Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 152a5a7fcd1057411f5f1d8f9ca7f99271c3905e
https://github.com/WebKit/WebKit/commit/152a5a7fcd1057411f5f1d8f9ca7f99271c3905e
Author: Aditya Keerthi <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
M Source/WebKit/UIProcess/Cocoa/WKShareSheet.mm
Log Message:
-----------
[Cocoa] Fix thread safety issues with the Web Share API
https://bugs.webkit.org/show_bug.cgi?id=298063
rdar://159066364
Reviewed by Abrar Rahman Protyasha and Ryosuke Niwa.
Ensure use of `UIActivityItemProvider` and `NSPreviewRepresentingActivityItem`
happens only on the main thread. These APIs are not thread-safe.
* Source/WebKit/UIProcess/Cocoa/WKShareSheet.mm:
(appendFilesAsShareableURLs):
Make a slight behavior change to avoid `nil`-ing out the entire share
data array if an item for a file could not be successfully created. In this
scenario, the title/text/URL can still be shared.
Originally-landed-as: 297297.358@safari-7622-branch (60e047dee492).
rdar://164278361
Canonical link: https://commits.webkit.org/302880@main
Commit: 1e419fbe0c7af1486200ee8d2feaefc13ebd53bb
https://github.com/WebKit/WebKit/commit/1e419fbe0c7af1486200ee8d2feaefc13ebd53bb
Author: Daniel Liu <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
M Source/JavaScriptCore/b3/B3WasmBoundsCheckValue.cpp
M Source/JavaScriptCore/b3/B3WasmBoundsCheckValue.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
OMG Wasm memory access should emit a full 64-bit immediate
https://bugs.webkit.org/show_bug.cgi?id=298129
rdar://159439036
Reviewed by Yusuke Suzuki.
Previously, OMG computed memory indices using a 32-bit integer, which could overflow at higher offsets. We switch this over to a 64-bit integer, allowing us to avoid any overflow conditions.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitCheckAndPreparePointer):
Originally-landed-as: 297297.360@safari-7622-branch (f5ded472170d).
rdar://164278368
Canonical link: https://commits.webkit.org/302881@main
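The bug class described in the commit message above, as an added C illustration that is not WebKit or JavaScriptCore code: a bounds check whose effective address is computed in 32-bit arithmetic wraps for a large index plus static offset and admits an access that lies far outside linear memory, while the same check carried out in 64-bit arithmetic rejects it. The function names, the address formula (index + offset + access size compared against the memory size) and the sample values are constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not JSC code): a wasm memory access reads
 * [index + offset, index + offset + access_size) and is in bounds only if
 * that whole range lies below memory_size. */

/* 32-bit variant: both additions wrap modulo 2^32, so a huge index can
 * fold back to a small effective address and pass the comparison. */
static bool in_bounds_narrow(uint32_t index, uint32_t offset,
                             uint32_t access_size, uint64_t memory_size)
{
    uint32_t effective = index + offset;      /* may wrap */
    uint32_t end = effective + access_size;   /* may wrap again */
    return (uint64_t)end <= memory_size;
}

/* 64-bit variant: every operand is widened before adding, so the sum of
 * three 32-bit values (at most ~2^34) cannot wrap and the comparison sees
 * the true end address. */
static bool in_bounds_wide(uint32_t index, uint32_t offset,
                           uint32_t access_size, uint64_t memory_size)
{
    uint64_t effective = (uint64_t)index + (uint64_t)offset;
    uint64_t end = effective + (uint64_t)access_size;
    return end <= memory_size;
}

int main(void)
{
    /* Constructed inputs: one wasm page of memory, an index near 2^32 and a
     * small static offset that pushes the address past the 32-bit limit. */
    const uint64_t memory_size = 65536;
    const uint32_t index = 0xFFFFFFF0u, offset = 0x20u, access_size = 4u;

    printf("narrow check admits access: %s\n",
           in_bounds_narrow(index, offset, access_size, memory_size) ? "yes" : "no");
    printf("wide check admits access:   %s\n",
           in_bounds_wide(index, offset, access_size, memory_size) ? "yes" : "no");
    return 0;
}
```

The wide variant also agrees with the narrow one on ordinary in-range accesses, so widening the arithmetic changes only the wrapped cases.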
Commit: 78b31d59089f6578e9bac67c8101220b6b19bcdb
https://github.com/WebKit/WebKit/commit/78b31d59089f6578e9bac67c8101220b6b19bcdb
Author: Daniel Liu <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Log Message:
-----------
DFG Constant Folding should ignore results of blocks which CFA has marked unreachable
https://bugs.webkit.org/show_bug.cgi?id=298126
rdar://158662405
Reviewed by Yusuke Suzuki.
DFG's constant folding pass included value result information from blocks which were found to be unreachable through control flow analysis. This could lead to weaker type guarantees during further analysis.
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
Originally-landed-as: 297297.362@safari-7622-branch (cb6fcc0b908c).
rdar://164278150
Canonical link: https://commits.webkit.org/302882@main
Commit: a339ef586913358995ac59b24dfb947ba7029e6a
https://github.com/WebKit/WebKit/commit/a339ef586913358995ac59b24dfb947ba7029e6a
Author: Antoine Quint <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/webanimations/null-timeline-crash-expected.txt
A LayoutTests/webanimations/null-timeline-crash.html
M Source/WebCore/animation/ElementAnimationRareData.cpp
M Source/WebCore/animation/KeyframeEffect.cpp
M Source/WebCore/animation/KeyframeEffect.h
Log Message:
-----------
ASAN_ILL | WebCore::KeyframeEffectStack::allowsAcceleration; WebCore::KeyframeEffectStack::removeEffect; WebCore::KeyframeEffect::updateEffectStackMembership
https://bugs.webkit.org/show_bug.cgi?id=298317
rdar://157023038
Reviewed by Cameron McCormack.
When a document is torn down, we call into `AnimationTimelinesController::detachFromDocument()` which will call `AnimationTimeline::detachFromDocument()` for each known timeline and then `WebAnimation::remove()` for each animation associated with that timeline. This will eventually disassociate animation effects from the `KeyframeEffectStack` of their target, ensuring there are no null references in the stack's list of effects.

However, with the advent of scroll-driven animations, an animation's timeline may be set to null, which will not perform such a disassociation since that animation may remain "relevant" [0]. However, since the cleanup described above occurs for animations associated with a timeline, such timeline-less animations will not be processed and thus it's possible that an effect is destroyed but a (weak) reference remains in the effect stack.

To address this issue, we add logic in the `KeyframeEffect` destructor to remove itself from any associated effect stack, and add an assertion that it is indeed no longer in that stack. Additionally, we now check in the `ElementAnimationRareData` destructor that it no longer has an effect stack or that the stack is empty.
[0] https://drafts.csswg.org/web-animations-1/#relevant-animations-section
* LayoutTests/webanimations/null-timeline-crash-expected.txt: Added.
* LayoutTests/webanimations/null-timeline-crash.html: Added.
* Source/WebCore/animation/ElementAnimationRareData.cpp:
(WebCore::ElementAnimationRareData::~ElementAnimationRareData):
* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::~KeyframeEffect):
* Source/WebCore/animation/KeyframeEffect.h:
Originally-landed-as: 297297.371@safari-7622-branch (02618abc17c4).
rdar://164278044
Canonical link: https://commits.webkit.org/302883@main
Commit: a179b3a3ac1bac852fae28f1d2d28e1c88d611de
https://github.com/WebKit/WebKit/commit/a179b3a3ac1bac852fae28f1d2d28e1c88d611de
Author: Antti Koivisto <[email protected]>
Date: 2025-11-11 (Tue, 11 Nov 2025)
Changed paths:
A LayoutTests/fast/css/custom-properties/registered-custom-property-revert-layer-crash-expected.txt
A LayoutTests/fast/css/custom-properties/registered-custom-property-revert-layer-crash.html
M Source/WebCore/style/StyleBuilder.cpp
Log Message:
-----------
Registered properties and revert-layer may dereference disengaged std::optional
https://bugs.webkit.org/show_bug.cgi?id=298314
rdar://157023648
Reviewed by Alan Baradlay.
* LayoutTests/fast/css/custom-properties/registered-custom-property-revert-layer-crash-expected.txt: Added.
* LayoutTests/fast/css/custom-properties/registered-custom-property-revert-layer-crash.html: Added.
* Source/WebCore/style/StyleBuilder.cpp:
(WebCore::Style::Builder::applyRollbackCascadeCustomProperty):
With registered properties custom property resolution may fail. Return
guaranteed-invalid value in this case.
Originally-landed-as: 297297.373@safari-7622-branch (3800cebd8f22).
rdar://164277929
Canonical link: https://commits.webkit.org/302884@main
Compare: https://github.com/WebKit/WebKit/compare/9aa9b62d542c...a179b3a3ac1b