Possible crash computing event regions
[WebKit-https.git] / Source / WebCore / ChangeLog
index 5d666eb..3cdf793 100644 (file)
@@ -1,3 +1,289 @@
+2018-01-06  Simon Fraser  <simon.fraser@apple.com>
+
+        Possible crash computing event regions
+        https://bugs.webkit.org/show_bug.cgi?id=181368
+        rdar://problem/34847081
+
+        Reviewed by Zalan Bujtas.
+
+        Don't trigger layout in Element::absoluteEventHandlerBounds(), since this can run arbirary script
+        which might delete elements or re-enter Document::absoluteRegionForEventTargets().
+
+        It's OK to not trigger layout, because if layout is dirty, the next layout will update event regions again.
+
+        Add a LayoutDisallowedScope to check that Document::absoluteRegionForEventTargets() doesn't
+        trigger layout, and move the check for LayoutDisallowedScope::isLayoutAllowed() from Document::updateLayout()
+        to LayoutContext::layout(), since some layouts don't happen via the former (e.g. the one being removed here).
+
+        The test checks that the assertion does not fire. I was not able to get a reliable test for any crash.
+
+        Test: fast/events/event-handler-regions-layout.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayout):
+        (WebCore::Document::absoluteRegionForEventTargets):
+        * dom/Element.cpp:
+        (WebCore::Element::absoluteEventHandlerBounds):
+        * page/LayoutContext.cpp:
+        (WebCore::LayoutContext::layout):
+        * rendering/LayoutDisallowedScope.h: Move the #ifdefs around to avoid defining the enum twice.
+        (WebCore::LayoutDisallowedScope::LayoutDisallowedScope):
+        (WebCore::LayoutDisallowedScope::isLayoutAllowed):
+
+2018-01-06  Simon Fraser  <simon.fraser@apple.com>
+
+        Crash under RenderLayer::scrollTo() with marquee
+        https://bugs.webkit.org/show_bug.cgi?id=181349
+        rdar://problem/36190168
+
+        Reviewed by Zalan Bujtas.
+
+        Don't call updateWidgetPositions() synchonously during RenderLayer scrolling, because it
+        can run arbitrary script which may trigger destruction of this RenderLayer.
+
+        Instead, queue up updateWidgetPositions() on a zero-delay timer.
+
+        Under some circumstances this may allow a paint to occur before the widgets have been
+        updated (which could be fixed with a more invasive change), but in practice I saw no
+        painting issues with plug-ins or iframes inside overflow scroll, in WebKit or LegacyWebKit.
+
+        Test: fast/scrolling/marquee-scroll-crash.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::FrameView):
+        (WebCore::FrameView::updateWidgetPositions):
+        (WebCore::FrameView::scheduleUpdateWidgetPositions):
+        (WebCore::FrameView::updateWidgetPositionsTimerFired):
+        * page/FrameView.h:
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::scrollTo):
+
+2018-01-05  Dean Jackson  <dino@apple.com>
+
+        Accurately clip copyTexImage2D and copyTexSubImage2D
+        https://bugs.webkit.org/show_bug.cgi?id=181356
+        <rdar://problem/35083877>
+
+        Reviewed by Eric Carlson.
+
+        The code to make sure copyTexSubImage2D and copyTexImage2D will not try to read
+        out of bounds had a bad bug introduced here:
+        https://bugs.webkit.org/show_bug.cgi?id=51421
+
+        With appropriate parameters, it would produce a rectangle with
+        negative dimensions. Most GL drivers just ignored this, but some
+        are not happy.
+
+        Test: fast/canvas/webgl/copy-tex-image-and-sub-image-2d-bad-input.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::clip2D): Reimplement this in a more sane manner, and use
+        checked arithmetic while here.
+        * html/canvas/WebGLRenderingContextBase.h:
+        (WebCore::clip1D): Deleted.
+        (WebCore::clip2D): Deleted.
+
+2018-01-06  Antti Koivisto  <antti@apple.com>
+
+        Use WeakPtr for RenderTreePosition::m_nextSibling
+        https://bugs.webkit.org/show_bug.cgi?id=181363
+
+        Reviewed by Zalan Bujtas.
+
+        For safety. In most cases it is null and won't cause us to instantiate WeakReferences for
+        many new objects.
+
+        * rendering/updating/RenderTreePosition.cpp:
+        (WebCore::RenderTreePosition::computeNextSibling):
+        * rendering/updating/RenderTreePosition.h:
+        (WebCore::RenderTreePosition::RenderTreePosition):
+        (WebCore::RenderTreePosition::nextSibling const):
+
+2018-01-05  David Kilzer  <ddkilzer@apple.com>
+
+        Re-enable -Wcast-qual in WebCore for Apple ports
+        <https://webkit.org/b/177895>
+        <rdar://problem/34960830>
+
+        Reviewed by Joseph Pecoraro.
+
+        * Configurations/Base.xcconfig:
+        (WARNING_CFLAGS): Remove FIXME and add -Wcast-qual back to
+        arguments.
+
+        * crypto/mac/SerializedCryptoKeyWrapMac.mm:
+        (WebCore::createAndStoreMasterKey):
+        - Use checked_cf_cast<SecACLRef>().
+
+        * editing/cocoa/DataDetection.mm:
+        (WebCore::detectItemAtPositionWithRange):
+        - Manually cast CFTypeRef to DDResultRef until
+          DDResultGetTypeID() is available as SPI.
+
+        * platform/gamepad/mac/HIDGamepad.cpp:
+        (WebCore::HIDGamepad::initElementsFromArray):
+        - Use checked_cf_cast<IOHIDElementRef>().
+
+        * platform/graphics/avfoundation/objc/MediaSampleAVFObjC.mm:
+        (WebCore::MediaSampleAVFObjC::createImageSample):
+        (WebCore::CMSampleBufferIsRandomAccess):
+        (WebCore::CMSampleBufferIsNonDisplaying):
+        (WebCore::MediaSampleAVFObjC::createNonDisplayingCopy const):
+        - Use checked_cf_cast<CFMutableDictionaryRef>() and
+          checked_cf_cast<CFDictionaryRef>().
+
+        * platform/graphics/cocoa/IOSurface.h:
+        (WebCore::IOSurface::asLayerContents):
+        - Use reinterpret_cast<id>() to cast from IOSurfaceRef to id.
+
+        * platform/graphics/cocoa/WebCoreDecompressionSession.mm:
+        (WebCore::WebCoreDecompressionSession::getFirstVideoFrame):
+        (WebCore::WebCoreDecompressionSession::automaticDequeue):
+        (WebCore::WebCoreDecompressionSession::imageForTime):
+        (WebCore::WebCoreDecompressionSession::getDecodeTime):
+        (WebCore::WebCoreDecompressionSession::getPresentationTime):
+        (WebCore::WebCoreDecompressionSession::getDuration):
+        - Use checked_cf_cast<CMSampleBufferRef>().
+
+        * platform/graphics/Font.h:
+        (WebCore::Font::m_kernedCFStringAttributes):
+        (WebCore::Font::m_nonKernedCFStringAttributes):
+        - Change type from RetainPtr<CFDictionaryRef> to
+          RetainPtr<CFMutableDictionaryRef> since that's what they are.
+        * platform/graphics/mac/SimpleFontDataCoreText.cpp:
+        (WebCore::Font::getCFStringAttributes const):
+        - Replace local `mutableAttributes` variable with
+          `attributesDictionary.get()` since it returns the correct type
+          now.
+
+        * platform/ios/wak/WAKView.mm:
+        (-[WAKView _initWithViewRef:]):
+        (_WAKCopyWrapper):
+        * platform/ios/wak/WKView.mm:
+        (_WKViewClearSuperview):
+        (WKViewFirstChild):
+        (WKViewNextSibling):
+        - Use static_cast<WKViewRef>(const_cast<void*>()) to convert
+          const void* variable to WKViewRef.
+
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::flipImageSpec):
+        (WebCore::setDragImageImpl):
+        - Use const_cast<> to remove 'const' modifier from
+          unsigned char pointers.  This regressed while -Wcast-qual was
+          disabled for WebCore.
+
+        * platform/mac/SSLKeyGeneratorMac.mm:
+        (WebCore::signedPublicKeyAndChallengeString):
+        - Use checked_cf_cast<SecACLRef>().
+
+        * platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.cpp:
+        (WebCore::RealtimeIncomingVideoSourceCocoa::OnFrame):
+        - Use checked_cf_cast<CFMutableDictionaryRef>().
+
+        * platform/network/cf/SocketStreamHandleImplCFNet.cpp:
+        (WebCore::copyCONNECTProxyResponse):
+        - Use checked_cf_cast<CFHTTPMessageRef>().
+
+        * platform/network/cocoa/ResourceResponseCocoa.mm:
+        (WebCore::ResourceResponse::platformCertificateInfo const):
+        - Use checked_cf_cast<SecTrustRef>().
+
+        * platform/network/mac/CertificateInfoMac.mm:
+        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate const):
+        (WebCore::CertificateInfo::dump const):
+        - Use checked_cf_cast<SecCertificateRef>().
+
+        * testing/cocoa/WebArchiveDumpSupport.mm:
+        (WebCoreTestSupport::createCFURLResponseFromResponseData):
+        - Use checked_cf_cast<>() for CFMutable* types.
+
+2018-01-05  John Wilander  <wilander@apple.com>
+
+        Storage Access API: Refactor to make naming accurate and explicit, simplify access table, and prepare for access removal for page
+        https://bugs.webkit.org/show_bug.cgi?id=181357
+        <rdar://problem/36331031>
+
+        Reviewed by Alex Christensen.
+
+        No new tests. The only changed functionality that isn't covered
+        by existing tests is cross-origin iframes in the same partition
+        should be handled as already having access. This cannot be
+        tested in layout tests since they don't support subdomains.
+
+        This change does the following:
+        - Changes function and message names to reflect how this feature
+          was eventually implemented, i.e. access per frame.
+        - Makes it explicit that the UI process is only involved in
+          granting storage access and not removing storage access.
+          The latter is done directly by the web process.
+        - Simplifies the network process' entry map since only needs to
+          be able to give access to one domain in one frame at a time.
+          Access goes away on frame navigation so there can only be one
+          domain at a time per frame. Also, the map now uses pageIDs as
+          main keys to prepare for efficient access removal for all
+          frames under a page.
+        - Fixes a bug in so that a cross-origin iframe with the same
+          partition as the top frame correctly is handled as already
+          having access.
+
+        * platform/network/NetworkStorageSession.h:
+        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
+        (WebCore::NetworkStorageSession::cookieStoragePartition const):
+            The only change here is the changed named of the call to
+            NetworkStorageSession::hasStorageAccessForFrame().
+        (WebCore::NetworkStorageSession::hasStorageAccessForFrame const):
+        (WebCore::NetworkStorageSession::grantStorageAccessForFrame):
+        (WebCore::NetworkStorageSession::removeStorageAccessForFrame):
+        (WebCore::NetworkStorageSession::isStorageAccessGranted const): Deleted.
+        (WebCore::NetworkStorageSession::setStorageAccessGranted): Deleted.
+        (WebCore::NetworkStorageSession::removeStorageAccess): Deleted.
+
+2018-01-05  Youenn Fablet  <youenn@apple.com>
+
+        Implement Cache API partitioning based on ClientOrigin
+        https://bugs.webkit.org/show_bug.cgi?id=181240
+
+        Reviewed by Alex Christensen.
+
+        Covered by updated tests.
+
+        Previously, cache storage was partitioned according the origin of the client, represented as a String.
+        We now partition according both client and top origins, represented as a ClientOrigin
+
+        Minor refactoring to use more makePendingActivity.
+        Added support for IPC serialization of ClientOrigin.
+        Added SecurityOriginData::toString which is used by WebKit2 Cache Storage implementation.
+
+        * Modules/cache/CacheStorageConnection.cpp:
+        (WebCore::CacheStorageConnection::open):
+        (WebCore::CacheStorageConnection::retrieveCaches):
+        * Modules/cache/CacheStorageConnection.h:
+        (WebCore::CacheStorageConnection::clearMemoryRepresentation):
+        (WebCore::CacheStorageConnection::doOpen):
+        (WebCore::CacheStorageConnection::doRetrieveCaches):
+        * Modules/cache/DOMCacheStorage.cpp:
+        (WebCore::DOMCacheStorage::origin const):
+        (WebCore::DOMCacheStorage::retrieveCaches):
+        (WebCore::DOMCacheStorage::open):
+        (WebCore::DOMCacheStorage::remove):
+        * Modules/cache/DOMCacheStorage.h:
+        * Modules/cache/WorkerCacheStorageConnection.cpp:
+        (WebCore::WorkerCacheStorageConnection::doOpen):
+        (WebCore::WorkerCacheStorageConnection::doRetrieveCaches):
+        * Modules/cache/WorkerCacheStorageConnection.h:
+        * page/ClientOrigin.h:
+        (WebCore::ClientOrigin::isolatedCopy const):
+        (WebCore::ClientOrigin::encode const):
+        (WebCore::ClientOrigin::decode):
+        * page/SecurityOriginData.cpp:
+        (WebCore::SecurityOriginData::toString const):
+        (WebCore::SecurityOriginData::debugString const): Deleted.
+        * page/SecurityOriginData.h:
+        (WebCore::SecurityOriginData::debugString const):
+        * testing/Internals.cpp:
+        (WebCore::Internals::clearCacheStorageMemoryRepresentation):
+
 2018-01-05  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [Attachment Support] Add a way to write blob data to a file URL from the UI process
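Review bot: The 2018-01-06 entry for bug 181368 argues that Element::absoluteEventHandlerBounds() may skip layout because the next layout will update the event regions again, but it does not say what callers of Document::absoluteRegionForEventTargets() receive in the meantime; please state that the returned regions may be computed from stale geometry while layout is dirty, and, since the test only checks that the LayoutDisallowedScope assertion does not fire and the LayoutDisallowedScope.h note implies the scope is compiled conditionally, also state what a release build does if another path inside that scope still requests layout. As a style point, the entries are out of reverse-chronological order: Antti Koivisto's 2018-01-06 entry (Use WeakPtr for RenderTreePosition::m_nextSibling) sits below Dean Jackson's 2018-01-05 entry (Accurately clip copyTexImage2D and copyTexSubImage2D); move it up beside the other 2018-01-06 entries.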