Branch: refs/heads/main
Home:   https://github.com/WebKit/WebKit

Commit: d9acfd1b770df4d87991f92cbd2dcf9526cb0d9c
    https://github.com/WebKit/WebKit/commit/d9acfd1b770df4d87991f92cbd2dcf9526cb0d9c
Author: Matthieu Dubet <m_du...@apple.com>
Date:   2024-08-02 (Fri, 02 Aug 2024)

Changed paths:
  A LayoutTests/fast/css/cssom-insertrule-crash-expected.html
  A LayoutTests/fast/css/cssom-insertrule-crash.html
  M Source/WebCore/css/CSSGroupingRule.cpp
  M Source/WebCore/css/CSSStyleRule.cpp
  M Source/WebCore/css/CSSStyleSheet.cpp
  M Source/WebCore/css/CSSStyleSheet.h
  M Source/WebCore/css/StyleSheetContents.cpp
  M Source/WebCore/css/StyleSheetContents.h
  M Source/WebCore/css/parser/CSSParserImpl.cpp

Log Message:
-----------
[CSSOM] Fix insertion of rule inside non nested style rule
https://bugs.webkit.org/show_bug.cgi?id=275129
rdar://126112807

Reviewed by Antti Koivisto.

The CSS parser should not change the "hasNestingRules" status of a stylesheet
(which makes the CoW mechanism fail and causes a bunch of other issues).

This patch changes when the CoW will copy the rules to allow mutation and makes
the cache mechanism internal to the StyleSheetContents class.

* LayoutTests/fast/css/cssom-insertrule-crash-expected.html: Added.
* LayoutTests/fast/css/cssom-insertrule-crash.html: Added.
* Source/WebCore/css/CSSGroupingRule.cpp:
(WebCore::CSSGroupingRule::prepareChildStyleRuleForNesting):
* Source/WebCore/css/CSSStyleRule.cpp:
(WebCore::CSSStyleRule::insertRule):
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::prepareChildStyleRuleForNesting):
* Source/WebCore/css/CSSStyleSheet.h:
* Source/WebCore/css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::StyleSheetContents):
(WebCore::StyleSheetContents::isCacheable const):
(WebCore::StyleSheetContents::hasNestingRules):
* Source/WebCore/css/StyleSheetContents.h:
* Source/WebCore/css/parser/CSSParserImpl.cpp:
(WebCore::CSSParserImpl::consumeNestedGroupRules):
(WebCore::CSSParserImpl::consumeStyleRule):

Originally-landed-as: 272448.1086@safari-7618-branch (d3f4fe14288c). rdar://132959061
Canonical link: https://commits.webkit.org/281785@main


Commit: d9047878322f6a875050f942e56cc38c5f82088a
    https://github.com/WebKit/WebKit/commit/d9047878322f6a875050f942e56cc38c5f82088a
Author: Erica Li <ler...@apple.com>
Date:   2024-08-02 (Fri, 02 Aug 2024)

Changed paths:
  A LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash-expected.txt
  A LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash.html
  M Source/WebCore/dom/Element.cpp

Log Message:
-----------
ASAN_ILL | WebCore::RenderMeter::~RenderMeter;
https://bugs.webkit.org/show_bug.cgi?id=275944
rdar://126113504

Reviewed by Alan Baradlay.

The test case produces a crash case where the checkedPtr renderer within
Element::scrollIntoView will be destroyed, even though we called
updateLayoutIgnorePendingStylesheets right before it.

During LocalFrameView::scrollRectToVisible, layout is triggered because:
1. pre-layout: willDoLayout() -> adjustScrollbarsForLayout() turns the vertical
   scrollbar to be on
2. during/after layout the scrollbar is updated ONLY when content size has
   changed: LocalFrameView::setContentsSize
3. when content size is unchanged the vertical scrollbar remains on,
4. LocalFrameView::scrollRectToVisible -> updateScrollbars checked that the
   scrollbar has changed and decided to trigger layout with updateContentsSize().

The fix is to make the renderer a WeakPtr instead of a CheckedPtr.

This patch also fixes a build failure for CHECKED_POINTER_DEBUG in the SU branch.

* LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash-expected.txt: Added.
* LayoutTests/fast/scrolling/scrollIntoView-destroy-renderer-for-meter-element-crash.html: Added.
* Source/WebCore/dom/Element.cpp:
(WebCore::listBoxElementScrollIntoView):
(WebCore::Element::scrollIntoView):
* Source/WebCore/dom/TreeScope.cpp:
(WebCore::TreeScope::registerCheckedPtr const): Deleted.
(WebCore::TreeScope::copyCheckedPtr const): Deleted.
(WebCore::TreeScope::moveCheckedPtr const): Deleted.
(WebCore::TreeScope::unregisterCheckedPtr const): Deleted.

Originally-landed-as: 272448.1097@safari-7618.3.11.10-branch (a7082f8505ae). rdar://132944916
Canonical link: https://commits.webkit.org/281786@main


Commit: eeccf9681be2753e654655d799635ca94f48845a
    https://github.com/WebKit/WebKit/commit/eeccf9681be2753e654655d799635ca94f48845a
Author: Sammy Gill <sammy.g...@apple.com>
Date:   2024-08-02 (Fri, 02 Aug 2024)

Changed paths:
  A LayoutTests/fast/css/grid-template-rule-no-crash-expected.txt
  A LayoutTests/fast/css/grid-template-rule-no-crash.html
  M Source/WebCore/css/ShorthandSerializer.cpp

Log Message:
-----------
Bad downcast in ShorthandSerializer::serializeGridTemplate
https://bugs.webkit.org/show_bug.cgi?id=275863
rdar://121949510

Reviewed by Brent Fulgham and Tim Nguyen.

When attempting to parse the more complex version of the grid-template syntax,
the ShorthandSerializer assumes that the value for the grid-template-rows
longhand will be a CSSValueList. This may not be true, as demonstrated in the
test case, which ends up returning a CSSSubgridValue for the longhand value.

Instead of just blindly downcasting, let's replace the erroneous
isLonghandValueNone(rowsIndex) with !rowTrackSizes->isValueList() to make sure
we return a null string if the value of grid-template-rows is not a
CSSValueList and as a result cannot be expressed in the shorthand, which is
similar to what we do for the grid-template-columns case.

Also rephrase the comment to just say this instead of the lengthy and confusing
description.

* LayoutTests/fast/css/grid-template-rule-no-crash-expected.txt: Added.
* LayoutTests/fast/css/grid-template-rule-no-crash.html: Added.
* Source/WebCore/css/ShorthandSerializer.cpp:
(WebCore::ShorthandSerializer::serializeGridTemplate const):

Originally-landed-as: 272448.1096@safari-7618-branch (32cdb1b7a376). rdar://132953407
Canonical link: https://commits.webkit.org/281787@main


Commit: 0fb943e26c18e22794acd8d70df013944f50b9dd
    https://github.com/WebKit/WebKit/commit/0fb943e26c18e22794acd8d70df013944f50b9dd
Author: Matthew Finkel <m_fin...@apple.com>
Date:   2024-08-02 (Fri, 02 Aug 2024)

Changed paths:
  A LayoutTests/http/tests/local/blob/resolve-response-with-custom-then-expected.txt
  A LayoutTests/http/tests/local/blob/resolve-response-with-custom-then.html
  M Source/WebCore/Modules/fetch/FetchBodyOwner.cpp
  M Source/WebCore/Modules/fetch/FetchBodyOwner.h

Log Message:
-----------
Extend the lifetime of the Fetch body owner
https://bugs.webkit.org/show_bug.cgi?id=275122
rdar://128250783

Reviewed by Youenn Fablet and Simon Fraser.

This patch extends the lifetime of the FetchBodyOwner while we resolve the body.
In some cases, the body can be prematurely freed if its only reference is held
by a JavaScript object.

* LayoutTests/http/tests/local/blob/resolve-response-with-custom-then-expected.txt: Added.
* LayoutTests/http/tests/local/blob/resolve-response-with-custom-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyOwner.cpp:
(WebCore::FetchBodyOwner::blobLoadingSucceeded):
(WebCore::FetchBodyOwner::BlobLoader::didSucceed):
* Source/WebCore/Modules/fetch/FetchBodyOwner.h:

Originally-landed-as: 272448.1095@safari-7618-branch (2ba62228e7b8). rdar://132954026
Canonical link: https://commits.webkit.org/281788@main


Commit: 0b2843995193ff7b5bab822c5456a69de24a326c
    https://github.com/WebKit/WebKit/commit/0b2843995193ff7b5bab822c5456a69de24a326c
Author: Jer Noble <jer.no...@apple.com>
Date:   2024-08-02 (Fri, 02 Aug 2024)

Changed paths:
  A LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
  A LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
  M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp

Log Message:
-----------
Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
https://bugs.webkit.org/show_bug.cgi?id=275273
rdar://125617842

Reviewed by Eric Carlson.

* LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt: Added.
* LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html: Added.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):

Originally-landed-as: 272448.1080@safari-7618-branch (64c9479d6f29). rdar://132954227
Canonical link: https://commits.webkit.org/281789@main


Compare: https://github.com/WebKit/WebKit/compare/adfe4b971f3b...0b2843995193

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes