Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ad57b514bb0d020862e28ac3a5f5fb876b635c4d
      
https://github.com/WebKit/WebKit/commit/ad57b514bb0d020862e28ac3a5f5fb876b635c4d
  Author: Chris Dumez <[email protected]>
  Date:   2026-05-28 (Thu, 28 May 2026)

  Changed paths:
    M Source/WebCore/Modules/streams/ReadableStream.cpp
    M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp
    M Source/WebCore/Modules/streams/ReadableStreamDefaultReader.h

  Log Message:
  -----------
Potential use after free of m_stream in ReadableStreamDefaultReader::visitAdditionalChildren()
https://bugs.webkit.org/show_bug.cgi?id=309882
rdar://172458992

Reviewed by Ryosuke Niwa.

ReadableStreamDefaultReader::visitAdditionalChildren() runs on the GC
thread but dereferences m_stream, which can get nulled out on the main
thread.

Address the issue via locking since we cannot easily ref the stream on
the GC thread.

* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.cpp:
(WebCore::ReadableStreamDefaultReader::~ReadableStreamDefaultReader):
(WebCore::ReadableStreamDefaultReader::read):
(WebCore::ReadableStreamDefaultReader::releaseLock):
(WebCore::ReadableStreamDefaultReader::setup):
(WebCore::ReadableStreamDefaultReader::genericRelease):
(WebCore::ReadableStreamDefaultReader::cancel):
(WebCore::ReadableStreamDefaultReader::genericCancel):
(WebCore::ReadableStreamDefaultReader::stream):
(WebCore::ReadableStreamDefaultReader::isReachableFromOpaqueRoots const):
(WebCore::ReadableStreamDefaultReader::visitAdditionalChildren):
* Source/WebCore/Modules/streams/ReadableStreamDefaultReader.h:
(WebCore::ReadableStreamDefaultReader::stream): Deleted.

Originally-landed-as: 305413.472@rapid/safari-7624.2.5.110-branch (1a64bedb202e). rdar://176061976
Canonical link: https://commits.webkit.org/314030@main
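The pattern the commit describes, reduced to a stand-alone illustration that is not WebKit's code: a reader holds a raw pointer to a stream, the main thread nulls that pointer when the reader releases it, and a GC-side visitor must never dereference the pointer outside the same lock. `Stream`, `Reader`, `m_streamLock` and `countVisitsAfterRelease` are hypothetical names chosen for this example, and `std::mutex` stands in for whatever lock the real fix uses. The race harness counts any visit that ran after the reader had let go of the stream; with the lock in place that count is always zero.

```cpp
#include <atomic>
#include <cstddef>
#include <mutex>
#include <thread>

// Hypothetical stand-in for the stream object the reader points at.
struct Stream {
    std::atomic<bool> detached { false };          // set by the "main thread" right after release
    std::atomic<size_t> visits { 0 };
    std::atomic<size_t> visitsAfterDetach { 0 };   // a nonzero value would mean a use of a dropped stream

    void visit() {
        visits.fetch_add(1);
        if (detached.load())
            visitsAfterDetach.fetch_add(1);
    }
};

// Hypothetical stand-in for the reader; the lock is the only thing guarding m_stream.
class Reader {
public:
    explicit Reader(Stream* stream) : m_stream(stream) { }

    // Main thread: drop the stream. Done under the lock, so a concurrent visit
    // either finishes before this point or observes nullptr and skips the dereference.
    void releaseLock() {
        std::lock_guard<std::mutex> guard(m_streamLock);
        m_stream = nullptr;
    }

    // GC thread: dereference m_stream only while holding the lock. Returns whether
    // a stream was still attached. Reading m_stream here without the lock is the
    // use-after-free class the commit fixes: the main thread could null and free
    // the stream between the null check and the dereference.
    bool visitAdditionalChildren() {
        std::lock_guard<std::mutex> guard(m_streamLock);
        if (!m_stream)
            return false;
        m_stream->visit();
        return true;
    }

    Stream* stream() {
        std::lock_guard<std::mutex> guard(m_streamLock);
        return m_stream;
    }

private:
    std::mutex m_streamLock;
    Stream* m_stream;
};

// Race a visiting "GC thread" against a releasing "main thread" `rounds` times and
// return how many visits ran after the reader had already released the stream.
// Because every dereference happens under m_streamLock, the result is always 0.
size_t countVisitsAfterRelease(size_t rounds) {
    size_t late = 0;
    for (size_t i = 0; i < rounds; ++i) {
        Stream stream;
        Reader reader(&stream);
        std::atomic<bool> stop { false };

        std::thread gc([&] {
            while (!stop.load())
                reader.visitAdditionalChildren();
        });

        reader.releaseLock();          // main thread nulls m_stream under the lock
        stream.detached.store(true);   // from here on, any visit would touch a released stream
        stop.store(true);
        gc.join();
        late += stream.visitsAfterDetach.load();
    }
    return late;
}

int main() {
    return countVisitsAfterRelease(100) == 0 ? 0 : 1;
}
```

The lock is acquired in both the writer (`releaseLock`) and the reader (`visitAdditionalChildren`, `stream`); guarding only one side would leave the same race in place. Copying the pointer out and dropping the lock before using it would also reopen the window, which is why the visit itself happens inside the guarded region.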


