Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 8282b7db8585bef0ee642079d79fbc33d732eea8
https://github.com/WebKit/WebKit/commit/8282b7db8585bef0ee642079d79fbc33d732eea8
Author: Anthony Tarbinian <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A LayoutTests/fast/mediasession/metadata/artwork-image-loader-callback-crash-expected.txt
A LayoutTests/fast/mediasession/metadata/artwork-image-loader-callback-crash.html
M Source/WebCore/Modules/mediasession/MediaMetadata.cpp
M Source/WebCore/Modules/mediasession/MediaMetadata.h
Log Message:
-----------
Cherry-pick 9da5185f2406. https://bugs.webkit.org/show_bug.cgi?id=312480
[WebCore] Capture WeakPtr to this (MediaMetadata) in ArtworkImageLoader callback
https://bugs.webkit.org/show_bug.cgi?id=312480
rdar://174651594
Reviewed by Geoffrey Garen.
In media artwork image loading, it is possible for a
callback lambda to outlive the lifetime of the
MediaMetadata which it captures with a raw "this".
This callback is stored in ArtworkImageLoader::m_callback
and ArtworkImageLoader is owned by MediaMetadata.
The lambda captures a raw this to MediaMetadata during
MediaMetadata::tryNextArtworkImage.
However, it's possible for the lambda to outlive ArtworkImageLoader
and, in turn, MediaMetadata after being std::exchanged outside
of the artwork loader in ArtworkImageLoader::notifyFinished.
Then, it's possible for MediaMetadata to be destroyed while
the lambda has a dangling "this" pointer to the destroyed object.
This patch changes the lambda to capture a WeakPtr
to "this" (MediaMetadata) and returns early if it has
been destroyed. If weakThis is still alive, we keep it alive for the
duration of the lambda body with a RefPtr.
* LayoutTests/fast/mediasession/metadata/artwork-image-loader-callback-crash-expected.txt: Added.
* LayoutTests/fast/mediasession/metadata/artwork-image-loader-callback-crash.html: Added.
* Source/WebCore/Modules/mediasession/MediaMetadata.cpp:
(WebCore::MediaMetadata::tryNextArtworkImage):
Changed the artwork loader lambda to capture a WeakPtr
to "this" and early return if weakThis is null.
The rest of the lambda explicitly uses weakThis where needed.
* Source/WebCore/Modules/mediasession/MediaMetadata.h:
Changed MediaMetadata to inherit from CanMakeWeakPtr.
Identifier: 305413.695@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.834@webkitglib/2.52
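As an added illustration of the capture pattern this commit message describes (not WebKit code: std::shared_ptr/std::weak_ptr stand in for RefPtr/WeakPtr, and the Metadata/Loader types are constructed for the example), the raw-`this` lambda is shown beside the weakThis/protectedThis form and the callback is run after its owner has been destroyed:

```cpp
#include <functional>
#include <memory>
#include <utility>

// Constructed stand-ins for MediaMetadata and ArtworkImageLoader;
// std::shared_ptr / std::weak_ptr play the roles of WebKit's RefPtr / WeakPtr.
struct Loader {
    std::function<void(bool)> callback; // analogue of ArtworkImageLoader::m_callback
};

struct Metadata : std::enable_shared_from_this<Metadata> {
    int completedLoads = 0;
    Loader loader;

    // Pre-fix shape: raw `this` is captured. If the callback is exchanged out of
    // the loader and runs after Metadata is destroyed, `++completedLoads` writes
    // through a dangling pointer (shown only, never invoked after destruction).
    void startLoadRaw() {
        loader.callback = [this](bool ok) { if (ok) ++completedLoads; };
    }

    // Post-fix shape: capture weakThis, return early if the owner is gone,
    // otherwise pin it (protectedThis) for the duration of the lambda body.
    void startLoadWeak() {
        std::weak_ptr<Metadata> weakThis = weak_from_this();
        loader.callback = [weakThis](bool ok) {
            auto protectedThis = weakThis.lock();
            if (!protectedThis)
                return;
            if (ok)
                ++protectedThis->completedLoads;
        };
    }
};

// Mirrors notifyFinished(): the callback is std::exchange'd out of the loader
// before it runs. Returns the completed-load count if the owner was alive, or
// -1 when the owner was destroyed first and the callback safely did nothing.
int runWeakCallback(bool destroyOwnerFirst) {
    auto metadata = std::make_shared<Metadata>();
    metadata->startLoadWeak();
    auto callback = std::exchange(metadata->loader.callback, nullptr);
    if (destroyOwnerFirst) {
        metadata.reset();   // last strong reference dropped: Metadata destroyed
        callback(true);     // weakThis.lock() yields null; no dangling access
        return -1;
    }
    callback(true);         // owner alive: protectedThis keeps it alive while updating
    return metadata->completedLoads;
}
```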
Commit: 3b20bd23451c5c48d20f009075afbb7826a77aac
https://github.com/WebKit/WebKit/commit/3b20bd23451c5c48d20f009075afbb7826a77aac
Author: Basuke Suzuki <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
M Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServer.cpp
Log Message:
-----------
Cherry-pick 701d9d99f21d. https://bugs.webkit.org/show_bug.cgi?id=312480
[SharedWorker] Add MESSAGE_CHECK to establishSharedWorkerContextConnection
rdar://174708287
Reviewed by Per Arne Vollan (OOPS!).
establishSharedWorkerContextConnection accepts a WebContent-supplied Site with
no MESSAGE_CHECK, allowing a compromised web process to hijack SharedWorker
context connections for arbitrary domains. This mirrors the fix applied to the
ServiceWorker equivalent (establishSWContextConnection) in rdar://107063897.
Two changes:
1. Add allowsFirstPartyForCookies validation with MESSAGE_CHECK_COMPLETION
   before creating the context connection, matching the ServiceWorker pattern.
2. In WebSharedWorkerServer::addContextConnection, skip
   contextConnectionCreated when the domain already has a registered
   connection (replace debug-only ASSERT with runtime guard).
No new tests. Covered by existing SharedWorker tests.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::establishSharedWorkerContextConnection):
* Source/WebKit/NetworkProcess/SharedWorker/WebSharedWorkerServer.cpp:
(WebKit::WebSharedWorkerServer::addContextConnection):
Identifier: 305413.712@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.835@webkitglib/2.52
Commit: 44500f3e61137bfe65a54f5609a1619b7d44a048
https://github.com/WebKit/WebKit/commit/44500f3e61137bfe65a54f5609a1619b7d44a048
Author: Marcus Plutowski <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_mar_registry.c
M Source/bmalloc/libpas/src/libpas/pas_mar_registry.h
Log Message:
-----------
Cherry-pick 729d412ab091. https://bugs.webkit.org/show_bug.cgi?id=311600
[libpas] Fix OoBable code-paths in MAR code
https://bugs.webkit.org/show_bug.cgi?id=311600
rdar://173772317
Reviewed by Yusuke Suzuki.
In the case that the allocation record table is controlled by an
attacker, we cannot trust the offsets contained inside, and should
assert that we do not read out-of-bounds based on them.
Identifier: 305413.727@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.836@webkitglib/2.52
Commit: 3c26bb069924302ebad75a9abf3debef365fe3f9
https://github.com/WebKit/WebKit/commit/3c26bb069924302ebad75a9abf3debef365fe3f9
Author: Kai Tamkun <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A JSTests/stress/regress-174630697.js
M Source/JavaScriptCore/bytecode/Repatch.cpp
Log Message:
-----------
Cherry-pick bb9e30e27a73. https://bugs.webkit.org/show_bug.cgi?id=312405
[JSC] Missing codeBlock->m_lock in repatchGetBySlowPathCall
https://bugs.webkit.org/show_bug.cgi?id=312405
rdar://174630697
Reviewed by Yusuke Suzuki.
Adds usage of GCSafeConcurrentJSLocker in three repatch methods.
This avoids a data race.
Test: JSTests/stress/regress-174630697.js
* JSTests/stress/regress-174630697.js: Added.
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::repatchGetBySlowPathCall):
(JSC::repatchPutBySlowPathCall):
(JSC::repatchInBySlowPathCall):
Identifier: 305413.703@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.837@webkitglib/2.52
Commit: 4bd6b34f02974a38afc4037c9497b50ec6982374
https://github.com/WebKit/WebKit/commit/4bd6b34f02974a38afc4037c9497b50ec6982374
Author: Chris Dumez <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A LayoutTests/fast/history/popstate-add-iframes-during-history-back-expected.txt
A LayoutTests/fast/history/popstate-add-iframes-during-history-back.html
M Source/WebCore/loader/HistoryController.cpp
Log Message:
-----------
Cherry-pick 9fd7e69ed2c4. https://bugs.webkit.org/show_bug.cgi?id=313623
Use-after-free in HistoryController::recursiveGoToItem — popstate-reentrant setChildItem reallocates iterated m_children
https://bugs.webkit.org/show_bug.cgi?id=313623
rdar://175673154
Reviewed by Ryosuke Niwa.
Iterate over a copy of the HistoryItem children vector since it can be
modified while looping.
Test: fast/history/popstate-add-iframes-during-history-back.html
* LayoutTests/fast/history/popstate-add-iframes-during-history-back-expected.txt: Added.
* LayoutTests/fast/history/popstate-add-iframes-during-history-back.html: Added.
* Source/WebCore/loader/HistoryController.cpp:
(WebCore::HistoryController::recursiveSetProvisionalItem):
(WebCore::HistoryController::recursiveGoToItem):
Identifier: 305413.764@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.838@webkitglib/2.52
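As an added illustration of the "iterate over a copy" fix in this commit message (not WebKit code: the Item type, the Visitor callback standing in for script that runs during the per-child step, and the scenario are constructed for the example), the in-place loop is shown beside the snapshot loop and exercised with a visitor that appends children mid-iteration:

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for HistoryItem: children plus a per-child step that
// may run script (modelled as an injectable visitor) and so may append to the
// very vector being iterated, reallocating its storage.
struct Item {
    std::string name;
    std::vector<std::shared_ptr<Item>> children;
};
using Visitor = std::function<void(Item& parent, Item& child)>;

// Pre-fix shape: iterates parent.children in place. If the visitor pushes onto
// parent.children, the vector may reallocate and the range-for iterators dangle
// (undefined behaviour; ASan reports heap-use-after-free). Shown only.
void recursiveGoToItemUnsafe(Item& parent, const Visitor& visit) {
    for (auto& child : parent.children)
        visit(parent, *child);
}

// Post-fix shape: iterate a copy. The copy holds its own strong references, so
// it stays valid whether the visitor adds or removes children of `parent`.
void recursiveGoToItemSafe(Item& parent, const Visitor& visit) {
    auto childrenSnapshot = parent.children;
    for (auto& child : childrenSnapshot)
        visit(parent, *child);
}

// Scenario: `initial` children; visiting the first appends `added` more, the way
// a popstate handler inserting iframes would. Returns {children visited, final
// child count}: only the original children are visited, and the late additions
// are still attached to the parent afterwards.
std::pair<int, int> visitWithReentrantAdd(int initial, int added) {
    Item root{"root", {}};
    for (int i = 0; i < initial; ++i)
        root.children.push_back(std::make_shared<Item>(Item{"child" + std::to_string(i), {}}));
    bool fired = false; int visited = 0;
    Visitor visit = [&](Item& parent, Item&) {
        ++visited;
        if (fired) return;
        fired = true;
        for (int i = 0; i < added; ++i)
            parent.children.push_back(std::make_shared<Item>(Item{"late", {}}));
    };
    recursiveGoToItemSafe(root, visit);
    return {visited, static_cast<int>(root.children.size())};
}
```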
Commit: 143e59252f0db9745e521835de3cb3f0b3c01340
https://github.com/WebKit/WebKit/commit/143e59252f0db9745e521835de3cb3f0b3c01340
Author: David Kilzer <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A LayoutTests/fast/canvas/canvas-getContext-reentrant-expected.txt
A LayoutTests/fast/canvas/canvas-getContext-reentrant.html
M Source/WebCore/html/HTMLCanvasElement.cpp
M Source/WebCore/html/OffscreenCanvas.cpp
Log Message:
-----------
Cherry-pick 40941e46f2d4. https://bugs.webkit.org/show_bug.cgi?id=313175
Crash in CanvasRenderingContext::deref after reentrant getContext()
<https://bugs.webkit.org/show_bug.cgi?id=313175>
<rdar://175164594>
Reviewed by Said Abou-Hallawa.
`HTMLCanvasElement::getContext()` and `OffscreenCanvas::getContext()`
check `m_context` at the top, then call
`convert<IDLDictionary<...>>()` on the settings argument. Dictionary
conversion invokes JS property getters, which can re-enter
`getContext()` on the same canvas and assign `m_context`. The outer
call then proceeds to `createContext2d()`/`createContextWebGL()`/
`createContextBitmapRenderer()`, which overwrites `m_context` with a
new `unique_ptr`, destroying the inner context while its JS wrapper
is still alive. `CanvasRenderingContext` forwards `ref()`/`deref()`
to its owning `CanvasBase`, so the wrapper's ref does not keep the
context alive; on GC sweep the wrapper's `deref()` reads `m_canvas`
from a freed `this`.
Re-check `m_context` (and `m_detached` for `OffscreenCanvas`) after
dictionary conversion. If a re-entrant call set `m_context`, return
the existing context when the type matches and null otherwise,
matching the existing early-return semantics.
Also upgrade `ASSERT(!m_context)` to
`ASSERT_WITH_SECURITY_IMPLICATION(!m_context)` in all four
`createContext*()` methods. These asserts guard the same invariant
this bug violates -- that `m_context` is assigned at most once --
and a violation is security-relevant.
Test: fast/canvas/canvas-getContext-reentrant.html
* LayoutTests/fast/canvas/canvas-getContext-reentrant-expected.txt: Add.
* LayoutTests/fast/canvas/canvas-getContext-reentrant.html: Add.
* Source/WebCore/html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::getContext):
(WebCore::HTMLCanvasElement::createContext2d):
(WebCore::HTMLCanvasElement::createContextWebGL):
(WebCore::HTMLCanvasElement::createContextBitmapRenderer):
(WebCore::HTMLCanvasElement::createContextWebGPU):
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::getContext):
Identifier: 305413.763@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.839@webkitglib/2.52
Commit: 29f4e4d3ca4df95b99381ccec875461fe385472c
https://github.com/WebKit/WebKit/commit/29f4e4d3ca4df95b99381ccec875461fe385472c
Author: Chris Dumez <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M Source/WebKit/Platform/IPC/Connection.cpp
M Source/WebKit/Platform/IPC/Connection.h
Log Message:
-----------
Cherry-pick 153d034e52b2. https://bugs.webkit.org/show_bug.cgi?id=313533
Fix data race on m_outgoingMessageQueueIsGrowingLargeCallback in IPC::Connection
https://bugs.webkit.org/show_bug.cgi?id=313533
rdar://175743852
Reviewed by Kimmo Kinnunen.
sendMessageImpl() is thread-safe but was reading and invoking
m_outgoingMessageQueueIsGrowingLargeCallback outside m_outgoingMessagesLock,
while invalidate() was clearing it on the dispatcher thread without holding
the lock. This is a data race on the Function object.
Wrap the callback in a Box<> (ThreadSafeRefCounted) so it can be safely copied
under the lock and invoked outside it. Guard all accesses to the member with
m_outgoingMessagesLock.
* Source/WebKit/Platform/IPC/Connection.cpp:
(IPC::Connection::setOutgoingMessageQueueIsGrowingLargeCallback):
(IPC::Connection::invalidate):
(IPC::Connection::sendMessageImpl):
* Source/WebKit/Platform/IPC/Connection.h:
Identifier: 305413.761@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.840@webkitglib/2.52
Commit: e17194482bacb2a8c69eb7abdd4df05ac8a8a5a3
https://github.com/WebKit/WebKit/commit/e17194482bacb2a8c69eb7abdd4df05ac8a8a5a3
Author: Kai Tamkun <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A JSTests/stress/array-indexof-ensure-still-alive.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick db99db96e504. https://bugs.webkit.org/show_bug.cgi?id=313490
[JSC][FTL] compileArrayIndexOfOrArrayIncludes (UntypedUse + Array::Contiguous): ensureStillAliveHere(base) placed before GC-capable vmCall
https://bugs.webkit.org/show_bug.cgi?id=313490
rdar://175674067
Reviewed by Yusuke Suzuki.
Delays an ensureStillAliveHere call until after a GC-capable function
invocation.
Test: JSTests/stress/array-indexof-ensure-still-alive.js
* JSTests/stress/array-indexof-ensure-still-alive.js: Added.
(opt):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOfOrArrayIncludes):
Identifier: 305413.767@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.841@webkitglib/2.52
Commit: 95ef4019680b649d6930ecf60bd746106a24321f
https://github.com/WebKit/WebKit/commit/95ef4019680b649d6930ecf60bd746106a24321f
Author: Chris Dumez <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A LayoutTests/fast/dom/CloseWatcher-watcher-crash-expected.txt
A LayoutTests/fast/dom/CloseWatcher-watcher-crash.html
M Source/WebCore/html/closewatcher/CloseWatcher.cpp
Log Message:
-----------
Cherry-pick a2cb3a724645. https://bugs.webkit.org/show_bug.cgi?id=313626
use-after-free in CloseWatcher::destroy(): abort-signal algorithm calls destroy() via WeakPtr while CloseWatcherManager holds the last Ref
https://bugs.webkit.org/show_bug.cgi?id=313626
rdar://175672431
Reviewed by Ryosuke Niwa.
Protect the watcher before calling destroy() on it.
Test: fast/dom/CloseWatcher-watcher-crash.html
* LayoutTests/fast/dom/CloseWatcher-watcher-crash-expected.txt: Added.
* LayoutTests/fast/dom/CloseWatcher-watcher-crash.html: Added.
* Source/WebCore/html/closewatcher/CloseWatcher.cpp:
(WebCore::CloseWatcher::create):
Identifier: 305413.770@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.842@webkitglib/2.52
Commit: d4581721a2eacefa9e48613323524d92e619389f
https://github.com/WebKit/WebKit/commit/d4581721a2eacefa9e48613323524d92e619389f
Author: Kai Tamkun <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
A JSTests/stress/spread-with-OnlyAtomStringsStructure.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Log Message:
-----------
Cherry-pick 62a1052dd1fe. https://bugs.webkit.org/show_bug.cgi?id=313252
[JSC] Spread operator doesn't account for cellButterflyOnlyAtomStringsStructure in DFG
https://bugs.webkit.org/show_bug.cgi?id=313252
rdar://175498631
Reviewed by Yijia Huang.
This patch fixes the abstract interpreter's structure prediction for the spread
operator. Instead of only cellButterflyStructure(CopyOnWriteArrayWithContiguous),
it now also takes cellButterflyOnlyAtomStringsStructure into account.
Test: JSTests/stress/spread-with-OnlyAtomStringsStructure.js
* JSTests/stress/spread-with-OnlyAtomStringsStructure.js: Added.
(index):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Identifier: 305413.768@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.843@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/8d3dd4013894...d4581721a2ea