Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9d60567537546eba3b8e490334a06b2fb3ecb0ae
https://github.com/WebKit/WebKit/commit/9d60567537546eba3b8e490334a06b2fb3ecb0ae
Author: Zak Ridouh <[email protected]>
Date: 2026-06-02 (Tue, 02 Jun 2026)
Changed paths:
A LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash-expected.txt
A LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash.html
M Source/WebKit/UIProcess/WebProcessProxy.cpp
Log Message:
-----------
Fix use-after-free in ~WebProcessProxy() when replying to pending IPC messages
https://bugs.webkit.org/show_bug.cgi?id=316154
rdar://178478856
Reviewed by Chris Dumez.
When a WebProcessProxy is torn down while its process is still launching, ~AuxiliaryProcessProxy() calls replyToPendingMessages() after WebProcessProxy's own members have already been destroyed. Those reply handlers (e.g. the one queued by sendPageCloseMessage()) upgrade a WeakPtr<WebProcessProxy> that is still live — the WeakPtrFactory lives in a base class destroyed later — and read freed members such as m_pagesPendingClose, causing a heap-use-after-free.

Reply to the pending messages at the top of ~WebProcessProxy(), while our members are still intact. The later base-class call then finds an empty queue and is a no-op.
* LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash-expected.txt: Added.
* LayoutTests/http/tests/site-isolation/remove-iframe-while-process-launching-crash.html: Added.
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::~WebProcessProxy):
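The destructor-ordering hazard described in the commit message, reduced to a self-contained model. This is an added example, not WebKit code: ProcessProxyBase, WebProcessProxyLike, ReplyLog, MembersAliveSentinel and sendWithAsyncReply are stand-ins for AuxiliaryProcessProxy/CanMakeWeakPtr, WebProcessProxy and its IPC queue, and the toy WeakPtr goes null only when its factory is destroyed, which is the property that makes the bug possible. Instead of reading freed memory (undefined behaviour), the handler checks a sentinel that records when the derived members have been torn down, so the buggy and fixed orderings can be compared deterministically.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Owned by the caller, so it outlives the proxy and records what the reply saw.
struct ReplyLog {
    bool membersAlive = true;       // cleared once the derived members are gone
    bool upgradedWeakPtr = false;   // WeakPtr::get() returned non-null
    bool touchedFreedMember = false; // would have been a heap-use-after-free
    int pagesClosed = 0;
};

// Toy WeakPtr/WeakPtrFactory (assumption: mirrors the lifetime rule that
// matters here, pointers only go null when the factory itself is destroyed).
template <typename T> class WeakPtr {
public:
    WeakPtr() = default;
    explicit WeakPtr(std::shared_ptr<T*> slot) : m_slot(std::move(slot)) {}
    T* get() const { return m_slot ? *m_slot : nullptr; }
private:
    std::shared_ptr<T*> m_slot;
};

template <typename T> class WeakPtrFactory {
public:
    explicit WeakPtrFactory(T* self) : m_slot(std::make_shared<T*>(self)) {}
    ~WeakPtrFactory() { *m_slot = nullptr; }
    WeakPtr<T> weakPtr() const { return WeakPtr<T>(m_slot); }
private:
    std::shared_ptr<T*> m_slot;
};

// Stand-in for AuxiliaryProcessProxy + CanMakeWeakPtr: owns the pending-reply
// queue and the WeakPtrFactory, and replies to pending messages in its own
// destructor, which runs AFTER the derived class's members are destroyed.
template <typename Derived> class ProcessProxyBase {
public:
    ProcessProxyBase() : m_weakFactory(static_cast<Derived*>(this)) {}
    virtual ~ProcessProxyBase() { replyToPendingMessages(); }
    WeakPtr<Derived> weakPtr() const { return m_weakFactory.weakPtr(); }
    void sendWithAsyncReply(std::function<void()> h) { m_pending.push_back(std::move(h)); }
    void replyToPendingMessages() {
        auto pending = std::move(m_pending); // drain first: handlers may re-enter
        m_pending.clear();
        for (auto& h : pending) h();
    }
private:
    std::vector<std::function<void()>> m_pending;
    WeakPtrFactory<Derived> m_weakFactory;
};

// Declared first in the derived class, so destroyed last among its members:
// after this destructor runs, any read of a derived member is a use-after-free.
struct MembersAliveSentinel {
    ReplyLog* log;
    ~MembersAliveSentinel() { log->membersAlive = false; }
};

// Stand-in for WebProcessProxy. ReplyEarly=false is the buggy ordering,
// ReplyEarly=true is the fix from the commit: drain the queue at the top of
// the derived destructor while m_pagesPendingClose is still intact.
template <bool ReplyEarly>
class WebProcessProxyLike : public ProcessProxyBase<WebProcessProxyLike<ReplyEarly>> {
public:
    explicit WebProcessProxyLike(ReplyLog& log) : m_sentinel{&log}, m_log(log) {}
    ~WebProcessProxyLike() override {
        if (ReplyEarly)
            this->replyToPendingMessages(); // base-class call later finds an empty queue
    }
    void sendPageCloseMessage(int pageID) {
        m_pagesPendingClose.insert(pageID);
        this->sendWithAsyncReply([weakThis = this->weakPtr(), pageID, log = &m_log] {
            auto* proxy = weakThis.get();
            if (!proxy) return;            // the check the handler relies on
            log->upgradedWeakPtr = true;   // ...but the factory is still alive
            if (!log->membersAlive) {      // stand-in for the ASan report
                log->touchedFreedMember = true;
                return;
            }
            proxy->m_pagesPendingClose.erase(pageID);
            ++log->pagesClosed;
        });
    }
private:
    MembersAliveSentinel m_sentinel;
    ReplyLog& m_log;
    std::set<int> m_pagesPendingClose;
};

// Destroy a proxy whose process is "still launching" (reply never arrived).
template <bool ReplyEarly> ReplyLog teardownWhileLaunching() {
    ReplyLog log;
    {
        auto proxy = std::make_unique<WebProcessProxyLike<ReplyEarly>>(log);
        proxy->sendPageCloseMessage(7);
    } // ~WebProcessProxyLike, then its members, then ~ProcessProxyBase
    return log;
}
inline ReplyLog teardownBuggy() { return teardownWhileLaunching<false>(); }
inline ReplyLog teardownFixed() { return teardownWhileLaunching<true>(); }

int main() {
    ReplyLog b = teardownBuggy(), f = teardownFixed();
    std::printf("buggy: upgraded=%d uaf=%d closed=%d\n", b.upgradedWeakPtr, b.touchedFreedMember, b.pagesClosed);
    std::printf("fixed: upgraded=%d uaf=%d closed=%d\n", f.upgradedWeakPtr, f.touchedFreedMember, f.pagesClosed);
    return 0;
}
```

The point the model makes explicit is that the `if (!proxy) return;` guard in the handler is not sufficient: a WeakPtr whose factory lives in a base class stays upgradable for the entire window between the derived destructor finishing and the base destructor finishing, which is exactly when the base destructor runs the queued replies. The general rule is that anything which can invoke callbacks holding a WeakPtr to the derived object must run before the derived members are destroyed, i.e. at the top of the most-derived destructor.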
Canonical link: https://commits.webkit.org/314426@main