Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a814080321a1e3031e47b654288281324fd923f9
https://github.com/WebKit/WebKit/commit/a814080321a1e3031e47b654288281324fd923f9
Author: Chris Dumez <[email protected]>
Date: 2026-05-28 (Thu, 28 May 2026)
Changed paths:
M Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp
M Source/WebCore/xml/XMLHttpRequest.cpp
M Source/WebCore/xml/XMLHttpRequest.h
Log Message:
-----------
Potential use after free of m_responseDocument in XMLHttpRequest::visitAdditionalChildren()
https://bugs.webkit.org/show_bug.cgi?id=309947
rdar://172537101
Reviewed by Ryosuke Niwa.
Potential use after free of m_responseDocument in XMLHttpRequest::visitAdditionalChildren() due to multi-threading. visitAdditionalChildren() dereferences m_responseDocument on the GC thread while the main thread is running and may null out the RefPtr.
Address the issue via locking.
* Source/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp:
(WebCore::JSXMLHttpRequest::visitAdditionalChildren):
* Source/WebCore/xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::upload):
(WebCore::XMLHttpRequest::send):
(WebCore::XMLHttpRequest::sendBytesData):
(WebCore::XMLHttpRequest::createRequest):
(WebCore::XMLHttpRequest::clearResponseBuffers):
(WebCore::XMLHttpRequest::didSendData):
(WebCore::XMLHttpRequest::dispatchErrorEvents):
(WebCore::XMLHttpRequest::updateHasRelevantEventListener):
(WebCore::XMLHttpRequest::visitAdditionalChildren):
* Source/WebCore/xml/XMLHttpRequest.h:
Originally-landed-as: 305413.477@rapid/safari-7624.2.5.110-branch (0de76a6ef7c5). rdar://176062384
Canonical link: https://commits.webkit.org/314040@main
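As an added illustration of the locking approach the commit message describes (a constructed example, not WebKit's code): std::mutex and std::shared_ptr stand in for WebKit's Lock and RefPtr, and the class and method names are simplified models of the ones named above.

```cpp
#include <memory>
#include <mutex>

// Stand-in for a Document: the GC visitor "marks" it by bumping a counter.
struct Document {
    int markCount = 0;
};

// Simplified model of the race: the main thread owns the RefPtr-like member
// and may null it out, while the GC thread reads it in visitAdditionalChildren().
class XMLHttpRequestModel {
public:
    void setResponseDocument(std::shared_ptr<Document> doc) {
        std::lock_guard<std::mutex> locker(m_responseDocumentLock);
        m_responseDocument = std::move(doc);
    }

    // Main thread: models clearResponseBuffers() nulling the member.
    void clearResponseBuffers() {
        std::lock_guard<std::mutex> locker(m_responseDocumentLock);
        m_responseDocument = nullptr;
    }

    // GC thread: models visitAdditionalChildren(). Reading the member without
    // the lock would let the main thread drop the last reference between the
    // null check and the dereference. Copying the pointer under the lock takes
    // a strong reference, so the Document stays alive for the whole visit.
    // Returns whether a document was marked.
    bool visitAdditionalChildren() {
        std::shared_ptr<Document> doc;
        {
            std::lock_guard<std::mutex> locker(m_responseDocumentLock);
            doc = m_responseDocument;  // the copy holds its own strong reference
        }
        if (!doc)
            return false;
        doc->markCount++;
        return true;
    }

private:
    std::mutex m_responseDocumentLock;
    std::shared_ptr<Document> m_responseDocument;
};

// Exercises the lifecycle: visit with no document, visit with one, clear, visit
// again. Returns the document's mark count (1: marked once, never after clear).
int runLifecycle() {
    XMLHttpRequestModel xhr;
    auto doc = std::make_shared<Document>();
    bool markedEmpty = xhr.visitAdditionalChildren();  // false: nothing to mark
    xhr.setResponseDocument(doc);
    bool markedSet = xhr.visitAdditionalChildren();    // true
    xhr.clearResponseBuffers();
    bool markedCleared = xhr.visitAdditionalChildren(); // false: member is null
    if (markedEmpty || !markedSet || markedCleared)
        return -1;
    return doc->markCount;
}
```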