Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ab0c1f873ad345799d5349202b340d13d3bea599
https://github.com/WebKit/WebKit/commit/ab0c1f873ad345799d5349202b340d13d3bea599
Author: Chris Dumez <[email protected]>
Date: 2026-06-14 (Sun, 14 Jun 2026)
Changed paths:
M Source/WebCore/platform/graphics/GraphicsContext.cpp
M Source/WebCore/platform/graphics/controls/ControlFactory.h
Log Message:
-----------
[CoreIPC][GPU] Use-after-free on `ControlFactory::singleton()` due to usage
of non-thread-safe RefCounted
https://bugs.webkit.org/show_bug.cgi?id=309218
rdar://169706356
Reviewed by Ryosuke Niwa.
ControlFactory is ref'd / deref'd from several threads concurrently but
subclasses RefCounted.
* Source/WebCore/platform/graphics/GraphicsContext.cpp:
(WebCore::GraphicsContext::drawDisplayList):
Drop unnecessary ref'ing of ControlFactory::singleton() on a background
thread.
* Source/WebCore/platform/graphics/controls/ControlFactory.h:
Subclass ThreadSafeRefCounted instead of RefCounted.
Originally-landed-as: 305413.407@rapid/safari-7624.2.5.110-branch
(338ced72faee). rdar://176067031
Canonical link: https://commits.webkit.org/315203@main
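
Added example, not part of the commit or of WebKit's code: a simplified model of why a non-atomic reference count is unsafe when two threads ref and deref the same object, the condition the log message describes. The State struct and all function names are hypothetical; the model enumerates every interleaving of two workers deterministically instead of racing real threads.

```cpp
// Each worker does ref() then deref() on a shared count that starts at 1
// (the owner's reference, e.g. the one keeping a singleton alive).
// Plain count: every operation is a separate load and store, 4 steps per worker.
// Atomic count: every operation is one indivisible read-modify-write, 2 steps.
struct State {
    int count { 1 };
    int reg[2] { 0, 0 };        // per-worker register holding the loaded value
    int pc[2] { 0, 0 };         // per-worker program counter
    bool freedEarly { false };  // count hit 0 while the owner still held a reference
};

static void step(State& s, int w, bool atomic)
{
    int pc = s.pc[w]++;
    if (atomic)
        s.count += (pc == 0) ? 1 : -1;             // fetch_add / fetch_sub
    else if (pc == 0 || pc == 2)
        s.reg[w] = s.count;                        // load half of ref() / deref()
    else
        s.count = s.reg[w] + (pc == 1 ? 1 : -1);   // store half, may use a stale value
    if (s.count == 0)
        s.freedEarly = true;                       // a real deref() would delete here
}

// Explores every interleaving of the two workers and returns how many of them
// drive the count to zero even though the owner never released its reference.
static int explore(State s, bool atomic)
{
    const int steps = atomic ? 2 : 4;
    if (s.pc[0] == steps && s.pc[1] == steps)
        return s.freedEarly ? 1 : 0;
    int bad = 0;
    for (int w = 0; w < 2; ++w) {
        if (s.pc[w] == steps)
            continue;
        State next = s;
        step(next, w, atomic);
        bad += explore(next, atomic);
    }
    return bad;
}

int earlyFreesWithPlainCount() { return explore(State {}, false); }
int earlyFreesWithAtomicCount() { return explore(State {}, true); }
```

In the plain-count model, one failing schedule is both workers loading 1 before either stores: one increment is lost, and the second deref() brings the count to 0 while the owner's pointer is still in use.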