Branch: refs/heads/safari-7622.2.11.11-branch
Home: https://github.com/WebKit/WebKit
Commit: 8a5722cf62eac05b853e35acdffae6e3a2a47649
https://github.com/WebKit/WebKit/commit/8a5722cf62eac05b853e35acdffae6e3a2a47649
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: a69827246fdf4904ab732819b3068d0bd316266c
https://github.com/WebKit/WebKit/commit/a69827246fdf4904ab732819b3068d0bd316266c
Author: Keith Miller <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
A JSTests/stress/array-allocation-sink-conditional-write-osr.js
A JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
A JSTests/stress/array-sink-materialize-conditional-write.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick 934b1e28a87a. rdar://162144480
Conditional writes are incorrectly handled in Array allocation sinking
https://bugs.webkit.org/show_bug.cgi?id=299956
rdar://161681941
Reviewed by Yusuke Suzuki and Yijia Huang.
The current bottom value in ObjectAllocationSinking is incorrect for arrays.
Unlike with objects, which track conditional stores by passing the active
structure through SSA, arrays can't do this. Instead we should set default
value
to the appropriate hole value for the given IndexingShape. To make this work
I had to fix some Phi/Upsilon ResultFormat bugs since they previously
assumed
everything would be a JSValue.
Also, add ASSERT to FTL lowering that the Phi/Upsilon formats match. I
spent 1/2 a day
trying to understand why I was getting zero, when the issue was those
values disagreed
and I was getting the default zero value.
Tests: JSTests/stress/array-allocation-sink-conditional-write-osr.js
JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
JSTests/stress/array-sink-materialize-conditional-write.js
Canonical link: https://commits.webkit.org/300888@main
Canonical link: https://commits.webkit.org/[email protected]
Commit: e60290dafe8672f55403b51df5f1595a8ecaa359
https://github.com/WebKit/WebKit/commit/e60290dafe8672f55403b51df5f1595a8ecaa359
Author: Alan Baradlay <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
A LayoutTests/fast/repaint/new-deprecated-flex-item-repaint-expected.txt
A LayoutTests/fast/repaint/new-deprecated-flex-item-repaint.html
A
LayoutTests/platform/mac-wk1/fast/repaint/new-deprecated-flex-item-repaint-expected.txt
M Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp
Log Message:
-----------
Cherry-pick a9981fc4ecfa. rdar://162151781
Text in voice search is cropped on baidu.com
https://bugs.webkit.org/show_bug.cgi?id=300283
<rdar://154781269>
Reviewed by Antti Koivisto.
This is the deprecated flex box version of 199925@main fix where we need to
issue
full repaint on flex items that never had layout before.
Test: fast/repaint/new-deprecated-flex-item-repaint.html
* LayoutTests/fast/repaint/new-deprecated-flex-item-repaint-expected.txt:
Added.
* LayoutTests/fast/repaint/new-deprecated-flex-item-repaint.html: Added.
*
LayoutTests/platform/mac-wk1/fast/repaint/new-deprecated-flex-item-repaint-expected.txt:
Added.
* Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:
(WebCore::issueFullRepaintOnFirstLayout):
(WebCore::layoutChildIfNeededApplyingDelta):
(WebCore::RenderDeprecatedFlexibleBox::layoutSingleClampedFlexItem):
(WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox):
Canonical link: https://commits.webkit.org/301147@main
Canonical link: https://commits.webkit.org/[email protected]
Commit: 662670d7bd8099a743c75117ad0f21c73672d2e4
https://github.com/WebKit/WebKit/commit/662670d7bd8099a743c75117ad0f21c73672d2e4
Author: Sihui Liu <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
M Source/WebKit/NetworkProcess/storage/SQLiteStorageArea.cpp
Log Message:
-----------
Cherry-pick b290846137ed. rdar://162138327
ASSERTION FAILED: checkedPtrCountWithoutThreadCheck() in
SQLiteStorageArea::prepareDatabase
https://bugs.webkit.org/show_bug.cgi?id=300294
rdar://162083739
Reviewed by Chris Dumez.
SQLiteStorageArea::prepareDatabase might set m_database to null after
m_database is captured in a local CheckedPtr
variable resultDatabase. When the CheckedPtr variable is destroyed at
function exit, the assertion will be hit as the
SQLiteDatabase object is already gone. To fix this, this patch uses a local
UniqueRef variable to replace the
CheckedPtr. The UniqueRef is only moved to m_database if operation
succeeds, so prepareDatabase does not need to reset
m_database in multiple conditions.
This patch also contains a drive-by fix that when prepareDatabase tries to
open database for the second time, it does
not pass the right open options.
Canonical link: https://commits.webkit.org/301155@main
Canonical link: https://commits.webkit.org/[email protected]
Commit: 0987e797e8c9335c27ee80eabee087af8c014590
https://github.com/WebKit/WebKit/commit/0987e797e8c9335c27ee80eabee087af8c014590
Author: Dan Hecht <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
A JSTests/wasm/stress/ipint-bbq-osr-check-try-implicit-slot-overlap2.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
Log Message:
-----------
Cherry-pick d37b918c6ed2. rdar://158848294
[JSC] BBQ does not have implicit exception slot inside Try
https://bugs.webkit.org/show_bug.cgi?id=300350
rdar://158848294
Reviewed by Yusuke Suzuki.
Follow up to 297297.400@safari-7622-branch: do not access
BBQJIT::exception() for Try blocks, and fill the Void stack map
entry with a zero constant so that loadValuesIntoBuffer() will
zero fill this placeholder slot when constructing the scratch buffer
for BBQ -> OMG loop OSR.
* JSTests/wasm/stress/ipint-bbq-osr-check-try-implicit-slot-overlap2.js:
Added.
(instantiate):
(async let.fn0):
(let.fn1):
(let.fn2):
(let.fn3):
(let.fn4):
(let.fn5):
(async let):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::exception):
(JSC::Wasm::BBQJITImpl::BBQJIT::makeStackMap):
Canonical link: https://commits.webkit.org/297297.520@safari-7622-branch
Canonical link: https://commits.webkit.org/[email protected]
Commit: 12c053fe9372f1358280413d6532f40d47ba8941
https://github.com/WebKit/WebKit/commit/12c053fe9372f1358280413d6532f40d47ba8941
Author: Dana Estra <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
M Source/WebCore/Modules/mediasession/MediaSession.h
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
M Source/WebCore/page/QuirksData.h
M Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm
Log Message:
-----------
Cherry-pick 902a75fcfd40. rdar://158430821
HBO Max videos are labeled as ads in PiP
https://bugs.webkit.org/show_bug.cgi?id=298611
rdar://158430821
Reviewed by Ryan Reno.
HBO sets the skipAd action handler to an empty function, presumably
to attempt to say that the user cannot skip ads in pip. Until they
remove this, we should quirk HBO to not allow ad skipping on the site.
* Source/WebCore/Modules/mediasession/MediaSession.h:
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::shouldDisableAdSkippingInPip const):
(WebCore::handleHBOMaxQuirks):
* Source/WebCore/page/Quirks.h:
* Source/WebCore/page/QuirksData.h:
* Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm:
(WebKit::PlaybackSessionManager::actionHandlersChanged):
Canonical link: https://commits.webkit.org/299784@main
Update MediaSession.h
(cherry picked from commit e069374fbd3348481aa0d18989fd763cdcf3c9ed)
Canonical link: https://commits.webkit.org/[email protected]
Commit: 9b69ee2add8458096cb1c1f008e643c9f29bcc9c
https://github.com/WebKit/WebKit/commit/9b69ee2add8458096cb1c1f008e643c9f29bcc9c
Author: Wenson Hsieh <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
M Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm
Log Message:
-----------
Cherry-pick 9546eecd7fc7. rdar://160307005
Unreviewed, fix the build after 299784@main
Change:
```
if (RefPtr page = m_page.get() && !skipAdIsDisabledQuirk)
```
to:
```
if (RefPtr page = m_page.get(); page && !skipAdIsDisabledQuirk)
```
* Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm:
(WebKit::PlaybackSessionManager::actionHandlersChanged):
Canonical link: https://commits.webkit.org/299789@main
(cherry picked from commit 9546eecd7fc75470284d37f6a62f544724a8eb46)
Canonical link: https://commits.webkit.org/[email protected]
Commit: 6a6c2e01a1b1d9d0c853d6885096015827f02002
https://github.com/WebKit/WebKit/commit/6a6c2e01a1b1d9d0c853d6885096015827f02002
Author: Dan Hecht <[email protected]>
Date: 2025-10-09 (Thu, 09 Oct 2025)
Changed paths:
A JSTests/wasm/stress/catch-nested-expr-stack-and-locals.js
A JSTests/wasm/stress/catch-nested-rethrow.js
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
Cherry-pick 6f9b4a803bef. rdar://162211758
[JSC] Wasm: Fix OMG exceptions with nested catch
https://bugs.webkit.org/show_bug.cgi?id=300395
rdar://162211758
Reviewed by Yusuke Suzuki.
OMGIRGenerator::emitCatchImpl consumes the scratch buffer produced by
the stack map generated by OMGIRGenerator::preparePatchpointForExceptions
which has the catch exception after the expressions of a Catch block.
However, when Options::useWasmIPInt()==true, connectControlAtEntrypoint()
does not load the exception value.
Added new tests to verify nested catch rethrow exception and
expression slots (and locals) are restored correctly when entering an
inner catch handler, as well verify that this state remains correct
for the OSR loop case.
* JSTests/wasm/stress/catch-nested-expr-stack-and-locals.js: Added.
(async testExpressionStack):
(async testExpressionStackWithOSR):
* JSTests/wasm/stress/catch-nested-rethrow.js: Added.
(async testBasic):
(async testWithOSR):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::connectControlAtEntrypoint):
(JSC::Wasm::OMGIRGenerator::addLoop):
(JSC::Wasm::OMGIRGenerator::emitCatchImpl):
(JSC::Wasm::OMGIRGenerator::emitCatchTableImpl):
Canonical link: https://commits.webkit.org/297297.521@safari-7622-branch
Canonical link: https://commits.webkit.org/[email protected]
Commit: c5d762c621f9789cbbc10cc8efb9a7b3b87587c4
https://github.com/WebKit/WebKit/commit/c5d762c621f9789cbbc10cc8efb9a7b3b87587c4
Author: Lily Spiniolas <[email protected]>
Date: 2025-10-09 (Thu, 09 Oct 2025)
Changed paths:
A
LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div-expected.txt
A
LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html
M LayoutTests/resources/ui-helper.js
M Source/WebKit/UIProcess/ios/WKTextInteractionWrapper.mm
M Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl
M Tools/TestRunnerShared/UIScriptContext/UIScriptController.h
M Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h
M Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm
Log Message:
-----------
Cherry-pick 081f5360d06e. rdar://162144018
[iOS] Cannot scroll on gemini.google.com after sending message
https://bugs.webkit.org/show_bug.cgi?id=300153
rdar://157042896
Reviewed by Wenson Hsieh.
When selection honors overflow scrolling is enabled (specifically after
285350@main,
in which we switched from tracking scroll containers for the selection to
tracking
the graphics layer for the selection), scrolling does not work as expected
on
gemini.google.com. After typing a message and hitting the send button, it
is not
possible to scroll in the conversation log until the log is tapped. This is
the
result of views related to text selection impacting the results of
`hitTest:` in
`WKScrollView`. To prevent this from happening, there is existing logic
which calls
`makeTextSelectionViewsNonInteractiveForScope` which ensures that user
interaction
is disabled for all views in `[_textInteractionWrapper
managedTextSelectionViews]`.
However, `managedTextSelectionViews` may be empty even when views related
to text
selection are present in the view hierarchy (this is the case on
gemini.google.com).
In this scenario, `makeTextSelectionViewsNonInteractiveForScope` fails to
disable
user interaction on the text selection views, causing them to impact hit
test results.
The emptiness of `managedTextSelectionViews` is the result of the following:
After the page loads but before user interaction:
1. gemini.google.com programmatically focuses a contenteditable div on page
load (the
message field), causing a selection to be made.
2. `prepareToMoveSelectionContainer:(UIView *)newContainer` is called as a
result
of the selection. `newContainer` is not yet the `superview` of the
display interaction's
highlight view, so `[displayInteraction willMoveToView:_view]` &
`[displayInteraction didMoveToView:_view]` are called to move the views
related to
text selection.
3. To determine which views are related to text selection, we compare the
descendants
of newContainer before calling `willMoveToView` and `didMoveToView` as
mentioned above
to the descendants afterwards. These views are stored in
_managedTextSelectionViews.
4. Critically, UIKit does not actually install any views because the
interaction is not
in the activated state (the focus which got us here was programmatic).
There is no
difference between the before and after state, so
_managedTextSelectionViews remains
empty.
After activating and typing in the message field:
5. The selection/highlight views are installed by UIKit as expected.
`prepareToMoveSelectionContainer:(UIView *)newContainer` is called
afterwards, but the
highlight/selection views have already been appended to the new
container.
_managedTextSelectionViews is thus not updated, and remains empty.
After the send button is pressed:
6. The selection is not cleared despite editing ending. This is because the
message field
is a contenteditable div rather than a text input or textarea (see
webkit.org/b/38696).
The highlight views remain installed as a result.
After attempting to scroll:
7. To prevent the selection/highlight views from interfering with the
scroll view's hit test,
we temporarily disable user interaction for all of the
selection/highlight views stored in
_managedTextSelectionViews. In this case, _managedTextSelectionViews is
empty despite the
presence of the views. The hit test breaks, and scrolling does not work
as a result.
To fix this, we simply activate the display interaction before calling
`willMoveToView` and
`didMoveToView`.
Added new UIHelper method `setFocusStartsInputSessionPolicy` to change the
input session policy
during a test. This is important for the newly added layout test because to
mimic the behavior
of a physical device without a hardware keyboard, we must start the test
with the policy set
to `disallow`, and then later restore it to "auto". This is required so
that we can avoid showing
keyboard UI on the initial programmatic focus (which would have started an
actual editing session)
and then later show the keyboard UI after activating the input field, just
like a physical device
without a hardware keyboard attached.
Test:
editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html
*
LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div-expected.txt:
Added.
*
LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html:
Added.
* LayoutTests/resources/ui-helper.js:
(window.UIHelper.setFocusStartsInputSessionPolicy):
* Source/WebKit/UIProcess/ios/WKTextInteractionWrapper.mm:
(-[WKTextInteractionWrapper prepareToMoveSelectionContainer:]):
* Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl:
* Tools/TestRunnerShared/UIScriptContext/UIScriptController.h:
(WTR::UIScriptController::setFocusStartsInputSessionPolicy):
* Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h:
* Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm:
(WTR::UIScriptControllerIOS::setFocusStartsInputSessionPolicy):
Canonical link: https://commits.webkit.org/301162@main
Canonical link: https://commits.webkit.org/[email protected]
Commit: 59834b9bbf87e59c078c6594dd9995efef603771
https://github.com/WebKit/WebKit/commit/59834b9bbf87e59c078c6594dd9995efef603771
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-09 (Thu, 09 Oct 2025)
Changed paths:
R
LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div-expected.txt
R
LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html
M LayoutTests/resources/ui-helper.js
M Source/WebKit/UIProcess/ios/WKTextInteractionWrapper.mm
M Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl
M Tools/TestRunnerShared/UIScriptContext/UIScriptController.h
M Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h
M Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm
Log Message:
-----------
Revert 081f5360d06e. rdar://162144018
This reverts commit c5d762c621f9789cbbc10cc8efb9a7b3b87587c4.
Canonical link: https://commits.webkit.org/[email protected]
Commit: 7b87b8d1aec9a20f85a43a17a1a59620903f8e56
https://github.com/WebKit/WebKit/commit/7b87b8d1aec9a20f85a43a17a1a59620903f8e56
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-10 (Fri, 10 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 499485d03bfe6cebddb25b142d79a7ba2830eab6
https://github.com/WebKit/WebKit/commit/499485d03bfe6cebddb25b142d79a7ba2830eab6
Author: Youenn Fablet <[email protected]>
Date: 2025-10-10 (Fri, 10 Oct 2025)
Changed paths:
M Source/WebCore/platform/graphics/cocoa/AV1UtilitiesCocoa.h
M Source/WebCore/platform/graphics/cocoa/AV1UtilitiesCocoa.mm
M Source/WebCore/platform/graphics/cocoa/VP9UtilitiesCocoa.h
M Source/WebCore/platform/graphics/cocoa/VP9UtilitiesCocoa.mm
M Source/WebKit/GPUProcess/GPUProcessCreationParameters.h
M Source/WebKit/GPUProcess/GPUProcessCreationParameters.serialization.in
M Source/WebKit/GPUProcess/cocoa/GPUProcessCocoa.mm
M Source/WebKit/UIProcess/GPU/GPUProcessProxy.cpp
Log Message:
-----------
Cherry-pick 762d8ed5eb53. rdar://162366325
Cherry-pick 38c1a932abd1. rdar://162366325
Reduce calls to VTIsHardwareDecodeSupported(kCMVideoCodecType_VP9) in
GPUProcess
rdar://157511010
https://bugs.webkit.org/show_bug.cgi?id=300433
Reviewed by Chris Dumez.
Following on https://commits.webkit.org/300866@main which got reverted,
we want to reduce the number of calls to
VTIsHardwareDecodeSupported(kCMVideoCodecType_VP9) in GPUProcess.
https://commits.webkit.org/300866@main was reverted as it was buffering
VTIsHardwareDecodeSupported(kCMVideoCodecType_VP9) value.
The GPUProcess is first calling vp9HardwareDecoderAvailableInProcess()
before calling registerSupplementalVP9Decoder().
vp9HardwareDecoderAvailableInProcess() is always returning false before
registerSupplementalVP9Decoder() is called.
The buffering done in https://commits.webkit.org/300866@main would then
forbid the GPUProcess that it has VP9 HW support.
To fix that issue while keeping the buffering, we do the following
approach:
- Given the UIProcess is buffering whether there is VP9 HW support,
whenever the GPUProcess gets that info, it stores it in a static value.
- The GPUProcess will use that value when set to answer to
vp9HardwareDecoderAvailableInProcess().
- In case of a registerSupplementalVP9Decoder() and GPUProcess thinks
there is no HW VP9 support, we clear the static value.
We do the same buffering for AV1.
This ensures that there will be at most:
- one VTIsHardwareDecodeSupported for AV1 for the lifetime of the
UIProcess.
- two VTIsHardwareDecodeSupported for VP9 for the lifetime of the
UIProcess.
Manually tested.
Canonical link: https://commits.webkit.org/301307@main
Canonical link: https://commits.webkit.org/[email protected]
Commit: 93792f85b7f5a59683f7d6676b4dae6774d2c356
https://github.com/WebKit/WebKit/commit/93792f85b7f5a59683f7d6676b4dae6774d2c356
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-14 (Tue, 14 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 35df5804a952e19824a1e3a9173a4b925129f85f
https://github.com/WebKit/WebKit/commit/35df5804a952e19824a1e3a9173a4b925129f85f
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-15 (Wed, 15 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 3fb85e6c8b4afeb99e8b7490d099562da7548366
https://github.com/WebKit/WebKit/commit/3fb85e6c8b4afeb99e8b7490d099562da7548366
Author: Keith Miller <[email protected]>
Date: 2025-10-15 (Wed, 15 Oct 2025)
Changed paths:
M Source/JavaScriptCore/runtime/OptionsList.h
Log Message:
-----------
Cherry-pick 70e68bf51c13. rdar://162482391
[No-merge-back] Turn Off Array Allocation Sinking
https://bugs.webkit.org/show_bug.cgi?id=300718
rdar://162482391
Reviewed by Yusuke Suzuki and Yijia Huang.
There seem to be outstanding issues with Array allocation sinking.
We should disable it for now while we resolve those issues.
Canonical link: https://commits.webkit.org/297297.522@safari-7622-branch
Canonical link: https://commits.webkit.org/[email protected]
Commit: 6e9eba16d49b90b96fd07b3b97b15d5ba97da029
https://github.com/WebKit/WebKit/commit/6e9eba16d49b90b96fd07b3b97b15d5ba97da029
Author: Ryosuke Niwa <[email protected]>
Date: 2025-10-15 (Wed, 15 Oct 2025)
Changed paths:
M Source/WebCore/dom/LiveNodeList.h
M Source/WebCore/dom/LiveNodeListInlines.h
M Source/WebCore/html/CollectionTraversal.h
M Source/WebCore/html/CollectionTraversalInlines.h
M Source/WebCore/html/CollectionType.h
M Source/WebCore/html/LabelsNodeList.h
Log Message:
-----------
Cherry-pick 30ad85529639. rdar://162644342
Cherry-pick 74aabff89f46. rdar://162644342
Crash in LabelsNodeList::~LabelsNodeList
https://bugs.webkit.org/show_bug.cgi?id=300692
<rdar://162254579>
Reviewed by Chris Dumez.
Fix the crash by using WeakPtr instead of CheckedPtr in LabelsNodeList.
No new tests since we don't have a reproduction.
* Source/WebCore/dom/LiveNodeList.h:
* Source/WebCore/html/CollectionTraversal.h:
* Source/WebCore/html/CollectionTraversalInlines.h:
(WebCore::CollectionTraversal<CollectionTraversalType::WeakPtrDescendants>::begin):
(WebCore::CollectionTraversal<CollectionTraversalType::WeakPtrDescendants>::last):
(WebCore::CollectionTraversal<CollectionTraversalType::WeakPtrDescendants>::traverseForward):
(WebCore::CollectionTraversal<CollectionTraversalType::WeakPtrDescendants>::traverseBackward):
* Source/WebCore/html/CollectionType.h:
Canonical link: https://commits.webkit.org/301516@main
(cherry picked from commit ce7e8f28b6b8fe961ec89320d199ec1bfc3510a1)
Canonical link:
https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/[email protected]
Commit: ebd447fbb494b3504a2297d5612a972fe8e5cd51
https://github.com/WebKit/WebKit/commit/ebd447fbb494b3504a2297d5612a972fe8e5cd51
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-16 (Thu, 16 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 153c221f942a62088ffa3d153649963cb69f14a0
https://github.com/WebKit/WebKit/commit/153c221f942a62088ffa3d153649963cb69f14a0
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-21 (Tue, 21 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 71eb5f5e2f0cf001d0238b1efb0bc5bf37fd422d
https://github.com/WebKit/WebKit/commit/71eb5f5e2f0cf001d0238b1efb0bc5bf37fd422d
Author: Alan Baradlay <[email protected]>
Date: 2025-10-21 (Tue, 21 Oct 2025)
Changed paths:
A LayoutTests/fast/box-shadow/inset-shadow-large-spread2-expected.html
A LayoutTests/fast/box-shadow/inset-shadow-large-spread2.html
M Source/WebCore/rendering/BackgroundPainter.cpp
Log Message:
-----------
Cherry-pick 8b5fe77dc02b. rdar://163134443
REGRESSION (299603@main): Inset box-shadow not rendered when spread is
larger than element
https://bugs.webkit.org/show_bug.cgi?id=300477
<rdar://problem/162373297>
Reviewed by Simon Fraser.
When the inset shadow fully covers the box (i.e., the inner hole rect
becomes zero),
we should paint the outer shape (the full rect) rather than the zero rect.
(Note that the inner rect is never the (inset) shadow itself).
Test: fast/box-shadow/inset-shadow-large-spread2.html
* LayoutTests/fast/box-shadow/inset-shadow-large-spread2-expected.html:
Added.
* LayoutTests/fast/box-shadow/inset-shadow-large-spread2.html: Added.
* Source/WebCore/rendering/BackgroundPainter.cpp:
(WebCore::BackgroundPainter::paintBoxShadow const):
Canonical link: https://commits.webkit.org/301741@main
Canonical link: https://commits.webkit.org/[email protected]
Commit: 3b492a42865019ca01b2e7c8c3b8c89f9722ab8e
https://github.com/WebKit/WebKit/commit/3b492a42865019ca01b2e7c8c3b8c89f9722ab8e
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-22 (Wed, 22 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 3178cacce0de128e9cb92141e91755219dfc243c
https://github.com/WebKit/WebKit/commit/3178cacce0de128e9cb92141e91755219dfc243c
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-23 (Thu, 23 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Commit: 1d22cba4c962f87a5f866385339a6ade07a193fb
https://github.com/WebKit/WebKit/commit/1d22cba4c962f87a5f866385339a6ade07a193fb
Author: Matthew Finkel <[email protected]>
Date: 2025-10-23 (Thu, 23 Oct 2025)
Changed paths:
R
LayoutTests/http/tests/cookies/block-cookies-when-loading-document-in-sandboxed-iframe.https-expected.txt
R
LayoutTests/http/tests/cookies/block-cookies-when-loading-document-in-sandboxed-iframe.https.html
M LayoutTests/http/tests/cookies/resources/cookie-utilities.js
R
LayoutTests/http/tests/websocket/tests/hybi/resources/set-cookie-with-websocket-and-echo.https.html
R
LayoutTests/http/tests/websocket/tests/hybi/websocket-in-sandboxed-iframe.https-expected.txt
R
LayoutTests/http/tests/websocket/tests/hybi/websocket-in-sandboxed-iframe.https.html
M LayoutTests/platform/mac-wk1/TestExpectations
M Source/WebCore/loader/DocumentLoader.cpp
Log Message:
-----------
Cherry-pick f31ea22e0275. rdar://163218886
Cherry-pick 740fdbc5ab49. rdar://163218886
REGRESSION (CheerB/LuckB): iCloud webmail attachments fail to download
(cookies not forwarding to iframe request)
rdar://163218886
Blocking all cookies in the initial request from a sandboxed iframe is
too
restrictive. This causes website breakage in some limited cases where
the
server expects that SameSite={Lax,None} cookies are included, such as
on iCloud
web mail.
Reverted change:
Sandboxed iframe without same-origin flag should not have access to
its site's cookies
https://bugs.webkit.org/show_bug.cgi?id=286769
rdar://143051787
499@safari-7622-branch (25ef58bd202a)
(cherry picked from commit 740fdbc5ab49a8d00e582fa79aadf88327e93f7c)
Canonical link:
https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/[email protected]
Commit: 6214d577e8b731b897ec7155a4be62efe1ffd854
https://github.com/WebKit/WebKit/commit/6214d577e8b731b897ec7155a4be62efe1ffd854
Author: Mohsin Qureshi <[email protected]>
Date: 2025-10-23 (Thu, 23 Oct 2025)
Changed paths:
M Configurations/Version.xcconfig
Log Message:
-----------
Versioning.
WebKit-7
Canonical link: https://commits.webkit.org/[email protected]
Compare: https://github.com/WebKit/WebKit/compare/8a5722cf62ea%5E...6214d577e8b7
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
