Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: 900aebdc0cb07a14d4425ad20558a0432a3ff2c1
https://github.com/WebKit/WebKit/commit/900aebdc0cb07a14d4425ad20558a0432a3ff2c1
Author: Fady Farag <[email protected]>
Date: 2026-02-28 (Sat, 28 Feb 2026)
Changed paths:
M Source/WebCore/style/values/primitives/StylePrimitiveNumericTypes+Conversions.h
Log Message:
-----------
Cherry-pick 308334@main (e7eeb67afdd4).
https://bugs.webkit.org/show_bug.cgi?id=308791
Address Use-After-Move in primitives/StylePrimitiveNumericTypes+Conversions
https://bugs.webkit.org/show_bug.cgi?id=308791
rdar://171322473
Reviewed by Chris Dumez.
This fixes a use-after-move where the use and forward are unsequenced.
* Source/WebCore/style/values/primitives/StylePrimitiveNumericTypes+Conversions.h:
Canonical link: https://commits.webkit.org/308334@main
Canonical link: https://commits.webkit.org/298234.438@webkitglib/2.50
Commit: 13043d084ac1a6ddb1613fad10de4c78a76f2135
https://github.com/WebKit/WebKit/commit/13043d084ac1a6ddb1613fad10de4c78a76f2135
Author: Philippe Normand <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp
Log Message:
-----------
Cherry-pick 308191@main (537ca0fddc86).
https://bugs.webkit.org/show_bug.cgi?id=285752
[GTK][WPE][GStreamer] imported/w3c/web-platform-tests/mediacapture-record/MediaRecorder-mimetype.html flaky crash
https://bugs.webkit.org/show_bug.cgi?id=285752
Reviewed by Xabier Rodriguez-Calvar.
Create new stream-start events within the mediastreamsrc pad probe in order to avoid potentially
undefined behavior of data->streamStartEvent re-assignments leading to rare flaky crashes.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp:
(webkitMediaStreamSrcPadProbeCb):
(webkitMediaStreamSrcAddTrack):
Canonical link: https://commits.webkit.org/308191@main
Canonical link: https://commits.webkit.org/298234.439@webkitglib/2.50
Commit: ff1f645fc0149e755b0515139e9f86d4d890280b
https://github.com/WebKit/WebKit/commit/ff1f645fc0149e755b0515139e9f86d4d890280b
Author: Charlie Wolfe <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 308176@main (be4914eab1fe).
https://bugs.webkit.org/show_bug.cgi?id=308572
Crash in `WebPageProxy::viewWillStartLiveResize`
https://bugs.webkit.org/show_bug.cgi?id=308572
rdar://170836812
Reviewed by Rupin Mittal.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::viewWillStartLiveResize):
(WebKit::WebPageProxy::viewWillEndLiveResize):
Canonical link: https://commits.webkit.org/308176@main
Canonical link: https://commits.webkit.org/298234.440@webkitglib/2.50
Commit: b57249090d0156545bc94a2f91724ef409e72d4d
https://github.com/WebKit/WebKit/commit/b57249090d0156545bc94a2f91724ef409e72d4d
Author: Fady Farag <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Log Message:
-----------
Cherry-pick 308285@main (972d0abe03ba).
https://bugs.webkit.org/show_bug.cgi?id=308697
Address Use-After-Move in csp/ContentSecurityPolicy
https://bugs.webkit.org/show_bug.cgi?id=308697
rdar://171230905
Reviewed by Chris Dumez.
This fixes a use-after-move where the use happens in a
later loop iteration than the forward.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::requires):
(WebCore::ContentSecurityPolicy::allPoliciesWithDispositionAllow const):
(WebCore::ContentSecurityPolicy::allPoliciesAllow const):
Canonical link: https://commits.webkit.org/308285@main
Canonical link: https://commits.webkit.org/298234.441@webkitglib/2.50
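The loop form of use-after-move that the ContentSecurityPolicy commit message describes, as an added C++ illustration; it is not WebKit code, and `Policy`, `anyRejectsForwarding`, `anyRejectsFixed` and the host names are hypothetical. It shows how a forwarded argument leaves later iterations checking an empty value, so a policy that should reject is silently skipped.

```cpp
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a policy check that takes its argument by value.
struct Policy {
    std::string blockedHost;
    bool rejects(std::vector<std::string> hosts) const
    {
        for (auto& host : hosts) {
            if (host == blockedHost)
                return true;
        }
        return false;
    }
};

// Buggy shape: std::forward moves `hosts` into the first call, so every later
// iteration checks a moved-from (empty) vector.
template<typename Arg>
bool anyRejectsForwarding(const std::vector<Policy>& policies, Arg&& hosts)
{
    for (auto& policy : policies) {
        if (policy.rejects(std::forward<Arg>(hosts)))
            return true;
    }
    return false;
}

// Fixed shape: pass the named parameter as an lvalue so each call gets a copy.
template<typename Arg>
bool anyRejectsFixed(const std::vector<Policy>& policies, Arg&& hosts)
{
    for (auto& policy : policies) {
        if (policy.rejects(hosts))
            return true;
    }
    return false;
}

// Constructed input: only the second policy blocks the requested host.
bool secondPolicyRejects(bool fixed)
{
    std::vector<Policy> policies { Policy { "ads.example" }, Policy { "evil.example" } };
    std::vector<std::string> hosts { "evil.example" };
    return fixed ? anyRejectsFixed(policies, std::move(hosts))
                 : anyRejectsForwarding(policies, std::move(hosts));
}
```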
Commit: 982f64c4b94ba63fb617724580cf668e9a459dd6
https://github.com/WebKit/WebKit/commit/982f64c4b94ba63fb617724580cf668e9a459dd6
Author: Megan Gardner <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/page/LocalFrameView.cpp
Log Message:
-----------
Cherry-pick 307309@main (bd51478378ae).
https://bugs.webkit.org/show_bug.cgi?id=307565
CrashTracer: com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::LocalFrameView::scrollToPendingTextFragmentRange
https://bugs.webkit.org/show_bug.cgi?id=307565
rdar://170031653
Reviewed by Aditya Keerthi.
Speculative Fix.
* Source/WebCore/page/LocalFrameView.cpp:
(WebCore::LocalFrameView::scrollToPendingTextFragmentRange):
Canonical link: https://commits.webkit.org/307309@main
Canonical link: https://commits.webkit.org/298234.442@webkitglib/2.50
Commit: 5d0279ac3d814f04d481ce6256fdaa116f8a1242
https://github.com/WebKit/WebKit/commit/5d0279ac3d814f04d481ce6256fdaa116f8a1242
Author: Charlie Wolfe <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebKit/UIProcess/SpeechRecognitionServer.cpp
Log Message:
-----------
Cherry-pick 308166@main (fc1b5e8317bd).
https://bugs.webkit.org/show_bug.cgi?id=308570
Crash in `SpeechRecognitionServer::sendUpdate`
https://bugs.webkit.org/show_bug.cgi?id=308570
rdar://140082708
Reviewed by Rupin Mittal.
sendUpdate() can be called after the web process has been terminated. Don't
send a message in this case to avoid crashing.
* Source/WebKit/UIProcess/SpeechRecognitionServer.cpp:
(WebKit::SpeechRecognitionServer::sendUpdate):
Canonical link: https://commits.webkit.org/308166@main
Canonical link: https://commits.webkit.org/298234.443@webkitglib/2.50
Commit: 8a2c8a97dfd3af0fdb68d49fc58e1163aca8085a
https://github.com/WebKit/WebKit/commit/8a2c8a97dfd3af0fdb68d49fc58e1163aca8085a
Author: Sosuke Suzuki <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp
M Source/JavaScriptCore/runtime/IntlObject.cpp
Log Message:
-----------
Cherry-pick 308423@main (1566af375f80).
https://bugs.webkit.org/show_bug.cgi?id=308919
[JSC] Use `std::unique_ptr` for ICU resources in Intl to fix `UEnumeration` leak
https://bugs.webkit.org/show_bug.cgi?id=308919
Reviewed by Yusuke Suzuki.
availableNamedTimeZoneIdentifier() leaks a UEnumeration on every call
with a valid timezone name, because the early return on match skips
uenum_close(). Measured leak is ~210 bytes per Intl.DateTimeFormat
creation with a named timeZone.
Also convert the other raw ICU pointers in these files to
std::unique_ptr with ICUDeleter for consistency. They were not leaking,
but the same file already uses std::unique_ptr for the same ICU APIs
elsewhere.
* Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp:
(JSC::availableNamedTimeZoneIdentifier):
(JSC::IntlDateTimeFormat::localeData):
* Source/JavaScriptCore/runtime/IntlObject.cpp:
(JSC::numberingSystemsForLocale):
Canonical link: https://commits.webkit.org/308423@main
Canonical link: https://commits.webkit.org/298234.444@webkitglib/2.50
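The early-return leak and the owning-pointer fix described in the Intl commit message, as an added C++ illustration that is not the JavaScriptCore code. `FakeEnum`, `fakeOpen`, `fakeNext`, `fakeClose` and `FakeEnumDeleter` are constructed stand-ins for an ICU-style enumeration, and open handles are counted rather than heap-allocated.

```cpp
#include <memory>
#include <string_view>

// Constructed stand-in for an ICU-style enumeration; these are not ICU functions.
struct FakeEnum { int index; };
static FakeEnum g_enum;        // single static slot, so nothing is heap-allocated
static int g_openHandles = 0;  // opens that have not been matched by a close
static const char* const kZones[] = { "UTC", "Asia/Tokyo", "Europe/Paris" };

FakeEnum* fakeOpen() { g_enum.index = 0; ++g_openHandles; return &g_enum; }
void fakeClose(FakeEnum*) { --g_openHandles; }
const char* fakeNext(FakeEnum* e) { return e->index < 3 ? kZones[e->index++] : nullptr; }

// Leaky shape: the early return on a match skips fakeClose().
bool isKnownZoneLeaky(std::string_view name)
{
    FakeEnum* e = fakeOpen();
    while (const char* zone = fakeNext(e)) {
        if (name == zone)
            return true;
    }
    fakeClose(e);
    return false;
}

struct FakeEnumDeleter {
    void operator()(FakeEnum* e) const { fakeClose(e); }
};

// Fixed shape: the owning pointer closes the handle on every return path.
bool isKnownZoneFixed(std::string_view name)
{
    std::unique_ptr<FakeEnum, FakeEnumDeleter> e(fakeOpen());
    while (const char* zone = fakeNext(e.get())) {
        if (name == zone)
            return true;
    }
    return false;
}

// Returns how many handles remain open after `calls` lookups of a valid zone.
int handlesLeftOpen(bool fixed, int calls)
{
    g_openHandles = 0;
    for (int i = 0; i < calls; ++i) {
        bool found = fixed ? isKnownZoneFixed("Asia/Tokyo") : isKnownZoneLeaky("Asia/Tokyo");
        if (!found)
            return -1;
    }
    return g_openHandles;
}
```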
Commit: e8cd0f61201fdd07c5043c929fc797df24ed82aa
https://github.com/WebKit/WebKit/commit/e8cd0f61201fdd07c5043c929fc797df24ed82aa
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/wasm/stress/b3-reduceStrength-trunc-sshr-add-unaligned.js
M Source/JavaScriptCore/b3/B3ReduceStrength.cpp
M Source/JavaScriptCore/b3/testb3.h
M Source/JavaScriptCore/b3/testb3_1.cpp
M Source/JavaScriptCore/b3/testb3_7.cpp
Log Message:
-----------
Cherry-pick 308417@main (1c537b0aea64).
https://bugs.webkit.org/show_bug.cgi?id=308722
[JSC] Unsound optimization in ReduceStrength regarding Int52-to-Int32 conversion pattern
https://bugs.webkit.org/show_bug.cgi?id=308722
rdar://171147977
Reviewed by Yijia Huang and Keith Miller.
The optimization is assuming that constant value's lower 12 bits are
zero, otherwise, addition can carry one bit. This patch ensures that
constant is not having lower 12 bits.
Tests: JSTests/wasm/stress/b3-reduceStrength-trunc-sshr-add-unaligned.js
Source/JavaScriptCore/b3/testb3_1.cpp
Source/JavaScriptCore/b3/testb3_7.cpp
* JSTests/wasm/stress/b3-reduceStrength-trunc-sshr-add-unaligned.js: Added.
(expected):
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp:
* Source/JavaScriptCore/b3/testb3.h:
* Source/JavaScriptCore/b3/testb3_1.cpp:
(run):
* Source/JavaScriptCore/b3/testb3_7.cpp:
(testTruncSShrAddUnalignedConstant):
Canonical link: https://commits.webkit.org/308417@main
Canonical link: https://commits.webkit.org/298234.445@webkitglib/2.50
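The carry described in the ReduceStrength commit message, worked through in C++ as an added example that is not B3 code. The rewrite shape is an assumption inferred from the test names on this page (Trunc, SShr, Add): `original`, `reduced`, `constantIsAligned` and `countMismatches` are hypothetical names.

```cpp
#include <cstdint>

constexpr int kShift = 12;

// Original shape: 64-bit add, arithmetic shift right by 12, truncate to 32 bits.
int32_t original(int64_t x, int64_t c)
{
    return static_cast<int32_t>((x + c) >> kShift);
}

// Assumed reduced shape: shift each operand first, then add in 32 bits.
int32_t reduced(int64_t x, int64_t c)
{
    uint32_t sum = static_cast<uint32_t>(x >> kShift) + static_cast<uint32_t>(c >> kShift);
    return static_cast<int32_t>(sum);
}

// The guard the commit message states: the constant's lower 12 bits must be zero.
bool constantIsAligned(int64_t c)
{
    return !(c & ((int64_t { 1 } << kShift) - 1));
}

// Counts inputs in [-2^14, 2^14) where the two shapes disagree for constant c.
int countMismatches(int64_t c)
{
    int mismatches = 0;
    for (int64_t x = -(int64_t { 1 } << 14); x < (int64_t { 1 } << 14); ++x) {
        if (original(x, c) != reduced(x, c))
            ++mismatches;
    }
    return mismatches;
}
```

With an aligned constant the two shapes agree on every input; with `c = 1` they disagree whenever the low 12 bits of `x` are all ones, because the add carries into bit 12 before the shift.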
Compare: https://github.com/WebKit/WebKit/compare/f7749db9c9cc...e8cd0f61201f