Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 0a89d29cfa1eeefe6d17cc097ab3f5414d1d330b
https://github.com/WebKit/WebKit/commit/0a89d29cfa1eeefe6d17cc097ab3f5414d1d330b
Author: David Kilzer <[email protected]>
Date: 2026-02-03 (Tue, 03 Feb 2026)
Changed paths:
M Source/WebCore/loader/ContentFilter.cpp
M Source/WebCore/loader/ContentFilter.h
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentLoader.h
M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
M Source/WebKit/NetworkProcess/NetworkResourceLoader.h
Log Message:
-----------
Cherry-pick 306652@main (4c8d209dd76f).
https://bugs.webkit.org/show_bug.cgi?id=306402
CheckedPtr crash in NetworkResourceLoader::contentFilterDidBlock() when ContentFilter is deleted during delayed async callback
<https://bugs.webkit.org/show_bug.cgi?id=306402>
<rdar://165364915>
Reviewed by Per Arne Vollan and Chris Dumez.
Fix the crash by converting WebCore::ContentFilter from
CheckedPtr/WeakPtr to RefPtr so that the lifetime of the object can be
kept through callbacks.
Change WeakRef<ContentFilterClient> to WeakPtr<ContentFilterClient> as
well.
An attempt to construct a test was made, but it required changes to
shipping code to make it reproduce a similar crash.
* Source/WebCore/loader/ContentFilter.cpp:
(WebCore::ContentFilter::create):
(WebCore::ContentFilter::ContentFilterCallbackAggregator::~ContentFilterCallbackAggregator):
(WebCore::ContentFilter::ContentFilterCallbackAggregator::didReceivePlatformContentFilterDecision):
(WebCore::ContentFilter::continueAfterSubstituteDataRequest):
* Source/WebCore/loader/ContentFilter.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::notifyFinished):
(WebCore::DocumentLoader::willSendRequest):
(WebCore::DocumentLoader::responseReceived):
(WebCore::DocumentLoader::dataReceived):
(WebCore::DocumentLoader::detachFromFrame):
(WebCore::DocumentLoader::clearMainResource):
(WebCore::DocumentLoader::becomeMainResourceClient):
(WebCore::DocumentLoader::contentFilterWillHandleProvisionalLoadFailure):
(WebCore::DocumentLoader::contentFilterHandleProvisionalLoadFailure):
* Source/WebCore/loader/DocumentLoader.h:
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::startContentFiltering):
(WebKit::NetworkResourceLoader::didReceiveResponse):
(WebKit::NetworkResourceLoader::didFinishLoading):
(WebKit::NetworkResourceLoader::willSendRedirectedRequestInternal):
(WebKit::NetworkResourceLoader::bufferingTimerFired):
(WebKit::NetworkResourceLoader::sendBuffer):
(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
(WebKit::NetworkResourceLoader::sendResultForCacheEntry):
(WebKit::NetworkResourceLoader::continueAfterServiceWorkerReceivedData):
(WebKit::NetworkResourceLoader::continueAfterServiceWorkerReceivedResponse):
(WebKit::NetworkResourceLoader::serviceWorkerDidFinish):
(WebKit::NetworkResourceLoader::contentFilterDidBlock):
(WebKit::NetworkResourceLoader::checkedContentFilter): Delete.
* Source/WebKit/NetworkProcess/NetworkResourceLoader.h:
Canonical link: https://commits.webkit.org/306652@main
Canonical link: https://commits.webkit.org/305877.42@webkitglib/2.52
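The lifetime problem the commit message above describes, reduced to a runnable sketch. This is an added example, not WebKit's code: Filter, Loader and RunLoop are constructed stand-ins for WebCore::ContentFilter, its owner and the delayed async callback, and std::shared_ptr / std::weak_ptr stand in for WTF::RefPtr / WTF::WeakPtr. The non-owning path observes the object being gone rather than crashing, which is what a dangling CheckedPtr would do.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Constructed stand-ins (not WebKit code): Filter plays the role of
// WebCore::ContentFilter, Loader the role of its owner, and std::shared_ptr /
// std::weak_ptr stand in for WTF::RefPtr / WTF::WeakPtr.
struct Filter {
    bool decisionReceived = false;
};

using Task = std::function<void()>;

// Minimal run loop: tasks queued now run later, modelling the delayed async
// content-filter decision callback.
struct RunLoop {
    std::vector<Task> tasks;
    void dispatch(Task task) { tasks.push_back(std::move(task)); }
    void drain()
    {
        std::vector<Task> pending = std::move(tasks);
        tasks.clear();
        for (Task& task : pending)
            task();
    }
};

struct Loader {
    std::shared_ptr<Filter> filter = std::make_shared<Filter>();
    // The owner drops its reference before the callback fires, e.g. because
    // the load was cancelled or the loader was detached.
    void detach() { filter.reset(); }
};

// Returns true if the delayed callback found the filter still alive.
bool runScenario(bool keepFilterAliveInCallback)
{
    RunLoop loop;
    Loader loader;
    bool sawLiveFilter = false;

    if (keepFilterAliveInCallback) {
        // RefPtr-style fix: the callback owns a strong reference, so the
        // filter outlives loader.detach().
        std::shared_ptr<Filter> strong = loader.filter;
        loop.dispatch([strong, &sawLiveFilter] {
            strong->decisionReceived = true;
            sawLiveFilter = true;
        });
    } else {
        // Non-owning reference (WeakPtr-style): by the time the callback runs
        // the filter is gone. A dangling CheckedPtr would crash here; weak_ptr
        // lets the example observe the failure safely.
        std::weak_ptr<Filter> weak = loader.filter;
        loop.dispatch([weak, &sawLiveFilter] {
            if (std::shared_ptr<Filter> filter = weak.lock()) {
                filter->decisionReceived = true;
                sawLiveFilter = true;
            }
        });
    }

    loader.detach(); // the owner releases the filter before the callback fires
    loop.drain();    // now the delayed callback runs
    return sawLiveFilter;
}
```

runScenario(false) models the pre-fix shape (the callback finds no object), runScenario(true) the fix: the callback holds its own strong reference, so the order in which the owner releases the object and the callback fires no longer matters.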
Commit: 2fa362303fe848459565982c695498cd30cd329b
https://github.com/WebKit/WebKit/commit/2fa362303fe848459565982c695498cd30cd329b
Author: Alex Christensen <[email protected]>
Date: 2026-02-03 (Tue, 03 Feb 2026)
Changed paths:
M Source/WebCore/loader/DocumentPrefetcher.cpp
Log Message:
-----------
Cherry-pick 306219@main (5c2e1b9bf5e8).
https://bugs.webkit.org/show_bug.cgi?id=306282
Fix crash after enabling speculation rules prefetching
https://bugs.webkit.org/show_bug.cgi?id=306282
rdar://168835297
Reviewed by Wenson Hsieh.
Feeding a null URL into m_prefetchedData.contains causes a crash.
This moves the invalid URL check to before the contains check to
prevent such a crash.
* Source/WebCore/loader/DocumentPrefetcher.cpp:
(WebCore::DocumentPrefetcher::prefetch):
Canonical link: https://commits.webkit.org/306219@main
Canonical link: https://commits.webkit.org/305877.43@webkitglib/2.52
Commit: c1981d4ac6adab98687d853efb82f20f5290aecd
https://github.com/WebKit/WebKit/commit/c1981d4ac6adab98687d853efb82f20f5290aecd
Author: Fujii Hironori <[email protected]>
Date: 2026-02-03 (Tue, 03 Feb 2026)
Changed paths:
M Source/WTF/wtf/IntervalSet.h
Log Message:
-----------
Cherry-pick 305994@main (edcec34a35be).
https://bugs.webkit.org/show_bug.cgi?id=305682
WTF::IntervalSet : AddressSanitizer: invalid alignment requested in aligned_alloc
https://bugs.webkit.org/show_bug.cgi?id=305682
Reviewed by Dan Hecht.
WTF::IntervalSet allocated a node with the following code:
> fastAlignedMalloc(cpuCacheLineSize, sizeof(NodeType))
ASan complained the size is not a multiple of the alignment. Use targetNodeSize for the size.
* Source/WTF/wtf/IntervalSet.h:
(WTF::IntervalSet::allocNode):
Canonical link: https://commits.webkit.org/305994@main
Canonical link: https://commits.webkit.org/305877.44@webkitglib/2.52
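The aligned_alloc contract the commit message above refers to, as an added example that is not WebKit's code: aligned_alloc requires a power-of-two alignment and a size that is a multiple of it, which is what ASan enforces. kCpuCacheLineSize (64) is a constructed placeholder for WTF's platform-specific cpuCacheLineSize, Node is a constructed stand-in for an IntervalSet node, ::aligned_alloc stands in for fastAlignedMalloc, and roundUpToMultipleOf shows the targetNodeSize idea: request the rounded-up size instead of sizeof(NodeType).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>

// Constructed placeholder for WTF's cpuCacheLineSize; 64 bytes is typical but
// the real value is platform-specific.
constexpr std::size_t kCpuCacheLineSize = 64;

// Round size up to the next multiple of alignment (alignment must be a power of two).
constexpr std::size_t roundUpToMultipleOf(std::size_t alignment, std::size_t size)
{
    return (size + alignment - 1) & ~(alignment - 1);
}

// True when (alignment, size) satisfies the aligned_alloc contract that ASan
// enforces: a power-of-two alignment and a size that is a multiple of it.
constexpr bool isValidAlignedAllocRequest(std::size_t alignment, std::size_t size)
{
    return alignment != 0 && (alignment & (alignment - 1)) == 0 && size % alignment == 0;
}

// Constructed stand-in for an IntervalSet node: 40 bytes on LP64, i.e. not a
// multiple of a 64-byte cache line, which is the shape that trips ASan when
// sizeof(NodeType) is passed straight to aligned_alloc.
struct Node {
    std::uint64_t low;
    std::uint64_t high;
    Node* left;
    Node* right;
    Node* parent;
};

// Allocate a cache-line-aligned node, requesting the rounded-up size
// (the targetNodeSize idea) rather than sizeof(NodeType).
template<typename NodeType>
NodeType* allocNode()
{
    constexpr std::size_t targetNodeSize = roundUpToMultipleOf(kCpuCacheLineSize, sizeof(NodeType));
    static_assert(isValidAlignedAllocRequest(kCpuCacheLineSize, targetNodeSize),
        "size passed to aligned_alloc must be a multiple of the alignment");
    void* memory = ::aligned_alloc(kCpuCacheLineSize, targetNodeSize);
    if (!memory)
        throw std::bad_alloc();
    return new (memory) NodeType{};
}

template<typename NodeType>
void freeNode(NodeType* node)
{
    node->~NodeType();
    ::free(node);
}
```

isValidAlignedAllocRequest(64, 40) is false, which is the request the original code made; after rounding, the same node is requested as (64, 64) and passes. Rounding the size costs a few bytes per node but keeps the allocation within what the C standard, and therefore ASan, accepts.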
Compare: https://github.com/WebKit/WebKit/compare/c06abca9861e...c1981d4ac6ad