Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: 2c4dc30626cc1c80f9be8b1a04d0c7117aa6c622
      
https://github.com/WebKit/WebKit/commit/2c4dc30626cc1c80f9be8b1a04d0c7117aa6c622
  Author: Ruthvik Konda <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/create-audio-source-provider-twice-expected.txt
    A LayoutTests/ipc/create-audio-source-provider-twice.html
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp

  Log Message:
  -----------
  Cherry-pick c5c267219314. https://bugs.webkit.org/show_bug.cgi?id=313571

RemoteMediaPlayerProxy::createAudioSourceProvider should reject duplicate IPC
https://bugs.webkit.org/show_bug.cgi?id=313571
rdar://175035393

Reviewed by Eric Carlson.

A well-behaved WebContent process sends CreateAudioSourceProvider at most once per RemoteMediaPlayerProxy.
A second message reaches AudioSourceProviderAVFObjC's setConfigureAudioStorageCallback / setAudioCallback,
which overwrite the callbacks without taking tapStorage->lock while a MediaToolbox thread may be invoking them
under that lock, freeing the captured RemoteAudioSourceProviderProxy mid-use.
Reject the duplicate message with a MESSAGE_CHECK.

* LayoutTests/ipc/create-audio-source-provider-twice-expected.txt: Added.
* LayoutTests/ipc/create-audio-source-provider-twice.html: Added.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerProxy.cpp:
(WebKit::RemoteMediaPlayerProxy::createAudioSourceProvider):

Identifier: 305413.810@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.866@webkitglib/2.52


  Commit: 056433367a17df390898280567467727aaf8aadf
      
https://github.com/WebKit/WebKit/commit/056433367a17df390898280567467727aaf8aadf
  Author: Youenn Fablet <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/fast/mediastream/applyConstraints-with-takePhoto-expected.txt
    A LayoutTests/fast/mediastream/applyConstraints-with-takePhoto.html
    M Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp

  Log Message:
  -----------
  Cherry-pick 207238632262. https://bugs.webkit.org/show_bug.cgi?id=313571

Heap UaF in GPU Process via MediaStreamTrack.clone() + ImageCapture.takePhoto() + applyConstraints()
rdar://176025005

Reviewed by Eric Carlson.

We store constraints in the callback by value instead of reference to make sure that the constraints are valid if the callback is called asynchronously.

Test: fast/mediastream/applyConstraints-with-takePhoto.html

* LayoutTests/fast/mediastream/applyConstraints-with-takePhoto-expected.txt: Added.
* LayoutTests/fast/mediastream/applyConstraints-with-takePhoto.html: Added.
* Source/WebKit/GPUProcess/webrtc/UserMediaCaptureManagerProxy.cpp:

Identifier: 305413.816@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.867@webkitglib/2.52


  Commit: 12bc0eece89c125e3bec8c45a5d9b3fa9b3396d1
      
https://github.com/WebKit/WebKit/commit/12bc0eece89c125e3bec8c45a5d9b3fa9b3396d1
  Author: Jer Noble <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebCore/platform/graphics/MIMETypeCache.cpp
    M Source/WebCore/platform/graphics/MIMETypeCache.h
    M Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.h
    M Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.mm

  Log Message:
  -----------
  Cherry-pick 720a8f0b10ab. https://bugs.webkit.org/show_bug.cgi?id=313842

Data race on MIMETypeCache::m_cachedResults / m_supportedTypes in MIMETypeCache::canDecodeType
rdar://175674693
https://bugs.webkit.org/show_bug.cgi?id=313842

Reviewed by Eric Carlson.

It's unsafe to return a raw reference to an inner data member (without BorrowChecker)
as the underlying object can be mutated or freed leaving a dangling reference. Make two
changes to MIMETypeCache as a result:
- Require a lock be held to access the inner data member variable
- Return a copy of the inner member rather than a reference

* Source/WebCore/platform/graphics/MIMETypeCache.cpp:
(WebCore::MIMETypeCache::supportsContainerType):
(WebCore::MIMETypeCache::canDecodeType):
(WebCore::MIMETypeCache::addSupportedTypes):
(WebCore::MIMETypeCache::getCachedResult const):
(WebCore::MIMETypeCache::addCachedResult):
(WebCore::MIMETypeCache::supportedTypes):
(WebCore::MIMETypeCache::isEmpty const):
* Source/WebCore/platform/graphics/MIMETypeCache.h:
* Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.h:
* Source/WebCore/platform/graphics/avfoundation/objc/AVStreamDataParserMIMETypeCache.mm:
(WebCore::AVStreamDataParserMIMETypeCache::supportedTypes):
(WebCore::AVStreamDataParserMIMETypeCache::canDecodeExtendedType):

Identifier: 305413.822@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.868@webkitglib/2.52
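The two changes the commit message lists (every access to the inner containers takes the lock, and accessors return copies instead of references) are shown below in a hypothetical, self-contained cache. This is an added example, not WebKit's MIMETypeCache; the class name, the `;`-stripping container lookup and the memoisation layout are assumptions made for illustration.

```cpp
#include <cstddef>
#include <mutex>
#include <optional>
#include <string>
#include <unordered_map>
#include <unordered_set>

// Hypothetical cache illustrating the two changes named in the commit message:
// every touch of the inner containers happens under m_lock, and accessors hand
// back copies rather than references into those containers. Not WebKit code.
class TypeCache {
public:
    // Registers a container type as supported (e.g. learned from a platform probe).
    void addSupportedType(const std::string& type)
    {
        std::lock_guard<std::mutex> lock(m_lock);
        m_supportedTypes.insert(type);
        m_cachedResults.erase(type); // a previously cached negative answer is now stale
    }

    // Snapshot of the supported set. Because this is a copy, a later
    // addSupportedType() that rehashes m_supportedTypes cannot leave the
    // caller holding a dangling reference or iterator.
    std::unordered_set<std::string> supportedTypes() const
    {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_supportedTypes;
    }

    // Answers "can this MIME type be decoded?", memoising the result.
    bool canDecodeType(const std::string& type)
    {
        if (auto cached = getCachedResult(type))
            return *cached;
        bool supported = computeSupport(type);
        addCachedResult(type, supported);
        return supported;
    }

    size_t cachedResultCount() const
    {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_cachedResults.size();
    }

private:
    // The value is copied out while the lock is still held; nothing pointing
    // into m_cachedResults escapes this function.
    std::optional<bool> getCachedResult(const std::string& type) const
    {
        std::lock_guard<std::mutex> lock(m_lock);
        auto it = m_cachedResults.find(type);
        if (it == m_cachedResults.end())
            return std::nullopt;
        return it->second;
    }

    void addCachedResult(const std::string& type, bool supported)
    {
        std::lock_guard<std::mutex> lock(m_lock);
        m_cachedResults.insert_or_assign(type, supported);
    }

    // Decides support from the container part of the type ("video/mp4" in
    // "video/mp4; codecs=avc1"). Works on a copy of the set and holds no lock
    // itself, so the lock is never held across this call-out.
    bool computeSupport(const std::string& type) const
    {
        std::string container = type.substr(0, type.find(';'));
        while (!container.empty() && container.back() == ' ')
            container.pop_back();
        return supportedTypes().count(container) > 0;
    }

    mutable std::mutex m_lock;
    std::unordered_set<std::string> m_supportedTypes;
    std::unordered_map<std::string, bool> m_cachedResults;
};
```

The cost of the copy in `supportedTypes()` is the price of the guarantee: a reader on one thread can never observe the set being rehashed by a writer on another, which is the race the commit title describes.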


  Commit: 9b151743c2552a6c6f09875979a3db08711fb7d0
      
https://github.com/WebKit/WebKit/commit/9b151743c2552a6c6f09875979a3db08711fb7d0
  Author: Anand Srinivasan <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp

  Log Message:
  -----------
  Cherry-pick d446d220d636. https://bugs.webkit.org/show_bug.cgi?id=313590

Change IPInt m_pendingOffset to std::optional and add metadata offset overflow assertions
https://bugs.webkit.org/show_bug.cgi?id=313590
rdar://175673870

Reviewed by Dan Hecht.

IPIntControlType::m_pendingOffset was int32_t but stored values from
m_metadata->m_metadata.size(). A function within maxFunctionSize can
generate metadata exceeding INT32_MAX via repeated calls to functions
with large signatures.

Add overflow checks to the 32 bit computations to avoid silently
producing invalid metadata addresses, and change m_pendingOffset to use
std::optional instead of a sentinel value.

A practical test would take too long to include.

* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntGenerator::tryToResolveBranchTarget):
(JSC::Wasm::IPIntGenerator::curPC):
(JSC::Wasm::IPIntGenerator::nextPC):
(JSC::Wasm::IPIntGenerator::curMC):
(JSC::Wasm::IPIntGenerator::checkedDelta):
(JSC::Wasm::IPIntGenerator::coalesceControlFlow):
(JSC::Wasm::IPIntGenerator::resolveEntryTarget):
(JSC::Wasm::IPIntGenerator::resolveExitTarget):
(JSC::Wasm::IPIntGenerator::addLoop):
(JSC::Wasm::IPIntGenerator::addIf):
(JSC::Wasm::IPIntGenerator::addElseToUnreachable):
(JSC::Wasm::IPIntGenerator::addCatchToUnreachable):
(JSC::Wasm::IPIntGenerator::addCatchAllToUnreachable):
(JSC::Wasm::IPIntGenerator::addDelegateToUnreachable):
(JSC::Wasm::IPIntGenerator::addEndToUnreachable):

Identifier: 305413.828@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.869@webkitglib/2.52
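The overflow checks and the sentinel-to-`std::optional` change are illustrated below with hypothetical helpers: a checked narrowing of a buffer size to `int32_t`, a checked signed delta between two offsets, and a control entry whose pending fixup is an `std::optional` rather than an `int32_t` with a magic value. This is an added example, not the IPInt generator's own code; the byte-addressed metadata buffer, the 4-byte little-endian placeholder and the function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical helpers modelled on the commit message; not the IPInt
// generator's own code. The metadata buffer is byte-addressed and branch
// deltas are stored as little-endian int32_t.

// Narrow a buffer offset to int32_t, reporting failure instead of wrapping.
std::optional<int32_t> checkedInt32(size_t value)
{
    if (value > static_cast<size_t>(std::numeric_limits<int32_t>::max()))
        return std::nullopt;
    return static_cast<int32_t>(value);
}

// Signed distance from base to target, or nullopt if it does not fit int32_t.
std::optional<int32_t> checkedDelta(size_t target, size_t base)
{
    constexpr size_t kInt64Max = static_cast<size_t>(std::numeric_limits<int64_t>::max());
    if (target > kInt64Max || base > kInt64Max)
        return std::nullopt;
    int64_t delta = static_cast<int64_t>(target) - static_cast<int64_t>(base);
    if (delta < std::numeric_limits<int32_t>::min() || delta > std::numeric_limits<int32_t>::max())
        return std::nullopt;
    return static_cast<int32_t>(delta);
}

// Control-flow entry. The offset of a not-yet-patched placeholder is held in
// std::optional instead of an int32_t with -1 meaning "none", so "no pending
// fixup" can never collide with a real (or wrapped) offset value.
struct ControlEntry {
    std::optional<uint32_t> pendingOffset;
};

// Reserve 4 placeholder bytes for a branch delta whose target is not known yet.
std::optional<ControlEntry> openBlock(std::vector<uint8_t>& metadata)
{
    auto offset = checkedInt32(metadata.size());
    if (!offset)
        return std::nullopt; // metadata already past INT32_MAX: refuse rather than wrap
    metadata.insert(metadata.end(), 4, 0);
    return ControlEntry { static_cast<uint32_t>(*offset) };
}

// Patch the placeholder with the delta from it to the current end of metadata.
bool closeBlock(ControlEntry& entry, std::vector<uint8_t>& metadata)
{
    if (!entry.pendingOffset)
        return false; // nothing pending: an error, not a write at index -1
    auto delta = checkedDelta(metadata.size(), *entry.pendingOffset);
    if (!delta)
        return false;
    uint32_t bits = static_cast<uint32_t>(*delta);
    for (int i = 0; i < 4; ++i)
        metadata[*entry.pendingOffset + i] = static_cast<uint8_t>(bits >> (8 * i));
    entry.pendingOffset.reset();
    return true;
}
```

Each failure surfaces as `nullopt`/`false` at the point where the 32-bit computation would have silently wrapped, which is the property the commit's assertions enforce.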


  Commit: 6b38672514930d80d3145e7dfb64e98c2f04e187
      
https://github.com/WebKit/WebKit/commit/6b38672514930d80d3145e7dfb64e98c2f04e187
  Author: Brady Eidson <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebBackForwardList.cpp
    M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm

  Log Message:
  -----------
  Cherry-pick 34c25063c9cf. https://bugs.webkit.org/show_bug.cgi?id=313590

Compromised WebContent process can gain arbitrary file URL access by spoofing back/forward list messages
rdar://174512192

Reviewed by Ben Nham and Per Arne Vollan.

Instead of debug-only asserting that an updated item belongs to the process, actually message check it.

Test: Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm

* Source/WebKit/UIProcess/WebBackForwardList.cpp:
(WebKit::WebBackForwardList::backForwardUpdateItem):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(enableIPCTestingAPI):
(TEST(WKBackForwardList, BackForwardUpdateItemRejectsFileURL)):

Identifier: 305413.830@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.870@webkitglib/2.52


  Commit: 52e0da7267e1da16c03edf8238922b5cef67dcdc
      
https://github.com/WebKit/WebKit/commit/52e0da7267e1da16c03edf8238922b5cef67dcdc
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A JSTests/stress/megamorphic-get-by-id-overrides-getter-exception-check.js
    M Source/JavaScriptCore/jit/JITOperations.cpp

  Log Message:
  -----------
  Cherry-pick 6e81451ccd9a. https://bugs.webkit.org/show_bug.cgi?id=314002

[JSC] getByIdMegamorphic needs a throw scope
https://bugs.webkit.org/show_bug.cgi?id=314002
rdar://176129042

Reviewed by Darin Adler, Yijia Huang, and Yusuke Suzuki.

getByIdMegamorphic can trigger user-defined getters, which can throw, and so
needs a throw scope.

Test: JSTests/stress/megamorphic-get-by-id-overrides-getter-exception-check.js

* JSTests/stress/megamorphic-get-by-id-overrides-getter-exception-check.js: Added.
(megamorphicGetById.get obj):
(megamorphicGetById):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::getByIdMegamorphic):

Identifier: 305413.833@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.871@webkitglib/2.52


  Commit: 55aa91bcc82096e6bdeacc1bbd8bff336b62f844
      
https://github.com/WebKit/WebKit/commit/55aa91bcc82096e6bdeacc1bbd8bff336b62f844
  Author: Antoine Quint <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/webanimations/accelerated-animation-suspension-crash-expected.txt
    A LayoutTests/webanimations/accelerated-animation-suspension-crash.html
    M Source/WebCore/animation/AnimationTimelinesController.cpp

  Log Message:
  -----------
  Cherry-pick f0d08798b749. https://bugs.webkit.org/show_bug.cgi?id=313961

[web-animations] use-after-free in AnimationTimelinesController::suspendAnimations: m_timelines rehashes during iteration when DocumentTimeline::suspendAnimations forces layout
https://bugs.webkit.org/show_bug.cgi?id=313961
rdar://175759878

Reviewed by Simon Fraser.

Calling `AnimationTimelinesController::suspendAnimations()` ends up calling
`DocumentTimeline::applyPendingAcceleratedAnimations()` which may trigger
a style recalculation for the targets of accelerated animations.

Such style recalculations may update the animation-to-timeline relationships
due to the `scroll-timeline` and `view-timeline` set of properties. This, in
turn, will cause `AnimationTimelinesController::suspendAnimations()` to have
the list of timelines it iterates over mutate. As such we now make a copy of
that list prior to iteration.

The new test was generated with AI assistance and adapted.

Test: webanimations/accelerated-animation-suspension-crash.html

* LayoutTests/webanimations/accelerated-animation-suspension-crash-expected.txt: Added.
* LayoutTests/webanimations/accelerated-animation-suspension-crash.html: Added.
* Source/WebCore/animation/AnimationTimelinesController.cpp:
(WebCore::AnimationTimelinesController::suspendAnimations):

Identifier: 305413.836@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.872@webkitglib/2.52
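The fix described above (snapshot the container before iterating, because the per-element call can mutate it) is shown below in a hypothetical controller/timeline pair. This is an added example, not WebKit's AnimationTimelinesController; the `std::shared_ptr` ownership, the `setReshufflesOnSuspend` hook standing in for the style recalculation, and the class names are assumptions.

```cpp
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical model of the pattern in the commit message; not WebKit code.
class TimelinesController;

class Timeline : public std::enable_shared_from_this<Timeline> {
public:
    bool suspended() const { return m_suspended; }
    // When set, suspending this timeline re-registers timelines on the
    // controller, standing in for the style recalculation that updates
    // animation-to-timeline relationships in the middle of iteration.
    void setReshufflesOnSuspend(bool value) { m_reshuffles = value; }
    void suspend(TimelinesController&);

private:
    bool m_suspended = false;
    bool m_reshuffles = false;
};

class TimelinesController {
public:
    std::shared_ptr<Timeline> addTimeline()
    {
        auto timeline = std::make_shared<Timeline>();
        m_timelines.insert(timeline);
        return timeline;
    }
    void removeTimeline(const std::shared_ptr<Timeline>& timeline) { m_timelines.erase(timeline); }
    size_t timelineCount() const { return m_timelines.size(); }

    // Iterating m_timelines directly is undefined behaviour as soon as
    // suspend() inserts into or erases from the set (a rehash moves every
    // element). Snapshot first: the vector is immune to those mutations, and
    // the shared_ptr copies keep each timeline alive until we are done with
    // it even if suspend() removed it from the controller.
    size_t suspendAnimations()
    {
        std::vector<std::shared_ptr<Timeline>> snapshot(m_timelines.begin(), m_timelines.end());
        for (const auto& timeline : snapshot)
            timeline->suspend(*this);
        return snapshot.size();
    }

private:
    std::unordered_set<std::shared_ptr<Timeline>> m_timelines;
};

void Timeline::suspend(TimelinesController& controller)
{
    m_suspended = true;
    if (!m_reshuffles)
        return;
    m_reshuffles = false;
    // Enough insertions to force a rehash of the controller's set, then drop
    // this timeline from it; either would invalidate a live iterator.
    for (int i = 0; i < 16; ++i)
        controller.addTimeline();
    controller.removeTimeline(shared_from_this());
}
```

Timelines added during the sweep are deliberately not visited in the same pass; they were not part of the set when suspension began, which matches what iterating a copy gives you.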


  Commit: c3abddf6a1e00ff47696d34682811506326cbc9d
      
https://github.com/WebKit/WebKit/commit/c3abddf6a1e00ff47696d34682811506326cbc9d
  Author: Dan Glastonbury <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc-expected.txt
    A LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc.html
    M Source/WebCore/Modules/webxr/WebXRSession.cpp
    M Source/WebCore/Modules/webxr/WebXRSession.h

  Log Message:
  -----------
  Cherry-pick 99867d817a6d. https://bugs.webkit.org/show_bug.cgi?id=313961

[WebXR] Use-after-free when ending an XRSession whose owning WebXRSystem has been garbage collected
rdar://175674872

Reviewed by REVIEWER.

WebXRSession held a raw reference (WebXRSystem&) to its owning WebXRSystem.
When a session's wrapper lives in one realm but the XRSystem belongs to a
cross-realm iframe (e.g. via XRSystem.prototype.requestSession.call(childXR, ...)),
destroying the iframe can collect the child realm's JSDOMWindow / Navigator /
WebXRSystem while the parent-realm XRSession is still alive. Calling
session.end() then dereferences the stale pointer in shutdown() when it calls
m_xrSystem.sessionEnded(*this).

Fix by changing m_xrSystem from a raw reference to a
WeakPtr<WebXRSystem, WeakPtrImplWithEventTargetData> and guarding the
sessionEnded() call with a null check.

Test: webxr/xr-session-end-after-cross-realm-system-gc.html

* Source/WebCore/Modules/webxr/WebXRSession.h: Change m_xrSystem to WeakPtr.
* Source/WebCore/Modules/webxr/WebXRSession.cpp:
(WebCore::WebXRSession::shutdown): Guard sessionEnded call with a WeakPtr null check.
* LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc.html: Added.
* LayoutTests/webxr/xr-session-end-after-cross-realm-system-gc-expected.txt: Added.

Identifier: 305413.844@safari-7624-branch

Identifier: [email protected]
Canonical link: https://commits.webkit.org/305877.873@webkitglib/2.52
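The ownership change in this commit (raw reference to the owner replaced by a weak pointer, with a null check before the call back into the owner) is illustrated below using `std::weak_ptr` in place of WebKit's `WeakPtr`. This is an added example, not WebKit's WebXRSession; `std::shared_ptr` ownership of the system, the `endedCount` bookkeeping and the class names are assumptions, and `system.reset()` stands in for the realm being garbage collected.

```cpp
#include <memory>

// Hypothetical model of the fix; not WebKit code. std::weak_ptr plays the role
// of WebKit's WeakPtr<WebXRSystem, WeakPtrImplWithEventTargetData>.
class XRSession;

class XRSystem : public std::enable_shared_from_this<XRSystem> {
public:
    std::shared_ptr<XRSession> requestSession();
    void sessionEnded(XRSession&) { ++m_endedCount; }
    int endedCount() const { return m_endedCount; }

private:
    int m_endedCount = 0;
};

class XRSession {
public:
    explicit XRSession(std::weak_ptr<XRSystem> system)
        : m_xrSystem(std::move(system)) { }

    // Returns true if the owning system was still alive and was notified,
    // false if the session had already ended or its system is gone.
    bool end()
    {
        if (m_ended)
            return false;
        m_ended = true;
        return shutdown();
    }

private:
    bool shutdown()
    {
        // With a raw reference this would touch freed memory once the owning
        // realm has been collected. Locking the weak pointer yields either a
        // live owner, kept alive for the duration of the call, or null.
        if (auto system = m_xrSystem.lock()) {
            system->sessionEnded(*this);
            return true;
        }
        return false;
    }

    std::weak_ptr<XRSystem> m_xrSystem;
    bool m_ended = false;
};

std::shared_ptr<XRSession> XRSystem::requestSession()
{
    // The session never owns its system; it only observes it.
    return std::make_shared<XRSession>(weak_from_this());
}
```

The session deliberately does not hold a strong reference: that would keep the child realm's system alive from the parent realm and change lifetime semantics, whereas a weak pointer only makes the existing lifetime observable safely.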


Compare: https://github.com/WebKit/WebKit/compare/4070ba127a8e...c3abddf6a1e0
