Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: 8cf38683dcebfd5122ef7eb78af5f4c0cdfc02e9
      https://github.com/WebKit/WebKit/commit/8cf38683dcebfd5122ef7eb78af5f4c0cdfc02e9
  Author: Anne van Kesteren <[email protected]>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M LayoutTests/platform/mac-wk1/TestExpectations
    A LayoutTests/platform/mac/plugins/runtime-object-prevent-gc-crash-expected.txt
    A LayoutTests/platform/mac/plugins/runtime-object-prevent-gc-crash.html
    M LayoutTests/platform/wk2/TestExpectations
    M Source/WebCore/bridge/runtime_root.cpp

  Log Message:
  -----------
  Cherry-pick 310516@main (4be186fa2954). https://bugs.webkit.org/show_bug.cgi?id=311409

    REGRESSION(305023@main): cannot jsCast during finalize either
    https://bugs.webkit.org/show_bug.cgi?id=311409
    rdar://173949856

    Reviewed by Keith Miller.

    Test: platform/mac/plugins/runtime-object-prevent-gc-crash.html
    Canonical link: https://commits.webkit.org/310516@main

Canonical link: https://commits.webkit.org/305877.374@webkitglib/2.52


  Commit: 68f91860b8139d53044601d2b2c72e0f02b527e0
      https://github.com/WebKit/WebKit/commit/68f91860b8139d53044601d2b2c72e0f02b527e0
  Author: Chris Dumez <[email protected]>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M Source/WTF/wtf/MathExtras.h
    M Source/WebKit/Shared/Cocoa/SharedCARingBuffer.cpp
    M Tools/TestWebKitAPI/Tests/WTF/MathExtras.cpp

  Log Message:
  -----------
  Cherry-pick 310337@main (3242d3d821c5). https://bugs.webkit.org/show_bug.cgi?id=311090

    roundUpToPowerOfTwo() truncates its return value to uint32_t
    https://bugs.webkit.org/show_bug.cgi?id=311090

    Reviewed by Darin Adler.

    Use `auto` for the return type so that the return type gets deduced from
    whatever std::bit_ceil() returns.

    Test: Tools/TestWebKitAPI/Tests/WTF/MathExtras.cpp

    * Source/WTF/wtf/MathExtras.h:
    (WTF::roundUpToPowerOfTwo):
    * Source/WebKit/Shared/Cocoa/SharedCARingBuffer.cpp:
    (WebKit::ConsumerSharedCARingBuffer::map):
    * Tools/TestWebKitAPI/Tests/WTF/MathExtras.cpp:
    (TestWebKitAPI::TEST(WTF, roundUpToPowerOfTwoSizeT)):

    Canonical link: https://commits.webkit.org/310337@main

Canonical link: https://commits.webkit.org/305877.375@webkitglib/2.52


  Commit: 4cf1542b90a5cdc2f2e06dd134b3fb8f8bad29d6
      https://github.com/WebKit/WebKit/commit/4cf1542b90a5cdc2f2e06dd134b3fb8f8bad29d6
  Author: Sammy Gill <[email protected]>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-flexbox/percentage-size-quirks-003-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-flexbox/percentage-size-quirks-003.html
    M Source/WebCore/rendering/RenderBox.cpp

  Log Message:
  -----------
  Cherry-pick 310254@main (aeb2eadcea86). https://bugs.webkit.org/show_bug.cgi?id=210791

    Zoom.com: Copy Invitation button is difficult to click.
    https://bugs.webkit.org/show_bug.cgi?id=210791
    rdar://170479667

    Reviewed by Alan Baradlay.

    While inside a Zoom conference call, users can click an "Invite,"
    button inside the participants panel, which opens up a new dialog with
    an option to "Copy URL," that can be shared with others. However, it is
    sometimes a bit difficult to click the button to copy the URL unless you
    hover over it in the right spot. When looking at the content in the web
    inspector, it looks like this is due to some other content in the DOM
    that becomes too tall and protrudes into the "Copy URL," button.

    This content ends up reducing into the attached test case, which is
    about how percentage heights are supposed to resolve in a document that
    is in quirks mode. In the reduced test case, the percentage height box is
    inside of a flex item that gets flexed to take up the remaining space.
    The problem is that in quirks mode, we fail to detect that this flex item
    has a definite logical height that comes from the fact that its main
    size, which is its logical height, has been resolved and end up skipping
    it and continuing up the containing block chain in quirks mode.

    RenderFlexibleBox keeps track of which part of flex layout it is in by
    tracking each of the steps individually and setting them to active
    via SetForScope for a specific period of time. It then figures out which
    step we are in by using this information in
    canUseFlexItemForPercentageResolution since the sizes of the flex item
    may become definite depending where we are in flex layout. We can use
    this mechanism to decide if we can use the flex item to resolve its
    descendants' percentage height.

    Test: imported/w3c/web-platform-tests/css/css-flexbox/percentage-size-quirks-003.html
    Canonical link: https://commits.webkit.org/310254@main

Canonical link: https://commits.webkit.org/305877.376@webkitglib/2.52


  Commit: 5df8a344cdc3d1957abcbd98e8182b29d7750241
      https://github.com/WebKit/WebKit/commit/5df8a344cdc3d1957abcbd98e8182b29d7750241
  Author: Ahmad Saleem <[email protected]>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M Source/WebCore/svg/SVGAnimationElement.cpp

  Log Message:
  -----------
  Cherry-pick 310175@main (4e73e067c843). https://bugs.webkit.org/show_bug.cgi?id=310972

    Fix std::accumulate truncating float values in parseKeyTimes assertion
    https://bugs.webkit.org/show_bug.cgi?id=310972
    rdar://173577708

    Reviewed by Antoine Quint.

    The ASSERT used 0 (int) as the initial value, causing all float
    values to be truncated to int during accumulation, making the
    assertion always trivially pass. Use 0.0f instead.

    * Source/WebCore/svg/SVGAnimationElement.cpp:
    (WebCore::parseKeyTimes):

    Canonical link: https://commits.webkit.org/310175@main

Canonical link: https://commits.webkit.org/305877.377@webkitglib/2.52
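
The two narrowing bugs described in the roundUpToPowerOfTwo() and parseKeyTimes commit messages above, reproduced as an added example that is not WebKit's code. The function names, the shift-loop stand-in for std::bit_ceil() and the sample values are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <type_traits>
#include <vector>

// Stand-in for std::bit_ceil (C++20) so this builds as C++14: smallest power
// of two >= value, at the argument's own width. Assumes an unsigned T and a
// value no larger than the top power of two representable in T.
template<typename T> T bitCeil(T value)
{
    T result = 1;
    while (result < value)
        result <<= 1;
    return result;
}

// "Before" shape: a fixed 32-bit return type narrows a wider result.
template<typename T> uint32_t roundUpTruncating(T value)
{
    return static_cast<uint32_t>(bitCeil(value)); // cast only silences warnings
}

// "After" shape: auto deduces the return type from the helper's result.
template<typename T> auto roundUpDeduced(T value)
{
    return bitCeil(value);
}
static_assert(std::is_same<decltype(roundUpDeduced(uint64_t{1})), uint64_t>::value, "width kept");

// Seed 0 makes the accumulator an int: each partial sum loses its fraction.
int sumWithIntSeed(const std::vector<float>& v) { return std::accumulate(v.begin(), v.end(), 0); }

// Seed 0.0f keeps the accumulator a float.
float sumWithFloatSeed(const std::vector<float>& v) { return std::accumulate(v.begin(), v.end(), 0.0f); }

// Constructed sample inputs, not taken from WebKit.
const uint64_t kConstructedRequest = (uint64_t{1} << 32) + 1; // just over 4 GiB
const std::vector<float> kConstructedKeyTimes{0.0f, 0.25f, 0.5f, 1.0f};

int main()
{
    std::printf("round up: truncating=%u deduced=%llu\n", roundUpTruncating(kConstructedRequest),
        static_cast<unsigned long long>(roundUpDeduced(kConstructedRequest)));
    std::printf("sum: int seed=%d float seed=%.2f\n", sumWithIntSeed(kConstructedKeyTimes),
        sumWithFloatSeed(kConstructedKeyTimes));
}
```

A size that rounds to zero after narrowing is the dangerous case for callers that use the result as a buffer or mapping capacity, and an int-seeded sum defeats any check that depends on the fractional total.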


  Commit: 6c9222d55c16b21fbfe8bb1fe63f28a69929f539
      https://github.com/WebKit/WebKit/commit/6c9222d55c16b21fbfe8bb1fe63f28a69929f539
  Author: Chris Dumez <[email protected]>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    M Source/WTF/wtf/text/FastCharacterComparison.h

  Log Message:
  -----------
  Cherry-pick 310196@main (6c46fce15cca). https://bugs.webkit.org/show_bug.cgi?id=311047

    Fix recursive macro in big-endian UCHARQUAD_TOUINT64
    https://bugs.webkit.org/show_bug.cgi?id=311047

    Reviewed by Yusuke Suzuki.

    The big-endian definition of UCHARQUAD_TOUINT64 calls itself instead of
    UCHARPAIR_TOUINT32, which would cause a preprocessor error on any
    big-endian build. The little-endian definition was already correct.

    * Source/WTF/wtf/text/FastCharacterComparison.h:

    Canonical link: https://commits.webkit.org/310196@main

Canonical link: https://commits.webkit.org/305877.378@webkitglib/2.52


  Commit: a87f584a14ff1c93d0aab82df1779f34b02d9625
      https://github.com/WebKit/WebKit/commit/a87f584a14ff1c93d0aab82df1779f34b02d9625
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-04-07 (Tue, 07 Apr 2026)

  Changed paths:
    A JSTests/stress/describe-null-butterfly.js
    M Source/JavaScriptCore/runtime/JSCJSValue.cpp

  Log Message:
  -----------
  Cherry-pick 310137@main (3f22094cdc45). https://bugs.webkit.org/show_bug.cgi?id=310783

    [JSC] Fix null butterfly dereference in JSValue::dumpInContextAssumingStructure
    https://bugs.webkit.org/show_bug.cgi?id=310783

    Reviewed by Yusuke Suzuki.

    JSValue::dumpInContextAssumingStructure unconditionally calls
    butterfly()->base(structure) without checking if butterfly() returns
    null. Objects with only inline properties (no indexed storage, no
    out-of-line properties) have a null butterfly pointer. When the DFG
    graph dump or describe() prints such objects, this triggers undefined
    behavior caught by UBSAN:

        Butterfly.h:182:21: runtime error: member call on null pointer of
        type 'JSC::Butterfly *'

    The call chain does only pointer arithmetic so it does not crash in
    practice, but the output "(base=0xfffffffffffffff8)" is meaningless
    and the member call on a null pointer is still UB.

    Fix by checking if butterfly is null before computing the base address.

    * JSTests/stress/describe-null-butterfly.js: Added.
    * Source/JavaScriptCore/runtime/JSCJSValue.cpp:
    (JSC::JSValue::dumpInContextAssumingStructure const):

    Canonical link: https://commits.webkit.org/310137@main

Canonical link: https://commits.webkit.org/305877.379@webkitglib/2.52


Compare: https://github.com/WebKit/WebKit/compare/7df391f31714...a87f584a14ff
