Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 024280c2ff921692b8d08bc06bb2a03a4c91e84f
https://github.com/WebKit/WebKit/commit/024280c2ff921692b8d08bc06bb2a03a4c91e84f
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-04 (Wed, 04 Mar 2026)
Changed paths:
A JSTests/wasm/gc/validate-unreachable-unset-local.js
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
Log Message:
-----------
[JSC] Fix Wasm validation of unreachable locals
https://bugs.webkit.org/show_bug.cgi?id=304086
rdar://166283484
Reviewed by Dan Hecht.
WebAssembly requires non-defaultable locals (i.e. locals with non-nullable ref
types) to be set before they're used by local.get. Current implementation
incorrectly performs this validation in the case the local.get/set are
unreachable. While initialization is tracked in such unreachable local
instructions, the locals stack is not correctly reset at control flow merge
points. This PR resets the stack at such points.
Test: JSTests/wasm/gc/validate-unreachable-unset-local.js
Originally-landed-as: 301765.372@safari-7623-branch (e2b2223e8a58).
rdar://171558798
Canonical link: https://commits.webkit.org/308637@main
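The merge-point reset this commit describes, as an added Python model of the Wasm local-initialization rule for non-defaultable locals (illustrative code written here, not JSC's WasmFunctionParser; the tuple opcode encoding and the `reset_at_merge` switch are assumptions of this model):

```python
class ValidationError(Exception):
    pass

def validate_locals(num_params, defaultable, body, reset_at_merge=True):
    """Return True if every local.get reads an initialized local, else raise.

    defaultable[i]: whether local i has a defaultable type (params are always
    initialized). body ops: ('block',) | ('end',) | ('unreachable',) |
    ('local.get', i) | ('local.set', i). reset_at_merge=False models the
    defect the commit describes: sets are tracked but never undone at `end`."""
    init = [i < num_params or defaultable[i] for i in range(len(defaultable))]
    init_stack = []  # locals initialized since the innermost open block began
    ctrl = []        # per open block: (init_stack height at entry, outer unreachable)
    unreachable = False
    for op in body:
        kind = op[0]
        if kind == 'block':  # loop / if / else save and restore the same way
            ctrl.append((len(init_stack), unreachable))
            unreachable = False
        elif kind == 'end':
            height, unreachable = ctrl.pop()
            if reset_at_merge:  # merge point: forget sets made inside the block,
                while len(init_stack) > height:  # even those in unreachable code
                    init[init_stack.pop()] = False
        elif kind == 'unreachable':
            unreachable = True  # operand stack goes polymorphic; init tracking continues
        elif kind == 'local.set':
            if not init[op[1]]:
                init[op[1]] = True
                init_stack.append(op[1])
        elif kind == 'local.get':
            if not init[op[1]]:
                raise ValidationError(f"local.get {op[1]} reads a local that may be unset")
    if ctrl:
        raise ValidationError("unbalanced block/end")
    return True

# Constructed sample: local 0 is a param, local 1 a non-nullable ref (not
# defaultable). It is set only inside a block, in unreachable code, and read
# after the block's `end`; a correct validator must reject this.
UNSET_AFTER_MERGE = [('block',), ('unreachable',), ('local.set', 1), ('end',),
                     ('local.get', 1)]

def is_valid(body, reset_at_merge=True):
    try:
        return validate_locals(1, [True, False], body, reset_at_merge)
    except ValidationError:
        return False
```

With `reset_at_merge=False` the sample is wrongly accepted, which is the class of bug the commit closes; with the reset in place it is rejected.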
Commit: a850dfefa3e9092788ad14637f911097b98488ce
https://github.com/WebKit/WebKit/commit/a850dfefa3e9092788ad14637f911097b98488ce
Author: Rob Buis <[email protected]>
Date: 2026-03-04 (Wed, 04 Mar 2026)
Changed paths:
A LayoutTests/fast/forms/onformdata-navigate-crash-expected.txt
A LayoutTests/fast/forms/onformdata-navigate-crash.html
M Source/WebCore/html/HTMLFormElement.cpp
M Source/WebCore/loader/FormSubmission.cpp
M Source/WebCore/loader/FormSubmission.h
Log Message:
-----------
[WebKit][Main+SU] [ea2e11e05711c082] ASAN_ILL | WebCore::FormState::create;
WebCore::FormSubmission::create; WebCore::HTMLFormElement::submit
https://bugs.webkit.org/show_bug.cgi?id=301645
rdar://163480500
Reviewed by Chris Dumez.
When constructing FormSubmission the formdata event is dispatched. When combined
with the Navigation API the event handling can cause the document frame to be
detached, triggering a release assert in the FormState constructor. To fix this
detect the frame removal after dispatching and end the submit operation early.
* LayoutTests/fast/forms/onformdata-navigate-crash-expected.txt: Added.
* LayoutTests/fast/forms/onformdata-navigate-crash.html: Added.
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::submit):
* Source/WebCore/loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
* Source/WebCore/loader/FormSubmission.h:
Originally-landed-as: 301765.373@safari-7623-branch (1acabe11a6b0).
rdar://171558526
Canonical link: https://commits.webkit.org/308638@main
Commit: 4555be60f06736997fbc80298daa23e3f6614e26
https://github.com/WebKit/WebKit/commit/4555be60f06736997fbc80298daa23e3f6614e26
Author: Frédéric Wang <[email protected]>
Date: 2026-03-04 (Wed, 04 Mar 2026)
Changed paths:
A LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash-expected.txt
A LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash.html
A LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash-expected.txt
A LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash.html
A LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash-expected.txt
A LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash.html
A LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash-expected.txt
A LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash.html
M Source/WebCore/Modules/webcodecs/WebCodecsAudioDecoder.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsAudioEncoder.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsBase.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsVideoDecoder.cpp
M Source/WebCore/Modules/webcodecs/WebCodecsVideoEncoder.cpp
Log Message:
-----------
ASAN_SEGV | WebCore::JSCallbackData::invokeCallback;
WebCore::JSWebCodecsErrorCallback::invoke;
WebCore::WebCodecsVideoDecoder::closeDecoder
https://bugs.webkit.org/show_bug.cgi?id=300958
rdar://158135449
Reviewed by Youenn Fablet.
When calling configure() on a webcodec with an unsupported config,
postTaskToCodec() is called to "queue a task to run the Close
AudioDecoder algorithm with NotSupportedError" as per
https://www.w3.org/TR/webcodecs.
If reset() is called before that task is dequeued, then the codec state
becomes Unconfigured and WebCodecsBase::virtualHasPendingActivity() no
longer ensures the JS wrapper stays alive, potentially causing a nullptr
crash when trying to execute the associated error callback:
```
bool WebCodecsBase::virtualHasPendingActivity() const
{
    return m_state == WebCodecsCodecState::Configured &&
        (m_codecControlMessagesPending || m_isMessageQueueBlocked);
}
```
This patch removes the assumption that the codec state must be
Configured in order to keep the JS wrapper alive and that addresses the
nullptr crash here. It makes sure that virtualHasPendingActivity()
would eventually be reset to false though.
Tests: fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash.html
fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash.html
fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash.html
fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash.html
* LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash-expected.txt: Added.
* LayoutTests/fast/webcodecs/resetting-audio-decoder-with-unsupported-codec-crash.html: Added.
* LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash-expected.txt: Added.
* LayoutTests/fast/webcodecs/resetting-audio-encoder-with-unsupported-codec-crash.html: Added.
* LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash-expected.txt: Added.
* LayoutTests/fast/webcodecs/resetting-video-decoder-with-unsupported-codec-crash.html: Added.
* LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash-expected.txt: Added.
* LayoutTests/fast/webcodecs/resetting-video-encoder-with-unsupported-codec-crash.html: Added.
* Source/WebCore/Modules/webcodecs/WebCodecsBase.cpp:
(WebCore::WebCodecsBase::virtualHasPendingActivity const): Don't release the
codec when it's not in configured state.
* Source/WebCore/Modules/webcodecs/WebCodecsAudioDecoder.cpp:
(WebCore::WebCodecsAudioDecoder::configure): Ensure we clear
m_isMessageQueueBlocked when done.
* Source/WebCore/Modules/webcodecs/WebCodecsAudioEncoder.cpp:
(WebCore::WebCodecsAudioEncoder::configure): Ditto.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoDecoder.cpp:
(WebCore::WebCodecsVideoDecoder::configure): Ditto.
* Source/WebCore/Modules/webcodecs/WebCodecsVideoEncoder.cpp:
(WebCore::WebCodecsVideoEncoder::configure): Ditto.
Originally-landed-as: 301765.374@safari-7623-branch (13f8cb5f9bd5).
rdar://171558400
Canonical link: https://commits.webkit.org/308639@main
Commit: 15ddef0e0842077aa6ce74a5819ed8604d4ed7e4
https://github.com/WebKit/WebKit/commit/15ddef0e0842077aa6ce74a5819ed8604d4ed7e4
Author: Mike Wyrzykowski <[email protected]>
Date: 2026-03-04 (Wed, 04 Mar 2026)
Changed paths:
M Source/WebGPU/WebGPU/Buffer.mm
Log Message:
-----------
Incorrect logic in Buffer::needsIndexValidation leads to shader OOB access
https://bugs.webkit.org/show_bug.cgi?id=304184
rdar://166533571
Reviewed by Dan Glastonbury.
Comparison was flipped, leading to potential OOB shader loads from vertex
buffers during drawIndexed calls.
* Source/WebGPU/WebGPU/Buffer.mm:
(WebGPU::Buffer::needsIndexValidation):
Originally-landed-as: 301765.376@safari-7623-branch (9093f17975f8).
rdar://171558280
Canonical link: https://commits.webkit.org/308640@main
Commit: eaf2c797417f3da6687f4654bfed09bd9b1e955f
https://github.com/WebKit/WebKit/commit/eaf2c797417f3da6687f4654bfed09bd9b1e955f
Author: Claudio Saavedra <[email protected]>
Date: 2026-03-04 (Wed, 04 Mar 2026)
Changed paths:
A LayoutTests/fast/rendering/collapsed-scrollbar-crash-expected.txt
A LayoutTests/fast/rendering/collapsed-scrollbar-crash.html
M Source/WebCore/rendering/RenderElement.h
M Source/WebCore/rendering/RenderScrollbarPart.h
Log Message:
-----------
[WebKit][Main+SU] [292b7257c3a80358] ASAN_SEGV |
WebCore::RenderBox::localRectsForRepaint;
WebCore::RenderObject::clippedOverflowRect;
WebCore::RenderObject::repaintSlowRepaintObject
https://bugs.webkit.org/show_bug.cgi?id=302377
rdar://164467732
Reviewed by Simon Fraser.
RenderScrollbarPart doesn't have an enclosing layer,
so we can short-circuit the check in RenderElement
and return false always.
Test: fast/rendering/collapsed-scrollbar-crash.html
* LayoutTests/fast/rendering/collapsed-scrollbar-crash-expected.txt: Added.
* LayoutTests/fast/rendering/collapsed-scrollbar-crash.html: Added.
* Source/WebCore/rendering/RenderElement.h:
* Source/WebCore/rendering/RenderScrollbarPart.h:
Originally-landed-as: [email protected] (db1ee7ac4ada).
rdar://171558367
Canonical link: https://commits.webkit.org/308641@main
Compare: https://github.com/WebKit/WebKit/compare/c1df92d228fc...eaf2c797417f