Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 7b0940dfb681090139c7d33ed9b57306de3dd31b
https://github.com/WebKit/WebKit/commit/7b0940dfb681090139c7d33ed9b57306de3dd31b
Author: David Kilzer <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/platform/mediastream/RealtimeIncomingAudioSource.cpp
M Source/WebCore/platform/mediastream/RealtimeIncomingVideoSource.cpp
M Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.cpp
M Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.h
M Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.cpp
M Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.h
M Source/WebCore/platform/mediastream/mac/RealtimeIncomingAudioSourceCocoa.cpp
M Source/WebCore/platform/mediastream/mac/RealtimeIncomingAudioSourceCocoa.h
M Source/WebCore/platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.h
M Source/WebCore/platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.mm
Log Message:
-----------
Cherry-pick 305413.429@safari-7624-branch (6d6607033ebc).
https://bugs.webkit.org/show_bug.cgi?id=308636
Fix crashes in RealtimeIncoming*Source destructors by ensuring sink removal before member destruction
<https://bugs.webkit.org/show_bug.cgi?id=308636>
<rdar://162084447>
Reviewed by Jean-Yves Avenard and Youenn Fablet.
Crashes occurred when WebRTC audio/video callbacks accessed destroyed
member variables during object destruction. The root cause is due to
C++ destruction-order behavior: the compiler-generated destructors in
derived classes (e.g. RealtimeIncomingAudioSourceCocoa) destroy derived
members before calling the base class destructor, but the base class
destructor's stop() call is what removes the audio/video track sink.
While RTCPeerConnection::doClose() normally stops sources via
requestToEnd(), there are code paths where the source can reach
destruction while still producing data -- for example,
requestToEnd() is blocked if any RealtimeMediaSourceObserver returns
true from preventSourceFromEnding(). If the source is still producing
data when destruction begins, the base class destructor's stop() does
call RemoveSink() (which properly synchronizes with in-progress OnData
callbacks via sink_lock_ in RemoteAudioSource), but by that point
derived members like m_audioBufferList are already destroyed.
The fix ensures derived destructors call stop() to remove sinks before
any member destruction occurs. The base class destructors now contain
ASSERT(!isProducingData()) to verify subclasses follow this pattern.
* Source/WebCore/platform/mediastream/RealtimeIncomingAudioSource.cpp:
(WebCore::RealtimeIncomingAudioSource::~RealtimeIncomingAudioSource):
* Source/WebCore/platform/mediastream/RealtimeIncomingVideoSource.cpp:
(WebCore::RealtimeIncomingVideoSource::~RealtimeIncomingVideoSource):
* Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.cpp:
(WebCore::RealtimeIncomingAudioSourceLibWebRTC::~RealtimeIncomingAudioSourceLibWebRTC): Add.
* Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.h:
* Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.cpp:
(WebCore::RealtimeIncomingVideoSourceLibWebRTC::~RealtimeIncomingVideoSourceLibWebRTC): Add.
* Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.h:
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingAudioSourceCocoa.cpp:
(WebCore::RealtimeIncomingAudioSourceCocoa::~RealtimeIncomingAudioSourceCocoa): Add.
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingAudioSourceCocoa.h:
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.h:
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.mm:
(WebCore::RealtimeIncomingVideoSourceCocoa::~RealtimeIncomingVideoSourceCocoa): Add.
Identifier: 305413.429@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.516@webkitglib/2.52
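The destruction-order problem the commit message above describes, as an added illustration that is not WebKit code: a base class whose destructor calls stop() to remove the sink, and a derived class with a member that the data callback uses. The compiler-generated derived destructor destroys that member before the base destructor runs, so the sink is still attached while the member is already gone; the fixed variant calls stop() in its own destructor first. FakeTrack, IncomingSourceBase, BuggySource, FixedSource, AudioBufferList and the Trace log are constructed for this example; only the stop()/isProducingData() pattern and the m_audioBufferList name come from the commit message.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Event log so the destruction order can be inspected and asserted on.
using Trace = std::vector<std::string>;

// Constructed stand-in for a libwebrtc track: holds at most one sink callback.
struct FakeTrack {
    std::function<void()> sink;
    void addSink(std::function<void()> s) { sink = std::move(s); }
    void removeSink() { sink = nullptr; }
};

// Stand-in for the RealtimeIncoming*Source base class: its destructor calls stop(),
// and stop() is what removes the sink from the track.
class IncomingSourceBase {
public:
    IncomingSourceBase(FakeTrack& track, Trace& trace) : m_track(track), m_trace(trace) {}
    virtual ~IncomingSourceBase() {
        // Mirrors ASSERT(!isProducingData()): record whether the subclass stopped us first.
        m_trace.push_back(isProducingData() ? "~Base(still producing)" : "~Base(stopped)");
        stop();
    }
    void start(std::function<void()> onData) {
        m_track.addSink(std::move(onData));
        m_producing = true;
        m_trace.push_back("start");
    }
    void stop() {
        if (!m_producing)
            return;
        m_track.removeSink();  // synchronizes with in-flight callbacks in the real code
        m_producing = false;
        m_trace.push_back("stop");
    }
    bool isProducingData() const { return m_producing; }

private:
    FakeTrack& m_track;

protected:
    Trace& m_trace;

private:
    bool m_producing = false;
};

// Derived-class member whose lifetime we want to see relative to sink removal.
struct AudioBufferList {
    explicit AudioBufferList(Trace& trace) : m_trace(trace) {}
    ~AudioBufferList() { m_trace.push_back("~m_audioBufferList"); }
    Trace& m_trace;
};

// Before the fix: compiler-generated destructor. The member dies first, and only
// then does ~IncomingSourceBase remove the sink.
class BuggySource : public IncomingSourceBase {
public:
    BuggySource(FakeTrack& track, Trace& trace)
        : IncomingSourceBase(track, trace), m_audioBufferList(trace) {
        start([this] { m_trace.push_back("OnData"); });
    }

private:
    AudioBufferList m_audioBufferList;
};

// After the fix: the derived destructor calls stop() before any member is destroyed.
class FixedSource : public IncomingSourceBase {
public:
    FixedSource(FakeTrack& track, Trace& trace)
        : IncomingSourceBase(track, trace), m_audioBufferList(trace) {
        start([this] { m_trace.push_back("OnData"); });
    }
    ~FixedSource() override { stop(); }

private:
    AudioBufferList m_audioBufferList;
};

// Returns the order of events observed while destroying a BuggySource.
Trace destroyBuggySource() {
    Trace trace;
    FakeTrack track;
    { BuggySource source(track, trace); }
    return trace;
}

// Returns the order of events observed while destroying a FixedSource.
Trace destroyFixedSource() {
    Trace trace;
    FakeTrack track;
    { FixedSource source(track, trace); }
    return trace;
}

int main() {
    for (const auto& step : destroyBuggySource()) std::cout << "buggy: " << step << '\n';
    for (const auto& step : destroyFixedSource()) std::cout << "fixed: " << step << '\n';
    return 0;
}
```

In the buggy trace "~m_audioBufferList" precedes "stop", which is the window in which a late OnData callback touches a destroyed member; in the fixed trace "stop" comes first and the base destructor sees isProducingData() == false, which is what the new ASSERT checks.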
Commit: d09dbec2a9f205b64d7a62721743e2def4c13dad
https://github.com/WebKit/WebKit/commit/d09dbec2a9f205b64d7a62721743e2def4c13dad
Author: Youenn Fablet <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encoder.c
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_mcomp.c
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_pickmode.c
Log Message:
-----------
Cherry-pick 305413.430@safari-7624-branch (04fc2fd260e5).
https://bugs.webkit.org/show_bug.cgi?id=308636
vp9_scale_references: fail if no free buffer is available (Potential 'overflow' issue committed to upstream libwebrtc)
rdar://171591634
Reviewed by Jean-Yves Avenard.
Cherry-pick of
https://github.com/webmproject/libvpx/commit/9a2d3d1f46afbdfa9b9820a9fd3aacb084e65e2f
Identifier: 305413.430@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.517@webkitglib/2.52
Commit: 6260312e6296d2908133f4d014d9efff630d7352
https://github.com/WebKit/WebKit/commit/6260312e6296d2908133f4d014d9efff630d7352
Author: Youenn Fablet <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/av1/encoder/extend.c
M Source/ThirdParty/libwebrtc/Source/third_party/libaom/source/libaom/test/encode_api_test.cc
Log Message:
-----------
Cherry-pick 305413.431@safari-7624-branch (b61e7ccad2c2).
https://bugs.webkit.org/show_bug.cgi?id=308636
Use crop dimensions for extension calculation
rdar://171141150
Reviewed by Jean-Yves Avenard.
We cherry-pick
https://aomedia.googlesource.com/aom/+/7343efd164afc3c0f9f2a212052d77a3d7ea1a49.
Identifier: 305413.431@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.518@webkitglib/2.52
Commit: a6eb1898910fcc41e3088b97c25c1c790354c999
https://github.com/WebKit/WebKit/commit/a6eb1898910fcc41e3088b97c25c1c790354c999
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WTF/wtf/SuspendableWorkQueue.cpp
M Source/WTF/wtf/SuspendableWorkQueue.h
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
Log Message:
-----------
Cherry-pick 305413.439@safari-7624-branch (33ae1ab583c7).
https://bugs.webkit.org/show_bug.cgi?id=309626
Bump QoS of the work queue during service worker registrations import
https://bugs.webkit.org/show_bug.cgi?id=309626
rdar://172236600
Reviewed by Sihui Liu.
Bump QoS of the work queue during service worker registrations import
from disk. Navigations are delayed until the import is complete and it
is thus important to treat the import with high (UserInitiated) priority.
* Source/WTF/wtf/SuspendableWorkQueue.cpp:
(WTF::SuspendableWorkQueue::dispatchWithQOS):
* Source/WTF/wtf/SuspendableWorkQueue.h:
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::importServiceWorkerRegistrations):
Identifier: 305413.439@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.519@webkitglib/2.52
Commit: 95373912dcb3ee611fad5567f0126bbef9e4f555
https://github.com/WebKit/WebKit/commit/95373912dcb3ee611fad5567f0126bbef9e4f555
Author: Brady Eidson <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
A LayoutTests/http/tests/broadcastchannel/.htaccess
A LayoutTests/http/tests/broadcastchannel/postmessage-array-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-array.html
A LayoutTests/http/tests/broadcastchannel/postmessage-arraybuffer-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-arraybuffer.html
A LayoutTests/http/tests/broadcastchannel/postmessage-audiodata-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-audiodata.html
A LayoutTests/http/tests/broadcastchannel/postmessage-blob-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-blob.html
A LayoutTests/http/tests/broadcastchannel/postmessage-boolean-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-boolean.html
A LayoutTests/http/tests/broadcastchannel/postmessage-date-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-date.html
A LayoutTests/http/tests/broadcastchannel/postmessage-domexception-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-domexception.html
A LayoutTests/http/tests/broadcastchannel/postmessage-encodedaudiochunk-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-encodedaudiochunk.html
A LayoutTests/http/tests/broadcastchannel/postmessage-encodedvideochunk-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-encodedvideochunk.html
A LayoutTests/http/tests/broadcastchannel/postmessage-error-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-error.html
A LayoutTests/http/tests/broadcastchannel/postmessage-imagebitmap-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-imagebitmap.html
A LayoutTests/http/tests/broadcastchannel/postmessage-imagedata-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-imagedata.html
A LayoutTests/http/tests/broadcastchannel/postmessage-map-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-map.html
A LayoutTests/http/tests/broadcastchannel/postmessage-mediastreamtrack-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-mediastreamtrack.html
A LayoutTests/http/tests/broadcastchannel/postmessage-null-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-null.html
A LayoutTests/http/tests/broadcastchannel/postmessage-number-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-number.html
A LayoutTests/http/tests/broadcastchannel/postmessage-object-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-object.html
A LayoutTests/http/tests/broadcastchannel/postmessage-regexp-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-regexp.html
A LayoutTests/http/tests/broadcastchannel/postmessage-set-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-set.html
A LayoutTests/http/tests/broadcastchannel/postmessage-sharedarraybuffer-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-sharedarraybuffer.html
A LayoutTests/http/tests/broadcastchannel/postmessage-sharedwasmmemory-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-sharedwasmmemory.html
A LayoutTests/http/tests/broadcastchannel/postmessage-string-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-string.html
A LayoutTests/http/tests/broadcastchannel/postmessage-typedarray-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-typedarray.html
A LayoutTests/http/tests/broadcastchannel/postmessage-videoframe-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-videoframe.html
A LayoutTests/http/tests/broadcastchannel/postmessage-wasmmodule-expected.txt
A LayoutTests/http/tests/broadcastchannel/postmessage-wasmmodule.html
A LayoutTests/http/tests/broadcastchannel/resources/broadcastchannel-test-harness.js
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
M Source/WebCore/bindings/js/SerializedScriptValue.h
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebCore/html/ImageBitmap.h
M Source/WebCore/html/OffscreenCanvas.h
M Source/WebCore/platform/graphics/ImageBuffer.cpp
M Source/WebCore/platform/graphics/ImageBuffer.h
M Source/WebCore/platform/mediastream/MediaStreamTrackDataHolder.cpp
M Source/WebCore/platform/mediastream/MediaStreamTrackDataHolder.h
M Source/WebKit/WebProcess/GPU/graphics/RemoteImageBufferProxy.h
M Source/WebKit/WebProcess/WebCoreSupport/WebBroadcastChannelRegistry.cpp
Log Message:
-----------
Cherry-pick 305413.445@safari-7624-branch (5a0c6501d0f5).
https://bugs.webkit.org/show_bug.cgi?id=309626
`SerializedScriptValue::deserialize` cannot be called more than once (affects BroadcastChannel postMessage())
rdar://171134726
Reviewed by Andy Estes and Ryosuke Niwa.
Since `::deserialize(...)` moves some of the SerializedScriptValue::Internals
members, it cannot be called twice. This is normally fine, but when a single
message has multiple recipients via `BroadcastChannel.postMessage()`, it ends
up meaning that only the first recipient gets the complete message.
This patch adds SerializedScriptValue::clone() then uses it in the
BroadcastChannel case, making sure each recipient gets a full copy of the
message.
Covered by layout tests that exercise each supported `SerializedScriptValue`
type.
Tests: http/tests/broadcastchannel/postmessage-array.html
http/tests/broadcastchannel/postmessage-arraybuffer.html
http/tests/broadcastchannel/postmessage-audiodata.html
http/tests/broadcastchannel/postmessage-blob.html
http/tests/broadcastchannel/postmessage-boolean.html
http/tests/broadcastchannel/postmessage-date.html
http/tests/broadcastchannel/postmessage-domexception.html
http/tests/broadcastchannel/postmessage-encodedaudiochunk.html
http/tests/broadcastchannel/postmessage-encodedvideochunk.html
http/tests/broadcastchannel/postmessage-error.html
http/tests/broadcastchannel/postmessage-imagebitmap.html
http/tests/broadcastchannel/postmessage-imagedata.html
http/tests/broadcastchannel/postmessage-map.html
http/tests/broadcastchannel/postmessage-mediastreamtrack.html
http/tests/broadcastchannel/postmessage-null.html
http/tests/broadcastchannel/postmessage-number.html
http/tests/broadcastchannel/postmessage-object.html
http/tests/broadcastchannel/postmessage-regexp.html
http/tests/broadcastchannel/postmessage-set.html
http/tests/broadcastchannel/postmessage-sharedarraybuffer.html
http/tests/broadcastchannel/postmessage-sharedwasmmemory.html
http/tests/broadcastchannel/postmessage-string.html
http/tests/broadcastchannel/postmessage-typedarray.html
http/tests/broadcastchannel/postmessage-videoframe.html
http/tests/broadcastchannel/postmessage-wasmmodule.html
* LayoutTests/http/tests/broadcastchannel/.htaccess: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-array-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-array.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-arraybuffer-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-arraybuffer.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-audiodata-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-audiodata.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-blob-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-blob.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-boolean-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-boolean.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-date-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-date.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-domexception-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-domexception.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-encodedaudiochunk-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-encodedaudiochunk.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-encodedvideochunk-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-encodedvideochunk.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-error-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-error.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-imagebitmap-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-imagebitmap.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-imagedata-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-imagedata.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-map-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-map.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-mediastreamtrack-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-mediastreamtrack.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-null-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-null.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-number-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-number.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-object-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-object.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-regexp-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-regexp.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-set-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-set.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-sharedarraybuffer-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-sharedarraybuffer.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-sharedwasmmemory-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-sharedwasmmemory.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-string-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-string.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-typedarray-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-typedarray.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-videoframe-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-videoframe.html: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-wasmmodule-expected.txt: Added.
* LayoutTests/http/tests/broadcastchannel/postmessage-wasmmodule.html: Added.
* LayoutTests/http/tests/broadcastchannel/resources/broadcastchannel-test-harness.js: Added.
(log):
(done):
(w.onmessage):
(w.onerror):
(postValue.try):
(postValue):
(checkResults):
(broadcastChannelTest):
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::copyArrayBufferContentsArray):
(WebCore::SerializedScriptValue::clone const):
(WebCore::SerializedScriptValue::Internals::clone const):
* Source/WebCore/bindings/js/SerializedScriptValue.h:
* Source/WebCore/html/ImageBitmap.cpp:
(WebCore::DetachedImageBitmap::DetachedImageBitmap):
* Source/WebCore/html/ImageBitmap.h:
* Source/WebCore/html/OffscreenCanvas.h:
(WebCore::DetachedOffscreenCanvas::placeholderSource const):
* Source/WebCore/platform/graphics/ImageBuffer.cpp:
* Source/WebCore/platform/graphics/ImageBuffer.h:
(WebCore::SerializedImageBuffer::clone const):
* Source/WebCore/platform/mediastream/MediaStreamTrackDataHolder.cpp:
(WebCore::MediaStreamTrackDataHolder::copy const):
* Source/WebCore/platform/mediastream/MediaStreamTrackDataHolder.h:
* Source/WebKit/WebProcess/GPU/graphics/RemoteImageBufferProxy.h:
(WebKit::RemoteSerializedImageBufferProxy::RemoteSerializedImageBufferProxy):
* Source/WebKit/WebProcess/WebCoreSupport/WebBroadcastChannelRegistry.cpp:
(WebKit::WebBroadcastChannelRegistry::postMessageLocally):
Identifier: 305413.445@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.520@webkitglib/2.52
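The deserialize-once hazard and the clone() fix described in the commit message above, as an added illustration that is not WebKit code. SerializedValue is a constructed stand-in for SerializedScriptValue with its Internals reduced to a byte stream plus ArrayBuffer contents; deserialize() moves those out the way the message says the real one does, and clone() deep-copies them. makeMessage, payloadSize and the two fan-out functions are constructed here to show what each of three recipients receives with and without cloning.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for SerializedScriptValue::Internals: the serialized byte
// stream plus the contents of any ArrayBuffers carried with the message.
struct SerializedValue {
    std::vector<uint8_t> data;
    std::vector<std::vector<uint8_t>> arrayBufferContents;

    // Like ::deserialize(...), this moves the internals into the result, so the
    // instance is hollow afterwards and a second call yields nothing.
    std::pair<std::vector<uint8_t>, std::vector<std::vector<uint8_t>>> deserialize() {
        return { std::move(data), std::move(arrayBufferContents) };
    }

    // Deep copy, including every ArrayBuffer's bytes, so each recipient can
    // deserialize an instance of its own.
    SerializedValue clone() const {
        SerializedValue copy;
        copy.data = data;
        copy.arrayBufferContents = arrayBufferContents;
        return copy;
    }
};

// Constructed message: the text as the stream plus one three-byte ArrayBuffer.
SerializedValue makeMessage(const std::string& text) {
    SerializedValue message;
    message.data.assign(text.begin(), text.end());
    message.arrayBufferContents.push_back({ 1, 2, 3 });
    return message;
}

// Total payload bytes a recipient ends up holding after deserialization.
size_t payloadSize(const std::vector<uint8_t>& data,
                   const std::vector<std::vector<uint8_t>>& buffers) {
    size_t total = data.size();
    for (const auto& buffer : buffers)
        total += buffer.size();
    return total;
}

// Before the fix: one SerializedValue deserialized once per recipient. Only the
// first recipient sees the full payload; the rest get a moved-from shell.
std::vector<size_t> fanOutByDeserializingShared(SerializedValue message, size_t recipients) {
    std::vector<size_t> received;
    for (size_t i = 0; i < recipients; ++i) {
        auto [data, buffers] = message.deserialize();
        received.push_back(payloadSize(data, buffers));
    }
    return received;
}

// After the fix: clone() for each recipient, then deserialize the clone.
std::vector<size_t> fanOutByCloning(const SerializedValue& message, size_t recipients) {
    std::vector<size_t> received;
    for (size_t i = 0; i < recipients; ++i) {
        auto [data, buffers] = message.clone().deserialize();
        received.push_back(payloadSize(data, buffers));
    }
    return received;
}

int main() {
    for (size_t n : fanOutByDeserializingShared(makeMessage("hello"), 3)) std::cout << "shared: " << n << '\n';
    for (size_t n : fanOutByCloning(makeMessage("hello"), 3)) std::cout << "cloned: " << n << '\n';
    return 0;
}
```

With three recipients the shared variant yields 8, 0, 0 payload bytes and the cloning variant 8, 8, 8, which is the "only the first recipient gets the complete message" symptom and its fix.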
Commit: 998931f6398f2cc9bf92e37608974a496364bf74
https://github.com/WebKit/WebKit/commit/998931f6398f2cc9bf92e37608974a496364bf74
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/JavaScriptCore/dfg/DFGGraph.cpp
M Source/WTF/wtf/text/CString.cpp
M Source/WTF/wtf/text/CString.h
M Source/WTF/wtf/text/StringCommon.h
M Source/WebCore/accessibility/atspi/AccessibilityAtspi.cpp
M Source/WebKit/Shared/LogStream.cpp
M Source/WebKit/UIProcess/API/glib/WebKitSecurityOrigin.cpp
M Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
M Tools/TestWebKitAPI/Tests/WTF/Vector.cpp
Log Message:
-----------
Cherry-pick 305413.450@safari-7624-branch (8f90147d2654).
https://bugs.webkit.org/show_bug.cgi?id=309665
[CoreIPC] TOCTOU in `logOnBehalfOfWebContent` leads to logging of OOB memory
https://bugs.webkit.org/show_bug.cgi?id=309665
rdar://170280919
Reviewed by Per Arne Vollan.
LogOnBehalfOfWebContent is IPC using Streaming IPC from the WebContent
process to the UIProcess. Some of the parameters are std::span<uint8_t>
which point to SharedMemory since this is what Streaming IPC is using.
This can cause trouble as a compromised WebProcess could modify the
string after sending it over IPC and remove the null terminator for
example. This can result in TOCTOU bugs since the recipient code relies
on the strings being null terminated.
To address the issue, we now:
1. Send regular spans over IPC, instead of null terminated spans
2. Upon receipt, we copy them into CStrings right away, which makes them
null terminated.
3. The recipient code only uses the CStrings from then on, not the
original spans.
This is slightly less efficient but I don't see a way to address the
TOCTOU bugs without doing an extra copy of these strings.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
* Source/WTF/wtf/text/CString.cpp:
(WTF::operator==):
* Source/WTF/wtf/text/CString.h:
* Source/WTF/wtf/text/StringCommon.h:
(WTF::operator==):
* Source/WebKit/Shared/LogStream.cpp:
(WebKit::LogStream::logOnBehalfOfWebContent):
* Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::accessibilityFocusedUIElement):
* Tools/TestWebKitAPI/Tests/WTF/Vector.cpp:
(TestWebKitAPI::TEST(WTF_Vector, RemoveAll)):
Identifier: 305413.450@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.521@webkitglib/2.52
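The shared-memory TOCTOU the commit message above describes and the copy-on-receipt mitigation it adopts, as an added illustration that is not WebKit code. SharedRegion models the Streaming IPC shared memory the sender can still write to after sending; ByteView is a minimal stand-in for std::span<const uint8_t> so the block stays C++17. sendNullTerminated models the old wire format, sendPlainSpan the new one, terminatorOffset does a bounded scan (reporting the state in which an strlen()-style consumer would read out of bounds, without performing that read), and receiveAsOwnedString is the "copy into a CString right away" step. All of those names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Constructed model of the shared-memory region that Streaming IPC hands to the
// receiver. The sender keeps write access to it after the message is "sent".
struct SharedRegion {
    std::vector<uint8_t> bytes;
};

// Minimal read-only view standing in for std::span<const uint8_t>.
struct ByteView {
    const uint8_t* data;
    size_t size;
};

// Old wire format: the sender writes the string plus a NUL into shared memory and
// the message carries a view that includes the terminator.
ByteView sendNullTerminated(SharedRegion& region, const std::string& s) {
    region.bytes.assign(s.begin(), s.end());
    region.bytes.push_back(0);
    return { region.bytes.data(), region.bytes.size() };
}

// New wire format: plain bytes with no terminator; the receiver must not assume one.
ByteView sendPlainSpan(SharedRegion& region, const std::string& s) {
    region.bytes.assign(s.begin(), s.end());
    return { region.bytes.data(), region.bytes.size() };
}

// Bounded scan for a terminator. Returns view.size when there is none, which is
// exactly the state in which an strlen()-style consumer would read past the view.
size_t terminatorOffset(ByteView view) {
    for (size_t i = 0; i < view.size; ++i) {
        if (view.data[i] == 0)
            return i;
    }
    return view.size;
}

// Hardened receipt: copy the bytes into an owned std::string immediately. The copy
// is NUL-terminated by construction and later writes to shared memory cannot reach it.
std::string receiveAsOwnedString(ByteView view) {
    return std::string(reinterpret_cast<const char*>(view.data), view.size);
}

// Old pattern under the race: the terminator is present when the message arrives
// but gone by the time the receiver uses the view.
bool oldPatternLosesTerminator() {
    SharedRegion region;
    ByteView view = sendNullTerminated(region, "hello");
    bool terminatedAtReceipt = terminatorOffset(view) < view.size;
    region.bytes.back() = 'X';  // sender overwrites the NUL after sending
    bool terminatedAtUse = terminatorOffset(view) < view.size;
    return terminatedAtReceipt && !terminatedAtUse;
}

// New pattern: the owned copy is unaffected by later writes to shared memory.
std::string newPatternKeepsCopy() {
    SharedRegion region;
    ByteView view = sendPlainSpan(region, "hello");
    std::string owned = receiveAsOwnedString(view);
    for (auto& b : region.bytes)
        b = 'X';  // later tampering by the sender
    return owned;
}

int main() {
    std::cout << "old pattern loses terminator: " << (oldPatternLosesTerminator() ? "yes" : "no") << '\n';
    std::cout << "new pattern keeps copy: " << newPatternKeepsCopy() << '\n';
    return 0;
}
```

The copy is the extra cost the commit message accepts: once the receiver owns its own NUL-terminated buffer, nothing the sending process does to the shared region afterwards changes what the receiver parses.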
Commit: 326edf0ec425d01339400a01ace53cb301771734
https://github.com/WebKit/WebKit/commit/326edf0ec425d01339400a01ace53cb301771734
Author: Darryl Parkinson <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
M Tools/TestWebKitAPI/Tests/WebKitCocoa/ContentFiltering.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
M Tools/WebKitTestRunner/TestController.cpp
M Tools/WebKitTestRunner/TestOptions.cpp
M Tools/WebKitTestRunner/TestOptions.h
Log Message:
-----------
Cherry-pick 305413.453@safari-7624-branch (12bfbd5b45c3).
https://bugs.webkit.org/show_bug.cgi?id=309091
Gate InstallMockContentFilter IPC behind AllowTestOnlyIPC
https://bugs.webkit.org/show_bug.cgi?id=309091
rdar://171645964
Reviewed by Ryosuke Niwa.
InstallMockContentFilter IPC on NetworkConnectionToWebProcess overwrites
a process-global MockContentFilterSettings singleton, allowing a
compromised WebContent process to redirect or block navigations for all
connections in the NetworkProcess.
This message is only used by test infrastructure to configure mock
content filtering. Gate it behind EnabledBy=AllowTestOnlyIPC so it is
rejected unless the test-only flag is set.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm
* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ContentFiltering.mm:
(configurationWithContentFilterSettings):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/IPCTestingAPI.mm:
(InstallMockContentFilterRequiresTestOnlyIPC):
(InstallMockContentFilterRedirectsWithTestOnlyIPC):
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetPreferencesToConsistentValues):
* Tools/WebKitTestRunner/TestOptions.cpp:
(WTR::TestOptions::defaults):
(WTR::TestOptions::keyTypeMapping):
* Tools/WebKitTestRunner/TestOptions.h:
(WTR::TestOptions::allowTestOnlyMockContentFilterIPC const):
Identifier: 305413.453@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.522@webkitglib/2.52
Commit: b3f27af532ff6422a2317aaef5b5dd3faecfc103
https://github.com/WebKit/WebKit/commit/b3f27af532ff6422a2317aaef5b5dd3faecfc103
Author: Brady Eidson <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebKit/UIProcess/ProvisionalPageProxy.cpp
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Source/WebKit/UIProcess/WebBackForwardList.h
Log Message:
-----------
Cherry-pick 305413.459@safari-7624-branch (6b53aa44e133).
https://bugs.webkit.org/show_bug.cgi?id=309091
MESSAGE_CHECK URLs passed in to WebBackForwardListItem backForwardUpdateItem and backForwardSetChildItem
rdar://171104801
Reviewed by Ryosuke Niwa and Per Arne Vollan.
We do a MESSAGE_CHECK for unexpected file URLs in backForwardAddItemShared.
These two methods should get the same treatment.
No new tests (The "success" path of the test would be a crash, which we
can't add.)
* Source/WebKit/UIProcess/ProvisionalPageProxy.cpp:
(WebKit::ProvisionalPageProxy::didReceiveMessage):
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::messageCheckItemURLs):
(WebKit::WebBackForwardList::backForwardAddItemShared):
(WebKit::WebBackForwardList::backForwardSetChildItem):
(WebKit::WebBackForwardList::backForwardUpdateItem):
(WebKit::WebBackForwardList::didReceiveProvisionalMessage):
* Source/WebKit/UIProcess/WebBackForwardList.h:
Identifier: 305413.459@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.523@webkitglib/2.52
Commit: 344d87a0a63c39d2ec35eecf62adc59df87d29ab
https://github.com/WebKit/WebKit/commit/344d87a0a63c39d2ec35eecf62adc59df87d29ab
Author: Ryosuke Niwa <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/bindings/js/JSSubscriberCustom.cpp
M Source/WebCore/dom/Subscriber.cpp
M Source/WebCore/dom/Subscriber.h
Log Message:
-----------
Cherry-pick 305413.461@safari-7624-branch (498a2ef7689e).
https://bugs.webkit.org/show_bug.cgi?id=309773
Race condition in JSSubscriber::visitAdditionalChildren during GC
https://bugs.webkit.org/show_bug.cgi?id=309773
<rdar://172278544>
Reviewed by Chris Dumez.
This PR fixes a race condition in JSSubscriber::visitAdditionalChildren
which results in a use-after-free of VoidCallback objects in
JSSubscriber::visitAdditionalChildren.
While Subscriber::teardownCallbacksConcurrently grabs a lock and creates a
Vector of VoidCallback*, the main thread can still go ahead and destroy
VoidCallback while a GC thread is calling visitJSFunction on that
VoidCallback.
No new tests since there is no reliable reproduction.
* Source/WebCore/bindings/js/JSSubscriberCustom.cpp:
(WebCore::JSSubscriber::visitAdditionalChildren):
* Source/WebCore/dom/Subscriber.cpp:
(WebCore::Subscriber::visitAdditionalChildren):
(): Deleted.
(WebCore::Subscriber::observerConcurrently): Deleted.
* Source/WebCore/dom/Subscriber.h:
Identifier: 305413.461@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.524@webkitglib/2.52
Commit: 254e0ec143b91b391d0197a1285b21b75ed27ae9
https://github.com/WebKit/WebKit/commit/254e0ec143b91b391d0197a1285b21b75ed27ae9
Author: Charlie Wolfe <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
A LayoutTests/http/tests/storageAccess/no-gesture-rejection-should-not-grant-storage-access-under-opener.https-expected.txt
A LayoutTests/http/tests/storageAccess/no-gesture-rejection-should-not-grant-storage-access-under-opener.https.html
A LayoutTests/http/tests/storageAccess/resources/request-storage-access-without-gesture-and-report-back.html
A LayoutTests/http/tests/storageAccess/resources/request-storage-access-without-gesture-in-iframe.html
M Source/WebCore/dom/DocumentStorageAccess.cpp
Log Message:
-----------
Cherry-pick 305413.463@safari-7624-branch (8360fe257449).
https://bugs.webkit.org/show_bug.cgi?id=309504
Don't log interaction from temporary gesture on storage access rejection
https://bugs.webkit.org/show_bug.cgi?id=309504
rdar://171546420
Reviewed by Abrar Rahman Protyasha.
The no-gesture requestStorageAccess() rejection path preserves the user
gesture so callers can still perform gesture-gated actions like
window.open(). However, the temporary UserGestureIndicator was created with
ProcessInteractionStyle::Immediate, which logged user interaction as a side
effect. In a popup with an opener, this fabricated interaction triggered
requestStorageAccessUnderOpener(), silently granting storage access without
a prompt.
Pass ProcessInteractionStyle::Never to prevent interaction logging from the
temporary gesture while still preserving gesture-gated capabilities.
Test: http/tests/storageAccess/no-gesture-rejection-should-not-grant-storage-access-under-opener.https.html
* LayoutTests/http/tests/storageAccess/no-gesture-rejection-should-not-grant-storage-access-under-opener.https-expected.txt: Added.
* LayoutTests/http/tests/storageAccess/no-gesture-rejection-should-not-grant-storage-access-under-opener.https.html: Added.
* LayoutTests/http/tests/storageAccess/resources/request-storage-access-without-gesture-and-report-back.html: Added.
* LayoutTests/http/tests/storageAccess/resources/request-storage-access-without-gesture-in-iframe.html: Added.
* Source/WebCore/dom/DocumentStorageAccess.cpp:
(WebCore::DocumentStorageAccess::enableTemporaryTimeUserGesture):
Identifier: 305413.463@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.525@webkitglib/2.52
Commit: 7626bd78be8a35f2aaaaae3eb257728c68a6a4d7
https://github.com/WebKit/WebKit/commit/7626bd78be8a35f2aaaaae3eb257728c68a6a4d7
Author: Shu-yu Guo <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M JSTests/stress/growable-sharedarraybuffer-parallel-grow-during-prototype-methods.js
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
Log Message:
-----------
Cherry-pick 305413.464@safari-7624-branch (a5a76108f55d).
https://bugs.webkit.org/show_bug.cgi?id=309861
[JSC] Use span's length in genericTypedArrayViewProtoFuncSortImpl
https://bugs.webkit.org/show_bug.cgi?id=309861
rdar://172430021
Reviewed by Yusuke Suzuki and Dan Hecht.
Constructing a span re-reads the length, which can race with a parallel grow
in case the TypedArray is backed by a GSAB. Fix the race by using the span's
length.
* JSTests/stress/growable-sharedarraybuffer-parallel-grow-during-prototype-methods.js:
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSortImpl):
Identifier: 305413.464@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.526@webkitglib/2.52
Commit: 3de6996c3e141b7affca369cc12cfbad5988854c
https://github.com/WebKit/WebKit/commit/3de6996c3e141b7affca369cc12cfbad5988854c
Author: Charlie Wolfe <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
A LayoutTests/http/tests/contentextensions/block-embed-element-expected.txt
A LayoutTests/http/tests/contentextensions/block-embed-element.html
A LayoutTests/http/tests/contentextensions/block-embed-element.json
A LayoutTests/http/tests/contentextensions/block-object-element-expected.txt
A LayoutTests/http/tests/contentextensions/block-object-element.html
A LayoutTests/http/tests/contentextensions/block-object-element.json
M Source/WebCore/html/HTMLPlugInElement.cpp
Log Message:
-----------
Cherry-pick 305413.470@safari-7624-branch (f896e1bfd583).
https://bugs.webkit.org/show_bug.cgi?id=309880
Content extensions should block plugin loads from embed and object elements
https://bugs.webkit.org/show_bug.cgi?id=309880
rdar://169290430
Reviewed by Anne van Kesteren.
Plugin content loaded via <embed> and <object> elements was not checked
against content extension rules. Add a content extension check in
HTMLPlugInElement::canLoadURL so that blocked URLs are rejected before the
wouldLoadAsPlugIn deferral in updateWidget.
Tests: http/tests/contentextensions/block-embed-element.html
http/tests/contentextensions/block-object-element.html
* LayoutTests/http/tests/contentextensions/block-embed-element-expected.txt: Added.
* LayoutTests/http/tests/contentextensions/block-embed-element.html: Added.
* LayoutTests/http/tests/contentextensions/block-embed-element.json: Added.
* LayoutTests/http/tests/contentextensions/block-object-element-expected.txt: Added.
* LayoutTests/http/tests/contentextensions/block-object-element.html: Added.
* LayoutTests/http/tests/contentextensions/block-object-element.json: Added.
* Source/WebCore/html/HTMLPlugInElement.cpp:
(WebCore::HTMLPlugInElement::canLoadURL const):
Identifier: 305413.470@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.527@webkitglib/2.52
Commit: d30e10424c7271a14fab46601551b7c8edf913d0
https://github.com/WebKit/WebKit/commit/d30e10424c7271a14fab46601551b7c8edf913d0
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp
M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.h
Log Message:
-----------
Cherry-pick 305413.472@safari-7624-branch (1a64bedb202e).
https://bugs.webkit.org/show_bug.cgi?id=309882
Potential use after free of m_stream in ReadableStreamDefaultReader::visitAdditionalChildren()
https://bugs.webkit.org/show_bug.cgi?id=309882
rdar://172458992
Reviewed by Ryosuke Niwa.
ReadableStreamDefaultReader::visitAdditionalChildren() runs on the GC
thread but dereferences m_stream, which can get nulled out on the main
thread.
Address the issue via locking since we cannot easily ref the stream on
the GC thread.
* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp:
(WebCore::ReadableStreamDefaultReader::~ReadableStreamDefaultReader):
(WebCore::ReadableStreamDefaultReader::read):
(WebCore::ReadableStreamDefaultReader::releaseLock):
(WebCore::ReadableStreamDefaultReader::setup):
(WebCore::ReadableStreamDefaultReader::genericRelease):
(WebCore::ReadableStreamDefaultReader::cancel):
(WebCore::ReadableStreamDefaultReader::genericCancel):
(WebCore::ReadableStreamDefaultReader::stream):
(WebCore::ReadableStreamDefaultReader::isReachableFromOpaqueRoots const):
(WebCore::ReadableStreamDefaultReader::visitAdditionalChildren):
* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.h:
(WebCore::ReadableStreamDefaultReader::stream): Deleted.
Identifier: 305413.472@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.528@webkitglib/2.52
Commit: c622c635b4839041e54dc331ce0e019351304613
https://github.com/WebKit/WebKit/commit/c622c635b4839041e54dc331ce0e019351304613
Author: Ryosuke Niwa <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/bindings/js/JSXPathResultCustom.cpp
M Source/WebCore/xml/XPathResult.cpp
M Source/WebCore/xml/XPathResult.h
Log Message:
-----------
Cherry-pick 305413.475@safari-7624-branch (97ed68c66545).
https://bugs.webkit.org/show_bug.cgi?id=309776
Race condition in JSXPathResult::visitAdditionalChildren during GC
https://bugs.webkit.org/show_bug.cgi?id=309776
<rdar://172263146>
Reviewed by Chris Dumez.
This PR fixes a race condition in JSXPathResult::visitAdditionalChildren
which results in a use-after-free. The issue is that this function
iterates over XPathNodeList's internal vector, but XPathNodeList's member
functions such as XPathNodeList::firstNode could mutate the vector via
XPathNodeList::sort, letting a GC thread do a use-after-free.
Fixed the bug by guarding the access to m_nodeSet with a lock.
No new tests since there is no reliable reproduction.
* Source/WebCore/bindings/js/JSXPathResultCustom.cpp:
(WebCore::JSXPathResult::visitAdditionalChildren):
* Source/WebCore/xml/XPathResult.cpp:
(WebCore::XPathResult::XPathResult):
(WebCore::XPathResult::~XPathResult):
(WebCore::XPathResult::convertTo):
(WebCore::XPathResult::visitAdditionalChildren):
* Source/WebCore/xml/XPathResult.h:
Identifier: 305413.475@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.529@webkitglib/2.52
Commit: 8ab68c07ac0068863cfd9fab2acdec6514c64d3a
https://github.com/WebKit/WebKit/commit/8ab68c07ac0068863cfd9fab2acdec6514c64d3a
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/Modules/streams/ReadableStreamBYOBReader.cpp
M Source/WebCore/Modules/streams/ReadableStreamBYOBReader.h
Log Message:
-----------
Cherry-pick 305413.476@safari-7624-branch (645b3e428ffb).
https://bugs.webkit.org/show_bug.cgi?id=309885
Potential use after free of m_stream in ReadableStreamBYOBReader::visitAdditionalChildren()
https://bugs.webkit.org/show_bug.cgi?id=309885
rdar://172460621
Reviewed by Ryosuke Niwa and Youenn Fablet.
ReadableStreamBYOBReader::visitAdditionalChildren() runs on the GC
thread but dereferences m_stream, which can get nulled out on the main
thread.
Address the issue via locking since we cannot easily ref the stream on
the GC thread.
* Source/WebCore/Modules/streams/ReadableStreamBYOBReader.cpp:
(WebCore::ReadableStreamBYOBReader::~ReadableStreamBYOBReader):
(WebCore::ReadableStreamBYOBReader::readForBindings):
(WebCore::ReadableStreamBYOBReader::releaseLock):
(WebCore::ReadableStreamBYOBReader::cancel):
(WebCore::ReadableStreamBYOBReader::initialize):
(WebCore::ReadableStreamBYOBReader::read):
(WebCore::ReadableStreamBYOBReader::genericRelease):
(WebCore::ReadableStreamBYOBReader::genericCancel):
(WebCore::ReadableStreamBYOBReader::isReachableFromOpaqueRoots const):
(WebCore::ReadableStreamBYOBReader::visitAdditionalChildren):
* Source/WebCore/Modules/streams/ReadableStreamBYOBReader.h:
Identifier: 305413.476@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.530@webkitglib/2.52
Commit: e0a2d4da9ed27cba79152522082b709215b55c3f
https://github.com/WebKit/WebKit/commit/e0a2d4da9ed27cba79152522082b709215b55c3f
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp
M Source/WebCore/xml/XMLHttpRequest.cpp
M Source/WebCore/xml/XMLHttpRequest.h
Log Message:
-----------
Cherry-pick 305413.477@safari-7624-branch (0de76a6ef7c5).
https://bugs.webkit.org/show_bug.cgi?id=309947
Potential use after free of m_responseDocument in XMLHttpRequest::visitAdditionalChildren()
https://bugs.webkit.org/show_bug.cgi?id=309947
rdar://172537101
Reviewed by Ryosuke Niwa.
Potential use after free of m_responseDocument in
XMLHttpRequest::visitAdditionalChildren() due to multi-threading.
visitAdditionalChildren() dereferences m_responseDocument on the GC thread
while the main thread is running and may null out the RefPtr.
Address the issue via locking.
* Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp:
(WebCore::JSXMLHttpRequest::visitAdditionalChildren):
* Source/WebCore/xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::upload):
(WebCore::XMLHttpRequest::send):
(WebCore::XMLHttpRequest::sendBytesData):
(WebCore::XMLHttpRequest::createRequest):
(WebCore::XMLHttpRequest::clearResponseBuffers):
(WebCore::XMLHttpRequest::didSendData):
(WebCore::XMLHttpRequest::dispatchErrorEvents):
(WebCore::XMLHttpRequest::updateHasRelevantEventListener):
(WebCore::XMLHttpRequest::visitAdditionalChildren):
* Source/WebCore/xml/XMLHttpRequest.h:
Identifier: 305413.477@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.531@webkitglib/2.52
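The four visitAdditionalChildren() fixes above (ReadableStreamDefaultReader, XPathResult, ReadableStreamBYOBReader, XMLHttpRequest) share one pattern: a member read on the GC thread while the main thread may reset it. The added example below is not WebKit code; it models that pattern with std::mutex and std::shared_ptr standing in for WTF::Lock and RefPtr, and the class and member names are stand-ins chosen for the illustration.

```cpp
// Added example (not WebKit code): the check-then-dereference race that the
// visitAdditionalChildren() fixes close, and the lock-guarded form.
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>

struct Stream {                       // stand-in for the visited object
    std::atomic<int> visits{0};
    void visit() { visits.fetch_add(1, std::memory_order_relaxed); }
};

class Reader {                        // stand-in for ReadableStreamDefaultReader
public:
    explicit Reader(std::shared_ptr<Stream> s) : m_stream(std::move(s)) {}

    // Main thread: releaseLock()/genericRelease() drop the stream.
    void releaseLock() {
        std::lock_guard<std::mutex> guard(m_lock);
        m_stream = nullptr;
    }
    void setup(std::shared_ptr<Stream> s) {
        std::lock_guard<std::mutex> guard(m_lock);
        m_stream = std::move(s);
    }

    // Racy form (the bug): the null check and the dereference are not
    // atomic with respect to releaseLock() on the main thread. Not called
    // by the stress below; shown only for contrast.
    bool visitAdditionalChildrenRacy() {
        if (m_stream) { m_stream->visit(); return true; }
        return false;
    }

    // Fixed form: hold the lock across the check and the dereference, so
    // the main thread cannot null the member in between.
    bool visitAdditionalChildren() {
        std::lock_guard<std::mutex> guard(m_lock);
        if (m_stream) { m_stream->visit(); return true; }
        return false;
    }

private:
    std::mutex m_lock;
    std::shared_ptr<Stream> m_stream;
};

// Stress the fixed form: a "main thread" toggles the member while the
// calling thread plays the GC thread. Returns how many visits found a
// live stream; every call returns instead of dereferencing null.
int stressVisit(int iterations) {
    auto stream = std::make_shared<Stream>();
    Reader reader(stream);
    int visited = 0;
    std::thread mainThread([&] {
        for (int i = 0; i < iterations; ++i) {
            reader.releaseLock();
            reader.setup(stream);
        }
    });
    for (int i = 0; i < iterations; ++i)
        if (reader.visitAdditionalChildren()) ++visited;
    mainThread.join();
    return visited;
}
```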
Commit: 87ccc4cf870ad77cce60440930a16194c022cc99
https://github.com/WebKit/WebKit/commit/87ccc4cf870ad77cce60440930a16194c022cc99
Author: Mike Wyrzykowski <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/html/canvas/GPUCanvasContextCocoa.mm
M Source/WebCore/platform/PlatformScreen.cpp
M Source/WebCore/platform/PlatformScreen.h
M Source/WebCore/platform/ScreenProperties.h
M Source/WebCore/platform/graphics/cocoa/VP9UtilitiesCocoa.mm
M Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp
M Source/WebCore/platform/gtk/PlatformScreenGtk.cpp
M Source/WebCore/platform/ios/PlatformScreenIOS.mm
M Source/WebCore/platform/mac/PlatformScreenMac.mm
M Source/WebCore/platform/wpe/PlatformScreenWPE.cpp
M Source/WebCore/testing/Internals.cpp
M Source/WebKit/UIProcess/API/glib/WebKitProtocolHandler.cpp
M Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm
M Source/WebKit/UIProcess/glib/ScreenManager.cpp
M Source/WebKit/UIProcess/glib/ScreenManager.h
M Source/WebKit/UIProcess/gtk/ScreenManagerGtk.cpp
M Source/WebKit/UIProcess/wpe/ScreenManagerWPE.cpp
M Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm
M Source/WebKit/WebProcess/WebProcess.h
M Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm
M Source/WebKit/WebProcess/glib/WebProcessGLib.cpp
Log Message:
-----------
Cherry-pick 305413.483@safari-7624-branch (962438e00d35).
https://bugs.webkit.org/show_bug.cgi?id=308476
Concurrent HashMap access leads to MTE crashes
https://bugs.webkit.org/show_bug.cgi?id=308476
rdar://163967950
Reviewed by Kimmo Kinnunen.
Remove free-standing getScreenProperties() and screenData() functions
from PlatformScreen which allow accessing either the container or iterators
within a HashMap, as it was discovered in #4632 that these functions may be
called off the main thread.
Replace with a singleton that has CoW semantics and is resettable, so in the
case a separate thread is accessing PlatformScreen, we will have two, or
potentially K, PlatformScreen instances alive until the other threads
release their ref counts.
* Source/WebCore/html/canvas/GPUCanvasContextCocoa.mm:
(WebCore::GPUCanvasContextCocoa::updateScreenHeadroomFromScreenProperties):
* Source/WebCore/platform/PlatformScreen.cpp:
(WebCore::platformScreenLock):
(WebCore::platformScreenInstance):
(WebCore::PlatformScreen::PlatformScreen):
(WebCore::PlatformScreen::create):
(WebCore::PlatformScreen::singleton):
(WebCore::PlatformScreen::screenData const):
(WebCore::PlatformScreen::primaryScreenDisplayID const):
(WebCore::PlatformScreen::screenProperties const):
(WebCore::PlatformScreen::screenContentsFormatsForTesting const):
(WebCore::PlatformScreen::updateSingletonProperties):
(WebCore::PlatformScreen::setScreenContentsFormatsForTesting):
(WebCore::screenProperties): Deleted.
(WebCore::getScreenProperties): Deleted.
(WebCore::primaryScreenDisplayID): Deleted.
(WebCore::setScreenProperties): Deleted.
(WebCore::screenData): Deleted.
(WebCore::setScreenContentsFormatsForTesting): Deleted.
(WebCore::screenContentsFormatsForTesting): Deleted.
* Source/WebCore/platform/PlatformScreen.h:
* Source/WebCore/platform/ScreenProperties.h:
* Source/WebCore/platform/graphics/cocoa/VP9UtilitiesCocoa.mm:
(WebCore::isVP9CodecConfigurationRecordSupported):
(WebCore::computeVPParameters):
* Source/WebCore/platform/graphics/gstreamer/GStreamerRegistryScanner.cpp:
(WebCore::GStreamerRegistryScanner::isConfigurationSupported const):
* Source/WebCore/platform/gtk/PlatformScreenGtk.cpp:
(WebCore::screenDepth):
(WebCore::screenDepthPerComponent):
(WebCore::fontDPI):
(WebCore::screenDPI):
(WebCore::screenRect):
(WebCore::screenAvailableRect):
* Source/WebCore/platform/ios/PlatformScreenIOS.mm:
(WebCore::screenHasInvertedColors):
(WebCore::screenSupportsExtendedColor):
(WebCore::screenSupportsHighDynamicRange):
(WebCore::currentEDRHeadroomForDisplay):
(WebCore::maxEDRHeadroomForDisplay):
(WebCore::suppressEDRForDisplay):
(WebCore::screenPPIFactor):
(WebCore::screenSize):
(WebCore::availableScreenSize):
* Source/WebCore/platform/mac/PlatformScreenMac.mm:
(WebCore::primaryOpenGLDisplayMask):
(WebCore::displayMaskForDisplay):
(WebCore::primaryGPUID):
(WebCore::gpuIDForDisplay):
(WebCore::screenIsMonochrome):
(WebCore::screenHasInvertedColors):
(WebCore::screenDepth):
(WebCore::screenDepthPerComponent):
(WebCore::screenRectForDisplay):
(WebCore::screenRectForPrimaryScreen):
(WebCore::currentEDRHeadroomForDisplay):
(WebCore::maxEDRHeadroomForDisplay):
(WebCore::suppressEDRForDisplay):
(WebCore::screenRect):
(WebCore::screenAvailableRect):
(WebCore::screenColorSpace):
(WebCore::screenSupportsExtendedColor):
(WebCore::screenSupportsHighDynamicRange):
(WebCore::preferredDynamicRangeMode):
(WebCore::toUserSpaceForPrimaryScreen):
(WebCore::screenProperties): Deleted.
* Source/WebCore/platform/wpe/PlatformScreenWPE.cpp:
(WebCore::screenDepth):
(WebCore::screenDepthPerComponent):
(WebCore::screenDPI):
(WebCore::screenRect):
(WebCore::screenAvailableRect):
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::setScreenContentsFormatsForTesting):
(WebCore::Internals::primaryScreenDisplayID):
* Source/WebKit/UIProcess/gtk/ScreenManagerGtk.cpp:
(WebKit::ScreenManager::collectScreenProperties const):
* Source/WebKit/UIProcess/wpe/ScreenManagerWPE.cpp:
(WebKit::ScreenManager::collectScreenProperties const):
* Source/WebKit/WebProcess/Plugins/PDF/UnifiedPDF/UnifiedPDFPlugin.mm:
(WebKit::UnifiedPDFPlugin::scaleForActualSize const):
* Source/WebKit/WebProcess/WebProcess.h:
* Source/WebKit/WebProcess/cocoa/WebProcessCocoa.mm:
(WebKit::WebProcess::accessibilityFocusedUIElement):
* Source/WebKit/WebProcess/glib/WebProcessGLib.cpp:
(WebKit::WebProcess::platformInitializeWebProcess):
(WebKit::WebProcess::setScreenProperties):
Identifier: 305413.483@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.532@webkitglib/2.52
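The resettable, copy-on-write singleton described above, as an added example that is not WebKit's PlatformScreen implementation: std::shared_ptr stands in for WebKit's ref counting, std::mutex for the lock, and the ScreenData fields and display IDs are constructed for the illustration.

```cpp
// Added example (not WebKit code): a resettable singleton with CoW
// semantics. Readers take a ref-counted snapshot; an update publishes a
// fresh instance and never mutates one another thread may still hold, so
// no thread ever iterates a HashMap that is being modified.
#include <cstdint>
#include <memory>
#include <mutex>
#include <unordered_map>

using PlatformDisplayID = uint32_t;
struct ScreenData { int width; int height; double dpi; };   // stand-in

class PlatformScreen {
public:
    // Immutable once published.
    PlatformScreen(std::unordered_map<PlatformDisplayID, ScreenData> screens,
                   PlatformDisplayID primary)
        : m_screens(std::move(screens)), m_primary(primary) {}

    const ScreenData* screenData(PlatformDisplayID id) const {
        auto it = m_screens.find(id);
        return it == m_screens.end() ? nullptr : &it->second;
    }
    PlatformDisplayID primaryScreenDisplayID() const { return m_primary; }
    size_t screenCount() const { return m_screens.size(); }

    // Every caller gets its own reference to the current instance, which
    // stays alive until the last holder releases it.
    static std::shared_ptr<const PlatformScreen> singleton() {
        std::lock_guard<std::mutex> guard(lock());
        if (!current())
            current() = std::make_shared<PlatformScreen>(
                std::unordered_map<PlatformDisplayID, ScreenData>{}, 0);
        return current();
    }

    // Copy-on-write reset: build the new instance off to the side, then
    // swap the pointer under the lock. Existing snapshots remain valid.
    static void updateSingletonProperties(
        std::unordered_map<PlatformDisplayID, ScreenData> screens,
        PlatformDisplayID primary) {
        auto fresh = std::make_shared<PlatformScreen>(std::move(screens), primary);
        std::lock_guard<std::mutex> guard(lock());
        current() = std::move(fresh);
    }

private:
    static std::mutex& lock() { static std::mutex m; return m; }
    static std::shared_ptr<const PlatformScreen>& current() {
        static std::shared_ptr<const PlatformScreen> instance;
        return instance;
    }
    std::unordered_map<PlatformDisplayID, ScreenData> m_screens;
    PlatformDisplayID m_primary;
};

// A reader that captured a snapshot before a reset keeps seeing a complete,
// consistent instance even though a newer one is now live (constructed
// sample display IDs 1 and 2).
bool snapshotSurvivesUpdate() {
    PlatformScreen::updateSingletonProperties({{1, {1920, 1080, 96.0}}}, 1);
    auto before = PlatformScreen::singleton();
    PlatformScreen::updateSingletonProperties({{2, {2560, 1440, 110.0}}}, 2);
    auto after = PlatformScreen::singleton();
    return before->screenData(1) && !before->screenData(2)
        && after->screenData(2) && !after->screenData(1)
        && before.get() != after.get();
}
```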
Commit: a49c9fd70bf24115487454aaa38a74d39a8debc1
https://github.com/WebKit/WebKit/commit/a49c9fd70bf24115487454aaa38a74d39a8debc1
Author: Mike Wyrzykowski <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/platform/PlatformScreen.cpp
Log Message:
-----------
Cherry-pick 305413.496@safari-7624-branch (892bd6055fcc).
https://bugs.webkit.org/show_bug.cgi?id=308476
Concurrent HashMap access leads to MTE crashes
https://bugs.webkit.org/show_bug.cgi?id=308476
rdar://172661039
Reviewed by Kimmo Kinnunen.
As noted in https://github.com/apple/WebKit/pull/4641#discussion_r2939229398
there is a leak introduced; resolve it by removing the non-needed variable.
* Source/WebCore/platform/PlatformScreen.cpp:
(WebCore::WTF_REQUIRES_LOCK):
Identifier: 305413.496@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.533@webkitglib/2.52
Commit: 70638bafafc7963c4469590c7081106e9015ff39
https://github.com/WebKit/WebKit/commit/70638bafafc7963c4469590c7081106e9015ff39
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebKit/UIProcess/SpeechRecognitionServer.cpp
Log Message:
-----------
Cherry-pick 305413.502@safari-7624-branch (809e124bf1c2).
https://bugs.webkit.org/show_bug.cgi?id=310077
SpeechRecognition ASSERT Instead of MESSAGE_CHECK for Duplicate Client
https://bugs.webkit.org/show_bug.cgi?id=310077
rdar://172395253
Reviewed by Sihui Liu.
Use MESSAGE_CHECK instead of ASSERT to validate the incoming IPC data.
* Source/WebKit/UIProcess/SpeechRecognitionServer.cpp:
(WebKit::SpeechRecognitionServer::start):
Identifier: 305413.502@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.534@webkitglib/2.52
Commit: 3a8a0eb019dab12091f7aacad8c563d5084e759d
https://github.com/WebKit/WebKit/commit/3a8a0eb019dab12091f7aacad8c563d5084e759d
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Cherry-pick 305413.509@safari-7624-branch (246f60f4724f).
https://bugs.webkit.org/show_bug.cgi?id=310068
RELEASE_ASSERT in NetworkConnectionToWebProcess::scheduleResourceLoad() can be abused
https://bugs.webkit.org/show_bug.cgi?id=310068
rdar://172058188
Reviewed by Ryosuke Niwa and Per Arne Vollan.
Use a MESSAGE_CHECK instead of a RELEASE_ASSERT() to crash the compromised
WebContent process instead of the network process.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad):
Identifier: 305413.509@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.535@webkitglib/2.52
Commit: 849a4ed9acb7d549cb72f039dccd22bee9d31847
https://github.com/WebKit/WebKit/commit/849a4ed9acb7d549cb72f039dccd22bee9d31847
Author: David Kilzer <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
A LayoutTests/fast/loader/reload-on-pageswap-crash-expected.txt
A LayoutTests/fast/loader/reload-on-pageswap-crash.html
M Source/WebCore/page/Navigation.cpp
Log Message:
-----------
Cherry-pick 305413.511@safari-7624-branch (6381422ae099).
https://bugs.webkit.org/show_bug.cgi?id=309782
Crash in HistoryController::updateForCommit() when calling navigation.reload() during pageswap event handler
<https://bugs.webkit.org/show_bug.cgi?id=309782>
<rdar://167842846>
Reviewed by Chris Dumez.
A reload transitioning to committed dispatches a pageswap event, and a
`navigation.reload()` call inside the pageswap handler does a sync
policy check that clears the provisional `DocumentLoader`. After the
event returns, `HistoryController::updateForCommit()` dereferences the
now-null `FrameLoader::provisionalDocumentLoader()`.
Extend the fix from Bug 303364 (which cancelled `navigation.navigate()`
during pageswap dispatch) to also cancel `navigation.reload()`. Do
this by adding the existing `isDispatchingPageSwapEvent()` guard to
`Navigation::reload()` to match the guard already present in
`Navigation::navigate()`.
Test: fast/loader/reload-on-pageswap-crash.html
* LayoutTests/fast/loader/reload-on-pageswap-crash-expected.txt: Add.
* LayoutTests/fast/loader/reload-on-pageswap-crash.html: Add.
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::reload):
Identifier: 305413.511@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.536@webkitglib/2.52
Commit: 96bda257d3184d70d9470e37c4e50bd1629d79de
https://github.com/WebKit/WebKit/commit/96bda257d3184d70d9470e37c4e50bd1629d79de
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 305413.512@safari-7624-branch (d1551df53d97).
https://bugs.webkit.org/show_bug.cgi?id=310073
didSameDocumentNavigationForFrame accepts arbitrary URL, enabling address bar spoofing
https://bugs.webkit.org/show_bug.cgi?id=310073
rdar://172567659
Reviewed by Ryosuke Niwa.
Add a MESSAGE_CHECK to validate that the URL's protocol/host/port match
the current frame's URL.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didSameDocumentNavigationForFrameViaJS):
Identifier: 305413.512@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.537@webkitglib/2.52
Commit: 320280e6db8174cf0a813785a346e7b606dcc727
https://github.com/WebKit/WebKit/commit/320280e6db8174cf0a813785a346e7b606dcc727
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h
M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.h
M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp
M Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h
Log Message:
-----------
Cherry-pick 305413.515@safari-7624-branch (293e2d766d11).
https://bugs.webkit.org/show_bug.cgi?id=310076
IndexedDB Connection/Transaction Identifier Confusion
https://bugs.webkit.org/show_bug.cgi?id=310076
rdar://172392524
Reviewed by Brady Eidson.
NetworkStorageManager fails to validate that Connection/Transaction
identifiers belong to the IPC connection that sent the IPC. This could
lead to data leakage.
I added the MESSAGE_CHECK calls inside the IDBStorageRegistry::connection()
and IDBStorageRegistry::transaction() getter. Those are convenient
choke-points and it makes it way less likely we forget to add such
MESSAGE_CHECK when introducing new IPC.
* Source/WebCore/Modules/indexeddb/server/IDBConnectionToClient.h:
* Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.h:
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.cpp:
(WebKit::IDBStorageRegistry::ensureConnectionToClient):
(WebKit::IDBStorageRegistry::isValidConnectionForIPC):
(WebKit::IDBStorageRegistry::connection):
(WebKit::IDBStorageRegistry::transaction):
* Source/WebKit/NetworkProcess/storage/IDBStorageRegistry.h:
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::openDatabase):
(WebKit::NetworkStorageManager::deleteDatabase):
(WebKit::NetworkStorageManager::establishTransaction):
(WebKit::NetworkStorageManager::databaseConnectionPendingClose):
(WebKit::NetworkStorageManager::databaseConnectionClosed):
(WebKit::NetworkStorageManager::abortOpenAndUpgradeNeeded):
(WebKit::NetworkStorageManager::didFireVersionChangeEvent):
(WebKit::NetworkStorageManager::didGenerateIndexKeyForRecord):
(WebKit::NetworkStorageManager::abortTransaction):
(WebKit::NetworkStorageManager::commitTransaction):
(WebKit::NetworkStorageManager::didFinishHandlingVersionChangeTransaction):
(WebKit::NetworkStorageManager::idbTransaction):
(WebKit::NetworkStorageManager::createObjectStore):
(WebKit::NetworkStorageManager::deleteObjectStore):
(WebKit::NetworkStorageManager::renameObjectStore):
(WebKit::NetworkStorageManager::clearObjectStore):
(WebKit::NetworkStorageManager::createIndex):
(WebKit::NetworkStorageManager::deleteIndex):
(WebKit::NetworkStorageManager::renameIndex):
(WebKit::NetworkStorageManager::putOrAdd):
(WebKit::NetworkStorageManager::getRecord):
(WebKit::NetworkStorageManager::getAllRecords):
(WebKit::NetworkStorageManager::getCount):
(WebKit::NetworkStorageManager::deleteRecord):
(WebKit::NetworkStorageManager::openCursor):
(WebKit::NetworkStorageManager::iterateCursor):
(WebKit::NetworkStorageManager::getAllDatabaseNamesAndVersions):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h:
Identifier: 305413.515@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.538@webkitglib/2.52
Commit: e41788ad7bba324d025cd286651a2b64e46dc968
https://github.com/WebKit/WebKit/commit/e41788ad7bba324d025cd286651a2b64e46dc968
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Cherry-pick 305413.517@safari-7624-branch (2f6654232966).
https://bugs.webkit.org/show_bug.cgi?id=310069
setRawCookie: cookie.domain unvalidated + commentURL crashes NetworkProcess
https://bugs.webkit.org/show_bug.cgi?id=310069
rdar://172508832
Reviewed by Rupin Mittal.
Add message checks in setRawCookie() to validate the Cookie being received.
Also expand the scope of BLOCK_OBJC_EXCEPTIONS in
NetworkStorageSession::setCookies() to cover the call to createNSHTTPCookie().
* Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm:
(WebCore::NetworkStorageSession::setCookies):
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::setRawCookie):
Identifier: 305413.517@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.539@webkitglib/2.52
Commit: 7d2ba0ec5c0d33cd5c3412829887eb6f866cacd7
https://github.com/WebKit/WebKit/commit/7d2ba0ec5c0d33cd5c3412829887eb6f866cacd7
Author: Chris Dumez <[email protected]>
Date: 2026-05-18 (Mon, 18 May 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPermissionControllerProxy.cpp
Log Message:
-----------
Cherry-pick 305413.519@safari-7624-branch (19c426cf207c).
https://bugs.webkit.org/show_bug.cgi?id=310175
Bad IPC from WebProcess could cause UIProcess to crash in WebPermissionControllerProxy::mostReasonableWebPageProxy()
https://bugs.webkit.org/show_bug.cgi?id=310175
rdar://172058081
Reviewed by Sihui Liu and Rupin Mittal.
Use MESSAGE_CHECK() in WebPermissionControllerProxy::query() to terminate
the WebProcess in case of bad IPC instead of crashing the UIProcess.
* Source/WebKit/UIProcess/WebPermissionControllerProxy.cpp:
(WebKit::WebPermissionControllerProxy::query):
Identifier: 305413.519@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.540@webkitglib/2.52
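Several commits above (SpeechRecognitionServer, scheduleResourceLoad, didSameDocumentNavigationForFrame, IDBStorageRegistry, setRawCookie, WebPermissionControllerProxy) apply the same discipline: validate IPC data with MESSAGE_CHECK so that a bad message terminates the sending WebContent process rather than crashing the privileged process. The added example below is not WebKit's IPC code; it models that discipline with a stand-in MESSAGE_CHECK macro and uses the concrete check from the address-bar-spoofing fix, that the reported URL must keep the current frame URL's protocol, host and port. The URL parser and connection type are simplified stand-ins written for this illustration.

```cpp
// Added example (not WebKit code): MESSAGE_CHECK-style validation of an
// untrusted same-document-navigation URL. The privileged side never asserts
// on data from the less-privileged process; a failed check marks the
// sender's connection as terminated and the handler returns early.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <optional>
#include <string>

struct Url { std::string protocol, host; uint16_t port; std::string path; };

// Minimal "scheme://host[:port]/path" parser for the model (no IPv6
// literals, no userinfo); returns nullopt for anything it cannot parse.
std::optional<Url> parseUrl(const std::string& s) {
    const auto npos = std::string::npos;
    auto schemeEnd = s.find("://");
    if (schemeEnd == npos || schemeEnd == 0) return std::nullopt;
    Url url;
    url.protocol = s.substr(0, schemeEnd);
    auto authorityStart = schemeEnd + 3;
    auto pathStart = s.find('/', authorityStart);
    std::string authority = s.substr(authorityStart,
        pathStart == npos ? npos : pathStart - authorityStart);
    url.path = pathStart == npos ? "/" : s.substr(pathStart);
    auto colon = authority.rfind(':');
    if (colon == npos) {
        url.host = authority;
        url.port = url.protocol == "https" ? 443 : url.protocol == "http" ? 80 : 0;
    } else {
        url.host = authority.substr(0, colon);
        std::string portStr = authority.substr(colon + 1);
        if (portStr.empty() || portStr.size() > 5
            || !std::all_of(portStr.begin(), portStr.end(),
                            [](unsigned char c) { return std::isdigit(c); }))
            return std::nullopt;
        unsigned long p = std::stoul(portStr);
        if (p > 65535) return std::nullopt;
        url.port = static_cast<uint16_t>(p);
    }
    if (url.host.empty()) return std::nullopt;
    // Scheme and host are case-insensitive; normalise before comparing.
    auto lower = [](std::string& v) {
        std::transform(v.begin(), v.end(), v.begin(),
                       [](unsigned char c) { return std::tolower(c); });
    };
    lower(url.protocol);
    lower(url.host);
    return url;
}

struct WebContentConnection {          // stand-in for the sending process
    bool terminated = false;
    std::string currentUrl;            // what the address bar currently shows
};

// Stand-in for WebKit's MESSAGE_CHECK: on failure, kill the sender and bail
// out of the (bool-returning) handler instead of asserting in this process.
#define MESSAGE_CHECK(connection, cond) \
    do { if (!(cond)) { (connection).terminated = true; return false; } } while (0)

bool sameProtocolHostPort(const Url& a, const Url& b) {
    return a.protocol == b.protocol && a.host == b.host && a.port == b.port;
}

// Handler for the untrusted message; returns true only if the URL was
// accepted and the displayed URL updated.
bool didSameDocumentNavigationForFrame(WebContentConnection& conn,
                                       const std::string& reportedUrl) {
    auto current = parseUrl(conn.currentUrl);
    auto reported = parseUrl(reportedUrl);
    MESSAGE_CHECK(conn, current && reported);
    MESSAGE_CHECK(conn, sameProtocolHostPort(*current, *reported));
    conn.currentUrl = reportedUrl;
    return true;
}
```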
Compare: https://github.com/WebKit/WebKit/compare/3f284fd9529b...7d2ba0ec5c0d