Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 2efbd919e75cb36a5e50ebaeef2ba26f7565f2fb
https://github.com/WebKit/WebKit/commit/2efbd919e75cb36a5e50ebaeef2ba26f7565f2fb
Author: Rob Buis <[email protected]>
Date: 2026-03-07 (Sat, 07 Mar 2026)
Changed paths:
A LayoutTests/svg/filters/filter-insert-button-crash-expected.txt
A LayoutTests/svg/filters/filter-insert-button-crash.html
M Source/WebCore/page/LocalFrameViewLayoutContext.cpp
M Source/WebCore/page/LocalFrameViewLayoutContext.h
M Source/WebCore/rendering/RenderObject.cpp
M Source/WebCore/rendering/updating/RenderTreeBuilderInline.cpp
Log Message:
-----------
Cherry-pick [email protected] (6c8a256d475b). rdar://137178583
[SVG] Don't repaint when referenced resources change if the renderer is not in-tree yet
https://bugs.webkit.org/show_bug.cgi?id=301140
rdar://137178583
Reviewed by Alan Baradlay.
When moving svg resources around it's possible to end up
triggering a repaint before the renderer is in-tree. To
fix that, add API for blocking repaints and start using that
while in RenderTreeBuilder::Inline::splitFlow.
Test: svg/filters/filter-insert-button-crash.html
* LayoutTests/svg/filters/filter-insert-button-crash-expected.txt: Added.
* LayoutTests/svg/filters/filter-insert-button-crash.html: Added.
* Source/WebCore/page/LocalFrameViewLayoutContext.cpp:
(WebCore::RepaintBlocker::RepaintBlocker):
(WebCore::RepaintBlocker::~RepaintBlocker):
* Source/WebCore/page/LocalFrameViewLayoutContext.h:
* Source/WebCore/rendering/RenderObject.cpp:
(WebCore::RenderObject::repaint const):
* Source/WebCore/rendering/updating/RenderTreeBuilderInline.cpp:
(WebCore::RenderTreeBuilder::Inline::splitFlow):
Canonical link: https://commits.webkit.org/[email protected]
Originally-landed-as: 301765.361@safari-7623-branch (e218dd58cf7e).
rdar://171559006
Canonical link: https://commits.webkit.org/308852@main
Commit: 3f6f7836068abd20f974c605e04af3c7c5ce88fa
https://github.com/WebKit/WebKit/commit/3f6f7836068abd20f974c605e04af3c7c5ce88fa
Author: Yijia Huang <[email protected]>
Date: 2026-03-07 (Sat, 07 Mar 2026)
Changed paths:
A JSTests/stress/map-forEach.js
M Source/JavaScriptCore/dfg/DFGNodeType.h
Log Message:
-----------
[JSC] MapIterationEntryKey should have NodeResultJS, not NodeResultInt32
https://bugs.webkit.org/show_bug.cgi?id=304950
rdar://167200795
Reviewed by Marcus Plutowski.
MapIterationEntryKey returns arbitrary JSValues (map keys can be any type),
so it should be declared with NodeResultJS to match MapIterationEntryValue.
Test: JSTests/stress/map-forEach.js
Originally-landed-as: 301765.392@safari-7623-branch (47b55468bf82).
rdar://171557100
Canonical link: https://commits.webkit.org/308853@main
Commit: e01d2548ff09a4ef0e2ad56fd736e804670ae0f3
https://github.com/WebKit/WebKit/commit/e01d2548ff09a4ef0e2ad56fd736e804670ae0f3
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-07 (Sat, 07 Mar 2026)
Changed paths:
A LayoutTests/highlight/highlight-crash-2-expected.txt
A LayoutTests/highlight/highlight-crash-2.html
M Source/WebCore/Modules/highlight/Highlight.cpp
Log Message:
-----------
[WebKit][Main] [76d1bb47f067ac21] ASAN_SEGV |
WebCore::Highlight::clearFromSetLike; WebCore::HighlightRegistry::clear;
WebCore::Document::commonTeardown
https://bugs.webkit.org/show_bug.cgi?id=304176
rdar://166163089
Reviewed by Chris Dumez.
With the right disposing order, it is possible to cause reentrancy to
Highlight::clearFromSetLike(). This is due to the ownership relationship
between Document->HighlightRegistry->Highlight->HighlightRange->Range->Document.
The attached test shows an example of how to achieve this (a dangling document
that is only attached to a Range gets disposed during another Document's
disposing, causing a reentrant call to Highlight::clearFromSetLike()).
Ensure Highlight::clearFromSetLike() is safely reentrant by exchanging
Highlight::m_highlightRanges with an empty vector so that any potentially
reentrant call is a no-op.
Test: highlight/highlight-crash-2.html
* LayoutTests/highlight/highlight-crash-2-expected.txt: Added.
* LayoutTests/highlight/highlight-crash-2.html: Added.
* Source/WebCore/Modules/highlight/Highlight.cpp:
(WebCore::Highlight::clearFromSetLike):
Originally-landed-as: [email protected] (ae3502b8b960).
rdar://170270576
Canonical link: https://commits.webkit.org/308854@main
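The reentrancy pattern the third commit describes (an element's destructor re-entering the clear() of the container that is being cleared) is shown below as an added, self-contained model; this is not WebKit code, and the names Registry, Entry, clearSafe, clearUnsafe and runScenario are hypothetical stand-ins for HighlightRegistry, Highlight and clearFromSetLike. The model builds three entries whose destructors re-enter clear(); the safe variant detaches the vector with std::exchange first, so every nested call finds an empty container and becomes a no-op instead of touching a vector that is mid-destruction.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical model (not WebKit code): a Registry owns Entries, and an Entry's
// destructor may run arbitrary code, including code that re-enters Registry::clear().
struct Entry {
    std::function<void()> onDestroy;
    ~Entry() { if (onDestroy) onDestroy(); }
};

class Registry {
public:
    std::vector<std::unique_ptr<Entry>> entries;
    int clearCalls = 0; // total calls, including reentrant ones
    int depth = 0;      // current nesting of clearSafe()
    int maxDepth = 0;   // deepest nesting observed

    // The pattern to avoid: destroying elements in place. If a destructor re-enters
    // clearUnsafe(), the nested call operates on the same vector while it is being
    // cleared, which is undefined behaviour (this is the ASAN_SEGV class of bug).
    // Shown for contrast only; runScenario() never calls it.
    void clearUnsafe() { entries.clear(); }

    // The fix from the commit message, modelled: move the contents to a local
    // first. Any reentrant call then sees an empty `entries` and exchanges
    // empty-for-empty, so it is a harmless no-op.
    void clearSafe() {
        ++clearCalls;
        ++depth;
        maxDepth = std::max(maxDepth, depth);
        auto detached = std::exchange(entries, {});
        detached.clear(); // destructors run here; nested clearSafe() calls are no-ops
        --depth;
    }
};

struct Outcome {
    int clearCalls; // expected 4: one top-level call plus one reentrant call per entry
    int destroyed;  // expected 3: every entry destroyed exactly once
    int maxDepth;   // expected 2: reentrant calls nest one level deep
    bool emptyAfter;
};

// Constructed scenario: three entries, each of which re-enters clearSafe()
// from its own destructor, mimicking a Document torn down while another
// Document's registry is being cleared.
Outcome runScenario() {
    Registry registry;
    int destroyed = 0;
    for (int i = 0; i < 3; ++i) {
        auto e = std::make_unique<Entry>();
        e->onDestroy = [&registry, &destroyed] {
            ++destroyed;
            registry.clearSafe(); // reentrant call during teardown
        };
        registry.entries.push_back(std::move(e));
    }
    registry.clearSafe();
    return { registry.clearCalls, destroyed, registry.maxDepth, registry.entries.empty() };
}
```

The check to carry over to a real code base is the same as in the model: any clear() or teardown routine whose element destructors can run user-visible or cross-object code should detach the container (std::exchange, swap into a local) before destroying, and ideally assert that the reentrant path observes an empty container.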
Compare: https://github.com/WebKit/WebKit/compare/8be1a0836758...e01d2548ff09