Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 0d05dcbf7c29a56bdf660198c0ab4883cc1d1393
https://github.com/WebKit/WebKit/commit/0d05dcbf7c29a56bdf660198c0ab4883cc1d1393
Author: Rupin Mittal <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
A LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash-expected.txt
A LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash.html
M Source/WebCore/page/FocusController.cpp
Log Message:
-----------
Cherry-pick 315028@main (ab52a089ca02).
https://bugs.webkit.org/show_bug.cgi?id=316860
StabilityTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::dispatchEventsOnWindowAndFocusedElement
https://bugs.webkit.org/show_bug.cgi?id=316860
rdar://179182828
Reviewed by Abrar Rahman Protyasha and Chris Dumez.
On this line in dispatchEventsOnWindowAndFocusedElement, the focusedElement() may be nullptr, resulting in a null dereference:
document->focusedElement()->dispatchBlurEvent(nullptr);
We can reproduce the crash in this scenario: There is an input element on the page which is focused and has an onchange handler that blurs it. We type a character in it, and then when we CMD+TAB to open and move to a new tab, the crash happens.
When we move away from this page, dispatchEventsOnWindowAndFocusedElement() is called, and since there is an HTMLFormControlElement on it, we call dispatchFormControlChangeEvent() on it. This calls Element::blur(), which sets Document::m_focusedElement to nullptr. Then we unconditionally dereference document->focusedElement() in the next line (the line shown above) and crash.
This call to dispatchEventsOnWindowAndFocusedElement() was added in 308203@main.
We fix this by null checking focusedElement before using it. We add a test that mirrors this scenario.
Credit to Abrar Protyasha for finding the repro case.
* LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash-expected.txt: Added.
* LayoutTests/fast/events/window-deactivation-onchange-blurs-focused-element-should-not-crash.html: Added.
* Source/WebCore/page/FocusController.cpp:
(WebCore::dispatchEventsOnWindowAndFocusedElement):
Canonical link: https://commits.webkit.org/315028@main
Canonical link: https://commits.webkit.org/305877.740@webkitglib/2.52
Commit: 8af2f1adc03a1ca55782edfde5d3e6237d9de953
https://github.com/WebKit/WebKit/commit/8af2f1adc03a1ca55782edfde5d3e6237d9de953
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/AV1Utilities.cpp
Log Message:
-----------
Cherry-pick 314944@main (74eb1295e28b).
https://bugs.webkit.org/show_bug.cgi?id=316766
Undefined left-shift in AV1 readULEBSize()
https://bugs.webkit.org/show_bug.cgi?id=316766
rdar://179211459
Reviewed by Pascoe.
decodedByte is a uint8_t that integer-promotes to a 32-bit int, so decodedByte << (7 * cptr) is undefined behavior for any shift count >= 32. Shift a size_t instead.
* Source/WebCore/platform/graphics/AV1Utilities.cpp:
(WebCore::readULEBSize):
Canonical link: https://commits.webkit.org/314944@main
Canonical link: https://commits.webkit.org/305877.741@webkitglib/2.52
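The promotion hazard this fix addresses, shown as an added example that is not WebKit's code: a constructed AV1 leb128() decoder that widens each byte to size_t before shifting, plus an encoder used only to build inputs. The names readULEBSize, kMaxULEBBytes, writeULEB and decodeULEB, and a 64-bit size_t, are assumptions of this example; the 8-byte limit is the AV1 leb128() one.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <type_traits>
#include <vector>

// Constructed example, not WebKit's readULEBSize(): decodes an AV1 leb128()
// value (at most 8 bytes, 7 payload bits each, least-significant group first).
// Integer promotion turns a uint8_t shift operand into a 32-bit int, so
// `decodedByte << (7 * cptr)` is undefined once 7 * cptr >= 32 (sixth byte on);
// widening to size_t first keeps the shift inside the destination type.
static_assert(std::is_same_v<decltype(std::uint8_t{} << 1), int>);

constexpr std::size_t kMaxULEBBytes = 8;
static_assert(sizeof(std::size_t) * 8 >= 7 * kMaxULEBBytes); // assumes 64-bit size_t

// Decodes one value, advancing `offset`; nullopt on truncated input or on a
// 9th continuation byte (over-long encodings are rejected, not silently cut).
std::optional<std::size_t> readULEBSize(const std::vector<std::uint8_t>& bytes, std::size_t& offset)
{
    std::size_t value = 0;
    for (std::size_t cptr = 0; cptr < kMaxULEBBytes; ++cptr) {
        if (offset >= bytes.size())
            return std::nullopt;
        std::size_t decodedByte = bytes[offset++]; // widened before the shift
        value |= (decodedByte & 0x7f) << (7 * cptr);
        if (!(decodedByte & 0x80))
            return value;
    }
    return std::nullopt;
}

// Encoder used only to build inputs for the decoder above.
std::vector<std::uint8_t> writeULEB(std::size_t value)
{
    std::vector<std::uint8_t> out;
    do {
        std::uint8_t byte = static_cast<std::uint8_t>(value & 0x7f);
        value >>= 7;
        if (value) byte |= 0x80; // continuation bit
        out.push_back(byte);
    } while (value);
    return out;
}

std::optional<std::size_t> decodeULEB(const std::vector<std::uint8_t>& bytes)
{
    std::size_t offset = 0;
    return readULEBSize(bytes, offset);
}
```

A 39-bit value such as 0x7fffffffff encodes to six bytes, so its last group is shifted by 35: exactly the case that was undefined with an int operand.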
Commit: db26f6947f9567221ddacbc08cb64bfd3ab3d8f4
https://github.com/WebKit/WebKit/commit/db26f6947f9567221ddacbc08cb64bfd3ab3d8f4
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/TrackPrivateBase.cpp
Log Message:
-----------
Cherry-pick 314942@main (d343d173217d).
https://bugs.webkit.org/show_bug.cgi?id=316765
TrackPrivateBase::removeClient has an inverted bounds check
https://bugs.webkit.org/show_bug.cgi?id=316765
rdar://179211106
Reviewed by Pascoe.
removeClient() bailed out when m_clients.size() > index -- i.e. for every valid index, and only reached the slot-clearing assignment when the index was out of bounds. Fix the bounds check.
* Source/WebCore/platform/graphics/TrackPrivateBase.cpp:
(WebCore::TrackPrivateBase::removeClient):
Canonical link: https://commits.webkit.org/314942@main
Canonical link: https://commits.webkit.org/305877.742@webkitglib/2.52
Commit: 9cd327e6f60c9ff9757049760d34708a9c1464bf
https://github.com/WebKit/WebKit/commit/9cd327e6f60c9ff9757049760d34708a9c1464bf
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/Image.cpp
Log Message:
-----------
Cherry-pick 314937@main (6a12936c2791).
https://bugs.webkit.org/show_bug.cgi?id=316767
Null deref in Image::toShareableBitmap when ShareableBitmap::create() fails
https://bugs.webkit.org/show_bug.cgi?id=316767
rdar://179212122
Reviewed by Pascoe.
ShareableBitmap::create() can return null, but the result was dereferenced without a check. Return nullptr when creation fails.
* Source/WebCore/platform/graphics/Image.cpp:
(WebCore::Image::toShareableBitmap const):
Canonical link: https://commits.webkit.org/314937@main
Canonical link: https://commits.webkit.org/305877.743@webkitglib/2.52
Commit: ce0d174ed399031a1b804187c8eac99f722fa62f
https://github.com/WebKit/WebKit/commit/ce0d174ed399031a1b804187c8eac99f722fa62f
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkProcess.cpp
Log Message:
-----------
Cherry-pick 314934@main (82ef6d0843fe).
https://bugs.webkit.org/show_bug.cgi?id=316770
Possible null-deref in NetworkProcess::deleteWebsiteDataForOrigin with ephemeral session
https://bugs.webkit.org/show_bug.cgi?id=316770
rdar://179219807
Reviewed by Pascoe.
networkSession(sessionID) returns null when no NetworkSession exists for the given sessionID. Every other branch in the same function and the sibling functions guard the session dereference. Add the same guard here.
* Source/WebKit/NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::deleteWebsiteDataForOrigin):
Canonical link: https://commits.webkit.org/314934@main
Canonical link: https://commits.webkit.org/305877.744@webkitglib/2.52
Commit: cf79e3ff1cc063893fac2481466c9599af1b1ffd
https://github.com/WebKit/WebKit/commit/cf79e3ff1cc063893fac2481466c9599af1b1ffd
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/GraphicsLayerAnimation.cpp
Log Message:
-----------
Cherry-pick 314933@main (c241847cce04).
https://bugs.webkit.org/show_bug.cgi?id=316761
GraphicsLayerAnimation TextStream dump iterationCount under "delay"
https://bugs.webkit.org/show_bug.cgi?id=316761
rdar://179208066
Reviewed by Pascoe.
The "delay" property dumped animation.iterationCount() instead of animation.delay(), so the delay was never reported and the iteration count appeared twice. Dump delay().
* Source/WebCore/platform/graphics/GraphicsLayerAnimation.cpp:
(WebCore::operator<<):
Canonical link: https://commits.webkit.org/314933@main
Canonical link: https://commits.webkit.org/305877.745@webkitglib/2.52
Commit: fd16d342f9b4f1e6d00ecc8fc0384f4941924e77
https://github.com/WebKit/WebKit/commit/fd16d342f9b4f1e6d00ecc8fc0384f4941924e77
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/BackgroundFetchLoad.cpp
Log Message:
-----------
Cherry-pick 314931@main (6fc2044df388).
https://bugs.webkit.org/show_bug.cgi?id=316771
Possible null-deref in checkRedirection completion
https://bugs.webkit.org/show_bug.cgi?id=316771
rdar://179220373
Reviewed by Pascoe.
checkRedirection can complete asynchronously, so the BackgroundFetchLoad may have been torn down by the time the handler runs.
* Source/WebKit/NetworkProcess/BackgroundFetchLoad.cpp:
(WebKit::BackgroundFetchLoad::willPerformHTTPRedirection):
Canonical link: https://commits.webkit.org/314931@main
Canonical link: https://commits.webkit.org/305877.746@webkitglib/2.52
Commit: 61de36e134bb34d2dc7aeb86cd0cbfbc13cc6e1d
https://github.com/WebKit/WebKit/commit/61de36e134bb34d2dc7aeb86cd0cbfbc13cc6e1d
Author: Chris Dumez <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WTF/wtf/LazyRef.h
M Source/WTF/wtf/LazyUniqueRef.h
Log Message:
-----------
Cherry-pick 314767@main (6667782c52fa).
https://bugs.webkit.org/show_bug.cgi?id=316510
Add missing return statements in LazyRef.h and LazyUniqueRef.h
https://bugs.webkit.org/show_bug.cgi?id=316510
Reviewed by Darin Adler.
* Source/WTF/wtf/LazyRef.h:
* Source/WTF/wtf/LazyUniqueRef.h:
Canonical link: https://commits.webkit.org/314767@main
Canonical link: https://commits.webkit.org/305877.747@webkitglib/2.52
Commit: e441e8c5f6fd05d366de766c6b22816ae10604c1
https://github.com/WebKit/WebKit/commit/e441e8c5f6fd05d366de766c6b22816ae10604c1
Author: Chris Dumez <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 314764@main (3dffc69de57f).
https://bugs.webkit.org/show_bug.cgi?id=316514
Use-after-move of frameInfo in WebPageProxy::decidePolicyForResponseShared()
https://bugs.webkit.org/show_bug.cgi?id=316514
Reviewed by Rupin Mittal.
decidePolicyForResponseShared() consumed `frameInfo` by passing
WTF::move(frameInfo) to API::FrameInfo::create(), and then immediately
read `frameInfo.securityOrigin.securityOrigin()` for the COOP
browsing-context-group-switch check on the next line. API::FrameInfo's
constructor stores the FrameInfoData by move (m_data(WTF::move(data))),
so the SecurityOriginData's String members were left empty and the COOP
comparison saw an empty origin — typically a false negative, meaning we
failed to disown the opener and clear m_openedMainFrameName when COOP
required it. The same moved-from `frameInfo` was then captured by
WTF::move into the policy listener lambda, where it was further used
(e.g. by FrameInfoData { frameInfo } on the safe-browsing failure path).
Reorder the function so the COOP check runs first against a live
`frameInfo`, pass a copy to API::FrameInfo::create(), and let the
lambda's capture be the sole move.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForResponseShared):
Canonical link: https://commits.webkit.org/314764@main
Canonical link: https://commits.webkit.org/305877.748@webkitglib/2.52
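The use-after-move pattern described above, as an added example that is not WebKit's code: constructed stand-ins for SecurityOriginData, FrameInfoData and API::FrameInfo reproduce the store-by-move shape, and the original ordering is shown beside the fixed one (check first, copy into FrameInfo, lambda capture is the sole move). The check function and the rule that an origin with no host never requests a switch are assumptions of this example, chosen so the moved-from case surfaces as the false negative the commit describes.

```cpp
#include <functional>
#include <string>
#include <utility>

// Constructed stand-ins for WebKit's SecurityOriginData, FrameInfoData and
// API::FrameInfo; not the real types, but they keep the same store-by-move shape.
struct SecurityOriginData { std::string protocol; std::string host; };
struct FrameInfoData { SecurityOriginData securityOrigin; };
struct FrameInfo {
    explicit FrameInfo(FrameInfoData&& data) : m_data(std::move(data)) { } // stores by move
    FrameInfoData m_data;
};

// Stand-in for the COOP browsing-context-group-switch check (assumption: an
// origin with no host is treated as "no origin", so it never requests a switch).
bool needsBrowsingContextGroupSwitch(const SecurityOriginData& pageOrigin, const SecurityOriginData& responseOrigin)
{
    if (responseOrigin.host.empty())
        return false;
    return pageOrigin.protocol != responseOrigin.protocol || pageOrigin.host != responseOrigin.host;
}

struct Decision {
    bool coopSwitch;
    FrameInfo created;
    std::function<std::string()> listener; // stand-in for the policy listener lambda
};

// Original order: frameInfo is moved into FrameInfo and then read. Its
// moved-from std::string members are valid but unspecified (empty in
// practice), so the COOP check silently sees an empty origin: a false
// negative rather than a crash, which is why this is easy to miss.
Decision decidePolicyBuggy(FrameInfoData frameInfo, const SecurityOriginData& pageOrigin)
{
    FrameInfo created(std::move(frameInfo));
    bool coopSwitch = needsBrowsingContextGroupSwitch(pageOrigin, frameInfo.securityOrigin); // use-after-move
    return { coopSwitch, std::move(created), [frameInfo = std::move(frameInfo)] { return frameInfo.securityOrigin.host; } };
}

// Fixed order: run the check on the live value, give FrameInfo a copy, and
// make the lambda capture the one and only move.
Decision decidePolicyFixed(FrameInfoData frameInfo, const SecurityOriginData& pageOrigin)
{
    bool coopSwitch = needsBrowsingContextGroupSwitch(pageOrigin, frameInfo.securityOrigin);
    FrameInfo created(FrameInfoData { frameInfo }); // explicit copy, frameInfo stays live
    return { coopSwitch, std::move(created), [frameInfo = std::move(frameInfo)] { return frameInfo.securityOrigin.host; } };
}
```

Static checkers flag the buggy ordering (clang-tidy's bugprone-use-after-move check, for instance); the compiler itself stays silent because a moved-from std::string is still a valid object.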
Commit: 8ded39b7705d25a6dd1f8d395a9f57d960111c42
https://github.com/WebKit/WebKit/commit/8ded39b7705d25a6dd1f8d395a9f57d960111c42
Author: Chris Dumez <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerToContextConnection.cpp
Log Message:
-----------
Cherry-pick 314728@main (ce339f1f9454).
https://bugs.webkit.org/show_bug.cgi?id=316523
Fix inverted condition in WebSWServerToContextConnection::workerTerminated
https://bugs.webkit.org/show_bug.cgi?id=316523
Reviewed by Youenn Fablet.
The condition guarding the EndServiceWorkerBackgroundProcessing message
was missing a `!`, so the message was sent on every decrement of
m_processingFunctionalEventCount *except* when the count reached zero —
the exact opposite of every other End-Background-Processing site in the
same file (firePushEvent, fireNotificationEvent, fireBackgroundFetchEvent,
fireBackgroundFetchClickEvent).
As a result, the background-processing assertion held while terminating
a service worker was never released for the last in-flight functional
event, while spurious End messages were sent during normal counting.
* Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerToContextConnection.cpp:
(WebKit::WebSWServerToContextConnection::workerTerminated):
Canonical link: https://commits.webkit.org/314728@main
Canonical link: https://commits.webkit.org/305877.749@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/0137d06b4270...8ded39b7705d