Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b49b65901c3681e159e81f4374fd25fdc11b3290
https://github.com/WebKit/WebKit/commit/b49b65901c3681e159e81f4374fd25fdc11b3290
Author: Frédéric Wang <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A LayoutTests/fast/grid/layout-positioned-grid-items-001-crash-expected.txt
A LayoutTests/fast/grid/layout-positioned-grid-items-001-crash.html
A LayoutTests/fast/grid/layout-positioned-grid-items-002-crash-expected.txt
A LayoutTests/fast/grid/layout-positioned-grid-items-002-crash.html
A LayoutTests/fast/grid/layout-positioned-grid-items-003-crash-expected.txt
A LayoutTests/fast/grid/layout-positioned-grid-items-003-crash.html
Log Message:
-----------
Add non-regression tests for bugs 287481, 287482 and 287483.
https://bugs.webkit.org/show_bug.cgi?id=287481
Reviewed by Alan Baradlay.
This adds reduced test cases for bugs reported by fuzzers:
- bug 287482 and bug 287483, fixed by https://commits.webkit.org/289863@main
- bug 287481, fixed by https://commits.webkit.org/290546@main.
* LayoutTests/fast/grid/layout-positioned-grid-items-001-crash-expected.txt: Added.
* LayoutTests/fast/grid/layout-positioned-grid-items-001-crash.html: Added.
Reduced from test case of bug 287481.
* LayoutTests/fast/grid/layout-positioned-grid-items-002-crash.html: Added.
Reduced from test case of bug 287483.
* LayoutTests/fast/grid/layout-positioned-grid-items-003-crash.html: Added.
Reduced from test case of bug 287482.
Originally-landed-as: 292955.2@webkit-embargoed (56e799de94f9). rdar://157795614
Canonical link: https://commits.webkit.org/298377@main
Commit: 2ea747749a42d71c11e5ad6f36dde43f4de306b8
https://github.com/WebKit/WebKit/commit/2ea747749a42d71c11e5ad6f36dde43f4de306b8
Author: Rob Buis <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A LayoutTests/editing/deleting/delete-multiple-styling-elements-expected.txt
A LayoutTests/editing/deleting/delete-multiple-styling-elements.html
M Source/WebCore/editing/DeleteSelectionCommand.cpp
Log Message:
-----------
stack-overflow | WebCore::Calculation::copy; WebCore::Calculation::copy; WebCore::Calculation::copy
https://bugs.webkit.org/show_bug.cgi?id=289378
rdar://144403520
Reviewed by Ryosuke Niwa.
The node loop in makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss can change the DOM, so split it up in two parts.
* LayoutTests/editing/deleting/delete-multiple-styling-elements-expected.txt: Added.
* LayoutTests/editing/deleting/delete-multiple-styling-elements.html: Added.
* Source/WebCore/editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss):
Originally-landed-as: 292955.4@webkit-embargoed (55ed8716be7f). rdar://157795436
Canonical link: https://commits.webkit.org/298378@main
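The hazard the commit message above names, a node loop that mutates the DOM it is walking, is easy to reproduce on a toy tree. The following is an added example, not WebKit's code: a hypothetical Node/Tree arena stands in for the DOM, `moveDirectlyUnder` stands in for the "make it a direct child of the editable root" step, and the single-pass loop is contrasted with the collect-then-mutate shape the fix describes.

```cpp
// Added example, not WebKit code: the single-pass loop below walks a child
// list that the move operation erases from, so it skips a sibling; the
// two-phase version snapshots first and mutates afterwards.
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a DOM node; children are non-owning pointers
// into the Tree arena below.
struct Node {
    std::string tag;
    Node* parent = nullptr;
    std::vector<Node*> children;
};

struct Tree {
    std::vector<std::unique_ptr<Node>> arena;
    Node* make(const std::string& tag, Node* parent) {
        arena.push_back(std::make_unique<Node>());
        Node* n = arena.back().get();
        n->tag = tag;
        n->parent = parent;
        if (parent)
            parent->children.push_back(n);
        return n;
    }
};

// "Styling element" in the sense of the commit: <style> or <link>.
static bool isStylingElement(const Node* n) { return n->tag == "style" || n->tag == "link"; }

// Detach node from its parent's child list and append it under root.
// This is the DOM mutation that invalidates any in-progress walk of the list.
static void moveDirectlyUnder(Node* root, Node* node) {
    auto& siblings = node->parent->children;
    siblings.erase(std::find(siblings.begin(), siblings.end(), node));
    node->parent = root;
    root->children.push_back(node);
}

// Buggy shape: mutate while iterating. Erasing children[i] shifts the next
// sibling into slot i, and ++i then steps over it. (An iterator-based loop
// would be undefined behaviour rather than merely wrong.)
static int hoistSinglePass(Node* root, Node* container) {
    int moved = 0;
    for (size_t i = 0; i < container->children.size(); ++i) {
        Node* c = container->children[i];
        if (isStylingElement(c)) {
            moveDirectlyUnder(root, c);
            ++moved;
        }
    }
    return moved;
}

// Fixed shape: phase 1 collects without touching the tree, phase 2 mutates
// from the snapshot. Every styling element is visited exactly once.
static int hoistTwoPhase(Node* root, Node* container) {
    std::vector<Node*> toMove;
    for (Node* c : container->children)
        if (isStylingElement(c))
            toMove.push_back(c);
    for (Node* c : toMove)
        moveDirectlyUnder(root, c);
    return static_cast<int>(toMove.size());
}

// Constructed fixture: body > div > [style, link, p]. Returns how many
// styling elements the chosen strategy actually moved.
static int runHoist(bool twoPhase) {
    Tree t;
    Node* root = t.make("body", nullptr);
    Node* div = t.make("div", root);
    t.make("style", div);
    t.make("link", div);
    t.make("p", div);
    return twoPhase ? hoistTwoPhase(root, div) : hoistSinglePass(root, div);
}

int main() {
    std::printf("single pass moved %d, two-phase moved %d\n", runHoist(false), runHoist(true));
    return 0;
}
```

With the fixture above the single pass moves only the first styling element and skips the second; in real engine code the same pattern can also re-enter layout or style work mid-walk, which is why the fix separates the read phase from the mutation phase rather than patching the index.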
Commit: 83ab558246f2ebcaf4dc89f32e0668dfa85abc08
https://github.com/WebKit/WebKit/commit/83ab558246f2ebcaf4dc89f32e0668dfa85abc08
Author: Yusuke Suzuki <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A JSTests/stress/variable-initialization-error-check.js
M Source/JavaScriptCore/interpreter/Interpreter.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
M Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
M Source/JavaScriptCore/runtime/JSObject.cpp
M Source/JavaScriptCore/runtime/JSTemplateObjectDescriptor.cpp
M Source/JavaScriptCore/runtime/ObjectPrototype.cpp
M Source/JavaScriptCore/runtime/ProgramExecutable.cpp
Log Message:
-----------
[JSC] ASSERTION FAILED: Unexpected exception observed on thread Thread
https://bugs.webkit.org/show_bug.cgi?id=291747
rdar://149546774
Reviewed by Yijia Huang.
Many operations (e.g. JSObject::put with stack overflow detection) can throw random errors. Thus, let's use RETURN_IF_EXCEPTION more instead of assertNoExceptionExceptTermination.
* JSTests/stress/variable-initialization-error-check.js: Added.
(C0):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::Interpreter::executeEval):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::canDeclareGlobalFunction):
(JSC::JSGlobalObject::createGlobalFunctionBinding):
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::createGlobalVarBinding):
* Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::getOwnNonIndexPropertyNames):
* Source/JavaScriptCore/runtime/JSTemplateObjectDescriptor.cpp:
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* Source/JavaScriptCore/runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeHasOwnProperty):
* Source/JavaScriptCore/runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
Originally-landed-as: 289651.444@safari-7621-branch (b850d2257e8d). rdar://157795300
Canonical link: https://commits.webkit.org/298379@main
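The pattern the commit message above describes, checking for a pending exception after every call that can throw rather than asserting that none occurred, can be shown with a toy VM. This is an added example and not JavaScriptCore's code: `VM`, `ThrowScope`, `declareGlobalBinding` and the `RETURN_IF_EXCEPTION_EX` macro are hypothetical stand-ins loosely modelled on the engine's exception-scope idea, and the "stack overflow" is a simulated depth limit.

```cpp
// Added example, not JavaScriptCore code: a toy VM modelling a pending
// exception, an operation that can throw on simulated stack overflow, and
// a RETURN_IF_EXCEPTION-style check versus silently running past the throw.
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

struct VM {
    bool hasException = false;
    std::string exceptionMessage;
    int stackDepth = 0;
    int maxStackDepth = 3;            // hypothetical limit; exceeding it "overflows"
    int unexpectedObservations = 0;   // scopes entered while an exception was pending
    std::vector<std::string> bindings;
};

// Loosely modelled on an exception scope: entering one while an unhandled
// exception is already pending is the "Unexpected exception observed" case.
// A real debug build would assert; this counts so the example can be checked.
struct ThrowScope {
    explicit ThrowScope(VM& vm) {
        if (vm.hasException)
            ++vm.unexpectedObservations;
    }
};

// Hypothetical operation the caller "knows" cannot fail, except that it
// detects stack overflow and throws a RangeError.
static bool declareGlobalBinding(VM& vm, const std::string& name) {
    ThrowScope scope(vm);
    (void)scope;
    if (++vm.stackDepth > vm.maxStackDepth) {
        vm.hasException = true;
        vm.exceptionMessage = "RangeError: Maximum call stack size exceeded";
        return false;
    }
    vm.bindings.push_back(name);
    return true;
}

// Local stand-in for RETURN_IF_EXCEPTION: check right after any call that
// can throw and unwind immediately.
#define RETURN_IF_EXCEPTION_EX(vm, value) \
    do { if ((vm).hasException) return (value); } while (0)

struct Outcome {
    size_t bindingsCreated;
    int unexpectedObservations;
    bool exceptionPending;
};

static Outcome snapshot(const VM& vm) {
    return {vm.bindings.size(), vm.unexpectedObservations, vm.hasException};
}

// Wrong shape: treats declareGlobalBinding as infallible and keeps calling
// into the VM after it has thrown.
static Outcome initializeGlobalsUnchecked(VM& vm, const std::vector<std::string>& names) {
    for (const auto& n : names)
        declareGlobalBinding(vm, n);
    return snapshot(vm);
}

// Fixed shape: propagate as soon as the exception is observed.
static Outcome initializeGlobalsChecked(VM& vm, const std::vector<std::string>& names) {
    for (const auto& n : names) {
        declareGlobalBinding(vm, n);
        RETURN_IF_EXCEPTION_EX(vm, snapshot(vm));
    }
    return snapshot(vm);
}

// Constructed input: five bindings against a depth limit of three, so the
// fourth declaration throws and the fifth runs with an exception pending.
static const std::vector<std::string> kNames = {"a", "b", "c", "d", "e"};

static Outcome runUnchecked() { VM vm; return initializeGlobalsUnchecked(vm, kNames); }
static Outcome runChecked()   { VM vm; return initializeGlobalsChecked(vm, kNames); }

int main() {
    Outcome u = runUnchecked(), c = runChecked();
    std::printf("unchecked: %zu bindings, %d unexpected observations\n", u.bindingsCreated, u.unexpectedObservations);
    std::printf("checked:   %zu bindings, %d unexpected observations\n", c.bindingsCreated, c.unexpectedObservations);
    return 0;
}
```

Both shapes leave the same exception pending and create the same three bindings; the difference is that the unchecked loop enters a further throw scope with that exception still unhandled, which is exactly the state a debug assertion of the form in the bug title is there to catch.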
Commit: c1ec6110d0328f22d38353891c01b05be06f57b9
https://github.com/WebKit/WebKit/commit/c1ec6110d0328f22d38353891c01b05be06f57b9
Author: Ronan Turner <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
M Source/WebKit/Shared/API/Cocoa/RemoteObjectRegistry.h
M Source/WebKit/Shared/API/Cocoa/RemoteObjectRegistry.mm
M Source/WebKit/Shared/API/Cocoa/WKRemoteObjectCoder.mm
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WebKitCocoa/RemoteObjectRegistry-BadReplyBlock.html
M Tools/TestWebKitAPI/Tests/WebKitCocoa/RemoteObjectRegistry.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/RemoteObjectRegistry.mm
A Tools/TestWebKitAPI/Tests/WebKitCocoa/coreipc-helpers.js
A Tools/TestWebKitAPI/Tests/WebKitCocoa/coreipc.js
Log Message:
-----------
RemoteObjectRegistry should decode an invocation with a ReplyBlock if expected.
https://bugs.webkit.org/show_bug.cgi?id=290377
rdar://145728621
Reviewed by Alex Christensen.
RemoteObjectRegistry had a logic issue when decoding a RemoteInvocation. If a CallReplyBlock message was received, this would contain an encoded NSInvocation representing the method to call and the arguments. It was possible to supply an alternate selector, with differing arguments, and still have the original ReplyBlock called with these, leading to a mismatch in argument types.
The RemoteObjectRegistry should ensure the NSInvocation is decoded based on the original expected ReplyBlock, instead of accepting another selector from the wire.
Originally-landed-as: 289651.466@safari-7621-branch (4a186489a84d). rdar://157795161
Canonical link: https://commits.webkit.org/298380@main
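The logic issue the commit message above describes is a classic IPC type-confusion shape: the receiver lets the message choose which signature its arguments are decoded against, instead of the reply block it registered itself. The following is an added example and not WebKit's code: `RemoteInvocation`, `PendingReply`, `Registry`, the selector table and both dispatch functions are hypothetical, and the argument encoding is a constructed stand-in for an encoded NSInvocation.

```cpp
// Added example, not WebKit code: decoding a reply invocation against the
// reply block the local side registered, not the selector named on the wire.
#include <cassert>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <vector>

enum class ArgType { Int = 0, String = 1 };

// One encoded argument (hypothetical wire format).
struct Arg {
    ArgType type;
    long intValue;
    std::string stringValue;
};

// What a peer sends to invoke a pending reply block.
struct RemoteInvocation {
    unsigned replyID;
    std::string selector;
    std::vector<Arg> args;
};

// What the local side recorded when it handed out the reply block.
struct PendingReply {
    std::string selector;
    std::vector<ArgType> signature;
    std::function<void(const std::vector<Arg>&)> block;
};

// Known selectors and their argument types (constructed for the example).
static const std::map<std::string, std::vector<ArgType>>& selectorTable() {
    static const std::map<std::string, std::vector<ArgType>> table = {
        {"didFinishWithCount:", {ArgType::Int}},
        {"didFinishWithMessage:", {ArgType::String}},
    };
    return table;
}

static bool matchesSignature(const std::vector<Arg>& args, const std::vector<ArgType>& sig) {
    if (args.size() != sig.size())
        return false;
    for (size_t i = 0; i < args.size(); ++i)
        if (args[i].type != sig[i])
            return false;
    return true;
}

struct Registry {
    std::map<unsigned, PendingReply> pending;
};

// Vulnerable shape: validates the arguments against whatever selector the
// message names, then calls the registered block with them anyway.
static bool dispatchTrustingWireSelector(Registry& r, const RemoteInvocation& inv) {
    auto it = r.pending.find(inv.replyID);
    if (it == r.pending.end())
        return false;
    auto sig = selectorTable().find(inv.selector);
    if (sig == selectorTable().end() || !matchesSignature(inv.args, sig->second))
        return false;
    it->second.block(inv.args);   // block expected Int, may receive String
    r.pending.erase(it);
    return true;
}

// Fixed shape: the expected selector and signature come from the registered
// reply; a mismatch is rejected before anything is invoked.
static bool dispatchAgainstExpectedReply(Registry& r, const RemoteInvocation& inv) {
    auto it = r.pending.find(inv.replyID);
    if (it == r.pending.end())
        return false;
    const PendingReply& expected = it->second;
    if (inv.selector != expected.selector || !matchesSignature(inv.args, expected.signature))
        return false;
    expected.block(inv.args);
    r.pending.erase(it);
    return true;
}

// Registers a reply expecting one Int, then delivers either a legitimate
// message or a constructed one naming a different selector with a String.
// Returns -1 if the block was not invoked, else the ArgType it received.
static int runReplyScenario(bool useExpectedReply, bool attackerMessage) {
    int seen = -1;
    Registry r;
    r.pending[7] = PendingReply{"didFinishWithCount:", {ArgType::Int},
        [&seen](const std::vector<Arg>& args) { seen = static_cast<int>(args[0].type); }};
    RemoteInvocation inv = attackerMessage
        ? RemoteInvocation{7, "didFinishWithMessage:", {Arg{ArgType::String, 0, "not a count"}}}
        : RemoteInvocation{7, "didFinishWithCount:", {Arg{ArgType::Int, 42, ""}}};
    if (useExpectedReply)
        dispatchAgainstExpectedReply(r, inv);
    else
        dispatchTrustingWireSelector(r, inv);
    return seen;
}

int main() {
    std::printf("trusting wire selector, hostile message: block saw type %d\n", runReplyScenario(false, true));
    std::printf("expected-reply check, hostile message: block saw type %d\n", runReplyScenario(true, true));
    return 0;
}
```

In the trusting version every per-selector check passes because the attacker picked the selector, so the registered block runs on an argument of the wrong type; with real NSInvocation argument decoding that is an object-versus-integer confusion in the UI process rather than a harmless enum mismatch.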
Commit: eee20c1971ee579f81ba731bcc3aee847f680aa4
https://github.com/WebKit/WebKit/commit/eee20c1971ee579f81ba731bcc3aee847f680aa4
Author: Rob Buis <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A LayoutTests/fast/multicol/video-not-removed-from-fragmented-flow-crash-expected.txt
A LayoutTests/fast/multicol/video-not-removed-from-fragmented-flow-crash.html
M Source/WebCore/rendering/RenderElement.cpp
Log Message:
-----------
ASAN_TRAP | WebCore::RenderFragmentedFlow::removeRenderBoxFragmentInfo; WebCore::RenderFragmentedFlow::removeFlowChildInfo; WebCore::RenderElement::removeFromRenderFragmentedFlowIncludingDescendants
https://bugs.webkit.org/show_bug.cgi?id=288447
Reviewed by Alan Baradlay.
In the test case the video element is added to a fragmented flow, but is not properly removed when it becomes out of flow due to the popover attribute. The logic in RenderElement::adjustFragmentedFlowStateOnContainingBlockChangeIfNeeded will not work for this kind of element since the fragmented flow container information is not known anymore, the video having become a top-level element.
To properly remove renderers from their fragmented flow, detect this situation in RenderElement::styleWillChange, and use the fragmented flow access (through locateEnclosingFragmentedFlow()) before the containing block is changed.
* LayoutTests/fast/multicol/video-not-removed-from-fragmented-flow-crash-expected.txt: Added.
* LayoutTests/fast/multicol/video-not-removed-from-fragmented-flow-crash.html: Added.
* Source/WebCore/rendering/RenderElement.cpp:
(WebCore::RenderElement::styleWillChange):
Originally-landed-as: 292955.3@webkit-embargoed (19b66665ae74). rdar://157795098
Canonical link: https://commits.webkit.org/298381@main
Compare: https://github.com/WebKit/WebKit/compare/4cc881d4933f...eee20c1971ee
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes