Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 9bb8e6006c96b6ef224b0b7b836dbe50fd527674
https://github.com/WebKit/WebKit/commit/9bb8e6006c96b6ef224b0b7b836dbe50fd527674
Author: Matthew Finkel <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm
Log Message:
-----------
Cherry-pick 315043@main (39679d6a6e43).
https://bugs.webkit.org/show_bug.cgi?id=316066
Partitioned cookies may not be sent on resource requests
https://bugs.webkit.org/show_bug.cgi?id=316066
rdar://175507450
Reviewed by Charlie Wolfe.
There is a problem with how we compute and synchronize across processes the
preference's state that controls whether partitioned cookies are enabled.
There
is a case where we can erroneously disable partitioned cookies if we are in
a
situation where we don't have any WebPageProxy, but we have an active
provisional load. That gap may result in some resource requests where a
partitioned cookie is absent.
The current behavior relies on a WebPageProxy existing. This patch resolves
that issue, and a couple others, by calling propagateSettingUpdates() when a
page is added or removed from a WebsiteDataStore, and immediately after a
network process is created.
* Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp:
(WebKit::WebsiteDataStore::networkProcess):
(WebKit::WebsiteDataStore::addPage):
(WebKit::WebsiteDataStore::removePage):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/Navigation.mm:
(TEST(WKNavigation, PartitionedCookieSentOnTopLevelRedirect)):
(TEST(WKNavigation,
PartitionedCookieSentWhenNetworkProcessExistsBeforePage)):
(TEST(WKNavigation, PartitionedCookieAfterRedirect)):
Canonical link: https://commits.webkit.org/315043@main
Canonical link: https://commits.webkit.org/305877.764@webkitglib/2.52
Commit: 3dfa3aa802ac3a4c05f6bbca536ac50549e770ca
https://github.com/WebKit/WebKit/commit/3dfa3aa802ac3a4c05f6bbca536ac50549e770ca
Author: Sihui Liu <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/html/HTMLMediaElement.h
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WebsitePolicies.mm
A Tools/TestWebKitAPI/Tests/WebKitCocoa/autoplay-quirk-pause-fires-once.html
Log Message:
-----------
Cherry-pick 314984@main (412a8234329f).
https://bugs.webkit.org/show_bug.cgi?id=316746
Prevent re-entrant calls to dispatchPlayPauseEventsIfNeedsQuirks()
https://bugs.webkit.org/show_bug.cgi?id=316746
rdar://179191475
Reviewed by Ryosuke Niwa.
dispatchPlayPauseEventsIfNeedsQuirks() dispatches synthesized `playing` and
`pause` events to satisfy sites whose JS
player state machines rely on these events to detect that autoplay was
prevented (SynthesizedPauseEvents), or to
recover after being restored from the back/forward cache (rdar://68938833).
The function was not re-entrant-safe because a common JS pattern is to call
video.play() from a `pause` event handler to
retry playback. When autoplay was blocked, the sequence was:
1. setAutoplayEventPlaybackState(PreventedAutoplay) =>
dispatchPlayPauseEventsIfNeedsQuirks() // schedule playing +
pause events
2. `pause` event fires, JS handler calls video.play() // autoplay blocked
again
3. setAutoplayEventPlaybackState(PreventedAutoplay) =>
dispatchPlayPauseEventsIfNeedsQuirks() // schedule playing +
pause events again, and cause infinite loop
This can produce hundreds of log entries per millisecond and could trigger
logd's per-process quarantine on affected
pages. To fix this, this patch adds a bool guard
m_isDispatchingAutoplayPlayPauseQuirkEvents and consolidates two
scheduleEvent() calls into a single queued task that ispatches both events
synchronously via dispatchEvent(). A
SetForScope sets the guard for the duration of the task, covering the
entire JS execution window. Any re-entrant call to
dispatchPlayPauseEventsIfNeedsQuirks() during that window — whether from
the `playing` or the `pause` handler — returns
immediately.
API Test: WebpagePreferences.WebsitePoliciesSynthesizedPauseEventFiresOnce
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::dispatchPlayPauseEventsIfNeedsQuirks):
* Source/WebCore/html/HTMLMediaElement.h:
* Tools/TestWebKitAPI/Resources/cocoa/autoplay-quirk-pause-fires-once.html:
Added.
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WebsitePolicies.mm:
(TEST(WebpagePreferences, WebsitePoliciesSynthesizedPauseEventFiresOnce)):
Canonical link: https://commits.webkit.org/314984@main
Canonical link: https://commits.webkit.org/305877.765@webkitglib/2.52
Commit: 194d83a90fe7ba39393b0eec9c1066b79ef596a5
https://github.com/WebKit/WebKit/commit/194d83a90fe7ba39393b0eec9c1066b79ef596a5
Author: Tyler Wilcock <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
A
LayoutTests/accessibility/aria-owns-crash-after-subtree-update-expected.txt
A LayoutTests/accessibility/aria-owns-crash-after-subtree-update.html
M Source/WebCore/accessibility/AXObjectCache.cpp
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
Cherry-pick 314865@main (5472527c2f96).
https://bugs.webkit.org/show_bug.cgi?id=316542
AX: In rare circumstances, WebKit can loop infinitely downstream of
updateOwnedChildrenIfNecessary(), causing stack overflow crashes
https://bugs.webkit.org/show_bug.cgi?id=316542
rdar://172763724
Reviewed by Dominic Mazzoni and Andres Gonzalez.
For a long while now, we have observed rare stack overflow crashes
originating from updateOwnedChildrenIfNecessary(). It's unclear how
these crashes are ocurring, since existing function relationCausesCycle
should (and does in all known situations) prevent an aria-owns
relationship from being established if it would cause a cycle.
The current theory is that these crashes happen when the tree is dirty and
in the process of being rebuilt after dynamic DOM changes (which may
introduce
cycles that relationCausesCycle didn't and couldn't possibly have
checked for at relations-creation time). But I haven't been able to
construct markup that actually reproduces this, including the new layout
test, which passes with and without the newly added guard (described below).
The speculative fix taken by this commit is the addition of a per-traversal
visited
set in updateOwnedChildrenIfNecessary, breaking if we encounter a node
we've already seen.
*
LayoutTests/accessibility/aria-owns-crash-after-subtree-update-expected.txt:
Added.
* LayoutTests/accessibility/aria-owns-crash-after-subtree-update.html:
Added.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::updateOwnedChildrenIfNecessary):
Canonical link: https://commits.webkit.org/314865@main
Canonical link: https://commits.webkit.org/305877.766@webkitglib/2.52
Commit: b0b779d817465f425cec02e725370251f2536409
https://github.com/WebKit/WebKit/commit/b0b779d817465f425cec02e725370251f2536409
Author: Chris Dumez <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M
Source/WebKit/WebProcess/Storage/WebSharedWorkerContextManagerConnection.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/CustomUserAgent.mm
Log Message:
-----------
Cherry-pick 314858@main (fbd2160cf1ac).
https://bugs.webkit.org/show_bug.cgi?id=316637
SharedWorker's navigator.userAgent ignores per-navigation _customUserAgent
https://bugs.webkit.org/show_bug.cgi?id=316637
Reviewed by Youenn Fablet.
WebSharedWorkerContextManagerConnection::launchSharedWorker() applied an
inverted user-agent fallback:
```
if (!initializationData.userAgent.isEmpty())
initializationData.userAgent = m_userAgent;
```
The intent (matching the parallel logic in WebSWContextManagerConnection's
installServiceWorker, which uses `if (effectiveUserAgent.isNull())`) is to
fall back to the host's m_userAgent only when the value supplied by the
network process is empty. The condition was negated, so a non-empty
page-supplied UA was overwritten by the host's default, while an empty UA
was left empty.
The page-level WKWebView.customUserAgent path masks the bug because
WebProcessPool::updateRemoteWorkerUserAgent pushes that UA to every remote-
worker host via
Messages::WebSharedWorkerContextManagerConnection::SetUserAgent,
keeping the host's m_userAgent in sync with the page UA so the buggy
assignment becomes a no-op. The bug is observable through any UA path that
does NOT round-trip through WebPageProxy::setUserAgent — most notably
WKWebpagePreferences._customUserAgent (per-navigation), which is stored on
the page's DocumentLoader and flows into WorkerScriptLoader::
userAgentForSharedWorker() but never updates the host process. In that
configuration the SharedWorker's navigator.userAgent reported the host's
standard UA instead of the per-navigation override.
Invert the condition so initializationData.userAgent is preserved when
non-empty and only filled in from m_userAgent when empty.
*
Source/WebKit/WebProcess/Storage/WebSharedWorkerContextManagerConnection.cpp:
(WebKit::WebSharedWorkerContextManagerConnection::launchSharedWorker):
Fall back to m_userAgent only when initializationData.userAgent is empty.
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/CustomUserAgent.mm:
(TEST(CustomUserAgent, SharedWorkerNavigatorUserAgent)):
Add a regression test that uses WKWebpagePreferences._customUserAgent so
the page UA diverges from the host's m_userAgent, and asserts that a
SharedWorker created from that page observes the per-navigation UA via
navigator.userAgent.
Canonical link: https://commits.webkit.org/314858@main
Canonical link: https://commits.webkit.org/305877.767@webkitglib/2.52
Commit: 8c84f914883d3389dea52e339f500a0e389d4e92
https://github.com/WebKit/WebKit/commit/8c84f914883d3389dea52e339f500a0e389d4e92
Author: Chris Dumez <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/Region.cpp
M Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp
Log Message:
-----------
Cherry-pick 314594@main (5eacd591f79b).
https://bugs.webkit.org/show_bug.cgi?id=316188
Region::totalArea overflows when a single rect's area exceeds INT_MAX
https://bugs.webkit.org/show_bug.cgi?id=316188
Reviewed by Kimmo Kinnunen.
Region::totalArea() accumulates rect.width() * rect.height() into a
uint64_t. Both width() and height() return int, so the multiplication
is performed in int and only the result is widened. Any rect whose
area exceeds INT_MAX (e.g. 50000 x 50000 == 2,500,000,000) overflows
the int multiplication before the assignment, then sign-extends into
uint64_t and corrupts the running total.
Cast one operand to uint64_t so the multiplication itself happens in
64 bits. Add an API test that exercises the overflow case.
Test: RegionTests.TotalAreaDoesNotOverflowSignedInt
* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::totalArea const):
* Tools/TestWebKitAPI/Tests/WebCore/RegionTests.cpp:
(TestWebKitAPI::TEST(RegionTests, TotalAreaDoesNotOverflowSignedInt)):
Canonical link: https://commits.webkit.org/314594@main
Canonical link: https://commits.webkit.org/305877.768@webkitglib/2.52
Commit: fd9fc45e167ca00a6681945f23f6e59db8e3e6e7
https://github.com/WebKit/WebKit/commit/fd9fc45e167ca00a6681945f23f6e59db8e3e6e7
Author: Brady Eidson <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebCore/dom/MessagePort.cpp
M Source/WebCore/dom/MessagePort.h
M Source/WebKit/WebProcess/WebCoreSupport/WebMessagePortChannelProvider.cpp
M Source/WebKit/WebProcess/WebCoreSupport/WebMessagePortChannelProvider.h
M Source/WebKit/WebProcess/WebProcess.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/MessagePortSecurity.mm
Log Message:
-----------
Cherry-pick 314573@main (67117c4975bb).
https://bugs.webkit.org/show_bug.cgi?id=315221
MessagePorts a WebContent process already has should be invalidated if the
Networking process disconnects
rdar://177440317
https://bugs.webkit.org/show_bug.cgi?id=315221
Reviewed by Basuke Suzuki.
The scenario is:
1 - A MessageChannel is created, and therefore registered with the
networking process.
2 - The Networking process disconnects (crash, jetsam, suspend, etc)
3 - A new Networking process is fired up and connects to the old WebContent
process
4 - The WebContent process tries a message channel operation in the new
Networking process on a port
the new Networking process doesn't know about.
https://commits.webkit.org/305413.547@safari-7624-branch added more
aggressive MESSAGE_CHECKs to the
networking process to protect against message port spoofs from compromised
web content processes.
The above scenario is WebKit in normal operation and unfortunately
triggering those MESSAGE_CHECKs
So this PR teaches web content processes to invalidate current message
ports if the Networking process
goes away. It handles normal message port operation, worker use, and works
with site isolation.
Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/MessagePortSecurity.mm
* Source/WebCore/dom/MessagePort.cpp:
(WebCore::MessagePort::notifyAllConnectionsClosed):
* Source/WebCore/dom/MessagePort.h:
* Source/WebKit/WebProcess/WebCoreSupport/WebMessagePortChannelProvider.cpp:
(WebKit::WebMessagePortChannelProvider::createNewMessagePortChannel):
(WebKit::WebMessagePortChannelProvider::entangleLocalPortInThisProcessToRemote):
(WebKit::WebMessagePortChannelProvider::messagePortDisentangled):
(WebKit::WebMessagePortChannelProvider::networkProcessConnectionClosed):
(WebKit::WebMessagePortChannelProvider::messagePortClosed):
(WebKit::WebMessagePortChannelProvider::takeAllMessagesForPort):
* Source/WebKit/WebProcess/WebCoreSupport/WebMessagePortChannelProvider.h:
* Source/WebKit/WebProcess/WebProcess.cpp:
(WebKit::WebProcess::networkProcessConnectionClosed):
* Tools/TestWebKitAPI/Resources/cocoa/MessagePortSecurity.mm:
((MessagePortSecurity, CrossProcessMessageTheftViaTakeAllMessagesForPort)):
((MessagePortSecurity, MessagePortsSurviveNetworkProcessRestart)):
((MessagePortSecurity,
MessagePortsSurviveNetworkProcessRestartWithSiteIsolation)):
((MessagePortSecurity, WorkerMessagePortsSurviveNetworkProcessRestart)):
Originally-landed-as: 305413.972@safari-7624-branch (b90cdae5a91d).
rdar://178741244
Canonical link: https://commits.webkit.org/314573@main
Canonical link: https://commits.webkit.org/305877.769@webkitglib/2.52
Commit: 521b55ce447f0c74798387c5633c5dd576764c0d
https://github.com/WebKit/WebKit/commit/521b55ce447f0c74798387c5633c5dd576764c0d
Author: Rupin Mittal <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
Cherry-pick 314583@main (e30ca29fe973).
https://bugs.webkit.org/show_bug.cgi?id=314298
Add cookie access validation to startDownload() and
convertMainResourceLoadToDownload() to prevent CSRF
https://bugs.webkit.org/show_bug.cgi?id=314298
rdar://173378006
Reviewed by Alex Christensen.
NetworkConnectionToWebProcess::startDownload() and
NetworkConnectionToWebProcess::convertMainResourceLoadToDownload() do not
validate the firstPartyForCookies in the requests sent to them by the web
process. So a web process could send in a cross-site origin, leading to
requests being sent to this cross-site origin that contain the cookies for
this origin. So these requests would be seen as legitimate even though they
did not come from the user. We fix this by adding message checks to confirm
that the web process indeed has cookie access to the origin it is sending
as the firstPartyForCookies.
This breaks a number of tests. For example,
TEST(_WKDownload, DownloadRequestOriginalURLDirectDownload), crashes at the
ASSERT_NOT_REACHED(); in NetworkProcess::allowsFirstPartyForCookies because
the web process hasn't been added to the map (Since the policy decision is
PolicyAction::Download and that codepath doesn't add the web process to the
map. So we modify the MESSAGE_CHECK to only occur if the passed in request
contains a non-empty firstPartyForCookies. That way, we guard against an
arbitrary domain being used.
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::startDownload):
(WebKit::NetworkConnectionToWebProcess::convertMainResourceLoadToDownload):
Originally-landed-as: 305413.882@safari-7624-branch (12dccb08af3d).
rdar://173378006
Canonical link: https://commits.webkit.org/314583@main
Canonical link: https://commits.webkit.org/305877.770@webkitglib/2.52
Commit: 406a3327db30ca4021b8d2608e18348594556cfb
https://github.com/WebKit/WebKit/commit/406a3327db30ca4021b8d2608e18348594556cfb
Author: Rupin Mittal <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebKit/WebProcess/WebPage/WebCookieJar.cpp
Log Message:
-----------
Cherry-pick 314550@main (28ea4d7f92e5).
https://bugs.webkit.org/show_bug.cgi?id=316231
WebCookieJar contains duplicate shouldBlockCookies() call
https://bugs.webkit.org/show_bug.cgi?id=316231
rdar://178655565
Reviewed by Charlie Wolfe.
There is no need to recompute shouldBlockCookies. We can reuse the stored
result.
* Source/WebKit/WebProcess/WebPage/WebCookieJar.cpp:
(WebKit::WebCookieJar::cookiesEnabled):
Canonical link: https://commits.webkit.org/314550@main
Canonical link: https://commits.webkit.org/305877.771@webkitglib/2.52
Commit: eac069eefa82ab673c295a255926056728823d2e
https://github.com/WebKit/WebKit/commit/eac069eefa82ab673c295a255926056728823d2e
Author: Chris Dumez <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.html
A
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.js
A
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.worker-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.worker.html
M Source/WebCore/Modules/fetch/FetchBody.cpp
Log Message:
-----------
Cherry-pick 314442@main (5d8c7f0a38c9).
https://bugs.webkit.org/show_bug.cgi?id=316159
FetchBody::clone() leaves m_data and m_readableStream desynchronized
https://bugs.webkit.org/show_bug.cgi?id=316159
Reviewed by Anne van Kesteren.
When cloning a FetchBody whose body is a ReadableStream, only the
m_readableStream field was updated to point at the new tee branches;
m_data still held the original (now disturbed) stream on the source,
and was left as the default nullptr variant on the clone. This broke
the invariant established by FetchBody(Ref<ReadableStream>&&) that
m_data and m_readableStream refer to the same stream, causing
isReadableStream() and hasReadableStream() to disagree.
The visible consequence is that constructing a new Request from a
cloned Request silently dropped the body: FetchBody::createProxy()
keys off isReadableStream(), which returned false on the clone, so
the proxy short-circuited before piping the readable stream through.
Set m_data alongside m_readableStream on both branches of the tee
to keep the two fields in sync.
This aligns our behavior with Chrome.
Tests:
imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.html
imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.worker.html
*
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any-expected.txt:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.js:
Added.
(promise_test.async const):
(promise_test):
*
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.worker-expected.txt:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-clone-readable-stream-body.any.worker.html:
Added.
* Source/WebCore/Modules/fetch/FetchBody.cpp:
(WebCore::FetchBody::clone):
Canonical link: https://commits.webkit.org/314442@main
Canonical link: https://commits.webkit.org/305877.772@webkitglib/2.52
Commit: e6197d2b43346da3a512830a0f412e44ec6a232d
https://github.com/WebKit/WebKit/commit/e6197d2b43346da3a512830a0f412e44ec6a232d
Author: Zak Ridouh <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
A
LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash-expected.txt
A
LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash.html
M Source/WebKit/UIProcess/WebProcessProxy.cpp
Log Message:
-----------
Cherry-pick 314426@main (9d6056753754).
https://bugs.webkit.org/show_bug.cgi?id=316154
Fix use-after-free in ~WebProcessProxy() when replying to pending IPC
messages
https://bugs.webkit.org/show_bug.cgi?id=316154
rdar://178478856
Reviewed by Chris Dumez.
When a WebProcessProxy is torn down while its process is still launching,
~AuxiliaryProcessProxy() calls replyToPendingMessages() after
WebProcessProxy's
own members have already been destroyed. Those reply handlers (e.g. the one
queued
by sendPageCloseMessage()) upgrade a WeakPtr<WebProcessProxy> that is still
live —
the WeakPtrFactory lives in a base class destroyed later — and read freed
members
such as m_pagesPendingClose, causing a heap-use-after-free.
Reply to the pending messages at the top of ~WebProcessProxy(), while our
members
are still intact. The later base-class call then finds an empty queue and
is a no-op.
*
LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash-expected.txt:
Added.
*
LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash.html:
Added.
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::~WebProcessProxy):
Canonical link: https://commits.webkit.org/314426@main
Canonical link: https://commits.webkit.org/305877.773@webkitglib/2.52
Commit: 1f39a3c35acf07a422650fe1f81966c9638f2aa8
https://github.com/WebKit/WebKit/commit/1f39a3c35acf07a422650fe1f81966c9638f2aa8
Author: Claudio Saavedra <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebCore/Modules/webaudio/AudioNodeInput.cpp
Log Message:
-----------
Cherry-pick 314410@main (7ff2120302f0).
https://bugs.webkit.org/show_bug.cgi?id=316093
webaudio/AudioBufferSource/audiobuffersource-playbackrate.html is a flaky
crash
https://bugs.webkit.org/show_bug.cgi?id=316093
Reviewed by Philippe Normand and Chris Dumez.
AudioDestinationNode::renderQuantum() runs the audio thread inside a
ForbidMallocUseForCurrentThreadScope, which extends through
handlePostRenderTasks() and the node-deletion bookkeeping it performs. The
fallback in AudioNodeInput::disconnect() calls m_disabledOutputs.remove()
without a DisableMallocRestrictionsForCurrentThreadScope; HashSet::remove()
may shrink and rehash, allocating, and trips the assertion.
AudioSummingJunction::removeOutput() and AudioNodeInput::disable() /
enable()
already wrap their hash-set mutations the same way; do the same for the
disabled-list fallback in disconnect().
* Source/WebCore/Modules/webaudio/AudioNodeInput.cpp:
(WebCore::AudioNodeInput::disconnect):
Canonical link: https://commits.webkit.org/314410@main
Canonical link: https://commits.webkit.org/305877.774@webkitglib/2.52
Commit: ff4bc7858b3e61f4fa9bcbd5ff011615562ce9f4
https://github.com/WebKit/WebKit/commit/ff4bc7858b3e61f4fa9bcbd5ff011615562ce9f4
Author: Philippe Normand <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp
Log Message:
-----------
Cherry-pick 314369@main (afa9356bdfb2).
https://bugs.webkit.org/show_bug.cgi?id=316096
REGRESSION(314285@main): [GStreamer]
imported/w3c/web-platform-tests/webrtc/RTCPeerConnection-addTransceiver-renegotiation.https.html
crashes
https://bugs.webkit.org/show_bug.cgi?id=316096
Reviewed by Claudio Saavedra.
The transceiver codec-preferences can be un-set, so that should be checked
before usage.
* Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:
(WebCore::GStreamerMediaEndpoint::trackWasReplaced):
Canonical link: https://commits.webkit.org/314369@main
Canonical link: https://commits.webkit.org/305877.775@webkitglib/2.52
Commit: c9159513d8793809cc2d30906b7e96f12c9b2d43
https://github.com/WebKit/WebKit/commit/c9159513d8793809cc2d30906b7e96f12c9b2d43
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c
M Source/bmalloc/libpas/src/libpas/pas_race_test_hooks.h
M Source/bmalloc/libpas/src/test/BitfitTests.cpp
Log Message:
-----------
Cherry-pick 312830@main (6e299de4c1ae).
https://bugs.webkit.org/show_bug.cgi?id=314271
[libpas] Fix race in `pas_bitfit_directory_take_last_empty`
https://bugs.webkit.org/show_bug.cgi?id=314271
Reviewed by Marcus Plutowski.
pas_bitfit_directory_take_last_empty read last_empty_plus_one with
pas_versioned_field_read instead of pas_versioned_field_read_to_watch,
so the final pas_versioned_field_try_write could not detect a
concurrent view_did_become_empty_at_index between the scan and the
write. The try_write succeeded on a stale version and zeroed
last_empty_plus_one with empty bits still set, stranding the page.
The matching segregated-directory path already uses read_to_watch.
Add a regression test that uses pas_race_test_hooks to inject the
empty event between the scan and the write.
* Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c:
(pas_bitfit_directory_take_last_empty):
* Source/bmalloc/libpas/src/libpas/pas_race_test_hooks.h:
(pas_race_test_hook_kind_get_string):
* Source/bmalloc/libpas/src/test/BitfitTests.cpp:
(std::takeLastEmptyRaceHook):
(std::testTakeLastEmptyLastEmptyPlusOneWatchRace):
(addBitfitTests):
Canonical link: https://commits.webkit.org/312830@main
Canonical link: https://commits.webkit.org/305877.776@webkitglib/2.52
Commit: 22c6d14dfc28f504ff95012bf027fae54d8d9f5d
https://github.com/WebKit/WebKit/commit/22c6d14dfc28f504ff95012bf027fae54d8d9f5d
Author: David Kilzer <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebCore/workers/WorkerMessagingProxy.cpp
Log Message:
-----------
Cherry-pick 312256@main (80cc99fb32cb).
https://bugs.webkit.org/show_bug.cgi?id=313389
WorkerMessagingProxy objects leak after calling worker.terminate() from
JavaScript
<https://bugs.webkit.org/show_bug.cgi?id=313389>
<rdar://175652847>
Reviewed by Chris Dumez.
Handle the case in `workerObjectDestroyed()` where
`workerGlobalScopeDestroyedInternal()` has already run. When
that happens, the proxy's thread, context, and identifier are
already cleaned up -- the only remaining work is releasing the
initial construction ref via `deref()`. Without this,
`workerObjectDestroyed()` returns early on the nullopt
identifier, leaving the ref permanently held.
Also clear `m_queuedEarlyTasks` in
`workerGlobalScopeDestroyedInternal()` because tasks queued
before the worker thread is created capture `Ref { *this }`,
forming a retain cycle through the proxy's own member vector
that prevents destruction even after `deref()` is called.
The leak was introduced in Bug 22723 (254597@main) which added
the null-context early return to `workerObjectDestroyed()` and
added `m_scriptExecutionContext = nullptr` to
`workerGlobalScopeDestroyedInternal()` as part of implementing
nested dedicated workers.
Test using `run-webkit-tests --leaks` with:
- workers/worker-set-delete-terminate-crash.html
- workers/worker-terminate-crash.html
* Source/WebCore/workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::workerObjectDestroyed):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
Canonical link: https://commits.webkit.org/312256@main
Canonical link: https://commits.webkit.org/305877.777@webkitglib/2.52
Commit: 0480a37c76c81dbfee40160990e3442f5cd5bf5c
https://github.com/WebKit/WebKit/commit/0480a37c76c81dbfee40160990e3442f5cd5bf5c
Author: Youenn Fablet <[email protected]>
Date: 2026-06-21 (Sun, 21 Jun 2026)
Changed paths:
M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp
M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.h
Log Message:
-----------
Cherry-pick 311277@main (5205050c09a9).
https://bugs.webkit.org/show_bug.cgi?id=312253
Callers of WebSWServerConnection::checkTopOrigin should return early if
check fails
https://bugs.webkit.org/show_bug.cgi?id=312253
rdar://174495602
Reviewed by Chris Dumez.
We make checkTopOrigin return false if a MESSAGE_CHECK fails and make
callers of checkTopOrigin bail out if it returns false.
* Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
(WebKit::WebSWServerConnection::resolveUnregistrationJobInClient):
* Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.h:
Canonical link: https://commits.webkit.org/311277@main
Canonical link: https://commits.webkit.org/305877.778@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/bc22e64695c7...0480a37c76c8
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications