Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 4803334d528e3b56a4be62c611b7cdf2771455b5
https://github.com/WebKit/WebKit/commit/4803334d528e3b56a4be62c611b7cdf2771455b5
Author: Shu-yu Guo <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A JSTests/wasm/stress/wasm-resizable-buffer-resize-after-gc.js
M Source/JavaScriptCore/runtime/ArrayBuffer.cpp
M Source/JavaScriptCore/runtime/ArrayBuffer.h
M Source/JavaScriptCore/runtime/JSArrayBuffer.cpp
M Source/JavaScriptCore/runtime/JSArrayBuffer.h
M Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp
M Source/JavaScriptCore/wasm/WasmMemory.cpp
M Source/JavaScriptCore/wasm/WasmMemory.h
M Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
Log Message:
-----------
Cherry-pick 095fa99180ff. https://bugs.webkit.org/show_bug.cgi?id=313473
[JSC] Keep JSWebAssemblyMemory alive from wasm-originated JSArrayBuffers
https://bugs.webkit.org/show_bug.cgi?id=313473
rdar://175674018
Reviewed by Keith Miller.
Currently, ArrayBuffers that are created by WebAssembly.Memory.p.
toResizableBuffer do not keep that WebAssembly.Memory instance alive. This is a
memory safety footgun. While JS-originated resizable ABs reserve the virtual
memory of their max size up front, wasm-originated resizable ABs can either be
bounds-checking which do not reserve virtual memory up front, or signaling,
which do. Currently, because wasm-originated ArrayBuffers do not keep their
WebAssembly.Memory alive, non-wasm ArrayBuffer code has to be aware of this
implementation in case the WebAssembly.Memory gets collected. This complicates
the object representation space and is error-prone.
This PR simplifies this set up by making wasm-originated ArrayBuffers and their
originator WebAssembly.Memory exist in a GC lifetime cycle. This means
wasm-originated ABs _always_ delegate resizing to WebAssembly.Memory.
The weak pointer to the underlying Wasm::Memory in ArrayBuffers is no longer
needed and removed.
The spot fix to keep WebAssembly.Memory alive for the duration of
ArrayBuffer.prototype.resize from 305413.660@safari-7624-branch is also
reverted as this fix removes the need for it.
Test: JSTests/wasm/stress/wasm-resizable-buffer-resize-after-gc.js
* JSTests/wasm/stress/wasm-resizable-buffer-resize-after-gc.js: Added.
(flushStackRoots):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::resize):
(JSC::ArrayBuffer::setAssociatedWasmMemory): Deleted.
* Source/JavaScriptCore/runtime/ArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::associatedWasmMemoryWrapper const):
(JSC::JSArrayBuffer::setAssociatedWasmMemoryWrapper):
(JSC::JSArrayBuffer::clearAssociatedWasmMemoryWrapper):
(JSC::JSArrayBuffer::visitChildrenImpl):
* Source/JavaScriptCore/runtime/JSArrayBuffer.h:
* Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::createZeroSized):
(JSC::Wasm::Memory::tryCreate):
(JSC::Wasm::Memory::growShared):
(JSC::Wasm::Memory::grow):
* Source/JavaScriptCore/wasm/WasmMemory.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::tryCreate):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::adopt):
(JSC::JSWebAssemblyMemory::associateArrayBuffer):
(JSC::JSWebAssemblyMemory::disassociateArrayBuffer):
(JSC::JSWebAssemblyMemory::growSuccessCallback):
* Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::WebAssemblyMemoryConstructor::createMemoryFromDescriptor):
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readTerminal):
Identifier: 305413.790@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.854@webkitglib/2.52
Commit: 08f959f218a90fd267b4cbacf5ac4662ad7c1aa1
https://github.com/WebKit/WebKit/commit/08f959f218a90fd267b4cbacf5ac4662ad7c1aa1
Author: Phinehas Fuachie <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A
LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling-expected.txt
A LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling.html
M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp
M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.h
M Source/WebCore/testing/Internals.cpp
M Source/WebCore/testing/Internals.h
M Source/WebCore/testing/Internals.idl
Log Message:
-----------
Cherry-pick c0bd74757c6e. https://bugs.webkit.org/show_bug.cgi?id=305612
Web Audio WaveShaperNode: NaN input produces out-of-bounds read in
processCurve()
https://bugs.webkit.org/show_bug.cgi?id=305612
rdar://164364161
Reviewed by Youenn Fablet.
NaN input samples bypass range checks since NaN comparisons always return
false, causing
std::floor(NaN) to produce NaN which converts to a garbage unsigned index,
resulting in an
out-of-bounds read.
Fix by guarding non-finite inputs and outputting silence (0.0f). Also clamp
valid inputs to [-1, 1]
for additional safety.
The static helper processCurveWithData is introduced to allow unit testing the
algorithm in
isolation without needing to instantiate a WaveShaperProcessor.
*
LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling-expected.txt:
Added.
* LayoutTests/webaudio/WaveShaper/waveshaper-nan-infinity-handling.html: Added.
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp:
(WebCore::WaveShaperDSPKernel::processCurve):
(WebCore::WaveShaperDSPKernel::processCurveWithData):
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.h:
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::waveShaperProcessCurveWithData):
* Source/WebCore/testing/Internals.h:
* Source/WebCore/testing/Internals.idl:
Identifier: 305413.86@safari-7624-branch
Canonical link: https://commits.webkit.org/305877.855@webkitglib/2.52
Commit: f9e13512ae52d032b6722618aef76604b2a953d7
https://github.com/WebKit/WebKit/commit/f9e13512ae52d032b6722618aef76604b2a953d7
Author: Ruthvik Konda <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash-expected.txt
A
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash.html
M Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp
M Source/WebCore/Modules/webaudio/WaveShaperNode.cpp
M Source/WebCore/Modules/webaudio/WaveShaperNode.h
M Source/WebCore/Modules/webaudio/WaveShaperProcessor.cpp
M Source/WebCore/Modules/webaudio/WaveShaperProcessor.h
Log Message:
-----------
Cherry-pick 0dcea6bac528. https://bugs.webkit.org/show_bug.cgi?id=313528
[WebCore] Store WaveShaperProcessor curve as Vector<float> to avoid
cross-thread RefCounted race
https://bugs.webkit.org/show_bug.cgi?id=313528
rdar://175171873
Reviewed by Chris Dumez.
WaveShaperProcessor::m_curve was a RefPtr<Float32Array>. Float32Array inherits
RefCounted<ArrayBufferView>, whose refcount is non-atomic. 296577@main changed
the audio-thread readers in WaveShaperDSPKernel::processCurve and
WaveShaperNode::propagatesSilence to wrap waveShaperProcessor()->curve() in a
local RefPtr; the main-thread getter WaveShaperNode::curveForBindings() already
did the same lockless. The concurrent non-atomic ref/deref races; a lost
increment leaves the count one too low; a subsequent deref frees m_curve out
from under the processor; the next render quantum is a heap-use-after-free in
processCurve.
On builds with ENABLE(SECURITY_ASSERTIONS), RefCountDebugger's threading
checker traps first; on plain Release the UAF is reachable from web content via
OfflineAudioContext + the WaveShaperNode.curve getter.
Fix by storing the curve as Vector<float> instead of RefPtr<Float32Array>. The
internal curve was already cloned on set and on get, so the Float32Array wrapper
was vestigial. With a Vector there is no RefCounted object on the audio-thread
path; m_processLock continues to guard buffer replacement against audio-thread
reads. This matches AudioParamTimeline::ParamEvent::m_curve and
IIRProcessor::m_feedforward.
Test: webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash.html
*
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash-expected.txt:
Added.
*
LayoutTests/webaudio/WaveShaper/waveshaper-curve-getter-during-rendering-crash.html:
Added.
* Source/WebCore/Modules/webaudio/WaveShaperDSPKernel.cpp:
(WebCore::WaveShaperDSPKernel::processCurve):
* Source/WebCore/Modules/webaudio/WaveShaperNode.cpp:
(WebCore::WaveShaperNode::setCurveForBindings):
(WebCore::WaveShaperNode::curveForBindings):
(WebCore::WaveShaperNode::propagatesSilence const):
* Source/WebCore/Modules/webaudio/WaveShaperNode.h:
* Source/WebCore/Modules/webaudio/WaveShaperProcessor.cpp:
(WebCore::WaveShaperProcessor::setCurveForBindings):
* Source/WebCore/Modules/webaudio/WaveShaperProcessor.h:
(WebCore::WaveShaperProcessor::curveForBindings const):
(WebCore::WaveShaperProcessor::curve const):
(WebCore::WaveShaperProcessor::curveForBindings): Deleted.
Identifier: 305413.793@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.856@webkitglib/2.52
Commit: 4b475ff6d70b037b305e86b200d7df4fc1322a2e
https://github.com/WebKit/WebKit/commit/4b475ff6d70b037b305e86b200d7df4fc1322a2e
Author: Kiet Ho <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/scroll-compensation-crash.html
M Source/WebCore/page/LocalFrameViewLayoutContext.cpp
Log Message:
-----------
Cherry-pick 444a849510b9. https://bugs.webkit.org/show_bug.cgi?id=313528
[css-anchor-position-1] removeScrollerFromAnchorScrollAdjusters mutates array
when iterating through it
rdar://175679565
Reviewed by Elika Etemad.
LocalFrameViewLayoutContext::removeScrollerFromAnchorScrollAdjusters iterates
through m_anchorScrollAdjusters, and unregisters adjusters belonging to the
scroller by calling unregisterAnchorScrollAdjusterFor.
unregisterAnchorScrollAdjusterFor
in turn removes adjusters also from m_anchorScrollAdjusters, which is being
iterated on.
Vectors are not safe to modify when iterating through. Change the loop to save
the list
of adjusters to be removed in a HashSet, then remove the saved adjusters after.
Test:
imported/w3c/web-platform-tests/css/css-anchor-position/scroll-compensation-crash.html
*
LayoutTests/imported/w3c/web-platform-tests/css/css-anchor-position/scroll-compensation-crash.html:
Added.
* Source/WebCore/page/LocalFrameViewLayoutContext.cpp:
(WebCore::LocalFrameViewLayoutContext::removeScrollerFromAnchorScrollAdjusters):
Identifier: 305413.802@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.857@webkitglib/2.52
Commit: 705f90086aff3cfd50a1061f58ebd857ce570079
https://github.com/WebKit/WebKit/commit/705f90086aff3cfd50a1061f58ebd857ce570079
Author: Jer Noble <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebCore/Modules/mediasource/MediaSource.cpp
M Source/WebCore/platform/graphics/MediaPlayer.cpp
M Source/WebCore/platform/graphics/MediaPlayer.h
Log Message:
-----------
Cherry-pick c222f765786f. https://bugs.webkit.org/show_bug.cgi?id=313693
MediaEngineSupportParameters is passed across a thread boundary without making
an isolatedCopy().
rdar://174652324
https://bugs.webkit.org/show_bug.cgi?id=313693
Reviewed by Jean-Yves Avenard.
Allow MediaEngineSupporrtParameters to be used cross-thread by adding an
isolatedCopy() method.
* Source/WebCore/Modules/mediasource/MediaSource.cpp:
(WebCore::MediaSource::isTypeSupported):
* Source/WebCore/platform/graphics/MediaPlayer.cpp:
(WebCore::MediaEngineSupportParameters::isolatedCopy):
* Source/WebCore/platform/graphics/MediaPlayer.h:
Identifier: 305413.794@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.858@webkitglib/2.52
Commit: d2361070280fa5110babefcdb986ae74c5267881
https://github.com/WebKit/WebKit/commit/d2361070280fa5110babefcdb986ae74c5267881
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/streams/readable-stream-cancel-fake-promise-crash-expected.txt
A LayoutTests/streams/readable-stream-cancel-fake-promise-crash.html
M Source/WebCore/Modules/streams/ReadableStream.cpp
M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp
Log Message:
-----------
Cherry-pick 3f06c62bc271. https://bugs.webkit.org/show_bug.cgi?id=313706
Type confusion in ReadableStream.cancel() via jsCast<JSPromise*>
https://bugs.webkit.org/show_bug.cgi?id=313706
rdar://174938744
Reviewed by Chris Dumez and Mark Lam.
Replaced the use of unconditional jsCast with jsDynamicCast to fix the bug.
Test: streams/readable-stream-cancel-fake-promise-crash.html
* LayoutTests/streams/readable-stream-cancel-fake-promise-crash-expected.txt:
Added.
* LayoutTests/streams/readable-stream-cancel-fake-promise-crash.html: Added.
* Source/WebCore/Modules/streams/ReadableStream.cpp:
(WebCore::ReadableStream::cancel):
* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp:
(WebCore::ReadableStreamDefaultReader::read):
Identifier: 305413.806@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.859@webkitglib/2.52
Commit: 1a39ad3eac8e497bb38d4683bb359ee543368b0c
https://github.com/WebKit/WebKit/commit/1a39ad3eac8e497bb38d4683bb359ee543368b0c
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash-expected.txt
A
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash.html
M Source/WebCore/page/FocusController.cpp
Log Message:
-----------
Cherry-pick f9763c9248db. https://bugs.webkit.org/show_bug.cgi?id=313702
Use-after-free in FocusController::findAndFocusElementInDocumentOrder
https://bugs.webkit.org/show_bug.cgi?id=313702
rdar://175673194
Reviewed by Aditya Keerthi.
Fixed the bug by deploying a smart pointer.
Test:
fast/events/new-focused-document-removal-during-blur-event-handler-crash.html
*
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash-expected.txt:
Added.
*
LayoutTests/fast/events/new-focused-document-removal-during-blur-event-handler-crash.html:
Added.
* Source/WebCore/page/FocusController.cpp:
(WebCore::FocusController::findAndFocusElementInDocumentOrderStartingWithFrame):
Identifier: 305413.804@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.860@webkitglib/2.52
Commit: b46112e2df12e450c68c4650d52ffc862bab0a1b
https://github.com/WebKit/WebKit/commit/b46112e2df12e450c68c4650d52ffc862bab0a1b
Author: Vignesh Rao <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
Log Message:
-----------
Cherry-pick 84a5f91f00a5. https://bugs.webkit.org/show_bug.cgi?id=313063
[JSC] Unconditionally keep OMGOSREntryCallee alive while updating its callsites
https://bugs.webkit.org/show_bug.cgi?id=313063
rdar://174492346
Reviewed by Keith Miller.
After a re-tier, when a fresh BBQCallee replaces a retired one,
m_osrEntryCallees may hold a stale weak ref to an OMGOSREntryCallee not owned
by the current BBQCallee. Currently, updateCallsitesToCallUs will not track
this since it assumes that this OMGOSREntryCallee will be owned by the BBQCallee
This patch fixes it by unconditionally keeping the OMGOSREntryCallee alive
while we update all the callsites within it. The assert in ~BBQCallee is void
now since an OMGOSREntryCallee can now have multiple owners.
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::BBQCallee::~BBQCallee):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::updateCallsitesToCallUs):
Identifier: 305413.784@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.861@webkitglib/2.52
Commit: 9ff892e9e199b8873d56653fae8daa936b121185
https://github.com/WebKit/WebKit/commit/9ff892e9e199b8873d56653fae8daa936b121185
Author: Ryosuke Niwa <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A
LayoutTests/editing/async-clipboard/clipboard-write-item-crash-expected.txt
A LayoutTests/editing/async-clipboard/clipboard-write-item-crash.html
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp
Log Message:
-----------
Cherry-pick 061b1c5b4012. https://bugs.webkit.org/show_bug.cgi?id=313691
Heap use-after-free in ClipboardItemBindingsDataSource::clearItemTypeLoaders()
https://bugs.webkit.org/show_bug.cgi?id=313691
rdar://174651164
Reviewed by Wenson Hsieh.
Avoid the use-after-free by moving the contents of Vector to a local variable.
Test: editing/async-clipboard/clipboard-write-item-crash.html
* LayoutTests/editing/async-clipboard/clipboard-write-item-crash-expected.txt:
Added.
* LayoutTests/editing/async-clipboard/clipboard-write-item-crash.html: Added.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::clearItemTypeLoaders):
Identifier: 305413.812@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.862@webkitglib/2.52
Commit: 8663cacd3ae7b109eb1935577199e827d5b2f516
https://github.com/WebKit/WebKit/commit/8663cacd3ae7b109eb1935577199e827d5b2f516
Author: Jer Noble <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebCore/Modules/mediarecorder/BlobEvent.cpp
M Source/WebCore/Modules/mediarecorder/BlobEvent.h
Log Message:
-----------
Cherry-pick 0743320ceb0e. https://bugs.webkit.org/show_bug.cgi?id=313915
BlobEvent::Init::timecode missing initializer leaks 8 bytes of uninitialized
stack memory
rdar://175759962
https://bugs.webkit.org/show_bug.cgi?id=313915
Reviewed by Simon Fraser.
* Source/WebCore/Modules/mediarecorder/BlobEvent.cpp:
(WebCore::BlobEvent::BlobEvent):
* Source/WebCore/Modules/mediarecorder/BlobEvent.h:
Identifier: 305413.809@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.863@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/a059fc1ff7ac...8663cacd3ae7
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications