Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 2df31cea43529187744a9e188879a06208f77797
https://github.com/WebKit/WebKit/commit/2df31cea43529187744a9e188879a06208f77797
Author: Abrar Rahman Protyasha <[email protected]>
Date: 2026-03-19 (Thu, 19 Mar 2026)
Changed paths:
M Source/WebCore/Modules/applepay/paymentrequest/ApplePayPaymentHandler.cpp
Log Message:
-----------
Apple Pay payment method change can crash web content process due to missing
JS API lock during modifier lookup
https://bugs.webkit.org/show_bug.cgi?id=310266
rdar://171377627
Reviewed by Keith Miller.
When the user changes their payment method during an Apple Pay session,
ApplePayPaymentHandler::firstApplicableModifier() parses modifier JSON
and converts it to a dictionary. The JSLockHolder scope only covered the
JSONParse call but not the subsequent convertDictionary<ApplePayModifier>
call. Since convertDictionary walks JS object properties — potentially
allocating on the JSC heap — the heap allocator asserts that the API
lock is held and crashes.
To fix, we extend the JSLockHolder scope to cover both JSONParse and
convertDictionary. Additionally, we add a missing JSLockHolder in the
complete() scope, which also calls both JSONParse and convertDictionary
- currently without any JS API lock!
Tested in ENABLE_GC_VALIDATION config with existing Apple Pay test
http/tests/ssl/applepay/ApplePayPaymentDetailsModifier.https.html.
* Source/WebCore/Modules/applepay/paymentrequest/ApplePayPaymentHandler.cpp:
(WebCore::ApplePayPaymentHandler::firstApplicableModifier const):
(WebCore::ApplePayPaymentHandler::complete):
Canonical link: https://commits.webkit.org/309587@main
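The bug class the commit describes is easy to reproduce outside WebKit: an RAII lock holder whose scope ends after the first of two operations that both need the lock. The following is an added, self-contained C++ model written for this page; it is not WebKit code. `VM`, `JSLockHolder`, `jsonParse`, `convertDictionary` and `ApplePayModifier` are simplified stand-ins for the JSC and WebCore types named in the log, the "JSON" parser accepts only flat objects with string values, and where the real allocator asserts (and the process crashes under ENABLE_GC_VALIDATION) the model throws `HeapLockNotHeld` so the two scopings can be compared in a test. Lock ownership is tracked per thread but without a mutex, since the demonstration is single-threaded.

```cpp
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>
#include <thread>

// Stand-in for JSC::VM (assumption: only the lock-ownership bookkeeping is modelled).
struct VM {
    std::thread::id owner;
    int depth = 0;
    bool currentThreadHoldsLock() const {
        return depth > 0 && owner == std::this_thread::get_id();
    }
};

// Stand-in for JSC::JSLockHolder: takes the API lock in the constructor,
// releases it in the destructor, so the lock lives exactly as long as the scope.
class JSLockHolder {
public:
    explicit JSLockHolder(VM& vm) : m_vm(vm) {
        m_vm.owner = std::this_thread::get_id();
        ++m_vm.depth;
    }
    ~JSLockHolder() { --m_vm.depth; }
private:
    VM& m_vm;
};

// The real heap asserts the API lock is held; the model throws instead.
struct HeapLockNotHeld : std::logic_error { using std::logic_error::logic_error; };

static void heapAllocate(VM& vm) {
    if (!vm.currentThreadHoldsLock())
        throw HeapLockNotHeld("JSC heap allocation without the JS API lock");
}

using JSObject = std::map<std::string, std::string>;   // stand-in for a parsed JS object

// Stand-in for JSONParse: the result lives on the JS heap, so it allocates once.
// Accepts only {"key":"value", ...} with no escapes (assumption for the demo).
static JSObject jsonParse(VM& vm, const std::string& json) {
    heapAllocate(vm);
    JSObject object;
    size_t i = 0;
    auto skipWs = [&] { while (i < json.size() && std::isspace(static_cast<unsigned char>(json[i]))) ++i; };
    auto readString = [&]() -> std::string {
        skipWs();
        if (i >= json.size() || json[i] != '"') throw std::runtime_error("expected string");
        size_t end = json.find('"', ++i);
        if (end == std::string::npos) throw std::runtime_error("unterminated string");
        std::string s = json.substr(i, end - i);
        i = end + 1;
        return s;
    };
    skipWs();
    if (i >= json.size() || json[i++] != '{') throw std::runtime_error("expected '{'");
    skipWs();
    if (i < json.size() && json[i] == '}') return object;
    for (;;) {
        std::string key = readString();
        skipWs();
        if (i >= json.size() || json[i++] != ':') throw std::runtime_error("expected ':'");
        object[key] = readString();
        skipWs();
        if (i < json.size() && json[i] == ',') { ++i; continue; }
        if (i < json.size() && json[i] == '}') return object;
        throw std::runtime_error("expected ',' or '}'");
    }
}

struct ApplePayModifier { std::string paymentMethodType; };   // one field is enough for the model

// Stand-in for convertDictionary<ApplePayModifier>: walks the object's properties,
// and each property lookup may allocate on the heap (as the log describes).
static ApplePayModifier convertDictionary(VM& vm, const JSObject& object) {
    ApplePayModifier modifier;
    for (const auto& [key, value] : object) {
        heapAllocate(vm);
        if (key == "paymentMethodType") modifier.paymentMethodType = value;
    }
    return modifier;
}

// Before the fix: the holder's scope ends after the parse, so convertDictionary
// runs unlocked. Returns false when the heap check fires.
static bool lookupModifierNarrowScope(VM& vm, const std::string& json, ApplePayModifier& out) {
    JSObject object;
    {
        JSLockHolder lock(vm);
        object = jsonParse(vm, json);
    }
    try { out = convertDictionary(vm, object); } catch (const HeapLockNotHeld&) { return false; }
    return true;
}

// After the fix: one holder covers both calls for the whole function body.
static bool lookupModifierWideScope(VM& vm, const std::string& json, ApplePayModifier& out) {
    JSLockHolder lock(vm);
    try {
        JSObject object = jsonParse(vm, json);
        out = convertDictionary(vm, object);
    } catch (const HeapLockNotHeld&) { return false; }
    return true;
}
```

Note the edge that makes this kind of bug survive testing: with an empty object the narrow-scope version never touches the heap in `convertDictionary` and succeeds, so the missing lock only shows once a modifier with properties is parsed, and only in a build whose allocator validates the lock.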