Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: ba2cb3ccac962cb8440ec2a1b268769eb30b0734
https://github.com/WebKit/WebKit/commit/ba2cb3ccac962cb8440ec2a1b268769eb30b0734
Author: Youenn Fablet <[email protected]>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M Source/WebCore/Modules/streams/ReadableByteStreamController.cpp
M Source/WebCore/Modules/streams/ReadableStreamBYOBRequest.cpp
M Source/WebCore/Modules/streams/ReadableStreamBYOBRequest.h
Log Message:
-----------
Cherry-pick 305413.480@safari-7624-branch (5d62bc6b2841).
https://bugs.webkit.org/show_bug.cgi?id=312938
Potential use after free of m_controller under ReadableStreamBYOBRequest::visitAdditionalChildren()
rdar://172462937
Reviewed by Chris Dumez.
m_controller can be nullified while being used in the GC thread.
We remove usage of m_controller in the GC thread. Instead, the request will store its stream as a JSValueInWrappedObject, and we will use this JSValueInWrappedObject in the GC thread.
We make sure to clear the JSValueInWrappedObject when the request gets invalidated.
Identifier: 305413.480@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.681@webkitglib/2.52
Commit: 2c8d7528b97f9c206242cb52088b3721b7e8d167
https://github.com/WebKit/WebKit/commit/2c8d7528b97f9c206242cb52088b3721b7e8d167
Author: Philippe Normand <[email protected]>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerIceAgent.cpp
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerIceStream.cpp
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerRtpSenderBackend.cpp
Log Message:
-----------
Cherry-pick 312189@main (6ff991b88b5f).
https://bugs.webkit.org/show_bug.cgi?id=312269
[GStreamer][Rice] Flaky crash in `rice_proto::conncheck::ConnCheckList::add_local_candidate_internal()`
https://bugs.webkit.org/show_bug.cgi?id=312269
Reviewed by Xabier Rodriguez-Calvar.
There was a race condition where the agent would start closing, wake up its main loop, and that would trigger a local candidate notification after rice_agent_close() was called. We now distinguish the "closing" case from the "closed" case using an enum that can be checked before processing local candidate notifications.
* LayoutTests/platform/gtk/TestExpectations:
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerIceAgent.cpp:
(_WebKitGstIceAgentPrivate::WTF_GUARDED_BY_LOCK):
(webkitGstWebRTCIceAgentAddStream):
(webkitGstWebRTCIceAgentClosed):
(webkitGstWebRTCIceAgentClose):
(webkitGstWebRTCIceAgentConstructed):
(webkitGstWebRTCIceAgentLocalCandidateGatheredForStream):
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerIceStream.cpp:
(webkitGstWebRTCIceStreamAddLocalGatheredCandidate):
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerRtpSenderBackend.cpp:
(WebCore::GStreamerRtpSenderBackend::getParameters const):
Canonical link: https://commits.webkit.org/312189@main
Canonical link: https://commits.webkit.org/305877.682@webkitglib/2.52
Commit: e2cc88b2940e0ac40426e1ee026785b7b55096b9
https://github.com/WebKit/WebKit/commit/e2cc88b2940e0ac40426e1ee026785b7b55096b9
Author: Philippe Normand <[email protected]>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerIceAgent.cpp
Log Message:
-----------
Cherry-pick 313836@main (f9a8c97fce94).
https://bugs.webkit.org/show_bug.cgi?id=315469
[GStreamer][WebRTC][Rice] imported/w3c/web-platform-tests/webrtc/RTCDataChannel-send-close-array-buffer.window.html flaky crashes
https://bugs.webkit.org/show_bug.cgi?id=315469
Reviewed by Xabier Rodriguez-Calvar.
Protect access to the streams hashmap using a mutex, otherwise we might crash when being notified of incoming data while a close procedure is ongoing.
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerIceAgent.cpp:
(webkitGstWebRTCIceAgentAddStream):
(webkitGstWebRTCIceAgentSetTos):
(webkitGstWebRTCIceAgentClosed):
(findStreamAndApply):
(webkitGstWebRTCIceAgentConfigure):
(webkitGstWebRTCIceAgentGatheringDoneForStream):
(webkitGstWebRTCIceAgentLocalCandidateGatheredForStream):
(webkitGstWebRTCIceAgentNewSelectedPairForStream):
(webkitGstWebRTCIceAgentComponentStateChangedForStream):
Canonical link: https://commits.webkit.org/313836@main
Canonical link: https://commits.webkit.org/305877.683@webkitglib/2.52
Commit: d859d3f7bc1206fcded3b464780e459342cd47d3
https://github.com/WebKit/WebKit/commit/d859d3f7bc1206fcded3b464780e459342cd47d3
Author: Aditya Keerthi <[email protected]>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
A LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event-expected.txt
A LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event.html
M LayoutTests/platform/gtk/TestExpectations
M Source/WebCore/html/BaseDateAndTimeInputType.cpp
M Source/WebCore/html/BaseDateAndTimeInputType.h
M Source/WebCore/html/shadow/DateTimeEditElement.cpp
M Source/WebCore/html/shadow/DateTimeEditElement.h
Log Message:
-----------
Cherry-pick 305413.565@safari-7624-branch (f49e83162fdd).
https://bugs.webkit.org/show_bug.cgi?id=310544
Use-After-Free in `BaseDateAndTimeInputType::didChangeValueFromControl`
https://bugs.webkit.org/show_bug.cgi?id=310544
rdar://173012873
Reviewed by Abrar Rahman Protyasha and Lily Spiniolas.
`BaseDateAndTimeInputType::didChangeValueFromControl()` dispatches `input` events without protecting itself. An event handler can change the input's type (e.g., from `date` to `text`), which replaces `HTMLInputElement::m_inputType` and destroys the `BaseDateAndTimeInputType` instance. After the event handler returns, the function continues executing `setupDateTimeChooserParameters()` and `showDateTimeChooser()` on the freed object, resulting in a use-after-free.
Fix by holding a `RefPtr` to the input type on the stack prior to calling `didChangeValueFromControl()`.
Test: fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event.html
* LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event-expected.txt: Added.
* LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event.html: Added.
* Source/WebCore/html/BaseDateAndTimeInputType.cpp:
(WebCore::BaseDateAndTimeInputType::setupDateTimeChooserParameters):
Fix `setupDateTimeChooserParameters` to null-check element() instead of asserting, since the element may be gone after the type change.
* Source/WebCore/html/BaseDateAndTimeInputType.h:
* Source/WebCore/html/shadow/DateTimeEditElement.cpp:
(WebCore::DateTimeEditElement::defaultEventHandler):
(WebCore::DateTimeEditElement::didBlurFromField):
(WebCore::DateTimeEditElement::fieldValueChanged):
(WebCore::DateTimeEditElement::isFieldOwnerDisabled const):
(WebCore::DateTimeEditElement::isFieldOwnerReadOnly const):
(WebCore::DateTimeEditElement::didFieldOwnerTransferFocusToPicker):
(WebCore::DateTimeEditElement::didSuppressBlurDueToPickerFocusTransfer):
(WebCore::DateTimeEditElement::localeIdentifier const):
(WebCore::DateTimeEditElement::value const):
(WebCore::DateTimeEditElement::placeholderValue const):
* Source/WebCore/html/shadow/DateTimeEditElement.h:
Change the base class of `DateTimeEditElementEditControlOwner` from
`CanMakeWeakPtr<DateTimeEditElementEditControlOwner>` to
`AbstractRefCountedAndCanMakeWeakPtr<DateTimeEditElementEditControlOwner>`,
so that the object may be ref-counted.
Remove the `IsDeprecatedWeakRefSmartPointerException` exception, since
`DateTimeEditElementEditControlOwner` needs to be ref-counted to avoid
use-after-free.
Identifier: 305413.565@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.684@webkitglib/2.52
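An added example, constructed for this note and not WebKit's code, that models the lifetime problem this commit message describes: `InputType`, `InputElement`, `Outcome` and the `onInput` lambda are stand-ins for `BaseDateAndTimeInputType`, `HTMLInputElement` and a script `input` handler, and `std::shared_ptr` plays the role of `RefPtr`. As in the fix, the protecting reference is taken on the caller's stack before `didChangeValueFromControl()` runs.

```cpp
#include <functional>
#include <memory>
struct InputElement;
// Stand-in for BaseDateAndTimeInputType; std::shared_ptr plays the role of RefPtr.
struct InputType {
    InputElement* element;   // cleared when the element switches to another type
    int& destroyed;          // destructor counter, used to observe the object's lifetime
    InputType(InputElement* e, int& d) : element(e), destroyed(d) {}
    ~InputType() { ++destroyed; }
    bool didChangeValueFromControl();
};

// Stand-in for HTMLInputElement: its m_inputType slot plus a script "input" handler.
struct InputElement {
    int destroyed = 0;                     // declared first so it outlives inputType
    std::shared_ptr<InputType> inputType;
    std::function<void()> onInput;
    void setType() {                       // models script doing input.type = "text"
        if (inputType)
            inputType->element = nullptr;  // the old type is detached from the element
        inputType = std::make_shared<InputType>(this, destroyed);
    }
};

bool InputType::didChangeValueFromControl() {
    // Dispatching the event may replace element->inputType, dropping its reference to *this.
    if (element && element->onInput)
        element->onInput();
    // Mirrors the null-check added to setupDateTimeChooserParameters(): bail out, don't assert.
    if (!element) return false;
    return true;  // would go on to showDateTimeChooser()
}
struct Outcome { bool proceededToChooser; bool aliveAfterCall; int destroyedAfterScope; };

// Drives the scenario: the input handler changes the type while the event is dispatched.
Outcome simulateTypeChangeDuringInputEvent() {
    InputElement element;
    element.setType();
    element.onInput = [&element] { element.setType(); };
    Outcome out{};
    {
        // The fix: a stack reference taken before the call (RefPtr in WebKit) keeps the old
        // type alive for the whole call; without it setType() would free it mid-dispatch.
        std::shared_ptr<InputType> protectedType = element.inputType;
        out.proceededToChooser = protectedType->didChangeValueFromControl();
        out.aliveAfterCall = (element.destroyed == 0);
    }
    out.destroyedAfterScope = element.destroyed;  // the old type is destroyed only here
    return out;
}
```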
Compare: https://github.com/WebKit/WebKit/compare/29ec063b6563...d859d3f7bc12