Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: acee67e9af1df229a33b0667c765e32afb4d0d81
https://github.com/WebKit/WebKit/commit/acee67e9af1df229a33b0667c765e32afb4d0d81
Author: Vassili Bykov <[email protected]>
Date: 2026-06-16 (Tue, 16 Jun 2026)
Changed paths:
M Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp
M Source/JavaScriptCore/wasm/WasmStreamingCompiler.h
M Source/WebCore/bindings/js/JSDOMGlobalObject.cpp
Log Message:
-----------
Use-after-free of StreamingCompiler::m_ticket
https://bugs.webkit.org/show_bug.cgi?id=309590
rdar://172087002
Reviewed by Marcus Plutowski.
This patch fixes the possibility of a UAF when the Wasm streaming compiler is invoked in an iframe which is disposed of before compilation finishes.

The result of streaming compilation is expected by a lambda created when the compilation starts. The lambda captures a raw pointer to the globalObject and (transitively via the streaming compiler) a raw pointer to the TicketData associated with the compilation request. However, it's possible for the lambda to outlive those two objects. This happens in the context of an iframe if the iframe is removed before the compilation finishes. In that case the globalObject of the iframe is collected and the ticket is cancelled and destroyed. When compilation finishes, the lambda ends up dereferencing dangling pointers.

This patch makes the following changes:

StreamingCompiler now holds TicketData via a ThreadSafeWeakPtr<TicketData>. Every use site promotes that weak pointer to a RefPtr and checks for both null (ticket destroyed) and isCancelled (ticket present but cancelled). This promote-and-check sequence is factored into a private takeTicketIfActive() helper.

In JSDOMGlobalObject.cpp, the lambda does not capture the raw globalObject pointer. Instead, it fetches the globalObject from the ticket via the compiler, using the streaming compiler's new method globalObjectIfActive(). The method returns a nullptr if the ticket is no longer there or has been cancelled.
Testing: the failure scenario is not directly testable.
* Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp:
(JSC::Wasm::StreamingCompiler::StreamingCompiler):
(JSC::Wasm::StreamingCompiler::~StreamingCompiler):
(JSC::Wasm::StreamingCompiler::didComplete):
(JSC::Wasm::StreamingCompiler::fail):
(JSC::Wasm::StreamingCompiler::cancel):
(JSC::Wasm::StreamingCompiler::takeTicketIfActive):
(JSC::Wasm::StreamingCompiler::globalObjectIfActive):
* Source/JavaScriptCore/wasm/WasmStreamingCompiler.h:
* Source/WebCore/bindings/js/JSDOMGlobalObject.cpp:
(WebCore::handleResponseOnStreamingAction):
Originally-landed-as: 305413.457@safari-7624-branch (0e0b5050073d).
rdar://176062632
Canonical link: https://commits.webkit.org/315321@main
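An added illustration of the promote-and-check pattern the commit message describes, written for this page and not taken from WebKit: the types GlobalObject, TicketData and StreamingCompiler below are hypothetical stand-ins, std::weak_ptr and std::shared_ptr play the roles of ThreadSafeWeakPtr and RefPtr, and the three scenario functions replay the lifetime cases the message names (iframe still alive, ticket destroyed before completion, ticket cancelled but still present). The completion callback captures only the compiler and re-derives the global object when it runs, so the "iframe removed" case ends in a null check rather than a dangling dereference.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// Hypothetical stand-ins for the objects named in the commit message.
// std::shared_ptr / std::weak_ptr replace RefPtr / ThreadSafeWeakPtr here;
// none of this is WebKit's code.
struct GlobalObject {
    std::string name;
    explicit GlobalObject(std::string n) : name(std::move(n)) {}
};

struct TicketData {
    std::shared_ptr<GlobalObject> globalObject;
    bool cancelled = false;
    bool isCancelled() const { return cancelled; }
};

class StreamingCompiler {
public:
    // Only a weak reference to the ticket is retained, never a raw pointer.
    explicit StreamingCompiler(const std::shared_ptr<TicketData>& ticket)
        : m_ticket(ticket) {}

    // Promote the weak pointer and hand back a strong reference only while the
    // ticket still exists AND has not been cancelled. The strong reference keeps
    // the ticket alive for as long as the caller holds it.
    std::shared_ptr<TicketData> takeTicketIfActive() {
        std::shared_ptr<TicketData> ticket = m_ticket.lock();
        if (!ticket || ticket->isCancelled())
            return nullptr;
        return ticket;
    }

    // The completion lambda asks for the global object here, at run time,
    // instead of capturing it when compilation starts. (The real method returns
    // a raw pointer; this stand-in returns a strong reference so the object it
    // names cannot vanish under the caller.)
    std::shared_ptr<GlobalObject> globalObjectIfActive() {
        std::shared_ptr<TicketData> ticket = takeTicketIfActive();
        return ticket ? ticket->globalObject : nullptr;
    }

private:
    std::weak_ptr<TicketData> m_ticket;
};

// Builds the completion callback the way the fix describes: it captures the
// compiler and nothing else. It returns the name of the global object it acted
// on, or "" when it found the ticket gone or cancelled and bailed out.
std::function<std::string()> makeCompletion(StreamingCompiler& compiler) {
    return [&compiler]() -> std::string {
        std::shared_ptr<GlobalObject> globalObject = compiler.globalObjectIfActive();
        if (!globalObject)
            return "";  // iframe went away: touch nothing
        return globalObject->name;
    };
}

// Constructed sample ticket for the scenarios below.
static std::shared_ptr<TicketData> makeTicket() {
    auto ticket = std::make_shared<TicketData>();
    ticket->globalObject = std::make_shared<GlobalObject>("iframe-window");
    return ticket;
}

// Compilation finishes while the iframe is still alive: the callback proceeds.
std::string scenarioIframeAlive() {
    auto ticket = makeTicket();
    StreamingCompiler compiler(ticket);
    auto completion = makeCompletion(compiler);
    return completion();
}

// The iframe is removed first: the last owner drops the ticket, so the
// callback observes nullptr instead of a dangling pointer.
std::string scenarioIframeRemoved() {
    auto ticket = makeTicket();
    StreamingCompiler compiler(ticket);
    auto completion = makeCompletion(compiler);
    ticket.reset();  // ticket destroyed before compilation completes
    return completion();
}

// The ticket still exists but was cancelled: the callback also bails out.
std::string scenarioTicketCancelled() {
    auto ticket = makeTicket();
    StreamingCompiler compiler(ticket);
    auto completion = makeCompletion(compiler);
    ticket->cancelled = true;
    return completion();
}

int main() {
    std::printf("alive: '%s'\n", scenarioIframeAlive().c_str());
    std::printf("removed: '%s'\n", scenarioIframeRemoved().c_str());
    std::printf("cancelled: '%s'\n", scenarioTicketCancelled().c_str());
    return 0;
}
```

The design point is the one the commit message makes: the callback owns nothing at capture time, so whichever party tears the ticket down (GC of the iframe's global object, explicit cancellation) wins cleanly, and the late-running completion degrades to a no-op rather than a memory-safety bug.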