This is a first pass at implementing CRC2D.createPattern() and the
associated CanvasPattern object. This implementation only works for a
few of the required image sources [like CRC2D.drawImage()], and does
not yet support transforms. Other than that it supports everything
else (which is mainly the various repeat modes).
The shadowRoot property getter that will be added in subsequent commits
has an additional check that checks whether the shadow root is opened.
I didn't update the function logic to match with the IDL interface,
because it's very likely we don't want that check in the existing code,
so that for example closed shadow root elements can still be updated.
ARIA has its own spec and is not part of the DOM spec, which is what the
Web::DOM namespace is for (https://www.w3.org/TR/wai-aria-1.2/).
This allows us to stay closer to the spec with function names and don't
have to add the word "ARIA" to identifiers constantly - the namespace
now provides that clarity.
Note that as of this commit, there aren't any such throwers, and the
call site in Heap::allocate will drop exceptions on the floor. This
commit only serves to change the declaration of the overrides, make sure
they return an empty value, and to propagate OOM errors frm their base
initialize invocations.
This replaces the FlyStrings for ARIA roles that were constructed in
a [[gnu::constructor]] with a single enum. I came across this as the
DOM inspector was crashing due to a null FlyString for an ARIA role.
After fixing that, I was confused as to why these roles were not an
enum. Looking at the spec there's a fixed list of roles and switching
from references to static strings to an enum was pretty much an
exercise in find and replace :).
No functional changes (outside of fixing the mentioned crash).
Having an alias function that only wraps another one is silly, and
keeping the more obvious name should flush out more uses of deprecated
strings.
No behavior change.
This gets:
- CanvasRenderingContext2D.createLinearGradient()
- CanvasRenderingContext2D.createConicGradient()
- CanvasRenderingContext2D.createRadialGradient()
Actually working as fill styles for paths and rectangles :^)
Getting them working for strokes is left as an exercise is
left as an exercise for the reader.
This includes:
- Moving it from Bindings/ to HTML/
- Renaming it from LocationObject to Location
- Removing the manual definitions of the constructor and prototype
- Removing special handling of the Location interface from the bindings
generator
- Converting the JS_DEFINE_NATIVE_FUNCTIONs to regular functions
returning DeprecatedString instead of PrimitiveString
- Adding missing (no-op) setters for the various attributes, which are
expected to exist by the bindings generator
Instead of sifting through the layout tree to extract the selected text,
look at the DOM selection instead.
Note that we can't just stringify the DOM Range, as that would include
non-visible things (like the content of <style> elements, etc.) so we
run it through an ad-hoc variant of the range stringification algorithm.
This can probably be factored better, but it's a start. :^)
This needs to happen before prototype/constructor intitialization can be
made lazy. Otherwise, GC could run during the C++ constructor and try to
collect the object currently being created.
DeprecatedFlyString relies heavily on DeprecatedString's StringImpl, so
let's rename it to A) match the name of DeprecatedString, B) write a new
FlyString class that is tied to String.
Move the macro to LibJS and change it to return a throw completion
instead of a WebIDL exception. This will let us use this macro within
LibJS to handle OOM conditions.
These instances were detected by searching for files that include
stdlib.h, but don't match the regex:
\\b(_abort|abort|abs|aligned_alloc|arc4random|arc4random_buf|arc4random_
uniform|atexit|atof|atoi|atol|atoll|bsearch|calloc|clearenv|div|div_t|ex
it|_Exit|EXIT_FAILURE|EXIT_SUCCESS|free|getenv|getprogname|grantpt|labs|
ldiv|ldiv_t|llabs|lldiv|lldiv_t|malloc|malloc_good_size|malloc_size|mble
n|mbstowcs|mbtowc|mkdtemp|mkstemp|mkstemps|mktemp|posix_memalign|posix_o
penpt|ptsname|ptsname_r|putenv|qsort|qsort_r|rand|RAND_MAX|random|reallo
c|realpath|secure_getenv|serenity_dump_malloc_stats|serenity_setenv|sete
nv|setprogname|srand|srandom|strtod|strtof|strtol|strtold|strtoll|strtou
l|strtoull|system|unlockpt|unsetenv|wcstombs|wctomb)\\b
(Without the linebreaks.)
This regex is pessimistic, so there might be more files that don't
actually use anything from the stdlib.
In theory, one might use LibCPP to detect things like this
automatically, but let's do this one step after another.
Required by Twitter to move the input caret of the 2FA <input> element
to the start. However, we don't currently handle individual <input>
element selections.
This is fixed by making the "about to be notified rejected promises
list" use JS::Handle instead of JS::NonnullGCPtr. This UAF happens
because notify_about_rejected_promises makes a local copy of this list,
empties the member variable list and then moves the local copy into a
JS::SafeFunction lambda. JS::SafeFunction can only see GC pointers that
are in its storage, not external storage.
Example exploit (requires fixed microtask timing by removing the dummy
execution context):
```html
<script>
Promise.reject(new Error);
// Exit the script block, causing a microtask checkpoint and thus
// queuing of a task to fire the unhandled rejection event for the
// above promise.
// During the time after being queued but before being ran, these
// promises are not kept alive. This is because JS::SafeFunction cannot
// see into a Vector, meaning it can't visit the stored NonnullGCPtrs.
</script>
<script defer>
// Cause a garbage collection, destroying the above promise.
const b = [];
for (var i = 0; i < 200000; i++)
b.push({});
// Some time after this script block, the queued unhandled rejection
// event task will fire, with the event object containing the dead
// promise.
window.onunhandledrejection = (event) => {
let value = event.promise;
console.log(value);
}
</script>
```
