Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 37e24535f59a77509b5ac0ab09dc94cd4d47917d
https://github.com/WebKit/WebKit/commit/37e24535f59a77509b5ac0ab09dc94cd4d47917d
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
A LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash-expected.txt
A LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash.html
M Source/WebCore/rendering/RenderGrid.cpp
Log Message:
-----------
[WebKit][Main+SU] [80bcc69aeb72643f] ASAN_ILL |
WebCore::GridTrackSizingAlgorithm::copyUsedTrackSizesForSubgrid;
WebCore::GridTrackSizingAlgorithm::run; WebCore::RenderGrid::layoutGrid
https://bugs.webkit.org/show_bug.cgi?id=301640
rdar://163483172
Reviewed by Sammy Gill.
When the writing mode of a grid changes orthogonally, there might
be incongruences in how parent and subgrid tracks relate. This needs
to be taken into account so that later the track sizing algorithm can
try to copy the track sizes for its subgrid. If the writing mode direction
has changed during a style change for a grid, call setNeedsItemPlacement()
for subgrid children.
Test: fast/css-grid-layout/subgrid-with-changing-writing-mode-crash.html
* LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash-expected.txt: Added.
* LayoutTests/fast/css-grid-layout/subgrid-with-changing-writing-mode-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::styleDidChange):
Originally-landed-as: 301765.380@safari-7623-branch (3c710b2a33ae).
rdar://171557925
Canonical link: https://commits.webkit.org/308709@main

Commit: aaa0cd37c6fc8d897531171b05059a7228ac06b6
https://github.com/WebKit/WebKit/commit/aaa0cd37c6fc8d897531171b05059a7228ac06b6
Author: Youenn Fablet <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encoder.h
Log Message:
-----------
Potential 'out of bounds' issue committed to upstream libwebrtc
rdar://166200109
Reviewed by Chris Dumez.
Cherry-picking of
https://github.com/webmproject/libvpx/commit/d6e5cd7132d59d3cea86d06c9aae26f95fe00adb.
Originally-landed-as: 301765.383@safari-7623-branch (9d4b06b7a57c).
rdar://171557582
Canonical link: https://commits.webkit.org/308710@main

Commit: d13215b96086b62d5bedc97e5da2848853b70e38
https://github.com/WebKit/WebKit/commit/d13215b96086b62d5bedc97e5da2848853b70e38
Author: David Kilzer <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
M Source/ThirdParty/libwebrtc/Configurations/boringssl.xcconfig
M Source/ThirdParty/libwebrtc/libwebrtc.xcodeproj/project.pbxproj
Log Message:
-----------
Re-land: Enable PAC (return address signing) when building boringssl
<https://bugs.webkit.org/show_bug.cgi?id=303938>
<rdar://165647215>
Reviewed by Mark Lam.
* Source/ThirdParty/libwebrtc/Configurations/boringssl.xcconfig:
(EXCLUDED_SOURCE_FILE_NAMES[arch=arm64*]): Add.
(EXCLUDED_SOURCE_FILE_NAMES[arch=x86_64*]): Add.
- Exclude platform-specific assembly files on Intel and Apple silicon.
This makes using per-file compiler flags possible.
* Source/ThirdParty/libwebrtc/libwebrtc.xcodeproj/project.pbxproj:
- Add per-file compiler flags to limit the scope of this change. For
consistency, the flags were added to armv8 files even if the assembly
file did not include PAC macros.
- Make sure to disable -fptrauth-returns since it's not compatible with
-mbranch-protection=pac-ret.
- Use -mbranch-protection=pac-ret+b-key since we want B-key signing.
Originally-landed-as: 301765.390@safari-7623-branch (31b8ded4fe0d).
rdar://171557422
Canonical link: https://commits.webkit.org/308711@main

Commit: 2a07f263519fa36f5462af80e8e1388a266675bf
https://github.com/WebKit/WebKit/commit/2a07f263519fa36f5462af80e8e1388a266675bf
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
A JSTests/stress/stack-overflow-llint-large-params-and-large-locals.js
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Log Message:
-----------
[JSC] LLInt arity fix needs to be done against sp
https://bugs.webkit.org/show_bug.cgi?id=304973
rdar://167110398
Reviewed by Yijia Huang.
When performing LLInt arity fixup, it is done after checking local
frame's adjustment. This means that we should do stack overflow check
with `newlyAddedSlots + sp` with soft-stack-limit instead of
`newlyAddedSlots + cfr`.
Note that JIT code is doing the right things already.
Test: JSTests/stress/stack-overflow-llint-large-params-and-large-locals.js
* JSTests/stress/stack-overflow-llint-large-params-and-large-locals.js: Added.
(shouldThrow):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::arityCheckFor):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
Originally-landed-as: 301765.393@safari-7623-branch (a0aac3a0fa8f).
rdar://171556975
Canonical link: https://commits.webkit.org/308712@main
Compare: https://github.com/WebKit/WebKit/compare/101c85501323...2a07f263519f