Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0c60c77c0c3d01dcfb95c0c1e0bd40d9fb6562c6
https://github.com/WebKit/WebKit/commit/0c60c77c0c3d01dcfb95c0c1e0bd40d9fb6562c6
Author: Kai Tamkun <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
A JSTests/stress/object-assign-inline-storage.js
M Source/JavaScriptCore/runtime/ObjectConstructorInlines.h
Log Message:
-----------
Don't attempt to copy nonexistent inline storage in fast object cloning
rdar://167110652
Reviewed by Yusuke Suzuki.
This prevents an attempt to access inline storage in Object.assign when
there is no inline storage to copy.
Added a test that crashed with an assertion failure in debug mode
before these changes.
* JSTests/stress/object-assign-inline-storage.js: Added.
(shouldBe):
(C):
* Source/JavaScriptCore/runtime/ObjectConstructorInlines.h:
(JSC::checkStructureForClone): Renamed from checkStrucureForClone.
(JSC::objectCloneFast): Add a check for inline storage presence.
(JSC::tryCreateObjectViaCloning): Updated an invocation name.
(JSC::checkStrucureForClone): Renamed to checkStructureForClone.
Originally-landed-as: 301765.401@safari-7623-branch (dabdca54351d).
rdar://171556071
Canonical link: https://commits.webkit.org/308716@main
Commit: 47b17ca50c7b3c8bb070f9c8ecf551cf3615a5a2
https://github.com/WebKit/WebKit/commit/47b17ca50c7b3c8bb070f9c8ecf551cf3615a5a2
Author: Anand Srinivasan <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
A JSTests/stress/dfg-miscompiles-new-regexp.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
Log Message:
-----------
operationNewRegExpUntyped should call constructRegExp with a newTarget
https://bugs.webkit.org/show_bug.cgi?id=305161
rdar://167199047
Reviewed by Mark Lam.
If the RegExp constructor is invoked using "new" then it must have a
valid newTarget, but not if it is invoked as a function call
("RegExp(...)" vs. "new RegExp(...)"). This patch updates DFG to
follow the specification correctly, since previously the code did not
pass in a newTarget to the RegExp constructor.
operationNewRegExpUntyped() is only called for the NewRegExpUntyped DFG node.
NewRegExpUntyped is only emitted by the bytecode parser if newTargetNode !=
callTargetNode.
Hence, the newTarget value that should be passed is the callTargetNode i.e. the
RegExp constructor.
See https://262.ecma-international.org/#sec-regexp-pattern-flags
specifying what should be passed in newTarget.
```
2. If NewTarget is undefined, then
a. Let newTarget be the active function object.
```
Test: JSTests/stress/dfg-miscompiles-new-regexp.js
* JSTests/stress/dfg-miscompiles-new-regexp.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
Originally-landed-as: 301765.415@safari-7623-branch (4175b9cec24d).
rdar://167199047
Canonical link: https://commits.webkit.org/308717@main
Commit: 3d2be34257ec9aa21c645e4c0eac25b8117240c6
https://github.com/WebKit/WebKit/commit/3d2be34257ec9aa21c645e4c0eac25b8117240c6
Author: Gerald Squelart <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Catch multiplication overflow in bytesPerRow() validator
https://bugs.webkit.org/show_bug.cgi?id=305033
rdar://167621238
Reviewed by Dan Glastonbury.
The multiplication `m_size->width() * *bytesPerPixel` could overflow
into a negative number, allowing the validation to pass for very large
widths.
Fixed by using `WTF::safeMultiply`, which checks for overflows relative
to the result type.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Originally-landed-as: 301765.416@safari-7623-branch (7c8da3f7f913).
rdar://171555967
Canonical link: https://commits.webkit.org/308718@main
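The overflow class described in the commit above, as an added example that is not WebKit's code: a hypothetical bytesPerRow validator in its unchecked and checked forms. It assumes int-typed width and bytesPerPixel fields and uses the GCC/Clang builtin __builtin_mul_overflow in place of WTF::safeMultiply.

```cpp
// Added example, not WebKit's code. Shows why a width * bytesPerPixel
// validator that multiplies unchecked can be bypassed by overflow, and the
// checked version that rejects the input instead.
#include <cstdint>

// Hypothetical header received from an untrusted sender (field types assumed).
struct ImageHeader {
    int width;
    int bytesPerPixel;
    int bytesPerRow; // claimed by the sender, must cover width * bytesPerPixel
};

// Models the two's-complement wrap an unchecked int multiplication produces in
// practice, spelled out with unsigned arithmetic so this example itself has no
// undefined behaviour (plain signed overflow would).
static int wrappedProduct(int a, int b)
{
    return static_cast<int>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}

// Unchecked validator: a huge width wraps the minimum to a small or negative
// number, so a tiny bytesPerRow passes validation.
bool validateBytesPerRowUnchecked(const ImageHeader& h)
{
    if (h.width <= 0 || h.bytesPerPixel <= 0 || h.bytesPerRow <= 0)
        return false;
    int minimum = wrappedProduct(h.width, h.bytesPerPixel);
    return h.bytesPerRow >= minimum;
}

// Checked validator: overflow relative to the result type (int) is itself a
// validation failure, which is the behaviour WTF::safeMultiply provides.
bool validateBytesPerRowChecked(const ImageHeader& h)
{
    if (h.width <= 0 || h.bytesPerPixel <= 0 || h.bytesPerRow <= 0)
        return false;
    int minimum = 0;
    if (__builtin_mul_overflow(h.width, h.bytesPerPixel, &minimum))
        return false;
    return h.bytesPerRow >= minimum;
}

int main()
{
    // Constructed input: 2^30 * 4 == 2^32 wraps to 0, so 16 bytes "suffice".
    ImageHeader hostile { 1073741824, 4, 16 };
    return validateBytesPerRowUnchecked(hostile) && !validateBytesPerRowChecked(hostile) ? 0 : 1;
}
```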
Commit: 13d284abcfcb276e9340d5e338ee479ab7927522
https://github.com/WebKit/WebKit/commit/13d284abcfcb276e9340d5e338ee479ab7927522
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
M Source/WebCore/Modules/highlight/Highlight.cpp
Log Message:
-----------
[WebKit][Main] [76d1bb47f067ac21] ASAN_SEGV |
WebCore::Highlight::clearFromSetLike; WebCore::HighlightRegistry::clear;
WebCore::Document::commonTeardown
https://bugs.webkit.org/show_bug.cgi?id=304176
rdar://166163089
Reviewed by Chris Dumez.
Follow-up after [email protected] to improve the bug fix.
Covered by existing test.
* Source/WebCore/Modules/highlight/Highlight.cpp:
(WebCore::Highlight::clearFromSetLike):
Originally-landed-as: [email protected] (51b8db6618a3).
rdar://170272051
Canonical link: https://commits.webkit.org/308719@main
Commit: 3330a93a8523304755eb9603f3ff52ea8eb1e648
https://github.com/WebKit/WebKit/commit/3330a93a8523304755eb9603f3ff52ea8eb1e648
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-05 (Thu, 05 Mar 2026)
Changed paths:
A JSTests/stress/dfg-proto-fold-invalidate3.js
M Source/JavaScriptCore/bytecode/GetByStatus.cpp
Log Message:
-----------
[JSC] GetByStatus::computeFor has race condition around swapped object's
structure checks
https://bugs.webkit.org/show_bug.cgi?id=305521
rdar://155413221
Reviewed by Yijia Huang.
Now ObjectPropertyCondition is properly created. But it is possible
that this finally registered ObjectPropertyCondition's structures do
not have the proper condition we would like. We are obtaining objects
from the condition and checking the structure's characteristics.
Test: JSTests/stress/dfg-proto-fold-invalidate3.js
* JSTests/stress/dfg-proto-fold-invalidate3.js: Added.
(shouldBe):
(opt):
(watchCalleeProperty):
(async sleep):
(createClonedArguments):
(p):
(async main):
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFor):
Originally-landed-as: 305413.33@safari-7624-branch (744106342146).
rdar://170270523
Canonical link: https://commits.webkit.org/308720@main
Compare: https://github.com/WebKit/WebKit/compare/01d8e1eba767...3330a93a8523