Branch: refs/heads/safari-7623.1.14.10-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 17ab777a94b548c46192308b16bcf939fd4d1a5c
      
https://github.com/WebKit/WebKit/commit/17ab777a94b548c46192308b16bcf939fd4d1a5c
  Author: Garrett Davidson <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesForwardDeclarations.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesSoftLink.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesSoftLink.mm
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm

  Log Message:
  -----------
  Cherry-pick 26c5e2d35d15. rdar://163746116

    Update isUserVerifyingPlatformAuthenticatorAvailable to check if the device is configured for passkeys
    https://bugs.webkit.org/show_bug.cgi?id=301598
    rdar://159192917

    Reviewed by Richard Robinson and Pascoe.

    Adopt recently-shipped AuthenticationServices API to check if the device is currently configured for passkeys,
    for use when checking isUVPAA().

    * Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesForwardDeclarations.h:
    * Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesSoftLink.h:
    * Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesSoftLink.mm:
    * Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:

    Canonical link: https://commits.webkit.org/302362@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 87d60ba8c987dc7c5a27b283fc4bc257bcb04f49
      
https://github.com/WebKit/WebKit/commit/87d60ba8c987dc7c5a27b283fc4bc257bcb04f49
  Author: BJ Burg <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/Automation/Automation.json
    M Source/WebKit/UIProcess/Automation/WebAutomationSession.cpp
    M Source/WebKit/UIProcess/Automation/WebAutomationSession.h

  Log Message:
  -----------
  Cherry-pick ebb3aa2df8ef. rdar://164016165

    Web Automation: add ability to check if browsing context exists without switching to it
    https://bugs.webkit.org/show_bug.cgi?id=301868
    <rdar://161272452>

    Reviewed by Tim Nguyen and Basuke Suzuki.

    Introduce `Automation.resolveBrowsingContext`, which performs all the browsing context
    validation steps of `Automation.switchToBrowsingContext` but doesn't switch or focus.

    An internal change to safaridriver will adopt this command when performing the remote end
    spec step to check if a browsing context is still open.

    * Source/WebKit/UIProcess/Automation/Automation.json:
    * Source/WebKit/UIProcess/Automation/WebAutomationSession.h:
    * Source/WebKit/UIProcess/Automation/WebAutomationSession.cpp:
    (WebKit::WebAutomationSession::resolveBrowsingContext):

    Canonical link: https://commits.webkit.org/302513@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 560b0346a2933413a96ec1563f0e36432d7a14fe
      
https://github.com/WebKit/WebKit/commit/560b0346a2933413a96ec1563f0e36432d7a14fe
  Author: Elika Etemad <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-fixed-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-fixed.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-expected.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-ref.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-002.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003-ref.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004-ref.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004.html
    M Source/WebCore/rendering/PositionedLayoutConstraints.cpp
    M Source/WebCore/rendering/PositionedLayoutConstraints.h

  Log Message:
  -----------
  Cherry-pick a742f82ced72. rdar://164017243

    REGRESSION(300921@main): Exclude fixed-positioned boxes from position-area scrollable CB
    https://bugs.webkit.org/show_bug.cgi?id=301880
    rdar://163955483

    Reviewed by Alan Baradlay.

    The recent fix for bug 299950 forgot to exclude fixed-positioned boxes
    from the root scrollable containing block pathway, resulting in incorrect
    layout for fixed-positioned boxes that use position-area. However, we
    still need to avoid using overflow safety to overlap the anchor when it
    would otherwise be reachable. This patch excludes fixed-positioned boxes
    from using the scrollable containing block from sizing and positioning,
    but allows them to overflow into that area when necessary.

    Tests: imported/w3c/web-platform-tests/css/css-anchor-position/position-area-fixed.html
           imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003-ref.html
           imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003.html
           imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004-ref.html
           imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004.html
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-fixed-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-fixed.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-expected.html:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-ref.html:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001.html:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-002.html:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003-expected.html: Copied from LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-expected.html.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003-ref.html: Copied from LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-expected.html.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-003.html: Copied from LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001.html.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004-expected.html: Copied from LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-expected.html.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004-ref.html: Copied from LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-001-expected.html.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-004.html: Copied from LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/position-area-overflow-icb-002.html.

    Update and add tests.

    * Source/WebCore/rendering/PositionedLayoutConstraints.cpp:
    (WebCore::PositionedLayoutConstraints::PositionedLayoutConstraints):
    (WebCore::PositionedLayoutConstraints::expandToScrollableArea const):
    (WebCore::PositionedLayoutConstraints::captureScrollableArea): Deleted.

    Adjust captureScrollableArea API to be re-usable for different LayoutRanges.
    Exempt fixed-positioned boxes from the m_containingRange adjustment.

    (WebCore::PositionedLayoutConstraints::resolveAlignmentShift const):

    Adjust overflow alignment area for fixed-positioned boxes.

    (WebCore::PositionedLayoutConstraints::containerAllowsInfiniteOverflow const):

    Add missing check for scrollable RenderView (which returns false on
    hasPotentiallyScrollableOverflow() even when the document is scrollable).

    * Source/WebCore/rendering/PositionedLayoutConstraints.h:
    (WebCore::PositionedLayoutConstraints::expandToScrollableArea):

    Canonical link: https://commits.webkit.org/302537@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 15f1b878ca4ac49029a00f3eb20cd25c263e4440
      
https://github.com/WebKit/WebKit/commit/15f1b878ca4ac49029a00f3eb20cd25c263e4440
  Author: Timothy Hatcher <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/Extensions/WebExtensionContext.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm

  Log Message:
  -----------
  Cherry-pick f86f0d4ad055. rdar://164019010

    REGRESSION (300057@main): Content scripts are injected on the wrong pages.
    https://webkit.org/b/301890
    rdar://162073778

    Reviewed by Brian Weinstein.

    When an extension declares multiple content scripts with match patterns, only the first
    script correctly respects the match patterns. Subsequent scripts in the list ignore the
    patterns and inject on all pages, and stylesheets fail to inject at all.

    The bug was introduced when converting from ObjC++ to C++ in 300057@main. The original
    code used `makeVector<String>(array)` to create a new `Vector` from an `NSArray` on each
    loop iteration. The converted code incorrectly used `WTFMove(includeMatchPatterns)` and
    `WTFMove(excludeMatchPatterns)`, which moved the pattern vectors on the first iteration,
    leaving them empty for all subsequent iterations.

    With empty match patterns, WebCore's content script matching logic treats the patterns as
    matching all pages, causing scripts to inject globally instead of on their intended targets.

    The fix changes `WTFMove(patterns)` to `Vector { patterns }`, which creates a copy of the
    pattern vectors for each script and stylesheet, matching the original behavior.

    Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm

    * Source/WebKit/UIProcess/Extensions/WebExtensionContext.cpp:
    (WebKit::WebExtensionContext::addInjectedContent): Copy vectors instead of moving in the loop.
    (WebKit::WebExtensionContext::purgeMatchedRulesFromBefore): Add a newline.
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm:
    (TestWebKitAPI::TEST(WKWebExtension, MultipleContentScriptsInjectedWhenMatched)): Added.
    (TestWebKitAPI::TEST(WKWebExtension, MultipleContentScriptsNotInjectedWhenNotMatched)): Added.

    Canonical link: https://commits.webkit.org/302546@main

Canonical link: https://commits.webkit.org/[email protected]
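
The move-in-a-loop bug described in the commit message above, reduced to standard C++ as an added example (not WebKit's code). `InjectedScript`, `globMatch`, `shouldInject` and the sample patterns, paths and URLs are hypothetical; `std::vector` and `std::move` stand in for `Vector` and `WTFMove`, and the match-all result for empty include patterns is modelled on the commit message's description.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for one injected script; not WebKit's real type.
struct InjectedScript {
    std::vector<std::string> includePatterns;
    std::vector<std::string> excludePatterns;
    std::string path;
};

// Constructed sample data.
const std::vector<std::string> kInclude = { "*://*.example.com/*" };
const std::vector<std::string> kExclude = {};
const std::vector<std::string> kPaths = { "a.js", "b.js", "c.js" };

// Minimal '*' glob matcher (assumption: real match patterns have richer rules).
bool globMatch(const std::string& pattern, const std::string& text)
{
    std::size_t p = 0, t = 0, star = std::string::npos, mark = 0;
    while (t < text.size()) {
        if (p < pattern.size() && pattern[p] == '*') {
            star = p++;          // remember the wildcard and try matching zero chars
            mark = t;
        } else if (p < pattern.size() && pattern[p] == text[t]) {
            ++p;
            ++t;
        } else if (star != std::string::npos) {
            p = star + 1;        // backtrack: let the wildcard absorb one more char
            t = ++mark;
        } else
            return false;
    }
    while (p < pattern.size() && pattern[p] == '*')
        ++p;
    return p == pattern.size();
}

// Models the described behaviour: an empty include list matches every page.
bool shouldInject(const InjectedScript& script, const std::string& url)
{
    for (const auto& pattern : script.excludePatterns)
        if (globMatch(pattern, url))
            return false;
    if (script.includePatterns.empty())
        return true;
    for (const auto& pattern : script.includePatterns)
        if (globMatch(pattern, url))
            return true;
    return false;
}

// Regressed shape: the first iteration move-constructs from the vectors, which
// leaves them empty, so every later script gets empty pattern lists.
std::vector<InjectedScript> buildWithMove(std::vector<std::string> include,
    std::vector<std::string> exclude, const std::vector<std::string>& paths)
{
    std::vector<InjectedScript> result;
    for (const auto& path : paths)
        result.push_back(InjectedScript { std::move(include), std::move(exclude), path });
    return result;
}

// Fixed shape: each script receives its own copy of the pattern vectors.
std::vector<InjectedScript> buildWithCopy(const std::vector<std::string>& include,
    const std::vector<std::string>& exclude, const std::vector<std::string>& paths)
{
    std::vector<InjectedScript> result;
    for (const auto& path : paths)
        result.push_back(InjectedScript { include, exclude, path });
    return result;
}

// Number of scripts that would be injected into the page at `url`.
std::size_t countInjected(const std::vector<InjectedScript>& scripts, const std::string& url)
{
    std::size_t count = 0;
    for (const auto& script : scripts)
        count += shouldInject(script, url) ? 1 : 0;
    return count;
}

int main()
{
    const std::string unrelated = "https://bank.test/account"; // constructed URL
    std::cout << "move: " << countInjected(buildWithMove(kInclude, kExclude, kPaths), unrelated)
              << " scripts injected on an unmatched page\n";
    std::cout << "copy: " << countInjected(buildWithCopy(kInclude, kExclude, kPaths), unrelated)
              << " scripts injected on an unmatched page\n";
    return 0;
}
```
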


  Commit: 6c6533bf3dafc3dddcce8f3ddf3bc92c688774a3
      
https://github.com/WebKit/WebKit/commit/6c6533bf3dafc3dddcce8f3ddf3bc92c688774a3
  Author: Razvan Caliman <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebInspectorUI/UserInterface/Protocol/Legacy/iOS/26.0/InspectorBackendCommands.js
    A Source/WebInspectorUI/UserInterface/Protocol/Legacy/iOS/26.2/InspectorBackendCommands.js
    M Source/WebInspectorUI/UserInterface/Protocol/Legacy/macOS/26.0/InspectorBackendCommands.js
    A Source/WebInspectorUI/UserInterface/Protocol/Legacy/macOS/26.2/InspectorBackendCommands.js
    M Source/WebInspectorUI/Versions/Inspector-iOS-26.0.json
    A Source/WebInspectorUI/Versions/Inspector-iOS-26.2.json
    M Source/WebInspectorUI/Versions/Inspector-macOS-26.0.json
    A Source/WebInspectorUI/Versions/Inspector-macOS-26.2.json

  Log Message:
  -----------
  Cherry-pick 8f97d9a80cab. rdar://164035866

    Web Inspector: Add Versioned Protocol for iOS 26.2 and macOS 26.2
    https://bugs.webkit.org/show_bug.cgi?id=301943
    rdar://156926409

    Reviewed by BJ Burg.

    Snapshot of protocol changes since 26.0
    Also, retroactively updates 26.0 snapshot with changes that shipped in that release.

    * Source/WebInspectorUI/UserInterface/Protocol/Legacy/iOS/26.0/InspectorBackendCommands.js:
    * Source/WebInspectorUI/UserInterface/Protocol/Legacy/iOS/26.2/InspectorBackendCommands.js: Copied from Source/WebInspectorUI/UserInterface/Protocol/Legacy/iOS/26.0/InspectorBackendCommands.js.
    * Source/WebInspectorUI/UserInterface/Protocol/Legacy/macOS/26.0/InspectorBackendCommands.js:
    * Source/WebInspectorUI/UserInterface/Protocol/Legacy/macOS/26.2/InspectorBackendCommands.js: Copied from Source/WebInspectorUI/UserInterface/Protocol/Legacy/macOS/26.0/InspectorBackendCommands.js.
    * Source/WebInspectorUI/Versions/Inspector-iOS-26.0.json:
    * Source/WebInspectorUI/Versions/Inspector-iOS-26.2.json: Copied from Source/WebInspectorUI/Versions/Inspector-iOS-26.0.json.
    * Source/WebInspectorUI/Versions/Inspector-macOS-26.0.json:
    * Source/WebInspectorUI/Versions/Inspector-macOS-26.2.json: Copied from Source/WebInspectorUI/Versions/Inspector-macOS-26.0.json.

    Canonical link: https://commits.webkit.org/302555@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: f4a0327fbeec9e123eee2ae357dda2715e0e12cc
      
https://github.com/WebKit/WebKit/commit/f4a0327fbeec9e123eee2ae357dda2715e0e12cc
  Author: Said Abou-Hallawa <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.cpp

  Log Message:
  -----------
  Cherry-pick f0ea9c615ad9. rdar://163447308

    REGRESSION(300463@main): Sending the fill pattern image to GPUP can cause null-pointer dereference in RemoteResourceCacheProxy::recordNativeImageUse()
    https://bugs.webkit.org/show_bug.cgi?id=301958
    rdar://163447308

    Reviewed by Simon Fraser.

    Some NativeImages may have backing stores in GPUP only. This happens when copying
    a NativeImage from a RemoteImageBuffer. Examples of this scenario are the tileImage
    of the fill and the stroke patterns.

    After 300463@main and when GPUP crashes, these NativeImages can't be recovered
    because their backing stores in GPUP are deleted. The originator RemoteImageBuffers
    are also deleted. So these images cannot be drawn until a full layout happens.

    For now, add a null check to recordNativeImageUse().

    * Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.cpp:
    (WebKit::RemoteResourceCacheProxy::recordNativeImageUse):

    Canonical link: https://commits.webkit.org/302568@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: d283969c71e21945a10e7794d9530f5f4d111eda
      
https://github.com/WebKit/WebKit/commit/d283969c71e21945a10e7794d9530f5f4d111eda
  Author: Wenson Hsieh <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    A LayoutTests/accessibility/crash-when-deleting-hidden-element-expected.txt
    A LayoutTests/accessibility/crash-when-deleting-hidden-element.html
    M Source/WebCore/editing/Editor.cpp

  Log Message:
  -----------
  Cherry-pick 8bc3a0eefb4f. rdar://164099112

    REGRESSION (298476@main): [AX] Crash under WebCore::Editor::respondToChangedContents when VoiceOver is enabled
    https://bugs.webkit.org/show_bug.cgi?id=301982
    rdar://163230929

    Reviewed by Abrar Rahman Protyasha.

    Restore a null check for `node` in `Editor::respondToChangedContents` that was (effectively) removed
    in 298476@main. Prior to that patch, we only passed a pointer into `AXObjectCache::postNotification`,
    which would become a no-op if the `node` was null. After that change, we now (incorrectly) assume
    the `node` is non-null and dereference it.

    The selection start node might be null in the case where, while processing the editing command, we
    mutated the DOM in such a way that the selection anchor is no longer connected or editable.

    Test: accessibility/crash-when-deleting-hidden-element.html

    * LayoutTests/accessibility/crash-when-deleting-hidden-element-expected.txt: Added.
    * LayoutTests/accessibility/crash-when-deleting-hidden-element.html: Added.

    Add a layout test to exercise the fix by verifying that we don't crash when accessibility is
    enabled, under this codepath.

    * Source/WebCore/editing/Editor.cpp:
    (WebCore::Editor::respondToChangedContents):

    Canonical link: https://commits.webkit.org/302581@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: d85d5300fbe54a0d6ded60fd3582eb168a8df13e
      
https://github.com/WebKit/WebKit/commit/d85d5300fbe54a0d6ded60fd3582eb168a8df13e
  Author: Rupin Mittal <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/anchor-download-intercept-reject.html
    M LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/back-same-document-intercept-reject.html
    M LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/location-href-intercept-reject.html
    M LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/navigate-same-document-intercept-reject.html
    M LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/reload-intercept-reject.html
    M Source/WebCore/page/Navigation.cpp

  Log Message:
  -----------
  Cherry-pick ee02162b1bf1. rdar://164094356

    [Navigation API] Fire an abort signal when aborting a NavigateEvent
    https://bugs.webkit.org/show_bug.cgi?id=301883
    rdar://163957784

    Reviewed by Tim Nguyen.

    Step 2 of https://html.spec.whatwg.org/#abort-a-navigateevent signals an abort
    on the event's abort controller. We also change the tests to reflect this in
    the same way that this WPT change proposal does:
    web-platform-tests/wpt#55707

    * LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/anchor-download-intercept-reject.html:
    * LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/back-same-document-intercept-reject.html:
    * LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/location-href-intercept-reject.html:
    * LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/navigate-same-document-intercept-reject.html:
    * LayoutTests/imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/reload-intercept-reject.html:
    * Source/WebCore/page/Navigation.cpp:
    (WebCore::Navigation::innerDispatchNavigateEvent):

    Canonical link: https://commits.webkit.org/302591@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 9d6b0eb10437abb0505b9fc044377933a9e37c10
      
https://github.com/WebKit/WebKit/commit/9d6b0eb10437abb0505b9fc044377933a9e37c10
  Author: Garrett Davidson <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WTF/wtf/PlatformHave.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesForwardDeclarations.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesSoftLink.h
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/AuthenticationServicesSoftLink.mm
    M Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm

  Log Message:
  -----------
  Cherry-pick 43cf71441cc9. rdar://164107543

    Safari may crash when signing in on visionOS
    https://bugs.webkit.org/show_bug.cgi?id=301954
    rdar://163973546

    Reviewed by Aditya Keerthi.

    This class isn't available on visionOS, so we should skip this check here. We didn't catch this
    earlier because it is forward declared and softlinked. These macros match the implementation of
    this class.

    * Source/WTF/wtf/PlatformHave.h:
    * Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:

    Canonical link: https://commits.webkit.org/302600@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 061ccb39dfcf8d7db18d4823d8e47b5070ad658d
      
https://github.com/WebKit/WebKit/commit/061ccb39dfcf8d7db18d4823d8e47b5070ad658d
  Author: Dan Robson <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: ad7afe0c1a786067e8a91d4884a54fae97154d2b
      
https://github.com/WebKit/WebKit/commit/ad7afe0c1a786067e8a91d4884a54fae97154d2b
  Author: Kiara Rose <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/Extensions/WebExtensionContext.cpp

  Log Message:
  -----------
  Cherry-pick 3bef62dc303f. rdar://164123350

    Incorrect date passed when removing expired permission match patterns
    https://bugs.webkit.org/show_bug.cgi?id=302029
    rdar://164108150

    Reviewed by Timothy Hatcher and Brian Weinstein.

    We should be using m_nextGrantedPermissionMatchPatternsExpirationDate
    instead of m_nextGrantedPermissionsExpirationDate.

    * Source/WebKit/UIProcess/Extensions/WebExtensionContext.cpp:
    (WebKit::WebExtensionContext::setGrantedPermissions):
    Remove duplicate call for adding the permission.
    (WebKit::WebExtensionContext::setGrantedPermissionMatchPatterns):
    (WebKit::WebExtensionContext::permissionState):
    Fix asserts. They'll always pass.

    Canonical link: https://commits.webkit.org/302610@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: ca5fe33faa146c800a643dd3c1ae149de3e518d2
      
https://github.com/WebKit/WebKit/commit/ca5fe33faa146c800a643dd3c1ae149de3e518d2
  Author: Kiara Rose <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/Extensions/WebExtension.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm

  Log Message:
  -----------
  Cherry-pick 3a0125954abc. rdar://164123266

    Crash at WebKit::WebExtension::populateActionPropertiesIfNeeded
    https://bugs.webkit.org/show_bug.cgi?id=302028
    rdar://164059373

    Reviewed by Timothy Hatcher.

    We were unconditionally grabbing the value off the icon result, regardless if there was an error or
    not. Fix this by only grabbing the result if there is no error.

    Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm
    * Source/WebKit/UIProcess/Extensions/WebExtension.cpp:
    (WebKit::WebExtension::populateActionPropertiesIfNeeded):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebExtension.mm:
    (TestWebKitAPI::TEST(WKWebExtension, ActionParsing)):
    Verified this test crashing without the change, and passes with the change.

    Canonical link: https://commits.webkit.org/302611@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 31c31ba8d30d313f6ef4323318f0321dd843e29a
      
https://github.com/WebKit/WebKit/commit/31c31ba8d30d313f6ef4323318f0321dd843e29a
  Author: Andy Estes <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/platform/cocoa/VideoPresentationModel.h
    M Source/WebCore/platform/cocoa/VideoPresentationModelVideoElement.h
    M Source/WebCore/platform/cocoa/VideoPresentationModelVideoElement.mm
    M Source/WebCore/platform/graphics/cocoa/NullVideoPresentationInterface.h
    M Source/WebCore/platform/ios/VideoPresentationInterfaceIOS.h
    M Source/WebCore/platform/ios/VideoPresentationInterfaceIOS.mm
    M Source/WebCore/platform/ios/WebVideoFullscreenControllerAVKit.mm
    M Source/WebCore/platform/mac/VideoPresentationInterfaceMac.h
    M Source/WebCore/platform/mac/VideoPresentationInterfaceMac.mm
    M Source/WebKit/Platform/ios/VideoPresentationInterfaceLMK.mm
    M Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.h
    M Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.h
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.h
    M Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm
    M Source/WebKit/WebProcess/cocoa/VideoPresentationManager.mm

  Log Message:
  -----------
  Cherry-pick dd4b8a6a214f. rdar://163974170

    [visionOS] Chrome missing after exiting spatial fullscreen on uploadvr.com
    https://bugs.webkit.org/show_bug.cgi?id=301851
    rdar://159979195

    Reviewed by Jer Noble.

    The following order of events can cause window chrome to be hidden in the WKWebView's window after
    watching a video in spatial fullscreen:

    1. The user enters element fullscreen; WKFullscreenWindowController saves the state of the
       WKWebView window’s chrome, then hides the chrome.
    2. The user enters spatial fullscreen; LinearMediaKit saves the state of the WKWebView window’s
       chrome, then hides the chrome again.
    3. The website calls document.exitFullscreen(); WKFullscreenWindowController closes the element
       fullscreen window and restores the saved state of the WKWebView window’s chrome.
    4. The user exits spatial fullscreen; LinearMediaKit restores the saved state of the WKWebView
       window’s chrome.

    Since when LinearMediaKit saved the state of the window chrome it was hidden, it is restored to a
    hidden state in (4) even though it was previously made visible in (3).

    Resolved this by checking if the native fullscreen-eligible video is in fullscreen when exiting
    element fullscreen. If it is, WKFullscreenWindowController retains _parentWindowState so that it
    can be later restored when native fullscreen exits. Made WKFullscreenWindowController a client of
    the VideoPresentationModel that enters spatial fullscreen (or any other native fullscreen mode) so
    that it can learn when the user exits native fullscreen (which required adding a new
    VideoPresentationModelClient callback), and when they do, used _parentWindowState to restore window
    chrome (as well as other state like ornaments and resizing behavior).

    * Source/WebCore/platform/cocoa/VideoPresentationModel.h:
    (WebCore::VideoPresentationModelClient::fullscreenModeChanged):
    * Source/WebCore/platform/cocoa/VideoPresentationModelVideoElement.h:
    * Source/WebCore/platform/cocoa/VideoPresentationModelVideoElement.mm:
    (WebCore::VideoPresentationModelVideoElement::fullscreenModeChanged):
    * Source/WebCore/platform/ios/VideoPresentationInterfaceIOS.h:
    * Source/WebCore/platform/ios/VideoPresentationInterfaceIOS.mm:
    (WebCore::VideoPresentationInterfaceIOS::enterFullscreenHandler):
    (WebCore::VideoPresentationInterfaceIOS::exitFullscreenHandler):
    (WebCore::VideoPresentationInterfaceIOS::didStartPictureInPicture):
    (WebCore::VideoPresentationInterfaceIOS::failedToStartPictureInPicture):
    (WebCore::VideoPresentationInterfaceIOS::didStopPictureInPicture):
    (WebCore::VideoPresentationInterfaceIOS::setMode):
    (WebCore::VideoPresentationInterfaceIOS::clearMode):
    * Source/WebCore/platform/ios/WebVideoFullscreenControllerAVKit.mm:
    (VideoFullscreenControllerContext::fullscreenModeChanged):
    * Source/WebKit/Platform/ios/VideoPresentationInterfaceLMK.mm:
    (WebKit::VideoPresentationInterfaceLMK::swapFullscreenModesWith):
    * Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.h:
    * Source/WebKit/UIProcess/Cocoa/VideoPresentationManagerProxy.mm:
    (WebKit::VideoPresentationModelContext::fullscreenModeChanged):
    (WebKit::VideoPresentationManagerProxy::setVideoFullscreenMode):
    (WebKit::VideoPresentationManagerProxy::didCleanupFullscreen):
    * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.h:
    * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenViewController.mm:
    (-[WKFullScreenViewController invalidate]):
    (-[WKFullScreenViewController _bestVideoPresentationInterface]):
    (-[WKFullScreenViewController configureEnvironmentPickerOrFullscreenVideoButtonView]):
    (-[WKFullScreenViewController _playbackSessionInterface]):
    (-[WKFullScreenViewController _enterVideoFullscreenAction:]):
    * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.h:
    * Source/WebKit/UIProcess/ios/fullscreen/WKFullScreenWindowControllerIOS.mm:
    (-[WKFullScreenWindowController initWithWebView:]):
    (-[WKFullScreenWindowController _completedExitFullScreen:]):
    (-[WKFullScreenWindowController _isBestVideoInFullScreen]):
    (-[WKFullScreenWindowController _shouldShowOrnaments]):
    (-[WKFullScreenWindowController _performSpatialFullScreenTransition:completionHandler:]):
    (-[WKFullScreenWindowController bestVideoFullscreenModeChanged]):
    (-[WKFullScreenWindowController fullScreenViewControllerDidInvalidate:]):
    (-[WKFullScreenWindowController fullScreenViewController:bestVideoPresentationInterfaceDidChange:]):
    * Source/WebKit/WebProcess/cocoa/VideoPresentationManager.mm:
    (WebKit::VideoPresentationManager::fullscreenModeChanged):

    Canonical link: https://commits.webkit.org/302506@main

Identifier: 301765.265@safari-7623-branch
(cherry picked from commit 2216a214c74fcd5d96dc169c470b8aa19c3adfc2)

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 84492f98f765deec3e61da2cad9f66a295217eb7
      
https://github.com/WebKit/WebKit/commit/84492f98f765deec3e61da2cad9f66a295217eb7
  Author: Matt Woodrow <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    A LayoutTests/compositing/repaint/change-opacity-visibility-hidden-expected.txt
    A LayoutTests/compositing/repaint/change-opacity-visibility-hidden.html
    M LayoutTests/fast/repaint/incorrect-repaint-when-child-layer-overflows-expected.txt
    M LayoutTests/svg/compositing/transform-change-repainting-viewBox-repaintRects-expected.txt
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/rendering/RenderLayer.h

  Log Message:
  -----------
  Cherry-pick 4d0d8131db61. rdar://161367545

    REGRESSION(294225@main): apple.com Careers menu items disappear after animating in.
    https://bugs.webkit.org/show_bug.cgi?id=301538
    <rdar://161367545>

    Reviewed by Simon Fraser.

    Visibility hidden can be overridden by descendants, we need to track repaint rects if anything in the tree
    is visible, not just the current layer.

    Test: compositing/repaint/change-opacity-visibility-hidden.html

    * LayoutTests/compositing/repaint/change-opacity-visibility-hidden-expected.txt: Added.
    * LayoutTests/compositing/repaint/change-opacity-visibility-hidden.html: Added.
    * LayoutTests/fast/repaint/incorrect-repaint-when-child-layer-overflows-expected.txt:
    * LayoutTests/svg/compositing/transform-change-repainting-viewBox-repaintRects-expected.txt:
    * Source/WebCore/rendering/RenderElement.cpp:
    (WebCore::RenderElement::repaintBeforeStyleChange):
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::recursiveUpdateLayerPositions):
    (WebCore::RenderLayer::computeRepaintRects):
    (WebCore::RenderLayer::calculateClipRects const):
    * Source/WebCore/rendering/RenderLayer.h:

    Canonical link: https://commits.webkit.org/302255@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: fc53727c6f33897a383e03691dfbbb42e43370fc
      
https://github.com/WebKit/WebKit/commit/fc53727c6f33897a383e03691dfbbb42e43370fc
  Author: Eric Carlson <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M LayoutTests/http/tests/media/hls/track-in-band-hls-metadata-cue-duration.html
    M Source/WebCore/platform/cocoa/SerializedPlatformDataCueValue.mm

  Log Message:
  -----------
  Cherry-pick 01952a527b50. rdar://161687917

    REGRESSION (Safari 26): Live HLS ID3 timed metadata cues mapped with endTime = Infinity cause TextTrack.activeCues to include all past cues indefinitely
    https://bugs.webkit.org/show_bug.cgi?id=299853
    rdar://161687917

    Reviewed by Jer Noble.

    274146@main changed the way SerializedPlatformDataCueValue objects are compared so instead
    of creating the native NSObjects and comparing them, every field in the internal Data struct
    is compared directly. The `locale` field is an NSLocale, so values are compared with `isEqual:`,
    but because any message to a nil NSObject returns a falsy value,
    `SerializedPlatformDataCueValue::Data::operator==` always returns false if the data cue
    doesn't have a locale.

    track-in-band-hls-metadata-cue-duration.html was updated for this fix.

    * LayoutTests/http/tests/media/hls/track-in-band-hls-metadata-cue-duration.html:
    * Source/WebCore/platform/cocoa/SerializedPlatformDataCueValue.mm:
    (WebCore::SerializedPlatformDataCueValue::Data::operator== const):

    Canonical link: https://commits.webkit.org/302395@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 6b70aac4c0d4ef9ad90a928cedf53a2cc1ad5905
      
https://github.com/WebKit/WebKit/commit/6b70aac4c0d4ef9ad90a928cedf53a2cc1ad5905
  Author: BJ Burg <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/inspector/agents/InspectorAnimationAgent.cpp
    M Source/WebCore/inspector/agents/InspectorAnimationAgent.h

  Log Message:
  -----------
  Cherry-pick bb6619c24211. rdar://162052589

    Web Inspector: adopt more smart pointers in InspectorAnimationAgent (part 2)
    https://bugs.webkit.org/show_bug.cgi?id=300926

    Reviewed by Devin Rousso.

    No new tests, no behavior change.

    * Source/WebCore/inspector/agents/InspectorAnimationAgent.cpp:
    (WebCore::InspectorAnimationAgent::resolveAnimation):
    Do not resolve/bind an animation if its ScriptExecutionContext is gone.
    (WebCore::InspectorAnimationAgent::findAnimationId):
    (WebCore::InspectorAnimationAgent::bindAnimation):

    * Source/WebCore/inspector/agents/InspectorAnimationAgent.h:
    Use a WeakRef since we don't expect these references to become null.
    We nonetheless should not extend the lifetime of the WebAnimation objects.

    Canonical link: https://commits.webkit.org/302497@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 71e3e65148edac8cdde0e33d3b09d8b0692dd640
      
https://github.com/WebKit/WebKit/commit/71e3e65148edac8cdde0e33d3b09d8b0692dd640
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/runtime/VM.h
    M Source/JavaScriptCore/runtime/VMManager.cpp

  Log Message:
  -----------
  Cherry-pick d3494187c3d3. rdar://164088401

    [JSC] VM::m_isInService should be initialized before VMThreadContext
    https://bugs.webkit.org/show_bug.cgi?id=302043
    rdar://164088401

    Reviewed by Mark Lam.

    After VMThreadContext is initialized, VM is exposed to the other
    concurrent threads. So any threads can see this VM via
    VMManager::forEachVM etc. We are checking `VM::isInService()` before
    using in each thread to ensure that VM is already finalizing its
    initialization. However this method is reading a bool field
    `VM::m_isInService`, and it is initialized after VMThreadContext is
    initialized. This means that it is possible that the concurrent thread
    will see a stale value which exists from the allocated memory. If it is
    not 0, then we accidentally see this VM as in-service while it is not
    yet. This patch moves this field ordering to ensure that initialization
    of this field is done before initializing VMThreadContext. And we also
    ensure that this bool field is `false` when initializing VMThreadContext
    since we are not fully initializing VM yet.

    * Source/JavaScriptCore/runtime/VM.h:
    * Source/JavaScriptCore/runtime/VMManager.cpp:
    (JSC::VMThreadContext::VMThreadContext):

    Canonical link: https://commits.webkit.org/302617@main

Canonical link: https://commits.webkit.org/[email protected]
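
The member-ordering problem described in the commit message above, as an added C++ example that is not WebKit's code: C++ constructs non-static data members in declaration order, so a member whose constructor makes the object reachable by other threads runs before every member declared after it. `Trace`, `InServiceFlag`, `PublishingContext`, `VmBefore` and `VmAfter` are hypothetical stand-ins, not JavaScriptCore types.

```cpp
#include <cstdio>

// Records what was true at the moment the object became visible to others.
struct Trace {
    bool flagInitialized = false;          // set once the flag's constructor has run
    bool publishedBeforeFlagInit = false;  // set if publication happened first
};

// Stand-in for the bool in-service field (hypothetical type).
struct InServiceFlag {
    explicit InServiceFlag(Trace& trace)
        : value(false)
    {
        trace.flagInitialized = true;
    }
    bool value;
};

// Stand-in for the member whose constructor exposes the owner to concurrent
// readers. Instead of touching the (possibly uninitialized) flag, it records
// whether the flag had been constructed yet, which keeps the demo well-defined.
struct PublishingContext {
    explicit PublishingContext(Trace& trace)
    {
        trace.publishedBeforeFlagInit = !trace.flagInitialized;
    }
};

// "Before" layout: the publishing member is declared first, so it is
// constructed first. A reader that finds the object through the registry at
// this point would read whatever bytes the allocation already held.
struct VmBefore {
    explicit VmBefore(Trace& trace)
        : context(trace)
        , isInService(trace)
    {
    }
    PublishingContext context;
    InServiceFlag isInService;
};

// "After" layout: the flag is declared (and therefore constructed, to false)
// before the publishing member. Only the declaration order changed.
struct VmAfter {
    explicit VmAfter(Trace& trace)
        : isInService(trace)
        , context(trace)
    {
    }
    InServiceFlag isInService;
    PublishingContext context;
};

// Returns true when the object was published before its flag was initialized.
template<typename Vm>
bool publishedBeforeFlagInit()
{
    Trace trace;
    Vm vm(trace);
    (void)vm;
    return trace.publishedBeforeFlagInit;
}

int main()
{
    std::printf("before layout, published early: %d\n", publishedBeforeFlagInit<VmBefore>());
    std::printf("after layout,  published early: %d\n", publishedBeforeFlagInit<VmAfter>());
    return 0;
}
```

Reordering the entries in a constructor's initializer list does not change this; only the declaration order in the class does, which is why compilers offer `-Wreorder`.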


  Commit: 5f1f534a844a133564c227bf794db5701452c490
      
https://github.com/WebKit/WebKit/commit/5f1f534a844a133564c227bf794db5701452c490
  Author: Joshua Hoffman <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/accessibility/AccessibilityObject.cpp

  Log Message:
  -----------
  Cherry-pick d1fe86c49d8d. rdar://164144237

    AX: Page needs to be null-checked in focusedUIElementInAnyLocalFrame
    https://bugs.webkit.org/show_bug.cgi?id=302022
    rdar://164088439

    Reviewed by Chris Fleizach and Tyler Wilcock.

    The null check for `page` in this method was removed when it was re-written
    in 300491@main. This adds it back to avoid crashing.

    * Source/WebCore/accessibility/AccessibilityObject.cpp:
    (WebCore::AccessibilityObject::focusedUIElementInAnyLocalFrame const):

    Canonical link: https://commits.webkit.org/302620@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 7ca9e7b0ce09797eeab9ef7d8b40d7526dfed2b7
      
https://github.com/WebKit/WebKit/commit/7ca9e7b0ce09797eeab9ef7d8b40d7526dfed2b7
  Author: Per Arne Vollan <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    A LayoutTests/contentfiltering/delay-willsendrequest-decision-expected.html
    A LayoutTests/contentfiltering/delay-willsendrequest-decision.html
    M Source/WebCore/loader/ContentFilter.cpp
    M Source/WebCore/loader/ContentFilter.h
    M Source/WebCore/platform/PlatformContentFilter.h
    M Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.h
    M Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.mm
    M Source/WebCore/platform/cocoa/ParentalControlsContentFilter.h
    M Source/WebCore/platform/cocoa/ParentalControlsContentFilter.mm
    M Source/WebCore/testing/MockContentFilter.cpp
    M Source/WebCore/testing/MockContentFilter.h
    M Source/WebCore/testing/MockContentFilterSettings.cpp
    M Source/WebCore/testing/MockContentFilterSettings.h
    M Source/WebCore/testing/MockContentFilterSettings.idl
    M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
    M Source/WebKit/NetworkProcess/NetworkResourceLoader.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Cherry-pick f5665ae82cc3. rdar://151461666

    The ContentFilter method continueAfterWillSendRequest should use a completion handler
    https://bugs.webkit.org/show_bug.cgi?id=301189
    rdar://151461666

    Reviewed by Chris Dumez and Sihui Liu.

    The ContentFilter method continueAfterWillSendRequest should use a completion handler to avoid blocking
    the main thread waiting for a decision that can take a significant amount of time. In particular, it is
    the NetworkExtensionContentFilter that can take a long time. For this reason, it is currently doing the
    work on a non-main thread, and we have a binary semaphore that we use to wait synchronously for the
    decision. Performing this work on the main thread can block other network requests. To avoid blocking
    the main thread waiting for a semaphore, we should instead use a completion handler. This patch adds no
    new threads, but is instead introducing a completion handler that is called when the decision is ready.

    Before this change, the responsiveness timer in the UI process would terminate the Networking process
    if the content filter was blocking the main thread for more than 6s. This issue is resolved with this
    patch.

    Test: contentfiltering/delay-willsendrequest-decision.html

    * Source/WebCore/loader/ContentFilter.cpp:
    (WebCore::ContentFilter::continueAfterWillSendRequest):
    (WebCore::ContentFilter::ContentFilterCallbackAggregator::~ContentFilterCallbackAggregator):
    (WebCore::ContentFilter::ContentFilterCallbackAggregator::didReceivePlatformContentFilterDecision):
    (WebCore::ContentFilter::ContentFilterCallbackAggregator::ContentFilterCallbackAggregator):
    (WebCore::ContentFilter::anyContentFilterIsEnabled const):
    * Source/WebCore/loader/ContentFilter.h:
    (WebCore::ContentFilter::ContentFilterCallbackAggregator::create):
    * Source/WebCore/platform/PlatformContentFilter.h:
    (WebCore::PlatformContentFilter::isEnabled const):
    * Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.h:
    * Source/WebCore/platform/cocoa/NetworkExtensionContentFilter.mm:
    (WebCore::NetworkExtensionContentFilter::willSendRequest):
    * Source/WebCore/platform/cocoa/ParentalControlsContentFilter.h:
    * Source/WebCore/platform/cocoa/ParentalControlsContentFilter.mm:
    (WebCore::ParentalControlsContentFilter::willSendRequest):
    * Source/WebCore/testing/MockContentFilter.cpp:
    (WebCore::MockContentFilter::willSendRequest):
    * Source/WebCore/testing/MockContentFilter.h:
    * Source/WebCore/testing/MockContentFilterSettings.cpp:
    (WebCore::MockContentFilterSettings::setWillSendRequestDecisionDelay):
    * Source/WebCore/testing/MockContentFilterSettings.h:
    (WebCore::MockContentFilterSettings::willSendRequestDecisionDelay const):
    * Source/WebCore/testing/MockContentFilterSettings.idl:
    * Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
    (WebKit::NetworkResourceLoader::startContentFiltering):
    (WebKit::NetworkResourceLoader::startWithServiceWorker):
    * Source/WebKit/NetworkProcess/NetworkResourceLoader.h:
    * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

    Canonical link: https://commits.webkit.org/302627@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: f8c4b746bf340d4df6bdc86bdf59641af487ac55
      
https://github.com/WebKit/WebKit/commit/f8c4b746bf340d4df6bdc86bdf59641af487ac55
  Author: Youenn Fablet <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/Modules/streams/StreamPipeToUtilities.cpp

  Log Message:
  -----------
  Cherry-pick 6e95d94a448e. rdar://164088592

    StreamPipeToState::doWrite needs to handle a null write promise
    rdar://164088592
    https://bugs.webkit.org/show_bug.cgi?id=302067

    Reviewed by Chris Dumez.

    In case of a worker, the write operation may result in an exception, leading to a null promise.
    In that case, we bail out.

    * Source/WebCore/Modules/streams/StreamPipeToUtilities.cpp:
    (WebCore::StreamPipeToState::doWrite):

    Canonical link: https://commits.webkit.org/302645@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: cc3976131624f43e4922ccb640149325e4b835a2
      
https://github.com/WebKit/WebKit/commit/cc3976131624f43e4922ccb640149325e4b835a2
  Author: Chris Dumez <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/bindings/js/JSNavigateEventCustom.cpp
    M Source/WebCore/bindings/js/JSNavigationCustom.cpp
    M Source/WebCore/dom/Microtasks.h
    M Source/WebCore/page/NavigateEvent.cpp
    M Source/WebCore/page/NavigateEvent.h
    M Source/WebCore/page/NavigateEvent.idl
    M Source/WebCore/page/Navigation.h

  Log Message:
  -----------
  Cherry-pick 86a2114b3e46. rdar://164109145

    imported/w3c/web-platform-tests/navigation-api/ordering-and-transition/navigate-204-205-download-then-same-document.html is a flaky crash
    https://bugs.webkit.org/show_bug.cgi?id=301894

    Reviewed by Ryosuke Niwa.

    The crash was due to the Navigation object not marking its associated
    ongoing NavigateEvent when getting visited. Similarly, the NavigateEvent
    would fail to mark its associated AbortSignal when visited. As a result,
    the AbortSignal's JS wrapper could get garbage collected and we would
    crash trying to dispatch the abort event on it.

    The test was flakily crashing in debug before this change and is now
    reliably passing.

    * Source/WebCore/Sources.txt:
    * Source/WebCore/WebCore.xcodeproj/project.pbxproj:
    * Source/WebCore/bindings/js/JSNavigateEventCustom.cpp:
    (WebCore::JSNavigateEvent::visitAdditionalChildren):
    * Source/WebCore/bindings/js/JSNavigationCustom.cpp: Copied from Source/WebCore/bindings/js/JSNavigateEventCustom.cpp.
    (WebCore::JSNavigation::visitAdditionalChildren):
    * Source/WebCore/dom/Microtasks.h:
    * Source/WebCore/page/NavigateEvent.cpp:
    (WebCore::root):
    * Source/WebCore/page/NavigateEvent.h:
    * Source/WebCore/page/NavigateEvent.idl:
    * Source/WebCore/page/Navigation.h:
    * Source/WebCore/page/Navigation.idl:

    Canonical link: https://commits.webkit.org/302530@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: eb89d677d74811c1b7aa15b3652a7b990f977014
      
https://github.com/WebKit/WebKit/commit/eb89d677d74811c1b7aa15b3652a7b990f977014
  Author: Tyler Wilcock <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/accessibility/AXObjectCache.cpp
    M Source/WebCore/accessibility/AXObjectCache.h
    M Source/WebCore/accessibility/atspi/AXObjectCacheAtspi.cpp
    M Source/WebCore/accessibility/ios/AXObjectCacheIOS.mm
    M Source/WebCore/accessibility/mac/AXObjectCacheMac.mm
    M Source/WebCore/accessibility/playstation/AXObjectCachePlayStation.cpp
    M Source/WebCore/accessibility/win/AXObjectCacheWin.cpp

  Log Message:
  -----------
  Cherry-pick 1523cf6f4b3c. rdar://164189675

    AX: frameLoadingEventNotification calls getOrCreate even when it's unnecessary and potentially unsafe (e.g. when layout is dirty)
    https://bugs.webkit.org/show_bug.cgi?id=302035
    rdar://164059225

    Reviewed by Joshua Hoffman.

    On Cocoa ports, we have found CheckedPtr crashes stemming from the getOrCreate(RenderObject&) performed by:

    FrameLoader::prepareForLoadStart() -> AXObjectCache::frameLoadingEventNotification

    This probably means layout is dirty when we're calling this getOrCreate, but I can't say for sure because I haven't been
    able to reproduce this crash. Work around the issue for now by avoiding the getOrCreate if the AXLoadingEvent type is
    one that the platform is going to ignore anyways.

    * Source/WebCore/accessibility/AXObjectCache.cpp:
    (WebCore::AXObjectCache::frameLoadingEventNotification):
    * Source/WebCore/accessibility/AXObjectCache.h:
    * Source/WebCore/accessibility/atspi/AXObjectCacheAtspi.cpp:
    (WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
    * Source/WebCore/accessibility/ios/AXObjectCacheIOS.mm:
    (WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
    * Source/WebCore/accessibility/mac/AXObjectCacheMac.mm:
    (WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
    * Source/WebCore/accessibility/playstation/AXObjectCachePlayStation.cpp:
    (WebCore::AXObjectCache::frameLoadingEventPlatformNotification):
    * Source/WebCore/accessibility/win/AXObjectCacheWin.cpp:
    (WebCore::AXObjectCache::frameLoadingEventPlatformNotification):

    Canonical link: https://commits.webkit.org/302668@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: f9fcc1c82bc206a6aac369a860b318878bc46b64
      
https://github.com/WebKit/WebKit/commit/f9fcc1c82bc206a6aac369a860b318878bc46b64
  Author: Russell Epstein <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M LayoutTests/fast/repaint/hidpi-content-inside-iframe-leaves-trails-expected.txt
    M LayoutTests/fast/repaint/hidpi-content-inside-iframe-leaves-trails.html
    M LayoutTests/fast/repaint/iframe-on-subpixel-position-expected.txt
    M LayoutTests/platform/mac-sequoia-wk2/fast/repaint/iframe-on-subpixel-position-expected.txt
    M LayoutTests/platform/mac-wk2/fast/repaint/iframe-on-subpixel-position-expected.txt
    M Source/WebCore/rendering/RenderView.cpp
    M Source/WebCore/rendering/RenderView.h

  Log Message:
  -----------
  Revert "Cherry-pick 7ca23d97bf74. rdar://163507577"

This reverts commit bf72106c60ffb2557ab454d02e3e4c3e9b901621.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 4a5f8575f606628616b5ea985a662483761aacfc
      
https://github.com/WebKit/WebKit/commit/4a5f8575f606628616b5ea985a662483761aacfc
  Author: Antti Koivisto <[email protected]>
  Date:   2025-11-06 (Thu, 06 Nov 2025)

  Changed paths:
    M Source/WebCore/accessibility/AccessibilityObject.cpp
    M Source/WebCore/accessibility/AccessibilityRenderObject.cpp
    M Source/WebCore/animation/KeyframeEffect.cpp
    M Source/WebCore/animation/WebAnimationUtilities.cpp
    M Source/WebCore/css/CSSSelector.cpp
    M Source/WebCore/css/CSSSelector.h
    M Source/WebCore/css/SelectorChecker.cpp
    M Source/WebCore/css/SelectorChecker.h
    M Source/WebCore/css/parser/CSSSelectorParser.cpp
    M Source/WebCore/cssjit/SelectorCompiler.cpp
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Element.h
    M Source/WebCore/dom/ElementInlines.h
    M Source/WebCore/dom/Node.h
    M Source/WebCore/dom/NodeInlines.h
    M Source/WebCore/dom/PseudoElement.cpp
    M Source/WebCore/dom/PseudoElement.h
    M Source/WebCore/dom/ViewTransition.cpp
    M Source/WebCore/inspector/agents/InspectorCSSAgent.cpp
    M Source/WebCore/inspector/agents/InspectorCSSAgent.h
    M Source/WebCore/inspector/agents/InspectorDOMAgent.cpp
    M Source/WebCore/inspector/agents/InspectorLayerTreeAgent.cpp
    M Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp
    M Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
    M Source/WebCore/page/LocalFrameView.cpp
    M Source/WebCore/rendering/MarkedText.cpp
    M Source/WebCore/rendering/RenderBlock.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBoxModelObject.h
    M Source/WebCore/rendering/RenderCounter.cpp
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderElement.h
    M Source/WebCore/rendering/RenderElementInlines.h
    M Source/WebCore/rendering/RenderInline.cpp
    M Source/WebCore/rendering/RenderLayerBacking.cpp
    M Source/WebCore/rendering/RenderLayerCompositor.cpp
    M Source/WebCore/rendering/RenderLayerScrollableArea.cpp
    M Source/WebCore/rendering/RenderListItem.cpp
    M Source/WebCore/rendering/RenderReplaced.cpp
    M Source/WebCore/rendering/RenderScrollbar.cpp
    M Source/WebCore/rendering/RenderScrollbar.h
    M Source/WebCore/rendering/RenderTextFragment.cpp
    M Source/WebCore/rendering/RenderViewTransitionCapture.cpp
    M Source/WebCore/rendering/StyledMarkedText.cpp
    M Source/WebCore/rendering/TextAutoSizing.cpp
    M Source/WebCore/rendering/TextDecorationPainter.cpp
    M Source/WebCore/rendering/TextDecorationPainter.h
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.h
    M Source/WebCore/rendering/style/RenderStyleConstants.cpp
    M Source/WebCore/rendering/style/RenderStyleConstants.h
    M Source/WebCore/rendering/style/RenderStyleInlines.h
    M Source/WebCore/rendering/style/RenderStyleSetters.h
    M Source/WebCore/rendering/svg/SVGTextBoxPainter.cpp
    M Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp
    M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
    M Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.cpp
    M Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.h
    M Source/WebCore/rendering/updating/RenderTreeUpdaterViewTransition.cpp
    M Source/WebCore/style/AnchorPositionEvaluator.cpp
    M Source/WebCore/style/ElementRuleCollector.cpp
    M Source/WebCore/style/ElementRuleCollector.h
    M Source/WebCore/style/MatchedDeclarationsCache.cpp
    M Source/WebCore/style/PropertyAllowlist.cpp
    M Source/WebCore/style/PropertyAllowlist.h
    M Source/WebCore/style/PseudoElementIdentifier.h
    M Source/WebCore/style/PseudoElementRequest.h
    M Source/WebCore/style/RuleData.cpp
    M Source/WebCore/style/StylableInlines.h
    M Source/WebCore/style/StyleAdjuster.cpp
    M Source/WebCore/style/StyleBuilderState.cpp
    M Source/WebCore/style/StyleChange.cpp
    M Source/WebCore/style/StylePendingResources.cpp
    M Source/WebCore/style/StyleResolver.cpp
    M Source/WebCore/style/StyleTreeResolver.cpp
    M Source/WebCore/style/Styleable.cpp
    M Source/WebCore/testing/Internals.cpp

  Log Message:
  -----------
  Cherry-pick a25210285dc7. rdar://163571796

    Rename PseudoId to PseudoElementType
    https://bugs.webkit.org/show_bug.cgi?id=300982
    rdar://problem/162862210

    Reviewed by Tim Nguyen.

    Use a less vague name for this enum.
    Also some related renamings and cleanups.

    This patch does not touch Inspector or the inspector protocol where the old name is still used.

    * Source/WebCore/accessibility/AccessibilityObject.cpp:
    (WebCore::AccessibilityObject::shouldCacheStringValue const):
    * Source/WebCore/accessibility/AccessibilityRenderObject.cpp:
    (WebCore::AccessibilityRenderObject::textRuns):
    * Source/WebCore/animation/KeyframeEffect.cpp:
    (WebCore::KeyframeEffect::isCurrentlyAffectingProperty const):
    (WebCore::KeyframeEffect::computeHasSizeDependentTransform):
    * Source/WebCore/animation/WebAnimationUtilities.cpp:
    (WebCore::compareStyleOriginatedAnimationOwningElementPositionsInDocumentTreeOrder):
    (WebCore::pseudoElementIdentifierAsString):
    * Source/WebCore/css/CSSSelector.cpp:
    (WebCore::CSSSelector::stylePseudoElementTypeFor):
    (WebCore::CSSSelector::pseudoId): Deleted.
    * Source/WebCore/css/CSSSelector.h:
    * Source/WebCore/css/SelectorChecker.cpp:
    (WebCore::SelectorChecker::CheckingContext::setRequestedPseudoElement):
    (WebCore::SelectorChecker::CheckingContext::requestedPseudoElement const):
    (WebCore::SelectorChecker::match const):
    (WebCore::SelectorChecker::matchHostPseudoClass const):
    (WebCore::hasViewTransitionPseudoElement):
    (WebCore::hasScrollbarPseudoElement):
    (WebCore::SelectorChecker::matchRecursively const):
    (WebCore::SelectorChecker::checkOne const):
    (WebCore::SelectorChecker::matchSelectorList const):
    (WebCore::SelectorChecker::matchHasPseudoClass const):
    (WebCore::SelectorChecker::checkViewTransitionPseudoClass const):
    * Source/WebCore/css/SelectorChecker.h:
    * Source/WebCore/css/parser/CSSSelectorParser.cpp:
    (WebCore::pseudoElementIdentifierFor):
    (WebCore::CSSSelectorParser::parsePseudoElement):
    * Source/WebCore/cssjit/SelectorCompiler.cpp:
    (WebCore::SelectorCompiler::SelectorCodeGenerator::generateSelectorChecker):
    (WebCore::SelectorCompiler::SelectorCodeGenerator::generateRequestedPseudoElementEqualsToSelectorPseudoElement):
    (WebCore::SelectorCompiler::SelectorCodeGenerator::generateMarkPseudoStyleForPseudoElement):
    * Source/WebCore/dom/Document.cpp:
    (WebCore::Document::styleForElementIgnoringPendingStylesheets):
    * Source/WebCore/dom/Element.cpp:
    (WebCore::beforeOrAfterPseudoElement):
    (WebCore::Element::computedStyle):
    (WebCore::Element::ensurePseudoElement):
    (WebCore::Element::pseudoElementIfExists):
    * Source/WebCore/dom/Element.h:
    * Source/WebCore/dom/ElementInlines.h:
    (WebCore::isInTopLayerOrBackdrop):
    * Source/WebCore/dom/Node.h:
    * Source/WebCore/dom/NodeInlines.h:
    (WebCore::Node::isBeforePseudoElement const):
    (WebCore::Node::isAfterPseudoElement const):
    (WebCore::Node::pseudoElementType const):
    (WebCore::Node::pseudoElementIdentifier const):
    (WebCore::Node::pseudoId const): Deleted.
    * Source/WebCore/dom/PseudoElement.cpp:
    (WebCore::PseudoElement::PseudoElement):
    (WebCore::m_pseudoElementType):
    (WebCore::PseudoElement::create):
    (WebCore::PseudoElement::rendererIsNeeded):
    (WebCore::m_pseudoId): Deleted.
    * Source/WebCore/dom/PseudoElement.h:
    * Source/WebCore/dom/ViewTransition.cpp:
    (WebCore::ViewTransition::handleTransitionFrame):
    (WebCore::ViewTransition::updatePseudoElementRenderers):
    (WebCore::ViewTransition::viewTransitionNewPseudoForCapturedElement):
    * Source/WebCore/inspector/agents/InspectorCSSAgent.cpp:
    (WebCore::InspectorCSSAgent::protocolValueForPseudoId):
    (WebCore::InspectorCSSAgent::getMatchedStylesForNode):
    * Source/WebCore/inspector/agents/InspectorCSSAgent.h:
    * Source/WebCore/inspector/agents/InspectorDOMAgent.cpp:
    (WebCore::elementToPushForStyleable):
    (WebCore::InspectorDOMAgent::pushStyleablePathToFrontend):
    (WebCore::InspectorDOMAgent::highlightSelector):
    (WebCore::pseudoElementType):
    (WebCore::InspectorDOMAgent::buildObjectForNode):
    * Source/WebCore/inspector/agents/InspectorLayerTreeAgent.cpp:
    (WebCore::InspectorLayerTreeAgent::buildObjectForLayer):
    * Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp:
    (WebCore::Layout::LineBuilder::adjustLineRectForInitialLetterIfApplicable):
    * Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp:
    (WebCore::Layout::InlineInvalidation::rootStyleWillChange):
    * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
    (WebCore::LayoutIntegration::shouldInvalidateLineLayoutAfterChangeFor):
    (WebCore::LayoutIntegration::LineLayout::updateRenderTreePositions):
    * Source/WebCore/page/LocalFrameView.cpp:
    (WebCore::LocalFrameView::styleHidesScrollbarWithOrientation const):
    (WebCore::LocalFrameView::updateScrollCorner):
    * Source/WebCore/rendering/MarkedText.cpp:
    (WebCore::MarkedText::collectForHighlights):
    * Source/WebCore/rendering/RenderBlock.cpp:
    (WebCore::RenderBlock::nodeForHitTest const):
    (WebCore::findFirstLetterBlock):
    (WebCore::RenderBlock::debugDescription const):
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::adjustForUnsplittableChild):
    (WebCore::RenderBlockFlow::computeLogicalLocationForFloat):
    (WebCore::RenderBlockFlow::lowestInitialLetterLogicalBottom const):
    * Source/WebCore/rendering/RenderBox.cpp:
    (WebCore::RenderBox::imageChanged):
    (WebCore::RenderBox::isUnsplittableForPagination const):
    * Source/WebCore/rendering/RenderBoxModelObject.h:
    * Source/WebCore/rendering/RenderCounter.cpp:
    (WebCore::planCounter):
    (WebCore::RenderCounter::updateCounter):
    * Source/WebCore/rendering/RenderElement.cpp:
    (WebCore::RenderElement::firstLineStyle const):
    (WebCore::RenderElement::styleDidChange):
    (WebCore::RenderElement::willBeDestroyed):
    (WebCore::RenderElement::getCachedPseudoStyle const):
    (WebCore::RenderElement::getUncachedPseudoStyle const):
    (WebCore::RenderElement::textSegmentPseudoStyle const):
    (WebCore::RenderElement::selectionPseudoStyle const):
    (WebCore::RenderElement::spellingErrorPseudoStyle const):
    (WebCore::RenderElement::grammarErrorPseudoStyle const):
    (WebCore::RenderElement::targetTextPseudoStyle const):
    (WebCore::RenderElement::isViewTransitionRoot const):
    * Source/WebCore/rendering/RenderElement.h:
    (WebCore::RenderElement::isViewTransitionContainer const):
    * Source/WebCore/rendering/RenderElementInlines.h:
    (WebCore::RenderElement::isBeforeContent const):
    (WebCore::RenderElement::isAfterContent const):
    * Source/WebCore/rendering/RenderInline.cpp:
    (WebCore::RenderInline::clippedOverflowRect const):
    * Source/WebCore/rendering/RenderLayerBacking.cpp:
    (WebCore::RenderLayerBacking::RenderLayerBacking):
    (WebCore::RenderLayerBacking::shouldClipCompositedBounds const):
    * Source/WebCore/rendering/RenderLayerCompositor.cpp:
    (WebCore::RenderLayerCompositor::collectViewTransitionNewContentLayers):
    (WebCore::RenderLayerCompositor::clipsCompositingDescendants):
    * Source/WebCore/rendering/RenderLayerScrollableArea.cpp:
    (WebCore::RenderLayerScrollableArea::updateScrollCornerStyle):
    (WebCore::RenderLayerScrollableArea::updateResizerStyle):
    * Source/WebCore/rendering/RenderListItem.cpp:
    (WebCore::RenderListItem::computeMarkerStyle const):
    * Source/WebCore/rendering/RenderReplaced.cpp:
    (WebCore::RenderReplaced::calculateHighlightColor const):
    * Source/WebCore/rendering/RenderScrollbar.cpp:
    (WebCore::RenderScrollbar::getScrollbarPseudoStyle const):
    (WebCore::pseudoForScrollbarPart):
    * Source/WebCore/rendering/RenderScrollbar.h:
    * Source/WebCore/rendering/RenderTextFragment.cpp:
    (WebCore::RenderTextFragment::blockForAccompanyingFirstLetter):
    * Source/WebCore/rendering/RenderViewTransitionCapture.cpp:
    (WebCore::RenderViewTransitionCapture::updateFromStyle):
    (WebCore::RenderViewTransitionCapture::paintsContent const):
    (WebCore::RenderViewTransitionCapture::debugDescription const):
    * Source/WebCore/rendering/StyledMarkedText.cpp:
    (WebCore::resolveStyleForMarkedText):
    * Source/WebCore/rendering/TextAutoSizing.cpp:
    (WebCore::cloneRenderStyleWithState):
    (WebCore::TextAutoSizingValue::adjustTextNodeSizes):
    * Source/WebCore/rendering/TextDecorationPainter.cpp:
    (WebCore::collectStylesForRenderer):
    (WebCore::TextDecorationPainter::stylesForRenderer):
    * Source/WebCore/rendering/TextDecorationPainter.h:
    (WebCore::TextDecorationPainter::stylesForRenderer):
    * Source/WebCore/rendering/style/RenderStyle.cpp:
    (WebCore::RenderStyle::createStyleInheritingFromPseudoStyle):
    (WebCore::RenderStyle::changeRequiresLayout const):
    * Source/WebCore/rendering/style/RenderStyle.h:
    * Source/WebCore/rendering/style/RenderStyleConstants.cpp:
    (WebCore::operator<<):
    * Source/WebCore/rendering/style/RenderStyleConstants.h:
    (WebCore::parentPseudoElement):
    * Source/WebCore/rendering/style/RenderStyleInlines.h:
    (WebCore::RenderStyle::hasUsedContentNone const):
    (WebCore::RenderStyle::hasPseudoStyle const):
    (WebCore::RenderStyle::pseudoElementType const):
    (WebCore::RenderStyle::usesLegacyScrollbarStyle const):
    (WebCore::RenderStyle::NonInheritedFlags::hasPseudoStyle const):
    * Source/WebCore/rendering/style/RenderStyleSetters.h:
    (WebCore::RenderStyle::setHasPseudoStyles):
    (WebCore::RenderStyle::NonInheritedFlags::setHasPseudoStyles):
    (WebCore::RenderStyle::setPseudoElementIdentifier):
    * Source/WebCore/rendering/svg/SVGTextBoxPainter.cpp:
    (WebCore::SVGTextBoxPainter<TextBoxPath>::paint):
    * Source/WebCore/rendering/updating/RenderTreeBuilderFirstLetter.cpp:
    (WebCore::styleForFirstLetter):
    (WebCore::RenderTreeBuilder::FirstLetter::updateAfterDescendants):
    * Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
    (WebCore::RenderTreeUpdater::updateBeforeDescendants):
    (WebCore::RenderTreeUpdater::updateAfterDescendants):
    (WebCore::RenderTreeUpdater::tearDownRenderers):
    * Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.cpp:
    (WebCore::keyframeEffectStackForPseudoElement):
    (WebCore::needsPseudoElementForAnimation):
    (WebCore::createContentRenderers):
    (WebCore::RenderTreeUpdater::GeneratedContent::updateBeforeOrAfterPseudoElement):
    (WebCore::RenderTreeUpdater::GeneratedContent::updateBackdropRenderer):
    (WebCore::RenderTreeUpdater::GeneratedContent::updateWritingSuggestionsRenderer):
    (WebCore::keyframeEffectStackForElementAndPseudoId): Deleted.
    * Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.h:
    * Source/WebCore/rendering/updating/RenderTreeUpdaterViewTransition.cpp:
    (WebCore::RenderTreeUpdater::ViewTransition::updatePseudoElementTree):
    (WebCore::createRendererIfNeeded):
    (WebCore::RenderTreeUpdater::ViewTransition::buildPseudoElementGroup):
    (WebCore::RenderTreeUpdater::ViewTransition::updatePseudoElementGroup):
    * Source/WebCore/style/AnchorPositionEvaluator.cpp:
    (WebCore::Style::AnchorPositionEvaluator::findAnchorForAnchorFunctionAndAttemptResolution):
    (WebCore::Style::AnchorPositionEvaluator::keyForElementOrPseudoElement):
    (WebCore::Style::AnchorPositionEvaluator::isImplicitAnchor):
    * Source/WebCore/style/ElementRuleCollector.cpp:
    (WebCore::Style::ElementRuleCollector::ruleMatches):
    (WebCore::Style::ElementRuleCollector::addAuthorKeyframeRules):
    * Source/WebCore/style/ElementRuleCollector.h:
    (WebCore::Style::ElementRuleCollector::matchedPseudoElements const):
    (WebCore::Style::ElementRuleCollector::matchedPseudoElementIds const): Deleted.
    * Source/WebCore/style/MatchedDeclarationsCache.cpp:
    (WebCore::Style::MatchedDeclarationsCache::isCacheable):
    * Source/WebCore/style/PropertyAllowlist.cpp:
    (WebCore::Style::propertyAllowlistForPseudoElement):
    (WebCore::Style::propertyAllowlistForPseudoId): Deleted.
    * Source/WebCore/style/PropertyAllowlist.h:
    * Source/WebCore/style/PseudoElementIdentifier.h:
    (WebCore::Style::add):
    (WebCore::Style::operator<<):
    (WebCore::Style::isNamedViewTransitionPseudoElement):
    * Source/WebCore/style/PseudoElementRequest.h:
    (WebCore::Style::PseudoElementRequest::PseudoElementRequest):
    (WebCore::Style::PseudoElementRequest::type const):
    (WebCore::Style::PseudoElementRequest::pseudoId const): Deleted.
    * Source/WebCore/style/RuleData.cpp:
    (WebCore::Style::determinePropertyAllowlist):
    * Source/WebCore/style/StylableInlines.h:
    (WebCore::Styleable::fromElement):
    * Source/WebCore/style/StyleAdjuster.cpp:
    (WebCore::Style::Adjuster::adjustFirstLetterStyle):
    (WebCore::Style::Adjuster::adjustDisplayContentsStyle const):
    (WebCore::Style::Adjuster::adjustVisibilityForPseudoElement):
    * Source/WebCore/style/StyleBuilderState.cpp:
    (WebCore::Style::BuilderState::registerContentAttribute):
    * Source/WebCore/style/StyleChange.cpp:
    (WebCore::Style::determineChanges):
    * Source/WebCore/style/StylePendingResources.cpp:
    (WebCore::Style::loadPendingResources):
    * Source/WebCore/style/StyleResolver.cpp:
    (WebCore::Style::Resolver::unadjustedStyleForElement):
    (WebCore::Style::Resolver::styleForPseudoElement):
    * Source/WebCore/style/StyleTreeResolver.cpp:
    (WebCore::Style::TreeResolver::resolveElement):
    (WebCore::Style::TreeResolver::resolvePseudoElement):
    (WebCore::Style::TreeResolver::resolveAncestorPseudoElement):
    (WebCore::Style::TreeResolver::resolveAncestorFirstLinePseudoElement):
    (WebCore::Style::TreeResolver::resolveAncestorFirstLetterPseudoElement):
    (WebCore::Style::TreeResolver::makeResolutionContextForPseudoElement):
    (WebCore::Style::TreeResolver::makeResolutionContextForInheritedFirstLine):
    (WebCore::Style::TreeResolver::updateAnchorPositioningState):
    * Source/WebCore/style/Styleable.cpp:
    (WebCore::Styleable::fromRenderer):
    (WebCore::Styleable::renderer const):
    * Source/WebCore/testing/Internals.cpp:
    (WebCore::Internals::highlightPseudoElementColor):

    Canonical link: https://commits.webkit.org/301770@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: c7e932c36694483abd63cb2ecea93923dfc8a163
      
https://github.com/WebKit/WebKit/commit/c7e932c36694483abd63cb2ecea93923dfc8a163
  Author: Dan Robson <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 547a2d76c407916fc0eeefadfc3964a2e088ba63
      
https://github.com/WebKit/WebKit/commit/547a2d76c407916fc0eeefadfc3964a2e088ba63
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    A LayoutTests/media/content/vp9-opus-good-3tracks.webm
    A LayoutTests/media/media-multi-audio-tracks-webm-expected.txt
    A LayoutTests/media/media-multi-audio-tracks-webm.html
    M LayoutTests/platform/mac-site-isolation/TestExpectations
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/platform/graphics/cocoa/MediaPlayerPrivateWebM.h
    M Source/WebCore/platform/graphics/cocoa/MediaPlayerPrivateWebM.mm

  Log Message:
  -----------
  Cherry-pick 64f63548cbdb. rdar://164254018

    com.apple.WebKit.GPU at WebCore: WebCore::MediaPlayerPrivateWebM::notifyClientWhenReadyForMoreSamples
    https://bugs.webkit.org/show_bug.cgi?id=302074
    rdar://163061241

    Reviewed by Youenn Fablet.

    If a sample was demuxed from a track not yet activated, it will cause the MediaPlayerPrivateWebM
    to use an invalid iterator to retrieve the track number.
    This condition will easily occur if the webm had more than 1 track of each kind.

    We abort notifyClientWhenReadyForMoreSamples method, if the track isn't
    enabled yet.

    Test: media/media-multi-audio-tracks-webm.html
    * LayoutTests/media/content/vp9-opus-good-3tracks.webm: Added.
    * LayoutTests/media/media-multi-audio-tracks-webm-expected.txt: Added.
    * LayoutTests/media/media-multi-audio-tracks-webm.html: Added.
    * Source/WebCore/platform/graphics/cocoa/MediaPlayerPrivateWebM.h:
    * Source/WebCore/platform/graphics/cocoa/MediaPlayerPrivateWebM.mm:
    (WebCore::MediaPlayerPrivateWebM::notifyClientWhenReadyForMoreSamples):
    (WebCore::MediaPlayerPrivateWebM::isReadyForMoreSamples):
    (WebCore::MediaPlayerPrivateWebM::maybeTrackIdentifierFor const):

    Canonical link: https://commits.webkit.org/302672@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: a3a58cf10d4af3480429b1d0bf84307a94c330ff
      
https://github.com/WebKit/WebKit/commit/a3a58cf10d4af3480429b1d0bf84307a94c330ff
  Author: Jessica Lee <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Source/WebKitLegacy/mac/WebView/WebView.mm

  Log Message:
  -----------
  Cherry-pick cfc6df9eb93c. rdar://164022564

    WebView willStartRenderingUpdateDisplay crashes when _private->page is null
    https://bugs.webkit.org/show_bug.cgi?id=302069
    rdar://164022564

    Reviewed by Chris Dumez and Ryosuke Niwa.

    In the function WebView::_willStartRenderingUpdateDisplay (in WebKitLegacy), the page can become null between when it is originally null-checked if (_private->page) and when willStartRenderingUpdateDisplay starts executing. This is due to an increased delay from WebThreadLock();

    We should move WebThreadLock() before page->willStartRenderingUpdateDisplay starts executing so that the page cannot be manipulated by the WebThread before page->willStartRenderingUpdateDisplay runs.

    * Source/WebKitLegacy/mac/WebView/WebView.mm:
    (-[WebView _willStartRenderingUpdateDisplay]):

    Identifier: 301765.266@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 81b03f9052258685e8ec1987d125c8fdb476cf46
      
https://github.com/WebKit/WebKit/commit/81b03f9052258685e8ec1987d125c8fdb476cf46
  Author: Sihui Liu <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp
    M Source/WebCore/loader/archive/cf/LegacyWebArchive.h
    M Source/WebKitLegacy/mac/WebView/WebArchive.mm

  Log Message:
  -----------
  Cherry-pick 581d4c4b6449. rdar://164216392

    Null pointer dereference in LegacyWebArchive::protectedMainResource()
    https://bugs.webkit.org/show_bug.cgi?id=302063
    rdar://164088405

    Reviewed by Ryosuke Niwa and Anne van Kesteren.

    Archive::mainResource() can return nullptr and LegacyWebArchive::protectedMainResource() currently dereferences it
    without null check, so we are seeing crashes. However, LegacyWebArchive should not be created with null main resource,
    as it cannot be loaded anyways. So instead of adding null check in protectedMainResource(), this patch fixes the crash
    by ensuring LegacyWebArchive is always created with non-null main resource: LegacyWebArchive::create*() functions now return
    nullptr instead of default LegacyWebArchive object on error.

    * Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp:
    (WebCore::LegacyWebArchive::create):
    (WebCore::LegacyWebArchive::createInternal):
    (WebCore::LegacyWebArchive::extract): Deleted.
    * Source/WebCore/loader/archive/cf/LegacyWebArchive.h:
    * Source/WebKitLegacy/mac/WebView/WebArchive.mm:
    (-[WebArchivePrivate init]):

    Canonical link: https://commits.webkit.org/302691@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 15504885ac8a936e8ca2497a4940cb08fce3df11
      
https://github.com/WebKit/WebKit/commit/15504885ac8a936e8ca2497a4940cb08fce3df11
  Author: Franco Vieira de Souza <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/ios/WKTouchEventsGestureRecognizer.mm

  Log Message:
  -----------
  Cherry-pick 4635cf86519a. rdar://164257558

    Stop using WallTime on WKTouchEvent
    https://bugs.webkit.org/show_bug.cgi?id=302135
    rdar://164214808

    Reviewed by Abrar Rahman Protyasha.

    The conversion from MonotonicTime to WallTime was removed. The
    conversion has been wrong since 299753@main, which changed
    WebEvent's timestamp from WallTime to MonotonicTime.

    * Source/WebKit/UIProcess/ios/WKTouchEventsGestureRecognizer.mm:
    (-[WKTouchEventsGestureRecognizer _touchEventForChildTouch:withParent:]):
    (-[WKTouchEventsGestureRecognizer _recordTouches:ofType:forEvent:]):
    (approximateWallTime): Deleted.

    Canonical link: https://commits.webkit.org/302718@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: bb03593a8cff3488500111b0b1e53fd9afb1c437
      
https://github.com/WebKit/WebKit/commit/bb03593a8cff3488500111b0b1e53fd9afb1c437
  Author: Ben Nham <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm
    M Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessPool.h

  Log Message:
  -----------
  Cherry-pick 0300d4826f85. rdar://164273465

    Make PLT debounce interval configurable
    https://bugs.webkit.org/show_bug.cgi?id=302115
    rdar://164196747

    Reviewed by Ryosuke Niwa.

    When running PLT, there is a parameter that controls the amount of time that the main thread waits
    after the last handled network request before declaring the page load done. Currently customizing
    this requires recompiling. We should be able to change this with a preference instead.

    * Source/WebKit/UIProcess/API/Cocoa/WKProcessPool.mm:
    (-[WKProcessPool _setPLTResourceDelayIntervalForTesting:]):
    * Source/WebKit/UIProcess/API/Cocoa/WKProcessPoolPrivate.h:
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::generatePageLoadTimingSoonImpl):
    * Source/WebKit/UIProcess/WebProcessPool.h:

    Canonical link: https://commits.webkit.org/302707@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 2bcfb339b6151a26bc11d7473dcf9461956ee6d8
      
https://github.com/WebKit/WebKit/commit/2bcfb339b6151a26bc11d7473dcf9461956ee6d8
  Author: Kimmo Kinnunen <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/capture/capture_gles_2_0_params.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/formatutils.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/formatutils.h
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/d3d/FramebufferD3D.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/d3d/d3d11/Image11.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/d3d/d3d11/TextureStorage11.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/FramebufferGL.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/FrameBufferMtl.mm
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/TextureMtl.mm
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/null/FramebufferNULL.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/vulkan/vk_helpers.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/wgpu/TextureWgpu.cpp
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/wgpu/wgpu_helpers.cpp
    M Source/ThirdParty/ANGLE/src/tests/gl_tests/TextureTest.cpp

  Log Message:
  -----------
  Cherry-pick 02d2cd92abb8. rdar://164155603

    ANGLE: Avoid using UNPACK_SKIP_IMAGES, UNPACK_IMAGE_HEIGHT for non-3d textures <rdar://164155603>

    Reviewed by Mike Wyrzykowski.

    Avoid using UNPACK_SKIP_IMAGES, UNPACK_IMAGE_HEIGHT when uploading
    textures with TexImage2D. The UNPACK_IMAGE_HEIGHT was being
    used in Metal texture uploads even when slices was == 1. This
    causes validation failure. During TexImage2D the values are not
    validated at ANGLE validation level since they are not supposed to
    affect anything.

    Consider pattern:
    formatInfo.computeRowPitch(type, area.width, unpack.alignment,
        unpack.rowLength, &rowPitch);
    formatInfo.computeDepthPitch(area.height, unpack.imageHeight,
        sourceRowPitch, &depthPitch);
    formatInfo.computeSkipBytes(type, sourceRowPitch, sourceDepthPitch,
        unpack, index.usesTex3D(), &sourceSkipBytes);

    Computing the depthPitch would not take into account whether the
    originating command was Tex*Image2D or Tex*Image3D. It would
    unconditionally use UNPACK_SKIP_IMAGES, UNPACK_IMAGE_HEIGHT.
    The computed depthPitch would then be used to size buffers, read amounts
    and write amounts by the implementations.

    Combine the pattern to InternalFormat::computeRowDepthSkipBytes(...)
    call that uses PixelUnpackState::imageHeight,
    PixelUnpackState::imageSkip only for 3D texture uploads.

    Combine the pack buffer parameter resolution logic other to function:
    InternalFormat::computeRowSkipBytes(..., PixelPackState&,...).

    * Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
    (gl::Context::texImage2D):
    * Source/ThirdParty/ANGLE/src/libANGLE/capture/capture_gles_2_0_params.cpp:
    (gl::CaptureTexImage2D_pixels):
    * Source/ThirdParty/ANGLE/src/libANGLE/formatutils.cpp:
    (gl::InternalFormat::computeRowDepthSkipBytes const):
    (gl::InternalFormat::computeSkipBytes const):
    (gl::InternalFormat::computePackUnpackEndByte const):
    * Source/ThirdParty/ANGLE/src/libANGLE/formatutils.h:
    * Source/ThirdParty/ANGLE/src/libANGLE/renderer/d3d/d3d11/Image11.cpp:
    (rx::Image11::loadData):
    * Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp:
    (rx::TextureGL::setSubImageRowByRowWorkaround):
    * Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/TextureMtl.mm:
    (rx::TextureMtl::setSubImageImpl):
    * Source/ThirdParty/ANGLE/src/libANGLE/renderer/vulkan/vk_helpers.cpp:
    (rx::vk::ImageHelper::calculateBufferInfo):

    Change-Id: Iefac5156412787709ee577a9a71f19a480778e78
    Identifier: 301765.268@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]
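
The pitch computation described in the ANGLE commit above, as an added example that is not ANGLE's or WebKit's code: a simplified C++ model in which `UnpackState`, `Layout`, `layoutBefore`, `layoutAfter` and `staleStateFrom3DUpload` are hypothetical names. It shows how a leftover UNPACK_IMAGE_HEIGHT inflates the depth pitch of a 2D upload unless the value is honoured only for 3D uploads, using overflow-checked arithmetic throughout.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Simplified model of GL pixel-unpack state. Field names are hypothetical,
// chosen to mirror the UNPACK_* parameters named in the commit message.
struct UnpackState {
    uint32_t alignment = 4;    // UNPACK_ALIGNMENT (1, 2, 4 or 8)
    uint32_t rowLength = 0;    // UNPACK_ROW_LENGTH, 0 means "use width"
    uint32_t imageHeight = 0;  // UNPACK_IMAGE_HEIGHT, 0 means "use height"
    uint32_t skipPixels = 0;   // UNPACK_SKIP_PIXELS
    uint32_t skipRows = 0;     // UNPACK_SKIP_ROWS
    uint32_t skipImages = 0;   // UNPACK_SKIP_IMAGES
};

struct Layout {
    uint64_t rowPitch;    // bytes from one source row to the next
    uint64_t depthPitch;  // bytes from one source slice to the next
    uint64_t skipBytes;   // bytes skipped before the first texel
};

static std::optional<uint64_t> checkedMul(uint64_t a, uint64_t b)
{
    if (a != 0 && b > std::numeric_limits<uint64_t>::max() / a)
        return std::nullopt;
    return a * b;
}

static std::optional<uint64_t> checkedAdd(uint64_t a, uint64_t b)
{
    if (b > std::numeric_limits<uint64_t>::max() - a)
        return std::nullopt;
    return a + b;
}

// gateOn3D == false models the "before" pattern (image height always honoured);
// gateOn3D == true models the combined helper (3D-only parameters gated on is3D).
static std::optional<Layout> computeLayout(uint32_t bytesPerPixel, uint32_t width, uint32_t height,
                                           const UnpackState &unpack, bool is3D, bool gateOn3D)
{
    if (unpack.alignment == 0)
        return std::nullopt;
    uint64_t pixelsPerRow = unpack.rowLength ? unpack.rowLength : width;
    auto rowBytes = checkedMul(pixelsPerRow, bytesPerPixel);
    if (!rowBytes)
        return std::nullopt;
    auto padded = checkedAdd(*rowBytes, unpack.alignment - 1);
    if (!padded)
        return std::nullopt;
    uint64_t rowPitch = *padded / unpack.alignment * unpack.alignment;

    bool honorImageHeight = unpack.imageHeight != 0 && (is3D || !gateOn3D);
    uint64_t rowsPerImage = honorImageHeight ? unpack.imageHeight : height;
    auto depthPitch = checkedMul(rowsPerImage, rowPitch);
    if (!depthPitch)
        return std::nullopt;

    uint64_t imagesToSkip = is3D ? unpack.skipImages : 0u;
    auto skipImages = checkedMul(imagesToSkip, *depthPitch);
    auto skipRows = checkedMul(unpack.skipRows, rowPitch);
    auto skipPixels = checkedMul(unpack.skipPixels, bytesPerPixel);
    if (!skipImages || !skipRows || !skipPixels)
        return std::nullopt;
    auto skip = checkedAdd(*skipImages, *skipRows);
    if (skip)
        skip = checkedAdd(*skip, *skipPixels);
    if (!skip)
        return std::nullopt;
    return Layout{rowPitch, *depthPitch, *skip};
}

std::optional<Layout> layoutBefore(uint32_t bpp, uint32_t w, uint32_t h, const UnpackState &u, bool is3D)
{
    return computeLayout(bpp, w, h, u, is3D, false);
}

std::optional<Layout> layoutAfter(uint32_t bpp, uint32_t w, uint32_t h, const UnpackState &u, bool is3D)
{
    return computeLayout(bpp, w, h, u, is3D, true);
}

// Constructed sample: unpack state left behind by an earlier 3D upload.
UnpackState staleStateFrom3DUpload()
{
    UnpackState s;
    s.imageHeight = 64;
    s.skipImages = 2;
    return s;
}

int main()
{
    // A 4x4 RGBA8 2D upload: the caller's source buffer is only 4 * 4 * 4 = 64 bytes.
    UnpackState stale = staleStateFrom3DUpload();
    auto before = layoutBefore(4, 4, 4, stale, false);
    auto after = layoutAfter(4, 4, 4, stale, false);
    std::printf("2D upload depthPitch: before=%llu after=%llu (source is 64 bytes)\n",
                static_cast<unsigned long long>(before->depthPitch),
                static_cast<unsigned long long>(after->depthPitch));
    return 0;
}
```

Any consumer that sizes a buffer or a copy from the ungated depth pitch works with 1024 bytes for a 64-byte source, which is the mismatch the commit message describes.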


  Commit: ff99acda1cba4b30200ed3c468dafa584731dcb4
      
https://github.com/WebKit/WebKit/commit/ff99acda1cba4b30200ed3c468dafa584731dcb4
  Author: Dan Robson <[email protected]>
  Date:   2025-11-07 (Fri, 07 Nov 2025)

  Changed paths:
    M Source/WebKitLegacy/mac/WebView/WebView.mm

  Log Message:
  -----------
  Revert cfc6df9eb93c. rdar://164022564

This reverts commit 52ba1d802ec057c758b671bf1c6b9d47a4b60acf.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: cf49f53ccf3d14d43134fe725b04247b1fd22ee2
      
https://github.com/WebKit/WebKit/commit/cf49f53ccf3d14d43134fe725b04247b1fd22ee2
  Author: Dan Robson <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 49f1f547c4ca313c7c4b15d52734424f8282bcbc
      
https://github.com/WebKit/WebKit/commit/49f1f547c4ca313c7c4b15d52734424f8282bcbc
  Author: Chris Dumez <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp

  Log Message:
  -----------
  Cherry-pick acda47626961. rdar://164294666

    RELEASE_ASSERT() under WebCore::Page::serviceWorkerGlobalObject
    https://bugs.webkit.org/show_bug.cgi?id=302189
    rdar://164059424

    Reviewed by Youenn Fablet and Timothy Hatcher.

    We're hitting an assertion inside Page::serviceWorkerGlobalObject() because
    WebExtensions code is calling this function with an isolated world and this
    is something we don't support and have never supported.

    To address the issue, I am bailing out at the call site when the world is
    not the normal one.

    * Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp:
    (WebKit::WebExtensionContextProxy::enumerateFramesAndNamespaceObjects):

    Canonical link: https://commits.webkit.org/302758@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 7fd0327abb9dbcfe7ac0ef35a1f8d7ff76b14445
      
https://github.com/WebKit/WebKit/commit/7fd0327abb9dbcfe7ac0ef35a1f8d7ff76b14445
  Author: Chris Dumez <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/WebCore/page/ResizeObservation.cpp
    M Source/WebCore/page/ResizeObserver.cpp
    M Source/WebCore/page/ResizeObserverEntry.h

  Log Message:
  -----------
  Cherry-pick a1c0f13ff6a0. rdar://164314918

    Regression(301243@main?) Potential null dereference of m_target in ResizeObservation::computeTargetLocation()
    https://bugs.webkit.org/show_bug.cgi?id=302197
    rdar://164271295

    Reviewed by Ryosuke Niwa.

    From the crash, we can tell that we're doing a null dereference of m_target
    in ResizeObservation::computeTargetLocation(), m_target being a WeakPtr.

    I suspect this is a regression from 301243@main. The targets used to be kept
    alive via the `m_activeObservationTargets` Vector, which used to contain
    `GCReachableRef<Element>` types. 301243@main updated the Vector to contain
    `WeakPtr<Element>` and then relied on `JSResizeObserver::visitAdditionalChildren()`
    to visit the targets in the Vector. Something must be wrong with the leak fix in
    301243@main. In particular, I think that updating the stack Vectors in
    `ResizeObserver::deliverObservations()` to also use WeakPtr instead of GCReachableRef
    was a mistake. The Vectors seemed useless after 301243@main as they contained
    WeakPtrs and were unused. I think those vectors have to keep using GCReachableRef
    to make sure the targets and their JS wrappers are kept alive while we deliver the
    observations. We need those vectors on the stack because the function clears
    `m_activeObservationTargets` before delivering the observations and thus
    `JSResizeObserver::visitAdditionalChildren()` will no longer be able to visit the
    targets on the GC thread.

    Because my fix above may be insufficient and is speculative since we do not have
    a reproduction case, I also added a null check in ResizeObservation::computeTargetLocation()
    to avoid the null dereference. I also updated the call site to avoid constructing a
    ResizeObserverEntry for a target that has already been destroyed, since there
    is no point and it may cause trouble later on since the code may expect the
    target to be still alive.

    * Source/WebCore/page/ResizeObservation.cpp:
    (WebCore::ResizeObservation::computeTargetLocation const):
    * Source/WebCore/page/ResizeObserver.cpp:
    (WebCore::ResizeObserver::deliverObservations):
    * Source/WebCore/page/ResizeObserverEntry.h:
    (WebCore::ResizeObserverEntry::create):
    (WebCore::ResizeObserverEntry::target const):
    (WebCore::ResizeObserverEntry::ResizeObserverEntry):

    Canonical link: https://commits.webkit.org/302765@main

Canonical link: https://commits.webkit.org/[email protected]
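
The lifetime pattern discussed in the ResizeObserver commit above, as an added example that is not WebKit code: `std::weak_ptr` and `std::shared_ptr` stand in for `WeakPtr` and a strong reference, and `Observer`, `deliver` and `runScenario` are hypothetical names. It models a delivery loop that clears its member list first, and compares holding only weak references with pinning the targets on the stack, keeping the null check as the fallback in both cases.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

struct Element {
    int id;
};

struct DeliveryStats {
    int delivered = 0;    // targets that were alive when their turn came
    int skippedDead = 0;  // targets already destroyed, caught by the null check
};

class Observer {
public:
    void observe(const std::shared_ptr<Element> &target) { m_activeTargets.emplace_back(target); }

    // Delivers one callback per active target. The member list is emptied
    // before delivery starts, so nothing reachable from the observer keeps
    // the targets alive while callbacks run.
    DeliveryStats deliver(bool pinTargetsOnStack,
                          const std::function<void(const Element &)> &callback)
    {
        std::vector<std::weak_ptr<Element>> targets;
        targets.swap(m_activeTargets);

        // Strong references held for the duration of delivery.
        std::vector<std::shared_ptr<Element>> pinned;
        if (pinTargetsOnStack) {
            for (const auto &weak : targets) {
                if (auto strong = weak.lock())
                    pinned.push_back(std::move(strong));
            }
        }

        DeliveryStats stats;
        for (const auto &weak : targets) {
            std::shared_ptr<Element> target = weak.lock();
            if (!target) {
                // Null check: never dereference a target that has gone away.
                ++stats.skippedDead;
                continue;
            }
            callback(*target);
            ++stats.delivered;
        }
        return stats;
    }

private:
    std::vector<std::weak_ptr<Element>> m_activeTargets;
};

// Constructed scenario: two observed elements, and a callback that drops
// every outside owner of the elements while delivery is still in progress.
DeliveryStats runScenario(bool pinTargetsOnStack)
{
    std::vector<std::shared_ptr<Element>> owners = {
        std::make_shared<Element>(Element{1}),
        std::make_shared<Element>(Element{2}),
    };
    Observer observer;
    for (const auto &element : owners)
        observer.observe(element);
    return observer.deliver(pinTargetsOnStack, [&owners](const Element &) { owners.clear(); });
}

int main()
{
    DeliveryStats weakOnly = runScenario(false);
    DeliveryStats pinned = runScenario(true);
    std::printf("weak only: delivered=%d skippedDead=%d\n", weakOnly.delivered, weakOnly.skippedDead);
    std::printf("pinned:    delivered=%d skippedDead=%d\n", pinned.delivered, pinned.skippedDead);
    return 0;
}
```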


  Commit: f76d6bde850d4c022928d36c5aad5e707fbd2c9d
      
https://github.com/WebKit/WebKit/commit/f76d6bde850d4c022928d36c5aad5e707fbd2c9d
  Author: Abrar Rahman Protyasha <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/WebCore/page/EventHandler.cpp

  Log Message:
  -----------
  Cherry-pick a41d14417920. rdar://164366267

    REGRESSION(299567@main): Web content process sometimes crashes under WebPage::didDispatchClickEvent()
    https://bugs.webkit.org/show_bug.cgi?id=302199
    rdar://164271251

    Reviewed by Wenson Hsieh.

    In 299567@main, swallowAnyClickEvent was changed to allow execution when
    nodeToClick is null but m_clickCaptureElement is set, to properly handle
    click events during pointer capture. However, the function unconditionally
    dereferenced nodeToClick when calling didDispatchClickEvent, leading to
    crashes when clicking with pointer capture active but no node under the
    pointer.

    The fix introduces a dispatchNode variable that is set to nodeToClick when
    available (since it represents the actual physical click location needed
    for touch event synthesis), or falls back to clickCaptureElement otherwise.
    The call to didDispatchClickEvent is now guarded to only occur when
    dispatchNode is non-null.

    I was unable to produce an automated test to reproduce the crash. It
    seems there is a right timing window we must thread between setting
    pointer capture, removing the hit tested node, and dispatching a new
    click event to the pointer captured node on a successive tap.

    * Source/WebCore/page/EventHandler.cpp:
    (WebCore::EventHandler::swallowAnyClickEvent):

    Canonical link: https://commits.webkit.org/302771@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 2e6a278a49e4ae724895a990df4ca1a012e1721c
      
https://github.com/WebKit/WebKit/commit/2e6a278a49e4ae724895a990df4ca1a012e1721c
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterAVFObjC.h
    M Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterAVFObjC.mm

  Log Message:
  -----------
  Cherry-pick cbd4da15ac4a. rdar://164414107

    Crash: com.apple.WebKit.WebContent at AVFCore: -[AVAssetWriterInputHelper requestMediaDataWhenReadyOnQueue:usingBlock:]
    https://bugs.webkit.org/show_bug.cgi?id=302226
    rdar://164271457

    Reviewed by Youenn Fablet and Eric Carlson.

    Don't attempt to write to the AVAssetWriter when closing when an error occurred.
    From the documentation "Before calling this method, you must ensure that the receiver is attached to an AVAssetWriter via a prior call to -addInput: and that -startWriting has been called on the asset writer."
    so also add handling to ignore any remaining samples if it's not possible to use the writer any longer.

    * Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterAVFObjC.h:
    * Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterAVFObjC.mm:
    (WebCore::MediaRecorderPrivateWriterAVFObjC::addAudioTrack):
    (WebCore::MediaRecorderPrivateWriterAVFObjC::addVideoTrack):
    (WebCore::MediaRecorderPrivateWriterAVFObjC::allTracksAdded):
    (WebCore::MediaRecorderPrivateWriterAVFObjC::close):

    Canonical link: https://commits.webkit.org/302779@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 16286a13b527a21e419e24d678f852bf347167f4
      
https://github.com/WebKit/WebKit/commit/16286a13b527a21e419e24d678f852bf347167f4
  Author: Alex Christensen <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/WebKit/Shared/JavaScriptEvaluationResult.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm

  Log Message:
  -----------
  Cherry-pick b29de83f5f56. rdar://164381431

    Check exceptions when accessing objects in JavaScriptEvaluationResult
    https://bugs.webkit.org/show_bug.cgi?id=302233
    rdar://164271319

    Reviewed by Chris Dumez.

    This fixes a crash I introduced with JavaScriptEvaluationResult.

    SerializedScript value has many checks like this:
    if (scope.exception()) [[unlikely]]
    This introduces equivalent checks, but they look a little different
    because in JavaScriptEvaluationResult we're using the C API of JS.

    Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm

    * Source/WebKit/Shared/JavaScriptEvaluationResult.cpp:
    (WebKit::JavaScriptEvaluationResult::JSExtractor::toValue):
    (WebKit::JavaScriptEvaluationResult::JSInserter::toJS):
    (WebKit::JavaScriptEvaluationResult::toJS):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm:
    (ExceptionAccessingProperty)):

    Canonical link: https://commits.webkit.org/302783@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 5fbe78fe9a6b6421dbd42f3f8e2c01bedfc53864
      
https://github.com/WebKit/WebKit/commit/5fbe78fe9a6b6421dbd42f3f8e2c01bedfc53864
  Author: Taher Ali <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M LayoutTests/TestExpectations
    M LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/animations/border-width-interpolation-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-image-width-expected.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-image-width-ref.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-image-width.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-width-expected.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-width-ref.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-width.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/mask-border-width-expected.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/mask-border-width-ref.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/mask-border-width.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/svg-computed-style-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/svg-computed-style.html
    M Source/WebCore/layout/formattingContexts/FormattingGeometry.cpp
    M Source/WebCore/layout/formattingContexts/block/BlockFormattingGeometry.cpp
    M Source/WebCore/layout/formattingContexts/inline/InlineLevelBox.h
    M Source/WebCore/layout/integration/LayoutIntegrationBoxGeometryUpdater.cpp
    M Source/WebCore/page/LocalFrameView.cpp
    M Source/WebCore/page/SpatialNavigation.cpp
    M Source/WebCore/rendering/BorderEdge.cpp
    M Source/WebCore/rendering/BorderPainter.cpp
    M Source/WebCore/rendering/BorderShape.cpp
    M Source/WebCore/rendering/NinePieceImagePainter.cpp
    M Source/WebCore/rendering/RenderBoxModelObjectInlines.h
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderImage.cpp
    M Source/WebCore/rendering/RenderMultiColumnSet.cpp
    M Source/WebCore/rendering/RenderTable.cpp
    M Source/WebCore/rendering/RenderTableCell.cpp
    M Source/WebCore/rendering/RenderTableCell.h
    M Source/WebCore/rendering/RenderTableSection.cpp
    M Source/WebCore/rendering/RenderTheme.cpp
    M Source/WebCore/rendering/TextAutoSizing.cpp
    M Source/WebCore/rendering/cocoa/RenderThemeCocoa.mm
    M Source/WebCore/rendering/ios/RenderThemeIOS.mm
    M Source/WebCore/rendering/style/CollapsedBorderValue.h
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.h
    M Source/WebCore/rendering/style/RenderStyleInlines.h
    M Source/WebCore/rendering/style/StyleRareInheritedData.cpp
    M Source/WebCore/rendering/style/StyleRareInheritedData.h
    M Source/WebCore/rendering/svg/SVGRenderSupport.cpp
    M Source/WebCore/style/StyleAdjuster.cpp
    M Source/WebCore/style/StyleResolveForDocument.cpp
    M Source/WebCore/style/values/backgrounds/StyleBorderImageWidth.h
    M Source/WebCore/style/values/backgrounds/StyleLineWidth.cpp
    M Source/WebCore/style/values/backgrounds/StyleLineWidth.h
    M Source/WebCore/style/values/masking/StyleMaskBorderWidth.h
    M Source/WebCore/style/values/primitives/StyleZoomPrimitives.h
    M Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm
    M Source/WebKitLegacy/mac/DOM/DOM.mm

  Log Message:
  -----------
  Cherry-pick ae7fb5405090. rdar://164266574

    REGRESSION(301536@main): Speedometer3, MotionMark regression.
    rdar://164266574

    Reviewed by Brent Fulgham.

    This reverts commit c38095e as it's causing perf regression.

    * LayoutTests/TestExpectations:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/animations/border-width-interpolation-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-image-width-expected.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-image-width-ref.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-image-width.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-width-expected.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-width-ref.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/border-width.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/mask-border-width-expected.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/mask-border-width-ref.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/mask-border-width.html: Removed.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/svg-computed-style-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/svg-computed-style.html:
    * Source/WebCore/layout/formattingContexts/FormattingGeometry.cpp:
    (WebCore::Layout::FormattingGeometry::computedBorder const):
    * Source/WebCore/layout/formattingContexts/block/BlockFormattingGeometry.cpp:
    (WebCore::Layout::BlockFormattingGeometry::intrinsicWidthConstraints const):
    * Source/WebCore/layout/integration/LayoutIntegrationBoxGeometryUpdater.cpp:
    (WebCore::LayoutIntegration::BoxGeometryUpdater::logicalBorder):
    * Source/WebCore/page/LocalFrameView.cpp:
    (WebCore::LocalFrameView::fixedContainerEdges const):
    * Source/WebCore/page/SpatialNavigation.cpp:
    (WebCore::nodeRectInAbsoluteCoordinates):
    * Source/WebCore/rendering/BorderEdge.cpp:
    (WebCore::borderEdges):
    (WebCore::borderEdgesForOutline):
    * Source/WebCore/rendering/BorderPainter.cpp:
    (WebCore::BorderPainter::paintOutline const):
    * Source/WebCore/rendering/BorderShape.cpp:
    (WebCore::BorderShape::shapeForBorderRect):
    * Source/WebCore/rendering/NinePieceImagePainter.cpp:
    (WebCore::computeSlice):
    (WebCore::computeSlices):
    (WebCore::paintNinePieceImage):
    * Source/WebCore/rendering/RenderBoxModelObjectInlines.h:
    (WebCore::RenderBoxModelObject::borderAfter const):
    (WebCore::RenderBoxModelObject::borderBefore const):
    (WebCore::RenderBoxModelObject::borderBottom const):
    (WebCore::RenderBoxModelObject::borderEnd const):
    (WebCore::RenderBoxModelObject::borderLeft const):
    (WebCore::RenderBoxModelObject::borderRight const):
    (WebCore::RenderBoxModelObject::borderStart const):
    (WebCore::RenderBoxModelObject::borderTop const):
    (WebCore::RenderBoxModelObject::borderWidths const):
    * Source/WebCore/rendering/RenderElement.cpp:
    (WebCore::drawFocusRing):
    * Source/WebCore/rendering/RenderImage.cpp:
    (WebCore::RenderImage::paintAreaElementFocusRing):
    * Source/WebCore/rendering/RenderMultiColumnSet.cpp:
    (WebCore::RenderMultiColumnSet::paintColumnRules):
    * Source/WebCore/rendering/RenderTable.cpp:
    (WebCore::RenderTable::calcBorderStart const):
    (WebCore::RenderTable::calcBorderEnd const):
    (WebCore::RenderTable::outerBorderBefore const):
    (WebCore::RenderTable::outerBorderAfter const):
    (WebCore::RenderTable::outerBorderStart const):
    (WebCore::RenderTable::outerBorderEnd const):
    * Source/WebCore/rendering/RenderTableCell.cpp:
    (WebCore::emptyBorder):
    (WebCore::RenderTableCell::computeCollapsedStartBorder const):
    (WebCore::RenderTableCell::computeCollapsedEndBorder const):
    (WebCore::RenderTableCell::computeCollapsedBeforeBorder const):
    (WebCore::RenderTableCell::computeCollapsedAfterBorder const):
    (WebCore::RenderTableCell::emptyBorder const): Deleted.
    * Source/WebCore/rendering/RenderTableCell.h:
    * Source/WebCore/rendering/RenderTableSection.cpp:
    (WebCore::RenderTableSection::calcBlockDirectionOuterBorder const):
    (WebCore::RenderTableSection::calcInlineDirectionOuterBorder const):
    (WebCore::RenderTableSection::paintRowGroupBorderIfRequired):
    (WebCore::RenderTableSection::cachedCollapsedBorder):
    * Source/WebCore/rendering/RenderTheme.cpp:
    (WebCore::RenderTheme::extractControlStyleForRenderer const):
    (WebCore::RenderTheme::adjustButtonOrCheckboxOrColorWellOrInnerSpinButtonOrRadioStyle const):
    * Source/WebCore/rendering/cocoa/RenderThemeCocoa.mm:
    (WebCore::RenderThemeCocoa::paintMenuListButtonDecorationsForVectorBasedControls):
    * Source/WebCore/rendering/ios/RenderThemeIOS.mm:
    (WebCore::RenderThemeIOS::popupInternalPaddingBox const):
    (WebCore::RenderThemeIOS::paintMenuListButtonDecorations):
    * Source/WebCore/rendering/style/CollapsedBorderValue.h:
    (WebCore::CollapsedBorderValue::CollapsedBorderValue):
    * Source/WebCore/rendering/style/RenderStyle.cpp:
    (WebCore::RenderStyle::imageOutsets const):
    (WebCore::RenderStyle::outlineWidth const):
    (WebCore::RenderStyle::outlineOffset const):
    (WebCore::RenderStyle::outlineSize const):
    (WebCore::RenderStyle::setDeviceScaleFactor): Deleted.
    * Source/WebCore/rendering/style/RenderStyle.h:
    * Source/WebCore/rendering/style/RenderStyleInlines.h:
    (WebCore::RenderStyle::usedZoomForLength const):
    (WebCore::RenderStyle::deviceScaleFactor const): Deleted.
    * Source/WebCore/rendering/style/StyleRareInheritedData.cpp:
    (WebCore::StyleRareInheritedData::StyleRareInheritedData):
    (WebCore::StyleRareInheritedData::operator== const):
    (WebCore::StyleRareInheritedData::dumpDifferences const):
    * Source/WebCore/rendering/style/StyleRareInheritedData.h:
    * Source/WebCore/rendering/svg/SVGRenderSupport.cpp:
    (WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer):
    * Source/WebCore/style/StyleResolveForDocument.cpp:
    (WebCore::Style::resolveForDocument):
    * Source/WebCore/style/values/backgrounds/StyleBorderImageWidth.h:
    * Source/WebCore/style/values/backgrounds/StyleLineWidth.cpp:
    (WebCore::Style::CSSValueConversion<LineWidth>::operator):
    (WebCore::Style::FloatBoxExtent>::operator):
    (WebCore::Style::LayoutBoxExtent>::operator):
    (WebCore::Style::Serialize<LineWidth>::operator): Deleted.
    * Source/WebCore/style/values/backgrounds/StyleLineWidth.h:
    (WebCore::Style::LineWidth::LineWidth):
    * Source/WebCore/style/values/masking/StyleMaskBorderWidth.h:
    * Source/WebCore/style/values/primitives/StyleZoomPrimitives.h:
    (WebCore::Style::ZoomFactor::ZoomFactor):
    (): Deleted.
    * Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
    (WebKit::WebPage::absoluteInteractionBounds):
    * Source/WebKitLegacy/mac/DOM/DOM.mm:
    (-[DOMNode innerFrameQuad]):

    Identifier: 301765.288@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 6f61a491c423220ea4e507703ae5d9734b385705
      
https://github.com/WebKit/WebKit/commit/6f61a491c423220ea4e507703ae5d9734b385705
  Author: Daniel Liu <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/API/MARReportCrashPrivate.h
    M Source/bmalloc/libpas/src/libpas/pas_report_crash_pgm_report.h

  Log Message:
  -----------
  Cherry-pick 8f45008386bc. rdar://164275494

    Remove redundant OS(DARWIN) macro check in MARReportCrashPrivate
    https://bugs.webkit.org/show_bug.cgi?id=302173
    rdar://164275494

    Unreviewed, build fix.

    The use of the `OS` macro led to issues with C++ modules during build.

    * Source/JavaScriptCore/API/MARReportCrashPrivate.h:

    Identifier: 301765.289@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 50eac38de07e8ee954961748fbf25192d1b2670c
      
https://github.com/WebKit/WebKit/commit/50eac38de07e8ee954961748fbf25192d1b2670c
  Author: Dan Robson <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/API/MARReportCrashPrivate.h
    M Source/bmalloc/libpas/src/libpas/pas_report_crash_pgm_report.h

  Log Message:
  -----------
  Revert 8f45008386bc. rdar://164275494

    This reverts commit 6f61a491c423220ea4e507703ae5d9734b385705.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: e93967ef8cb65b25ba11f98b00f95c9656df758b
      
https://github.com/WebKit/WebKit/commit/e93967ef8cb65b25ba11f98b00f95c9656df758b
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-11 (Tue, 11 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 6637d428b834170bf55b7692af630fa1f8c5144e
      
https://github.com/WebKit/WebKit/commit/6637d428b834170bf55b7692af630fa1f8c5144e
  Author: Elijah Sawyers <[email protected]>
  Date:   2025-11-11 (Tue, 11 Nov 2025)

  Changed paths:
    M Source/WebKit/Shared/Extensions/WebExtensionSQLiteStore.cpp
    M Source/WebKit/UIProcess/Extensions/API/WebExtensionContextAPIDeclarativeNetRequest.cpp

  Log Message:
  -----------
  Cherry-pick 2c40b8db2d24. rdar://164436702

    Crash in WebKit: WTF::Detail::CallableWrapper<WebKit::WebExtensionContext::updateDeclarativeNetRequestRulesInStorage
    https://bugs.webkit.org/show_bug.cgi?id=302274
    rdar://164266092

    Reviewed by Timothy Hatcher.

    This patch fixes a crash where the savepoint identifier is being accessed without first checking
    that it's non-null. To fix this, return an error if we don't have a savepoint identifier.

    These changes also include cleanup to use isEmpty rather than length when checking for an error
    message.

    * Source/WebKit/Shared/Extensions/WebExtensionSQLiteStore.cpp:
    (WebKit::WebExtensionSQLiteStore::deleteDatabase):
    (WebKit::WebExtensionSQLiteStore::createSavepoint):
    * Source/WebKit/UIProcess/Extensions/API/WebExtensionContextAPIDeclarativeNetRequest.cpp:
    (WebKit::WebExtensionContext::updateDeclarativeNetRequestRulesInStorage):
    (WebKit::WebExtensionContext::declarativeNetRequestGetDynamicRules):
    (WebKit::WebExtensionContext::declarativeNetRequestGetSessionRules):

    Canonical link: https://commits.webkit.org/302816@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: d3c76d80e192a44545fce150cb87f10024476bc2
      
https://github.com/WebKit/WebKit/commit/d3c76d80e192a44545fce150cb87f10024476bc2
  Author: Keith Miller <[email protected]>
  Date:   2025-11-11 (Tue, 11 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Cherry-pick 6d14496d4801. rdar://164506723

    Validate proven values for MaterializeNewArrayWithButterfly at FTL lowering time
    https://bugs.webkit.org/show_bug.cgi?id=302338
    rdar://164352313

    Reviewed by Yijia Huang.

    We're seeing crashes in that ASSERT in the AbstractInterpreter. Let's try
    moving the validation to where it's actually important that it's true,
    which is at lowering.

    No new tests, speculative fix.

    Canonical link: https://commits.webkit.org/302860@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: a2033bd0d7b19efc815a84f9bbf38d55df3bea66
      
https://github.com/WebKit/WebKit/commit/a2033bd0d7b19efc815a84f9bbf38d55df3bea66
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-11 (Tue, 11 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: f10444edf3eb36837547fe5f7f5ac22cd53d5a13
      
https://github.com/WebKit/WebKit/commit/f10444edf3eb36837547fe5f7f5ac22cd53d5a13
  Author: Russell Epstein <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7623.1.14.10.5

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 86521be4e326427a45cfa61b4cce634ed762496b
      
https://github.com/WebKit/WebKit/commit/86521be4e326427a45cfa61b4cce634ed762496b
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 69353dbe417e4fbdb7c8e026233723eb371f3a49
      
https://github.com/WebKit/WebKit/commit/69353dbe417e4fbdb7c8e026233723eb371f3a49
  Author: Simon Fraser <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm

  Log Message:
  -----------
  Cherry-pick 83f756682c28. rdar://164567093

    Possible crash in WebPage::updateVisibleContentRects()
    https://bugs.webkit.org/show_bug.cgi?id=302349
    rdar://164259731

    Reviewed by Abrar Rahman Protyasha.

    Crash data suggest we can crash accessing `*frameView.scrollingNodeID()`. Protect against
    this in two ways. First, ensure the FrameView is kept alive with a RefPtr on the stack.
    Second, check that `frameView.scrollingNodeID()` is set before accessing it.

    * Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:
    (WebKit::WebPage::updateVisibleContentRects):

    Canonical link: https://commits.webkit.org/302911@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: fe55d78d0f06d6c425dec75589df4e2261ce1feb
      
https://github.com/WebKit/WebKit/commit/fe55d78d0f06d6c425dec75589df4e2261ce1feb
  Author: Antti Koivisto <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Source/WebCore/style/calc/StyleCalculationTree+Traversal.h
    M Source/WebCore/style/calc/StyleCalculationTree.cpp
    M Source/WebCore/style/calc/StyleCalculationTree.h
    M Source/WebCore/style/values/primitives/StyleLengthWrapper+Blending.h

  Log Message:
  -----------
  Cherry-pick 63f824e54433. rdar://164573499

    Limit tree depth when blending Calculation tree with Blend node
    https://bugs.webkit.org/show_bug.cgi?id=302401
    rdar://164138229

    Reviewed by Sam Weinig.

    When blending calc() values we in complex cases add Blend(treeA, treeB, percent) nodes
    to the calculation tree. The values being blended may themselves have been output of blending
    and contain Blend nodes already. It is possible for the nodes to accumulate, creating
    a very deep tree. Recursive algorithms on such a tree may blow up the stack.

    * Source/WebCore/style/calc/StyleCalculationTree+Traversal.h:
    (WebCore::Style::Calculation::forAllChildren):

    Fix this to work in general case.

    * Source/WebCore/style/calc/StyleCalculationTree.cpp:
    (WebCore::Style::Calculation::computeDepth):

    Add a function for computing the tree depth.

    * Source/WebCore/style/calc/StyleCalculationTree.h:
    * Source/WebCore/style/values/primitives/StyleLengthWrapper+Blending.h:
    (WebCore::Style::LengthWrapperBlendingSupport::blendMixedSpecifiedTypes):

    If the tree depth is already >128 don't create a Blend node and just return the target tree.

    Canonical link: https://commits.webkit.org/302921@main

Canonical link: https://commits.webkit.org/[email protected]
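Added example (not WebKit's code and not part of the commit above): a self-contained C++ model of the depth cap the 63f824e54433 log message describes. `CalcNode`, `blend`, `maxTreeDepthForBlend` and `deepestTreeAfterRepeatedBlends` are made-up names; only the limit of 128 and the "return the target tree" fallback come from the message.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Simplified stand-in for a calc() tree node (not WebKit's Style::Calculation types).
struct CalcNode {
    enum class Kind { Leaf, Blend };
    Kind kind { Kind::Leaf };
    double value { 0 };     // used by Leaf
    double progress { 0 };  // used by Blend
    std::vector<std::shared_ptr<const CalcNode>> children; // Blend: { from, to }
};
using CalcTree = std::shared_ptr<const CalcNode>;

// Limit taken from the commit message; the constant's name is made up for this example.
constexpr std::size_t maxTreeDepthForBlend = 128;

CalcTree makeLeaf(double value)
{
    auto node = std::make_shared<CalcNode>();
    node->value = value;
    return node;
}

// Depth of the tree (a lone leaf has depth 1). Uses an explicit work list so that
// measuring an over-deep tree cannot itself exhaust the call stack.
std::size_t computeDepth(const CalcTree& root)
{
    std::size_t deepest = 0;
    std::vector<std::pair<const CalcNode*, std::size_t>> work;
    if (root)
        work.emplace_back(root.get(), 1);
    while (!work.empty()) {
        std::pair<const CalcNode*, std::size_t> item = work.back();
        work.pop_back();
        if (item.second > deepest)
            deepest = item.second;
        for (const auto& child : item.first->children)
            work.emplace_back(child.get(), item.second + 1);
    }
    return deepest;
}

// Blend two trees. With enforceLimit set, an input that is already deeper than the
// limit is not wrapped in another Blend node; the target tree is returned as-is.
CalcTree blend(const CalcTree& from, const CalcTree& to, double progress, bool enforceLimit)
{
    if (enforceLimit
        && (computeDepth(from) > maxTreeDepthForBlend || computeDepth(to) > maxTreeDepthForBlend))
        return to;
    auto node = std::make_shared<CalcNode>();
    node->kind = CalcNode::Kind::Blend;
    node->progress = progress;
    node->children = { from, to };
    return node;
}

// Feed each blend result back in as the next "from" value, as happens when an
// already-blended value is blended again, and report the deepest tree seen.
std::size_t deepestTreeAfterRepeatedBlends(std::size_t rounds, bool enforceLimit)
{
    CalcTree current = makeLeaf(0);
    std::size_t deepest = computeDepth(current);
    for (std::size_t i = 0; i < rounds; ++i) {
        current = blend(current, makeLeaf(static_cast<double>(i)), 0.5, enforceLimit);
        std::size_t depth = computeDepth(current);
        if (depth > deepest)
            deepest = depth;
    }
    return deepest;
}

int main()
{
    std::printf("without limit: %zu\n", deepestTreeAfterRepeatedBlends(1000, false));
    std::printf("with limit:    %zu\n", deepestTreeAfterRepeatedBlends(1000, true));
    return 0;
}
```

Without the check the depth grows by one per blend; with it the tree never exceeds the limit plus the one Blend node added just before the check starts firing.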


  Commit: ac53c6086f25d39b8642480fb6b5a69eebfbdf1c
      
https://github.com/WebKit/WebKit/commit/ac53c6086f25d39b8642480fb6b5a69eebfbdf1c
  Author: Alan Baradlay <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp
    M Source/WebCore/rendering/FloatingObjects.cpp
    M Source/WebCore/rendering/FloatingObjects.h
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/updating/RenderTreeBuilder.cpp

  Log Message:
  -----------
  Cherry-pick ccb42032033b. rdar://164557986

    Cherry-pick 7825665ffb56. rdar://164558496

        Crash in WebCore::RenderBox::removeFloatingAndInvalidateForLayout
        https://bugs.webkit.org/show_bug.cgi?id=302360

        Reviewed by Antti Koivisto.

        This is a speculative fix to avoid null-deref in FloatingObject::renderer().

        (Normally a renderer should not outlive its FloatingObject(s), but it may happen when an
        overhanging float generates many FloatingObject across different subtrees and we fail
        to invalidate those subtrees when the renderer goes out of scope.)

        * Source/WebCore/layout/integration/LayoutIntegrationFormattingContextLayout.cpp:
        (WebCore::LayoutIntegration::layoutWithFormattingContextForBlockInInline):
        * Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
        (WebCore::LayoutIntegration::LineLayout::preparePlacedFloats):
        * Source/WebCore/rendering/FloatingObjects.cpp:
        (WebCore::FloatingObject::copyToNewContainer const):
        (WebCore::FloatingObject::cloneForNewParent const):
        callers ensure we've got valid renderer here.

        (WebCore::FloatingObject::translationOffsetToAncestor const):
        (WebCore::operator<<):
        (WebCore::FindNextFloatLogicalBottomAdapter::collectIfNeeded):
        (WebCore::FloatingObjects::shiftFloatsBy):
        (WebCore::ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded):
        (WebCore::ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatRight>::updateOffsetIfNeeded):
        * Source/WebCore/rendering/FloatingObjects.h:
        (WebCore::FloatingObject::renderer const):
        (WebCore::FloatingObjectHashFunctions::hash):
        (WebCore::FloatingObjectHashFunctions::equal):
        (WebCore::FloatingObjectHashTranslator::equal):
        * Source/WebCore/rendering/RenderBlockFlow.cpp:
        (WebCore::RenderBlockFlow::rebuildFloatingObjectSetFromIntrudingFloats):
        (WebCore::RenderBlockFlow::styleDidChange):
        (WebCore::RenderBlockFlow::addFloatsToNewParent const):
        (WebCore::RenderBlockFlow::repaintOverhangingFloats):
        (WebCore::RenderBlockFlow::paintFloats):
        (WebCore::RenderBlockFlow::clipOutFloatingBoxes):
        (WebCore::RenderBlockFlow::computeLogicalLocationForFloat):
        (WebCore::RenderBlockFlow::positionNewFloats):
        (WebCore::RenderBlockFlow::lowestInitialLetterLogicalBottom const):
        (WebCore::RenderBlockFlow::addOverhangingFloats):
        (WebCore::RenderBlockFlow::addIntrudingFloats):
        (WebCore::RenderBlockFlow::markSiblingsWithFloatsForLayout):
        (WebCore::RenderBlockFlow::flipFloatForWritingModeForChild const):
        (WebCore::RenderBlockFlow::hitTestFloats):
        * Source/WebCore/rendering/RenderBox.cpp:
        (WebCore::RenderBox::addOverflowFromFloatBox):
        (WebCore::RenderBox::updateFloatPainterAfterSelfPaintingLayerChange):
        * Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
        (WebCore::RenderTreeBuilder::removeFloatingObjects):

        Canonical link: https://commits.webkit.org/302908@main

    Identifier: 301765.305@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 340fc380f548e4edd1e3c5683ea28f1227106931
      
https://github.com/WebKit/WebKit/commit/340fc380f548e4edd1e3c5683ea28f1227106931
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: f8b69b1e7839ee67c91bace0b5e82b933f6c69de
      
https://github.com/WebKit/WebKit/commit/f8b69b1e7839ee67c91bace0b5e82b933f6c69de
  Author: Jessica Lee <[email protected]>
  Date:   2025-11-12 (Wed, 12 Nov 2025)

  Changed paths:
    M Source/WebKitLegacy/mac/WebView/WebView.mm

  Log Message:
  -----------
  Cherry-pick cfc6df9eb93c. rdar://164575733

    WebView willStartRenderingUpdateDisplay crashes when _private->page is null
    https://bugs.webkit.org/show_bug.cgi?id=302069
    rdar://164022564

    Reviewed by Chris Dumez and Ryosuke Niwa.

    In the function WebView::_willStartRenderingUpdateDisplay (in WebKitLegacy), the page can
    become null between when it is originally null-checked (`if (_private->page)`) and when
    willStartRenderingUpdateDisplay starts executing. This is due to an increased delay from
    WebThreadLock().

    We should move WebThreadLock() before page->willStartRenderingUpdateDisplay starts executing
    so that the page cannot be manipulated by the WebThread before
    page->willStartRenderingUpdateDisplay runs.

    * Source/WebKitLegacy/mac/WebView/WebView.mm:
    (-[WebView _willStartRenderingUpdateDisplay]):

    Identifier: 301765.266@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 5fc11853392c094026e6e158dc11c8c69352b1b8
      
https://github.com/WebKit/WebKit/commit/5fc11853392c094026e6e158dc11c8c69352b1b8
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-13 (Thu, 13 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: a85be0c8bfd8e42f27ce3bfa140572d3e3dc2ab1
      
https://github.com/WebKit/WebKit/commit/a85be0c8bfd8e42f27ce3bfa140572d3e3dc2ab1
  Author: Kimmo Kinnunen <[email protected]>
  Date:   2025-11-13 (Thu, 13 Nov 2025)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextProxy.h
    M Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.h

  Log Message:
  -----------
  Cherry-pick 4cd951ea3ba2. rdar://164649563

    GPUP: Avoid message check failures on failure to send NativeImages to GPUP
    https://bugs.webkit.org/show_bug.cgi?id=301999
    rdar://164076543

    Reviewed by Mike Wyrzykowski.

    NativeImage send to GPUP might fail due to resource exhaustion (memory,
    file handles) or due to the image not existing due to previous GPUP
    crash.

    Add return value to recordResourceUse() to check if the image was sent
    successfully, and only issue the respective RemoteGraphicsContext
    rendering command in case it was.

    * Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextProxy.cpp:
    (WebKit::RemoteGraphicsContextProxy::clipToImageBuffer):
    (WebKit::RemoteGraphicsContextProxy::drawNativeImage):
    (WebKit::RemoteGraphicsContextProxy::drawSystemImage):
    (WebKit::RemoteGraphicsContextProxy::drawPattern):
    (WebKit::RemoteGraphicsContextProxy::recordResourceUse):
    * Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextProxy.h:
    * Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.cpp:
    (WebKit::RemoteResourceCacheProxy::recordNativeImageUse):
    * Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.h:

    Canonical link: https://commits.webkit.org/302636@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 99de46dffc246a64ea75cf524472daedf90f283a
      
https://github.com/WebKit/WebKit/commit/99de46dffc246a64ea75cf524472daedf90f283a
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-13 (Thu, 13 Nov 2025)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteGraphicsContextProxy.h
    M Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.cpp
    M Source/WebKit/WebProcess/GPU/graphics/RemoteResourceCacheProxy.h

  Log Message:
  -----------
  Revert 4cd951ea3ba2. rdar://164649563

This reverts commit a85be0c8bfd8e42f27ce3bfa140572d3e3dc2ab1.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 51ddab9383e3eab979713598b2bab19c7f787c3d
      
https://github.com/WebKit/WebKit/commit/51ddab9383e3eab979713598b2bab19c7f787c3d
  Author: Brady Eidson <[email protected]>
  Date:   2025-11-13 (Thu, 13 Nov 2025)

  Changed paths:
    M Source/WebKit/Shared/JavaScriptEvaluationResult.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm

  Log Message:
  -----------
  Cherry-pick ea5b70ec2dab. rdar://164138230

    Teach JSExtractor to avoid stack overflow when serializing particularly deep objects
    rdar://164138230

    Reviewed by Geoffrey Garen.

    By being recursive when serializing JavaScript objects for IPC, we became limited by
    stack depth.

    We'll switch JSExtractor to be iterative in rdar://164658717, but for now let's avoid
    crashing the WebContent process by detecting whether or not it is safe to keep recursing.

    Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm

    * Source/WebKit/Shared/JavaScriptEvaluationResult.cpp:
    (WebKit::JavaScriptEvaluationResult::JSExtractor::isSafeToRecurse):
    (WebKit::JavaScriptEvaluationResult::JSExtractor::addObjectToMap):
    (WebKit::JavaScriptEvaluationResult::JSExtractor::toValue):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm:
    ((EvaluateJavaScript, Serialization)):

    Canonical link: https://commits.webkit.org/303006@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: ccb6fffef3630c18a49f107b36f9b11fff2eabbe
      
https://github.com/WebKit/WebKit/commit/ccb6fffef3630c18a49f107b36f9b11fff2eabbe
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-14 (Fri, 14 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: da87dab831eb7d98dd4a9dbf2dc5f1b9c14e8cb1
      
https://github.com/WebKit/WebKit/commit/da87dab831eb7d98dd4a9dbf2dc5f1b9c14e8cb1
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-11-14 (Fri, 14 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp

  Log Message:
  -----------
  Cherry-pick 0cfb4a033f7e. rdar://164593392

    [JSC] StoreBarrierInsertionPhase's escape should mark all transitively incoming values to phi
    https://bugs.webkit.org/show_bug.cgi?id=302502
    rdar://164593392

    Reviewed by Keith Miller and Mark Lam.

    Let's have the following code.

        BB#1
        a: NewObject
        b: NewObject
        ...
        c: Upsilon(@b, ^f)
           Branch(BB#2, BB#3)

        BB#2
        ...
        d: Something
        e: Upsilon(@d, ^f)
           Jump(BB#3)

        BB#3
        f: Phi(@c, @e)
        ...
        g: PutByOffset(@a, @f)
        ...
        h: PutByOffset(@b, ...)
        ...

    Since @b can cause GC, epoch is bumped and @a can be in the old region.
    As a result, in @g, we should insert a StoreBarrier after that. And
    because this old @a can leak @f to the world scanned by concurrent GC,
    we need to escape @f and subsequent code must insert a StoreBarrier when
    @f's properties are modified. However we are marking @f, but not marking
    all incoming values @b and @d propagated through Upsilon. As a result,
    @h can use @b directly (since BB#3 is dominated by BB#1, it is fine),
    and we failed to insert a StoreBarrier after @h since @b is not marked!

    This patch fixes it by marking all transitively incoming values for the
    escaped one. The code will mark the node itself, and then mark all
    incoming nodes when the node is Phi.

    * Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:

    Identifier: 301765.315@safari-7623-branch

Canonical link: https://commits.webkit.org/[email protected]
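Added example (not JavaScriptCore's code and not part of the commit above): a toy C++ model of the marking rule in the 0cfb4a033f7e log message, run on the @a/@b/@d/@f graph it lists. All type and function names are made up for this example; Upsilon nodes are folded into each Phi's incoming list and GC epochs are left out, so only the escaped mark decides whether a barrier follows the store to @b.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Toy SSA graph, not JavaScriptCore's DFG classes. A Phi's `incoming` list holds the
// values its Upsilons deliver (the Upsilon nodes themselves are folded away here).
enum class Op { NewObject, Something, Phi };

struct IRNode {
    std::string name;
    Op op;
    std::vector<std::size_t> incoming;
};

struct IRGraph {
    std::vector<IRNode> nodes;
    std::size_t add(std::string name, Op op, std::vector<std::size_t> incoming = {})
    {
        nodes.push_back(IRNode { std::move(name), op, std::move(incoming) });
        return nodes.size() - 1;
    }
};

using EscapedSet = std::set<std::size_t>;

// "Before" behaviour described in the commit message: only the node itself is marked.
void escapeNodeOnly(const IRGraph&, std::size_t node, EscapedSet& escaped)
{
    escaped.insert(node);
}

// "After" behaviour: mark the node and, when it is a Phi, every value that can flow
// into it, transitively. The already-marked check keeps loop Phis from cycling forever.
void escapeTransitively(const IRGraph& graph, std::size_t node, EscapedSet& escaped)
{
    std::vector<std::size_t> work { node };
    while (!work.empty()) {
        std::size_t current = work.back();
        work.pop_back();
        if (!escaped.insert(current).second)
            continue;
        if (graph.nodes[current].op == Op::Phi) {
            for (std::size_t value : graph.nodes[current].incoming)
                work.push_back(value);
        }
    }
}

struct CommitExample { IRGraph graph; std::size_t a, b, d, f; };

// The graph from the commit message: f = Phi(@b via Upsilon @c, @d via Upsilon @e).
CommitExample buildCommitExample()
{
    CommitExample ex {};
    ex.a = ex.graph.add("a", Op::NewObject);
    ex.b = ex.graph.add("b", Op::NewObject);
    ex.d = ex.graph.add("d", Op::Something);
    ex.f = ex.graph.add("f", Op::Phi, { ex.b, ex.d });
    return ex;
}

// Names marked escaped once g: PutByOffset(@a, @f) leaks @f through the old object @a.
std::set<std::string> escapedAfterStoreG(bool transitive)
{
    CommitExample ex = buildCommitExample();
    EscapedSet escaped;
    if (transitive)
        escapeTransitively(ex.graph, ex.f, escaped);
    else
        escapeNodeOnly(ex.graph, ex.f, escaped);
    std::set<std::string> names;
    for (std::size_t id : escaped)
        names.insert(ex.graph.nodes[id].name);
    return names;
}

// Is a barrier emitted after h: PutByOffset(@b, ...)? In this model: only if @b is marked.
bool barrierInsertedAfterStoreH(bool transitive)
{
    return escapedAfterStoreG(transitive).count("b") > 0;
}

// A loop Phi that feeds itself must not make the marking run forever.
std::size_t escapedCountWithLoopPhi()
{
    IRGraph graph;
    std::size_t x = graph.add("x", Op::NewObject);
    std::size_t p = graph.add("p", Op::Phi, { x });
    graph.nodes[p].incoming.push_back(p); // back edge
    EscapedSet escaped;
    escapeTransitively(graph, p, escaped);
    return escaped.size();
}

int main()
{
    std::printf("barrier after @h, node-only marking:  %d\n", barrierInsertedAfterStoreH(false));
    std::printf("barrier after @h, transitive marking: %d\n", barrierInsertedAfterStoreH(true));
    return 0;
}
```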


  Commit: 31082674a9a715edea0cc288515dee03518e0a9e
      
https://github.com/WebKit/WebKit/commit/31082674a9a715edea0cc288515dee03518e0a9e
  Author: Mark Lam <[email protected]>
  Date:   2025-11-14 (Fri, 14 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/runtime/VMManager.cpp
    M Source/JavaScriptCore/runtime/VMManager.h

  Log Message:
  -----------
  Cherry-pick 01e8c830aad1. rdar://164746049

    VMManager::singleton() is not thread safe.
    https://bugs.webkit.org/show_bug.cgi?id=302540
    rdar://164580639

    Reviewed by Keith Miller.

    VMManager::singleton() may be called concurrently from multiple threads.  Hence,
    the initialization of the singleton instance needs to be done in a thread safe
    manner.  To fix this, we'll switch from using a NeverDestroyed<VMManager> to a
    LazyNeverDestroyed<VMManager>, and initialize it within a std::call_once, which
    is thread safe.

    Testing this requires a race condition that is hard to reproduce.
    Will try to create a test for this in a separate path.

    * Source/JavaScriptCore/runtime/VMManager.cpp:
    (JSC::VMManager::singleton):
    * Source/JavaScriptCore/runtime/VMManager.h:

    Canonical link: https://commits.webkit.org/303054@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 0741f6daafb8a03bda4f5687e286e90db66ab616
      
https://github.com/WebKit/WebKit/commit/0741f6daafb8a03bda4f5687e286e90db66ab616
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-14 (Fri, 14 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/runtime/VMManager.cpp
    M Source/JavaScriptCore/runtime/VMManager.h

  Log Message:
  -----------
  Revert 01e8c830aad1. rdar://164746049

This reverts commit 31082674a9a715edea0cc288515dee03518e0a9e.

Canonical link: https://commits.webkit.org/[email protected]


  Commit: b0e19096934750dbb370d103565442295972712b
      
https://github.com/WebKit/WebKit/commit/b0e19096934750dbb370d103565442295972712b
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-17 (Mon, 17 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 1ba13fd5f3229ccccb04a05d71cb48a8bf1d6adb
      
https://github.com/WebKit/WebKit/commit/1ba13fd5f3229ccccb04a05d71cb48a8bf1d6adb
  Author: Yulun Wu <[email protected]>
  Date:   2025-11-17 (Mon, 17 Nov 2025)

  Changed paths:
    A LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-4-expected.txt
    A LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-4.html
    A LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-5-expected.txt
    A LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-5.html
    M Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp

  Log Message:
  -----------
  Cherry-pick 44bd78d54f85. rdar://164901509

    [text-wrap][pretty] Fix incorrect index in InlineContentConstrainer hyphenation fallback
    https://bugs.webkit.org/show_bug.cgi?id=302553
    <rdar://164680038>

    Reviewed by Alan Baradlay.

    This PR fixes a bug where the hyphenation fallback was using the wrong
    starting inline item position. We should use:

    breakOpportunities[lastValidStateIndex]

    to correctly look up the actual inline item index from
    the break opportunities array.

    This PR also adds bounds checks before accessing the arrays.

    Combined changes:
    * LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-4-expected.txt: Added.
    * LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-4.html: Added.
    * LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-5-expected.txt: Added.
    * LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-5.html: Added.
    * Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp:
    (WebCore::Layout::InlineContentConstrainer::prettifyRange):

    Canonical link: https://commits.webkit.org/303130@main

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 14bb2866af7a2b2085c4cac5b12bcf46b5b52919
      
https://github.com/WebKit/WebKit/commit/14bb2866af7a2b2085c4cac5b12bcf46b5b52919
  Author: Mohsin Qureshi <[email protected]>
  Date:   2025-11-18 (Tue, 18 Nov 2025)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7

Canonical link: https://commits.webkit.org/[email protected]


  Commit: 236437e74d367d502665cff9fc81bfe92585d16a
      
https://github.com/WebKit/WebKit/commit/236437e74d367d502665cff9fc81bfe92585d16a
  Author: Sihui Liu <[email protected]>
  Date:   2025-11-18 (Tue, 18 Nov 2025)

  Changed paths:
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  Cherry-pick a8867a943aab. rdar://164964499

    Null dereference of m_policyDocumentLoader in FrameLoader::continueLoadAfterNavigationPolicy()
    rdar://164964499
    https://bugs.webkit.org/show_bug.cgi?id=302721

    Reviewed by Rupin Mittal, Per Arne Vollan, and Matthew Finkel.

    Add a null check for m_policyDocumentLoader before accessing it.

    * Source/WebCore/loader/FrameLoader.cpp:
    (WebCore::FrameLoader::continueLoadAfterNavigationPolicy):

    Canonical link: https://commits.webkit.org/303212@main

Canonical link: https://commits.webkit.org/[email protected]


Compare: https://github.com/WebKit/WebKit/compare/17ab777a94b5%5E...236437e74d36
