Branch: refs/heads/webkitglib/2.48
Home: https://github.com/WebKit/WebKit
Commit: d7fbe50cbcb3887731aced7762b472937bf35e49
https://github.com/WebKit/WebKit/commit/d7fbe50cbcb3887731aced7762b472937bf35e49
Author: Michael Catanzaro <mcatanz...@redhat.com>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
Log Message:
-----------
Suppress -Wunused-private-field warning in WasmTypeDefinition.h
Unreviewed stable branch commit.
This appears to be an LLVM bug, since the field is definitely used. The
bug does not occur on the main branch, so no sense in thinking too much
about it.
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
Commit: a82e29688153935b81e08fd0554b32a6d4422475
https://github.com/WebKit/WebKit/commit/a82e29688153935b81e08fd0554b32a6d4422475
Author: Chris Dumez <cdu...@apple.com>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp
M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h
Log Message:
-----------
Cherry-pick 283286.613@safari-7620-branch (5b3e0da4e98b).
https://bugs.webkit.org/show_bug.cgi?id=285853
[Hardening] Validate transaction type on release builds in
MemoryIDBBackingStore.cpp
https://bugs.webkit.org/show_bug.cgi?id=285853
rdar://142170053
Reviewed by Sihui Liu.
Validate transaction type on release builds in MemoryIDBBackingStore.cpp
since IPC
sent by a compromised WebProcess could cause this to happen, which would
lead to
corruption.
* Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp:
(WebCore::IDBServer::MemoryIDBBackingStore::createObjectStore):
(WebCore::IDBServer::MemoryIDBBackingStore::deleteObjectStore):
(WebCore::IDBServer::MemoryIDBBackingStore::renameObjectStore):
(WebCore::IDBServer::MemoryIDBBackingStore::createIndex):
(WebCore::IDBServer::MemoryIDBBackingStore::deleteIndex):
(WebCore::IDBServer::MemoryIDBBackingStore::renameIndex):
* Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.cpp:
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::createObjectStore):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::deleteObjectStore):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::renameObjectStore):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::createIndex):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::deleteIndex):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::renameIndex):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::createIndex):
(WebKit::NetworkStorageManager::deleteIndex):
(WebKit::NetworkStorageManager::renameIndex):
Canonical link: https://commits.webkit.org/283286.613@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.17@safari-7621-branch
Commit: 283d3b87e584de87b7391e47818ccea0f1bd90fd
https://github.com/WebKit/WebKit/commit/283d3b87e584de87b7391e47818ccea0f1bd90fd
Author: Keith Miller <keith_mil...@apple.com>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/wasm/stress/js-to-wasm-calls-wrong-memory-mode.js
M Source/JavaScriptCore/interpreter/CalleeBits.h
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/llint/WebAssembly.asm
M Source/JavaScriptCore/offlineasm/arm64.rb
M Source/JavaScriptCore/offlineasm/cloop.rb
M Source/JavaScriptCore/offlineasm/instructions.rb
M Source/JavaScriptCore/offlineasm/x86.rb
M Source/JavaScriptCore/runtime/NativeCallee.h
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
M Source/JavaScriptCore/wasm/WasmFormat.h
M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
M Source/JavaScriptCore/wasm/WasmMemory.cpp
M Source/JavaScriptCore/wasm/WasmMemory.h
M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.h
M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
Log Message:
-----------
Cherry-pick 289651.47@safari-7621-branch (8f74b8980eba).
https://bugs.webkit.org/show_bug.cgi?id=286946
JSToWasm non-IC entrypoints should load the entry point the same way as the
IC.
https://bugs.webkit.org/show_bug.cgi?id=286946
rdar://143456523
Reviewed by Yusuke Suzuki.
Right now when we tier up a function to BBQ/OMG we set the
JSEntrypointCallee's entrypoint
to the prologue of the newly compiled code. This is wrong because we share
JSEntrypointCallee
between BoundsChecking and Signaling instances. This means if tier up a
Signaling instance to
we could inadvertently call the Signaling code from a BoundsChecking
instance.
To fix this the interpreted/shared JIT JSToWasm entrypoints now do the same
logic as the
inline cache entrypoint and load the callee's entrypoint from the indirect
location. This
means we need to keep the JS WebAssemblyFunction until we're basically
ready to call the
into wasm.
Finally, since there's basically no scratches left I added a
BoxedNativeCalleePtrTraits
so the Ref<> of the target Callee can be saved as a boxed pointer rather
than as a raw
pointer. So now we no longer need to box the callee at runtime.
* Source/JavaScriptCore/interpreter/CalleeBits.h:
(JSC::CalleeBits::CalleeBits):
(JSC::CalleeBits::operator=):
(JSC::CalleeBits::operator bool const):
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/offlineasm/arm64.rb:
* Source/JavaScriptCore/offlineasm/cloop.rb:
* Source/JavaScriptCore/offlineasm/instructions.rb:
* Source/JavaScriptCore/offlineasm/x86.rb:
* Source/JavaScriptCore/runtime/NativeCallee.h:
(JSC::BoxedNativeCalleePtrTraits::unwrap):
(JSC::BoxedNativeCalleePtrTraits::exchange):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunction):
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::JSEntrypointCallee::JSEntrypointCallee):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::isBBQCalleeFromThisGroup const):
(JSC::Wasm::CalleeGroup::updateCallsitesToCallUs):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.h:
* Source/JavaScriptCore/wasm/WasmFormat.h:
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::jitCompileAndSetHeuristics):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmJITShared):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::initElementSegment):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
(JSC::m_frameSize):
(): Deleted.
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::initializeExports):
Canonical link: https://commits.webkit.org/289651.47@safari-7621-branch
Commit: 943d0ab40164ca814541c434135d321b1146d1e7
https://github.com/WebKit/WebKit/commit/943d0ab40164ca814541c434135d321b1146d1e7
Author: Daniel Liu <daniel_l...@apple.com>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/yarr/YarrParser.h
M Source/JavaScriptCore/yarr/YarrPattern.cpp
M Source/JavaScriptCore/yarr/YarrSyntaxChecker.cpp
M Source/WebCore/contentextensions/URLFilterParser.cpp
Log Message:
-----------
Cherry-pick 289651.81@safari-7621-branch (84bb07bd2a22).
https://bugs.webkit.org/show_bug.cgi?id=287185
Allow YarrParser delegates to terminate the parser upon reaching an error
https://bugs.webkit.org/show_bug.cgi?id=287185
rdar://144252733
Reviewed by Mark Lam.
When a syntax error occurs in YarrPatternConstructor, there are cases
where the pattern constructor does not properly add terms to the
disjunction, since the pattern is invalid. Thus, we should terminate
pattern construction to avoid transformations on bad internal state.
* Source/JavaScriptCore/yarr/YarrParser.h:
(JSC::Yarr::Parser::parseTokens):
(JSC::Yarr::Parser::parse):
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::CharacterClassConstructor::hasInvertedStrings):
(JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
(JSC::Yarr::YarrPatternConstructor::copyDisjunction):
(JSC::Yarr::YarrPatternConstructor::abortedDueToError const):
(JSC::Yarr::CharacterClassConstructor::hasInverteStrings): Deleted.
* Source/JavaScriptCore/yarr/YarrSyntaxChecker.cpp:
(JSC::Yarr::SyntaxChecker::abortedDueToError):
* Source/WebCore/contentextensions/URLFilterParser.cpp:
(WebCore::ContentExtensions::PatternParser::abortedDueToError):
Canonical link: https://commits.webkit.org/289651.81@safari-7621-branch
Commit: 80fc85dcfbc994e312c3ba307019549e209354c6
https://github.com/WebKit/WebKit/commit/80fc85dcfbc994e312c3ba307019549e209354c6
Author: Claudio Saavedra <csaave...@igalia.com>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
Log Message:
-----------
Cherry-pick 289651.7@webkit-2025.2-embargoed (d3ca3297d8b8).
https://bugs.webkit.org/show_bug.cgi?id=286835
ASAN_TRAP | JSArrayBufferView::ConstructionContext::ConstructionContext;
JSC::JSGenericTypedArrayView::create; JSC::GenericTypedArrayView::wrapImpl
https://bugs.webkit.org/show_bug.cgi?id=286835
Reviewed by Keith Miller.
Follow-up fix to 289651.4@webkit-2025.2-embargoed. Instead of modifying
the create() method, let's add a tryCreate() instead and use it when
calling wrapImpl() to wrap an impl array, to preserve the invariant from
the original method.
This partly reverts the changes in 289651.4@webkit-2025.2-embargoed to
preserve the invariant for other callers.
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::wrapImpl):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
(JSC::JSGenericTypedArrayView<Adaptor>::tryCreate):
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):
Canonical link: https://commits.webkit.org/289651.7@webkit-2025.2-embargoed
Canonical link: https://commits.webkit.org/289651.200@safari-7621-branch
Compare: https://github.com/WebKit/WebKit/compare/2569e17b04b3...80fc85dcfbc9
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
