Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 09f4248f50addb226b8b20a40040d7c1ffee9542
https://github.com/WebKit/WebKit/commit/09f4248f50addb226b8b20a40040d7c1ffee9542
Author: David Kilzer <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M Source/WebCore/workers/service/server/SWServer.cpp
Log Message:
-----------
Crash in SWServer::unregisterServiceWorkerClient() when client doesn't exist
<https://bugs.webkit.org/show_bug.cgi?id=305878>
<rdar://154918456>
Reviewed by Youenn Fablet and Chris Dumez.
A crash in SWServer::unregisterServiceWorkerClientInternal() occurred
when clientRegistrableDomain was not found in
m_clientsByRegistrableDomain.
Fix this by adding an iterator check for end(), and skipping code that
used the iterator when that was true. We also add an iterator end()
check in a second place in the same method.
No test since this is a race condition with no known steps to reproduce.
However, a similar crash was reproduced temporarily by adding code to
call SWServer::unregisterServiceWorkerClient() twice.
* Source/WebCore/workers/service/server/SWServer.cpp:
(WebCore::SWServer::unregisterServiceWorkerClientInternal):
- Add end() checks for iterators and skip code that assumed a match was
found.
(WebCore::SWServer::unregisterServiceWorkerClient):
- Add comment that we're purposely calling
unregisterServiceWorkerClientInternal() when the client identifier is
not found in case maps get out-of-sync.
Originally-landed-as: 305413.160@safari-7624-branch (561472a83605).
rdar://173974083
Canonical link: https://commits.webkit.org/311487@main
Commit: c8f9e83e6437825f8973dcd5b189d927d776bf87
https://github.com/WebKit/WebKit/commit/c8f9e83e6437825f8973dcd5b189d927d776bf87
Author: Roberto Rodriguez <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_render_utils.mm
M Source/ThirdParty/ANGLE/src/tests/gl_tests/VertexAttributeTest.cpp
Log Message:
-----------
[ANGLE] Validate Metal compute dispatch thread count before threadgroup
rounding
https://bugs.webkit.org/show_bug.cgi?id=306780
rdar://168452936
Reviewed by Kimmo Kinnunen.
Prevent Metal compute dispatch from crashing when vertex format conversion
produces a vertex count that would overflow uint32_t after threadgroup rounding.
Metal's thread_position_in_grid builtin is uint32_t, and Metal validates that
the rounded grid size (numGroups * threadgroupWidth) fits within this limit
for both uniform and non-uniform dispatch.
The fix adds SafeThreadgroupWidth() which finds the largest power-of-two
threadgroup width where the rounded thread count won't overflow. It iteratively
halves the width until numGroups * width <= UINT32_MAX.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_render_utils.mm:
* Source/ThirdParty/ANGLE/src/tests/gl_tests/VertexAttributeTest.cpp:
Originally-landed-as: 305413.265@safari-7624-branch (071768956961).
rdar://173969297
Canonical link: https://commits.webkit.org/311488@main
Commit: 3b05441afa504ffb42aaafcdb46950754652ef3d
https://github.com/WebKit/WebKit/commit/3b05441afa504ffb42aaafcdb46950754652ef3d
Author: Kristian Monsen <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M Source/WTF/wtf/Vector.h
Log Message:
-----------
Upgrade vector.grow() assert to release assert
https://bugs.webkit.org/show_bug.cgi?id=305884
rdar://168546677
Reviewed by Vitor Roriz and Alan Baradlay.
Making the assert a RELEASE_ assert means it is always protecting the user.
* Source/WTF/wtf/Vector.h:
(WTF::Malloc>::growImpl):
Originally-landed-as: 305413.213@safari-7624-branch (51da13afbf99).
rdar://173969293
Canonical link: https://commits.webkit.org/311489@main
Commit: c2a306acc0a63c17f16d969e7175b33a7f11145d
https://github.com/WebKit/WebKit/commit/c2a306acc0a63c17f16d969e7175b33a7f11145d
Author: Simon Lewis <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M LayoutTests/TestExpectations
A LayoutTests/http/tests/security/registerBlobURL-expected.txt
A LayoutTests/http/tests/security/registerBlobURL.html
M LayoutTests/platform/mac/TestExpectations
M Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Log Message:
-----------
NetworkConnectionToWebProcess::registerInternalFileBlobURL should check
whether accessing replacementPath is allowed or not
https://bugs.webkit.org/show_bug.cgi?id=305353
rdar://134025127
Reviewed by Per Arne Vollan and Chris Dumez.
Adding a MESSAGE_CHECK for parameter: replacementPath.
* LayoutTests/TestExpectations:
* LayoutTests/http/tests/security/registerBlobURL-expected.txt: Added.
* LayoutTests/http/tests/security/registerBlobURL.html: Added.
* LayoutTests/platform/mac/TestExpectations:
* Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::registerInternalFileBlobURL):
Originally-landed-as: 305413.85@safari-7624-branch (1dfe7a1fcb33).
rdar://173969169
Canonical link: https://commits.webkit.org/311490@main
Commit: a0d2715d206032964136650f6cdf1e43931de38d
https://github.com/WebKit/WebKit/commit/a0d2715d206032964136650f6cdf1e43931de38d
Author: Vassili Bykov <[email protected]>
Date: 2026-04-17 (Fri, 17 Apr 2026)
Changed paths:
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp
Log Message:
-----------
[JSC] `WebAssemblyGCStructureTypeDependencies::process` should traverse
expanded types
https://bugs.webkit.org/show_bug.cgi?id=306479
rdar://165898811
Reviewed by Yusuke Suzuki.
The patch changes WebAssemblyGCStructureTypeDependencies::process so that the
type added to the work
list is the effective (expanded) type of a field. Without the patch, if the
type is a Subtype, the
effective type is not reached and never scanned for dependencies.
Testing: not testable directly. The original steps to reproduce require a
Debug+ASan build with a
special diagnostic patch applied to StructParameterTypes::equal().
Originally-landed-as: 305413.210@safari-7624-branch (f0eba4757433).
rdar://173969133
Canonical link: https://commits.webkit.org/311491@main
Compare: https://github.com/WebKit/WebKit/compare/a9f2dfaaf8a7...a0d2715d2060
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
