Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e8db86ea1203dcc4109eece64cfe0434d21cf13a
https://github.com/WebKit/WebKit/commit/e8db86ea1203dcc4109eece64cfe0434d21cf13a
Author: Ryosuke Niwa <[email protected]>
Date: 2026-05-24 (Sun, 24 May 2026)
Changed paths:
M Source/WebCore/bindings/js/JSXPathResultCustom.cpp
M Source/WebCore/xml/XPathResult.cpp
M Source/WebCore/xml/XPathResult.h
Log Message:
-----------
Race condition in JSXPathResult::visitAdditionalChildren during GC
https://bugs.webkit.org/show_bug.cgi?id=309776
<rdar://172263146>
Reviewed by Chris Dumez.
This PR fixes a race condition in JSXPathResult::visitAdditionalChildren
which results in a use-after-free. The issue is that this function
iterates over XPathNodeList's internal vector but XPathNodeList's member
functions such as XPathNodeList::firstNode could mutate the vector via
XPathNodeList::sort, letting a GC thread do a use-after-free.
Fixed the bug by guarding the access to m_nodeSet with a lock.
No new tests since there is no reliable reproduction.
* Source/WebCore/bindings/js/JSXPathResultCustom.cpp:
(WebCore::JSXPathResult::visitAdditionalChildren):
* Source/WebCore/xml/XPathResult.cpp:
(WebCore::XPathResult::XPathResult):
(WebCore::XPathResult::~XPathResult):
(WebCore::XPathResult::convertTo):
(WebCore::XPathResult::visitAdditionalChildren):
* Source/WebCore/xml/XPathResult.h:
Originally-landed-as: 305413.475@rapid/safari-7624.2.5.110-branch
(97ed68c66545). rdar://176062693
Canonical link: https://commits.webkit.org/313820@main
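The pattern the commit message describes (a GC-thread visitor walking a node list whose main-thread API may re-sort it, fixed by taking one lock on both sides) as an added, self-contained example. This is not WebKit code: the class names NodeList, setAscending, firstNode and visitAdditionalChildren are illustrative stand-ins for XPathNodeList and the functions named above, and the 64-node input is constructed for the stress check.

```cpp
#include <algorithm>
#include <memory>
#include <mutex>
#include <set>
#include <thread>
#include <vector>

// Illustrative stand-in for an XPath node: only its document order matters here.
struct Node {
    int documentOrder;
};

// Illustrative stand-in for XPathNodeList (assumed name, not WebKit's class).
// Every access to m_nodes, the mutating sort on the main thread as well as the
// read-only walk on the GC thread, takes m_lock, mirroring the fix described
// in the commit message.
class NodeList {
public:
    explicit NodeList(std::vector<Node*> nodes)
        : m_nodes(std::move(nodes)) { }

    // Main-thread API. Changing the requested order invalidates the sort, so the
    // next firstNode() re-sorts the vector in place.
    void setAscending(bool ascending)
    {
        std::lock_guard<std::mutex> guard(m_lock);
        if (m_ascending != ascending) {
            m_ascending = ascending;
            m_sorted = false;
        }
    }

    Node* firstNode()
    {
        std::lock_guard<std::mutex> guard(m_lock);
        sortIfNeededLocked();
        return m_nodes.empty() ? nullptr : m_nodes.front();
    }

    // GC-thread API. Holding the lock for the whole iteration keeps the sort
    // above from swapping entries while they are being marked; without it a
    // visit can see one pointer twice and miss another, so the missed node is
    // never marked and can be freed while still referenced.
    template<typename Visitor>
    void visitAdditionalChildren(Visitor&& visitor) const
    {
        std::lock_guard<std::mutex> guard(m_lock);
        for (Node* node : m_nodes)
            visitor(node);
    }

private:
    void sortIfNeededLocked()
    {
        if (m_sorted)
            return;
        bool ascending = m_ascending;
        std::sort(m_nodes.begin(), m_nodes.end(), [ascending](Node* a, Node* b) {
            return ascending ? a->documentOrder < b->documentOrder
                             : a->documentOrder > b->documentOrder;
        });
        m_sorted = true;
    }

    mutable std::mutex m_lock;
    std::vector<Node*> m_nodes;
    bool m_ascending = true;
    bool m_sorted = false;
};

// Stress the two sides against each other: a second thread flips the sort order
// and calls firstNode() (re-sorting each time) while this thread runs the
// GC-style visit. Returns true when every visit observed exactly the constructed
// node set, i.e. no duplicated and no missing entries.
bool stressVisitWhileSorting(int iterations)
{
    std::vector<std::unique_ptr<Node>> storage; // constructed sample nodes
    std::vector<Node*> raw;
    for (int i = 0; i < 64; ++i) {
        storage.push_back(std::make_unique<Node>(Node { i }));
        raw.push_back(storage.back().get());
    }
    std::set<Node*> expected(raw.begin(), raw.end());
    NodeList list(raw);

    std::thread mutator([&] {
        for (int i = 0; i < iterations; ++i) {
            list.setAscending(i % 2 == 0);
            list.firstNode();
        }
    });

    bool consistent = true;
    for (int i = 0; i < iterations && consistent; ++i) {
        std::set<Node*> seen;
        list.visitAdditionalChildren([&](Node* node) { seen.insert(node); });
        consistent = (seen == expected);
    }
    mutator.join();
    return consistent;
}

// The main-thread API still answers correctly once the visit is race-free.
int firstDocumentOrderAscending()
{
    Node a { 3 }, b { 1 }, c { 2 };
    NodeList list({ &a, &b, &c });
    list.setAscending(true);
    return list.firstNode()->documentOrder;
}
```

The check in stressVisitWhileSorting is the property a GC visitor needs: each pass must mark every node exactly once. Dropping the lock from visitAdditionalChildren while keeping the sort running concurrently is what lets a pass skip a node, and an unmarked node is exactly what gets collected out from under a live reference.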