Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2d64f53d2e4766fa2ff899a03e3db9a3741d0f83
      https://github.com/WebKit/WebKit/commit/2d64f53d2e4766fa2ff899a03e3db9a3741d0f83
  Author: Kai Tamkun <[email protected]>
  Date:   2026-03-05 (Thu, 05 Mar 2026)

  Changed paths:
    A JSTests/wasm/function-references/nullability.js
    M Source/JavaScriptCore/wasm/WasmExceptionType.h
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/js/WasmToJS.cpp

  Log Message:
  -----------
  [WASM] Return-from-JS conversions should check the nullability
rdar://159086936
https://bugs.webkit.org/show_bug.cgi?id=304356

Reviewed by Yusuke Suzuki.

Adds a null check when returning from JS to Wasm and the expected
return type is a nonnullable reference type.

Test: JSTests/wasm/function-references/nullability.js

* JSTests/wasm/function-references/nullability.js: Added.
(module):
(async nullability): Tests whether the null check occurs
* Source/JavaScriptCore/wasm/WasmExceptionType.h: Added ExceptionType::TypeErrorUnexpectedNullReference
(JSC::Wasm::isTypeErrorExceptionType):
* Source/JavaScriptCore/wasm/WasmOperations.cpp: Added null checks
(JSC::Wasm::operationWasmToJSExitMarshalReturnValues):
(JSC::Wasm::operationWasmToJSExitIterateResults):
(JSC::Wasm::operationIterateResults):
* Source/JavaScriptCore/wasm/js/WasmToJS.cpp: Added null check
(JSC::Wasm::wasmToJS): JIT now emits a null check when needed

Originally-landed-as: 301765.394@safari-7623-branch (f5681488766e). 
rdar://171556806
Canonical link: https://commits.webkit.org/308705@main


  Commit: bbec6de6445ff9480e343c7fdc7deb17bac37ed2
      https://github.com/WebKit/WebKit/commit/bbec6de6445ff9480e343c7fdc7deb17bac37ed2
  Author: David Kilzer <[email protected]>
  Date:   2026-03-05 (Thu, 05 Mar 2026)

  Changed paths:
    A LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data-expected.txt
    A LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data.html
    A LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length-expected.txt
    A LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length.html
    A LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key-expected.txt
    A LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key.html
    A LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data-expected.txt
    A LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data.html
    A LayoutTests/crypto/subtle/rsa-import-spki-invalid-length-expected.txt
    A LayoutTests/crypto/subtle/rsa-import-spki-invalid-length.html
    A LayoutTests/crypto/subtle/rsa-import-spki-truncated-key-expected.txt
    A LayoutTests/crypto/subtle/rsa-import-spki-truncated-key.html
    M Source/WebCore/crypto/cocoa/CryptoKeyRSAMac.cpp

  Log Message:
  -----------
  Crash under WebCore::SubtleCrypto::importKey() when using invalid keys
<https://bugs.webkit.org/show_bug.cgi?id=305035>
<rdar://167471255>

Reviewed by Pascoe.

CryptoKeyRSA::importSpki() and CryptoKeyRSA::importPkcs8() compute a
headerSize incrementally based on ASN.1 length encoding bytes, but
failed to verify that the final headerSize does not exceed the buffer
size before calling keyData.subspan(headerSize).

When importing malformed RSA keys with truncated or invalid ASN.1
length encoding, the computed headerSize could exceed the actual key
data size, causing std::span::subspan() to trigger a bounds check
failure (EXC_BREAKPOINT SIGTRAP) in builds with the hardened C++
runtime enabled.

Add a final bounds check after computing headerSize to reject keys
where keyData.size() < headerSize before attempting to create the
subspan.

Tests: crypto/subtle/rsa-import-pkcs8-empty-key-data.html
       crypto/subtle/rsa-import-pkcs8-invalid-length.html
       crypto/subtle/rsa-import-pkcs8-truncated-key.html
       crypto/subtle/rsa-import-spki-empty-key-data.html
       crypto/subtle/rsa-import-spki-invalid-length.html
       crypto/subtle/rsa-import-spki-truncated-key.html

* LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data-expected.txt: Add.
* LayoutTests/crypto/subtle/rsa-import-pkcs8-empty-key-data.html: Add.
* LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length-expected.txt: Add.
* LayoutTests/crypto/subtle/rsa-import-pkcs8-invalid-length.html: Add.
* LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key-expected.txt: Add.
* LayoutTests/crypto/subtle/rsa-import-pkcs8-truncated-key.html: Add.
* LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data-expected.txt: Add.
* LayoutTests/crypto/subtle/rsa-import-spki-empty-key-data.html: Add.
* LayoutTests/crypto/subtle/rsa-import-spki-invalid-length-expected.txt: Add.
* LayoutTests/crypto/subtle/rsa-import-spki-invalid-length.html: Add.
* LayoutTests/crypto/subtle/rsa-import-spki-truncated-key-expected.txt: Add.
* LayoutTests/crypto/subtle/rsa-import-spki-truncated-key.html: Add.
* Source/WebCore/crypto/cocoa/CryptoKeyRSAMac.cpp:
(WebCore::CryptoKeyRSA::importSpki):
(WebCore::CryptoKeyRSA::importPkcs8):
- Add bounds check after final headerSize computation.

Originally-landed-as: 301765.398@safari-7623-branch (314f967eebf3). 
rdar://171556687
Canonical link: https://commits.webkit.org/308706@main


  Commit: f2c5bf80637acde3b9a869f7e42e85c78af4b2a6
      https://github.com/WebKit/WebKit/commit/f2c5bf80637acde3b9a869f7e42e85c78af4b2a6
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-03-05 (Thu, 05 Mar 2026)

  Changed paths:
    A JSTests/stress/ftl-valuerepreduction-double-undefined.js
    M Source/JavaScriptCore/dfg/DFGMultiGetByOffsetData.h
    M Source/JavaScriptCore/dfg/DFGValueRepReductionPhase.cpp

  Log Message:
  -----------
  [JSC] Convert MultiGetByOffsetMethod constants to double if needed
https://bugs.webkit.org/show_bug.cgi?id=305064
rdar://167109771

Reviewed by Keith Miller and Yusuke Suzuki.

FTL's ValueRep reduction phase can convert MultiGetByOffset nodes to
NodeResultDouble with non-Number constant values in its cases. These constants
are non-Cells and should be converted to Numbers.

Test: JSTests/stress/ftl-valuerepreduction-double-undefined.js

Originally-landed-as: 301765.399@safari-7623-branch (d32d4c76087a). 
rdar://171556424
Canonical link: https://commits.webkit.org/308707@main


  Commit: 101c8550132390bf6427713872bd85c5c5eab928
      https://github.com/WebKit/WebKit/commit/101c8550132390bf6427713872bd85c5c5eab928
  Author: David Kilzer <[email protected]>
  Date:   2026-03-05 (Thu, 05 Mar 2026)

  Changed paths:
    M Source/WebCore/platform/gamepad/cocoa/GameControllerGamepad.h
    M Source/WebCore/platform/gamepad/cocoa/GameControllerGamepad.mm
    M Tools/TestWebKitAPI/Tests/mac/HIDGamepads.mm

  Log Message:
  -----------
  [GameController] Fix crash in GameControllerGamepad callback blocks
<https://bugs.webkit.org/show_bug.cgi?id=305094>
<rdar://165613031>

Reviewed by Chris Dumez.

This fixes a crash that occurred when GameController framework callbacks
continued executing after GameControllerGamepad objects were destroyed.

The fix uses WeakPtr to safely capture the GameControllerGamepad object
in callback blocks and adds null checks before accessing object members.
A new destructor calls teardownElements() to clear all registered
handlers when the object is destroyed, preventing callbacks from
executing after deallocation.

Test: Tools/TestWebKitAPI/Tests/mac/HIDGamepads.mm

* Source/WebCore/platform/gamepad/cocoa/GameControllerGamepad.h:
(WTF::IsDeprecatedWeakRefSmartPointerException<WebCore::GameControllerGamepad>): Add.
- Suppress static assert for using a WeakPtr without also implementing
  CheckedPtr or RefPtr.  This is only needed for the branch since
  WebCore::PlatformGamepad implements CheckedPtr on main.
(WebCore::GameControllerGamepad::~GameControllerGamepad): Add declaration.
(WebCore::GameControllerGamepad::teardownElements): Add declaration.
* Source/WebCore/platform/gamepad/cocoa/GameControllerGamepad.mm:
(WebCore::GameControllerGamepad::~GameControllerGamepad): Add.
- Calls teardownElements().
(WebCore::GameControllerGamepad::setupElements):
- Use WeakPtr for handler blocks instead of this.
(WebCore::GameControllerGamepad::teardownElements): Add.
- Unregister all the handlers configured in setupElements().
* Tools/TestWebKitAPI/Tests/mac/HIDGamepads.mm:
(TestWebKitAPI::(Gamepad, DisconnectDuringInput)): Add.
- Add test. Reproduces rarely since this is a race condition.

Originally-landed-as: 301765.400@safari-7623-branch (a0cedddb8c35). 
rdar://171556229
Canonical link: https://commits.webkit.org/308708@main


Compare: https://github.com/WebKit/WebKit/compare/3ab7cbf4600b...101c85501323
