Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit

Commit: 2ef96d40eee1f27d782856ce63bd65ec833834e3
    https://github.com/WebKit/WebKit/commit/2ef96d40eee1f27d782856ce63bd65ec833834e3
Author: Daniel Liu <danl...@umich.edu>
Date: 2025-08-15 (Fri, 15 Aug 2025)

Changed paths:
    A JSTests/stress/json-const-raw-json-should-be-const.js
    M Source/JavaScriptCore/runtime/StructureInlines.h

Log Message:
-----------
Cherry-pick 289651.553@safari-7621-branch (62d3336558aa). https://bugs.webkit.org/show_bug.cgi?id=293970

addPropertyWithoutTransition doesn't call setContainsReadOnlyProperties
https://bugs.webkit.org/show_bug.cgi?id=293970
rdar://152417321

Reviewed by Keith Miller and Mark Lam.

When a JSRawJSONObject is initialized, its property `rawJSON` should be read-only. However, the object does not update its structure to indicate it has a read-only property. This hits an assertion failure when we try to use the object in certain scenarios.

We should make the Structure correctly register read-only properties when they are added.

* JSTests/stress/json-const-raw-json-should-be-const.js: Added.
* Source/JavaScriptCore/runtime/StructureInlines.h:
(JSC::Structure::add):
(JSC::Structure::addOrReplacePropertyWithoutTransition):

Canonical link: https://commits.webkit.org/289651.553@safari-7621-branch
Canonical link: https://commits.webkit.org/298234.20@webkitglib/2.50


Commit: c683969795c0168fc925a069cad990ecffe2bda4
    https://github.com/WebKit/WebKit/commit/c683969795c0168fc925a069cad990ecffe2bda4
Author: Said Abou-Hallawa <s...@apple.com>
Date: 2025-08-15 (Fri, 15 Aug 2025)

Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/ipc/invalid-feConvolveMatrix-crash-expected.txt
    A LayoutTests/ipc/invalid-feConvolveMatrix-crash.html
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

Log Message:
-----------
Cherry-pick 298461@main (94b0d0f626a1). https://bugs.webkit.org/show_bug.cgi?id=293707

Validate the decoded FEConvolveMatrix
https://bugs.webkit.org/show_bug.cgi?id=293707
rdar://149463698

Reviewed by Simon Fraser.

Adopt the validations of SVGFEConvolveMatrixElement::createFilterEffect() to the decoded FEConvolveMatrix to ensure the filter effect rectangle is within the dimension of FilterImage.

These validators should be enforced.
1. x of kernelSize > 0
2. 0 <= targetX < x of kernelSize
3. divisor != 0
4. kernelUnitLength cannot be negative or zero
5. kernelSize is the dimension of the flattened kernel

* LayoutTests/TestExpectations:
* LayoutTests/ipc/invalid-feConvolveMatrix-crash-expected.txt: Added.
* LayoutTests/ipc/invalid-feConvolveMatrix-crash.html: Added.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Originally-landed-as: 289651.546@safari-7621-branch (3620d2286f59). rdar://157790633
Canonical link: https://commits.webkit.org/298461@main
Canonical link: https://commits.webkit.org/298234.21@webkitglib/2.50


Commit: e89ed3aa3471ac8d7a1a7366fba65873707e641f
    https://github.com/WebKit/WebKit/commit/e89ed3aa3471ac8d7a1a7366fba65873707e641f
Author: Yusuke Suzuki <ysuz...@apple.com>
Date: 2025-08-15 (Fri, 15 Aug 2025)

Changed paths:
    A JSTests/stress/string-replace-speculate-string.js
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

Log Message:
-----------
Cherry-pick 298463@main (58218eebdaf5). https://bugs.webkit.org/show_bug.cgi?id=293730

DFG ASSERTION FAILED: Edge verification error: Node was expected to have type String but has type Cell
https://bugs.webkit.org/show_bug.cgi?id=293730
rdar://152217438

Reviewed by Yijia Huang.

We should correctly do speculateString when edge says StringUse regardless. It is possible that leading Check:String can be removed.

* JSTests/stress/string-replace-speculate-string.js: Added.
(catch):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

Originally-landed-as: 289651.555@safari-7621-branch (b3f27c30ba5e).
rdar://157790307
Canonical link: https://commits.webkit.org/298463@main
Canonical link: https://commits.webkit.org/298234.22@webkitglib/2.50


Commit: a9117a4726f4fcc288b5faaa4552e33ece9e9b09
    https://github.com/WebKit/WebKit/commit/a9117a4726f4fcc288b5faaa4552e33ece9e9b09
Author: Pascoe <pas...@apple.com>
Date: 2025-08-15 (Fri, 15 Aug 2025)

Changed paths:
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
    M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm

Log Message:
-----------
Cherry-pick 298465@main (632a293bf775). https://bugs.webkit.org/show_bug.cgi?id=294374

File picker dialog can create confusion about which page got the file
https://bugs.webkit.org/show_bug.cgi?id=294374
rdar://134570800

Reviewed by Chris Dumez.

Whenever a window is created via window.open while a file picker dialog is up, the window that was opened will be shown after the dialog is fulfilled/dismissed. This can create confusion about which page got the file because the page shown wasn't the page that got the file.

This patch fixes that by closing any open file pickers whenever a new window is created.

* Source/WebKit/UIProcess/PageClient.h:
(WebKit::PageClient::dismissAnyOpenPickers):
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::createNewPage):
* Source/WebKit/UIProcess/ios/PageClientImplIOS.h:
* Source/WebKit/UIProcess/ios/PageClientImplIOS.mm:
(WebKit::PageClientImpl::dismissAnyOpenPicker):

Originally-landed-as: 289651.572@safari-7621-branch (bcdb1e3948f7).
rdar://157789714
Canonical link: https://commits.webkit.org/298465@main
Canonical link: https://commits.webkit.org/298234.23@webkitglib/2.50

Compare: https://github.com/WebKit/WebKit/compare/b5d1062d6264...a9117a4726f4
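
The five checks listed in the "Validate the decoded FEConvolveMatrix" commit above, written out as an added example; this is not WebKit's code and not part of the original message. The struct, its field names, the `Reject` enum and `validate` are hypothetical, and the list is followed as written, so only the x-axis forms of checks 1 and 2 appear.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the decoded filter parameters. Field names follow
// the commit message; the struct is not WebKit's own type.
struct DecodedConvolveMatrix {
    int32_t kernelWidth;        // "x of kernelSize"
    int32_t kernelHeight;       // y of kernelSize
    int32_t targetX;
    float divisor;
    float kernelUnitLengthX;
    float kernelUnitLengthY;
    std::vector<float> kernel;  // flattened kernel values
};

enum class Reject { None, KernelWidth, TargetX, Divisor, KernelUnitLength, KernelDimension };

// Applies the five listed checks in order and reports the first one that fails.
Reject validate(const DecodedConvolveMatrix& m)
{
    if (m.kernelWidth <= 0)                              // check 1
        return Reject::KernelWidth;
    if (m.targetX < 0 || m.targetX >= m.kernelWidth)     // check 2
        return Reject::TargetX;
    if (m.divisor == 0)                                  // check 3
        return Reject::Divisor;
    // Check 4, written as !(x > 0) so that NaN is rejected too (a choice made here).
    if (!(m.kernelUnitLengthX > 0) || !(m.kernelUnitLengthY > 0))
        return Reject::KernelUnitLength;
    // Check 5: multiply in 64 bits; a 32-bit product of sender-chosen sizes can
    // wrap around and match a short kernel.
    if (m.kernelHeight < 0)
        return Reject::KernelDimension;
    uint64_t expected = uint64_t(m.kernelWidth) * uint64_t(m.kernelHeight);
    if (expected != m.kernel.size())
        return Reject::KernelDimension;
    return Reject::None;
}

// Constructed sample: a well-formed 3x3 kernel.
DecodedConvolveMatrix constructedSample()
{
    return { 3, 3, 1, 1.0f, 1.0f, 1.0f, std::vector<float>(9, 0.0f) };
}

int main()
{
    // Constructed sample: 65536 x 65536 wraps to 0 in 32 bits, kernel is empty.
    DecodedConvolveMatrix wrapped { 0x10000, 0x10000, 1, 1.0f, 1.0f, 1.0f, {} };
    std::printf("sample=%d wrapped=%d\n", int(validate(constructedSample())), int(validate(wrapped)));
    return 0;
}
```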