  Branch: refs/heads/safari-7622.2.11.13-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: d762b017e3c39011b81a312d2ba9a26b2ca2f313
      https://github.com/WebKit/WebKit/commit/d762b017e3c39011b81a312d2ba9a26b2ca2f313
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: c2bfcde4a5bd3a236a55482854ce08b452a2e7d3
      https://github.com/WebKit/WebKit/commit/c2bfcde4a5bd3a236a55482854ce08b452a2e7d3
  Author: Keith Miller <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    A JSTests/stress/array-allocation-sink-conditional-write-osr.js
    A JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
    A JSTests/stress/array-sink-materialize-conditional-write.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Cherry-pick 934b1e28a87a. rdar://162144480

    Conditional writes are incorrectly handled in Array allocation sinking
    https://bugs.webkit.org/show_bug.cgi?id=299956
    rdar://161681941

    Reviewed by Yusuke Suzuki and Yijia Huang.

    The current bottom value in ObjectAllocationSinking is incorrect for arrays.
    Unlike with objects, which track conditional stores by passing the active
    structure through SSA, arrays can't do this. Instead we should set default value
    to the appropriate hole value for the given IndexingShape. To make this work
    I had to fix some Phi/Upsilon ResultFormat bugs since they previously assumed
    everything would be a JSValue.

    Also, add ASSERT to FTL lowering that the Phi/Upsilon formats match. I spent 1/2 a day
    trying to understand why I was getting zero, when the issue was those values disagreed
    and I was getting the default zero value.

    Tests: JSTests/stress/array-allocation-sink-conditional-write-osr.js
           JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
           JSTests/stress/array-sink-materialize-conditional-write.js

    Canonical link: https://commits.webkit.org/300888@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 4429453dacf8701da017d293af9aad7dec24aaa6
      https://github.com/WebKit/WebKit/commit/4429453dacf8701da017d293af9aad7dec24aaa6
  Author: Alan Baradlay <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    A LayoutTests/fast/repaint/new-deprecated-flex-item-repaint-expected.txt
    A LayoutTests/fast/repaint/new-deprecated-flex-item-repaint.html
    A LayoutTests/platform/mac-wk1/fast/repaint/new-deprecated-flex-item-repaint-expected.txt
    M Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp

  Log Message:
  -----------
  Cherry-pick a9981fc4ecfa. rdar://162151781

    Text in voice search is cropped on baidu.com
    https://bugs.webkit.org/show_bug.cgi?id=300283
    <rdar://154781269>

    Reviewed by Antti Koivisto.

    This is the deprecated flex box version of 199925@main fix where we need to issue
    full repaint on flex items that never had layout before.

    Test: fast/repaint/new-deprecated-flex-item-repaint.html

    * LayoutTests/fast/repaint/new-deprecated-flex-item-repaint-expected.txt: Added.
    * LayoutTests/fast/repaint/new-deprecated-flex-item-repaint.html: Added.
    * LayoutTests/platform/mac-wk1/fast/repaint/new-deprecated-flex-item-repaint-expected.txt: Added.
    * Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:
    (WebCore::issueFullRepaintOnFirstLayout):
    (WebCore::layoutChildIfNeededApplyingDelta):
    (WebCore::RenderDeprecatedFlexibleBox::layoutSingleClampedFlexItem):
    (WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox):

    Canonical link: https://commits.webkit.org/301147@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 930df5511fcac76f1429d3a98dcc6255a4776bf2
      https://github.com/WebKit/WebKit/commit/930df5511fcac76f1429d3a98dcc6255a4776bf2
  Author: Dan Hecht <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    A JSTests/wasm/stress/ipint-bbq-osr-check-try-implicit-slot-overlap2.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  Cherry-pick d37b918c6ed2. rdar://158848294

    [JSC] BBQ does not have implicit exception slot inside Try
    https://bugs.webkit.org/show_bug.cgi?id=300350
    rdar://158848294

    Reviewed by Yusuke Suzuki.

    Follow up to 297297.400@safari-7622-branch: do not access
    BBQJIT::exception() for Try blocks, and fill the Void stack map
    entry with a zero constant so that loadValuesIntoBuffer() will
    zero fill this placeholder slot when constructing the scratch buffer
    for BBQ -> OMG loop OSR.

    * JSTests/wasm/stress/ipint-bbq-osr-check-try-implicit-slot-overlap2.js: Added.
    (instantiate):
    (async let.fn0):
    (let.fn1):
    (let.fn2):
    (let.fn3):
    (let.fn4):
    (let.fn5):
    (async let):
    * Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
    (JSC::Wasm::BBQJITImpl::BBQJIT::exception):
    (JSC::Wasm::BBQJITImpl::BBQJIT::makeStackMap):

    Canonical link: https://commits.webkit.org/297297.520@safari-7622-branch

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 70b765a35e7f244203254d271fcea40570154b5c
      https://github.com/WebKit/WebKit/commit/70b765a35e7f244203254d271fcea40570154b5c
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    R JSTests/wasm/stress/ipint-bbq-osr-check-try-implicit-slot-overlap2.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  Revert d37b918c6ed2. rdar://158848294

This reverts commit 930df5511fcac76f1429d3a98dcc6255a4776bf2.


  Commit: a3f679df0e38f48cfa6b0486380860bd9dc41344
      https://github.com/WebKit/WebKit/commit/a3f679df0e38f48cfa6b0486380860bd9dc41344
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    R LayoutTests/fast/repaint/new-deprecated-flex-item-repaint-expected.txt
    R LayoutTests/fast/repaint/new-deprecated-flex-item-repaint.html
    R LayoutTests/platform/mac-wk1/fast/repaint/new-deprecated-flex-item-repaint-expected.txt
    M Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp

  Log Message:
  -----------
  Revert a9981fc4ecfa. rdar://162151781

This reverts commit 4429453dacf8701da017d293af9aad7dec24aaa6.


  Commit: b413f1a1c83295058d04a5fd648c21c23be9ed5d
      https://github.com/WebKit/WebKit/commit/b413f1a1c83295058d04a5fd648c21c23be9ed5d
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    R JSTests/stress/array-allocation-sink-conditional-write-osr.js
    R JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
    R JSTests/stress/array-sink-materialize-conditional-write.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Revert 934b1e28a87a. rdar://162144480

This reverts commit c2bfcde4a5bd3a236a55482854ce08b452a2e7d3.


  Commit: 57d7e5a0f7e99cddc63577ce862d6eff6842d66c
      https://github.com/WebKit/WebKit/commit/57d7e5a0f7e99cddc63577ce862d6eff6842d66c
  Author: Dana Estra <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    M Source/WebCore/Modules/mediasession/MediaSession.h
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h
    M Source/WebCore/page/QuirksData.h
    M Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm

  Log Message:
  -----------
  Cherry-pick 12c053fe9372. rdar://160307005

    Cherry-pick 902a75fcfd40. rdar://158430821

        HBO Max videos are labeled as ads in PiP
        https://bugs.webkit.org/show_bug.cgi?id=298611
        rdar://158430821

        Reviewed by Ryan Reno.

        HBO sets the skipAd action handler to an empty function, presumably
        to attempt to say that the user cannot skip ads in pip. Until they
        remove this, we should quirk HBO to not allow ad skipping on the site.

        * Source/WebCore/Modules/mediasession/MediaSession.h:
        * Source/WebCore/page/Quirks.cpp:
        (WebCore::Quirks::shouldDisableAdSkippingInPip const):
        (WebCore::handleHBOMaxQuirks):
        * Source/WebCore/page/Quirks.h:
        * Source/WebCore/page/QuirksData.h:
        * Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm:
        (WebKit::PlaybackSessionManager::actionHandlersChanged):

        Canonical link: https://commits.webkit.org/299784@main

    Update MediaSession.h

    (cherry picked from commit e069374fbd3348481aa0d18989fd763cdcf3c9ed)

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 98dea771f4cb833744febaa18ed33a80e793f684
      https://github.com/WebKit/WebKit/commit/98dea771f4cb833744febaa18ed33a80e793f684
  Author: Wenson Hsieh <[email protected]>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    M Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm

  Log Message:
  -----------
  Cherry-pick 9b69ee2add84. rdar://160307005

    Cherry-pick 9546eecd7fc7. rdar://160307005

        Unreviewed, fix the build after 299784@main

        Change:

        ```
            if (RefPtr page = m_page.get() && !skipAdIsDisabledQuirk)
        ```

        to:

        ```
            if (RefPtr page = m_page.get(); page && !skipAdIsDisabledQuirk)
        ```

        * Source/WebKit/WebProcess/cocoa/PlaybackSessionManager.mm:
        (WebKit::PlaybackSessionManager::actionHandlersChanged):

        Canonical link: https://commits.webkit.org/299789@main

        (cherry picked from commit 9546eecd7fc75470284d37f6a62f544724a8eb46)

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 63b63ccab03fc2024ffaa543b9ee5164db1645c7
      https://github.com/WebKit/WebKit/commit/63b63ccab03fc2024ffaa543b9ee5164db1645c7
  Author: Lily Spiniolas <[email protected]>
  Date:   2025-10-09 (Thu, 09 Oct 2025)

  Changed paths:
    A LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div-expected.txt
    A LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html
    M LayoutTests/resources/ui-helper.js
    M Source/WebKit/UIProcess/ios/WKTextInteractionWrapper.mm
    M Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl
    M Tools/TestRunnerShared/UIScriptContext/UIScriptController.h
    M Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h
    M Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm

  Log Message:
  -----------
  Cherry-pick 081f5360d06e. rdar://162144018

    [iOS] Cannot scroll on gemini.google.com after sending message
    https://bugs.webkit.org/show_bug.cgi?id=300153
    rdar://157042896

    Reviewed by Wenson Hsieh.

    When selection honors overflow scrolling is enabled (specifically after 285350@main,
    in which we switched from tracking scroll containers for the selection to tracking
    the graphics layer for the selection), scrolling does not work as expected on
    gemini.google.com. After typing a message and hitting the send button, it is not
    possible to scroll in the conversation log until the log is tapped. This is the
    result of views related to text selection impacting the results of `hitTest:` in
    `WKScrollView`. To prevent this from happening, there is existing logic which calls
    `makeTextSelectionViewsNonInteractiveForScope` which ensures that user interaction
    is disabled for all views in `[_textInteractionWrapper managedTextSelectionViews]`.

    However, `managedTextSelectionViews` may be empty even when views related to text
    selection are present in the view hierarchy (this is the case on gemini.google.com).
    In this scenario, `makeTextSelectionViewsNonInteractiveForScope` fails to disable
    user interaction on the text selection views, causing them to impact hit test results.

    The emptiness of `managedTextSelectionViews` is the result of the following:

    After the page loads but before user interaction:
    1. gemini.google.com programmatically focuses a contenteditable div on page load (the
       message field), causing a selection to be made.
    2. `prepareToMoveSelectionContainer:(UIView *)newContainer` is called as a result
       of the selection. `newContainer` is not yet the `superview` of the display interaction's
       highlight view, so `[displayInteraction willMoveToView:_view]` &
       `[displayInteraction didMoveToView:_view]` are called to move the views related to
       text selection.
    3. To determine which views are related to text selection, we compare the descendants
       of newContainer before calling `willMoveToView` and `didMoveToView` as mentioned above
       to the descendants afterwards. These views are stored in _managedTextSelectionViews.
    4. Critically, UIKit does not actually install any views because the interaction is not
       in the activated state (the focus which got us here was programmatic). There is no
       difference between the before and after state, so _managedTextSelectionViews remains
       empty.

    After activating and typing in the message field:
    5. The selection/highlight views are installed by UIKit as expected.
       `prepareToMoveSelectionContainer:(UIView *)newContainer` is called afterwards, but the
       highlight/selection views have already been appended to the new container.
       _managedTextSelectionViews is thus not updated, and remains empty.

    After the send button is pressed:
    6. The selection is not cleared despite editing ending. This is because the message field
       is a contenteditable div rather than a text input or textarea (see webkit.org/b/38696).
       The highlight views remain installed as a result.

    After attempting to scroll:
    7. To prevent the selection/highlight views from interfering with the scroll view's hit test,
       we temporarily disable user interaction for all of the selection/highlight views stored in
       _managedTextSelectionViews. In this case, _managedTextSelectionViews is empty despite the
       presence of the views. The hit test breaks, and scrolling does not work as a result.

    To fix this, we simply activate the display interaction before calling `willMoveToView` and
    `didMoveToView`.

    Added new UIHelper method `setFocusStartsInputSessionPolicy` to change the input session policy
    during a test. This is important for the newly added layout test because to mimic the behavior
    of a physical device without a hardware keyboard, we must start the test with the policy set
    to `disallow`, and then later restore it to "auto". This is required so that we can avoid showing
    keyboard UI on the initial programmatic focus (which would have started an actual editing session)
    and then later show the keyboard UI after activating the input field, just like a physical device
    without a hardware keyboard attached.

    Test: editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html
    * LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div-expected.txt: Added.
    * LayoutTests/editing/selection/ios/scrolling-after-caret-selection-inside-contenteditable-div.html: Added.
    * LayoutTests/resources/ui-helper.js:
    (window.UIHelper.setFocusStartsInputSessionPolicy):
    * Source/WebKit/UIProcess/ios/WKTextInteractionWrapper.mm:
    (-[WKTextInteractionWrapper prepareToMoveSelectionContainer:]):
    * Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl:
    * Tools/TestRunnerShared/UIScriptContext/UIScriptController.h:
    (WTR::UIScriptController::setFocusStartsInputSessionPolicy):
    * Tools/WebKitTestRunner/ios/UIScriptControllerIOS.h:
    * Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm:
    (WTR::UIScriptControllerIOS::setFocusStartsInputSessionPolicy):

    Canonical link: https://commits.webkit.org/301162@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: da9a60d986afd09dbd096c093133c3a2a591f336
      https://github.com/WebKit/WebKit/commit/da9a60d986afd09dbd096c093133c3a2a591f336
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-10-10 (Fri, 10 Oct 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 147a755931ac4973612df9bfaf1fd377c52ec3d6
      https://github.com/WebKit/WebKit/commit/147a755931ac4973612df9bfaf1fd377c52ec3d6
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-10-23 (Thu, 23 Oct 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: c552665cb401e9d2342aff82dc7b62a7ae4347bb
      https://github.com/WebKit/WebKit/commit/c552665cb401e9d2342aff82dc7b62a7ae4347bb
  Author: Matthew Finkel <[email protected]>
  Date:   2025-10-23 (Thu, 23 Oct 2025)

  Changed paths:
    R LayoutTests/http/tests/cookies/block-cookies-when-loading-document-in-sandboxed-iframe.https-expected.txt
    R LayoutTests/http/tests/cookies/block-cookies-when-loading-document-in-sandboxed-iframe.https.html
    M LayoutTests/http/tests/cookies/resources/cookie-utilities.js
    R LayoutTests/http/tests/websocket/tests/hybi/resources/set-cookie-with-websocket-and-echo.https.html
    R LayoutTests/http/tests/websocket/tests/hybi/websocket-in-sandboxed-iframe.https-expected.txt
    R LayoutTests/http/tests/websocket/tests/hybi/websocket-in-sandboxed-iframe.https.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/loader/DocumentLoader.cpp

  Log Message:
  -----------
  Cherry-pick f31ea22e0275. rdar://163218886

    Cherry-pick 740fdbc5ab49. rdar://163218886

        REGRESSION (CheerB/LuckB): iCloud webmail attachments fail to download (cookies not forwarding to iframe request)
        rdar://163218886

        Blocking all cookies in the initial request from a sandboxed iframe is too
        restrictive. This causes website breakage in some limited cases where the
        server expects that SameSite={Lax,None} cookies are included, such as on iCloud
        web mail.

        Reverted change:

            Sandboxed iframe without same-origin flag should not have access to its site's cookies
            https://bugs.webkit.org/show_bug.cgi?id=286769
            rdar://143051787
            499@safari-7622-branch (25ef58bd202a)

        (cherry picked from commit 740fdbc5ab49a8d00e582fa79aadf88327e93f7c)

    Canonical link: https://commits.webkit.org/[email protected]

Canonical link: https://commits.webkit.org/[email protected]


Compare: https://github.com/WebKit/WebKit/compare/d762b017e3c3%5E...c552665cb401
