This Week in WebKit — ISO Week 09, 2026 (Feb 23 – Mar 1, 2026)
Featured
The lock broker lives in the UI process and used to accept whichever ClientOrigin the renderer attached to its IPC, treating the field as ground truth. This patch routes every lock request through the committedOrigins set populated by didCommitLoad, so a compromised WebContent process can no longer claim a sibling origin's lock namespace. The mechanism is straightforward; the interesting questions are around the edges. Lifetime, registration paths for non-document committers, and the TOCTOU window between commit and lock IPC are all left to the reader.
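The validation step described above, reduced to a small model. This is an added example written for this summary, not WebKit code: `LockBroker`, `didCommitLoad`, `requestLock` and the numeric process ids are illustrative names, and the real broker's data structures and IPC surface differ. The point it shows is the contract: the origin carried in the renderer's IPC is a claim, and the broker grants a lock only when the UI process has itself recorded that origin as committed in that process. A request whose origin has not yet been committed is rejected, which is the conservative side of the commit-vs-lock ordering the text leaves open.

```javascript
// Added example, not WebKit code: model of a UI-process lock broker that
// validates the renderer-supplied origin against commits it recorded itself.
class LockBroker {
  constructor() {
    this.committedOrigins = new Map(); // processId -> Set<origin>
    this.held = new Map();             // "origin|lockName" -> owning processId
  }

  // Populated only from the UI-process navigation path (the analogue of
  // didCommitLoad); the renderer never writes to this set.
  didCommitLoad(processId, origin) {
    if (!this.committedOrigins.has(processId)) {
      this.committedOrigins.set(processId, new Set());
    }
    this.committedOrigins.get(processId).add(origin);
  }

  // Drop everything a process could claim once it is gone.
  processTerminated(processId) {
    this.committedOrigins.delete(processId);
    for (const [key, owner] of this.held) {
      if (owner === processId) this.held.delete(key);
    }
  }

  // claimedOrigin is whatever the renderer attached to the IPC message.
  // Pre-patch behaviour would have used it as ground truth; here it is only
  // accepted if this process has actually committed a load for that origin.
  requestLock(processId, claimedOrigin, lockName) {
    const committed = this.committedOrigins.get(processId);
    if (!committed || !committed.has(claimedOrigin)) {
      return { granted: false, reason: "origin-not-committed" };
    }
    const key = `${claimedOrigin}|${lockName}`;
    const owner = this.held.get(key);
    if (owner !== undefined && owner !== processId) {
      return { granted: false, reason: "held-by-other-process" };
    }
    this.held.set(key, processId);
    return { granted: true };
  }
}

// Constructed scenario: two renderers with distinct committed origins and a
// third that sends a lock request before any commit has been recorded.
function scenario() {
  const broker = new LockBroker();
  broker.didCommitLoad(1, "https://a.example");
  broker.didCommitLoad(2, "https://b.example");

  const legit = broker.requestLock(2, "https://b.example", "sync");
  // Process 1 claims process 2's origin in its IPC payload.
  const crossOrigin = broker.requestLock(1, "https://b.example", "sync");
  // Lock IPC arrives before didCommitLoad has registered the origin.
  const beforeCommit = broker.requestLock(3, "https://c.example", "sync");
  return { legit, crossOrigin, beforeCommit };
}
```

The `held` map is only there to make the lock namespace concrete; the security-relevant branch is the first check in `requestLock`, which consults state the renderer cannot write.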
The Await algorithm requires each microtask job's realm to be locked at the await site. JSC's resolveWithInternalMicrotask shortcut existed for the common same-realm case but applied unconditionally, so cross-realm awaits left subsequent thenable resolvers anchored to the settle site's globalObject instead of the awaiter's. The symptom is observable from JS: f.constructor inside a cross-realm then callback pointed at the foreign realm's Function. The fix derives the realm from the driven object — generator, result promise, or module — and inserts an extra microtask on the cross-realm path that changes async ordering in ways embedders should re-test.
LBSE puts SVG transforms through the standard CSS layout pipeline, so every attribute mutation used to fire repaintOrRelayoutAfterSVGTransformChange() synchronously. This patch queues mutations on LocalFrameViewLayoutContext and runs a three-phase flush — snapshot rects, mutate transforms, delta repaint — once per frame, with a dirty bit lazily recomputing getBBox(). The wrinkle: in updateLayoutIfDimensionsOutOfDate the flush runs before the isInRenderTreeLayout() guard, so re-entrant geometry queries during phase 2 can observe partially-mutated transform state mid-flush.
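To make the mid-flush hazard concrete, here is a model of the three-phase flush. It is an added example for this summary, not LBSE code: `TransformFlushModel`, `queueTransform`, `flush`, and the `getBBoxUnsafe`/`getBBoxSafe` pair are invented names, and the elements are plain rectangles with a translation rather than real SVG transforms. An observer callback runs after each phase-2 mutation to stand in for a re-entrant geometry query. The unsafe query answers from live state and reports a bounding box that never existed as a frame (one element moved, the other not); the safe variant answers from the phase-1 snapshot while a flush is in progress, which is one way to guarantee callers see a consistent state.

```javascript
// Added example, not WebKit/LBSE code: model of a deferred transform flush
// (snapshot -> mutate -> delta repaint) and a re-entrant bbox query.
function unionRect(rects) {
  let minX = Infinity, minY = Infinity, maxX = -Infinity, maxY = -Infinity;
  for (const r of rects) {
    minX = Math.min(minX, r.x); minY = Math.min(minY, r.y);
    maxX = Math.max(maxX, r.x + r.w); maxY = Math.max(maxY, r.y + r.h);
  }
  return { x: minX, y: minY, w: maxX - minX, h: maxY - minY };
}

// Element geometry after applying its (translation-only) transform.
function translated(e) {
  return { x: e.x + e.tx, y: e.y + e.ty, w: e.w, h: e.h };
}

class TransformFlushModel {
  constructor(elements) {
    this.elements = new Map(Object.entries(elements)); // name -> {x,y,w,h,tx,ty}
    this.pending = [];   // queued { name, tx, ty } mutations
    this.inFlush = false;
    this.snapshot = null;
  }

  // Attribute mutation: queued instead of applied synchronously.
  queueTransform(name, tx, ty) {
    this.pending.push({ name, tx, ty });
  }

  // Answers from live state, even while phase 2 is half-way through.
  getBBoxUnsafe() {
    return unionRect([...this.elements.values()].map(translated));
  }

  // While a flush is running, answer from the phase-1 snapshot so the
  // caller sees the pre-flush state rather than a partially mutated one.
  getBBoxSafe() {
    if (this.inFlush) return unionRect([...this.snapshot.values()]);
    return this.getBBoxUnsafe();
  }

  // observer(model) is called after each mutation in phase 2 and models a
  // re-entrant geometry query; its results are returned for inspection.
  flush(observer) {
    this.inFlush = true;
    // Phase 1: snapshot every element's current transformed rect.
    this.snapshot = new Map([...this.elements].map(([n, e]) => [n, translated(e)]));
    // Phase 2: apply the queued transforms one at a time.
    const observed = [];
    for (const { name, tx, ty } of this.pending) {
      const e = this.elements.get(name);
      e.tx = tx; e.ty = ty;
      if (observer) observed.push(observer(this));
    }
    this.pending = [];
    // Phase 3: delta repaint, old rect united with new rect for each mover.
    const repaint = [];
    for (const [name, e] of this.elements) {
      const before = this.snapshot.get(name), after = translated(e);
      if (before.x !== after.x || before.y !== after.y) {
        repaint.push({ name, rect: unionRect([before, after]) });
      }
    }
    this.inFlush = false;
    this.snapshot = null;
    return { repaint, observed };
  }
}

// Constructed scenario: two 10x10 boxes, both shifted right by 50 in one frame.
function scenario(useSafeQuery) {
  const model = new TransformFlushModel({
    A: { x: 0, y: 0, w: 10, h: 10, tx: 0, ty: 0 },
    B: { x: 100, y: 0, w: 10, h: 10, tx: 0, ty: 0 },
  });
  model.queueTransform("A", 50, 0);
  model.queueTransform("B", 50, 0);
  const { repaint, observed } = model.flush(
    m => (useSafeQuery ? m.getBBoxSafe() : m.getBBoxUnsafe()));
  return { observed, repaint, final: model.getBBoxUnsafe() };
}
```

With the unsafe query the first observation spans x = 50..110, a box that is neither the pre-flush 0..110 nor the post-flush 50..160; the snapshot-backed query reports 0..110 for every mid-flush call.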
Variable-count parentheses with a non-zero floor used to bail out of the JIT and silently run on the interpreter. This commit ships native code for the count-enforcement path: when iteration falls below the minimum during backtracking, the engine re-enters the latest iteration's content to try other alternatives rather than failing outright. The new invariants live entirely in JIT-emitted branch logic — count register, ParenContext frame index, and capture-slot bookkeeping all under hand-allocated registers. Off-by-ones here produce matches with fewer iterations than the pattern requires, the exact failure mode that silently bypasses regex-based allow/deny filters.
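Because the failure mode is a match with too few iterations, the practical check is a differential one: run the engine's `RegExp` against a reference matcher that is slow but obviously enforces the floor, over every short input. This is an added example for this summary, not JSC or YarrJIT code; `referenceMatch`, `buildRegExp` and `findMismatches` are names chosen here, and the patterns are limited to anchored groups of literal, non-empty alternatives (`^(alt1|alt2){min,max}$`), which is exactly the shape where backtracking has to re-enter the last iteration to try another alternative. It goes slightly beyond the text by covering both the unbounded `{min,}` and the bounded `{min,max}` forms.

```javascript
// Added example, not WebKit/JSC code: differential test of counted-group
// repetition against a tiny reference backtracking matcher.

// Reference semantics for ^(alt1|alt2|...){min,max}$ over literal, non-empty
// alternatives. Explores every backtracking path, so it is trivially correct
// about the iteration floor and ceiling.
function referenceMatch(alts, min, max, input) {
  function go(pos, count) {
    // Accept only when the whole input is consumed AND the floor is met.
    if (pos === input.length && count >= min) return true;
    if (count >= max) return false;
    for (const alt of alts) {
      // Non-empty alternatives guarantee progress, so this terminates.
      if (input.startsWith(alt, pos) && go(pos + alt.length, count + 1)) return true;
    }
    return false;
  }
  return go(0, 0);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// The same pattern handed to the engine under test (here, Node's RegExp).
function buildRegExp(alts, min, max) {
  const body = alts.map(escapeRegExp).join("|");
  const upper = max === Infinity ? "" : String(max);
  return new RegExp(`^(?:${body}){${min},${upper}}$`);
}

// Every string over `alphabet` with length 0..maxLen.
function* allStrings(alphabet, maxLen) {
  let frontier = [""];
  for (let len = 0; len <= maxLen; len++) {
    for (const s of frontier) yield s;
    frontier = frontier.flatMap(s => alphabet.map(c => s + c));
  }
}

// Inputs on which the engine disagrees with the reference. An engine that
// under-counts iterations shows up here as expected:false, got:true.
function findMismatches(alts, min, max, alphabet, maxLen) {
  const re = buildRegExp(alts, min, max);
  const mismatches = [];
  for (const input of allStrings(alphabet, maxLen)) {
    const expected = referenceMatch(alts, min, max, input);
    if (re.test(input) !== expected) {
      mismatches.push({ input, expected, got: !expected });
    }
  }
  return mismatches;
}
```

Two hand cases illustrate the corners: `^(a|ab){2}$` must accept `"aab"` (iteration 2 first takes `a`, fails at `$`, and is re-entered to take `ab`), while `^(a|ab){2,}$` must reject `"a"` because only one iteration is possible. Exhaustive inputs over `{a, b}` up to a few characters catch the off-by-one variants those two cases miss.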
Security fixes
- [JSC FTL] Fix indexing-type mismatch in OSR exit array materialization during bad time (High; JSC FTL JIT)
- [JSC] Add write barrier to op_del_by_id/op_del_by_val in baseline JIT (High; JSC Baseline JIT)
- [JSC] Defer GC across direct eval cache key construction (High; JSC interpreter)
- [WebCore] Fix UAF in Range::createContextualFragment via Trusted Types policy callback (High; WebCore DOM Range)
- [WebCore] Validate SameSite initiator in FrameLoader::load (High; WebCore FrameLoader)
- [WebKit] Validate firstPartyForCookies on StartDownload/ConvertMainResourceLoadToDownload IPC (High; WebKit NetworkProcess)
- [WebKit] Add origin validation to setAppBadge / setAppBadgeFromWorker (Medium; WebKit UIProcess Badging)
- [WebKit] Validate Badging IPC origin against WebProcessProxy (Medium; WebKit UIProcess Badging)
- [WebCore] Defer Safe Browsing download decision until lookup completes (Medium; WebKit UIProcess navigation policy)
- [WebCore] Re-validate same-origin after CSP sandbox application in view transitions (High; WebCore View Transitions)
- [WebCore] IndexedDB hash invariant fix for -0/+0 keys (High; WebCore IndexedDB / NetworkProcess)
- [WebKit] Add MessagePort entanglement check to takeAllMessagesForPort IPC (High; WebKit Network process)
- [WebKit] Pin WebPageProxy across completion handlers via RefPtr promotion (High; WebKit UIProcess)
- [JSC] Fix data race in WaiterListManager::unregister (Medium; JSC `WaiterListManager`)
- [WebKit] Validate Permissions Query identifier/source combination (Medium; WebKit UIProcess Permissions)
- [WebCore] Bound grid masonry span and exclude excluded-from-normal-layout from subgrid (Medium; WebCore rendering, Grid masonry/subgrid)
- [JSC Wasm IPInt] Widen frame-size accumulator in IPInt::finalize (High; JSC Wasm IPInt)
- [WebCore] Fix INT32_MIN UB in BackForwardController distance arithmetic (Low; WebKit UIProcess back/forward navigation)
- [WebKit] Add webcontent_sandbox_entitlements to Mac Catalyst variant (Low; WebKit build-time entitlements)
- [WebKit] MessagePort lifecycle on NetworkProcess restart (Low; MessagePort lifecycle)
- Pass an extra ApplicationBundleIdentifier through PCM (Low; WebKit Networking / PCM)
- [grid layout] Don't call viewportContentsChanged() from scroll updates during render tree layout (Low; WebCore rendering)
Notable development
- [JSC] Add String fast iteration (optimization)
- FileSystemHandle IndexedDB storage
- REGRESSION(314479@main): Crash in WebPushD::Connection::connectionReceivedEvent() due to xpc_object_t ODR violation
- Cherry-pick 305413.548@safari-7624-branch — Web Locks origin validation
- [JSC] Promise jobs must not run with the realm of a cross-realm settle site
- [LBSE] Defer per-element SVG transform-attribute work without style recalc
- [JSC] Implement Variable Count Parentheses in YarrJIT
- [JSC] MapIterator / SetIterator should be handled in DFG