Platform/cocoa/XPCUtilities.h
  M Source/WebKit/Platform/cocoa/XPCUtilities.mm
  M Source/WebKit/Shared/Authentication/cocoa/AuthenticationManagerCocoa.mm
  M Source/WebKit/Shared/Cocoa/XPCEndpoint.mm
  M Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm

Log Message:
-----------
Cherry-pick 3c2c899f692d. rdar://126479653

    WebKit process termination with xpc_connection_kill does not always work
    https://bugs.webkit.org/show_bug.cgi?id=272669
    rdar://126479653

    Reviewed by Chris Dumez.

    WebKit process termination with xpc_connection_kill does not always work. We are currently
    seeing flaky termination behavior on macOS, where the child processes are not always
    terminated successfully.

    Additionally, on iOS, the XPC connection has become anonymous due to migration to extensions
    for WebKit processes, and xpc_connection_kill does not support anonymous connections.

    This patch addresses this issue by creating and sending an XPC message to the child process
    to request termination. This has a high chance of success, since we know that the XPC
    connection termination watchdog is holding a background assertion on the process, so it is
    not suspended. Additionally, the XPC message is being handled on the XPC event handler
    thread, which is handling very few messages, so it is very unlikely that it is blocked and
    cannot handle the message. This gives the process a chance to exit cleanly and send a reply
    back. If the UI process does not receive the expected reply, it will try calling
    xpc_connection_kill.

    * Source/WebKit/Platform/cocoa/XPCUtilities.h:
    * Source/WebKit/Platform/cocoa/XPCUtilities.mm:
    (WebKit::terminateWithReason):
    (WebKit::handleXPCExitMessage):
    * Source/WebKit/Shared/Authentication/cocoa/AuthenticationManagerCocoa.mm:
    (WebKit::AuthenticationManager::initializeConnection):
    * Source/WebKit/Shared/Cocoa/XPCEndpoint.mm:
    (WebKit::XPCEndpoint::XPCEndpoint):
    * Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm:
    (WebKit::XPCServiceEventHandler):

    Canonical link: https://commits.webkit.org/277509@main

Commit: 66b2665acc10dd7202645d8b212f647aada6762e
    https://github.com/WebKit/WebKit/commit/66b2665acc10dd7202645d8b212f647aada6762e
Author: Per Arne Vollan <pvol...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Source/WebKit/Platform/cocoa/XPCUtilities.mm

Log Message:
-----------
Cherry-pick 1bfeac262aa5. rdar://126479653

    Compile fix after <https://commits.webkit.org/277509@main>
    https://bugs.webkit.org/show_bug.cgi?id=272824
    rdar://126479653

    Unreviewed compile fix.

    * Source/WebKit/Platform/cocoa/XPCUtilities.mm:

    Canonical link: https://commits.webkit.org/277621@main

Commit: 92b8d408b1f9658808dd21758df668195f20c3c6
    https://github.com/WebKit/WebKit/commit/92b8d408b1f9658808dd21758df668195f20c3c6
Author: Mohsin Qureshi <mohs...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Source/JavaScriptCore/CMakeLists.txt
  M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
  M Source/JavaScriptCore/Sources.txt
  M Source/JavaScriptCore/bytecode/ExpressionInfo.h
  M Source/JavaScriptCore/runtime/CachedTypes.cpp
  M Source/JavaScriptCore/runtime/FileBasedFuzzerAgentBase.h
  A Source/JavaScriptCore/runtime/JSCBytecodeCacheVersion.cpp
  R Source/JavaScriptCore/runtime/JSCBytecodeCacheVersion.cpp.in
  M Source/JavaScriptCore/runtime/JSCBytecodeCacheVersion.h
  M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
  M Source/WTF/wtf/spi/darwin/dyldSPI.h

Log Message:
-----------
Apply patch. rdar://126195542

Commit: a6f1d0aa1f343e915ba446d337ec720ba8310b1f
    https://github.com/WebKit/WebKit/commit/a6f1d0aa1f343e915ba446d337ec720ba8310b1f
Author: Mohsin Qureshi <mohs...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Source/JavaScriptCore/CMakeLists.txt
  M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
  M Source/JavaScriptCore/Sources.txt
  M Source/JavaScriptCore/bytecode/ExpressionInfo.h
  M Source/JavaScriptCore/runtime/CachedTypes.cpp
  M Source/JavaScriptCore/runtime/FileBasedFuzzerAgentBase.h
  R Source/JavaScriptCore/runtime/JSCBytecodeCacheVersion.cpp
  A Source/JavaScriptCore/runtime/JSCBytecodeCacheVersion.cpp.in
  M Source/JavaScriptCore/runtime/JSCBytecodeCacheVersion.h
  M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
  M Source/WTF/wtf/spi/darwin/dyldSPI.h

Log Message:
-----------
Revert "Apply patch. rdar://126195542"

This reverts commit 92b8d408b1f9658808dd21758df668195f20c3c6.

Commit: e7cb80cb98d995a71bb29eae929183aa008ead5f
    https://github.com/WebKit/WebKit/commit/e7cb80cb98d995a71bb29eae929183aa008ead5f
Author: Mohsin Qureshi <mohs...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Source/WebKit/Platform/cocoa/XPCUtilities.mm

Log Message:
-----------
Revert "Cherry-pick 1bfeac262aa5. rdar://126479653"

This reverts commit 66b2665acc10dd7202645d8b212f647aada6762e.

Commit: dbfb1cdd989125f7c728d08c0a2d00cb3c117dfe
    https://github.com/WebKit/WebKit/commit/dbfb1cdd989125f7c728d08c0a2d00cb3c117dfe
Author: Mohsin Qureshi <mohs...@apple.com>
Date: 2024-04-17 (Wed, 17 Apr 2024)

Changed paths:
  M Source/WebKit/Platform/cocoa/XPCUtilities.h
  M Source/WebKit/Platform/cocoa/XPCUtilities.mm
  M Source/WebKit/Shared/Authentication/cocoa/AuthenticationManagerCocoa.mm
  M Source/WebKit/Shared/Cocoa/XPCEndpoint.mm
  M Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm

Log Message:
-----------
Revert "Cherry-pick 3c2c899f692d. rdar://126479653"

This reverts commit d7e2f94c57ea9901695253d7882747b6f62b6ab8.

Commit: 6ce501a2bff07d473dc2f57cbbde83e6c88108d1
    https://github.com/WebKit/WebKit/commit/6ce501a2bff07d473dc2f57cbbde83e6c88108d1
Author: Keith Miller <keith_mil...@apple.com>
Date: 2024-04-22 (Mon, 22 Apr 2024)

Changed paths:
  M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
  M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
  M Source/JavaScriptCore/jit/ThunkGenerators.cpp
  M Source/JavaScriptCore/llint/LLIntThunks.cpp
  M Source/JavaScriptCore/runtime/Options.cpp
  M Source/JavaScriptCore/runtime/OptionsList.h
  M Source/WTF/wtf/PtrTag.h
  M Source/WebKit/WebProcess/WebProcess.cpp
  M Tools/Scripts/run-jsc-stress-tests

Log Message:
-----------
Cherry-pick f442fbe222f3. rdar://125596635

    Make it harder to get a PAC signing gadget in JIT code.
    https://bugs.webkit.org/show_bug.cgi?id=272750
    rdar://125596635

    Reviewed by Yusuke Suzuki.

    Right now if an attacker can control where code is allocated they can overlap code to create
    a PAC bypass. This patch makes that harder (in the WebContent process) by only allowing
    pacibsp and pacizb. This means that during arity fixup we now tag the return PC with pacizb.
    This is ok because we don't use the zero diversifier for anything.

    For reifying inlined call frames during OSR exit things are a bit more complicated. First we
    have to be careful to only move signed return addresses into lr then untag them there. Also,
    we have to shuffle SP to point to where it would in the reified frame. This means that there
    is technically live data below our SP, which on many OSes causes problems. Talking to our
    kernel folks, however, this isn't a problem as long as we don't have any signal handlers or
    run lldb expressions in this window. We don't use signal handlers in the WebContent process
    and this patch tries to limit/document the window of JIT code where lldb would trash the
    stack.

    * Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
    (JSC::MacroAssemblerARM64E::tagPtr):
    * Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
    (JSC::DFG::reifyInlinedCallFrames):
    (JSC::AssemblyHelpers::transferReturnPC):
    * Source/JavaScriptCore/jit/ThunkGenerators.cpp:
    (JSC::arityFixupGenerator):
    * Source/JavaScriptCore/llint/LLIntThunks.cpp:
    (JSC::LLInt::tagGateThunk):
    (JSC::LLInt::untagGateThunk):
    * Source/JavaScriptCore/runtime/OptionsList.h:
    * Source/WTF/wtf/PtrTag.h:
    * Source/WebKit/WebProcess/WebProcess.cpp:
    (WebKit::WebProcess::initializeProcess):
    * Tools/Scripts/run-jsc-stress-tests:

    Canonical link: https://commits.webkit.org/272448.948@safari-7618-branch

Canonical link: https://commits.webkit.org/272448.941@safari-7618.2.12.13-branch

Compare: https://github.com/WebKit/WebKit/compare/ea2439209d9f%5E...6ce501a2bff0
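The request-then-kill termination handshake that the cherry-pick of 3c2c899f692d describes (and that this branch later reverted with dbfb1cdd9891) can be sketched as follows. This is an added illustration written for this page, not WebKit's XPCUtilities code. The message key and value ("message-name" = "exit"), the reply key, the one-second reply deadline, the queue label and the hand-written prototype for xpc_connection_kill (Apple SPI, absent from <xpc/xpc.h>; WebKit declares it in its own SPI headers) are all assumptions made here.

```objective-c
// Added example, not WebKit's code. Two halves of the handshake: the UI process asks
// the child to exit and escalates to xpc_connection_kill only if no reply arrives; the
// child answers from its XPC event handler and exits once the reply has been flushed.
#import <Foundation/Foundation.h>
#import <dispatch/dispatch.h>
#import <xpc/xpc.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>

// Assumed SPI prototype; not a public libxpc declaration.
extern void xpc_connection_kill(xpc_connection_t connection, int signal);

static const char *const kExitMessageName = "exit"; // assumed wire value

// --- UI-process side --------------------------------------------------------

// Requests a clean exit. A serial queue orders the reply handler and the deadline
// block so the "replied" flag is never read and written concurrently.
static void terminateChildProcess(xpc_connection_t connection)
{
    dispatch_queue_t queue = dispatch_queue_create("com.example.child-termination", DISPATCH_QUEUE_SERIAL);

    xpc_object_t request = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_string(request, "message-name", kExitMessageName);

    __block BOOL childReplied = NO;
    xpc_connection_send_message_with_reply(connection, request, queue, ^(xpc_object_t reply) {
        // A dictionary reply means the child acknowledged and is exiting on its own.
        // XPC_TYPE_ERROR (e.g. XPC_ERROR_CONNECTION_INVALID) means the peer is already gone;
        // in that case there is nothing left to kill either.
        if (xpc_get_type(reply) != XPC_TYPE_ERROR)
            childReplied = YES;
    });

    // Deadline: only if the child has not answered do we fall back to the signal path.
    // Note the caveat from the commit message: xpc_connection_kill does not work on
    // anonymous connections, so this fallback only helps where the child is a real
    // XPC service (macOS), not an extension-hosted process on iOS.
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(1 * NSEC_PER_SEC)), queue, ^{
        if (!childReplied)
            xpc_connection_kill(connection, SIGKILL);
    });
}

// --- Child-process side -----------------------------------------------------

// Runs on the XPC event handler, which carries little other traffic, so the exit
// request is serviced even when the main thread is busy or wedged.
static void handleXPCEvent(xpc_connection_t peer, xpc_object_t event)
{
    if (xpc_get_type(event) != XPC_TYPE_DICTIONARY)
        return; // XPC_TYPE_ERROR: the peer went away; nothing to acknowledge.

    const char *messageName = xpc_dictionary_get_string(event, "message-name");
    if (!messageName || strcmp(messageName, kExitMessageName) != 0)
        return; // Not the exit request; other traffic is handled elsewhere.

    xpc_object_t reply = xpc_dictionary_create_reply(event);
    if (!reply) {
        exit(0); // Sender did not ask for a reply; just honour the request.
        return;
    }
    xpc_dictionary_set_bool(reply, "exiting", true); // assumed reply key
    xpc_connection_send_message(peer, reply);

    // Sends are asynchronous: exit only after the reply has actually been transmitted,
    // otherwise the UI process never sees the acknowledgement and escalates to SIGKILL.
    xpc_connection_send_barrier(peer, ^{
        exit(0);
    });
}

static void installExitHandler(xpc_connection_t peer)
{
    xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
        handleXPCEvent(peer, event);
    });
    xpc_connection_resume(peer);
}
```

The check a practitioner wants here is the one the commit spells out in prose: the child side must answer before it exits, and the reply must be on the wire before exit() runs, which is why the exit is deferred with xpc_connection_send_barrier rather than issued immediately after xpc_connection_send_message. On the UI side, the deadline must tolerate an error reply as "already gone" rather than escalate, or a race between a crashing child and the watchdog would call xpc_connection_kill on an invalid connection.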