Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 94b0d0f626a15a3b8acba7e48c75cc67ddd4b81c
https://github.com/WebKit/WebKit/commit/94b0d0f626a15a3b8acba7e48c75cc67ddd4b81c
Author: Said Abou-Hallawa <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/invalid-feConvolveMatrix-crash-expected.txt
A LayoutTests/ipc/invalid-feConvolveMatrix-crash.html
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Validate the decoded FEConvolveMatrix
https://bugs.webkit.org/show_bug.cgi?id=293707
rdar://149463698
Reviewed by Simon Fraser.
Adopt the validations of SVGFEConvolveMatrixElement::createFilterEffect() to the
decoded FEConvolveMatrix to ensure the filter effect rectangle is within the
dimension of FilterImage. These validators should be enforced.
1. x of kernelSize > 0
2. 0 <= targetX < x of kernelSize
3. divisor != 0
4. kernelUnitLength cannot be negative or zero
5. kernelSize is the dimension of the flattened kernel
* LayoutTests/TestExpectations:
* LayoutTests/ipc/invalid-feConvolveMatrix-crash-expected.txt: Added.
* LayoutTests/ipc/invalid-feConvolveMatrix-crash.html: Added.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Originally-landed-as: 289651.546@safari-7621-branch (3620d2286f59).
rdar://157790633
Canonical link: https://commits.webkit.org/298461@main
Commit: 8857f57673cdf461f55124d8c8c65e0916c96b84
https://github.com/WebKit/WebKit/commit/8857f57673cdf461f55124d8c8c65e0916c96b84
Author: Daniel Liu <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A JSTests/stress/json-const-raw-json-should-be-const.js
M Source/JavaScriptCore/runtime/StructureInlines.h
Log Message:
-----------
addPropertyWithoutTransition doesn't call setContainsReadOnlyProperties
https://bugs.webkit.org/show_bug.cgi?id=293970
rdar://152417321
Reviewed by Keith Miller and Mark Lam.
When a JSRawJSONObject is initialized, its property `rawJSON` should be read-only. However, the object does not update its structure to indicate it has a read-only property. This hits an assertion failure when we try to use the object in certain scenarios. We should make the Structure correctly register read-only properties when they are added.
* JSTests/stress/json-const-raw-json-should-be-const.js: Added.
* Source/JavaScriptCore/runtime/StructureInlines.h:
(JSC::Structure::add):
(JSC::Structure::addOrReplacePropertyWithoutTransition):
Originally-landed-as: 289651.553@safari-7621-branch (62d3336558aa).
rdar://157790460
Canonical link: https://commits.webkit.org/298462@main
Commit: 58218eebdaf5770a7c89bd3e09007a3c260b38f1
https://github.com/WebKit/WebKit/commit/58218eebdaf5770a7c89bd3e09007a3c260b38f1
Author: Yusuke Suzuki <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A JSTests/stress/string-replace-speculate-string.js
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
DFG ASSERTION FAILED: Edge verification error: Node was expected to have type String but has type Cell
https://bugs.webkit.org/show_bug.cgi?id=293730
rdar://152217438
Reviewed by Yijia Huang.
We should correctly do speculateString when edge says StringUse
regardless. It is possible that leading Check:String can be removed.
* JSTests/stress/string-replace-speculate-string.js: Added.
(catch):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
Originally-landed-as: 289651.555@safari-7621-branch (b3f27c30ba5e).
rdar://157790307
Canonical link: https://commits.webkit.org/298463@main
Commit: b5ecfaf8e75a6bec4d9db9cd9b479643cb39b46d
https://github.com/WebKit/WebKit/commit/b5ecfaf8e75a6bec4d9db9cd9b479643cb39b46d
Author: Youenn Fablet <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
A LayoutTests/ipc/videoEncode-expected.txt
A LayoutTests/ipc/videoEncode.html
M Source/WebKit/GPUProcess/webrtc/LibWebRTCCodecsProxy.h
M Source/WebKit/GPUProcess/webrtc/LibWebRTCCodecsProxy.mm
Log Message:
-----------
rdar://152426694 ([CoreIPC] VTEncoderXPCService crash in PreEncoderAve::InitBlkScanOrdrMapping_h264)
Reviewed by Eric Carlson and Jean-Yves Avenard.
H264 can only process up to 139264 macroblocks, which puts a hard limit on frame size.
VTB has limits as well which are below this.
We are adding a check that width should be equal to or below 8680 and height equal to or below 4320.
From testing, we do not need to add a similar check in LibWebRTCCodecsProxy::encodeFrame.
We do not add HEVC checks since we are protected by width and height being uint16_t values.
* LayoutTests/ipc/videoEncode-expected.txt: Added.
* LayoutTests/ipc/videoEncode.html: Added.
* Source/WebKit/GPUProcess/webrtc/LibWebRTCCodecsProxy.h:
* Source/WebKit/GPUProcess/webrtc/LibWebRTCCodecsProxy.mm:
(WebKit::LibWebRTCCodecsProxy::createEncoder):
(WebKit::validateEncoderInitializationData):
(WebKit::LibWebRTCCodecsProxy::initializeEncoder):
(WebKit::LibWebRTCCodecsProxy::encodeFrame):
Originally-landed-as: 289651.557@safari-7621-branch (958622210a02).
rdar://157790143
Canonical link: https://commits.webkit.org/298464@main
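The FEConvolveMatrix commit above and this encoder commit apply the same defensive pattern: values decoded from IPC are re-checked against the invariants the sender was supposed to honour before they reach code that sizes buffers or indexes with them. The C++ below is an added illustration of that pattern, not WebKit's code; the struct layout, field and function names are my own simplification, and the y-axis and targetY checks extend the five listed rules by symmetry.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for the decoded FEConvolveMatrix parameters.
// Assumption: field names mirror the SVG attributes, not WebCore's real layout.
struct DecodedConvolveMatrix {
    int kernelSizeX;                 // "x of kernelSize": kernel columns
    int kernelSizeY;                 // kernel rows
    int targetX;
    int targetY;
    float divisor;
    float kernelUnitLengthX;
    float kernelUnitLengthY;
    std::vector<float> kernelMatrix; // flattened kernel, row-major
};

// Mirrors the five rules in the commit message; any violation rejects the
// decoded message instead of letting it reach the filter code.
bool isValidConvolveMatrix(const DecodedConvolveMatrix& m)
{
    if (m.kernelSizeX <= 0 || m.kernelSizeY <= 0)              // rule 1
        return false;
    if (m.targetX < 0 || m.targetX >= m.kernelSizeX)            // rule 2
        return false;
    if (m.targetY < 0 || m.targetY >= m.kernelSizeY)            // rule 2, y axis
        return false;
    if (m.divisor == 0)                                         // rule 3
        return false;
    if (m.kernelUnitLengthX <= 0 || m.kernelUnitLengthY <= 0)   // rule 4
        return false;
    // Rule 5: the flattened kernel must hold exactly kernelSizeX * kernelSizeY
    // entries. Multiply in 64 bits so hostile sizes cannot overflow int.
    const std::uint64_t expected =
        static_cast<std::uint64_t>(m.kernelSizeX) * static_cast<std::uint64_t>(m.kernelSizeY);
    return m.kernelMatrix.size() == expected;
}

// Frame-size cap from the VTEncoder commit: width <= 8680 and height <= 4320.
// The fields are uint16_t, as the commit notes, so no sign handling is needed.
constexpr std::uint16_t kMaxH264Width = 8680;
constexpr std::uint16_t kMaxH264Height = 4320;

bool isValidH264EncoderSize(std::uint16_t width, std::uint16_t height)
{
    return width <= kMaxH264Width && height <= kMaxH264Height;
}
```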
Commit: 632a293bf775414759bae05c34f380f2e624a2f6
https://github.com/WebKit/WebKit/commit/632a293bf775414759bae05c34f380f2e624a2f6
Author: Pascoe <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
M Source/WebKit/UIProcess/PageClient.h
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
Log Message:
-----------
File picker dialog can create confusion about which page got the file
https://bugs.webkit.org/show_bug.cgi?id=294374
rdar://134570800
Reviewed by Chris Dumez.
Whenever a window is created via window.open while a file picker dialog is up, the window that was opened will be shown after the dialog is fulfilled/dismissed. This can create confusion about which page got the file because the page shown wasn't the page that got the file. This patch fixes that by closing any open file pickers whenever a new window is created.
* Source/WebKit/UIProcess/PageClient.h:
(WebKit::PageClient::dismissAnyOpenPickers):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/ios/PageClientImplIOS.h:
* Source/WebKit/UIProcess/ios/PageClientImplIOS.mm:
(WebKit::PageClientImpl::dismissAnyOpenPicker):
Originally-landed-as: 289651.572@safari-7621-branch (bcdb1e3948f7).
rdar://157789714
Canonical link: https://commits.webkit.org/298465@main
Commit: 666b647c850902c8bfae1f748756cfb8c539c607
https://github.com/WebKit/WebKit/commit/666b647c850902c8bfae1f748756cfb8c539c607
Author: Rob Buis <[email protected]>
Date: 2025-08-08 (Fri, 08 Aug 2025)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/ipc/restore-empty-stack-crash-expected.txt
A LayoutTests/ipc/restore-empty-stack-crash.html
M Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.cpp
Log Message:
-----------
Release assert in Vector::at via DisplayList::Recorder::didUpdateSingleState
https://bugs.webkit.org/show_bug.cgi?id=293971
Reviewed by Said Abou-Hallawa.
Restore should not clear the last state stack entry if the state stack entry is zero or one.
* LayoutTests/TestExpectations:
* LayoutTests/ipc/restore-empty-stack-crash-expected.txt: Added.
* LayoutTests/ipc/restore-empty-stack-crash.html: Added.
* Source/WebCore/platform/graphics/displaylists/DisplayListRecorderImpl.cpp:
(WebCore::DisplayList::RecorderImpl::restore):
Originally-landed-as: [email protected] (0f1f962ca278).
rdar://157789154
Canonical link: https://commits.webkit.org/298466@main
Compare: https://github.com/WebKit/WebKit/compare/9ced4cd71b21...666b647c8509
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes