Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 2c4dc30626cc1c80f9be8b1a04d0c7117aa6c622
https://github.com/WebKit/WebKit/commit/2c4dc30626cc1c80f9be8b1a04d0c7117aa6c622
Author: Ruthvik Konda <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/ipc/create-audio-source-provider-twice-expected.txt
A LayoutTests/ipc/create-audio-source-provider-twice.html
M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp
Log Message:
-----------
Cherry-pick c5c267219314. https://bugs.webkit.org/show_bug.cgi?id=313571
RemoteMediaPlayerProxy::createAudioSourceProvider should reject duplicate IPC
https://bugs.webkit.org/show_bug.cgi?id=313571
rdar://175035393
Reviewed by Eric Carlson.
A well-behaved WebContent process sends CreateAudioSourceProvider at most once per
RemoteMediaPlayerProxy. A second message reaches AudioSourceProviderAVFObjC's
setConfigureAudioStorageCallback / setAudioCallback, which overwrite the callbacks
without taking tapStorage->lock while a MediaToolbox thread may be invoking them
under that lock, freeing the captured RemoteAudioSourceProviderProxy mid-use.
Reject the duplicate message with a MESSAGE_CHECK.
* LayoutTests/ipc/create-audio-source-provider-twice-expected.txt: Added.
* LayoutTests/ipc/create-audio-source-provider-twice.html: Added.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp:
(WebKit::RemoteMediaPlayerProxy::createAudioSourceProvider):
Identifier: 305413.810@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.866@webkitglib/2.52
Commit: 056433367a17df390898280567467727aaf8aadf
https://github.com/WebKit/WebKit/commit/056433367a17df390898280567467727aaf8aadf
Author: Youenn Fablet <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/fast/mediastream/applyConstraints-with-takePhoto-expected.txt
A LayoutTests/fast/mediastream/applyConstraints-with-takePhoto.html
M Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp
Log Message:
-----------
Cherry-pick 207238632262. https://bugs.webkit.org/show_bug.cgi?id=313571
Heap UaF in GPU Process via MediaStreamTrack.clone() + ImageCapture.takePhoto() + applyConstraints()
rdar://176025005
Reviewed by Eric Carlson.
We store constraints in the callback by value instead of reference to make sure
that the constraints are valid if the callback is called asynchronously.
Test: fast/mediastream/applyConstraints-with-takePhoto.html
* LayoutTests/fast/mediastream/applyConstraints-with-takePhoto-expected.txt: Added.
* LayoutTests/fast/mediastream/applyConstraints-with-takePhoto.html: Added.
* Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp:
Identifier: 305413.816@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.867@webkitglib/2.52
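The commit above fixes the lifetime problem by copying the constraints into the callback. The following is an added example (not WebKit's UserMediaCaptureManagerProxy code) showing that pattern on a toy capture manager whose "apply" step is deferred; the names CaptureManager, Constraints and applyFromTemporaryScope are hypothetical.

```cpp
#include <cstddef>
#include <functional>
#include <optional>
#include <utility>
#include <vector>

// Added example, not WebKit's code. The deferred callback captures a copy of
// the constraints rather than a reference to the caller's object, so it is
// still valid when it runs asynchronously. Names are hypothetical.
struct Constraints {
    int width = 0;
    int height = 0;
};

class CaptureManager {
public:
    // Queues the apply step, e.g. to run once a pending takePhoto() completes.
    void applyConstraints(const Constraints& constraints) {
        // Capturing `constraints` by value copies it into the closure.
        // `[this, &constraints]` would keep a reference to the caller's object,
        // which may already be destroyed when runPending() drains the queue.
        m_pending.push_back([this, constraints] { m_applied = constraints; });
    }

    // Simulates the asynchronous completion; returns how many tasks ran.
    size_t runPending() {
        std::vector<std::function<void()>> tasks = std::move(m_pending);
        m_pending.clear();
        for (auto& task : tasks)
            task();
        return tasks.size();
    }

    std::optional<Constraints> applied() const { return m_applied; }

private:
    std::vector<std::function<void()>> m_pending;
    std::optional<Constraints> m_applied;
};

// Scenario: the caller's Constraints object lives in a scope that ends before
// the queued callback runs (constructed values).
Constraints applyFromTemporaryScope(CaptureManager& manager) {
    {
        Constraints requested{1280, 720};
        manager.applyConstraints(requested);
    } // `requested` no longer exists here
    manager.runPending();
    return manager.applied().value_or(Constraints{});
}
```

The by-reference variant is not executed here because reading a destroyed object is undefined behaviour; the point of the example is that the only state the callback touches is state it owns.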
Commit: 12bc0eece89c125e3bec8c45a5d9b3fa9b3396d1
https://github.com/WebKit/WebKit/commit/12bc0eece89c125e3bec8c45a5d9b3fa9b3396d1
Author: Jer Noble <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebCore/platform/graphics/MIMETypeCache.cpp
M Source/WebCore/platform/graphics/MIMETypeCache.h
M Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.h
M Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.mm
Log Message:
-----------
Cherry-pick 720a8f0b10ab. https://bugs.webkit.org/show_bug.cgi?id=313842
Data race on MIMETypeCache::m_cachedResults / m_supportedTypes in MIMETypeCache::canDecodeType
rdar://175674693
https://bugs.webkit.org/show_bug.cgi?id=313842
Reviewed by Eric Carlson.
It's unsafe to return a raw reference to an inner data member (without BorrowChecker)
as the underlying object can be mutated or freed leaving a dangling reference. Make two
changes to MIMETypeCache as a result:
- Require a lock be held to access the inner data member variable
- Return a copy of the inner member rather than a reference
* Source/WebCore/platform/graphics/MIMETypeCache.cpp:
(WebCore::MIMETypeCache::supportsContainerType):
(WebCore::MIMETypeCache::canDecodeType):
(WebCore::MIMETypeCache::addSupportedTypes):
(WebCore::MIMETypeCache::getCachedResult const):
(WebCore::MIMETypeCache::addCachedResult):
(WebCore::MIMETypeCache::supportedTypes):
(WebCore::MIMETypeCache::isEmpty const):
* Source/WebCore/platform/graphics/MIMETypeCache.h:
* Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.h:
* Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.mm:
(WebCore::AVStreamDataParserMIMETypeCache::supportedTypes):
(WebCore::AVStreamDataParserMIMETypeCache::canDecodeExtendedType):
Identifier: 305413.822@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.868@webkitglib/2.52
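The two changes named in the commit message (hold a lock to touch the members, return copies instead of references) are shown below on a toy cache. This is an added example and not WebKit's MIMETypeCache; the class and function names (MimeTypeCache, cachedResult, queryTwice, snapshotVersusLive) and the simplified content-type parsing are assumptions made for the example.

```cpp
#include <cstddef>
#include <mutex>
#include <optional>
#include <set>
#include <string>
#include <unordered_map>
#include <utility>

// Added example, not WebKit's code: a type cache whose accessors take the
// lock and hand back copies, never references into members that another
// thread may be mutating (or that may be freed by the time the caller looks).
class MimeTypeCache {
public:
    // Snapshot of the supported container types. A reference would race with
    // addSupportedTypes() on another thread; a copy taken under the lock is
    // stable for as long as the caller holds it.
    std::set<std::string> supportedTypes() const {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_supportedTypes;
    }

    void addSupportedTypes(const std::set<std::string>& types) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_supportedTypes.insert(types.begin(), types.end());
    }

    // Cached answer for a full content type, by value; nullopt = not cached.
    std::optional<bool> cachedResult(const std::string& contentType) const {
        std::lock_guard<std::mutex> lock(m_lock);
        auto it = m_cachedResults.find(contentType);
        if (it == m_cachedResults.end())
            return std::nullopt;
        return it->second;
    }

    bool canDecodeType(const std::string& contentType) {
        if (auto cached = cachedResult(contentType))
            return *cached;
        // Decide on the snapshot, outside the lock.
        bool result = supportedTypes().count(containerType(contentType)) > 0;
        std::lock_guard<std::mutex> lock(m_lock);
        m_cachedResults.emplace(contentType, result);
        return result;
    }

    bool isEmpty() const {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_supportedTypes.empty();
    }

private:
    // "video/mp4; codecs=avc1" -> "video/mp4" (simplified parsing, an assumption)
    static std::string containerType(const std::string& contentType) {
        auto semicolon = contentType.find(';');
        return semicolon == std::string::npos ? contentType : contentType.substr(0, semicolon);
    }

    mutable std::mutex m_lock; // guards both members below
    std::set<std::string> m_supportedTypes;
    std::unordered_map<std::string, bool> m_cachedResults;
};

// Scenario: a snapshot taken before a later addSupportedTypes() keeps its
// contents. Returns {snapshot size, live size}.
std::pair<size_t, size_t> snapshotVersusLive() {
    MimeTypeCache cache;
    cache.addSupportedTypes({"video/mp4", "audio/mp4"});
    std::set<std::string> snapshot = cache.supportedTypes();
    cache.addSupportedTypes({"video/webm"});
    return {snapshot.size(), cache.supportedTypes().size()};
}

// Scenario: the first query populates the cache for that content type.
struct QueryOutcome {
    bool decodable;
    bool cachedBefore;
    bool cachedAfter;
};

QueryOutcome queryTwice(const std::string& contentType) {
    MimeTypeCache cache;
    cache.addSupportedTypes({"video/mp4", "audio/mp4"});
    bool cachedBefore = cache.cachedResult(contentType).has_value();
    bool decodable = cache.canDecodeType(contentType);
    bool cachedAfter = cache.cachedResult(contentType).has_value();
    return {decodable, cachedBefore, cachedAfter};
}
```

Returning `std::set` by value costs a copy on every call; the trade the commit makes is that cost against a reference whose validity depends on what every other thread is doing.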
Commit: 9b151743c2552a6c6f09875979a3db08711fb7d0
https://github.com/WebKit/WebKit/commit/9b151743c2552a6c6f09875979a3db08711fb7d0
Author: Anand Srinivasan <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
Log Message:
-----------
Cherry-pick d446d220d636. https://bugs.webkit.org/show_bug.cgi?id=313590
Change IPInt m_pendingOffset to std::optional and add metadata offset overflow assertions
https://bugs.webkit.org/show_bug.cgi?id=313590
rdar://175673870
Reviewed by Dan Hecht.
IPIntControlType::m_pendingOffset was int32_t but stored values from
m_metadata->m_metadata.size(). A function within maxFunctionSize can
generate metadata exceeding INT32_MAX via repeated calls to functions
with large signatures.
Add overflow checks to the 32 bit computations to avoid silently
producing invalid metadata addresses, and change m_pendingOffset to use
std::optional instead of a sentinel value.
A practical test would take too long to include.
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntGenerator::tryToResolveBranchTarget):
(JSC::Wasm::IPIntGenerator::curPC):
(JSC::Wasm::IPIntGenerator::nextPC):
(JSC::Wasm::IPIntGenerator::curMC):
(JSC::Wasm::IPIntGenerator::checkedDelta):
(JSC::Wasm::IPIntGenerator::coalesceControlFlow):
(JSC::Wasm::IPIntGenerator::resolveEntryTarget):
(JSC::Wasm::IPIntGenerator::resolveExitTarget):
(JSC::Wasm::IPIntGenerator::addLoop):
(JSC::Wasm::IPIntGenerator::addIf):
(JSC::Wasm::IPIntGenerator::addElseToUnreachable):
(JSC::Wasm::IPIntGenerator::addCatchToUnreachable):
(JSC::Wasm::IPIntGenerator::addCatchAllToUnreachable):
(JSC::Wasm::IPIntGenerator::addDelegateToUnreachable):
(JSC::Wasm::IPIntGenerator::addEndToUnreachable):
Identifier: 305413.828@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.869@webkitglib/2.52
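The commit describes two hardening steps: overflow-checked 32-bit offset arithmetic and `std::optional` in place of a sentinel for "no pending offset". Below is an added example (not JavaScriptCore's IPInt generator) that models a metadata stream consumed through `int32_t` offsets and applies both steps; MetadataLayout, ControlBlock, checkedAdd32, resolveAfterAppend and emitUntilRefused are hypothetical names, and `__builtin_*_overflow` is a GCC/Clang intrinsic.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// Added example, not JSC's code. Offsets into the metadata stream are
// int32_t, as the commit describes, so every computation that produces one
// is checked instead of wrapping silently. Names are hypothetical.

std::optional<int32_t> checkedAdd32(int32_t a, int32_t b) {
    int32_t result;
    if (__builtin_add_overflow(a, b, &result))
        return std::nullopt;
    return result;
}

std::optional<int32_t> checkedSub32(int32_t a, int32_t b) {
    int32_t result;
    if (__builtin_sub_overflow(a, b, &result))
        return std::nullopt;
    return result;
}

// Checked narrowing of a container size (size_t) to the int32_t offset type.
std::optional<int32_t> checkedOffset32(size_t size) {
    if (size > static_cast<size_t>(std::numeric_limits<int32_t>::max()))
        return std::nullopt;
    return static_cast<int32_t>(size);
}

// Tracks the size of an emitted metadata stream; only the arithmetic is
// modelled, the bytes themselves are not stored.
class MetadataLayout {
public:
    // Appends `bytes`; refuses (returns false) if the new end offset would no
    // longer be representable as int32_t, instead of producing a bad address.
    bool append(size_t bytes) {
        if (bytes > std::numeric_limits<size_t>::max() - m_size)
            return false;
        if (!checkedOffset32(m_size + bytes))
            return false;
        m_size += bytes;
        return true;
    }
    std::optional<int32_t> currentOffset() const { return checkedOffset32(m_size); }

private:
    size_t m_size = 0;
};

// "No pending offset" is std::nullopt, not a sentinel such as -1 that could
// be mistaken for a real offset or fed into arithmetic by accident.
struct ControlBlock {
    std::optional<int32_t> pendingOffset;
};

// Resolves a pending branch: distance from the pending offset to the current
// end of the stream, or nullopt if nothing is pending or it does not fit.
std::optional<int32_t> resolveBranch(ControlBlock& block, const MetadataLayout& layout) {
    if (!block.pendingOffset)
        return std::nullopt;
    std::optional<int32_t> current = layout.currentOffset();
    if (!current)
        return std::nullopt;
    std::optional<int32_t> delta = checkedSub32(*current, *block.pendingOffset);
    block.pendingOffset.reset();
    return delta;
}

// Scenario: a block with `pending` recorded, then `appended` bytes emitted.
std::optional<int32_t> resolveAfterAppend(std::optional<int32_t> pending, size_t appended) {
    ControlBlock block{pending};
    MetadataLayout layout;
    layout.append(appended);
    return resolveBranch(block, layout);
}

// Scenario from the commit: one function emitting large per-call metadata
// repeatedly. Returns how many calls the checked layout accepted.
size_t emitUntilRefused(size_t bytesPerCall, size_t maxCalls) {
    MetadataLayout layout;
    size_t accepted = 0;
    for (; accepted < maxCalls; ++accepted) {
        if (!layout.append(bytesPerCall))
            break;
    }
    return accepted;
}
```

With one-gigabyte entries the second append already exceeds INT32_MAX and is refused, which is the failure the commit turns from a silent wrap into an explicit check.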
Commit: 6b38672514930d80d3145e7dfb64e98c2f04e187
https://github.com/WebKit/WebKit/commit/6b38672514930d80d3145e7dfb64e98c2f04e187
Author: Brady Eidson <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
M Source/WebKit/UIProcess/WebBackForwardList.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm
Log Message:
-----------
Cherry-pick 34c25063c9cf. https://bugs.webkit.org/show_bug.cgi?id=313590
Compromised WebContent process can gain arbitrary file URL access by spoofing back/forward list messages
rdar://174512192
Reviewed by Ben Nham and Per Arne Vollan.
Instead of debug-only asserting that an updated item belongs to the process, actually message check it.
Test: Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm
* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::WebBackForwardList::backForwardUpdateItem):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(enableIPCTestingAPI):
(TEST(WKBackForwardList, BackForwardUpdateItemRejectsFileURL)):
Identifier: 305413.830@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.870@webkitglib/2.52
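Two of the commits in this batch (RemoteMediaPlayerProxy::createAudioSourceProvider rejecting a duplicate message, and WebBackForwardList::backForwardUpdateItem checking that the item belongs to the sending process) are both message checks on the receiving side of IPC. The following added example, which is not WebKit's code, shows both checks on a toy receiver. WebKit's MESSAGE_CHECK terminates the sending process on failure; here a result code is returned so the outcome can be inspected. MediaPlayerProxy, BackForwardList, MessageResult and the scenario functions are hypothetical names, and the URLs are constructed.

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <string>
#include <unordered_map>
#include <utility>

// Added example, not WebKit's code: (1) a create message accepted at most
// once per proxy object, and (2) an update message that may only touch items
// owned by the sending process. Names are hypothetical.
enum class MessageResult { Accepted, RejectedDuplicate, RejectedNotOwned, RejectedUnknownItem };

using ProcessID = uint32_t;
using ItemID = uint64_t;

struct AudioSourceProvider {
    int callbacksInstalled = 0; // stands in for the real callback state
};

class MediaPlayerProxy {
public:
    // (1) A second CreateAudioSourceProvider is rejected rather than allowed to
    // re-run the callback setup on a provider that is already in use.
    MessageResult createAudioSourceProvider() {
        if (m_provider)
            return MessageResult::RejectedDuplicate;
        m_provider = std::make_unique<AudioSourceProvider>();
        m_provider->callbacksInstalled = 1;
        return MessageResult::Accepted;
    }
    bool hasProvider() const { return m_provider != nullptr; }

private:
    std::unique_ptr<AudioSourceProvider> m_provider;
};

struct BackForwardItem {
    ProcessID owner;
    std::string url;
};

class BackForwardList {
public:
    ItemID addItem(ProcessID owner, std::string url) {
        ItemID id = ++m_nextID;
        m_items.emplace(id, BackForwardItem{owner, std::move(url)});
        return id;
    }

    // (2) The item named in the update must belong to the sending process;
    // otherwise one process could rewrite entries it does not own.
    MessageResult updateItem(ProcessID sender, ItemID id, const std::string& newURL) {
        auto it = m_items.find(id);
        if (it == m_items.end())
            return MessageResult::RejectedUnknownItem;
        if (it->second.owner != sender)
            return MessageResult::RejectedNotOwned;
        it->second.url = newURL;
        return MessageResult::Accepted;
    }

    std::optional<std::string> urlOf(ItemID id) const {
        auto it = m_items.find(id);
        if (it == m_items.end())
            return std::nullopt;
        return it->second.url;
    }

private:
    ItemID m_nextID = 0;
    std::unordered_map<ItemID, BackForwardItem> m_items;
};

// Scenario (1): the same proxy receives the create message twice.
MessageResult secondCreateOutcome() {
    MediaPlayerProxy proxy;
    proxy.createAudioSourceProvider();
    return proxy.createAudioSourceProvider();
}

// Scenario (2): process 2 tries to repoint an item owned by process 1 at a
// constructed file URL. Returns {result, URL of the item afterwards}.
std::pair<MessageResult, std::string> spoofedUpdateOutcome() {
    BackForwardList list;
    ItemID item = list.addItem(/* owner */ 1, "https://example.com/page");
    MessageResult result = list.updateItem(/* sender */ 2, item, "file:///constructed/example");
    return {result, list.urlOf(item).value_or("")};
}

// The owning process may still update its own item.
MessageResult ownerUpdateOutcome() {
    BackForwardList list;
    ItemID item = list.addItem(1, "https://example.com/page");
    return list.updateItem(1, item, "https://example.com/page#section");
}
```

In both cases the check is done at the trust boundary, before any state is touched: the duplicate create never reaches the callback setters, and the spoofed update never reaches the item.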
Commit: 52e0da7267e1da16c03edf8238922b5cef67dcdc
https://github.com/WebKit/WebKit/commit/52e0da7267e1da16c03edf8238922b5cef67dcdc
Author: Shu-yu Guo <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A JSTests/stress/megamorphic-get-by-id-overrides-getter-exception-check.js
M Source/JavaScriptCore/jit/JITOperations.cpp
Log Message:
-----------
Cherry-pick 6e81451ccd9a. https://bugs.webkit.org/show_bug.cgi?id=314002
[JSC] getByIdMegamorphic needs a throw scope
https://bugs.webkit.org/show_bug.cgi?id=314002
rdar://176129042
Reviewed by Darin Adler, Yijia Huang, and Yusuke Suzuki.
getByIdMegamorphic can trigger user-defined getters, which can throw, and so needs a throw scope.
Test: JSTests/stress/megamorphic-get-by-id-overrides-getter-exception-check.js
* JSTests/stress/megamorphic-get-by-id-overrides-getter-exception-check.js: Added.
(megamorphicGetById.get obj):
(megamorphicGetById):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::getByIdMegamorphic):
Identifier: 305413.833@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.871@webkitglib/2.52
Commit: 55aa91bcc82096e6bdeacc1bbd8bff336b62f844
https://github.com/WebKit/WebKit/commit/55aa91bcc82096e6bdeacc1bbd8bff336b62f844
Author: Antoine Quint <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/webanimations/accelerated-animation-suspension-crash-expected.txt
A LayoutTests/webanimations/accelerated-animation-suspension-crash.html
M Source/WebCore/animation/AnimationTimelinesController.cpp
Log Message:
-----------
Cherry-pick f0d08798b749. https://bugs.webkit.org/show_bug.cgi?id=313961
[web-animations] use-after-free in AnimationTimelinesController::suspendAnimations: m_timelines rehashes during iteration when DocumentTimeline::suspendAnimations forces layout
https://bugs.webkit.org/show_bug.cgi?id=313961
rdar://175759878
Reviewed by Simon Fraser.
Calling `AnimationTimelinesController::suspendAnimations()` ends up calling
`DocumentTimeline::applyPendingAcceleratedAnimations()` which may trigger
a style recalculation for the targets of accelerated animations.
Such style recalculations may update the animation-to-timeline relationships
due to the `scroll-timeline` and `view-timeline` set of properties. This, in
turn, will cause `AnimationTimelinesController::suspendAnimations()` to have
the list of timelines it iterates over mutate. As such we now make a copy of
that list prior to iteration.
The new test was generated with AI assistance and adapted.
Test: webanimations/accelerated-animation-suspension-crash.html
* LayoutTests/webanimations/accelerated-animation-suspension-crash-expected.txt: Added.
* LayoutTests/webanimations/accelerated-animation-suspension-crash.html: Added.
* Source/WebCore/animation/AnimationTimelinesController.cpp:
(WebCore::AnimationTimelinesController::suspendAnimations):
Identifier: 305413.836@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.872@webkitglib/2.52
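The fix in this commit is to iterate over a copy of the timeline set because suspending a timeline can re-enter the controller and mutate (rehash) the set. The example below is added here and is not WebKit's AnimationTimelinesController; it reproduces the re-entrancy on a toy controller where Controller, Timeline, onSuspend and runRehashScenario are hypothetical names.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <unordered_set>
#include <utility>
#include <vector>

// Added example, not WebKit's code. Suspending one timeline may re-enter the
// controller and register or unregister timelines while the loop is running.
class Controller;

struct Timeline {
    // Stand-in for the style recalculation the commit describes: it runs
    // while the controller is still iterating.
    std::function<void(Controller&)> onSuspend;
    bool suspended = false;
};

class Controller {
public:
    void addTimeline(Timeline* timeline) { m_timelines.insert(timeline); }
    void removeTimeline(Timeline* timeline) { m_timelines.erase(timeline); }
    size_t timelineCount() const { return m_timelines.size(); }

    // Returns the number of timelines suspended by this call.
    size_t suspendAnimations() {
        // Unsafe form: `for (Timeline* t : m_timelines)`. An insert made by
        // onSuspend can rehash m_timelines and invalidate the live iterator.
        auto timelinesToSuspend = m_timelines; // snapshot taken before iterating
        size_t suspended = 0;
        for (Timeline* timeline : timelinesToSuspend) {
            // Skip entries unregistered by an earlier callback. This example
            // assumes unregistered timelines stay alive (see the note below).
            if (!m_timelines.count(timeline))
                continue;
            timeline->suspended = true;
            ++suspended;
            if (timeline->onSuspend)
                timeline->onSuspend(*this);
        }
        return suspended;
    }

private:
    std::unordered_set<Timeline*> m_timelines;
};

// Scenario: suspending one of four timelines registers 64 more (enough to
// force a rehash) and unregisters itself. Returns {suspended, live count}.
std::pair<size_t, size_t> runRehashScenario() {
    std::vector<std::unique_ptr<Timeline>> owned; // keeps every Timeline alive
    Controller controller;
    for (int i = 0; i < 4; ++i) {
        owned.push_back(std::make_unique<Timeline>());
        controller.addTimeline(owned.back().get());
    }
    Timeline* reentrant = owned[0].get();
    reentrant->onSuspend = [&owned, reentrant](Controller& c) {
        for (int i = 0; i < 64; ++i) {
            owned.push_back(std::make_unique<Timeline>());
            c.addTimeline(owned.back().get());
        }
        c.removeTimeline(reentrant);
    };
    size_t suspended = controller.suspendAnimations();
    return {suspended, controller.timelineCount()};
}
```

Timelines registered during the walk are not in the snapshot and are not suspended by this call, which is the same consequence the copy has in the commit. The snapshot alone does not protect against an entry being destroyed (not merely unregistered) by a callback; that is why the example checks membership against the live set before touching each entry, and why the scenario keeps ownership in a separate vector.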
Commit: c3abddf6a1e00ff47696d34682811506326cbc9d
https://github.com/WebKit/WebKit/commit/c3abddf6a1e00ff47696d34682811506326cbc9d
Author: Dan Glastonbury <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc-expected.txt
A LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc.html
M Source/WebCore/Modules/webxr/WebXRSession.cpp
M Source/WebCore/Modules/webxr/WebXRSession.h
Log Message:
-----------
Cherry-pick 99867d817a6d. https://bugs.webkit.org/show_bug.cgi?id=313961
[WebXR] Use-after-free when ending an XRSession whose owning WebXRSystem has been garbage collected
rdar://175674872
Reviewed by REVIEWER.
WebXRSession held a raw reference (WebXRSystem&) to its owning WebXRSystem.
When a session's wrapper lives in one realm but the XRSystem belongs to a
cross-realm iframe (e.g. via XRSystem.prototype.requestSession.call(childXR, ...)),
destroying the iframe can collect the child realm's JSDOMWindow / Navigator /
WebXRSystem while the parent-realm XRSession is still alive. Calling
session.end() then dereferences the stale pointer in shutdown() when it calls
m_xrSystem.sessionEnded(*this).
Fix by changing m_xrSystem from a raw reference to a
WeakPtr<WebXRSystem, WeakPtrImplWithEventTargetData> and guarding the
sessionEnded() call with a null check.
Test: webxr/xr-session-end-after-cross-realm-system-gc.html
* Source/WebCore/Modules/webxr/WebXRSession.h: Change m_xrSystem to WeakPtr.
* Source/WebCore/Modules/webxr/WebXRSession.cpp:
(WebCore::WebXRSession::shutdown): Guard sessionEnded call with a WeakPtr null check.
* LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc.html: Added.
* LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc-expected.txt:
Added.
Identifier: 305413.844@safari-7624-branch
Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.873@webkitglib/2.52
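The commit replaces a raw `WebXRSystem&` with a WeakPtr and null-checks it in shutdown(). The example below is added here and is not WebKit's WebXRSession code: it shows the same guard with `std::weak_ptr` standing in for WebKit's WeakPtr, on hypothetical XrSystem and XrSession classes, including the case where the owner is destroyed before the session is ended.

```cpp
#include <memory>

// Added example, not WebKit's code. The session refers to its owning system
// through a weak pointer, so ending a session after its owner is gone is a
// checked no-op rather than a dereference of freed memory.
class XrSystem {
public:
    void sessionEnded() { ++m_endedSessions; }
    int endedSessions() const { return m_endedSessions; }

private:
    int m_endedSessions = 0;
};

class XrSession {
public:
    explicit XrSession(const std::shared_ptr<XrSystem>& system) : m_system(system) {}

    // Ends the session. Returns true if the owning system was still alive and
    // was notified; false if it had already been destroyed or the session was
    // already ended.
    bool end() {
        if (m_ended)
            return false;
        m_ended = true;
        return shutdown();
    }

private:
    bool shutdown() {
        // Before the fix described above, the equivalent of
        //   m_system.sessionEnded(*this);
        // went through a raw reference. lock() yields null once the owner is gone.
        if (auto system = m_system.lock()) {
            system->sessionEnded();
            return true;
        }
        return false;
    }

    std::weak_ptr<XrSystem> m_system;
    bool m_ended = false;
};

// Owner alive at end(): it is notified exactly once even if end() repeats.
int endedCountWithLiveOwner() {
    auto system = std::make_shared<XrSystem>();
    XrSession session(system);
    session.end();
    session.end(); // second call is ignored
    return system->endedSessions();
}

// Owner destroyed first (the cross-realm case in the commit): end() is safe.
bool endAfterOwnerDestroyedIsNoop() {
    auto system = std::make_shared<XrSystem>();
    XrSession session(system);
    system.reset(); // last strong reference dropped; XrSystem destroyed here
    return session.end() == false;
}
```

The weak pointer only helps if every path that used the raw reference now goes through lock() (or, in WebKit, a null check on the WeakPtr); a single remaining unchecked use keeps the original bug.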
Compare: https://github.com/WebKit/WebKit/compare/4070ba127a8e...c3abddf6a1e0