Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 20441aae5f2364cea956c1523c32b31a21415720
https://github.com/WebKit/WebKit/commit/20441aae5f2364cea956c1523c32b31a21415720
Author: Youenn Fablet <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/loader/cache/CachedResourceLoader.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm
Log Message:
-----------
Cherry-pick 301765.328@safari-7623-branch (00c47cad6649). rdar://158416842
Safari allows CSRF by resetting the Sec-Fetch-Site header on refresh
rdar://158416842
Reviewed by Chris Dumez.
In case of form resubmition, we were recomputing Sec-Fetch-Site and friends
from the destination origin, which was wrong.
Instead, given we already computed the Sec headers, we reuse them when
resubmitting a form.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::shouldReuseExistingFetchMetadata):
(WebCore::shouldUpdateFetchMetadata):
(WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm:
(TEST(Navigation, FormResubmited)):
Identifier: 301765.328@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.126@webkitglib/2.52
Commit: ab44c655e8bb71d4ab05ec3709f9e064476d62c4
https://github.com/WebKit/WebKit/commit/ab44c655e8bb71d4ab05ec3709f9e064476d62c4
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M JSTests/stress/regexp-duplicate-named-captures.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
M Source/JavaScriptCore/yarr/YarrJIT.cpp
M Source/JavaScriptCore/yarr/YarrPattern.cpp
M Source/JavaScriptCore/yarr/YarrPattern.h
Log Message:
-----------
Cherry-pick 301765.330@safari-7623-branch (3b3f8ae21a23).
https://bugs.webkit.org/show_bug.cgi?id=302560
[JSC] Distinguish named and numbered backreferences in Yarr
https://bugs.webkit.org/show_bug.cgi?id=302560
rdar://164402403
Reviewed by Keith Miller.
The duplicate named capture group feature added the ability to have
duplicate
capture group names so long as they're in different disjuncts. The
semantics is
to check if any of the capture groups with the same name matched. There
can be
a maximum of one match as they are restricted to different disjuncts. In
this
case, Yarr mints a special "duplicated named groups group" id along with an
indirection table that can check if any of the groups with the same name
matched.
Currently both named and numbered backreferences are compiled to the same
PatternTerm and ByteTerm type, with named capture groups resolved to the
numbers. If the capture group number is part of a duplicated name groups
group,
the special id is used instead.
The problem is that that duplicated named group resolution is done even when
the backreference was explicitly numbered. That is, in
/(?<k>...)|(?<k>...\1)/,
\1 is supposed to refer to the first parentheses, but ends up referring to
both
disjuncts. As shown in this example, this can be recursive!
This recursion can manifest as out of bounds when doing backtracking,
because
you can end up matching a group of size N, match a disjunct of size M, then
backtrack expecting to undo size N, but end up rewinding size M.
This PR fixes this issue by distinguishing numbered and named backreference
PatternTerms, and only performing the duplicate named group logic for named
backreferences.
A new test function is added to regexp-duplicate-named-capture.js
Identifier: 301765.330@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.127@webkitglib/2.52
Commit: ab0b9d426c2b9f150442bc94fbab9582221706ef
https://github.com/WebKit/WebKit/commit/ab0b9d426c2b9f150442bc94fbab9582221706ef
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/wasm/gc/struct-new-default-v128.js
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
Cherry-pick 301765.340@safari-7623-branch (4241fa8b2343).
https://bugs.webkit.org/show_bug.cgi?id=302906
[JSC] Initialize V128 correctly for struct.new_default
https://bugs.webkit.org/show_bug.cgi?id=302906
rdar://163912308
Reviewed by Yusuke Suzuki, Yijia Huang, and Dan Hecht.
Initialize v128 fields in struct.new_default with a v128_t { }.
Also drive-by changes array.new_default to use the constant() helper.
Test: JSTests/wasm/gc/struct-new-default-v128.js
Identifier: 301765.340@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.128@webkitglib/2.52
Commit: edaca0e74b78c210eef3b612697508e033376645
https://github.com/WebKit/WebKit/commit/edaca0e74b78c210eef3b612697508e033376645
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/private-names-seal-freeze.js
M Source/JavaScriptCore/runtime/PropertyTable.cpp
Log Message:
-----------
Cherry-pick 301765.343@safari-7623-branch (b6b02057f0c4).
https://bugs.webkit.org/show_bug.cgi?id=303357
[JSC] Don't set attributes on private fields when sealing/freezing
https://bugs.webkit.org/show_bug.cgi?id=303357
rdar://165252763
Reviewed by Yusuke Suzuki and Mark Lam.
This PR makes it such that when sealing and freezing objects, entries in the
PropertyTable that are private fields do not change their attributes.
Private
fields are not properties from the spec's point of view, and thus don't have
attributes.
Ensuring private field entries simplifies assumptions in the JITs, as they
can
assume having attributes when setting a property results in a structure
transition.
Test: JSTests/stress/private-names-seal-freeze.js
Identifier: 301765.343@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.129@webkitglib/2.52
Commit: e43cdb17a7235c862216900e666e4be140444af9
https://github.com/WebKit/WebKit/commit/e43cdb17a7235c862216900e666e4be140444af9
Author: Chris Dumez <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/html/canvas/EXTDisjointTimerQueryWebGL2.cpp
Log Message:
-----------
Cherry-pick 301765.347@safari-7623-branch (fabe69c2dcb4).
https://bugs.webkit.org/show_bug.cgi?id=303348
Unsafe argument capture in EXTDisjointTimerQueryWebGL2::queryCounterEXT()
https://bugs.webkit.org/show_bug.cgi?id=303348
rdar://165125247
Reviewed by Brent Fulgham.
The lambda runs asynchronously and it is thus unsafe to capture by reference
here. We need to capture a smart pointer to the query to make sure it is
kept
alive.
* Source/WebCore/html/canvas/EXTDisjointTimerQueryWebGL2.cpp:
(WebCore::EXTDisjointTimerQueryWebGL2::queryCounterEXT):
Identifier: 301765.347@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.130@webkitglib/2.52
Commit: 0d9daeff0303be766c417ced493943fcd8b6cc33
https://github.com/WebKit/WebKit/commit/0d9daeff0303be766c417ced493943fcd8b6cc33
Author: Anthony Tarbinian <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A LayoutTests/workers/worker-set-delete-terminate-crash-expected.txt
A LayoutTests/workers/worker-set-delete-terminate-crash.html
M Source/JavaScriptCore/runtime/OrderedHashTableHelper.h
Log Message:
-----------
Cherry-pick 301765.357@safari-7623-branch (eccc2eed44f9).
https://bugs.webkit.org/show_bug.cgi?id=303658
[JSC] Modifying storage in OrderedHashTableHelper should
DeferTerminationForAWhile
https://bugs.webkit.org/show_bug.cgi?id=303658
rdar://162356649
Reviewed by Keith Miller.
When resizing storage in OrderedHashTableHelper (via addImpl or
shinkIfNeeded),
it's possible to leave the storage in an inconsistent state if we handle a
termination exception. For consistency, we should DeferTerminationForAWhile
until the storage has been fully updated.
Test: workers/worker-set-delete-terminate-crash.html
* LayoutTests/workers/worker-set-delete-terminate-crash-expected.txt: Added.
* LayoutTests/workers/worker-set-delete-terminate-crash.html: Added.
* Source/JavaScriptCore/runtime/OrderedHashTableHelper.h:
(JSC::OrderedHashTableHelper::addImpl):
(JSC::OrderedHashTableHelper::shrinkIfNeeded):
Identifier: 301765.357@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.131@webkitglib/2.52
Commit: fbe943514eb0150d121f95dcdbc5b54aa5414239
https://github.com/WebKit/WebKit/commit/fbe943514eb0150d121f95dcdbc5b54aa5414239
Author: Jer Noble <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/platform/audio/AudioResamplerKernel.cpp
Log Message:
-----------
Cherry-pick 301765.369@safari-7623-branch (ee36b92f6f9f).
https://bugs.webkit.org/show_bug.cgi?id=303959
Integer underflow in AudioResamplerKernel::getSourceSpan()
rdar://162552376
https://bugs.webkit.org/show_bug.cgi?id=303959
Reviewed by Eric Carlson.
Protect against underflows when calculating the number of
source frames needed using WTF::safeSub().
* Source/WebCore/platform/audio/AudioResamplerKernel.cpp:
(WebCore::AudioResamplerKernel::getSourceSpan):
Identifier: 301765.369@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.132@webkitglib/2.52
Commit: a594669c3c64aec432aa666df04145579b63e7a5
https://github.com/WebKit/WebKit/commit/a594669c3c64aec432aa666df04145579b63e7a5
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
Cherry-pick 301765.371@safari-7623-branch (167074a8e936).
https://bugs.webkit.org/show_bug.cgi?id=304032
[JSC] Store float instead of double for F32 in OMG tail calls
https://bugs.webkit.org/show_bug.cgi?id=304032
rdar://166285942
Reviewed by Dan Hecht and Mark Lam.
F32 and F64 were both doing a double store when spilling in OMG tail calls,
while F32 should be doing a float store to avoid writing out of bounds of
the
spill slot.
No test as cannot reliably and observably test this temporary stack
corruption.
Identifier: 301765.371@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.133@webkitglib/2.52
Commit: 37167dbd5e9e68ecc5ea26c48b5c373d20710fe0
https://github.com/WebKit/WebKit/commit/37167dbd5e9e68ecc5ea26c48b5c373d20710fe0
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/wasm/gc/validate-unreachable-unset-local.js
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
Log Message:
-----------
Cherry-pick 301765.372@safari-7623-branch (e2b2223e8a58).
https://bugs.webkit.org/show_bug.cgi?id=304086
[JSC] Fix Wasm validation of unreachable locals
https://bugs.webkit.org/show_bug.cgi?id=304086
rdar://166283484
Reviewed by Dan Hecht.
WebAssembly requires non-defaultable locals (i.e. locals with non-nullable
ref
types) to be set before they're used by local.get. Current implementation
incorrectly performs this validation in the case the local.get/set are
unreachable. While initialization is tracked in such unreachable local
instructions, the locals stack is not correctly reset at control flow merge
points. This PR resets the stack at such points.
Test: JSTests/wasm/gc/validate-unreachable-unset-local.js
Identifier: 301765.372@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.134@webkitglib/2.52
Commit: 42fe793caba9479b78534bf8bec4548aa4b45972
https://github.com/WebKit/WebKit/commit/42fe793caba9479b78534bf8bec4548aa4b45972
Author: Rob Buis <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A LayoutTests/fast/forms/onformdata-navigate-crash-expected.txt
A LayoutTests/fast/forms/onformdata-navigate-crash.html
M Source/WebCore/html/HTMLFormElement.cpp
M Source/WebCore/loader/FormSubmission.cpp
M Source/WebCore/loader/FormSubmission.h
Log Message:
-----------
Cherry-pick 301765.373@safari-7623-branch (1acabe11a6b0).
https://bugs.webkit.org/show_bug.cgi?id=301645
[WebKit][Main+SU] [ea2e11e05711c082] ASAN_ILL | WebCore::FormState::create;
WebCore::FormSubmission::create; WebCore::HTMLFormElement::submit
https://bugs.webkit.org/show_bug.cgi?id=301645
rdar://163480500
Reviewed by Chris Dumez.
When constructing FormSubmission the formdata event is dispatched. When
combined
with the Navigation API the event handling can cause the document frame to
be
detached, triggering a release assert in the FormState constructor. To fix
this
detect the frame removal after dispatching and end the submit operation
early.
* LayoutTests/fast/forms/onformdata-navigate-crash-expected.txt: Added.
* LayoutTests/fast/forms/onformdata-navigate-crash.html: Added.
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::submit):
* Source/WebCore/loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
* Source/WebCore/loader/FormSubmission.h:
Canonical link: https://commits.webkit.org/[email protected]
Identifier: 301765.373@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.135@webkitglib/2.52
Commit: 00fcca53cefaca9f948de039a528f0684e210fc9
https://github.com/WebKit/WebKit/commit/00fcca53cefaca9f948de039a528f0684e210fc9
Author: Frédéric Wang <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A
LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash-expected.txt
A
LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash.html
A
LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash-expected.txt
A
LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash.html
A
LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash-expected.txt
A
LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash.html
A
LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash-expected.txt
A
LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash.html
M Source/WebCore/Modules/webcodecs/WebCodecsAudioDecoder.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsAudioEncoder.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsBase.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsVideoDecoder.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsVideoEncoder.cpp
Log Message:
-----------
Cherry-pick 301765.374@safari-7623-branch (13f8cb5f9bd5).
https://bugs.webkit.org/show_bug.cgi?id=300958
ASAN_SEGV | WebCore::JSCallbackData::invokeCallback;
WebCore::JSWebCodecsErrorCallback::invoke;
WebCore::WebCodecsVideoDecoder::closeDecoder
https://bugs.webkit.org/show_bug.cgi?id=300958
Reviewed by Youenn Fablet.
When calling configure() on a webcodec with an unsupported config,
postTaskToCodec() is called to "queue a task to run the Close
AudioDecoder algorithm with NotSupportedError" as per
https://www.w3.org/TR/webcodecs.
If reset() is called before that task in dequeued, then the codec state
becomes Unconfigured and WebCodecsBase::virtualHasPendingActivity() no
longer ensures the JS wrapper stay alive, potentially causing a nullptr
crash when trying to execute the associated error callback:
```
bool WebCodecsBase::virtualHasPendingActivity() const
{
return m_state == WebCodecsCodecState::Configured &&
(m_codecControlMessagesPending || m_isMessageQueueBlocked);
}
```
This patch removes the assumption that the codec state must be
Configured in order to keep the JS wrapper alive and that addresses the
nullptr crash here. It makes sure that virtualHasPendingActivity()
would eventually be reset to false though.
Tests:
fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash.html
fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash.html
fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash.html
fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash.html
*
LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash-expected.txt:
Added.
*
LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash.html:
Added.
*
LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash-expected.txt:
Added.
*
LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash.html:
Added.
*
LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash-expected.txt:
Added.
*
LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash.html:
Added.
*
LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash-expected.txt:
Added.
*
LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash.html:
Added.
* Source/WebCore/Modules/webcodecs/WebCodecsBase.cpp:
(WebCore::WebCodecsBase::virtualHasPendingActivity const): Don't release
the codec when it's not in configured state.
* Source/WebCore/Modules/webcodecs/WebCodecsAudioDecoder.cpp:
(WebCore::WebCodecsAudioDecoder::configure): Ensure we clear
m_isMessageQueueBlocked when done.
* Source/WebCore/Modules/webcodecs/WebCodecsAudioEncoder.cpp:
(WebCore::WebCodecsAudioEncoder::configure): Ditto.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoDecoder.cpp:
(WebCore::WebCodecsVideoDecoder::configure): Ditto.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoEncoder.cpp:
(WebCore::WebCodecsVideoEncoder::configure): Ditto.
Canonical link: https://commits.webkit.org/[email protected]
Identifier: 301765.374@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.136@webkitglib/2.52
Commit: 4cc27c002e06134a13ce263747057c76df22f45e
https://github.com/WebKit/WebKit/commit/4cc27c002e06134a13ce263747057c76df22f45e
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A LayoutTests/fast/rendering/collapsed-scrollbar-crash-expected.txt
A LayoutTests/fast/rendering/collapsed-scrollbar-crash.html
M Source/WebCore/rendering/RenderElement.h
M Source/WebCore/rendering/RenderScrollbarPart.h
Log Message:
-----------
Cherry-pick [email protected] (db1ee7ac4ada).
https://bugs.webkit.org/show_bug.cgi?id=302377
[WebKit][Main+SU] [292b7257c3a80358] ASAN_SEGV |
WebCore::RenderBox::localRectsForRepaint;
WebCore::RenderObject::clippedOverflowRect;
WebCore::RenderObject::repaintSlowRepaintObject
https://bugs.webkit.org/show_bug.cgi?id=302377
Reviewed by Simon Fraser.
RenderScrollbarPart doesn't have an enclosing layer,
so we can short-circuit the check in RenderElement
and return false always.
Test: fast/rendering/collapsed-scrollbar-crash.html
* LayoutTests/fast/rendering/collapsed-scrollbar-crash-expected.txt: Added.
* LayoutTests/fast/rendering/collapsed-scrollbar-crash.html: Added.
* Source/WebCore/rendering/RenderElement.h:
* Source/WebCore/rendering/RenderScrollbarPart.h:
Canonical link: https://commits.webkit.org/[email protected]
Identifier: 301765.379@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.137@webkitglib/2.52
Commit: 40c5aeb406ce1f46463de260c5af4f3f742d01f0
https://github.com/WebKit/WebKit/commit/40c5aeb406ce1f46463de260c5af4f3f742d01f0
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A
LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash-expected.txt
A
LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash.html
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
Cherry-pick 301765.380@safari-7623-branch (3c710b2a33ae).
https://bugs.webkit.org/show_bug.cgi?id=301640
[WebKit][Main+SU] [80bcc69aeb72643f] ASAN_ILL |
WebCore::GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid;
WebCore::GridTrackSizingAlgorithm::run; WebCore::RenderGrid::layoutGrid
https://bugs.webkit.org/show_bug.cgi?id=301640
Reviewed by Sammy Gill.
When the writing mode of a grid changes orthogonally, there might
be incongruences in how parent and subgrid tracks relate. This needs
to be taken into account so that later the track sizing algorithm can
try to copy the track sizes for its subgrid. If the writing mode direction
has changed during a style change for a grid, call setNeedsItemPlacement()
for subgrid children.
Test: fast/css-grid-layout/subgrid-with-changing-writing-mode-crash.html
*
LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash-expected.txt:
Added.
*
LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash.html:
Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::styleDidChange):
Canonical link: https://commits.webkit.org/[email protected]
Identifier: 301765.380@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.138@webkitglib/2.52
Commit: d039d6161b78694ee3228f08f82c9d28ce7515bd
https://github.com/WebKit/WebKit/commit/d039d6161b78694ee3228f08f82c9d28ce7515bd
Author: Youenn Fablet <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M
Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encoder.h
Log Message:
-----------
Cherry-pick 301765.383@safari-7623-branch (9d4b06b7a57c).
https://bugs.webkit.org/show_bug.cgi?id=302863
Potential 'out of bounds' issue committed to upstream libwebrtc
rdar://166200109
Reviewed by Chris Dumez.
Cherry-picking of
https://github.com/webmproject/libvpx/commit/d6e5cd7132d59d3cea86d06c9aae26f95fe00adb.
Identifier: 301765.383@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.139@webkitglib/2.52
Commit: 096d705ff415618ae1c9e661b3d1733770c7c57a
https://github.com/WebKit/WebKit/commit/096d705ff415618ae1c9e661b3d1733770c7c57a
Author: Yijia Huang <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/map-forEach.js
M Source/JavaScriptCore/dfg/DFGNodeType.h
Log Message:
-----------
Cherry-pick 301765.392@safari-7623-branch (47b55468bf82).
https://bugs.webkit.org/show_bug.cgi?id=304950
[JSC] MapIterationEntryKey should have NodeResultJS, not NodeResultInt32
https://bugs.webkit.org/show_bug.cgi?id=304950
rdar://167200795
Reviewed by Marcus Plutowski.
MapIterationEntryKey returns arbitrary JSValues (map keys can be any type),
so it should be declared with NodeResultJS to match MapIterationEntryValue.
Test: JSTests/stress/map-forEach.js
Identifier: 301765.392@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.140@webkitglib/2.52
Commit: 517d573084dc5dea120cd3fcc7cf20a1a32aec91
https://github.com/WebKit/WebKit/commit/517d573084dc5dea120cd3fcc7cf20a1a32aec91
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/stack-overflow-llint-large-params-and-large-locals.js
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Log Message:
-----------
Cherry-pick 301765.393@safari-7623-branch (a0aac3a0fa8f).
https://bugs.webkit.org/show_bug.cgi?id=304973
[JSC] LLInt arity fix needs to be done against sp
https://bugs.webkit.org/show_bug.cgi?id=304973
rdar://167110398
Reviewed by Yijia Huang.
When performing LLInt arity fixup, it is done after checking local
frame's adjustment. This means that we should do stack overflow check
with `newlyAddedSlots + sp` with soft-stack-limit instead of
`newlyAddedSlots + cfr`.
Note that JIT code is doing the right things already.
Test: JSTests/stress/stack-overflow-llint-large-params-and-large-locals.js
* JSTests/stress/stack-overflow-llint-large-params-and-large-locals.js:
Added.
(shouldThrow):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::arityCheckFor):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
Identifier: 301765.393@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.141@webkitglib/2.52
Commit: b37590bc6144bf17216aba71f0647b753b86aef7
https://github.com/WebKit/WebKit/commit/b37590bc6144bf17216aba71f0647b753b86aef7
Author: Kai Tamkun <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/wasm/function-references/nullability.js
M Source/JavaScriptCore/wasm/WasmExceptionType.h
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/js/WasmToJS.cpp
Log Message:
-----------
Cherry-pick 301765.394@safari-7623-branch (f5681488766e).
https://bugs.webkit.org/show_bug.cgi?id=304356
[WASM] Return-from-JS conversions should check the nullability
rdar://159086936
https://bugs.webkit.org/show_bug.cgi?id=304356
Reviewed by Yusuke Suzuki.
Adds a null check when returning from JS to Wasm and the expected
return type is a nonnullable reference type.
Test: JSTests/wasm/function-references/nullability.js
* JSTests/wasm/function-references/nullability.js: Added.
(module):
(async nullability): Tests whether the null check occurs
* Source/JavaScriptCore/wasm/WasmExceptionType.h: Added
ExceptionType::TypeErrorUnexpectedNullReference
(JSC::Wasm::isTypeErrorExceptionType):
* Source/JavaScriptCore/wasm/WasmOperations.cpp: Added null checks
(JSC::Wasm::operationWasmToJSExitMarshalReturnValues):
(JSC::Wasm::operationWasmToJSExitIterateResults):
(JSC::Wasm::operationIterateResults):
* Source/JavaScriptCore/wasm/js/WasmToJS.cpp: Added null check
(JSC::Wasm::wasmToJS): JIT now emits a null check when needed
Identifier: 301765.394@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.142@webkitglib/2.52
Commit: 11384cc8e996bd50786c96ffd558a1bc84e6e710
https://github.com/WebKit/WebKit/commit/11384cc8e996bd50786c96ffd558a1bc84e6e710
Author: Ryosuke Niwa <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/xml/XMLSerializer.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm
Log Message:
-----------
Cherry-pick 301765.396@safari-7623-branch (f6a3e33e70aa).
https://bugs.webkit.org/show_bug.cgi?id=305020
XMLSerializer.serializeToString leaks URLs used by web extensions
https://bugs.webkit.org/show_bug.cgi?id=305020
<rdar://165629762>
Reviewed by Chris Dumez and Wenson Hsieh.
Fix the bug by masking out custom scheme URLs in XMLSerializer.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm
* Source/WebCore/xml/XMLSerializer.cpp:
(WebCore::XMLSerializer::serializeToString):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewConfiguration.mm:
(TEST(WebKit, ConfigurationMaskedURLSchemes)):
Identifier: 301765.396@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.143@webkitglib/2.52
Commit: 5f674db4fab08e0608dc2c13e15c9f07c035eda8
https://github.com/WebKit/WebKit/commit/5f674db4fab08e0608dc2c13e15c9f07c035eda8
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/ftl-valuerepreduction-double-undefined.js
M Source/JavaScriptCore/dfg/DFGMultiGetByOffsetData.h
M Source/JavaScriptCore/dfg/DFGValueRepReductionPhase.cpp
Log Message:
-----------
Cherry-pick 301765.399@safari-7623-branch (d32d4c76087a).
https://bugs.webkit.org/show_bug.cgi?id=305064
[JSC] Convert MultiGetByOffsetMethod constants to double if needed
https://bugs.webkit.org/show_bug.cgi?id=305064
rdar://167109771
Reviewed by Keith Miller and Yusuke Suzuki.
FTL's ValueRep reduction phase can convert MultiGetByOffset nodes to
NodeResultDouble with non-Number constant values in its cases. These
constants
are non-Cells and should be converted to Numbers.
Test: JSTests/stress/ftl-valuerepreduction-double-undefined.js
Identifier: 301765.399@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.144@webkitglib/2.52
Commit: d93b7bc3977ef3857fb4f36e3c38d305d13c8524
https://github.com/WebKit/WebKit/commit/d93b7bc3977ef3857fb4f36e3c38d305d13c8524
Author: Kai Tamkun <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/object-assign-inline-storage.js
M Source/JavaScriptCore/runtime/ObjectConstructorInlines.h
Log Message:
-----------
Cherry-pick 301765.401@safari-7623-branch (dabdca54351d).
https://bugs.webkit.org/show_bug.cgi?id=305094
Don't attempt to copy nonexistent inline storage in fast object cloning
rdar://167110652
Reviewed by Yusuke Suzuki.
This prevents an attempt to access inline storage in Object.assign when
there is no inline storage to copy.
Added a test that crashed with an assertion failure in debug mode
before these changes.
* JSTests/stress/object-assign-inline-storage.js: Added.
(shouldBe):
(C):
* Source/JavaScriptCore/runtime/ObjectConstructorInlines.h:
(JSC::checkStructureForClone): Renamed from checkStrucureForClone.
(JSC::objectCloneFast): Add a check for inline storage presence.
(JSC::tryCreateObjectViaCloning): Updated an invocation name.
(JSC::checkStrucureForClone): Renamed to checkStructureForClone.
Identifier: 301765.401@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.145@webkitglib/2.52
Commit: 8eecd3f655a42656521923f5c63e5203986384e0
https://github.com/WebKit/WebKit/commit/8eecd3f655a42656521923f5c63e5203986384e0
Author: Anand Srinivasan <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/dfg-miscompiles-new-regexp.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
Log Message:
-----------
Cherry-pick 301765.415@safari-7623-branch (4175b9cec24d).
https://bugs.webkit.org/show_bug.cgi?id=305161
operationNewRegExpUntyped should call constructRegExp with a newTarget
https://bugs.webkit.org/show_bug.cgi?id=305161
rdar://167199047
Reviewed by Mark Lam.
If the RegExp constructor is invoked using "new" then it must have a
valid newTarget, but not if it is invoked as a function call
("RegExp(...)" vs. "new RegExp(...)"). This patch updates DFG to
follow the specification correctly, since previously the code did not
pass in a newTarget to the RegExp constructor.
operationNewRegExpUntyped() is only called for the NewRegExpUntyped DFG
node.
NewRegExpUntyped is only emitted by the bytecode parser if newTargetNode !=
callTargetNode.
Hence, the newTarget value that should be passes is the callTargetNode i.e.
the RegExp constructor.
See https://262.ecma-international.org/#sec-regexp-pattern-flags
specifying what should be passed in newTarget.
```
2. If NewTarget is undefined, then
a. Let newTarget be the active function object.
```
Test: JSTests/stress/dfg-miscompiles-new-regexp.js
* JSTests/stress/dfg-miscompiles-new-regexp.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
Identifier: 301765.415@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.146@webkitglib/2.52
Commit: 126896bdc12c9501bee26e345f3e1f31c3dff3f6
https://github.com/WebKit/WebKit/commit/126896bdc12c9501bee26e345f3e1f31c3dff3f6
Author: Gerald Squelart <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Cherry-pick 301765.416@safari-7623-branch (7c8da3f7f913).
https://bugs.webkit.org/show_bug.cgi?id=305033
Catch multiplication overflow in bytesPerRow() validator
https://bugs.webkit.org/show_bug.cgi?id=305033
rdar://167621238
Reviewed by Dan Glastonbury.
The multiplication `m_size->width() * *bytesPerPixel` could overflow
into a negative number, allowing the validation to pass for very large
widths.
Fixed by using `WTF::safeMultiply`, which checks for overflows relative
to the result type.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Identifier: 301765.416@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.147@webkitglib/2.52
Commit: e3b9c38b30698efccf8709d6e95f0aa370f85237
https://github.com/WebKit/WebKit/commit/e3b9c38b30698efccf8709d6e95f0aa370f85237
Author: Basuke Suzuki <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A LayoutTests/http/tests/security/resources/page-with-text.html
A
LayoutTests/http/tests/security/text-fragment/popup-cross-origin-blocked-expected.txt
A
LayoutTests/http/tests/security/text-fragment/popup-cross-origin-blocked.html
A
LayoutTests/http/tests/security/text-fragment/popup-same-origin-allowed-expected.txt
A
LayoutTests/http/tests/security/text-fragment/popup-same-origin-allowed.html
M Source/WebCore/page/LocalFrameView.cpp
Log Message:
-----------
Cherry-pick 301765.417@safari-7623-branch (75bcb9f43cbe).
https://bugs.webkit.org/show_bug.cgi?id=305033
Block text fragments in cross-origin window.open() popups.
rdar://163804356
Reviewed by Chris Dumez.
This implements a security defense against timing side-channel attacks
using Text Fragments in cross-origin popups.
The exploit pattern:
w = window.open("attacker.com");
w.location = "victim.com";
w.location = "victim.com#:~:text=secret";
w.location = "about:blank";
// Measure timing to detect if text was found
Defense mechanism:
- Add checkTextFragmentSecurity() in LocalFrameView.cpp
- Block text fragments when opener origin ≠ current document origin
- Allow text fragments in same-origin popups (legitimate use)
- Allow text fragments in top-level navigation (no opener)
This aligns with Chrome's 2019 defense (commit c0d3c4cca8b16),
which uses RelatedPages().size() check. WebKit uses a simpler
cross-origin check that achieves the same security goal.
The fix does not affect about:blank origin inheritance or WPT tests,
as those don't use text fragments.
Tests: http/tests/security/text-fragment/popup-cross-origin-blocked.html
http/tests/security/text-fragment/popup-same-origin-allowed.html
* LayoutTests/http/tests/security/resources/page-with-text.html: Added.
*
LayoutTests/http/tests/security/text-fragment/popup-cross-origin-blocked-expected.txt:
Added.
*
LayoutTests/http/tests/security/text-fragment/popup-cross-origin-blocked.html:
Added.
*
LayoutTests/http/tests/security/text-fragment/popup-same-origin-allowed-expected.txt:
Added.
*
LayoutTests/http/tests/security/text-fragment/popup-same-origin-allowed.html:
Added.
* Source/WebCore/page/LocalFrameView.cpp:
(WebCore::checkTextFragmentSecurity):
(WebCore::LocalFrameView::scrollToTextFragment):
Identifier: 301765.417@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.148@webkitglib/2.52
Commit: f8dba4532a836a799f909a4ece11c079362d797d
https://github.com/WebKit/WebKit/commit/f8dba4532a836a799f909a4ece11c079362d797d
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/wasm/stress/omg-tail-call-clobber-scratch-register-2.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
Cherry-pick 301765.350@safari-7623-branch (271320645405).
https://bugs.webkit.org/show_bug.cgi?id=303444
[JSC] Clobber scratch register in OMG tail call on non-x64
https://bugs.webkit.org/show_bug.cgi?id=303444
rdar://165678403
Reviewed by Yusuke Suzuki.
The OMG tailcall patchpoint uses the scratch register. Currently, the
scratch
is not clobbered early because on x64 we exhaust all registers if we do so.
Because of that, prepareTailCallImpl has special handling for saving and
restoring the scratch if it happens to alias one of the inputs. This special
save and restore has issues on ARM as the stack pointer arithmetic itself
may
use the scratch, which complicates the restoring.
This PR makes the tail call patchpoint code architecture specific to confine
the save/restore complexity to x64. The special scratch register
save/restore
paths are kept only on x64. On non-x64 platforms, the scratch registers are
clobbered early so they can never alias an input.
There is also a drive-by fix for negating float32s on x64 in BBQ, as the
test
case also causes an assertion failure there.
Test: JSTests/wasm/stress/omg-tail-call-clobber-scratch-register-2.js
Identifier: 301765.350@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.149@webkitglib/2.52
Commit: d539944b2fd702f264905857b595dbca9c8b71c7
https://github.com/WebKit/WebKit/commit/d539944b2fd702f264905857b595dbca9c8b71c7
Author: Rob Buis <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A LayoutTests/svg/filters/filter-insert-button-crash-expected.txt
A LayoutTests/svg/filters/filter-insert-button-crash.html
M Source/WebCore/page/LocalFrameViewLayoutContext.cpp
M Source/WebCore/page/LocalFrameViewLayoutContext.h
M Source/WebCore/rendering/RenderObject.cpp
M Source/WebCore/rendering/updating/RenderTreeBuilderInline.cpp
Log Message:
-----------
Cherry-pick 301765.361@safari-7623-branch (e218dd58cf7e).
https://bugs.webkit.org/show_bug.cgi?id=301140
Cherry-pick [email protected] (6c8a256d475b).
rdar://137178583
[SVG] Don't repaint when referenced resources change if the renderer is
not in-tree yet
https://bugs.webkit.org/show_bug.cgi?id=301140
rdar://137178583
Reviewed by Alan Baradlay.
When moving svg resources around it's possible to end up
triggering a repaint before the renderer is in-tree. To
fix that, add API for blocking repaints and start using that
while in RenderTreeBuilder::Inline::splitFlow.
Test: svg/filters/filter-insert-button-crash.html
* LayoutTests/svg/filters/filter-insert-button-crash-expected.txt:
Added.
* LayoutTests/svg/filters/filter-insert-button-crash.html: Added.
* Source/WebCore/page/LocalFrameViewLayoutContext.cpp:
(WebCore::RepaintBlocker::RepaintBlocker):
(WebCore::RepaintBlocker::~RepaintBlocker):
* Source/WebCore/page/LocalFrameViewLayoutContext.h:
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::repaint const):
* Source/WebCore/rendering/updating/RenderTreeBuilderInline.cpp:
(WebCore::RenderTreeBuilder::Inline::splitFlow):
Canonical link:
https://commits.webkit.org/[email protected]
Identifier: 301765.361@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.150@webkitglib/2.52
Commit: 5a18bd80ccd0cde300bc8f4018cfe08d6f173664
https://github.com/WebKit/WebKit/commit/5a18bd80ccd0cde300bc8f4018cfe08d6f173664
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A LayoutTests/highlight/highlight-crash-2-expected.txt
A LayoutTests/highlight/highlight-crash-2.html
M Source/WebCore/Modules/highlight/Highlight.cpp
Log Message:
-----------
Cherry-pick [email protected] (ae3502b8b960).
https://bugs.webkit.org/show_bug.cgi?id=304176
[WebKit][Main] [76d1bb47f067ac21] ASAN_SEGV |
WebCore::Highlight::clearFromSetLike; WebCore::HighlightRegistry::clear;
WebCore::Document::commonTeardown
https://bugs.webkit.org/show_bug.cgi?id=304176
Reviewed by Chris Dumez.
With the right disposing order, it is possible to cause reentrancy to
Highlight::clearFromSetLike(). This is due to the ownership relationship
between
Document->HighlightRegistry->Highlight->HighlightRange->Range->Document.
The attached test shows an example of how to achieve this (a dangling
document
that is only attached to a Range gets disposed during another Document's
disposing,
causing a reentrant call to Highlight::clearFromSetLike()).
Ensure Highlight::clearFromSetLike() is safely reentrant by exchanging
Highlight::m_highlightRanges with an empty vector so that any potentially
reentrant
call is a no-op.
Test: highlight/highlight-crash-2.html
* LayoutTests/highlight/highlight-crash-2-expected.txt: Added.
* LayoutTests/highlight/highlight-crash-2.html: Added.
* Source/WebCore/Modules/highlight/Highlight.cpp:
(WebCore::Highlight::clearFromSetLike):
Canonical link:
https://commits.webkit.org/[email protected]
Identifier: 301765.424@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.151@webkitglib/2.52
Commit: 47c3d50e6d98e7aad700f51697802b962b8cfebb
https://github.com/WebKit/WebKit/commit/47c3d50e6d98e7aad700f51697802b962b8cfebb
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/Modules/highlight/Highlight.cpp
Log Message:
-----------
Cherry-pick [email protected] (51b8db6618a3).
https://bugs.webkit.org/show_bug.cgi?id=304176
[WebKit][Main] [76d1bb47f067ac21] ASAN_SEGV |
WebCore::Highlight::clearFromSetLike; WebCore::HighlightRegistry::clear;
WebCore::Document::commonTeardown
https://bugs.webkit.org/show_bug.cgi?id=304176
Reviewed by Chris Dumez.
Follow-up after [email protected] to improve the bug fix.
Covered by existing test.
* Source/WebCore/Modules/highlight/Highlight.cpp:
(WebCore::Highlight::clearFromSetLike):
Canonical link:
https://commits.webkit.org/[email protected]
Identifier: 301765.426@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.152@webkitglib/2.52
Commit: 98747698f147c3bc4353029759c00b1bba1d3486
https://github.com/WebKit/WebKit/commit/98747698f147c3bc4353029759c00b1bba1d3486
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/stress/dfg-proto-fold-invalidate3.js
M Source/JavaScriptCore/bytecode/GetByStatus.cpp
Log Message:
-----------
Cherry-pick 744106342146. https://bugs.webkit.org/show_bug.cgi?id=305521
[JSC] GetByStatus::computeFor has race condition around swapped object's
structure checks
https://bugs.webkit.org/show_bug.cgi?id=305521
rdar://155413221
Reviewed by Yijia Huang.
Now ObjectPropertyCondition is propertly created. But it is possible
that this finally registered ObjectPropertyCondition's structures are
not having a proper condition we would like. We are obtainining objects
from the condition and checking structure's characteristics.
Test: JSTests/stress/dfg-proto-fold-invalidate3.js
* JSTests/stress/dfg-proto-fold-invalidate3.js: Added.
(shouldBe):
(opt):
(watchCalleeProperty):
(async sleep):
(createClonedArguments):
(p):
(async main):
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFor):
Identifier: 305413.33@safari-7624-branch
Canonical link: https://commits.webkit.org/301765.428@safari-7623-branch
Canonical link: https://commits.webkit.org/305877.153@webkitglib/2.52
Commit: a72089c954e43a6662f6f737a43a5192588b3430
https://github.com/WebKit/WebKit/commit/a72089c954e43a6662f6f737a43a5192588b3430
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
A JSTests/wasm/stress/ipint-variable-length-gc-opcodes.js
M Source/JavaScriptCore/llint/InPlaceInterpreter64.asm
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
M Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
Cherry-pick 37d2b52a42b9. https://bugs.webkit.org/show_bug.cgi?id=305813
[JSC] IPInt PC move should be recorded one for prefixed opcodes
https://bugs.webkit.org/show_bug.cgi?id=305813
rdar://168478682
Reviewed by Keith Miller and Dan Hecht.
Prefixed opcodes in IPInt (GC, SIMD, etc.) have subsequent sub-opcode to
dispatch actual instruction. However this sub-opcode is encoded via
VarUInt32 LEB. This means that opcode can have multiple different ways
to be encoded (e.g. one value can be represeted via 2 byte, 3 byte,
etc.). As a result, we should not use advancePC(constant) since
instruction is variable-length. This patch fixes the issue using
advancePC(constant).
Test: JSTests/wasm/stress/ipint-variable-length-gc-opcodes.js
* JSTests/wasm/stress/ipint-variable-length-gc-opcodes.js: Added.
(createRedundantLEB128):
(encodeVarUInt32):
(testRefI31RedundantEncoding):
(testI31GetRedundantEncoding):
(testArrayLenRedundantEncoding):
(testArrayFillRedundantEncoding):
(testArrayCopyRedundantEncoding):
(testExternAnyConvertRedundantEncoding):
* Source/JavaScriptCore/llint/InPlaceInterpreter64.asm:
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDConstant):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDExtractLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDReplaceLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addConstant): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addExtractLane): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDConstant):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDExtractLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDReplaceLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addConstant): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addExtractLane): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp:
(JSC::Wasm::ConstExprGenerator::addSIMDConstant):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::simd):
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntGenerator::addSIMDSplat):
(JSC::Wasm::IPIntGenerator::addSIMDShuffle):
(JSC::Wasm::IPIntGenerator::addSIMDShift):
(JSC::Wasm::IPIntGenerator::addSIMDExtmul):
(JSC::Wasm::IPIntGenerator::addSIMDConstant):
(JSC::Wasm::IPIntGenerator::addSIMDExtractLane):
(JSC::Wasm::IPIntGenerator::addSIMDReplaceLane):
(JSC::Wasm::IPIntGenerator::addSIMDI_V):
(JSC::Wasm::IPIntGenerator::addSIMDV_V):
(JSC::Wasm::IPIntGenerator::addSIMDBitwiseSelect):
(JSC::Wasm::IPIntGenerator::addSIMDRelOp):
(JSC::Wasm::IPIntGenerator::addSIMDV_VV):
(JSC::Wasm::IPIntGenerator::addRefI31):
(JSC::Wasm::IPIntGenerator::addI31GetS):
(JSC::Wasm::IPIntGenerator::addI31GetU):
(JSC::Wasm::IPIntGenerator::addArrayLen):
(JSC::Wasm::IPIntGenerator::addArrayFill):
(JSC::Wasm::IPIntGenerator::addArrayCopy):
(JSC::Wasm::IPIntGenerator::addAnyConvertExtern):
(JSC::Wasm::IPIntGenerator::addExternConvertAny):
(JSC::Wasm::IPIntGenerator::addExtractLane): Deleted.
(JSC::Wasm::IPIntGenerator::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::addSIMDConstant):
(JSC::Wasm::OMGIRGenerator::addSIMDExtractLane):
(JSC::Wasm::OMGIRGenerator::addSIMDReplaceLane):
(JSC::Wasm::OMGIRGenerator::addExtractLane): Deleted.
(JSC::Wasm::OMGIRGenerator::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::addSIMDConstant):
(JSC::Wasm::OMGIRGenerator::addSIMDExtractLane):
(JSC::Wasm::OMGIRGenerator::addSIMDReplaceLane):
(JSC::Wasm::OMGIRGenerator::addExtractLane): Deleted.
(JSC::Wasm::OMGIRGenerator::addReplaceLane): Deleted.
Identifier: 301765.432@safari-7623-branch
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/305877.154@webkitglib/2.52
Commit: 1064341ff52b6a6d6cc9eb17c6132e8815d6ac2b
https://github.com/WebKit/WebKit/commit/1064341ff52b6a6d6cc9eb17c6132e8815d6ac2b
Author: Matthew Finkel <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkSession.cpp
M Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h
M
Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.serialization.in
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManager.cpp
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManager.h
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManagerInterface.cpp
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManagerInterface.h
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementNetworkLoader.cpp
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementNetworkLoader.h
M
Source/WebKit/NetworkProcess/PrivateClickMeasurement/cocoa/PrivateClickMeasurementNetworkLoaderCocoa.mm
M
Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm
M Source/WebKit/UIProcess/WebsiteData/soup/WebsiteDataStoreSoup.cpp
Log Message:
-----------
Cherry-pick 22d708a2fd38. https://bugs.webkit.org/show_bug.cgi?id=305951
[PCM] Connections for Private Click Measurement are not proxied
https://bugs.webkit.org/show_bug.cgi?id=305951
rdar://168552975
Reviewed by Alex Christensen.
This has a couple missing pieces. The expectation is that reports are sent
via
a proxied connection, and requests for fraud prevention key material is
fetched
over a proxied connection. Currently, these connections are not proxied
because
they are not:
1) associated with the application bundle (e.g, Safari)
2) considered "third party" resource requests
This PR plumbs through the application bundle identifier or audit token,
depending on which one is available, and it sets the request as a cross-site
subresource request. As a safe guard, this patch also requires failing
closed
when the connection is not proxied.
* Source/WebKit/NetworkProcess/NetworkSession.cpp:
(WebKit::managerOrProxy):
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManager.cpp:
(WebKit::PrivateClickMeasurementManager::create):
(WebKit::PrivateClickMeasurementManager::PrivateClickMeasurementManager):
(WebKit::PrivateClickMeasurementManager::getTokenPublicKey):
(WebKit::PrivateClickMeasurementManager::getSignedUnlinkableTokenForSource):
(WebKit::PrivateClickMeasurementManager::getSignedUnlinkableTokenForDestination):
(WebKit::PrivateClickMeasurementManager::fireConversionRequestImpl):
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManager.h:
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManagerInterface.cpp:
(WebKit::PCM::initializePCMStorageInDirectory):
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementManagerInterface.h:
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementNetworkLoader.cpp:
(WebKit::PCM::NetworkLoader::start):
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/PrivateClickMeasurementNetworkLoader.h:
*
Source/WebKit/NetworkProcess/PrivateClickMeasurement/cocoa/PrivateClickMeasurementNetworkLoaderCocoa.mm:
(WebKit::PCM::statelessSessionWithoutRedirectsSingleton):
(WebKit::PCM::NetworkLoader::start):
*
Source/WebKit/Shared/EntryPointUtilities/Cocoa/Daemon/PCMDaemonEntryPoint.mm:
(WebKit::PCMDaemonMain):
Identifier: 301765.433@safari-7623-branch
(cherry picked from commit 22d708a2fd385c9649f4d2f1f96a1e2f76070649)
Canonical link:
https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/305877.155@webkitglib/2.52
Commit: 41012f4a8dcdc319618f7264a964a4c7f96656b0
https://github.com/WebKit/WebKit/commit/41012f4a8dcdc319618f7264a964a4c7f96656b0
Author: Jer Noble <[email protected]>
Date: 2026-03-02 (Mon, 02 Mar 2026)
Changed paths:
M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp
Log Message:
-----------
Cherry-pick 308072@main (58e404642c05).
https://bugs.webkit.org/show_bug.cgi?id=308309
CRASH in WebCore::ReadableStream::state() const
rdar://170652029
https://bugs.webkit.org/show_bug.cgi?id=308309
Reviewed by Youenn Fablet.
The Streams specification states for the releaseLock() method
that the method should return early if `this.[[stream]]` is
undefined, but it was possible for releaseLock() to call
genericRelease() if m_stream was null, if m_internalDefaultReader
is also null.
Return early from releaseLock() if m_stream is null, and
due to the law of unintended consequences, also return early
from genericRelease() if m_stream is null, as well as from
genericCancel() and setup(), which have similar issues.
* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp:
(WebCore::ReadableStreamDefaultReader::releaseLock):
(WebCore::ReadableStreamDefaultReader::setup):
(WebCore::ReadableStreamDefaultReader::genericRelease):
Canonical link: https://commits.webkit.org/308072@main
Canonical link: https://commits.webkit.org/305877.156@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/d6e6276f013a...41012f4a8dcd
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
