Branch: refs/heads/webkitglib/2.48
Home: https://github.com/WebKit/WebKit
Commit: 2a29384d19944ad99475962c8eb1af51e6bb1f1d
https://github.com/WebKit/WebKit/commit/2a29384d19944ad99475962c8eb1af51e6bb1f1d
Author: Russell Epstein <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
Log Message:
-----------
Cherry-pick 289651.11@safari-7621-branch (f9ec4c5d77ee).
https://bugs.webkit.org/show_bug.cgi?id=288936
Disable FilterLinkDecorationByDefaultEnabled feature flag
rdar://143989240
Reviewed by Brent Fulgham.
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml: Disable
FilterLinkDecorationByDefaultEnabled. Change status to 'testable'.
Canonical link: https://commits.webkit.org/289651.11@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.106@webkitglib/2.48
Commit: 1c0ce1abae341ff34caf61c967d5da3555394aec
https://github.com/WebKit/WebKit/commit/1c0ce1abae341ff34caf61c967d5da3555394aec
Author: Chris Dumez <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WTF/wtf/UUID.h
M Source/WebKit/Shared/WTFArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 283286.608@safari-7620-branch (c860007e04ea).
https://bugs.webkit.org/show_bug.cgi?id=285690
WTF::UUID IPC deserialization doesn't check against emptyValue
https://bugs.webkit.org/show_bug.cgi?id=285690
rdar://141754711
Reviewed by Brent Fulgham.
During IPC deserialization, we now check that the serialized
UUID is not the empty value. It used to check only for the deleted
value.
* Source/WTF/wtf/UUID.h:
(WTF::UUID::isValid):
* Source/WebKit/Shared/WTFArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/283286.608@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.12@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.107@webkitglib/2.48
Commit: ddb817fb313990093fb75c72777f469d368c0631
https://github.com/WebKit/WebKit/commit/ddb817fb313990093fb75c72777f469d368c0631
Author: Youenn Fablet <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M
Source/ThirdParty/libwebrtc/Source/third_party/boringssl/src/crypto/bio/printf.c
Log Message:
-----------
Cherry-pick 283286.609@safari-7620-branch (d55b7f471238).
https://bugs.webkit.org/show_bug.cgi?id=285690
Potential 'overflow' issue commited to upstream libwebrtc
rdar://141802173
Reviewed by Jean-Yves Avenard.
Cherrry-picking of
https://boringssl.googlesource.com/boringssl/+/168777fbc49296eeb54b5da8fc7dfcae1a4d3e27.
*
Source/ThirdParty/libwebrtc/Source/third_party/boringssl/src/crypto/bio/printf.c:
(BIO_printf):
Canonical link: https://commits.webkit.org/283286.609@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.13@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.108@webkitglib/2.48
Commit: dd9c8b03e3d22daeba20b7a4339d5c8dc7a4b49c
https://github.com/WebKit/WebKit/commit/dd9c8b03e3d22daeba20b7a4339d5c8dc7a4b49c
Author: Chris Dumez <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A
LayoutTests/storage/indexeddb/cursor-continue-add-error-private-expected.txt
A LayoutTests/storage/indexeddb/cursor-continue-add-error-private.html
M Source/WebCore/Modules/indexeddb/server/IndexValueStore.cpp
Log Message:
-----------
Cherry-pick 283286.610@safari-7620-branch (02c5baaa939c).
https://bugs.webkit.org/show_bug.cgi?id=285703
IndexValueStore::removeRecord should only remove the IndexValueEntry when
it's empty
https://bugs.webkit.org/show_bug.cgi?id=285703
rdar://142446346
Reviewed by Sihui Liu.
The previous implementation was removing the entire `IndexValueEntry`
object (iterator->value)
when successfully removing the specified key. However, when the index has
been set up to allow
duplicate values, it may have multiple keys. So in that case, after
removing a key from the
entry, its count may still not be zero, namely,
`iterator->value->getCount() > 0`. Consequently,
an incorrect entry could be removed prematurely without notifying the
cursors referencing it,
which then can lead to use-after-free.
*
LayoutTests/storage/indexeddb/cursor-continue-add-error-private-expected.txt:
Added.
* LayoutTests/storage/indexeddb/cursor-continue-add-error-private.html:
Added.
* Source/WebCore/Modules/indexeddb/server/IndexValueStore.cpp:
(WebCore::IDBServer::IndexValueStore::removeRecord):
Canonical link: https://commits.webkit.org/283286.610@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.14@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.109@webkitglib/2.48
Commit: f7dbf5456e9fb260dfcb8ad336951b90079a6cda
https://github.com/WebKit/WebKit/commit/f7dbf5456e9fb260dfcb8ad336951b90079a6cda
Author: Chris Dumez <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Tools/WebKitTestRunner/TestInvocation.cpp
Log Message:
-----------
Cherry-pick 283286.611@safari-7620-branch (bad30b75d429).
https://bugs.webkit.org/show_bug.cgi?id=285869
Guard against overflows in TestInvocation::dumpResults()
https://bugs.webkit.org/show_bug.cgi?id=285869
rdar://142781265
Reviewed by Ryosuke Niwa.
A badly behaving WebProcess could spam the UIProcess with test output
until the StringBuilder overflows, causing the UIProcess to crash.
Instead, we now record the overflow and simply dump in the test output
that the text overflowed.
* Tools/WebKitTestRunner/TestInvocation.cpp:
(WTR::TestInvocation::TestInvocation):
(WTR::TestInvocation::dumpResults):
Canonical link: https://commits.webkit.org/283286.611@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.15@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.110@webkitglib/2.48
Commit: 069ef50ba55f541439e775d9572be9a62b221782
https://github.com/WebKit/WebKit/commit/069ef50ba55f541439e775d9572be9a62b221782
Author: Yusuke Suzuki <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/js/dom/resizable-array-buffer-do-not-crash-expected.txt
A LayoutTests/js/dom/resizable-array-buffer-do-not-crash.html
A LayoutTests/js/dom/script-tests/resizable-array-buffer-do-not-crash.js
M Source/JavaScriptCore/runtime/ArrayBufferView.h
Log Message:
-----------
Cherry-pick 283286.614@safari-7620-branch (604d4327862d).
https://bugs.webkit.org/show_bug.cgi?id=285876
[JSC] Fix incorrect OOB condition for resizable ArrayBuffer in C++ wrapper
code
https://bugs.webkit.org/show_bug.cgi?id=285876
rdar://141269480
Reviewed by Yijia Huang and Keith Miller.
OOB checking condition is not correct for resizable ArrayBuffer when it
is used with C++ wrapper code. This patch fixes it.
* LayoutTests/js/dom/resizable-array-buffer-do-not-crash-expected.txt:
Added.
* LayoutTests/js/dom/resizable-array-buffer-do-not-crash.html: Added.
* LayoutTests/js/dom/script-tests/resizable-array-buffer-do-not-crash.js:
Added.
(main):
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::byteOffset const):
(JSC::ArrayBufferView::byteLength const):
Canonical link: https://commits.webkit.org/283286.614@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.18@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.111@webkitglib/2.48
Commit: ffbfaf57ada9bdc5ba095b7b1705809f073077e1
https://github.com/WebKit/WebKit/commit/ffbfaf57ada9bdc5ba095b7b1705809f073077e1
Author: Yusuke Suzuki <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/stress/eval-call-should-update-top-frame.js
M Source/JavaScriptCore/jit/JITOperations.cpp
Log Message:
-----------
Cherry-pick 283286.615@safari-7620-branch (2d42b44d8073).
https://bugs.webkit.org/show_bug.cgi?id=285892
[JSC] Eval call operations should update VM::topCallFrame
https://bugs.webkit.org/show_bug.cgi?id=285892
rdar://140795825
Reviewed by Yijia Huang.
Eval operations should update VM::topCallFrame to prepare for throwing
an error for OOM of input string resolution.
* JSTests/stress/eval-call-should-update-top-frame.js: Added.
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
Canonical link: https://commits.webkit.org/283286.615@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.19@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.112@webkitglib/2.48
Commit: 4cd747e37de12fab914d4152c9a4b705fafc28c1
https://github.com/WebKit/WebKit/commit/4cd747e37de12fab914d4152c9a4b705fafc28c1
Author: Sihui Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/storage/indexeddb/delete-indexes-with-same-name-expected.txt
A
LayoutTests/storage/indexeddb/delete-indexes-with-same-name-private-expected.txt
A LayoutTests/storage/indexeddb/delete-indexes-with-same-name-private.html
A LayoutTests/storage/indexeddb/delete-indexes-with-same-name.html
A LayoutTests/storage/indexeddb/resources/delete-indexes-with-same-name.js
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.h
Log Message:
-----------
Cherry-pick 283286.616@safari-7620-branch (7ffc1f92efb2).
https://bugs.webkit.org/show_bug.cgi?id=285892
MemoryBackingStoreTransaction::m_deletedIndexes should not track indexes by
name
rdar://141931985
Reviewed by Chris Dumez.
According to spec
(https://www.w3.org/TR/IndexedDB/#dom-idbobjectstore-createindex), index name
is unique in its object
store. A transaction can operate on multiple object stores, so index name
is not unique in transaction, and transaction
should not track indexes by name. To fix this, make
MemoryBackingStoreTransaction::m_deletedIndexes a set instead of
a map.
Tests: storage/indexeddb/delete-indexes-with-same-name.html
storage/indexeddb/delete-indexes-with-same-name-private.html
* LayoutTests/storage/indexeddb/delete-indexes-with-same-name-expected.txt:
Added.
*
LayoutTests/storage/indexeddb/delete-indexes-with-same-name-private-expected.txt:
Added.
* LayoutTests/storage/indexeddb/delete-indexes-with-same-name-private.html:
Added.
* LayoutTests/storage/indexeddb/delete-indexes-with-same-name.html: Added.
* LayoutTests/storage/indexeddb/resources/delete-indexes-with-same-name.js:
Added.
(prepareDatabase):
(upgradeDatabase):
(deleteIndexes):
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp:
(WebCore::IDBServer::MemoryBackingStoreTransaction::indexDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
(WebCore::IDBServer::MemoryBackingStoreTransaction::abort):
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.h:
Canonical link: https://commits.webkit.org/283286.616@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.20@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.113@webkitglib/2.48
Commit: 1dcd84eda7d67665cedf0aed69f85b26fb738e9e
https://github.com/WebKit/WebKit/commit/1dcd84eda7d67665cedf0aed69f85b26fb738e9e
Author: Keith Miller <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/stress/static-private-fields-dont-need-property-conditions.js
M Source/JavaScriptCore/bytecode/Repatch.cpp
Log Message:
-----------
Cherry-pick 283286.618@safari-7620-branch (222ba8af1970).
https://bugs.webkit.org/show_bug.cgi?id=285643
[JSC] Puts to private fields shouldn't generate property conditions
https://bugs.webkit.org/show_bug.cgi?id=285643
rdar://142585218
Reviewed by Yusuke Suzuki.
Private fields shouldn't generate property conditions this is because:
1) Private fields are always own properties so we should never walk the
prototype chain.
2) Private names are constants in the function rather than part of the code
block or IC.
We could solve (2) by having the CodeBlock's ICs reference the private name
but that's not useful
anyway because we don't need to walk the prototype chain.
* JSTests/stress/static-private-fields-dont-need-property-conditions.js:
Added.
(f0):
(catch):
(const.v12.of.v3.):
(const.v12.of.v3):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheGetBy):
(JSC::tryCachePutBy):
(JSC::tryCacheInBy):
Canonical link: https://commits.webkit.org/283286.618@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.22@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.114@webkitglib/2.48
Commit: 9797dbdb12b56e19444a274f07788dfd531d1c2d
https://github.com/WebKit/WebKit/commit/9797dbdb12b56e19444a274f07788dfd531d1c2d
Author: Sihui Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.h
M Source/WebCore/Modules/indexeddb/server/MemoryCursor.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryCursor.h
M Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.h
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.h
M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.h
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStoreCursor.cpp
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStoreCursor.h
Log Message:
-----------
Cherry-pick 283286.620@safari-7620-branch (6a243437ed2c).
https://bugs.webkit.org/show_bug.cgi?id=285643
Cursors should be closed when its transaction finishes
rdar://141673897
Reviewed by Chris Dumez.
According to spec, cursor's lifetime should be tied to its transaction, not
its source (object store or index). This
means when transaction ends, cursor should also be closed. To implement
this, now we make MemoryCursor keep track of
the transaction it is created in, and ensures its owner (MemoryObjectStore
and MemoryIndex) releases it when
corresponding transaction finishes.
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp:
(WebCore::IDBServer::MemoryBackingStoreTransaction::create):
(WebCore::IDBServer::MemoryBackingStoreTransaction::finish):
* Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.h:
* Source/WebCore/Modules/indexeddb/server/MemoryCursor.cpp:
(WebCore::IDBServer::MemoryCursor::MemoryCursor):
* Source/WebCore/Modules/indexeddb/server/MemoryCursor.h:
(WebCore::IDBServer::MemoryCursor::transaction const):
* Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp:
(WebCore::IDBServer::MemoryIDBBackingStore::openCursor):
(WebCore::IDBServer::MemoryIDBBackingStore::objectStoreForName const):
* Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.h:
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp:
(WebCore::IDBServer::MemoryIndex::maybeOpenCursor):
(WebCore::IDBServer::MemoryIndex::transactionFinished):
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.h:
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.cpp:
(WebCore::IDBServer::MemoryIndexCursor::MemoryIndexCursor):
* Source/WebCore/Modules/indexeddb/server/MemoryIndexCursor.h:
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp:
(WebCore::IDBServer::MemoryObjectStore::transactionFinished):
(WebCore::IDBServer::MemoryObjectStore::maybeOpenCursor):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.h:
(WebCore::IDBServer::MemoryObjectStore::writeTransaction):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStoreCursor.cpp:
(WebCore::IDBServer::MemoryObjectStoreCursor::MemoryObjectStoreCursor):
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStoreCursor.h:
Canonical link: https://commits.webkit.org/283286.620@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.25@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.115@webkitglib/2.48
Commit: 0ef4da86194d95b865405d4f2d14128e09f7a218
https://github.com/WebKit/WebKit/commit/0ef4da86194d95b865405d4f2d14128e09f7a218
Author: Sihui Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp
Log Message:
-----------
Cherry-pick 283286.619@safari-7620-branch (0797bced96ba).
https://bugs.webkit.org/show_bug.cgi?id=285643
Do not create index if index with the same identifier exists
rdar://142446444
Reviewed by Chris Dumez.
MemoryObjectStore::createIndex currently creates index and updates
m_indexesByIdentifier without checking whether
identifier already exists. This could lead to original index gets destroyed
without proper cleanup (some object may
still refer to that index).
* Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp:
(WebCore::IDBServer::MemoryObjectStore::createIndex):
Canonical link: https://commits.webkit.org/283286.619@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.26@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.116@webkitglib/2.48
Commit: 3cbb7430f342e65daa7e8d0bbdb8c31267bc1270
https://github.com/WebKit/WebKit/commit/3cbb7430f342e65daa7e8d0bbdb8c31267bc1270
Author: Keith Miller <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Log Message:
-----------
Cherry-pick 283286.621@safari-7620-branch (cf19ad9af78c).
https://bugs.webkit.org/show_bug.cgi?id=286145
GetById constant folding should use the results of AI
https://bugs.webkit.org/show_bug.cgi?id=286145
rdar://141582168
Reviewed by Yusuke Suzuki and Yijia Huang.
Right now ConstantFolding tries to recompute the same information that AI
does.
However since compilation is concurrent this information could be outdated
on the
mutator. This can cause problems, instead ConstantFolding should just trust
AI.
This isn't really the right long term fix for this. Instead ConstantFolding
should just be part of AI (conditionally enabled) but we should fix that in
a
follow up patch.
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
Canonical link: https://commits.webkit.org/283286.621@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.27@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.117@webkitglib/2.48
Commit: 227bfbcaa5fa617c20d06d8debc3ae8ff3e4de13
https://github.com/WebKit/WebKit/commit/227bfbcaa5fa617c20d06d8debc3ae8ff3e4de13
Author: Yusuke Suzuki <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/stress/enumerator-put-by-val-should-respect-readonly.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/jit/JITPropertyAccess.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
M Source/JavaScriptCore/runtime/CommonSlowPathsInlines.h
Log Message:
-----------
Cherry-pick 283286.623@safari-7620-branch (0e91bfa1a4ef).
https://bugs.webkit.org/show_bug.cgi?id=286325
[JSC] enumerator_put_by_val should respect ReadOnly
https://bugs.webkit.org/show_bug.cgi?id=286325
rdar://143136742
Reviewed by Keith Miller.
For EnumeratorPutByVal, we should check
hasReadOnlyOrGetterSetterPropertiesExcludingProto bit too
since enumerated names may have ReadOnly properties.
* JSTests/stress/enumerator-put-by-val-should-respect-readonly.js: Added.
(shouldBe):
(shouldThrow):
(strict):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorPutByVal):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_enumerator_put_by_val):
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/CommonSlowPathsInlines.h:
(JSC::CommonSlowPaths::opEnumeratorPutByVal):
Canonical link: https://commits.webkit.org/283286.623@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.28@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.118@webkitglib/2.48
Commit: fdac3c039682995ad5ce8fa46187e3d1378b3760
https://github.com/WebKit/WebKit/commit/fdac3c039682995ad5ce8fa46187e3d1378b3760
Author: Daniel Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M JSTests/stress/regexp-duplicate-named-captures.js
M Source/JavaScriptCore/yarr/YarrPattern.cpp
Log Message:
-----------
Cherry-pick 283286.624@safari-7620-branch (f17564aaeeb2).
https://bugs.webkit.org/show_bug.cgi?id=286315
Removing zero-count repeats of a forward reference should remove the
associated m_forwardReferencesInLookbehind entry
https://bugs.webkit.org/show_bug.cgi?id=286315
rdar://143118888
Reviewed by Yusuke Suzuki.
Currently, Yarr tries to convert forward references to backreferences if
possible. If
a forward reference is elided because it is quantified with a zero repeat
count, it can
be removed. However, we do not remove bookkeeping data for backreference
conversion,
meaning that we hold a stale index in this data.
* JSTests/stress/regexp-duplicate-named-captures.js:
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::quantifyAtom):
Canonical link: https://commits.webkit.org/283286.624@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.29@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.119@webkitglib/2.48
Commit: 4b0795ccbf6c378f2e1445456eddacf147c1b0c0
https://github.com/WebKit/WebKit/commit/4b0795ccbf6c378f2e1445456eddacf147c1b0c0
Author: Said Abou-Hallawa <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A
LayoutTests/fast/canvas/getCSSCanvasContext-create-and-request-expected.txt
A LayoutTests/fast/canvas/getCSSCanvasContext-create-and-request.html
M Source/WebCore/html/HTMLCanvasElement.cpp
Log Message:
-----------
Cherry-pick 283286.625@safari-7620-branch (ea954231fc42).
https://bugs.webkit.org/show_bug.cgi?id=286105
getCSSCanvasContext() unconditionally casts the context to
ImageBitmapRenderingContext
https://bugs.webkit.org/show_bug.cgi?id=286105
rdar://142779827
Reviewed by Dan Glastonbury.
Like what we do in similar functions, getContextBitmapRenderer() should
return
nullptr if the type of m_context is not `bitmaprenderer`. It should check
m_context.isBitmapRenderer() before casting m_context to
ImageBitmapRenderingContext
Alternatively we can use dynamicDowncast<ImageBitmapRenderingContext>
instead.
*
LayoutTests/fast/canvas/getCSSCanvasContext-create-and-request-expected.txt:
Added.
* LayoutTests/fast/canvas/getCSSCanvasContext-create-and-request.html:
Added.
* Source/WebCore/html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::getContext2d):
(WebCore::HTMLCanvasElement::getContextWebGL):
(WebCore::HTMLCanvasElement::getContextBitmapRenderer):
(WebCore::HTMLCanvasElement::getContextWebGPU):
Canonical link: https://commits.webkit.org/283286.625@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.30@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.120@webkitglib/2.48
Commit: 2287a718a19aeaaaa638d6c8b6f4e6776f3dcf00
https://github.com/WebKit/WebKit/commit/2287a718a19aeaaaa638d6c8b6f4e6776f3dcf00
Author: Pascoe <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/OpenAndCloseWindow.mm
Log Message:
-----------
Cherry-pick 283286.627@safari-7620-branch (c08948bfe20e).
https://bugs.webkit.org/show_bug.cgi?id=286381
Some clients decide to unconditionally load window.open requests in the
main frame
https://bugs.webkit.org/show_bug.cgi?id=286381
rdar://142278116
Reviewed by Alex Christensen and Charlie Wolfe.
Some clients of WKWebView decide to uncoditionally load the request from
window.open and
return nil during their createWebViewWithConfiguration UI delegate call.
This is okay in
most situations if you want to replace what is in the main frame, but is an
issue whenever
the url passed to window.open is a javascript url. In this case, any
i-frame can use this
to run script as the main frame.
To fix this, we ignore javascript scheme load requests that are made during
the short time
we are calling the createNewPage UI delegate. The normal flow is to make a
request after this
delegate has completed and it's unusual for apps to make one while they are
processing this delegate,
so I think this won't break any apps.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::loadRequest):
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/WebPageProxy.h:
Canonical link: https://commits.webkit.org/283286.627@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.31@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.121@webkitglib/2.48
Commit: 5fb8357c878a6d97dcc84e4f82a60bccdceb191b
https://github.com/WebKit/WebKit/commit/5fb8357c878a6d97dcc84e4f82a60bccdceb191b
Author: Antti Koivisto <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/fast/selectors/has-nesting-crash-expected.txt
A LayoutTests/fast/selectors/has-nesting-crash.html
M Source/WebCore/css/CSSSelector.h
M Source/WebCore/css/CSSStyleSheet.cpp
M Source/WebCore/css/SelectorChecker.cpp
M Source/WebCore/css/StyleSheetContents.h
M Source/WebCore/style/RuleSetBuilder.cpp
M Source/WebCore/style/RuleSetBuilder.h
Log Message:
-----------
Cherry-pick 283286.628@safari-7620-branch (0cd63a733258).
https://bugs.webkit.org/show_bug.cgi?id=284055
REGRESSION: Crashes in SelectorChecker::checkOne
https://bugs.webkit.org/show_bug.cgi?id=284055
rdar://140936598
Reviewed by Ryosuke Niwa.
Track whether we have resolved nested selectors and avoid doing it again if
we have.
Reset the bit if the stylesheet is mutated.
This avoids a situtation where selectors in shared adopted stylesheets get
mutated multiple times via nesting
resolution leading to use of a deleted selector (such stylesheets are
otherwise immutable).
* LayoutTests/fast/selectors/has-nesting-crash-expected.txt: Added.
* LayoutTests/fast/selectors/has-nesting-crash.html: Added.
* Source/WebCore/css/CSSSelector.h:
(WebCore::CSSSelector::destructorHasBeenCalled const):
* Source/WebCore/css/CSSStyleSheet.cpp:
(WebCore::CSSStyleSheet::didMutateRules):
* Source/WebCore/css/SelectorChecker.cpp:
(WebCore::SelectorChecker::match const):
* Source/WebCore/css/StyleSheetContents.h:
* Source/WebCore/style/RuleSetBuilder.cpp:
(WebCore::Style::m_builderShouldResolveNesting):
(WebCore::Style::RuleSetBuilder::addChildRule):
(WebCore::Style::RuleSetBuilder::addRulesFromSheetContents):
(WebCore::Style::RuleSetBuilder::addStyleRule):
(WebCore::Style::m_shouldResolveNesting): Deleted.
* Source/WebCore/style/RuleSetBuilder.h:
Canonical link: https://commits.webkit.org/283286.628@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.32@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.122@webkitglib/2.48
Commit: ce7f2eb3ff36e591b7ed7ec9e0ec08c553a040a5
https://github.com/WebKit/WebKit/commit/ce7f2eb3ff36e591b7ed7ec9e0ec08c553a040a5
Author: Antti Koivisto <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/fast/css/transform-translate-parsing-crash-expected.txt
A LayoutTests/fast/css/transform-translate-parsing-crash.html
M Source/WebCore/css/parser/CSSParserFastPaths.cpp
Log Message:
-----------
Cherry-pick 283286.630@safari-7620-branch (c09afb6b82bf).
https://bugs.webkit.org/show_bug.cgi?id=286462
Crash in transform fast-path parsing
https://bugs.webkit.org/show_bug.cgi?id=286462
rdar://142276253
Reviewed by Darin Adler.
* LayoutTests/fast/css/transform-translate-parsing-crash-expected.txt:
Added.
* LayoutTests/fast/css/transform-translate-parsing-crash.html: Added.
* Source/WebCore/css/parser/CSSParserFastPaths.cpp:
(WebCore::parseSimpleTransformValue):
Check we don't access out of bounds indexes.
Canonical link: https://commits.webkit.org/283286.630@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.34@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.123@webkitglib/2.48
Commit: 945d070ff077d5bb140d5d02dc4a5c51530adaf1
https://github.com/WebKit/WebKit/commit/945d070ff077d5bb140d5d02dc4a5c51530adaf1
Author: Sihui Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp
Log Message:
-----------
Cherry-pick 283286.631@safari-7620-branch (43d9bdf80277).
https://bugs.webkit.org/show_bug.cgi?id=286462
Do not start new transaction when there is active version change transcation
rdar://142170054
Reviewed by Brady Eidson.
According to spec
(https://w3c.github.io/IndexedDB/#upgrade-transaction-construct), version
change (or upgrade)
transaction has exclusive access to database. The current implementation
enforces this on client side (web process) by
not adding new transaction on server when there is ongoing version change
transaction. This patch adds this check to
server side since web process could be compromised and schedule
transactions unexpectedly.
* Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp:
(WebCore::IDBServer::UniqueIDBDatabase::takeNextRunnableTransaction):
Canonical link: https://commits.webkit.org/283286.631@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.36@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.124@webkitglib/2.48
Commit: 5cf4deaf2527c37012c34115bbf47adbdf3fc27b
https://github.com/WebKit/WebKit/commit/5cf4deaf2527c37012c34115bbf47adbdf3fc27b
Author: Daniel Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/wasm/stress/bbq-fusedif-register-alloc.js
M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
Log Message:
-----------
Cherry-pick 283286.632@safari-7620-branch (4af308c795b6).
https://bugs.webkit.org/show_bug.cgi?id=286512
BBQ FusedIf should propagate allocated scratch register to new block
https://bugs.webkit.org/show_bug.cgi?id=286512
rdar://142474221
Reviewed by Yusuke Suzuki.
Since FusedIf allocates a scratch register, the new block created by
FusedIf needs to be aware of this allocation, or else it may try to
allocate another register in the same place.
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addFusedIfCompare):
Canonical link: https://commits.webkit.org/283286.632@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.37@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.125@webkitglib/2.48
Commit: d2aa03f3cd4814108fbe23fb9362e9b6530a27da
https://github.com/WebKit/WebKit/commit/d2aa03f3cd4814108fbe23fb9362e9b6530a27da
Author: Jer Noble <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/http/tests/media/clearkey/clear-key-session-id-expected.txt
A LayoutTests/http/tests/media/clearkey/clear-key-session-id.html
M Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp
M Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.h
Log Message:
-----------
Cherry-pick 283286.633@safari-7620-branch (0fdf187e80df).
https://bugs.webkit.org/show_bug.cgi?id=286580
ClearKey session identifiers persist across MediaKeySystem instances
https://bugs.webkit.org/show_bug.cgi?id=286580
rdar://143525332
Reviewed by Eric Carlson.
Store the next session identifier value in the CDMInstanceClearKey, rather
than as
a static variable.
* LayoutTests/http/tests/media/clearkey/clear-key-session-id-expected.txt:
Added.
* LayoutTests/http/tests/media/clearkey/clear-key-session-id.html: Added.
* Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp:
(WebCore::CDMInstanceSessionClearKey::requestLicense):
* Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.h:
Canonical link: https://commits.webkit.org/283286.633@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.38@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.126@webkitglib/2.48
Commit: 5cadfce6d193e3ec255392fbd13642796a07e659
https://github.com/WebKit/WebKit/commit/5cadfce6d193e3ec255392fbd13642796a07e659
Author: Matt Woodrow <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/dom/ViewTransition.cpp
M Source/WebCore/dom/ViewTransition.h
Log Message:
-----------
Cherry-pick 283286.634@safari-7620-branch (9ea70df86dfe).
https://bugs.webkit.org/show_bug.cgi?id=286109
Crash in WebCore::forEachRendererInPaintOrder;
WebCore::ViewTransition::captureNewState.
https://bugs.webkit.org/show_bug.cgi?id=286109
<rdar://142779342>
Reviewed by Tim Nguyen.
captureNewState was writing new styles while iterating the render layer
tree,
and also implicitly flushing styles by reading computed values. In rare
cases
the style flush could invalidate the render layer positioned list.
This change splits this into two separate passes. The first pass reads all
the
computed styles from the captured elements, and then second pass generates
all
the stylesheet changes. Finally we flush style, and configure the VT psuedo
renderers as needed.
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::updatePropertiesForGroupPseudo):
(WebCore::ViewTransition::captureNewState):
(WebCore::ViewTransition::setupTransitionPseudoElements):
(WebCore::ViewTransition::activateViewTransition):
(WebCore::ViewTransition::handleTransitionFrame):
(WebCore::ViewTransition::updateNewState):
(WebCore::ViewTransition::updatePseudoElementStyles):
(WebCore::ViewTransition::updatePseudoElementRenderers):
(WebCore::ViewTransition::updatePropertiesForRenderer): Deleted.
(WebCore::ViewTransition::updatePseudoElementSizes): Deleted.
* Source/WebCore/dom/ViewTransition.h:
Canonical link: https://commits.webkit.org/283286.634@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.39@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.127@webkitglib/2.48
Commit: 311862787420e45618e86b7a5bbb50b578c43de2
https://github.com/WebKit/WebKit/commit/311862787420e45618e86b7a5bbb50b578c43de2
Author: Michael Saboff <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/stress/regexp-lookbehind-char-ignorecase-nongreedy.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
Cherry-pick 283286.635@safari-7620-branch (facb51ef4940).
https://bugs.webkit.org/show_bug.cgi?id=286691
[JSC] ASAN_TRAP | Yarr::Interpreter::matchDisjunction;
Yarr::Interpreter::interpret; JSC::Yarr::interpret
https://bugs.webkit.org/show_bug.cgi?id=286691
rdar://143684098
Reviewed by Mark Lam.
We weren't initializing the begining postion in the
PatternCasedCharacterNonGreedy matching
code like we were in the PatternCharacterNonGreedy matching code. Unified
the two code patch
into one.
Added new tests.
* JSTests/stress/regexp-lookbehind-char-ignorecase-nongreedy.js: Added.
(arrayToString):
(objectToString):
(dumpValue):
(compareArray):
(compareGroups):
(testRegExp):
(testRegExpSyntaxError):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::matchDisjunction):
Canonical link: https://commits.webkit.org/283286.635@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.40@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.128@webkitglib/2.48
Commit: 4c65775f049beec4fe0a50c1243dcfa634bf33e1
https://github.com/WebKit/WebKit/commit/4c65775f049beec4fe0a50c1243dcfa634bf33e1
Author: Jer Noble <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
R
LayoutTests/platform/ios/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audioworklet-interface/audioworklet-denormals.https.window-expected.txt
M LayoutTests/platform/mac/TestExpectations
A LayoutTests/webaudio/audoworklet-denormal-float-values-expected.txt
A LayoutTests/webaudio/audoworklet-denormal-float-values.html
M Source/WTF/wtf/PlatformHave.h
M Source/WebCore/Sources.txt
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
A Source/WebCore/platform/audio/DenormalDisabler.cpp
M Source/WebCore/platform/audio/DenormalDisabler.h
Log Message:
-----------
Cherry-pick 289651.43@safari-7621-branch (c1b04541303e).
https://bugs.webkit.org/show_bug.cgi?id=286694
Enable Denormal Disabling on ARM platforms
https://bugs.webkit.org/show_bug.cgi?id=286694
rdar://141366322
Reviewed by Jean-Yves Avenard.
Modernize DenormalDisabler with an implementation inspired by libwebrtc's.
The original DenormalDisabler from 2011 only worked with Windows+MSVC, or on
platforms supporting SSE. Migrate all the CPU checks into PlatformHave.h,
move the implementation into a .cpp file, and add an implementation for ARM.
* LayoutTests/webaudio/audoworklet-denormal-float-values-expected.txt:
Added.
* LayoutTests/webaudio/audoworklet-denormal-float-values.html: Added.
* Source/WTF/wtf/PlatformHave.h:
* Source/WebCore/Sources.txt:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/platform/audio/DenormalDisabler.cpp: Added.
(WebCore::readStatusWord):
(WebCore::setStatusWord):
(WebCore::areDenormalsEnabled):
(WebCore::DenormalDisabler::DenormalDisabler):
(WebCore::DenormalDisabler::~DenormalDisabler):
* Source/WebCore/platform/audio/DenormalDisabler.h:
Canonical link: https://commits.webkit.org/289651.43@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.129@webkitglib/2.48
Commit: 899c0b9c6f4f7395b81678344846c986b115fe48
https://github.com/WebKit/WebKit/commit/899c0b9c6f4f7395b81678344846c986b115fe48
Author: Timothy Hatcher <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/bindings/js/CachedModuleScriptLoader.cpp
M Source/WebCore/bindings/js/CachedModuleScriptLoader.h
M Source/WebCore/bindings/js/CachedScriptFetcher.cpp
M Source/WebCore/bindings/js/CachedScriptFetcher.h
M Source/WebCore/bindings/js/ScriptModuleLoader.cpp
M Source/WebCore/dom/LoadableClassicScript.cpp
M Source/WebCore/dom/ScriptElementCachedScriptFetcher.cpp
M Source/WebCore/dom/ScriptElementCachedScriptFetcher.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm
Log Message:
-----------
Cherry-pick 289651.71@safari-7621-branch (e0100f67af2d).
https://bugs.webkit.org/show_bug.cgi?id=287305
Script imports in Web Extension content script are not isolated from
service workers.
https://webkit.org/b/287305
rdar://144104878
Reviewed by Chris Dumez.
When importing a script in an extension isolated world, we should load it
so that
it does not use the page's service worker to prevent interference.
* Source/WebCore/bindings/js/CachedModuleScriptLoader.cpp:
(WebCore::CachedModuleScriptLoader::load): Pass serviceWorkersMode.
* Source/WebCore/bindings/js/CachedModuleScriptLoader.h:
* Source/WebCore/bindings/js/CachedScriptFetcher.cpp:
(WebCore::CachedScriptFetcher::requestModuleScript const): Pass
serviceWorkersMode.
(WebCore::CachedScriptFetcher::requestScriptWithCache const): Use
serviceWorkersMode or
default to ServiceWorkersMode::All.
* Source/WebCore/bindings/js/CachedScriptFetcher.h:
* Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
(WebCore::ScriptModuleLoader::fetch): Pass ServiceWorkersMode based on the
current world.
* Source/WebCore/dom/LoadableClassicScript.cpp:
(WebCore::LoadableNonModuleScriptBase::load): Pass { } for
serviceWorkersMode.
* Source/WebCore/dom/ScriptElementCachedScriptFetcher.cpp:
(WebCore::ScriptElementCachedScriptFetcher::requestModuleScript const):
Pass serviceWorkersMode.
* Source/WebCore/dom/ScriptElementCachedScriptFetcher.h:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm:
(TestWebKitAPI::TEST(WKWebExtension, ContentScriptImport)): Added.
Canonical link: https://commits.webkit.org/289651.71@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.130@webkitglib/2.48
Commit: 247273bfc5d73cb2ad69d27d6938472ac9ba2250
https://github.com/WebKit/WebKit/commit/247273bfc5d73cb2ad69d27d6938472ac9ba2250
Author: Alex Christensen <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
M Source/WebKit/Scripts/webkit/messages.py
M Source/WebKit/Scripts/webkit/tests/MessageArgumentDescriptions.cpp
M Source/WebKit/Shared/WTFArgumentCoders.serialization.in
M Source/WebKit/WebProcess/WebCoreSupport/WebMessagePortChannelProvider.cpp
Log Message:
-----------
Cherry-pick 283286.636@safari-7620-branch (b7588e839b38).
https://bugs.webkit.org/show_bug.cgi?id=286822
Use an ObjectIdentifier instead of uint64_t for
NetworkConnectionToWebProcess::didDeliverMessagePortMessages
https://bugs.webkit.org/show_bug.cgi?id=286822
rdar://140773504
Reviewed by Chris Dumez.
If you send a 0 or -1 to
NetworkConnectionToWebProcess::didDeliverMessagePortMessages it corrupts
HashTable memory.
ObjectIdentifier will refuse to decode such values successfully.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::nextMessageBatchIdentifier):
(WebKit::NetworkConnectionToWebProcess::takeAllMessagesForPort):
(WebKit::NetworkConnectionToWebProcess::didDeliverMessagePortMessages):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp.orig:
Copied from Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Source/WebKit/Scripts/webkit/messages.py:
(serialized_identifiers):
(headers_for_type):
* Source/WebKit/Scripts/webkit/tests/MessageArgumentDescriptions.cpp:
(IPC::serializedIdentifiers):
* Source/WebKit/Shared/WTFArgumentCoders.serialization.in:
* Source/WebKit/WebProcess/WebCoreSupport/WebMessagePortChannelProvider.cpp:
(WebKit::WebMessagePortChannelProvider::takeAllMessagesForPort):
Canonical link: https://commits.webkit.org/283286.636@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.91@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.131@webkitglib/2.48
Commit: ab52cba9f523d289aed9c90ad07fcf4eab1dccb4
https://github.com/WebKit/WebKit/commit/ab52cba9f523d289aed9c90ad07fcf4eab1dccb4
Author: Darryl Parkinson <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M LayoutTests/http/wpt/webauthn/ctap-hid-failure.https.html
M LayoutTests/http/wpt/webauthn/ctap-hid-success.https.html
M LayoutTests/http/wpt/webauthn/ctap-nfc-failure.https.html
M LayoutTests/http/wpt/webauthn/idl.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid-silent.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-hid.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local-silent.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-local.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-nfc.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-failure.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-ccid.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-hid.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-local.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-nfc.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-create-success-u2f.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid-silent.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-hid.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local-silent.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-local.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-nfc.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html
M LayoutTests/http/wpt/webauthn/public-key-credential-get-failure.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-ccid.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-hid.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-local.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-nfc.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-get-with-invalid-parameters.https.html
M LayoutTests/http/wpt/webauthn/public-key-credential-ip-address.html
M
LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html
M
LayoutTests/http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html
M
LayoutTests/http/wpt/webauthn/resources/public-key-credential-ip-address.https.html
M Source/WebKit/UIProcess/WebPageProxy.messages.in
M Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm
Log Message:
-----------
Cherry-pick 289651.122@safari-7621-branch (187eb9fbee7c).
https://bugs.webkit.org/show_bug.cgi?id=287249
Annotate SetMockWebAuthenticationConfiguration endpoint with
AllowTestOnlyIPC
https://bugs.webkit.org/show_bug.cgi?id=287249
rdar://144224078
Reviewed by Sihui Liu and Ryosuke Niwa.
Annotate SetMockWebAuthenticationConfiguration endpoint with
AllowTestOnlyIPC
* Source/WebKit/UIProcess/WebPageProxy.messages.in:
Canonical link: https://commits.webkit.org/289651.122@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.132@webkitglib/2.48
Commit: b4092de69fc94b6e3906b6f65a2882528a4f86a1
https://github.com/WebKit/WebKit/commit/b4092de69fc94b6e3906b6f65a2882528a4f86a1
Author: Daniel Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/GetByIdMetadata.h
Log Message:
-----------
Cherry-pick 289651.165@safari-7621-branch (a93595279e2b).
https://bugs.webkit.org/show_bug.cgi?id=287567
LLInt GetByIdModeMetadata should not hold potentially dead structure IDs
https://bugs.webkit.org/show_bug.cgi?id=287567
rdar://144076957
Reviewed by Yijia Huang and Yusuke Suzuki.
GetByIdModeMetadata does not reset its structure ID upon transitioning to
ArrayLengthMode,
meaning that this could get held over across another reset. This could
later cause access
to a freed (or reallocated) structure ID.
This patch also cleans up the code in `setProtoLoadMode` slightly to clear
up the specific
writes being performed.
This does not apply to other modes, since they set their structure ID
explicitly. Since the
mutator thread is the thread changing modes, it will only invalidate the
structure ID after
the call to clearToDefaultModeWithoutCache finishes, meaning that the
structure ID already
is cleared.
* Source/JavaScriptCore/bytecode/GetByIdMetadata.h:
(JSC::GetByIdModeMetadata::clearToDefaultModeWithoutCache):
(JSC::GetByIdModeMetadata::setUnsetMode):
(JSC::GetByIdModeMetadata::setArrayLengthMode):
(JSC::GetByIdModeMetadata::setProtoLoadMode):
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFromLLInt):
Canonical link: https://commits.webkit.org/289651.165@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.133@webkitglib/2.48
Commit: ddbb652ea0fe948d482c9bdb61452488b1ed9305
https://github.com/WebKit/WebKit/commit/ddbb652ea0fe948d482c9bdb61452488b1ed9305
Author: Wenson Hsieh <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebKit/WebProcess/WebPage/ViewGestureGeometryCollector.cpp
Log Message:
-----------
Cherry-pick 289651.168@safari-7621-branch (fa20ee9ef67f).
https://bugs.webkit.org/show_bug.cgi?id=288407
[watchOS] Occasional crash in
ViewGestureGeometryCollector::computeTextLegibilityScales when double-tapping
https://bugs.webkit.org/show_bug.cgi?id=288407
rdar://145501290
Reviewed by Abrar Rahman Protyasha.
Avoid hash table lookup and mutation in `computeTextLegibilityScales`, in
the case where the font
size is not a valid `unsigned` hash key; this would correspond to either 0
or an extremely large
value anyways, which can safely be ignored for the purposes of this
heuristic, which attempts to
estimate a good scale to set when double-tapping to zoom that makes most of
the text on the webpage
legible, based on a histogram of sampled font sizes for visible text in the
DOM.
To make this code a bit easier to reason about, we also replace the
`HashMap<unsigned, unsigned>`
with `HashCountedSet<unsigned>`, and use `add(…)` to increment the counter
per bucket. Importantly,
we can also use `HashCountedSet::isValidValue` to avoid any attempts to
perform hash table lookup/
mutations against invalid keys (note that the `ValueType` for a
`HashCountedSet` corresponds to the
hash key, not the internal count which is always `unsigned`).
* Source/WebKit/WebProcess/WebPage/ViewGestureGeometryCollector.cpp:
(WebKit::ViewGestureGeometryCollector::computeTextLegibilityScales):
Canonical link: https://commits.webkit.org/289651.168@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.134@webkitglib/2.48
Commit: 5259d53d6b27e8168f8f0229836e792a11e4030c
https://github.com/WebKit/WebKit/commit/5259d53d6b27e8168f8f0229836e792a11e4030c
Author: Chris Dumez <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/webaudio/audioworklet-exception-handling-expected.txt
A LayoutTests/webaudio/audioworklet-exception-handling.html
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
Log Message:
-----------
Cherry-pick 289651.171@safari-7621-branch (56ecf8401bfc).
https://bugs.webkit.org/show_bug.cgi?id=288452
Missing exception checks in AudioWorkletProcessor.cpp leading to an OOB
write
https://bugs.webkit.org/show_bug.cgi?id=288452
rdar://145525358
Reviewed by Yusuke Suzuki.
Add missing exception checks in AudioWorkletProcessor.cpp.
* LayoutTests/webaudio/audioworklet-exception-handling-expected.txt: Added.
* LayoutTests/webaudio/audioworklet-exception-handling.html: Added.
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::getArrayAtIndex):
(WebCore::constructJSFloat32Array):
(WebCore::constructFrozenKeyValueObject):
(WebCore::constructFrozenJSArray):
(WebCore::copyDataFromJSArrayToBuses):
(WebCore::copyDataFromBusesToJSArray):
(WebCore::copyDataFromParameterMapToJSObject):
(WebCore::zeroJSArray):
(WebCore::AudioWorkletProcessor::buildJSArguments):
(WebCore::AudioWorkletProcessor::process):
Canonical link: https://commits.webkit.org/289651.171@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.135@webkitglib/2.48
Commit: 6677c79b4a499220676f81abbffa833153fed306
https://github.com/WebKit/WebKit/commit/6677c79b4a499220676f81abbffa833153fed306
Author: Frédéric Wang <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/fast/editing/insert-list-hang-and-assert-expected.txt
A LayoutTests/fast/editing/insert-list-hang-and-assert.html
A
LayoutTests/fast/frames/max-connected-subframe-count-with-lazy-loading-crash-expected.txt
A
LayoutTests/fast/frames/max-connected-subframe-count-with-lazy-loading-crash.html
M LayoutTests/fast/ruby/crash-when-ruby-base-is-collapsed-expected.txt
M LayoutTests/fast/text/selection-on-a-detached-tree-expected.txt
M Source/WebCore/editing/InsertListCommand.cpp
M Source/WebCore/editing/markup.cpp
M Source/WebCore/loader/SubframeLoader.cpp
M Source/WebCore/loader/SubframeLoader.h
Log Message:
-----------
Cherry-pick [email protected] (abbb214798c6).
https://bugs.webkit.org/show_bug.cgi?id=286833
Fix connectedSubframeCount overflow with lazy frame loading.
https://bugs.webkit.org/show_bug.cgi?id=286833
Reviewed by Ryosuke Niwa.
HTMLFrameElementBase::openURL() calls createFrameIfNecessary() for lazy
loaded frames, which will unconditionally increments the value of
RareDataBitFields::connectedSubframeCount and can lead to a size
overflow for it. This patch makes sure it never exceeds the value of
Page::maxNumberOfFrames.
This bug was originally detected via a repro case that relies on
InsertListCommand::doApply() looping infinitely and hitting a debug
assertion in StyledMarkupAccumulator::textContentRespectingRange().
These two issues are also fixed in this patch.
* LayoutTests/fast/editing/insert-list-hang-and-assert-expected.txt: Added.
* LayoutTests/fast/editing/insert-list-hang-and-assert.html: Added. This is
based on the original repro for the editor bugs.
*
LayoutTests/fast/frames/max-connected-subframe-count-with-lazy-loading-crash-expected.txt:
Added.
*
LayoutTests/fast/frames/max-connected-subframe-count-with-lazy-loading-crash.html:
Added. This is a direct test for the frame bug.
* LayoutTests/fast/ruby/crash-when-ruby-base-is-collapsed-expected.txt:
Update expectation.
* LayoutTests/fast/text/selection-on-a-detached-tree-expected.txt: Update
expectation.
* Source/WebCore/editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply): Make sure startOfCurrentParagraph
always moves forward, so that we eventually stop.
* Source/WebCore/editing/markup.cpp:
(WebCore::StyledMarkupAccumulator::textContentRespectingRange): Don't
assert for start == end. This handles the case when
m_start.containerNode() is before the Text node and the m_end is offset 0
in the Text node.
* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::canCreateSubFrame const): Introduce
a helper for some conditons of FrameLoader::SubframeLoader::loadSubframe.
(WebCore::FrameLoader::SubframeLoader::createFrameIfNecessary): Use
canCreateSubFrame().
(WebCore::FrameLoader::SubframeLoader::loadSubframe): Ditto.
* Source/WebCore/loader/SubframeLoader.h: Declare canCreateSubFrame().
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/289651.187@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.136@webkitglib/2.48
Commit: 62ad98f8ceb27cdcc2bec98e7d3402c6fe537f45
https://github.com/WebKit/WebKit/commit/62ad98f8ceb27cdcc2bec98e7d3402c6fe537f45
Author: Frédéric Wang <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A
LayoutTests/fast/rendering/render-multi-column-set-invalidate-002-crash-expected.txt
A
LayoutTests/fast/rendering/render-multi-column-set-invalidate-002-crash.html
M Source/WebCore/rendering/RenderObject.cpp
Log Message:
-----------
Cherry-pick [email protected] (90b6e2339664).
https://bugs.webkit.org/show_bug.cgi?id=286931
Handle consecutive MultiColumnSets in
propagateRepaintToParentWithOutlineAutoIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=286931
Reviewed by Alan Baradlay.
Special code was added in https://commits.webkit.org/259412@main for
propagateRepaintToParentWithOutlineAutoIfNeeded() to handle placeholder
of MultiColumnSet. However, this code assumes the renderer argument of
findColumnSpannerPlaceholder() is necessarily a spanner if its previous
sibling is a MultiColumnSet, which is not the case in the reported
repro case. We align with RenderMultiColumnSet::requiresBalancing() and
skip the fix in that case. See bug 286931 for details.
*
LayoutTests/fast/rendering/render-multi-column-set-invalidate-002-crash-expected.txt:
Added.
*
LayoutTests/fast/rendering/render-multi-column-set-invalidate-002-crash.html:
Added. Reduced from the original repro.
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded
const): Don't try getting a spanner in the bad case when the renderer it itself
a MultiColumnSet.
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/289651.188@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.137@webkitglib/2.48
Commit: 8746ffddc9133318e05521576c239dbd47189888
https://github.com/WebKit/WebKit/commit/8746ffddc9133318e05521576c239dbd47189888
Author: Claudio Saavedra <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A
LayoutTests/media/encrypted-media/media-events-transfer-arrays-expected.txt
A LayoutTests/media/encrypted-media/media-events-transfer-arrays.html
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
Log Message:
-----------
Cherry-pick [email protected] (15ab95a2898a).
https://bugs.webkit.org/show_bug.cgi?id=286835
ASAN_TRAP | JSArrayBufferView::ConstructionContext::ConstructionContext;
JSC::JSGenericTypedArrayView::create; JSC::GenericTypedArrayView::wrapImpl
https://bugs.webkit.org/show_bug.cgi?id=286835
Reviewed by Yijia Huang.
Since ArrayBuffer#transfer was added, it's not possible to assume that a
impl TypedArray
will have a valid ArrayBuffer attached. When wrapping a TypedArray with a
JS counter part,
JSGenericTypedArrayView<Adaptor>::create() was assumming that the
TypedArray's buffer would
not be nullptr, but this is not the case if JS code has transferred the
buffer
elsewhere.
To fix this check that the buffer has not been detached and throw if that's
not the case.
This bug seems to only be reproducible at the moment with legacy EME events
that have Uint8Array attributes, so the added test covers both occurences
I found.
*
LayoutTests/media/encrypted-media/media-events-transfer-arrays-expected.txt:
Added.
* LayoutTests/media/encrypted-media/media-events-transfer-arrays.html:
Added.
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::wrapImpl):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/289651.189@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.138@webkitglib/2.48
Commit: 4ff8e1f00ec5288fff4684d6950d47e665d71f53
https://github.com/WebKit/WebKit/commit/4ff8e1f00ec5288fff4684d6950d47e665d71f53
Author: Daniel Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
Log Message:
-----------
Cherry-pick 289651.190@safari-7621-branch (15053072f223).
https://bugs.webkit.org/show_bug.cgi?id=288554
CodeBlock should reset its StubInfo when jettisoned
https://bugs.webkit.org/show_bug.cgi?id=288554
rdar://144072285
Reviewed by Yusuke Suzuki.
CodeBlock's StubInfo can keep watchpoints alive which do not ref data they
hold, meaning
that when the CodeBlock is jettisoned, we may have dangling pointers to
data that was
freed during a GC.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
Canonical link: https://commits.webkit.org/289651.190@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.139@webkitglib/2.48
Commit: 842ab26be9f04e717f050cba708f5537685f9a72
https://github.com/WebKit/WebKit/commit/842ab26be9f04e717f050cba708f5537685f9a72
Author: Rupin Mittal <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A
LayoutTests/cookies/cookie-store-register-eventlistener-from-file-protocol-expected.txt
A
LayoutTests/cookies/cookie-store-register-eventlistener-from-file-protocol.html
M Source/WebCore/Modules/cookie-store/CookieStore.cpp
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Cherry-pick 289651.191@safari-7621-branch (9bf48496fa9a).
https://bugs.webkit.org/show_bug.cgi?id=288666
[SU+Main] [990d58df312b55ff] ASAN_TRAP |
WebKit::WebCookieJar::addChangeListenerWithAccess;
WebKit::WebCookieJar::addChangeListener;
WebCore::CookieStore::eventListenersDidChange
https://bugs.webkit.org/show_bug.cgi?id=288666
rdar://144404037
Reviewed by Chris Dumez.
Event listeners are keyed on the host of the document that registered them.
If the request comes from
a file protocol, the host will be empty and attempting to use an empty
string as the key of a HashMap
causes an assert to be hit, leading to a crash.
We fix this by ensuring that the CookieStore and WebCookieJar do not
attempt to register event listeners
with empty host names and if, somehow, such a request were to make it to
the Network Process, that process
will kill the sending Web Process.
Credit to Rob Buis for doing most of the work in creating the layout test.
*
LayoutTests/cookies/cookie-store-register-eventlistener-from-file-protocol-expected.txt:
Added.
*
LayoutTests/cookies/cookie-store-register-eventlistener-from-file-protocol.html:
Added.
* Source/WebCore/Modules/cookie-store/CookieStore.cpp:
(WebCore::CookieStore::stop):
(WebCore::CookieStore::eventListenersDidChange):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::subscribeToCookieChangeNotifications):
(WebKit::NetworkConnectionToWebProcess::unsubscribeFromCookieChangeNotifications):
Canonical link: https://commits.webkit.org/289651.191@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.140@webkitglib/2.48
Commit: 7ee37925b6553ddd2d768cd4efd60447a3181af1
https://github.com/WebKit/WebKit/commit/7ee37925b6553ddd2d768cd4efd60447a3181af1
Author: Rob Buis <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A LayoutTests/fast/html/autopopover-mismatch-crash-expected.txt
A LayoutTests/fast/html/autopopover-mismatch-crash.html
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Cherry-pick [email protected] (7e6ca0c83e15).
https://bugs.webkit.org/show_bug.cgi?id=286837
ASAN_TRAP | WebCore::Document::removeTopLayerElement;
WebCore::Element::removeFromTopLayer; WebCore::Element::removedFromAncestor
https://bugs.webkit.org/show_bug.cgi?id=286837
Reviewed by Tim Nguyen.
Reloading a document can cause it to become not fully active. That is one
of the reasons why
HTMLElement::checkPopoverValidity can fail. In the test case it does fail
at the final
instruction where popover is set to 'auto', as part of the
popoverAttributeChanged steps. So
we end up with an 'auto' popover that is still showing, and any gc/deletion
of the element
will end up in Document::removeTopLayerElement, the if statement will be
true and the RELEASE_ASSERT
hit, since the element was never added to m_autoPopoverList, as the test
case demonstrates.
Fixing this has proven to be hard, so just remove the RELEASE_ASSERT since
we have now a situation where
the popover was not necessarily added to m_autoPopoverList.
* LayoutTests/fast/html/autopopover-mismatch-crash-expected.txt: Added.
* LayoutTests/fast/html/autopopover-mismatch-crash.html: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::addTopLayerElement):
(WebCore::Document::removeTopLayerElement):
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/289651.198@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.141@webkitglib/2.48
Commit: d9db92885d62591508652b727c254e864031879a
https://github.com/WebKit/WebKit/commit/d9db92885d62591508652b727c254e864031879a
Author: Frédéric Wang <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A
LayoutTests/fast/cookie-store/start-listening-for-change-with-null-url-crash-expected.txt
A
LayoutTests/fast/cookie-store/start-listening-for-change-with-null-url-crash.html
Log Message:
-----------
Cherry-pick [email protected] (181f1f4f7cd0).
https://bugs.webkit.org/show_bug.cgi?id=286834
Add a test for a NULLPTR crash in startListeningForCookieChangeNotifications
https://bugs.webkit.org/show_bug.cgi?id=286834
Reviewed by Ryosuke Niwa.
It was crashing when the url argument contains a null string but this was
fixed
by https://commits.webkit.org/289567@main which block cookies for an invalid
url.
*
LayoutTests/fast/cookie-store/start-listening-for-change-with-null-url-crash-expected.txt:
Added.
*
LayoutTests/fast/cookie-store/start-listening-for-change-with-null-url-crash.html:
Added.
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/289651.199@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.142@webkitglib/2.48
Commit: a6db3f7923863143d61c282bc4114bad72e3ba9b
https://github.com/WebKit/WebKit/commit/a6db3f7923863143d61c282bc4114bad72e3ba9b
Author: Yusuke Suzuki <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/stress/stack-height-check.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Cherry-pick 289651.210@safari-7621-branch (d58fb4361f2a).
https://bugs.webkit.org/show_bug.cgi?id=287791
Instruction movaps access unaligned memory in JavaScriptCore
operationHasEnumerableIndexedProperty
https://bugs.webkit.org/show_bug.cgi?id=287791
rdar://144977122
Reviewed by Yijia Huang.
Except for ARM64, pushToSave just pushes the register to the stack. So
in x64 etc., stack height alignment can be broken when we only do
pushing once. We need to do twice to align stack with 16-bytes.
* JSTests/stress/stack-height-check.js: Added.
(test):
(const.v20.in.v19.test.v20):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
Canonical link: https://commits.webkit.org/289651.210@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.143@webkitglib/2.48
Commit: 7222f95087176e9641353544b6890680a5cda217
https://github.com/WebKit/WebKit/commit/7222f95087176e9641353544b6890680a5cda217
Author: Yusuke Suzuki <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/GetByIdMetadata.h
Log Message:
-----------
Cherry-pick 289651.211@safari-7621-branch (38a19eb3b7c0).
https://bugs.webkit.org/show_bug.cgi?id=289017
[JSC] GetByIdModeMetadata's mode needs to be set when not using 64bit
pointer
https://bugs.webkit.org/show_bug.cgi?id=289017
rdar://145852436
Reviewed by Mark Lam.
On environment having 32bit pointer or non-little-endian, mode needs to
be set.
* Source/JavaScriptCore/bytecode/GetByIdMetadata.h:
(JSC::GetByIdModeMetadata::setProtoLoadMode):
Canonical link: https://commits.webkit.org/289651.211@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.144@webkitglib/2.48
Commit: 00f2564d0704513d514dc2d5702b91a35bee1a4e
https://github.com/WebKit/WebKit/commit/00f2564d0704513d514dc2d5702b91a35bee1a4e
Author: Brent Fulgham <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
Log Message:
-----------
Cherry-pick 17b810c5dd42. https://bugs.webkit.org/show_bug.cgi?id=289017
[LDM] Disable SafeFontParser code path until stability issues are resolved
rdar://146310860
Reviewed by Vitor Roriz.
Revert the enablement of the SafeFontParser in LDM.
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
Canonical link: https://commits.webkit.org/289651.233@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.145@webkitglib/2.48
Commit: a2d01afed7369155c1f03e8728135562656a8861
https://github.com/WebKit/WebKit/commit/a2d01afed7369155c1f03e8728135562656a8861
Author: Dan Hecht <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M JSTests/wasm/stress/tail-call-js-to-wasm.js
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
Cherry-pick 0f9cca586aee. https://bugs.webkit.org/show_bug.cgi?id=289100
[JSC] wasm tail-call patchpoint can clobber param register
https://bugs.webkit.org/show_bug.cgi?id=289100
rdar://145246917
Reviewed by Yusuke Suzuki and Keith Miller.
The wasm tail call patchpoint was saving/restoring
the tmp register before clobbering it, however it was still
reading the tmp register in the case that the tmp was used
to pass an argument. Fix this by using the already spilled
value for this register.
Also, in assert builds, the code that stores 0xBEEF to
the safe area clobbers tmp (since it's also the
macroassembler's data scratch), so the tmp spilling
must occur before that.
An alternate solution considered was to mark the tmp
(which is also the macroassembler's scratch) as an early
clobber. However, on x86_64 there are not enough registers
for that solution since a register is used to carry the
"calleeCallee" across the prepare code, and on x86_64 the
only available register for that is the tmp/scratch.
* JSTests/wasm/stress/tail-call-js-to-wasm.js:
(async testCallToTail):
(async testCallToTail2):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::prepareForTailCallImpl):
Canonical link: https://commits.webkit.org/289651.241@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.146@webkitglib/2.48
Commit: 60942f7a9eca63532c4f275033c8ab3c7c7ba335
https://github.com/WebKit/WebKit/commit/60942f7a9eca63532c4f275033c8ab3c7c7ba335
Author: Yusuke Suzuki <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/wasm/stress/js-tag-rethrow.js
M Source/JavaScriptCore/interpreter/Interpreter.cpp
Log Message:
-----------
Cherry-pick 5c8b9aff5306. https://bugs.webkit.org/show_bug.cgi?id=289286
[JSC] js-tagged error can be rethrow so we should wrap it whenever
exception is not wasm exception
https://bugs.webkit.org/show_bug.cgi?id=289286
rdar://144588498
Reviewed by Keith Miller.
JS-tagged exception can be thrown via rethrow. So it does not matter
whether an error is through JS frames. Let's wrap an exception with wasm
exception object whenever thrown value is not an wasm exception value
*and* handler is wasm code.
* JSTests/wasm/stress/js-tag-rethrow.js: Added.
(main):
(shouldBe):
(catch):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::UnwindFunctor):
(JSC::UnwindFunctor::operator() const):
Canonical link: https://commits.webkit.org/289651.242@safari-7621-branch
Canonical link: https://commits.webkit.org/290945.147@webkitglib/2.48
Commit: 2569e17b04b3ae07c6d866c01a3647480a30c752
https://github.com/WebKit/WebKit/commit/2569e17b04b3ae07c6d866c01a3647480a30c752
Author: Adrian Perez de Castro <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/platform/encryptedmedia/clearkey/CDMClearKey.cpp
Log Message:
-----------
fixup! Cherry-pick 283286.633@safari-7620-branch (0fdf187e80df).
https://bugs.webkit.org/show_bug.cgi?id=286580
Canonical link: https://commits.webkit.org/290945.148@webkitglib/2.48
Compare: https://github.com/WebKit/WebKit/compare/f7487089491a...2569e17b04b3
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
