Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: 4803334d528e3b56a4be62c611b7cdf2771455b5
      
https://github.com/WebKit/WebKit/commit/4803334d528e3b56a4be62c611b7cdf2771455b5
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A JSTests/wasm/stress/wasm-resizable-buffer-resize-after-gc.js
    M Source/JavaScriptCore/runtime/ArrayBuffer.cpp
    M Source/JavaScriptCore/runtime/ArrayBuffer.h
    M Source/JavaScriptCore/runtime/JSArrayBuffer.cpp
    M Source/JavaScriptCore/runtime/JSArrayBuffer.h
    M Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp
    M Source/JavaScriptCore/wasm/WasmMemory.cpp
    M Source/JavaScriptCore/wasm/WasmMemory.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp

  Log Message:
  -----------
  Cherry-pick 095fa99180ff. https://bugs.webkit.org/show_bug.cgi?id=313473

[JSC] Keep JSWebAssemblyMemory alive from wasm-originated JSArrayBuffers
https://bugs.webkit.org/show_bug.cgi?id=313473
rdar://175674018

Reviewed by Keith Miller.

Currently, ArrayBuffers that are created by WebAssembly.Memory.p.
toResizableBuffer do not keep that WebAssembly.Memory instance alive. This is a
memory safety footgun. While JS-originated resizable ABs reserve the virtual
memory of their max size up front, wasm-originated resizable ABs can either be
bounds-checking which do not reserve virtual memory up front, or signaling,
which do. Currently, because wasm-originated ArrayBuffers do not keep their
WebAssembly.Memory alive, non-wasm ArrayBuffer code has to be aware of this
implementation in case the WebAssembly.Memory gets collected. This complicates
the object representation space and is error-prone.

This PR simplifies this set up by making wasm-originated ArrayBuffers and their
originator WebAssembly.Memory exist in a GC lifetime cycle. This means
wasm-originated ABs _always_ delegate resizing to WebAssembly.Memory.

The weak pointer to the underlying Wasm::Memory in ArrayBuffers is no longer
needed and removed.

The spot fix to keep WebAssembly.Memory alive for the duration of
ArrayBuffer.prototype.resize from 305413.660@safari-7624-branch is also
reverted as this fix removes the need for it.

Test: JSTests/wasm/stress/wasm-resizable-buffer-resize-after-gc.js

* JSTests/wasm/stress/wasm-resizable-buffer-resize-after-gc.js: Added.
(flushStackRoots):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::resize):
(JSC::ArrayBuffer::setAssociatedWasmMemory): Deleted.
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::associatedWasmMemoryWrapper const):
(JSC::JSArrayBuffer::setAssociatedWasmMemoryWrapper):
(JSC::JSArrayBuffer::clearAssociatedWasmMemoryWrapper):
(JSC::JSArrayBuffer::visitChildrenImpl):
* Source/JavaScriptCore/runtime/JSArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::createZeroSized):
(JSC::Wasm::Memory::tryCreate):
(JSC::Wasm::Memory::growShared):
(JSC::Wasm::Memory::grow):
* Source/JavaScriptCore/wasm/WasmMemory.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::tryCreate):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::adopt):
(JSC::JSWebAssemblyMemory::associateArrayBuffer):
(JSC::JSWebAssemblyMemory::disassociateArrayBuffer):
(JSC::JSWebAssemblyMemory::growSuccessCallback):
* Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::WebAssemblyMemoryConstructor::createMemoryFromDescriptor):
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):

Identifier: 305413.790@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.854@webkitglib/2.52


  Commit: 08f959f218a90fd267b4cbacf5ac4662ad7c1aa1
      
https://github.com/WebKit/WebKit/commit/08f959f218a90fd267b4cbacf5ac4662ad7c1aa1
  Author: Phinehas Fuachie <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling-expected.txt
    A LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling.html
    M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp
    M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.h
    M Source/WebCore/testing/Internals.cpp
    M Source/WebCore/testing/Internals.h
    M Source/WebCore/testing/Internals.idl

  Log Message:
  -----------
  Cherry-pick c0bd74757c6e. https://bugs.webkit.org/show_bug.cgi?id=305612

Web Audio WaveShaperNode: NaN input produces out-of-bounds read in 
processCurve()
https://bugs.webkit.org/show_bug.cgi?id=305612
rdar://164364161

Reviewed by Youenn Fablet.

NaN input samples bypass range checks since NaN comparisons always return 
false, causing
std::floor(NaN) to produce NaN which converts to a garbage unsigned index, 
resulting in an
out-of-bounds read.

Fix by guarding non-finite inputs and outputting silence (0.0f). Also clamp 
valid inputs to [-1, 1]
for additional safety.

The static helper processCurveWithData is introduced to allow unit testing the 
algorithm in
isolation without needing to instantiate a WaveShaperProcessor.

* 
LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling-expected.txt: 
Added.
* LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling.html: Added.
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp:
(WebCore::WaveShaperDSPKernel::processCurve):
(WebCore::WaveShaperDSPKernel::processCurveWithData):
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.h:
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::waveShaperProcessCurveWithData):
* Source/WebCore/testing/Internals.h:
* Source/WebCore/testing/Internals.idl:

Identifier: 305413.86@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.855@webkitglib/2.52


  Commit: f9e13512ae52d032b6722618aef76604b2a953d7
      
https://github.com/WebKit/WebKit/commit/f9e13512ae52d032b6722618aef76604b2a953d7
  Author: Ruthvik Konda <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash-expected.txt
    A 
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash.html
    M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp
    M Source/WebCore/Modules/webaudio/WaveShaperNode.cpp
    M Source/WebCore/Modules/webaudio/WaveShaperNode.h
    M Source/WebCore/Modules/webaudio/WaveShaperProcessor.cpp
    M Source/WebCore/Modules/webaudio/WaveShaperProcessor.h

  Log Message:
  -----------
  Cherry-pick 0dcea6bac528. https://bugs.webkit.org/show_bug.cgi?id=313528

[WebCore] Store WaveShaperProcessor curve as Vector<float> to avoid 
cross-thread RefCounted race
https://bugs.webkit.org/show_bug.cgi?id=313528
rdar://175171873

Reviewed by Chris Dumez.

WaveShaperProcessor::m_curve was a RefPtr<Float32Array>. Float32Array inherits
RefCounted<ArrayBufferView>, whose refcount is non-atomic. 296577@main changed
the audio-thread readers in WaveShaperDSPKernel::processCurve and
WaveShaperNode::propagatesSilence to wrap waveShaperProcessor()->curve() in a
local RefPtr; the main-thread getter WaveShaperNode::curveForBindings() already
did the same lockless. The concurrent non-atomic ref/deref races; a lost
increment leaves the count one too low; a subsequent deref frees m_curve out
from under the processor; the next render quantum is a heap-use-after-free in
processCurve.

On builds with ENABLE(SECURITY_ASSERTIONS), RefCountDebugger's threading
checker traps first; on plain Release the UAF is reachable from web content via
OfflineAudioContext + the WaveShaperNode.curve getter.

Fix by storing the curve as Vector<float> instead of RefPtr<Float32Array>. The
internal curve was already cloned on set and on get, so the Float32Array wrapper
was vestigial. With a Vector there is no RefCounted object on the audio-thread
path; m_processLock continues to guard buffer replacement against audio-thread
reads. This matches AudioParamTimeline::ParamEvent::m_curve and
IIRProcessor::m_feedforward.

Test: webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash.html
* 
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash-expected.txt:
 Added.
* 
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash.html:
 Added.
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp:
(WebCore::WaveShaperDSPKernel::processCurve):
* Source/WebCore/Modules/webaudio/WaveShaperNode.cpp:
(WebCore::WaveShaperNode::setCurveForBindings):
(WebCore::WaveShaperNode::curveForBindings):
(WebCore::WaveShaperNode::propagatesSilence const):
* Source/WebCore/Modules/webaudio/WaveShaperNode.h:
* Source/WebCore/Modules/webaudio/WaveShaperProcessor.cpp:
(WebCore::WaveShaperProcessor::setCurveForBindings):
* Source/WebCore/Modules/webaudio/WaveShaperProcessor.h:
(WebCore::WaveShaperProcessor::curveForBindings const):
(WebCore::WaveShaperProcessor::curve const):
(WebCore::WaveShaperProcessor::curveForBindings): Deleted.

Identifier: 305413.793@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.856@webkitglib/2.52


  Commit: 4b475ff6d70b037b305e86b200d7df4fc1322a2e
      
https://github.com/WebKit/WebKit/commit/4b475ff6d70b037b305e86b200d7df4fc1322a2e
  Author: Kiet Ho <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/scroll-compensation-crash.html
    M Source/WebCore/page/LocalFrameViewLayoutContext.cpp

  Log Message:
  -----------
  Cherry-pick 444a849510b9. https://bugs.webkit.org/show_bug.cgi?id=313528

[css-anchor-position-1] removeScrollerFromAnchorScrollAdjusters mutates array 
when iterating through it
rdar://175679565

Reviewed by Elika Etemad.

LocalFrameViewLayoutContext::removeScrollerFromAnchorScrollAdjusters iterates
through m_anchorScrollAdjusters, and unregisters adjusters belonging to the
scroller by calling unregisterAnchorScrollAdjusterFor. 
unregisterAnchorScrollAdjusterFor
in turn removes adjusters also from m_anchorScrollAdjusters, which is being 
iterated on.
Vectors are not safe to modify when iterating through. Change the loop to save 
the list
of adjusters to be removed in a HashSet, then remove the saved adjusters after.

Test: 
imported/w3c/web-platform-tests/css/css-anchor-position/scroll-compensation-crash.html

* 
LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/scroll-compensation-crash.html:
 Added.
* Source/WebCore/page/LocalFrameViewLayoutContext.cpp:
(WebCore::LocalFrameViewLayoutContext::removeScrollerFromAnchorScrollAdjusters):

Identifier: 305413.802@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.857@webkitglib/2.52


  Commit: 705f90086aff3cfd50a1061f58ebd857ce570079
      
https://github.com/WebKit/WebKit/commit/705f90086aff3cfd50a1061f58ebd857ce570079
  Author: Jer Noble <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/Modules/mediasource/MediaSource.cpp
    M Source/WebCore/platform/graphics/MediaPlayer.cpp
    M Source/WebCore/platform/graphics/MediaPlayer.h

  Log Message:
  -----------
  Cherry-pick c222f765786f. https://bugs.webkit.org/show_bug.cgi?id=313693

MediaEngineSupportParameters is passed across a thread boundary without making 
an isolatedCopy().
rdar://174652324
https://bugs.webkit.org/show_bug.cgi?id=313693

Reviewed by Jean-Yves Avenard.

Allow MediaEngineSupporrtParameters to be used cross-thread by adding an 
isolatedCopy() method.

* Source/WebCore/Modules/mediasource/MediaSource.cpp:
(WebCore::MediaSource::isTypeSupported):
* Source/WebCore/platform/graphics/MediaPlayer.cpp:
(WebCore::MediaEngineSupportParameters::isolatedCopy):
* Source/WebCore/platform/graphics/MediaPlayer.h:

Identifier: 305413.794@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.858@webkitglib/2.52


  Commit: d2361070280fa5110babefcdb986ae74c5267881
      
https://github.com/WebKit/WebKit/commit/d2361070280fa5110babefcdb986ae74c5267881
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/streams/readable-stream-cancel-fake-promise-crash-expected.txt
    A LayoutTests/streams/readable-stream-cancel-fake-promise-crash.html
    M Source/WebCore/Modules/streams/ReadableStream.cpp
    M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp

  Log Message:
  -----------
  Cherry-pick 3f06c62bc271. https://bugs.webkit.org/show_bug.cgi?id=313706

Type confusion in ReadableStream.cancel() via jsCast<JSPromise*>
https://bugs.webkit.org/show_bug.cgi?id=313706
rdar://174938744

Reviewed by Chris Dumez and Mark Lam.

Replaced the use of unconditional jsCast with jsDynamicCast to fix the bug.

Test: streams/readable-stream-cancel-fake-promise-crash.html

* LayoutTests/streams/readable-stream-cancel-fake-promise-crash-expected.txt: 
Added.
* LayoutTests/streams/readable-stream-cancel-fake-promise-crash.html: Added.
* Source/WebCore/Modules/streams/ReadableStream.cpp:
(WebCore::ReadableStream::cancel):
* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp:
(WebCore::ReadableStreamDefaultReader::read):

Identifier: 305413.806@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.859@webkitglib/2.52


  Commit: 1a39ad3eac8e497bb38d4683bb359ee543368b0c
      
https://github.com/WebKit/WebKit/commit/1a39ad3eac8e497bb38d4683bb359ee543368b0c
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash-expected.txt
    A 
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash.html
    M Source/WebCore/page/FocusController.cpp

  Log Message:
  -----------
  Cherry-pick f9763c9248db. https://bugs.webkit.org/show_bug.cgi?id=313702

Use-after-free in FocusController::findAndFocusElementInDocumentOrder
https://bugs.webkit.org/show_bug.cgi?id=313702
rdar://175673194

Reviewed by Aditya Keerthi.

Fixed the bug by deploying a smart pointer.

Test: 
fast/events/new-focused-document-removal-during-blur-event-handler-crash.html

* 
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash-expected.txt:
 Added.
* 
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash.html:
 Added.
* Source/WebCore/page/FocusController.cpp:
(WebCore::FocusController::findAndFocusElementInDocumentOrderStartingWithFrame):

Identifier: 305413.804@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.860@webkitglib/2.52


  Commit: b46112e2df12e450c68c4650d52ffc862bab0a1b
      
https://github.com/WebKit/WebKit/commit/b46112e2df12e450c68c4650d52ffc862bab0a1b
  Author: Vignesh Rao <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmCallee.cpp
    M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp

  Log Message:
  -----------
  Cherry-pick 84a5f91f00a5. https://bugs.webkit.org/show_bug.cgi?id=313063

[JSC] Unconditionally keep OMGOSREntryCallee alive while updating its callsites
https://bugs.webkit.org/show_bug.cgi?id=313063
rdar://174492346

Reviewed by Keith Miller.

After a re-tier, when a fresh BBQCallee replaces a retired one,
m_osrEntryCallees may hold a stale weak ref to an OMGOSREntryCallee not owned
by the current BBQCallee. Currently, updateCallsitesToCallUs will not track
this since it assumes that this OMGOSREntryCallee will be owned by the BBQCallee

This patch fixes it by unconditionally keeping the OMGOSREntryCallee alive
while we update all the callsites within it. The assert in ~BBQCallee is void
now since an OMGOSREntryCallee can now have multiple owners.

* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::BBQCallee::~BBQCallee):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::updateCallsitesToCallUs):

Identifier: 305413.784@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.861@webkitglib/2.52


  Commit: 9ff892e9e199b8873d56653fae8daa936b121185
      
https://github.com/WebKit/WebKit/commit/9ff892e9e199b8873d56653fae8daa936b121185
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/editing/async-clipboard/clipboard-write-item-crash-expected.txt
    A LayoutTests/editing/async-clipboard/clipboard-write-item-crash.html
    M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp

  Log Message:
  -----------
  Cherry-pick 061b1c5b4012. https://bugs.webkit.org/show_bug.cgi?id=313691

Heap use-after-free in ClipboardItemBindingsDataSource::clearItemTypeLoaders()
https://bugs.webkit.org/show_bug.cgi?id=313691
rdar://174651164

Reviewed by Wenson Hsieh.

Avoid the use-after-free by moving the contents of Vector to a local variable.

Test: editing/async-clipboard/clipboard-write-item-crash.html

* LayoutTests/editing/async-clipboard/clipboard-write-item-crash-expected.txt: 
Added.
* LayoutTests/editing/async-clipboard/clipboard-write-item-crash.html: Added.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::clearItemTypeLoaders):

Identifier: 305413.812@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.862@webkitglib/2.52


  Commit: 8663cacd3ae7b109eb1935577199e827d5b2f516
      
https://github.com/WebKit/WebKit/commit/8663cacd3ae7b109eb1935577199e827d5b2f516
  Author: Jer Noble <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/Modules/mediarecorder/BlobEvent.cpp
    M Source/WebCore/Modules/mediarecorder/BlobEvent.h

  Log Message:
  -----------
  Cherry-pick 0743320ceb0e. https://bugs.webkit.org/show_bug.cgi?id=313915

BlobEvent::Init::timecode missing initializer leaks 8 bytes of uninitialized 
stack memory
rdar://175759962
https://bugs.webkit.org/show_bug.cgi?id=313915

Reviewed by Simon Fraser.

* Source/WebCore/Modules/mediarecorder/BlobEvent.cpp:
(WebCore::BlobEvent::BlobEvent):
* Source/WebCore/Modules/mediarecorder/BlobEvent.h:

Identifier: 305413.809@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.863@webkitglib/2.52


Compare: https://github.com/WebKit/WebKit/compare/a059fc1ff7ac...8663cacd3ae7

To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to