Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 686a6f29353693d1904ca05b8b9cc949de78e3db
https://github.com/WebKit/WebKit/commit/686a6f29353693d1904ca05b8b9cc949de78e3db
Author: Chris Dumez <[email protected]>
Date: 2025-12-17 (Wed, 17 Dec 2025)
Changed paths:
A LayoutTests/fast/loader/navigate-event-crash-expected.txt
A LayoutTests/fast/loader/navigate-event-crash.html
A LayoutTests/fast/loader/navigate-event-info-gc-expected.txt
A LayoutTests/fast/loader/navigate-event-info-gc.html
M Source/WebCore/bindings/js/JSNavigationCustom.cpp
M Source/WebCore/page/Navigation.cpp
M Source/WebCore/page/Navigation.h
Log Message:
-----------
Use after free in NavigateEvent()
https://bugs.webkit.org/show_bug.cgi?id=301560
rdar://163476354
Reviewed by Ryosuke Niwa.
NavigationAPIMethodTracker was storing a raw JSValue as data member, with
nothing keeping it alive. Use JSValueInWrappedObject instead and visit
it whenever the Navigation object gets visited.
* LayoutTests/fast/loader/navigate-event-crash-expected.txt: Added.
* LayoutTests/fast/loader/navigate-event-crash.html: Added.
* LayoutTests/fast/loader/navigate-event-info-gc-expected.txt: Added.
* LayoutTests/fast/loader/navigate-event-info-gc.html: Added.
* Source/WebCore/bindings/js/JSNavigationCustom.cpp:
(WebCore::JSNavigation::visitAdditionalChildren):
* Source/WebCore/page/Navigation.cpp:
(WebCore::Navigation::maybeSetUpcomingNonTraversalTracker):
(WebCore::Navigation::addUpcomingTraverseAPIMethodTracker):
(WebCore::Navigation::navigate):
(WebCore::Navigation::performTraversal):
(WebCore::Navigation::updateForNavigation):
(WebCore::Navigation::promoteUpcomingAPIMethodTracker):
(WebCore::Navigation::cleanupAPIMethodTracker):
(WebCore::Navigation::upcomingTraverseMethodTracker const):
(WebCore::Navigation::abortOngoingNavigation):
(WebCore::Navigation::innerDispatchNavigateEvent):
(WebCore::Navigation::visitAdditionalChildren):
* Source/WebCore/page/Navigation.h:
Canonical link: https://commits.webkit.org/304582@main
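The commit message above describes the bug class in one sentence: a JSValue kept as a plain data member is invisible to the garbage collector, so nothing marks it reachable and the JS object behind it can be swept while the owner still uses it. The following is an added illustration, not WebKit code and not from the author or the commit: a toy mark-sweep heap in C++ that models that situation. `Heap`, `Cell`, `NavigationLikeCell`, `RawTracker`, `VisitedSlot` and `TrackedTracker` are hypothetical stand-ins assumed for the example; `VisitedSlot` plays the role the message assigns to JSValueInWrappedObject, a slot the owning object reports from its visit hook. The sweep marks cells as freed instead of releasing storage so the dangling state can be observed rather than crash the demo.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Cell;
using Visitor = std::function<void(Cell*)>;

// A GC-managed cell. `freed` is set by the sweep instead of releasing
// storage, so a dangling use can be observed rather than crash the demo.
struct Cell {
    bool marked = false;
    bool freed = false;
    virtual ~Cell() = default;
    // Report the cells this cell keeps alive (analogue of a visitChildren hook).
    virtual void visitChildren(Visitor&) {}
};

// Minimal mark-sweep heap (hypothetical, for the example): only what is
// reachable from roots through visitChildren survives a collection.
class Heap {
public:
    template <typename T, typename... Args>
    T* allocate(Args&&... args) {
        auto cell = std::make_unique<T>(std::forward<Args>(args)...);
        T* raw = cell.get();
        cells_.push_back(std::move(cell));
        return raw;
    }
    void addRoot(Cell* cell) { roots_.push_back(cell); }
    void collect() {
        for (auto& cell : cells_)
            cell->marked = false;
        std::vector<Cell*> work;
        Visitor visit = [&work](Cell* cell) {
            if (cell && !cell->marked && !cell->freed) {
                cell->marked = true;
                work.push_back(cell);
            }
        };
        for (Cell* root : roots_)
            visit(root);
        while (!work.empty()) {
            Cell* cell = work.back();
            work.pop_back();
            cell->visitChildren(visit);
        }
        for (auto& cell : cells_)
            if (!cell->marked)
                cell->freed = true;
    }
private:
    std::vector<std::unique_ptr<Cell>> cells_;
    std::vector<Cell*> roots_;
};

// Stand-in for the JS value the tracker held.
struct JSObjectCell : Cell {};

// Modelled "before": a bare pointer data member that no visitor ever sees.
struct RawTracker {
    Cell* info = nullptr;
};

// Modelled "after": a slot whose owner is responsible for visiting it.
struct VisitedSlot {
    Cell* value = nullptr;
    void visit(Visitor& visitor) { visitor(value); }
};
struct TrackedTracker {
    VisitedSlot info;
};

// Hypothetical owner cell; both tracker shapes sit side by side only so the
// two outcomes can be compared in one place.
struct NavigationLikeCell : Cell {
    RawTracker rawTracker;
    TrackedTracker fixedTracker;
    void visitChildren(Visitor& visitor) override {
        // The fixed slot is reported to the collector; rawTracker.info is not.
        fixedTracker.info.visit(visitor);
    }
};

// The bug: a value held only through the raw member is swept while the
// owner still points at it. Returns true when that dangling state occurs.
bool rawMemberIsFreedAfterGC() {
    Heap heap;
    auto* nav = heap.allocate<NavigationLikeCell>();
    heap.addRoot(nav);
    auto* info = heap.allocate<JSObjectCell>();
    nav->rawTracker.info = info;
    heap.collect();
    return info->freed;
}

// The fix: the same value held through a visited slot survives collection.
bool visitedMemberSurvivesGC() {
    Heap heap;
    auto* nav = heap.allocate<NavigationLikeCell>();
    heap.addRoot(nav);
    auto* info = heap.allocate<JSObjectCell>();
    nav->fixedTracker.info.value = info;
    heap.collect();
    return !info->freed;
}
```

The check a reviewer applies to a real fix of this shape is the same one the model encodes: every GC-managed value a wrapped object stores must be reachable from that object's visit hook, so adding the member is only half the change; the other half is the corresponding line in the visit function.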