[webkit-changes] [WebKit/WebKit] 60f12d: Cherry-pick 252432.1030 at safari-7614-branch (433db4...

Chris Dumez noreply at github.com
Tue Mar 28 16:54:19 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 60f12d4262f763634991e8c45652c55420be304d
      https://github.com/WebKit/WebKit/commit/60f12d4262f763634991e8c45652c55420be304d
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    M Source/WebCore/bindings/js/JSErrorHandler.cpp
    M Source/WebCore/bindings/js/JSEventListener.cpp
    M Source/WebCore/bindings/js/JSEventListener.h
    M Source/WebCore/bindings/js/JSLazyEventListener.cpp
    M Source/WebCore/bindings/js/WebCoreJSClientData.cpp
    M Source/WebCore/bindings/js/WebCoreJSClientData.h
    M Source/WebCore/dom/EventTarget.cpp
    M Source/WebCore/inspector/CommandLineAPIHost.cpp
    M Source/WebCore/inspector/WebInjectedScriptHost.cpp
    M Source/WebCore/inspector/agents/InspectorDOMAgent.cpp

  Log Message:
  -----------
  Cherry-pick 252432.1030 at safari-7614-branch (433db4f29219). rdar://problem/107335960

    Heap use-after-free in DOMWrapperWorld::~DOMWrapperWorld
    https://bugs.webkit.org/show_bug.cgi?id=246022
    rdar://100763856

    Reviewed by Jonathan Bedard and Ryosuke Niwa.

    Right before a worker terminates, it destroys its WorkerOrWorkletScriptController,
    which destroys the JS VM. Certain objects like DOMWrapperWorld cannot outlive
    the VM since they keep a `VM&' as data member. However, DOMWrapperWorld is
    refcounted and JSEventListeners hold a strong ref to their DOMWrapperWorld. If
    JSEventListeners outlive the VM, then it would lead to a use-after free in the
    DOMWrapperWorld destructor when destroying those JSEventListeners later on.

    We have previously made several attempts to try and unregister all event
    listeners before destroying the VM. However, those attempts were either
    incomplete or led to other crashes. I am therefore trying a different approach
    this time.

    JSEventListeners now register themselves as client of the JSVMClientData (which
    is owned by the VM) and the client gets a `willDestroyVM()` call before the
    VM gets destroyed. This allows JSEventListeners to clear out their data members
    which rely on the VM (DOMWrapperWorld and JSC::Weak data members).

    * Source/WebCore/bindings/js/JSErrorHandler.cpp:
    (WebCore::JSErrorHandler::handleEvent):
    * Source/WebCore/bindings/js/JSEventListener.cpp:
    (WebCore::JSEventListener::JSEventListener):
    (WebCore::JSEventListener::handleEvent):
    (WebCore::JSEventListener::functionName const):
    (WebCore::JSEventListener::willDestroyVM):
    * Source/WebCore/bindings/js/JSEventListener.h:
    (WebCore::JSEventListener::isolatedWorld const):
    (WebCore::JSEventListener::ensureJSFunction const):
    * Source/WebCore/bindings/js/JSLazyEventListener.cpp:
    (WebCore::JSLazyEventListener::initializeJSFunction const):
    * Source/WebCore/bindings/js/WebCoreJSClientData.cpp:
    (WebCore::JSVMClientData::~JSVMClientData):
    * Source/WebCore/bindings/js/WebCoreJSClientData.h:
    (WebCore::JSVMClientData::addClient):
    * Source/WebCore/dom/EventTarget.cpp:
    (WebCore::EventTarget::attributeEventListener):
    * Source/WebCore/inspector/CommandLineAPIHost.cpp:
    (WebCore::CommandLineAPIHost::getEventListeners):
    * Source/WebCore/inspector/WebInjectedScriptHost.cpp:
    (WebCore::objectForEventTargetListeners):
    * Source/WebCore/inspector/agents/InspectorDOMAgent.cpp:
    (WebCore::InspectorDOMAgent::buildObjectForEventListener):

    Canonical link: https://commits.webkit.org/252432.1030@safari-7614-branch

Canonical link: https://commits.webkit.org/262247@main

More information about the webkit-changes mailing list