Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: 7e492912e0dec7133ae8e19055ac263711f7181e
https://github.com/WebKit/WebKit/commit/7e492912e0dec7133ae8e19055ac263711f7181e
Author: Chris Dumez <[email protected]>
Date: 2026-03-31 (Tue, 31 Mar 2026)
Changed paths:
M Source/WTF/wtf/EmbeddedFixedVector.h
M Source/WTF/wtf/FixedVector.h
M Source/WTF/wtf/TrailingArray.h
M Tools/TestWebKitAPI/Tests/WTF/FixedVector.cpp
Log Message:
-----------
Cherry-pick 310167@main (422833beda07).
https://bugs.webkit.org/show_bug.cgi?id=310963
`FixedVector(size, value)` should not double-initialize non-POD elements
https://bugs.webkit.org/show_bug.cgi?id=310963
Reviewed by Sam Weinig.
The `FixedVector(size_t, const T&)` constructor was first
default-constructing all elements via `Storage::create(size)`, then
copy-assigning over them with `fill(value)`. For non-POD types, this
means N default constructions + N copy assignments instead of just
N copy constructions.
Fix this by adding a `createFilled()` factory to `EmbeddedFixedVector`
backed by a new `TrailingArray` FillWith constructor that uses
`VectorTypeOperations::uninitializedFill`, matching what
`Vector(size, val)` already does.
Also add API test coverage for this constructor, which had none.
Test: Tools/TestWebKitAPI/Tests/WTF/FixedVector.cpp
* Source/WTF/wtf/EmbeddedFixedVector.h:
* Source/WTF/wtf/FixedVector.h:
(WTF::FixedVector::FixedVector):
* Source/WTF/wtf/TrailingArray.h:
(WTF::TrailingArray::TrailingArray):
* Tools/TestWebKitAPI/Tests/WTF/FixedVector.cpp:
(TestWebKitAPI::TEST(WTF_FixedVector, SizeAndValueConstructorPOD)):
(TestWebKitAPI::TEST(WTF_FixedVector, SizeAndValueConstructorNonPOD)):
(TestWebKitAPI::TEST(WTF_FixedVector, SizeAndValueConstructorZeroSize)):
(TestWebKitAPI::TEST(WTF_FixedVector,
SizeAndValueConstructorSingleElement)):
Canonical link: https://commits.webkit.org/310167@main
Canonical link: https://commits.webkit.org/298234.524@webkitglib/2.50
Commit: 6860867160405fb03d0bf225fd4bfd1c8868640d
https://github.com/WebKit/WebKit/commit/6860867160405fb03d0bf225fd4bfd1c8868640d
Author: Abrar Rahman Protyasha <[email protected]>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
M Source/WebCore/inspector/agents/InspectorIndexedDBAgent.cpp
Log Message:
-----------
Cherry-pick 310488@main (0125fbadd495).
https://bugs.webkit.org/show_bug.cgi?id=311364
IndexedDB inspection can silently fail when document has no IDB factory
https://bugs.webkit.org/show_bug.cgi?id=311364
rdar://173963020
Reviewed by Megan Gardner and Aditya Keerthi.
In InspectorIndexedDBAgent.cpp, `IDBFactoryFromDocument()` constructs an
error via `makeUnexpected(...)` when `idbFactory` is null, but fails to
actually return it.
This means the error is silently discarded and execution falls through to
the next line, which returns a null idbFactory as a success value.
As a result, when a document has no IndexedDB factory, instead of
propagating a descriptive error back to the Inspector frontend, the agent
returns a null pointer wrapped in a success result, which could cause a
null dereference in callers or silently break IndexedDB inspection.
We discovered this bug during the migration to std::unexpected, because
the standard analogue of that type has a nodiscard constructor.
* Source/WebCore/inspector/agents/InspectorIndexedDBAgent.cpp:
(WebCore::IDBFactoryFromDocument):
Canonical link: https://commits.webkit.org/310488@main
Canonical link: https://commits.webkit.org/298234.525@webkitglib/2.50
Commit: 91f807671c2bfe786ce5fbe4c4c68b4605ddc5e6
https://github.com/WebKit/WebKit/commit/91f807671c2bfe786ce5fbe4c4c68b4605ddc5e6
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
A JSTests/stress/dfg-arith-mul-bitand-negative-mask-unchecked.js
M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
Log Message:
-----------
Cherry-pick 310678@main (83895848013f).
https://bugs.webkit.org/show_bug.cgi?id=311505
[JSC] `isWithinPowerOfTwo` is unsound for BitAnd with negative mask in DFG
BackwardsPropagation
https://bugs.webkit.org/show_bug.cgi?id=311505
Reviewed by Justin Michaud.
isWithinPowerOfTwo<power>() returned true for `x & c` whenever |c| <
2^power,
but this bound only holds when c is non-negative. A negative mask preserves
the sign bit, so `x & -4` can span the full int32 range. This caused
ArithMul
to drop NodeBytecodeUsesAsNumber and become Arith::Unchecked, producing the
low 32 bits of the exact product instead of the spec-mandated double-rounded
result.
function f(a, b) { return ((a & -4) * b) | 0; }
f(0x7ffffffc, 0x7ffffffc) // LLInt: 0, DFG/FTL: 16
Fix by requiring the BitAnd constant operand to be non-negative. Also remove
isWithinPowerOfTwoNonRecursive() which is now unused.
Test: JSTests/stress/dfg-arith-mul-bitand-negative-mask-unchecked.js
* JSTests/stress/dfg-arith-mul-bitand-negative-mask-unchecked.js: Added.
(testMaskRight):
(testMaskLeft):
(testMaskRightSwappedMul):
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
Deleted.
Canonical link: https://commits.webkit.org/310678@main
Canonical link: https://commits.webkit.org/298234.526@webkitglib/2.50
Commit: 12c589e245ebabc0d1d31110bd322cd7f92f3096
https://github.com/WebKit/WebKit/commit/12c589e245ebabc0d1d31110bd322cd7f92f3096
Author: Chris Dumez <[email protected]>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/css/cssom/caretPositionFromPoint-in-flex-container-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/css/cssom/caretPositionFromPoint-in-flex-container.html
M Source/WebCore/rendering/RenderBox.cpp
Log Message:
-----------
Cherry-pick 310626@main (9449d94cd8a3).
https://bugs.webkit.org/show_bug.cgi?id=311543
Fix inverted Y-axis comparison in RenderBox::positionForPoint
https://bugs.webkit.org/show_bug.cgi?id=311543
Reviewed by Alan Baradlay.
The exact-hit check for whether a point falls inside a child's content
box had the Y comparisons swapped: it required point.y() <= top AND
point.y() >= bottom, which is impossible when bottom > top (always true
since contentBoxHeight() is non-negative). This meant the early return
never fired, and the function always fell through to the distance-based
closest-child search.
The distance fallback computes the distance from the point to each
child's nearest edge. When the point is inside a tall child near its
top edge, the distance to that child's bottom edge can be very large,
while the distance to a short preceding sibling's bottom edge is small.
This causes the wrong child to be selected, misplacing the caret.
This is observable via caretPositionFromPoint on flex/grid containers
when the hit-test returns the container rather than a child (e.g. when
children have pointer-events: none).
Test:
imported/w3c/web-platform-tests/css/cssom/caretPositionFromPoint-in-flex-container.html
- This test is failing in shipping Safari but passing in Chrome and Firefox.
*
LayoutTests/imported/w3c/web-platform-tests/css/cssom/caretPositionFromPoint-in-flex-container-expected.txt:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/cssom/caretPositionFromPoint-in-flex-container.html:
Added.
* Source/WebCore/rendering/RenderBox.cpp:
(WebCore::RenderBox::positionForPoint):
Canonical link: https://commits.webkit.org/310626@main
Canonical link: https://commits.webkit.org/298234.527@webkitglib/2.50
Commit: 54a519d74cee0449df3f166f0efc94718b4c5758
https://github.com/WebKit/WebKit/commit/54a519d74cee0449df3f166f0efc94718b4c5758
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
A JSTests/stress/describe-null-butterfly.js
M Source/JavaScriptCore/runtime/JSCJSValue.cpp
Log Message:
-----------
Cherry-pick 310137@main (3f22094cdc45).
https://bugs.webkit.org/show_bug.cgi?id=310783
[JSC] Fix null butterfly dereference in
JSValue::dumpInContextAssumingStructure
https://bugs.webkit.org/show_bug.cgi?id=310783
Reviewed by Yusuke Suzuki.
JSValue::dumpInContextAssumingStructure unconditionally calls
butterfly()->base(structure) without checking if butterfly() returns
null. Objects with only inline properties (no indexed storage, no
out-of-line properties) have a null butterfly pointer. When the DFG
graph dump or describe() prints such objects, this triggers undefined
behavior caught by UBSAN:
Butterfly.h:182:21: runtime error: member call on null pointer of
type 'JSC::Butterfly *'
The call chain does only pointer arithmetic so it does not crash in
practice, but the output "(base=0xfffffffffffffff8)" is meaningless
and the member call on a null pointer is still UB.
Fix by checking if butterfly is null before computing the base address.
* JSTests/stress/describe-null-butterfly.js: Added.
* Source/JavaScriptCore/runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContextAssumingStructure const):
Canonical link: https://commits.webkit.org/310137@main
Canonical link: https://commits.webkit.org/298234.528@webkitglib/2.50
Commit: 36c3a10cce3d97e747d1bf7375a5d0060f181bc7
https://github.com/WebKit/WebKit/commit/36c3a10cce3d97e747d1bf7375a5d0060f181bc7
Author: David Kilzer <[email protected]>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp
Log Message:
-----------
Cherry-pick 310716@main (51448cf8aa95).
https://bugs.webkit.org/show_bug.cgi?id=311611
Add nullptr checks for m_objectStore.get() in
WebCore::IDBServer::MemoryIndex
<https://bugs.webkit.org/show_bug.cgi?id=311611>
<rdar://174209893>
Reviewed by Geoffrey Garen.
`m_objectStore` is a `WeakPtr<MemoryObjectStore>`. If the object store
is deallocated, `WeakPtr::get()` returns nullptr. Add nullptr checks to
`getResultForKeyRange()` and `getAllRecords()` to prevent crashes.
Unable to create a test case.
* Source/WebCore/Modules/indexeddb/server/MemoryIndex.cpp:
(WebCore::IDBServer::MemoryIndex::getResultForKeyRange):
(WebCore::IDBServer::MemoryIndex::getAllRecords):
Canonical link: https://commits.webkit.org/310716@main
Canonical link: https://commits.webkit.org/298234.529@webkitglib/2.50
Compare: https://github.com/WebKit/WebKit/compare/acfee9d3c15b...36c3a10cce3d
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
