Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: ccff81d1a5490d19887a8d5506abc58327730b9f
      
https://github.com/WebKit/WebKit/commit/ccff81d1a5490d19887a8d5506abc58327730b9f
  Author: Said Abou-Hallawa <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/platform/graphics/cpu/arm/filters/FEBlendNeonApplier.cpp
    M Source/WebCore/platform/graphics/filters/FilterImage.cpp
    M Source/WebCore/platform/graphics/filters/FilterImage.h

  Log Message:
  -----------
  Cherry-pick dbf10417aa9e. https://bugs.webkit.org/show_bug.cgi?id=314906

FilterImage may return uninitialized PixelBuffer
https://bugs.webkit.org/show_bug.cgi?id=314906
rdar://176813834

Reviewed by Darin Adler.

FilterImage provides three different representations of the image: ImageBuffer,
Unpremultiplied PixelBuffer and Premultiplied PixelBuffer. These three buffers
are lazily created. Each of them is created only when it is needed. But keep in
mind they are copies of each other. In other words, when one is created it has
to copy the pixels from the existing buffers. Otherwise it has to be 
zero-filled.

A problem may happen when copying the pixels from one buffer to a newly created
buffer fails. In this case we send uninitialized PixelBuffer which may expose 
user
private data. Not able to copy existing pixels to the PixelBuffer should be 
treated
as an error. So a null PixelBuffer should be returned in this case.

* Source/WebCore/platform/graphics/cpu/arm/filters/FEBlendNeonApplier.cpp:
(WebCore::FEBlendNeonApplier::apply const):
* Source/WebCore/platform/graphics/filters/FilterImage.cpp:
(WebCore::copyImageBytes):
(WebCore::FilterImage::pixelBuffer):
(WebCore::FilterImage::getPixelBuffer):
(WebCore::FilterImage::copyPixelBuffer):
* Source/WebCore/platform/graphics/filters/FilterImage.h:

Identifier: 305413.919@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.887@webkitglib/2.52


  Commit: 965d271f45c1e4ef886087721b20a4ed951913d9
      
https://github.com/WebKit/WebKit/commit/965d271f45c1e4ef886087721b20a4ed951913d9
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebFrameProxy.cpp

  Log Message:
  -----------
  Cherry-pick 332b0cbb0bb4. https://bugs.webkit.org/show_bug.cgi?id=315006

Missing validation of frameInfo in WebFrameProxy::getFrameInfo()
https://bugs.webkit.org/show_bug.cgi?id=315006
rdar://176816153

Reviewed by Ryosuke Niwa.

Harden WebFrameProxy::getFrameInfo() so the security-relevant fields of
the FrameInfoData struct returned by WebProcess are now validated.
In case of mismatch, we overwrite with correct values and log an error
message instead of doing a MESSAGE_CHECK, to reduce risk.

* Source/WebKit/UIProcess/WebFrameProxy.cpp:
(WebKit::WebFrameProxy::getFrameInfo):

Identifier: 305413.931@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.888@webkitglib/2.52


  Commit: b5ec6fa781103e8e372a3a9318330b11df40672c
      
https://github.com/WebKit/WebKit/commit/b5ec6fa781103e8e372a3a9318330b11df40672c
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp
    M Source/WebCore/html/track/InbandDataTextTrack.h
    M Source/WebCore/html/track/InbandGenericTextTrack.h
    M Source/WebCore/html/track/InbandTextTrack.h
    M Source/WebCore/html/track/InbandWebVTTTextTrack.h
    M Source/WebCore/html/track/LoadableTextTrack.h
    M Source/WebCore/html/track/TextTrack.h
    M Source/WebCore/html/track/TextTrackCue.cpp
    M Source/WebCore/html/track/TextTrackCue.h

  Log Message:
  -----------
  Cherry-pick 133b57500c3a. https://bugs.webkit.org/show_bug.cgi?id=314952

Data race in JSTextTrackCue::visitAdditionalChildrenInGCThread leading to 
use-after-free (variant of bug 311800)
https://bugs.webkit.org/show_bug.cgi?id=314952
rdar://177248996

Reviewed by Geoffrey Garen.

JSTextTrackCue::visitAdditionalChildrenInGCThread() was accessing
`TrackTraceCue::m_track` from the GC thread, even though it is a WeakPtr
which can get nulled out on the main thread.

To address the issue:
- Turn `TrackTraceCue::m_track` into a CheckedPtr. This is OK because the
  ~Track() destructor takes care of nulling out its cues' m_track pointer
  explicitly.
- Add a Lock to synchronize setting m_track on the main thread in
  `TextTrackCue::setTrack()` and accessing it on the GC thread.

* Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp:
(WebCore::JSTextTrackCue::visitAdditionalChildren):
* Source/WebCore/html/track/InbandDataTextTrack.h:
* Source/WebCore/html/track/InbandGenericTextTrack.h:
* Source/WebCore/html/track/InbandTextTrack.h:
* Source/WebCore/html/track/InbandWebVTTTextTrack.h:
* Source/WebCore/html/track/LoadableTextTrack.h:
* Source/WebCore/html/track/TextTrack.h:
* Source/WebCore/html/track/TextTrackCue.cpp:
(WebCore::TextTrackCue::willChange):
(WebCore::TextTrackCue::didChange):
(WebCore::TextTrackCue::track const):
(WebCore::TextTrackCue::protectedTrack const):
(WebCore::TextTrackCue::setTrack):
(WebCore::TextTrackCue::cueIndex const):
(WebCore::TextTrackCue::hasEquivalentStartTime const):
(WebCore::TextTrackCue::visitAdditionalChildren):
* Source/WebCore/html/track/TextTrackCue.h:

Identifier: 305413.937@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.889@webkitglib/2.52


  Commit: f3c37d7ca6bd5771a3caaf4ea06da65436d4c6b8
      
https://github.com/WebKit/WebKit/commit/f3c37d7ca6bd5771a3caaf4ea06da65436d4c6b8
  Author: Anand Srinivasan <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A JSTests/wasm/stress/br-on-cast-reserved-flags.js
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h

  Log Message:
  -----------
  Cherry-pick 6d5ae0fc9aa1. https://bugs.webkit.org/show_bug.cgi?id=315223

WasmGC should reject reserved bits in br_on_cast/br_on_cast_fail flags byte
https://bugs.webkit.org/show_bug.cgi?id=315223
rdar://176190526

Reviewed by Dan Hecht.

In br_on_cast and br_on_cast_fail flag bits other than 0 and 1 are
reserved. The validator currently does not check that reserved bits are
0 and IPInt assumes reserved bits are 0. This patch makes the validator
check the reserved bits.

Test: JSTests/wasm/stress/br-on-cast-reserved-flags.js

* JSTests/wasm/stress/br-on-cast-reserved-flags.js: Added.
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

Identifier: 305413.945@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.890@webkitglib/2.52


  Commit: fc7f707775c1238b9cff03898cdfe6ab22e36534
      
https://github.com/WebKit/WebKit/commit/fc7f707775c1238b9cff03898cdfe6ab22e36534
  Author: Kai Tamkun <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WTF/bmalloc/MAR.cpp

  Log Message:
  -----------
  Cherry-pick d945beacb08e. https://bugs.webkit.org/show_bug.cgi?id=314679

[libpas] bmalloc_try_allocate_zeroed_inline calls PAS_MAR_TRACK_ALLOCATION 
instead of PAS_MAR_TRACK_ALLOCATION_AND_ZERO on MAR branch, returning unzeroed 
memory
rdar://175683200
https://bugs.webkit.org/show_bug.cgi?id=314679

Reviewed by Yusuke Suzuki.

This patch changes `bmalloc_try_allocate_zeroed_inline` so that it
zeroes the returned memory in the case where the MAR predicate matches.

Tests: Tools/TestWebKitAPI/Tests/WTF/bmalloc/MAR.cpp

* Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:
(bmalloc_try_allocate_zeroed_inline): Zero the returned memory.
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WTF/bmalloc/MAR.cpp: Added.
(TestWebKitAPI::pageIndexOf):
(TestWebKitAPI::testZeroedAllocationAfterPriming):
(TestWebKitAPI::TEST(bmalloc, MARZeroedAllocationWithMARDisabled)):
(TestWebKitAPI::TEST(bmalloc, MARZeroedAllocationWithMAREnabled)):

Identifier: 305413.946@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.891@webkitglib/2.52


  Commit: 62ebf28b87693f9cb042c968f3c8bcdad8d27913
      
https://github.com/WebKit/WebKit/commit/62ebf28b87693f9cb042c968f3c8bcdad8d27913
  Author: Antti Koivisto <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/fast/custom-elements/xml-parser-reparent-during-construction-crash-expected.txt
    A 
LayoutTests/fast/custom-elements/xml-parser-reparent-during-construction-crash.xhtml
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Cherry-pick 19beaaec03d0. https://bugs.webkit.org/show_bug.cgi?id=314679

[WebCore] use-after-free in Style::TreeResolver — 
XMLDocumentParser::startElementNs missing parentNode re-check after 
custom-element upgrade
rdar://177479772

Reviewed by Ryosuke Niwa.

Draining the custom element reaction stack in startElementNs runs the
constructor synchronously, which can re-parent newElement, adopt it into
another document, or detach the current parser node. parserAppendChild
requires its argument to have no parent and to share our document, so
falling through into it leaves the tree linked into two child lists.

Re-check those invariants after the reaction stack drains and stop
parsing if any of them no longer holds. A spec-aligned follow-up should
route XML element creation through constructElementWithFallback like
HTMLDocumentParser does, which post-validates and falls back to
HTMLUnknownElement; a FIXME records that.

Test: fast/custom-elements/xml-parser-reparent-during-construction-crash.xhtml
* 
LayoutTests/fast/custom-elements/xml-parser-reparent-during-construction-crash-expected.txt:
 Added.
* 
LayoutTests/fast/custom-elements/xml-parser-reparent-during-construction-crash.xhtml:
 Added.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::startElementNs):

Identifier: 305413.947@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.892@webkitglib/2.52


  Commit: 1cd01f7eccb9f4b1662f3a76c6d9ada1572ecbd1
      
https://github.com/WebKit/WebKit/commit/1cd01f7eccb9f4b1662f3a76c6d9ada1572ecbd1
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A JSTests/wasm/gc/private-fields-and-methods.js
    M Source/JavaScriptCore/runtime/JSObjectInlines.h

  Log Message:
  -----------
  Cherry-pick 525600a227a6. https://bugs.webkit.org/show_bug.cgi?id=314438

[JSC] Disallow defining private names on WasmGC objects
https://bugs.webkit.org/show_bug.cgi?id=314438
rdar://176445615

Reviewed by Yusuke Suzuki.

While the spec currently technically allows for defining private fields and
methods on WasmGC objects, this is against the spirit of those objects being
fixed-layout.

For compat, both V8 and SpiderMonkey also disallow addition of private names on
WasmGC objects.

Test: JSTests/wasm/gc/private-fields-and-methods.js

* JSTests/wasm/gc/private-fields-and-methods.js: Added.
(testPrivateMethodOnStruct.B):
(testPrivateMethodOnStruct.D.prototype.m):
(testPrivateMethodOnStruct.D):
(testPrivateMethodOnStruct):
(testPrivateFieldOnStruct.B):
(testPrivateFieldOnStruct.D):
(testPrivateFieldOnStruct):
(testPrivateMethodOnArray.B):
(testPrivateMethodOnArray.D.prototype.m):
(testPrivateMethodOnArray.D):
(testPrivateMethodOnArray):
(testPrivateFieldOnArray.B):
(testPrivateFieldOnArray.D):
(testPrivateFieldOnArray):
(testPrivateGetterOnStruct.B):
(testPrivateGetterOnStruct.D.prototype.get x):
(testPrivateGetterOnStruct.D):
(testPrivateGetterOnStruct):
(testGCSurvival.B):
(testGCSurvival.D.prototype.m):
(testGCSurvival.D):
(testGCSurvival):
* Source/JavaScriptCore/runtime/JSObjectInlines.h:
(JSC::JSObject::getPrivateField):
(JSC::JSObject::setPrivateField):
(JSC::JSObject::definePrivateField):
(JSC::JSObject::setPrivateBrand):

Identifier: 305413.881@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.893@webkitglib/2.52


  Commit: f0b744f0c4d106c6a6388f11c12bd92128fb8a2b
      
https://github.com/WebKit/WebKit/commit/f0b744f0c4d106c6a6388f11c12bd92128fb8a2b
  Author: Zak Ridouh <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A 
LayoutTests/webanimations/threaded-animations/scroll-driven-animation-registry-update-crash-expected.txt
    A 
LayoutTests/webanimations/threaded-animations/scroll-driven-animation-registry-update-crash.html
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.cpp
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.h

  Log Message:
  -----------
  Cherry-pick 3bff1cc45724. https://bugs.webkit.org/show_bug.cgi?id=314585

Fix Cross-thread use-after-free in 
RemoteScrollingTree::m_progressBasedTimelineRegistry
<https://bugs.webkit.org/show_bug.cgi?id=314585>
<rdar://176483524>

Reviewed by Antoine Quint.

m_progressBasedTimelineRegistry was freed on the main thread by
updateTimelinesRegistration() while the ScrollingThread read it via
serviceScrollAnimations -> updateProgressBasedTimelinesForNode,
producing an ASan heap-use-after-free. The reader held m_treeLock; the
writer held only m_animationLock, so the two paths were not serialized.

Add a dedicated m_progressBasedTimelineRegistryLock that guards the
registry pointer and is acquired by every reader and writer. A separate
lock avoids self-deadlock when scrollingTreeNodeDidScroll() reaches
updateProgressBasedTimelinesForNode from the commit path with
m_treeLock already held.

Test: 
webanimations/threaded-animations/scroll-driven-animation-registry-update-crash.html

* 
LayoutTests/webanimations/threaded-animations/scroll-driven-animation-registry-update-crash-expected.txt:
 Added.
* 
LayoutTests/webanimations/threaded-animations/scroll-driven-animation-registry-update-crash.html:
 Added.
* Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.cpp:
(WebKit::RemoteScrollingTree::updateTimelinesRegistration):
(WebKit::RemoteScrollingTree::timeline const):
(WebKit::RemoteScrollingTree::updateProgressBasedTimelinesForNode):
(WebKit::RemoteScrollingTree::timelinesForScrollingNodeIDForTesting const):
* Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.h:

Identifier: 305413.960@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.894@webkitglib/2.52


  Commit: 1c19f7b2abfd741b09e44fe8bdebb204118ac2be
      
https://github.com/WebKit/WebKit/commit/1c19f7b2abfd741b09e44fe8bdebb204118ac2be
  Author: Anand Srinivasan <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A JSTests/wasm/stress/streaming-compile-try-table-agreement.js
    M Source/JavaScriptCore/wasm/WasmEntryPlan.cpp
    M Source/JavaScriptCore/wasm/WasmEntryPlan.h
    M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp
    M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
    M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.h

  Log Message:
  -----------
  Cherry-pick 55fe8eb4c2a9. https://bugs.webkit.org/show_bug.cgi?id=315365

Streaming compiler does not reject mixed legacy and spec-correct EH
https://bugs.webkit.org/show_bug.cgi?id=315365
rdar://177030377

Reviewed by Yijia Huang.

Legacy EH instructions are not defined in the wasm spec but are still
supported for backwards compatibility. Functions must either use legacy
or standards compliant EH instructions but not both, and the streaming
compiler needs to be updated to enforce this.

Test: JSTests/wasm/stress/streaming-compile-try-table-agreement.js

* JSTests/wasm/stress/streaming-compile-try-table-agreement.js: Added.
(compileNonStreaming):
(async compileStreaming):
(async main):
* Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:
(JSC::Wasm::EntryPlan::compileFunctions):
(JSC::Wasm::EntryPlan::failIfMixedExceptionHandlingProposals):
* Source/JavaScriptCore/wasm/WasmEntryPlan.h:
* Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp:
(JSC::Wasm::IPIntPlan::completeInStreaming):
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::rethrowSlotForDepth):
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.h:

Identifier: 305413.963@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.895@webkitglib/2.52


  Commit: bc2c08c0be62fe91811ca2e285df031cf04eaec4
      
https://github.com/WebKit/WebKit/commit/bc2c08c0be62fe91811ca2e285df031cf04eaec4
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebKit/UIProcess/Extensions/API/WebExtensionContextAPIStorage.cpp

  Log Message:
  -----------
  Cherry-pick de9fb008197a. https://bugs.webkit.org/show_bug.cgi?id=315538

[WebKit Process Model] Use-after-free in WebExtensionContext::storageSet from 
HashMap mutation during keys() iteration
https://bugs.webkit.org/show_bug.cgi?id=315538
rdar://177375129

Reviewed by Timothy Hatcher.

When WebExtensionStorageSQLiteStore::setKeyedData hits an INSERT error
mid-batch (e.g. SQLITE_FULL), it returns a keysSuccessfullySet vector
that is non-empty but smaller than the input map. The completion lambda
in storageSet then iterated `data.keys()` while calling `data.remove()`
inside the loop. `keys()` returns a live iterator range backed by raw
pointers into the HashTable buffer, and remove() can shrink/rehash and
free that buffer, leaving the iterator dangling — a heap UAF in the UI
Process driven by IPC from the WebContent process.

Replace the iterate-and-mutate loop with HashMap::removeIf, which walks
the table safely.

* Source/WebKit/UIProcess/Extensions/API/WebExtensionContextAPIStorage.cpp:
(WebKit::WebExtensionContext::storageSet):

Identifier: 305413.961@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.896@webkitglib/2.52


Compare: https://github.com/WebKit/WebKit/compare/a3630df607da...bc2c08c0be62

To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to