Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 597af50a6484453da5c501a12f8145eb07f3fcf7
https://github.com/WebKit/WebKit/commit/597af50a6484453da5c501a12f8145eb07f3fcf7
Author: Chris Dumez <[email protected]>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
M Source/WebCore/Modules/streams/ReadableStreamBYOBReader.cpp
M Source/WebCore/Modules/streams/ReadableStreamBYOBReader.h
Log Message:
-----------
Potential use after free of m_stream in ReadableStreamBYOBReader::visitAdditionalChildren()
https://bugs.webkit.org/show_bug.cgi?id=309885
rdar://172460621
Reviewed by Ryosuke Niwa and Youenn Fablet.
ReadableStreamBYOBReader::visitAdditionalChildren() runs on the GC
thread but dereferences m_stream, which can get nulled out on the main
thread.
Address the issue via locking since we cannot easily ref the stream on
the GC thread.
* Source/WebCore/Modules/streams/ReadableStreamBYOBReader.cpp:
(WebCore::ReadableStreamBYOBReader::~ReadableStreamBYOBReader):
(WebCore::ReadableStreamBYOBReader::readForBindings):
(WebCore::ReadableStreamBYOBReader::releaseLock):
(WebCore::ReadableStreamBYOBReader::cancel):
(WebCore::ReadableStreamBYOBReader::initialize):
(WebCore::ReadableStreamBYOBReader::read):
(WebCore::ReadableStreamBYOBReader::genericRelease):
(WebCore::ReadableStreamBYOBReader::genericCancel):
(WebCore::ReadableStreamBYOBReader::isReachableFromOpaqueRoots const):
(WebCore::ReadableStreamBYOBReader::visitAdditionalChildren):
* Source/WebCore/Modules/streams/ReadableStreamBYOBReader.h:
Originally-landed-as: 305413.476@rapid/safari-7624.2.5.110-branch
(645b3e428ffb). rdar://176061793
Canonical link: https://commits.webkit.org/313947@main
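The race the commit message describes, as an added illustrative model (not WebKit code): a reader holds a stream pointer that the main thread nulls out in `releaseLock()`, while a GC-side `visitAdditionalChildren()` dereferences it, and one lock serializes both sides so the visitor either works on a live stream or sees null. `Stream`, `Reader`, `raceIsSafe` and `markCount` are assumed names for this model.

```cpp
// Model of the GC-thread vs. main-thread race (added example, not WebKit code).
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>

struct Stream { std::atomic<int> markCount { 0 }; };   // marks seen by the visitor

class Reader {
public:
    explicit Reader(std::unique_ptr<Stream> s) : m_stream(std::move(s)) {}

    // Main thread: detach the stream. Because the lock is held, a concurrent
    // visitor has either finished with the live stream or will observe null.
    std::unique_ptr<Stream> releaseLock() {
        std::lock_guard<std::mutex> guard(m_lock);
        return std::move(m_stream);                    // leaves m_stream null
    }

    // GC thread: dereference m_stream only while holding the same lock.
    // Returns true if the stream was still attached and got marked.
    bool visitAdditionalChildren() {
        std::lock_guard<std::mutex> guard(m_lock);
        if (!m_stream)
            return false;
        m_stream->markCount.fetch_add(1);             // safe: cannot be freed under the lock
        return true;
    }

private:
    std::mutex m_lock;                                 // guards m_stream on both threads
    std::unique_ptr<Stream> m_stream;
};

// Runs the visitor on a second thread while the main thread releases the
// stream. Returns true when every successful visit is matched by exactly one
// mark on the stream, i.e. no visit touched a detached or freed object.
bool raceIsSafe(int visits) {
    Reader reader(std::make_unique<Stream>());
    int successes = 0;
    std::thread gc([&] {
        for (int i = 0; i < visits; ++i)
            successes += reader.visitAdditionalChildren() ? 1 : 0;
    });
    auto stream = reader.releaseLock();                // main-thread side of the race
    gc.join();
    return stream->markCount.load() == successes;
}
```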