Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fcd2a8fc20dda5aaffe1890887462daa3048c950
https://github.com/WebKit/WebKit/commit/fcd2a8fc20dda5aaffe1890887462daa3048c950
Author: Yijia Huang <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
A JSTests/stress/loop-unrolling-multi-get-and-put-by-offset.js
M Source/JavaScriptCore/dfg/DFGCloneHelper.cpp
M Source/JavaScriptCore/dfg/DFGCloneHelper.h
Log Message:
-----------
[JSC] Fix DFG node cloning to properly copy mutable data structures
rdar://160593174
https://bugs.webkit.org/show_bug.cgi?id=298851
Reviewed by Yusuke Suzuki.
The DFG clone helper was incorrectly sharing mutable data structures between
original and cloned nodes during loop unrolling optimizations. This caused
inconsistent state when subsequent optimization phases modified the shared data.
This patch ensures that nodes with mutable data structures are properly cloned
with independent copies of their associated data.
Originally-landed-as: 297297.428@safari-7622-branch (0369cf4f5755).
rdar://164213886
Canonical link: https://commits.webkit.org/302915@main
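The failure mode the commit above describes, modelled in C++ as an added example (this is not WebKit code; Node, MultiGetByOffsetData, cloneShallow, cloneDeep and narrowCases are hypothetical stand-ins chosen for illustration, not JSC's actual types or helpers): a node owns mutable per-node metadata through a pointer, a shallow clone copies only the pointer, and a later pass that narrows the clone's metadata in place silently rewrites the original's as well. The deep clone gives the copy its own payload.

```cpp
// Added example, not WebKit code. Names are hypothetical stand-ins for the
// kind of per-node mutable data the DFG clone helper has to duplicate.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical mutable payload attached to a node, e.g. a list of cases.
struct MultiGetByOffsetData {
    std::vector<uint32_t> cases;
};

struct Node {
    uint32_t op = 0;
    std::shared_ptr<MultiGetByOffsetData> data; // per-node metadata
};

// Buggy clone: copies the pointer, so original and clone alias one payload.
Node cloneShallow(const Node& original)
{
    Node clone;
    clone.op = original.op;
    clone.data = original.data;
    return clone;
}

// Fixed clone: the clone gets an independent copy of the payload.
Node cloneDeep(const Node& original)
{
    Node clone;
    clone.op = original.op;
    if (original.data)
        clone.data = std::make_shared<MultiGetByOffsetData>(*original.data);
    return clone;
}

// A later "optimization phase" that narrows a node's case list in place.
void narrowCases(Node& node, uint32_t keepOnly)
{
    auto& cases = node.data->cases;
    cases.erase(std::remove_if(cases.begin(), cases.end(),
                               [&](uint32_t c) { return c != keepOnly; }),
                cases.end());
}

// Clones a node with the given strategy, narrows only the clone, and reports
// how many cases the ORIGINAL still has afterwards (3 if unaffected).
size_t casesLeftInOriginalAfter(Node (*cloneFn)(const Node&))
{
    Node original;
    original.op = 1;
    original.data = std::make_shared<MultiGetByOffsetData>();
    original.data->cases = { 8, 16, 24 }; // constructed sample input

    Node peeled = cloneFn(original); // e.g. an unrolled copy of a loop body
    narrowCases(peeled, 16);         // later phase mutates the clone only

    return original.data->cases.size();
}

int main()
{
    std::printf("shallow clone: %zu cases left in original (expected 3)\n",
                casesLeftInOriginalAfter(cloneShallow));
    std::printf("deep clone:    %zu cases left in original (expected 3)\n",
                casesLeftInOriginalAfter(cloneDeep));
    return 0;
}
```

With the shallow clone the original is left with a single case after the clone is narrowed, which is exactly the "inconsistent state when subsequent optimization phases modified the shared data" the commit message refers to; with the deep clone the original keeps all three.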
Commit: 4ec6fc4dac06f56cabb9e18445aaa48a68a6a9b5
https://github.com/WebKit/WebKit/commit/4ec6fc4dac06f56cabb9e18445aaa48a68a6a9b5
Author: David Kilzer <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
M Source/WebCore/platform/sql/SQLiteDatabase.cpp
Log Message:
-----------
Network process crash due to environment variable race in
libsystem_coreservices.dylib: _dirhelper_update_tmpdir
<https://bugs.webkit.org/show_bug.cgi?id=299218>
<rdar://160718740>
Reviewed by Per Arne Vollan and Darin Adler.
* Source/WebCore/platform/sql/SQLiteDatabase.cpp:
(WebCore::initializeSQLiteIfNecessary):
- Ensure that sqlite3_initialize() is called from the main thread to
avoid race conditions.
Originally-landed-as: 297297.445@safari-7622-branch (9acf4b8eff51).
rdar://164213590
Canonical link: https://commits.webkit.org/302916@main
Commit: 644a1faac1c53d8918c77d284c667c1ecb4e2b5e
https://github.com/WebKit/WebKit/commit/644a1faac1c53d8918c77d284c667c1ecb4e2b5e
Author: Youenn Fablet <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encodeframe.c
M Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_pickmode.c
Log Message:
-----------
Potential 'overflow' issue committed to upstream libwebrtc
rdar://159773684
Reviewed by Jean-Yves Avenard.
Cherry-picking of
https://github.com/webmproject/libvpx/commit/ba9dad15b83f791773452bc4889102cbdda50605
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/test/encode_api_test.cc:
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c:
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_encodeframe.c:
(choose_partitioning):
* Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp9/encoder/vp9_pickmode.c:
(vp9_pick_intra_mode):
Originally-landed-as: 297297.446@safari-7622-branch (010e247adf52).
rdar://164213400
Canonical link: https://commits.webkit.org/302917@main
Commit: 413ed42394edad7c9ad55be6a842654448478525
https://github.com/WebKit/WebKit/commit/413ed42394edad7c9ad55be6a842654448478525
Author: Yusuke Suzuki <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
A JSTests/stress/dfg-proto-fold-invalidate.js
A JSTests/stress/dfg-proto-fold-invalidate2.js
M Source/JavaScriptCore/bytecode/GetByStatus.cpp
Log Message:
-----------
[JSC] DFG compiler-side concurrent prototype access folding needs to validate ObjectConditionSet
https://bugs.webkit.org/show_bug.cgi?id=299307
rdar://154481123
Reviewed by Yijia Huang.
DFG does concurrent prototype access folding. Before calling
generateConditionsForPrototypePropertyHitConcurrently, DFG does its own
lookup to avoid installing watchpoints for non-beneficial cases
(generateConditionsForPrototypePropertyHitConcurrently is just creating an
ObjectConditionSet, so in most cases it succeeds regardless). But this lookup
and generateConditionsForPrototypePropertyHitConcurrently are different, so we
should validate the output of
generateConditionsForPrototypePropertyHitConcurrently after calling it, since
generateConditionsForPrototypePropertyHitConcurrently may return some weird
ObjectConditionSet because of the concurrent mutator. If the
ObjectConditionSet is weird, installing it means we will ensure that
condition, but that does not mean that it can be used for prototype folding.
So we should check whether the resulting ObjectConditionSet meets the
criteria we would like to guarantee for prototype folding.
In this case, it is not necessary to strictly align the ObjectConditionSet
with what we saw in the first lookup. What we must ensure is that the output
meets some critical criteria. If they are met, then it is fine.
This patch adds these checks after ObjectConditionSet is created.
* JSTests/stress/dfg-proto-fold-invalidate.js: Added.
(opt):
(main):
* JSTests/stress/dfg-proto-fold-invalidate2.js: Added.
(opt):
(watchCalleeProperty):
(async sleep):
(createClonedArguments):
(async main):
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFor):
Originally-landed-as: 297297.455@safari-7622-branch (fb078f3ea09e).
rdar://164213241
Canonical link: https://commits.webkit.org/302918@main
Commit: a8249e0ac40ba0fb33295f124f97d8604af864dc
https://github.com/WebKit/WebKit/commit/a8249e0ac40ba0fb33295f124f97d8604af864dc
Author: Aleksei Marchenko <[email protected]>
Date: 2025-11-12 (Wed, 12 Nov 2025)
Changed paths:
M Source/WebKit/ModelProcess/cocoa/ModelProcessModelPlayerProxy.mm
Log Message:
-----------
Fix crashing with UAF while setting IBL's memory attribution
https://bugs.webkit.org/show_bug.cgi?id=299304
rdar://160676142
Reviewed by Ada Chan and Mike Wyrzykowski.
The change guarantees that attributionIDString outlives all
REAssetSetMemoryAttributionTarget calls.
* Source/WebKit/ModelProcess/cocoa/ModelProcessModelPlayerProxy.mm:
(WebKit::setIBLAssetOwnership):
Originally-landed-as: 297297.457@safari-7622-branch (966231bb9c2e).
rdar://164213100
Canonical link: https://commits.webkit.org/302919@main
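The lifetime bug class behind the commit above, as an added example in C++ (not WebKit code; the commit does not show the original code, so AttributionString, setMemoryAttributionTarget and the asset names are hypothetical stand-ins, and the real REAssetSetMemoryAttributionTarget signature is not assumed). A C-style API borrows a `const char*` for the duration of each call; if that pointer was taken from a temporary string that has already been destroyed, every call reads freed memory. To keep the example deterministic instead of dereferencing freed memory, the stand-in API checks a liveness registry and reports how many calls would have read a live buffer.

```cpp
// Added example, not WebKit code. Models "the id string must outlive every
// call that borrows its buffer" without actually touching freed memory.
#include <cstdio>
#include <cstring>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of c_str() buffers whose owning string is still alive.
static std::set<const char*> g_liveBuffers;

// RAII string whose buffer a C-style API may borrow. Registers the buffer on
// construction and unregisters it on destruction. Non-copyable so the
// registered pointer never changes behind the registry's back.
class AttributionString {
public:
    explicit AttributionString(std::string value)
        : m_value(std::move(value))
    {
        g_liveBuffers.insert(m_value.c_str());
    }
    ~AttributionString() { g_liveBuffers.erase(m_value.c_str()); }
    AttributionString(const AttributionString&) = delete;
    AttributionString& operator=(const AttributionString&) = delete;
    const char* data() const { return m_value.c_str(); }

private:
    std::string m_value;
};

// Hypothetical stand-in for the borrowing C API: reads `id` during the call.
// Returns false where the real call would have read a freed buffer.
bool setMemoryAttributionTarget(const char* assetName, const char* id)
{
    (void)assetName;
    if (!g_liveBuffers.count(id))
        return false;              // dangling: would be a use-after-free
    return std::strlen(id) > 0;    // safe to read only once known live
}

// Buggy: the pointer is taken from a temporary that dies at the end of the
// declaration statement, before any of the calls that use it.
int attributeAssetsBuggy(const std::vector<std::string>& assets)
{
    const char* id = AttributionString("com.example.model-owner").data();
    int ok = 0;
    for (const auto& asset : assets)
        ok += setMemoryAttributionTarget(asset.c_str(), id);
    return ok; // 0: every call saw a dangling pointer
}

// Fixed: attributionIDString is a named local that lives across the whole
// loop, so it outlives every call that borrows its buffer.
int attributeAssetsFixed(const std::vector<std::string>& assets)
{
    AttributionString attributionIDString("com.example.model-owner");
    int ok = 0;
    for (const auto& asset : assets)
        ok += setMemoryAttributionTarget(asset.c_str(), attributionIDString.data());
    return ok; // assets.size(): every call saw a live buffer
}

int main()
{
    const std::vector<std::string> assets = { "ibl-0", "ibl-1", "ibl-2" }; // constructed
    std::printf("buggy: %d of %zu calls safe\n", attributeAssetsBuggy(assets), assets.size());
    std::printf("fixed: %d of %zu calls safe\n", attributeAssetsFixed(assets), assets.size());
    return 0;
}
```

In real code the buggy form is the one AddressSanitizer reports as a stack- or heap-use-after-free at the first borrowing call; the fix is purely a scoping change, which is what the commit message describes.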
Compare: https://github.com/WebKit/WebKit/compare/0b65fe084bed...a8249e0ac40b