Bug 249060 - Fix use-after-move in WebCore::SWClientConnection::postMessageToServiceWorkerClient()
Summary: Fix use-after-move in WebCore::SWClientConnection::postMessageToServiceWorker...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-12-09 18:22 PST by David Kilzer (:ddkilzer)
Modified: 2022-12-12 06:55 PST
CC: 2 users

Description David Kilzer (:ddkilzer) 2022-12-09 18:22:15 PST
Fix use-after-move in WebCore::SWClientConnection::postMessageToServiceWorkerClient() from Source/WebCore/workers/service/SWClientConnection.cpp.

The `message` variable is involved in a use-after-move when `wasDispatched` returns `false` in the method below.

```cpp
void SWClientConnection::postMessageToServiceWorkerClient(ScriptExecutionContextIdentifier destinationContextIdentifier, MessageWithMessagePorts&& message, ServiceWorkerData&& sourceData, String&& sourceOrigin)
{
    ASSERT(isMainThread());

    if (auto* destinationDocument = Document::allDocumentsMap().get(destinationContextIdentifier)) {
        postMessageToContainer(*destinationDocument, WTFMove(message), WTFMove(sourceData), WTFMove(sourceOrigin));
        return;
    }

    // The init-capture `message = WTFMove(message)` moves from `message` when the lambda is
    // constructed, i.e. before postTaskTo() reports whether it could dispatch the task.
    bool wasDispatched = ScriptExecutionContext::postTaskTo(destinationContextIdentifier, [message = WTFMove(message), sourceData = WTFMove(sourceData).isolatedCopy(), sourceOrigin = WTFMove(sourceOrigin).isolatedCopy()](auto& context) mutable {
        postMessageToContainer(context, WTFMove(message), WTFMove(sourceData), WTFMove(sourceOrigin));
    });
    if (wasDispatched)
        return;

    // Reached only when postTaskTo() returned false: `message` has already been moved from above,
    // so this second WTFMove(message) is the use-after-move.
    if (auto* sharedWorker = SharedWorkerThreadProxy::byIdentifier(destinationContextIdentifier)) {
        sharedWorker->thread().runLoop().postTask([message = WTFMove(message), sourceData = WTFMove(sourceData).isolatedCopy(), sourceOrigin = WTFMove(sourceOrigin).isolatedCopy()] (auto& context) mutable {
            postMessageToContainer(context, WTFMove(message), WTFMove(sourceData), WTFMove(sourceOrigin));
        });
    }
}
```
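A stand-alone illustration of the defect described above, added here and not taken from the report or from WebKit: `Message`, `postTaskTo`, `postBuggy`, `postFixed` and the inbox vectors are constructed stand-ins, and `postFixed` shows one possible repair (deciding the destination before moving into any capture), not necessarily the one the pull request landed.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for MessageWithMessagePorts; the move constructor empties
// the source so a moved-from object is observable in a test.
struct Message {
    std::string body;
    explicit Message(std::string b) : body(std::move(b)) {}
    Message(Message&& o) noexcept : body(std::move(o.body)) { o.body.clear(); }
};

static std::set<int> g_liveContexts;              // identifiers postTaskTo can reach
static std::vector<std::string> g_contextInbox;   // bodies delivered via postTaskTo
static std::vector<std::string> g_fallbackInbox;  // bodies delivered via the fallback path
static void registerContext(int id) { g_liveContexts.insert(id); }
static void deliverToContext(Message&& m) { g_contextInbox.push_back(std::move(m.body)); }
static void deliverToFallback(Message&& m) { g_fallbackInbox.push_back(std::move(m.body)); }

// Same shape as ScriptExecutionContext::postTaskTo: the caller has already built
// the lambda (and evaluated its init-captures) before this can return false.
template <typename Task>
static bool postTaskTo(int id, Task&& task) {
    if (!g_liveContexts.count(id)) return false;
    task();  // run synchronously for the demonstration
    return true;
}

// Shape of the reported bug: `message` is moved into the capture before the result
// of postTaskTo is known, so the fallback path moves from an already-empty object.
static std::string postBuggy(int id, Message&& message) {
    bool wasDispatched = postTaskTo(id, [message = std::move(message)]() mutable {
        deliverToContext(std::move(message));
    });
    if (wasDispatched)
        return g_contextInbox.back();
    deliverToFallback(std::move(message));  // use-after-move: body is already ""
    return g_fallbackInbox.back();
}

// One way to avoid it (an assumed repair, not the project's patch): pick the
// destination before moving `message` into any capture, so each path moves once.
static std::string postFixed(int id, Message&& message) {
    if (g_liveContexts.count(id)) {
        postTaskTo(id, [message = std::move(message)]() mutable { deliverToContext(std::move(message)); });
        return g_contextInbox.back();
    }
    deliverToFallback(std::move(message));
    return g_fallbackInbox.back();
}
```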
Comment 1 Radar WebKit Bug Importer 2022-12-09 18:22:47 PST
<rdar://problem/103202263>
Comment 2 youenn fablet 2022-12-12 01:24:08 PST
Pull request: https://github.com/WebKit/WebKit/pull/7473
Comment 3 EWS 2022-12-12 06:55:20 PST
Committed 257728@main (34ebbe87e188): <https://commits.webkit.org/257728@main>

Reviewed commits have been landed. Closing PR #7473 and removing active labels.