Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 42ec79c1b6c50d5e0493fb3cda49d111ccc6d91d
https://github.com/WebKit/WebKit/commit/42ec79c1b6c50d5e0493fb3cda49d111ccc6d91d
Author: Youenn Fablet <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M Source/WebCore/Modules/streams/ReadableByteStreamController.cpp
M Source/WebCore/Modules/streams/ReadableStreamBYOBRequest.cpp
M Source/WebCore/Modules/streams/ReadableStreamBYOBRequest.h
Log Message:
-----------
Potential use after free of m_controller under ReadableStreamBYOBRequest::visitAdditionalChildren()
rdar://172462937
Reviewed by Chris Dumez.
m_controller can be nullified while being used in the GC thread.
We remove usage of m_controller in the GC thread.
Instead, the request will store its stream as a JSValueInWrappedObject, and we will
use this JSValueInWrappedObject in the GC thread.
We make sure to clear the JSValueInWrappedObject when the request gets
invalidated.
Originally-landed-as: 305413.480@rapid/safari-7624.2.5.110-branch
(5d62bc6b2841). rdar://176062477
Canonical link: https://commits.webkit.org/314990@main