Branch: refs/heads/webkitglib/2.48
Home: https://github.com/WebKit/WebKit
Commit: a33e05f0d7ac3f364f3374e9cba6f6304c38c329
https://github.com/WebKit/WebKit/commit/a33e05f0d7ac3f364f3374e9cba6f6304c38c329
Author: Pablo Saavedra <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M Source/WebKit/WPEPlatform/wpe/WPESettings.cpp
M Source/WebKit/WPEPlatform/wpe/WPESettings.h
M Source/WebKit/WPEPlatform/wpe/drm/WPEDisplayDRM.h
Log Message:
-----------
Cherry-pick 292007@main (11fcf7e9b0b1).
https://bugs.webkit.org/show_bug.cgi?id=289530
[WPE] Fix missing default values in WPESettings
https://bugs.webkit.org/show_bug.cgi?id=289530
Reviewed by Carlos Garcia Campos.
These settings are defined in WPESettings.h but never initialized in
WPESettings.cpp. Added initialization for them in WPESettings.cpp
with the expected default values according with the documentation.
Also relocate DRM scale setting definition in WPESettings to
WPEDisplayDRM.
Related-To: https://commits.webkit.org/288922@main
* Source/WebKit/WPEPlatform/wpe/WPESettings.cpp:
(_WPESettingsPrivate::_WPESettingsPrivate):
* Source/WebKit/WPEPlatform/wpe/WPESettings.h:
* Source/WebKit/WPEPlatform/wpe/drm/WPEDisplayDRM.h:
Canonical link: https://commits.webkit.org/292007@main
Canonical link: https://commits.webkit.org/290945.52@webkitglib/2.48
Commit: e860abe98e96ff5e878e7d221d0107865159952a
https://github.com/WebKit/WebKit/commit/e860abe98e96ff5e878e7d221d0107865159952a
Author: Devin Rousso <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M
Source/WebInspectorUI/UserInterface/Models/HeapAllocationsTimelineRecord.js
M Source/WebInspectorUI/UserInterface/Models/ScriptTimelineRecord.js
M Source/WebInspectorUI/UserInterface/Models/TimelineRecording.js
M Source/WebInspectorUI/UserInterface/Proxies/HeapSnapshotWorkerProxy.js
M Source/WebInspectorUI/UserInterface/Views/HeapAllocationsTimelineView.js
Log Message:
-----------
Cherry-pick 291997@main (b2348a683116).
https://bugs.webkit.org/show_bug.cgi?id=289070
Web Inspector: REGRESSION(290430@main): Assertion Failed at
CallingContextTreeNode.js:76
https://bugs.webkit.org/show_bug.cgi?id=289070
Reviewed by BJ Burg.
* Source/WebInspectorUI/UserInterface/Models/ScriptTimelineRecord.js:
(WI.ScriptTimelineRecord.async fromJSON):
(WI.ScriptTimelineRecord.prototype.toJSON):
It's no longer allowed to not have a `target` after 290430@main.
*
Source/WebInspectorUI/UserInterface/Models/HeapAllocationsTimelineRecord.js:
(WI.HeapAllocationsTimelineRecord.async fromJSON):
(WI.HeapAllocationsTimelineRecord.prototype.toJSON):
* Source/WebInspectorUI/UserInterface/Models/TimelineRecording.js:
(WI.TimelineRecording.async import):
* Source/WebInspectorUI/UserInterface/Proxies/HeapSnapshotWorkerProxy.js:
(WI.HeapSnapshotWorkerProxy.prototype.createImportedSnapshot):
* Source/WebInspectorUI/UserInterface/Views/HeapAllocationsTimelineView.js:
(WI.HeapAllocationsTimelineView.prototype._importButtonNavigationItemClicked):
Drive-by: add extra FIXME comments for supporting `Worker` targets when
exporting/importing timeline recordings.
Canonical link: https://commits.webkit.org/291997@main
Canonical link: https://commits.webkit.org/290945.53@webkitglib/2.48
Commit: 0b23700c418a8fc77eafe23bd45dc4c4e32c5905
https://github.com/WebKit/WebKit/commit/0b23700c418a8fc77eafe23bd45dc4c4e32c5905
Author: Pratiksha Choudhury <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp
Log Message:
-----------
Cherry-pick 291974@main (1d9dbbef7133).
https://bugs.webkit.org/show_bug.cgi?id=288989
Nullptr crash in MediaRecorder::requestDataInternal()
https://bugs.webkit.org/show_bug.cgi?id=288989
rdar://144407606
Reviewed by Jean-Yves Avenard.
Added a nullptr check for buffer object. As per W3C spec, the blob can be
empty if no data is gathered.
We do not have reliable test script to repro this edge case race condition.
* Source/WebCore/Modules/mediarecorder/MediaRecorder.cpp:
(WebCore::MediaRecorder::requestDataInternal):
Canonical link: https://commits.webkit.org/291974@main
Canonical link: https://commits.webkit.org/290945.54@webkitglib/2.48
Commit: 0cb293db23f8dcde1ac064b999ed24e8008f607c
https://github.com/WebKit/WebKit/commit/0cb293db23f8dcde1ac064b999ed24e8008f607c
Author: Yusuke Suzuki <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
A JSTests/stress/regexp-cache-adjustment.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
M Source/JavaScriptCore/runtime/RegExpCachedResult.cpp
M Source/JavaScriptCore/runtime/RegExpCachedResult.h
M Source/JavaScriptCore/runtime/RegExpGlobalData.h
M Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h
M Source/JavaScriptCore/runtime/RegExpMatchesArray.h
M Source/JavaScriptCore/runtime/RegExpObjectInlines.h
M Source/JavaScriptCore/runtime/RegExpSubstringGlobalAtomCache.cpp
M Source/JavaScriptCore/runtime/RegExpSubstringGlobalAtomCache.h
M Source/JavaScriptCore/runtime/StringPrototype.cpp
Log Message:
-----------
Cherry-pick 291881@main (cc0a0f907148).
https://bugs.webkit.org/show_bug.cgi?id=289337
REGRESSION (285042@main-285687@main): `RegExp["$&"]` incorrectly returns an
empty string
https://bugs.webkit.org/show_bug.cgi?id=289337
rdar://146622507
Reviewed by Yijia Huang.
For Atom matching, we need to update RegExpCachedResult correctly to
update RegExp.rightContext / RegExp.lastMatch etc. This patch does it.
1. For normal RegExp matching, we just store the lastResult to update
the cache.
2. For Atom string matching, we use last matched string index, creating
MatchResult from that and update the cache with it.
3. For one character matching, we do not want to make this slower by
getting the last offset of matched character since these fields are
rarely accessed. Instead, we record oneCharacterMatch flag, and when
reifying the result, we scan the string from reverse order to find
the last matched one character.
* JSTests/stress/regexp-cache-adjustment.js: Added.
(shouldBe):
(clearCache):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpTestInline):
* Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* Source/JavaScriptCore/runtime/RegExpCachedResult.cpp:
(JSC::RegExpCachedResult::lastResult):
* Source/JavaScriptCore/runtime/RegExpCachedResult.h:
(JSC::RegExpCachedResult::offsetOfOneCharacterMatch):
* Source/JavaScriptCore/runtime/RegExpGlobalData.h:
* Source/JavaScriptCore/runtime/RegExpGlobalDataInlines.h:
(JSC::RegExpCachedResult::record):
(JSC::RegExpGlobalData::performMatch):
(JSC::RegExpGlobalData::recordMatch):
(JSC::RegExpGlobalData::resetResultFromCache):
* Source/JavaScriptCore/runtime/RegExpMatchesArray.h:
* Source/JavaScriptCore/runtime/RegExpObjectInlines.h:
(JSC::RegExpObject::execInline):
(JSC::genericMatches):
(JSC::collectGlobalAtomMatches):
* Source/JavaScriptCore/runtime/RegExpSubstringGlobalAtomCache.cpp:
(JSC::RegExpSubstringGlobalAtomCache::collectMatches):
* Source/JavaScriptCore/runtime/RegExpSubstringGlobalAtomCache.h:
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::removeUsingRegExpSearch):
Canonical link: https://commits.webkit.org/291881@main
Canonical link: https://commits.webkit.org/290945.55@webkitglib/2.48
Commit: c3c81d719d6f525a4f1d69b325ae2efbfed94de2
https://github.com/WebKit/WebKit/commit/c3c81d719d6f525a4f1d69b325ae2efbfed94de2
Author: Yusuke Suzuki <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
A JSTests/stress/large-regexp-stack-use.js
M JSTests/stress/regexp-huge-oom.js
M Source/JavaScriptCore/runtime/OptionsList.h
Log Message:
-----------
Cherry-pick 291877@main (75a5cc813c16).
https://bugs.webkit.org/show_bug.cgi?id=289330
REGRESSION (288911@main-290821@main): RegExp for large input (800KB)
incorrectly returns null
https://bugs.webkit.org/show_bug.cgi?id=289330
rdar://146497732
Reviewed by Sosuke Suzuki.
We increase maxRegExpStackSize from 16 MB to 128 MB. This number is
picked because,
1. V8 IRRegExp's max RegExp stack size is 64 MB.
2. Our stack usage is a bit larger than V8.
So, we picked the next power-of-two size, 128 MB. This is still good
compared to unbound size of stack increase.
* JSTests/stress/large-regexp-stack-use.js: Added.
(shouldBe):
* Source/JavaScriptCore/runtime/OptionsList.h:
Canonical link: https://commits.webkit.org/291877@main
Canonical link: https://commits.webkit.org/290945.56@webkitglib/2.48
Commit: 30d9e84a9d5fe9c162e42c20923a9909c49aebda
https://github.com/WebKit/WebKit/commit/30d9e84a9d5fe9c162e42c20923a9909c49aebda
Author: Yusuke Suzuki <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp
Log Message:
-----------
Cherry-pick 291720@main (3a3f835a76f0).
https://bugs.webkit.org/show_bug.cgi?id=289268
[JSC] m_expressionInfo may be not set yet
https://bugs.webkit.org/show_bug.cgi?id=289268
rdar://146399098
Reviewed by Yijia Huang.
Since this field is set after object allocation is done, there is a
chance that concurrent GC markers find this object before setting a
value to m_expressionInfo field and accessing it. So, it can be a
nullptr, thus we should check nullptr check before using it from
concurrent GC markers.
* Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildrenImpl):
Canonical link: https://commits.webkit.org/291720@main
Canonical link: https://commits.webkit.org/290945.57@webkitglib/2.48
Commit: 570fdd524089d2f8c1b54c2b83c61dd6609cb9c1
https://github.com/WebKit/WebKit/commit/570fdd524089d2f8c1b54c2b83c61dd6609cb9c1
Author: Yusuke Suzuki <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M Source/WebCore/dom/MessageEvent.cpp
Log Message:
-----------
Cherry-pick 291689@main (151ef788a55c).
https://bugs.webkit.org/show_bug.cgi?id=289218
REGRESSION: ASSERTION FAILED: !m_needExceptionCheck: ./runtime/VM.cpp(1450)
: void JSC::VM::verifyExceptionCheckNeedIsSatisfied(unsigned int,
ExceptionEventLocation &)
https://bugs.webkit.org/show_bug.cgi?id=289218
rdar://146364641
Reviewed by Ryosuke Niwa.
MessageEvent is broken, which does not handle SerializedScriptValue
properly.
* Source/WebCore/dom/MessageEvent.cpp:
(WebCore::MessageEvent::create):
Canonical link: https://commits.webkit.org/291689@main
Canonical link: https://commits.webkit.org/290945.58@webkitglib/2.48
Commit: e0b6243a1ecee0a9d9437e949724746470f8c805
https://github.com/WebKit/WebKit/commit/e0b6243a1ecee0a9d9437e949724746470f8c805
Author: Abrar Rahman Protyasha <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
Cherry-pick 291655@main (6fdcc035f663).
https://bugs.webkit.org/show_bug.cgi?id=289182
Web content processes sometimes crashes under Page::viewportArguments()
calls from FrameLoader::commitProvisionalLoad()
https://bugs.webkit.org/show_bug.cgi?id=289182
rdar://145386222
Reviewed by Wenson Hsieh.
Sometimes the WP crashes under WebCore::Page::viewportArguments() with a
backtrace like this:
```
WTF::RawPtrTraits<WebCore::Frame>::unwrap(WebCore::Frame* const&) (WebCore)
WTF::Ref<WebCore::Frame, WTF::RawPtrTraits<WebCore::Frame>,
WTF::DefaultRefDerefTraits<WebCore::Frame>>::get() const (WebCore)
WTF::Ref<WebCore::Frame, WTF::RawPtrTraits<WebCore::Frame>,
WTF::DefaultRefDerefTraits<WebCore::Frame>>::Ref(WTF::Ref<WebCore::Frame,
WTF::RawPtrTraits<WebCore::Frame>, WTF::DefaultRefDerefTraits<WebCore::Frame>>
const&) (WebCore)
WTF::Ref<WebCore::Frame, WTF::RawPtrTraits<WebCore::Frame>,
WTF::DefaultRefDerefTraits<WebCore::Frame>>::Ref(WTF::Ref<WebCore::Frame,
WTF::RawPtrTraits<WebCore::Frame>, WTF::DefaultRefDerefTraits<WebCore::Frame>>
const&) (WebCore)
WebCore::Page::protectedMainFrame() const (WebCore)
WebCore::Page::viewportArguments() const (WebCore)
WebCore::FrameLoader::commitProvisionalLoad() (WebCore)
```
While the root cause is yet to be determined, we can make the process
less crashy by null checking frame->page() before querying for viewport
arguments in FrameLoader::commitProvisionalLoad.
Note that this is better than null checking m_mainFrame on the Page
object, because Page holds a strong reference to m_mainFrame, and so if
we're crashing while dereferencing that object, it indicates all of Page
is null.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad):
Canonical link: https://commits.webkit.org/291655@main
Canonical link: https://commits.webkit.org/290945.59@webkitglib/2.48
Compare: https://github.com/WebKit/WebKit/compare/03405f516f5b...e0b6243a1ece
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
