Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f93d156f7e30f199d220c52df21483f0f03cf817
      
https://github.com/WebKit/WebKit/commit/f93d156f7e30f199d220c52df21483f0f03cf817
  Author: Chris Dumez <[email protected]>
  Date:   2026-06-08 (Mon, 08 Jun 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
WebPageProxy::flushPending{Mouse,Key}EventCallbacks can corrupt their iteration on re-entry
https://bugs.webkit.org/show_bug.cgi?id=316515

Reviewed by Abrar Rahman Protyasha and Tim Horton.

flushPendingMouseEventCallbacks() and flushPendingKeyEventCallbacks()
iterated their callback Vectors by reference and cleared them after the
loop. The callbacks run arbitrary client/UI code, which can re-enter
doAfterProcessingAllPendingMouseEvents() / ...KeyEvents() and append a
new callback to the same vector. If the append triggers a Vector
reallocation, the `auto&` reference in the for-loop is left dangling
and the next iteration is a use-after-free. Even without reallocation,
re-entrant appends were silently dropped by the post-loop clear().

Switch both functions to the std::exchange(vec, { }) pattern already
used by WebPageProxy::processContextMenuCallbacks(): snapshot the
vector into a local before iterating, so the member is empty for the
duration of the callbacks. Re-entrant appends now land on the empty
member and will be flushed on the next round, and the iteration is
over a stable local copy.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::flushPendingMouseEventCallbacks):
(WebKit::WebPageProxy::flushPendingKeyEventCallbacks):

Canonical link: https://commits.webkit.org/314779@main

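The following is an added example, not code from WebKit or from this commit: a small stand-alone model of the re-entrancy hazard the message describes and of the std::exchange(vec, { }) fix. PageProxyModel, flushUnsafe, flushSafe, fillToCapacity and runScenario are hypothetical names chosen for illustration; they are not WebPageProxy's API. The "before" path cannot reproduce the actual use-after-free without undefined behaviour, so it indexes and copies each callback out before invoking it and instead records the two observable symptoms: the buffer reallocation under the loop (the point at which the original's `auto&` reference dangles) and the re-entrant append that the post-loop clear() discards.

```cpp
// Added example (not WebKit's code). Models the re-entrant-append hazard in a
// callback vector and the std::exchange(vec, { }) snapshot pattern that fixes it.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

using Callback = std::function<void()>;

// Hypothetical stand-in for the relevant slice of WebPageProxy (assumption).
class PageProxyModel {
public:
    // Stand-in for doAfterProcessingAllPending{Mouse,Key}Events(): queue a callback.
    void doAfterProcessingAllPendingEvents(Callback cb) { m_pending.push_back(std::move(cb)); }

    // Pad with no-op callbacks until size() == capacity(), so the next
    // re-entrant push_back is guaranteed to reallocate the buffer.
    void fillToCapacity() {
        while (m_pending.size() < m_pending.capacity())
            m_pending.push_back([] { });
    }

    // "Before" shape: iterate the member, clear() afterwards. The original used
    // `for (auto& callback : m_pending)`; that reference dangles once a callback
    // appends and the vector reallocates. This model copies each callback out
    // before calling it so the model stays well-defined, and records the symptoms.
    void flushUnsafe() {
        size_t countAtEntry = m_pending.size();
        size_t capacityAtEntry = m_pending.capacity();
        for (size_t i = 0; i < countAtEntry; ++i) {
            Callback callback = m_pending[i];
            callback();
            if (m_pending.capacity() != capacityAtEntry) {
                ++reallocationsDuringFlush;     // original's `auto&` is dangling here
                capacityAtEntry = m_pending.capacity();
            }
        }
        droppedByClear += m_pending.size() - countAtEntry; // re-entrant appends vanish
        m_pending.clear();
    }

    // "After" shape, the pattern the commit adopts: move the vector into a local,
    // leaving the member empty for the duration of the callbacks, and iterate the
    // local. Re-entrant appends land on the empty member and run on the next flush.
    void flushSafe() {
        auto callbacks = std::exchange(m_pending, { });
        for (auto& callback : callbacks)
            callback();
    }

    size_t pendingCount() const { return m_pending.size(); }
    size_t reallocationsDuringFlush = 0;
    size_t droppedByClear = 0;

private:
    std::vector<Callback> m_pending;
};

struct Outcome {
    size_t ranAfterFirstFlush;      // callbacks executed by the first flush
    size_t pendingAfterFirstFlush;  // re-entrant appends still queued afterwards
    size_t ranAfterSecondFlush;     // total executed once a second flush has run
    size_t reallocations;           // reallocations observed mid-loop (unsafe path)
    size_t dropped;                 // appends discarded by clear() (unsafe path)
};

// Constructed scenario: the first queued callback re-enters and appends another,
// and the buffer is full so that append reallocates. No-op padding does not count.
Outcome runScenario(bool useSafeFlush) {
    PageProxyModel proxy;
    Outcome out { };
    proxy.doAfterProcessingAllPendingEvents([&] {
        ++out.ranAfterFirstFlush;
        proxy.doAfterProcessingAllPendingEvents([&] { ++out.ranAfterFirstFlush; });
    });
    proxy.fillToCapacity();
    if (useSafeFlush) proxy.flushSafe(); else proxy.flushUnsafe();
    out.pendingAfterFirstFlush = proxy.pendingCount();
    size_t ranBeforeSecond = out.ranAfterFirstFlush;
    if (useSafeFlush) proxy.flushSafe(); else proxy.flushUnsafe();
    out.ranAfterSecondFlush = out.ranAfterFirstFlush;   // counter kept growing
    out.ranAfterFirstFlush = ranBeforeSecond;
    out.reallocations = proxy.reallocationsDuringFlush;
    out.dropped = proxy.droppedByClear;
    return out;
}

int main() {
    Outcome before = runScenario(false), after = runScenario(true);
    std::printf("before: ran=%zu reallocations=%zu dropped=%zu\n",
                before.ranAfterSecondFlush, before.reallocations, before.dropped);
    std::printf("after:  ran=%zu pending-after-first-flush=%zu\n",
                after.ranAfterSecondFlush, after.pendingAfterFirstFlush);
    return 0;
}
```

In the "before" path the model sees exactly one reallocation under the loop and one callback silently dropped; in the "after" path nothing reallocates under the loop, the re-entrant append is still pending after the first flush, and the second flush runs it. The same snapshot-and-iterate shape applies to any callback list that client code can re-enter, including the processContextMenuCallbacks() case the message cites as precedent.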