Branch: refs/heads/webkitglib/2.48
Home: https://github.com/WebKit/WebKit
Commit: d7fbe50cbcb3887731aced7762b472937bf35e49
https://github.com/WebKit/WebKit/commit/d7fbe50cbcb3887731aced7762b472937bf35e49
Author: Michael Catanzaro <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
Log Message:
-----------
Suppress -Wunused-private-field warning in WasmTypeDefinition.h
Unreviewed stable branch commit.
This appears to be an LLVM bug, since the field is definitely used. The
bug does not occur on the main branch, so no sense in thinking too much
about it.
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
Commit: a82e29688153935b81e08fd0554b32a6d4422475
https://github.com/WebKit/WebKit/commit/a82e29688153935b81e08fd0554b32a6d4422475
Author: Chris Dumez <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp
M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp
M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.h
Log Message:
-----------
Cherry-pick 283286.613@safari-7620-branch (5b3e0da4e98b).
https://bugs.webkit.org/show_bug.cgi?id=285853
[Hardening] Validate transaction type on release builds in MemoryIDBBackingStore.cpp
https://bugs.webkit.org/show_bug.cgi?id=285853
rdar://142170053
Reviewed by Sihui Liu.
Validate transaction type on release builds in MemoryIDBBackingStore.cpp since IPC sent by a compromised WebProcess could cause this to happen, which would lead to corruption.
* Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp:
(WebCore::IDBServer::MemoryIDBBackingStore::createObjectStore):
(WebCore::IDBServer::MemoryIDBBackingStore::deleteObjectStore):
(WebCore::IDBServer::MemoryIDBBackingStore::renameObjectStore):
(WebCore::IDBServer::MemoryIDBBackingStore::createIndex):
(WebCore::IDBServer::MemoryIDBBackingStore::deleteIndex):
(WebCore::IDBServer::MemoryIDBBackingStore::renameIndex):
* Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabaseTransaction.cpp:
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::createObjectStore):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::deleteObjectStore):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::renameObjectStore):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::createIndex):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::deleteIndex):
(WebCore::IDBServer::UniqueIDBDatabaseTransaction::renameIndex):
* Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
(WebKit::NetworkStorageManager::createIndex):
(WebKit::NetworkStorageManager::deleteIndex):
(WebKit::NetworkStorageManager::renameIndex):
Canonical link: https://commits.webkit.org/283286.613@safari-7620-branch
Canonical link: https://commits.webkit.org/289651.17@safari-7621-branch
Commit: 283d3b87e584de87b7391e47818ccea0f1bd90fd
https://github.com/WebKit/WebKit/commit/283d3b87e584de87b7391e47818ccea0f1bd90fd
Author: Keith Miller <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
A JSTests/wasm/stress/js-to-wasm-calls-wrong-memory-mode.js
M Source/JavaScriptCore/interpreter/CalleeBits.h
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/llint/WebAssembly.asm
M Source/JavaScriptCore/offlineasm/arm64.rb
M Source/JavaScriptCore/offlineasm/cloop.rb
M Source/JavaScriptCore/offlineasm/instructions.rb
M Source/JavaScriptCore/offlineasm/x86.rb
M Source/JavaScriptCore/runtime/NativeCallee.h
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
M Source/JavaScriptCore/wasm/WasmFormat.h
M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
M Source/JavaScriptCore/wasm/WasmMemory.cpp
M Source/JavaScriptCore/wasm/WasmMemory.h
M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.h
M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
Log Message:
-----------
Cherry-pick 289651.47@safari-7621-branch (8f74b8980eba).
https://bugs.webkit.org/show_bug.cgi?id=286946
JSToWasm non-IC entrypoints should load the entry point the same way as the IC.
https://bugs.webkit.org/show_bug.cgi?id=286946
rdar://143456523
Reviewed by Yusuke Suzuki.
Right now when we tier up a function to BBQ/OMG we set the JSEntrypointCallee's entrypoint to the prologue of the newly compiled code. This is wrong because we share JSEntrypointCallee between BoundsChecking and Signaling instances. This means if we tier up a Signaling instance we could inadvertently call the Signaling code from a BoundsChecking instance.
To fix this the interpreted/shared JIT JSToWasm entrypoints now do the same logic as the inline cache entrypoint and load the callee's entrypoint from the indirect location. This means we need to keep the JS WebAssemblyFunction until we're basically ready to call into wasm.
Finally, since there are basically no scratches left I added a BoxedNativeCalleePtrTraits so the Ref<> of the target Callee can be saved as a boxed pointer rather than as a raw pointer. So now we no longer need to box the callee at runtime.
* Source/JavaScriptCore/interpreter/CalleeBits.h:
(JSC::CalleeBits::CalleeBits):
(JSC::CalleeBits::operator=):
(JSC::CalleeBits::operator bool const):
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/offlineasm/arm64.rb:
* Source/JavaScriptCore/offlineasm/cloop.rb:
* Source/JavaScriptCore/offlineasm/instructions.rb:
* Source/JavaScriptCore/offlineasm/x86.rb:
* Source/JavaScriptCore/runtime/NativeCallee.h:
(JSC::BoxedNativeCalleePtrTraits::unwrap):
(JSC::BoxedNativeCalleePtrTraits::exchange):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunction):
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::JSEntrypointCallee::JSEntrypointCallee):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::isBBQCalleeFromThisGroup const):
(JSC::Wasm::CalleeGroup::updateCallsitesToCallUs):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.h:
* Source/JavaScriptCore/wasm/WasmFormat.h:
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::jitCompileAndSetHeuristics):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmJITShared):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::initElementSegment):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
(JSC::m_frameSize):
(): Deleted.
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::initializeExports):
Canonical link: https://commits.webkit.org/289651.47@safari-7621-branch
Commit: 943d0ab40164ca814541c434135d321b1146d1e7
https://github.com/WebKit/WebKit/commit/943d0ab40164ca814541c434135d321b1146d1e7
Author: Daniel Liu <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/yarr/YarrParser.h
M Source/JavaScriptCore/yarr/YarrPattern.cpp
M Source/JavaScriptCore/yarr/YarrSyntaxChecker.cpp
M Source/WebCore/contentextensions/URLFilterParser.cpp
Log Message:
-----------
Cherry-pick 289651.81@safari-7621-branch (84bb07bd2a22).
https://bugs.webkit.org/show_bug.cgi?id=287185
Allow YarrParser delegates to terminate the parser upon reaching an error
https://bugs.webkit.org/show_bug.cgi?id=287185
rdar://144252733
Reviewed by Mark Lam.
When a syntax error occurs in YarrPatternConstructor, there are cases
where the pattern constructor does not properly add terms to the
disjunction, since the pattern is invalid. Thus, we should terminate
pattern construction to avoid transformations on bad internal state.
* Source/JavaScriptCore/yarr/YarrParser.h:
(JSC::Yarr::Parser::parseTokens):
(JSC::Yarr::Parser::parse):
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::CharacterClassConstructor::hasInvertedStrings):
(JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
(JSC::Yarr::YarrPatternConstructor::copyDisjunction):
(JSC::Yarr::YarrPatternConstructor::abortedDueToError const):
(JSC::Yarr::CharacterClassConstructor::hasInverteStrings): Deleted.
* Source/JavaScriptCore/yarr/YarrSyntaxChecker.cpp:
(JSC::Yarr::SyntaxChecker::abortedDueToError):
* Source/WebCore/contentextensions/URLFilterParser.cpp:
(WebCore::ContentExtensions::PatternParser::abortedDueToError):
Canonical link: https://commits.webkit.org/289651.81@safari-7621-branch
Commit: 80fc85dcfbc994e312c3ba307019549e209354c6
https://github.com/WebKit/WebKit/commit/80fc85dcfbc994e312c3ba307019549e209354c6
Author: Claudio Saavedra <[email protected]>
Date: 2025-04-01 (Tue, 01 Apr 2025)
Changed paths:
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
Log Message:
-----------
Cherry-pick [email protected] (d3ca3297d8b8).
https://bugs.webkit.org/show_bug.cgi?id=286835
ASAN_TRAP | JSArrayBufferView::ConstructionContext::ConstructionContext;
JSC::JSGenericTypedArrayView::create; JSC::GenericTypedArrayView::wrapImpl
https://bugs.webkit.org/show_bug.cgi?id=286835
Reviewed by Keith Miller.
Follow-up fix to [email protected]. Instead of modifying
the create() method, let's add a tryCreate() instead and use it when
calling wrapImpl() to wrap an impl array, to preserve the invariant from
the original method.
This partly reverts the changes in [email protected] to
preserve the invariant for other callers.
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::wrapImpl):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
(JSC::JSGenericTypedArrayView<Adaptor>::tryCreate):
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):
Canonical link: https://commits.webkit.org/[email protected]
Canonical link: https://commits.webkit.org/289651.200@safari-7621-branch
Compare: https://github.com/WebKit/WebKit/compare/2569e17b04b3...80fc85dcfbc9
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes