Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 857093a57c0d19d51608001c95d5a1fa4bd8cd82
https://github.com/WebKit/WebKit/commit/857093a57c0d19d51608001c95d5a1fa4bd8cd82
Author: Fujii Hironori <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M Source/WebCore/html/OffscreenCanvas.cpp
M Source/WebCore/html/OffscreenCanvas.h
Log Message:
-----------
Cherry-pick 313384@main (2be1403ca6cd).
https://bugs.webkit.org/show_bug.cgi?id=314269
Keep alive OffscreenCanvas's wrapper object until webglcontextlost event is
dispatched
https://bugs.webkit.org/show_bug.cgi?id=314269
Reviewed by Chris Dumez.
webgl/lose-context-after-context-lost.html randomly caused an assertion
failure
for GTK and WPE.
> ASSERTION FAILED: m_wrapper
> Source/WebCore/bindings/js/JSEventListener.h(171) :
> JSC::JSObject*
WebCore::JSEventListener::ensureJSFunction(WebCore::ScriptExecutionContext&)
const
OffscreenCanvas's wrapper object was reclaimed when the webglcontextlost
event
was dispatched.
222794@main fixed the same issue for HTMLCanvasElement by adding
HTMLCanvasElement::virtualHasPendingActivity(). Do the same for
OffscreenCanvas.
Tests: webgl/lose-context-after-context-lost.html
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::virtualHasPendingActivity const):
(WebCore::OffscreenCanvas::eventListenersDidChange):
* Source/WebCore/html/OffscreenCanvas.h:
Canonical link: https://commits.webkit.org/313384@main
Canonical link: https://commits.webkit.org/305877.571@webkitglib/2.52
Commit: 8967ed588e936104162400bff467fe623658a0e8
https://github.com/WebKit/WebKit/commit/8967ed588e936104162400bff467fe623658a0e8
Author: Simon Fraser <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/css/filter-effects/filter-overflow-transformed-child-001-expected.html
A
LayoutTests/imported/w3c/web-platform-tests/css/filter-effects/filter-overflow-transformed-child-001.html
A
LayoutTests/imported/w3c/web-platform-tests/css/filter-effects/reference/filter-overflow-transformed-child-001-ref.html
M Source/WebCore/rendering/RenderLayer.cpp
Log Message:
-----------
Cherry-pick 313316@main (42cae1dc020a).
https://bugs.webkit.org/show_bug.cgi?id=313665
REGRESSION (296844@main): drop-shadow and translation transforms render
incorrectly clipped
https://bugs.webkit.org/show_bug.cgi?id=313665
rdar://175905543
Reviewed by Brent Fulgham.
In setupFilters, calculateLayerBounds was called with {
PreserveAncestorFlags }. This flag causes
descendant layers to inherit the parent's empty flags, which crucially
omits IncludeSelfTransform.
Without that flag, CSS transforms on descendant layers (like the inner
circle's transform) are
ignored when computing the filter source image bounds. This makes the
filter source image buffer
positioned incorrectly, clipping parts of the painted content.
Fix by passing empty flags.
Tests:
imported/w3c/web-platform-tests/css/filter-effects/filter-overflow-transformed-child-001.html
imported/w3c/web-platform-tests/css/filter-effects/reference/filter-overflow-transformed-child-001-ref.html
*
LayoutTests/imported/w3c/web-platform-tests/css/filter-effects/filter-overflow-transformed-child-001-expected.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/filter-effects/filter-overflow-transformed-child-001.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/filter-effects/reference/filter-overflow-transformed-child-001-ref.html:
Added.
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::setupFilters):
Canonical link: https://commits.webkit.org/313316@main
Canonical link: https://commits.webkit.org/305877.572@webkitglib/2.52
Commit: 9399dfb8c46167a1df3ce93f2e8704c25d54cb2a
https://github.com/WebKit/WebKit/commit/9399dfb8c46167a1df3ce93f2e8704c25d54cb2a
Author: Anne van Kesteren <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M LayoutTests/TestExpectations
A
LayoutTests/imported/w3c/web-platform-tests/xhr/send-redirect-bogus-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/xhr/send-redirect-to-cors-expected.txt
A
LayoutTests/imported/w3c/web-platform-tests/xhr/send-redirect-to-non-cors-expected.txt
M LayoutTests/platform/wpe/TestExpectations
M Source/WebCore/platform/network/HTTPHeaderMap.h
M Source/WebCore/platform/network/ResourceRequestBase.cpp
M Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp
M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
Log Message:
-----------
Cherry-pick 312092@main (0ae02b1bfe4a).
https://bugs.webkit.org/show_bug.cgi?id=169420
Fix Fetch 301 & 302 redirect behavior
https://bugs.webkit.org/show_bug.cgi?id=169420
rdar://98459882
Reviewed by Youenn Fablet and Chris Dumez.
We incorrectly dropped the request body too often and did not clear
HTTP headers sufficiently when the body should be dropped. Covered by
existing web-platform-tests, which we can finally enable on EWS.
Canonical link: https://commits.webkit.org/312092@main
Canonical link: https://commits.webkit.org/305877.573@webkitglib/2.52
Commit: 63bda658a9668ec12bd46d9a323b9dea4f9c1482
https://github.com/WebKit/WebKit/commit/63bda658a9668ec12bd46d9a323b9dea4f9c1482
Author: Sammy Gill <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/css/css-grid/grid-stale-layoutbox-crash.html
M Source/WebCore/layout/integration/grid/LayoutIntegrationGridLayout.cpp
M Source/WebCore/layout/integration/grid/LayoutIntegrationGridLayout.h
Log Message:
-----------
Cherry-pick 311552@main (889513d41a34).
https://bugs.webkit.org/show_bug.cgi?id=312602
canva.com: web content crash when moving elements around.
(WebCore::LayoutIntegration::BoxGeometryUpdater::updateLayoutBoxDimensions)
https://bugs.webkit.org/show_bug.cgi?id=312602
rdar://174932208
Reviewed by Brent Fulgham, Alan Baradlay, and Vitor Roriz.
When a grid item is removed from underneath a grid box we fail to
properly clean up the tree. This is because we do not have any
integration logic that hooks into the layout tree for grid when a
RenderGrid loses a renderer. This may end up causing a crash in the grid
integration code when we try to access a renderer that was removed from
the render tree.
For now we can just tear down the subtree at the end of grid layout,
which is what we currently do for FFC as well. We will probably want to
revisit this later but it is a good start to at least avoid these types
of crashes.
Test:
imported/w3c/web-platform-tests/css/css-grid/grid-stale-layoutbox-crash.html
Canonical link: https://commits.webkit.org/311552@main
Canonical link: https://commits.webkit.org/305877.574@webkitglib/2.52
Commit: 8c4a479f89c09ce82d430c7ca8ebebde502c91c3
https://github.com/WebKit/WebKit/commit/8c4a479f89c09ce82d430c7ca8ebebde502c91c3
Author: Karl Dubost <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
A LayoutTests/fast/css/expedia-group-animation-quirk-expected.txt
A LayoutTests/fast/css/expedia-group-animation-quirk.html
R LayoutTests/fast/css/hotels-animation-quirk-expected.txt
R LayoutTests/fast/css/hotels-animation-quirk.html
M Source/WebCore/page/Quirks.cpp
M Source/WebCore/page/Quirks.h
M Source/WebCore/page/QuirksData.h
M Source/WebCore/style/StyleAdjuster.cpp
Log Message:
-----------
Cherry-pick 311522@main (11d366a3775f).
https://bugs.webkit.org/show_bug.cgi?id=312549
[quirk] extend the hotels.com quirk to the full expedia group of sites
https://bugs.webkit.org/show_bug.cgi?id=312549
rdar://174852031
Reviewed by Brent Fulgham.
This extends the previous quirk done for https://webkit.org/b/312549 to
the full group of domains operated by Expedia Group. All these domains
exhibit exactly the same issue and luckily enough have the same markup
for the flickering menu.
This requires an outreach to Expedia to ask them to fix their code, which
targets Safari and create the issue in the first place. Once it is fixed
on their side, it will be simplify both expedia code and WebKit code.
Test: fast/css/expedia-group-animation-quirk.html
* LayoutTests/fast/css/expedia-group-animation-quirk-expected.txt: Added.
* LayoutTests/fast/css/expedia-group-animation-quirk.html: Added.
* LayoutTests/fast/css/hotels-animation-quirk-expected.txt: Removed.
* LayoutTests/fast/css/hotels-animation-quirk.html: Removed.
* Source/WebCore/page/Quirks.cpp:
* Source/WebCore/page/Quirks.h:
* Source/WebCore/page/QuirksData.h:
* Source/WebCore/style/StyleAdjuster.cpp:
(WebCore::Style::Adjuster::adjustForSiteSpecificQuirks const):
Canonical link: https://commits.webkit.org/311522@main
Canonical link: https://commits.webkit.org/305877.575@webkitglib/2.52
Commit: cd8463220c97a8a4674923a274ec15aeb5fd10ee
https://github.com/WebKit/WebKit/commit/cd8463220c97a8a4674923a274ec15aeb5fd10ee
Author: Youenn Fablet <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M LayoutTests/http/wpt/fetch/resources/wrong-form-data.py
M LayoutTests/http/wpt/fetch/wrong-form-data-expected.txt
M LayoutTests/http/wpt/fetch/wrong-form-data.html
M Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
Log Message:
-----------
Cherry-pick 311089@main (d9c3d2e9d1dd).
https://bugs.webkit.org/show_bug.cgi?id=312136
Multipart form data parser should not expect CRLF at the end
rdar://174348783
https://bugs.webkit.org/show_bug.cgi?id=312136
Reviewed by Chris Dumez.
Our checks added in rdar://172038722 were too strict.
While form generators include CRLF after the close delimiter, RFC 2046 does
not mandate this.
We update the implementation accordingly, which aligns with other UAs.
We also check for transport-padding as requested by RFC 2046, which aligns
with Chrome, not Firefox.
Finally, we keep allowing a start delimiter finishing with '--', which is
counted as a close delimiter.
The reason is that, even though not allowed by RFC and Chrome, it is
allowed by Firefox and is the way an empty FormData is serialized by User
Agents.
We add tests for close delimiter without CRLF and for transport-padding.
* LayoutTests/http/wpt/fetch/resources/wrong-form-data.py:
(main):
* LayoutTests/http/wpt/fetch/wrong-form-data-expected.txt:
* LayoutTests/http/wpt/fetch/wrong-form-data.html:
* Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp:
(WebCore::FetchBodyConsumer::packageFormData):
Canonical link: https://commits.webkit.org/311089@main
Canonical link: https://commits.webkit.org/305877.576@webkitglib/2.52
Commit: e030ff7b291e197a5363443139e490bb56c4fede
https://github.com/WebKit/WebKit/commit/e030ff7b291e197a5363443139e490bb56c4fede
Author: Sammy Gill <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
A
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-expected.html
A
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-tall-expected.html
A
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-tall-ref.html
A
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-tall.html
A
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size.html
M Source/WebCore/rendering/RenderBox.cpp
Log Message:
-----------
Cherry-pick 310931@main (9ebcc420fbbe).
https://bugs.webkit.org/show_bug.cgi?id=311689
REGRESSION(302241@main): CSS "aspect-ratio" is not honored when window is
zoomed in
https://bugs.webkit.org/show_bug.cgi?id=311689
rdar://174361289
Reviewed by Alan Baradlay.
When we are computing a box's size in an axis (e.g. height) using an
aspect-ratio and its minimum size in that axis (e.g. min-height) is
auto, we need to compute its min-content size as the automatic minimum
size.
https://drafts.csswg.org/css-sizing-4/#aspect-ratio-minimum
For the logical height, we have this behavior implemented in
RenderBox::constrainLogicalHeightByMinMax.
*
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-expected.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-tall-expected.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-tall-ref.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size-tall.html:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/css/css-viewport/zoom/aspect-ratio-height-with-automatic-minimum-size.html:
Added.
* Source/WebCore/rendering/RenderBox.cpp:
(WebCore::RenderBox::constrainLogicalHeightByMinMax const):
When we are in the branch to compute the automatic minimum size we use
blockSizeFromAspectRatio to get the logical height we want from the
aspect-ratio. However, both this and intrinsicLogicalHeight are used
sizes, which means they are already zoomed. Constructing a
Style::MinimumSize::Fixed directly from these values results in the bug
since we will apply zoom *again* when it is evaluated. Instead, we
should remove the zoom from this value before constructing it.
Canonical link: https://commits.webkit.org/310931@main
Canonical link: https://commits.webkit.org/305877.577@webkitglib/2.52
Commit: fb39ecd0963a43ab2931d7f65281a39881782dd2
https://github.com/WebKit/WebKit/commit/fb39ecd0963a43ab2931d7f65281a39881782dd2
Author: Chris Dumez <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M Source/WTF/wtf/CheckedArithmetic.h
M Tools/TestWebKitAPI/Tests/WTF/CheckedArithmeticOperations.cpp
Log Message:
-----------
Cherry-pick 310033@main (88e8afba6872).
https://bugs.webkit.org/show_bug.cgi?id=310811
Fix two overflow bugs in CheckedArithmetic's division operations
https://bugs.webkit.org/show_bug.cgi?id=310811
Reviewed by Geoffrey Garen.
Test: Tools/TestWebKitAPI/Tests/WTF/CheckedArithmeticOperations.cpp
* Source/WTF/wtf/CheckedArithmetic.h:
(WTF::ArithmeticOperations::divide): For signed types, detect INT_MIN / -1
as overflow instead of executing undefined behavior. On x86, this would
cause SIGFPE; on narrower types it silently wraps to the wrong value.
(WTF::ArithmeticOperations<int, unsigned>::divide): Add an isInBounds
check on the int64_t quotient before casting to ResultType. Without this,
dividing a negative int by an unsigned (e.g. -1 / 1u) silently produces
UINT_MAX instead of signaling overflow.
* Tools/TestWebKitAPI/Tests/WTF/CheckedArithmeticOperations.cpp:
(TestWebKitAPI::TEST(CheckedArithmeticTest,
SignedDivisionMinByNegativeOneShouldOverflow)):
(TestWebKitAPI::TEST(CheckedArithmeticTest,
MixedSignDivisionShouldOverflowWhenResultIsNegative)):
Canonical link: https://commits.webkit.org/310033@main
Canonical link: https://commits.webkit.org/305877.578@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/e9754ced5605...fb39ecd0963a
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
