Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit

Commit: 5584ef3efc4c6ace4676becbff90d1377755af4a
https://github.com/WebKit/WebKit/commit/5584ef3efc4c6ace4676becbff90d1377755af4a
Author: Antti Koivisto <an...@apple.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)

Changed paths:
  A LayoutTests/fast/selectors/attribute-invalidation-large-expected.txt
  A LayoutTests/fast/selectors/attribute-invalidation-large.html
  M Source/WebCore/css/CSSSelectorList.cpp
  M Source/WebCore/css/CSSSelectorList.h
  M Source/WebCore/style/StyleScopeRuleSets.cpp

Log Message:
-----------
Cherry-pick 299018@main (0ac2f442652f). https://bugs.webkit.org/show_bug.cgi?id=297591

REGRESSION (294191@main): Extremely slow applying a large style
https://bugs.webkit.org/show_bug.cgi?id=297591
rdar://158700409

Reviewed by Alan Baradlay.

If there is a stylesheet with lots of attribute selectors like

[someattr *= foo1]
[someattr *= foo2]
...

targeting a single attribute then the invalidation selector list for that attribute can grow large.
The current code for appending to this selector list is O(n^2) so things can get slow when constructing a large list.

* LayoutTests/fast/selectors/attribute-invalidation-large-expected.txt: Added.
* LayoutTests/fast/selectors/attribute-invalidation-large.html: Added.
* Source/WebCore/css/CSSSelectorList.cpp:
(WebCore::CSSSelectorList::makeJoining):

Add a version of makeJoining that takes a vector of selector lists.

* Source/WebCore/css/CSSSelectorList.h:
* Source/WebCore/style/StyleScopeRuleSets.cpp:
(WebCore::Style::ensureInvalidationRuleSets):

Collect the relevant selector lists using a vector and only join them at the end.

Canonical link: https://commits.webkit.org/299018@main
Canonical link: https://commits.webkit.org/298234.28@webkitglib/2.50

Commit: 1e65f8b6534103e871337673c2093cd0a6f043ba
https://github.com/WebKit/WebKit/commit/1e65f8b6534103e871337673c2093cd0a6f043ba
Author: Fujii Hironori <fu...@igalia.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)

Changed paths:
  A LayoutTests/css3/filters/drop-shadow-current-color-expected.html
  A LayoutTests/css3/filters/drop-shadow-current-color.html
  M LayoutTests/platform/mac-wk1/TestExpectations
  M Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp
  M Source/WebCore/platform/graphics/texmap/coordinated/GraphicsLayerCoordinated.cpp

Log Message:
-----------
Cherry-pick 298987@main (b83400bc63a8). https://bugs.webkit.org/show_bug.cgi?id=297499

[Coordinated Graphics][GraphicsLayerTextureMapper] Crash with an animation of drop-shadow and currentColor
https://bugs.webkit.org/show_bug.cgi?id=297499

Reviewed by Miguel Gomez.

After <https://commits.webkit.org/293027@main> added a new filter type DropShadowWithStyleColor to support the drop-shadow filter with currentColor, a crash happened in TextureMapperLayer::paintSelfAndChildrenWithIntermediateSurface if a content has an animation of the filter.

GraphicsLayerCA doesn't accept animations of any drop-shadow filter. Do the same thing for GraphicsLayerCoordinated and GraphicsLayerTextureMapper too.

* LayoutTests/css3/filters/drop-shadow-current-color-expected.html: Added.
* LayoutTests/css3/filters/drop-shadow-current-color.html: Added.
* LayoutTests/platform/mac-wk1/TestExpectations:
* Source/WebCore/platform/graphics/texmap/GraphicsLayerTextureMapper.cpp:
(WebCore::GraphicsLayerTextureMapper::addAnimation):
* Source/WebCore/platform/graphics/texmap/coordinated/GraphicsLayerCoordinated.cpp:
(WebCore::GraphicsLayerCoordinated::addAnimation):

Canonical link: https://commits.webkit.org/298987@main
Canonical link: https://commits.webkit.org/298234.29@webkitglib/2.50

Commit: faf811b2c797cfd1bb441c6ceb2a54c9098615b6
https://github.com/WebKit/WebKit/commit/faf811b2c797cfd1bb441c6ceb2a54c9098615b6
Author: Youenn Fablet <you...@apple.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)

Changed paths:
  M Source/ThirdParty/libwebrtc/Source/webrtc/net/dcsctp/tx/outstanding_data.cc
  M Source/ThirdParty/libwebrtc/Source/webrtc/net/dcsctp/tx/outstanding_data.h

Log Message:
-----------
Cherry-pick 298910@main (96745ccf6bd5). https://bugs.webkit.org/show_bug.cgi?id=297499

com.apple.WebKit.WebContent use-after-free crash at libwebrtc.dylib: dcsctp::TransmissionControlBlock::SendBufferedPackets
rdar://150587630

Reviewed by David Kilzer.

Instead of modifying outstanding_data_ while iterating it, we iterate outstanding_data_ and put copies of its Items to be processed in a separate deque.
We then iterate through the vector to do the processing.
We add an enqueue routine to share code between the two places where outstanding_data_ is iterated/modified.

* Source/ThirdParty/libwebrtc/Source/webrtc/net/dcsctp/tx/outstanding_data.cc:
* Source/ThirdParty/libwebrtc/Source/webrtc/net/dcsctp/tx/outstanding_data.h:

Originally-landed-as: 289651.536@safari-7621-branch (c609e634bb2f).
rdar://157791161

Canonical link: https://commits.webkit.org/298910@main
Canonical link: https://commits.webkit.org/298234.30@webkitglib/2.50

Commit: 1d1f20a9d1dd286a40616708a680d1e72ea1bb9f
https://github.com/WebKit/WebKit/commit/1d1f20a9d1dd286a40616708a680d1e72ea1bb9f
Author: Brady Eidson <beid...@apple.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)

Changed paths:
  M Source/WebKit/UIProcess/Gamepad/UIGamepadProvider.cpp

Log Message:
-----------
Cherry-pick 298899@main (61dd570b221f). https://bugs.webkit.org/show_bug.cgi?id=297595

Handle unexpected disconnect of a game controller in UIGamepadProvider
rdar://157688016
https://bugs.webkit.org/show_bug.cgi?id=297595

Reviewed by Alex Christensen.

Move from a hard crash to just logging the event, with an early return.

* Source/WebKit/UIProcess/Gamepad/UIGamepadProvider.cpp:
(WebKit::UIGamepadProvider::platformGamepadDisconnected):

Canonical link: https://commits.webkit.org/298899@main
Canonical link: https://commits.webkit.org/298234.31@webkitglib/2.50

Commit: 29dea4e32bfce7e53b3e6b400d777615855fe8d5
https://github.com/WebKit/WebKit/commit/29dea4e32bfce7e53b3e6b400d777615855fe8d5
Author: Matt Woodrow <mattwood...@apple.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)

Changed paths:
  M Source/WebCore/dom/Document.cpp
  M Source/WebCore/dom/Document.h
  M Source/WebCore/dom/ViewTransition.cpp

Log Message:
-----------
Cherry-pick 298423@main (4b12cc4800e1). https://bugs.webkit.org/show_bug.cgi?id=292314

heap-use-after-free | WebCore::forEachRendererInPaintOrder inside ViewTransition::captureNewState.
https://bugs.webkit.org/show_bug.cgi?id=292314
<rdar://149686168>

Reviewed by Alan Baradlay.

captureNewStyle flushes style before iterating RenderLayer z-order lists and reading style properties. This calls into the ComputedStyleExtractor, which can call updateLayoutIgnorePendingStylesheets which can do new style work that wasn't captured in the previous flush (pending stylesheets, and content-visibility relevancy).
This extra style flush can mutate renderers and invalidate the z-order lists that are currently being iterated.

Adds a new helper updateStyleIfNeededIgnorePendingStylesheets, and use it from view-transitions, since we need the same level of flushing as inside the iteration.

Also removes the updateLayout call from Document::updateRelevancyOfContentVisibilityElements() since all existing callers already flush layout directly after the call, except for the new instance added in this patch (which doesn't want/need layout flushed).

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::updateStyleIfNeededIgnoringPendingStylesheets):
(WebCore::Document::updateRelevancyOfContentVisibilityElements):
* Source/WebCore/dom/Document.h:
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::forEachRendererInPaintOrder):
(WebCore::ViewTransition::captureOldState):
(WebCore::ViewTransition::activateViewTransition):
(WebCore::ViewTransition::updatePseudoElementRenderers):

Originally-landed-as: 289651.473@safari-7621-branch (927a0bf9a118). rdar://157794459
Canonical link: https://commits.webkit.org/298423@main
Canonical link: https://commits.webkit.org/298234.32@webkitglib/2.50

Commit: 4eeb979d41d777101c9955d696e4003a6732bbaf
https://github.com/WebKit/WebKit/commit/4eeb979d41d777101c9955d696e4003a6732bbaf
Author: Pedro Varangot <pvaran...@apple.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)

Changed paths:
  A LayoutTests/fast/css/viewtransition-copyelementbaseproperties-no-flushed-style-crash-expected.txt
  A LayoutTests/fast/css/viewtransition-copyelementbaseproperties-no-flushed-style-crash.html
  M Source/WebCore/dom/ViewTransition.cpp

Log Message:
-----------
Cherry-pick 298924@main (634fd6d049d1). https://bugs.webkit.org/show_bug.cgi?id=293303

Renderer is being used after free during ViewTransition copyElementBaseProperties
rdar://150195159
https://bugs.webkit.org/show_bug.cgi?id=293303

Reviewed by Matt Woodrow.

This fixes the bug by adding an extra style flush

* LayoutTests/fast/css/viewtransition-copyelementbaseproperties-no-flushed-style-crash-expected.txt: Added.
* LayoutTests/fast/css/viewtransition-copyelementbaseproperties-no-flushed-style-crash.html: Added.
* Source/WebCore/dom/ViewTransition.cpp:
(WebCore::ViewTransition::updatePseudoElementStylesRead):

Originally-landed-as: 289651.537@safari-7621-branch (41211dd06597). rdar://157791050
Canonical link: https://commits.webkit.org/298924@main
Canonical link: https://commits.webkit.org/298234.33@webkitglib/2.50

Compare: https://github.com/WebKit/WebKit/compare/580ccc8fee54...4eeb979d41d7