Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 672cdd38781cce183724930a1d2e31ca4dc2008d
      
https://github.com/WebKit/WebKit/commit/672cdd38781cce183724930a1d2e31ca4dc2008d
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    A JSTests/stress/private-names-seal-freeze.js
    M Source/JavaScriptCore/runtime/PropertyTable.cpp

  Log Message:
  -----------
  [JSC] Don't set attributes on private fields when sealing/freezing
https://bugs.webkit.org/show_bug.cgi?id=303357
rdar://165252763

Reviewed by Yusuke Suzuki and Mark Lam.

This PR makes it such that when sealing and freezing objects, entries in the
PropertyTable that are private fields do not change their attributes.  Private
fields are not properties from the spec's point of view, and thus don't have
attributes.

Ensuring private field entries simplifies assumptions in the JITs, as they can
assume having attributes when setting a property results in a structure
transition.

Test: JSTests/stress/private-names-seal-freeze.js

Originally-landed-as: 301765.343@safari-7623-branch (b6b02057f0c4). 
rdar://171560076
Canonical link: https://commits.webkit.org/308512@main
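
The language-level behaviour behind the commit above, as an added example (not the commit's JSTests/stress/private-names-seal-freeze.js and not WebKit code): sealing or freezing changes the attributes of ordinary properties, while a private field stays writable and invisible to reflection. The `Account` class and `observe` helper are hypothetical names.

```javascript
// Added illustration of the language-level behaviour; not the commit's
// JSTests/stress/private-names-seal-freeze.js. All names are hypothetical.
class Account {
  #balance = 0;        // private field: not a property, carries no attributes
  label = "checking";  // ordinary data property: has attributes
  deposit(n) { this.#balance += n; return this.#balance; }
  static isAccount(o) { return #balance in o; }
}

// Apply Object.seal or Object.freeze and record what script can observe.
function observe(integrityFn) {
  const acct = new Account();
  acct.deposit(1);
  integrityFn(acct);
  // Descriptor is captured before the write attempt below.
  const desc = Object.getOwnPropertyDescriptor(acct, "label");
  return {
    sealed: Object.isSealed(acct),
    frozen: Object.isFrozen(acct),
    labelWritable: desc.writable,
    labelConfigurable: desc.configurable,
    // Reflect.set reports failure as false instead of throwing.
    publicWriteOk: Reflect.set(acct, "label", "savings"),
    // The private field is still mutable through the class's own method.
    privateAfterWrite: acct.deposit(41),
    brandIntact: Account.isAccount(acct),
    // Private names never appear among own keys.
    ownKeys: Reflect.ownKeys(acct),
  };
}

const afterSeal = observe(Object.seal);
const afterFreeze = observe(Object.freeze);
console.log(afterSeal, afterFreeze);
```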


  Commit: 199f8663c39b5b9ff9dfd0be6369ac6ada7e9d87
      
https://github.com/WebKit/WebKit/commit/199f8663c39b5b9ff9dfd0be6369ac6ada7e9d87
  Author: Abrar Rahman Protyasha <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm

  Log Message:
  -----------
  UI process crash due to non-main thread UIGestureRecognizer access in ImageAnalysisGestureDeferralToken
rdar://165459416

Reviewed by Ryosuke Niwa and Aditya Keerthi.

Due to system changes (likely under VKCImageAnalyzer), completions
passed to -processRequest:progressHandler:completionHandler: can now be
dispatched on background threads.

This means that ~ImageAnalysisGestureDeferralToken ends up executing on
said background thread, which ends up in a non-main thread access/write
of WKDeferringGestureRecognizer. This is against the UIGestureRecognizer
API contract.

To fix this, we simply ensure a main runloop hop before executing the
business logic in ~ImageAnalysisGestureDeferralToken.

No test since I was unable to force the request processing cleanup to
fire in a non-main thread.

* Source/WebKit/UIProcess/ios/WKContentViewInteraction.mm:

Originally-landed-as: 301765.349@safari-7623-branch (2da2d8c81eb9). 
rdar://171559882
Canonical link: https://commits.webkit.org/308513@main


  Commit: f45f20af9c44bf1de287a53dbfd644a7e75e3b38
      
https://github.com/WebKit/WebKit/commit/f45f20af9c44bf1de287a53dbfd644a7e75e3b38
  Author: Anthony Tarbinian <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    A LayoutTests/workers/worker-set-delete-terminate-crash-expected.txt
    A LayoutTests/workers/worker-set-delete-terminate-crash.html
    M Source/JavaScriptCore/runtime/OrderedHashTableHelper.h

  Log Message:
  -----------
  [JSC] Modifying storage in OrderedHashTableHelper should DeferTerminationForAWhile
https://bugs.webkit.org/show_bug.cgi?id=303658
rdar://162356649

Reviewed by Keith Miller.

When resizing storage in OrderedHashTableHelper (via addImpl or shrinkIfNeeded),
it's possible to leave the storage in an inconsistent state if we handle a
termination exception. For consistency, we should DeferTerminationForAWhile
until the storage has been fully updated.

Test: workers/worker-set-delete-terminate-crash.html

* LayoutTests/workers/worker-set-delete-terminate-crash-expected.txt: Added.
* LayoutTests/workers/worker-set-delete-terminate-crash.html: Added.
* Source/JavaScriptCore/runtime/OrderedHashTableHelper.h:
(JSC::OrderedHashTableHelper::addImpl):
(JSC::OrderedHashTableHelper::shrinkIfNeeded):

Originally-landed-as: 301765.357@safari-7623-branch (eccc2eed44f9). 
rdar://171559517
Canonical link: https://commits.webkit.org/308514@main


  Commit: f37a6731b01fb0ea991fddc7091d9c9680daf9c2
      
https://github.com/WebKit/WebKit/commit/f37a6731b01fb0ea991fddc7091d9c9680daf9c2
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M Source/WebCore/platform/graphics/avfoundation/AudioVideoRendererAVFObjC.mm

  Log Message:
  -----------
  com.apple.WebKit.GPU at WebCore:  WebCore::AudioVideoRendererAVFObjC::addTrack
https://bugs.webkit.org/show_bug.cgi?id=302044
rdar://163901063

Reviewed by Youenn Fablet.

To get around a SaferCPP static analyser false-positive we had switched the
order of where the retain was being applied.
The underlying SaferCPP false positive has been silenced in 299825@main, so
we no longer need that workaround.

In addition, should we fail to allocate the related layer (audio or video)
we will treat it as an error rather than fail silently and break playback.

* Source/WebCore/platform/graphics/avfoundation/AudioVideoRendererAVFObjC.mm:
(WebCore::AudioVideoRendererAVFObjC::AudioVideoRendererAVFObjC):
(WebCore::AudioVideoRendererAVFObjC::addAudioRenderer):
(WebCore::AudioVideoRendererAVFObjC::ensureLayer):
(WebCore::AudioVideoRendererAVFObjC::ensureVideoRenderer):

Originally-landed-as: 301765.360@safari-7623-branch (ab343b737e64). 
rdar://171559110
Canonical link: https://commits.webkit.org/308515@main


  Commit: 7afdc436a98c9771c5eb23a00db3211b7dcb3575
      
https://github.com/WebKit/WebKit/commit/7afdc436a98c9771c5eb23a00db3211b7dcb3575
  Author: Jer Noble <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M Source/WebCore/platform/audio/AudioResamplerKernel.cpp

  Log Message:
  -----------
  Integer underflow in AudioResamplerKernel::getSourceSpan()
rdar://162552376
https://bugs.webkit.org/show_bug.cgi?id=303959

Reviewed by Eric Carlson.

Protect against underflows when calculating the number of
source frames needed using WTF::safeSub().

* Source/WebCore/platform/audio/AudioResamplerKernel.cpp:
(WebCore::AudioResamplerKernel::getSourceSpan):

Originally-landed-as: 301765.369@safari-7623-branch (ee36b92f6f9f). 
rdar://171558934
Canonical link: https://commits.webkit.org/308516@main


Compare: https://github.com/WebKit/WebKit/compare/0cec9abc2b8a...7afdc436a98c
