This CL fixes a use-after-free bug where we try to access an
`InjectedScript` object after it died. This can happen when we
transition into JS and back and the context group dies in the
meantime (e.g. because of a navigation). Normally we check for this but
we missed a call to `Promise#then`.

The access that triggers the UaF is when we try to stash away the
protocol callback function after returning from `Promise#then`.
The callback function is responsible for sending the protocol
response back to DevTools containing the result of the evaluation.

There are two objects with different lifetimes involved:
- InjectedScript: Owns the `EvaluationCallback`. We keep a
reference in case the context group dies. This allows us to
cancel any pending evaluate requests.
- ProtocolPromiseHandler: Has a reference to `EvaluationCallback`.
The handler itself is managed by the V8 GC via `v8::External`
and a weak `v8::Global`.

When the `ProtocolPromiseHandler` wants to use the callback to send
a response, it needs to take ownership first.

We could invert the ownership but it's preferable for evaluation
callbacks to die together with execution contexts and not when the
GC feels like it.

We fix the UaF by using an `InjectedScript::ContextScope` and reloading
the `InjectedScript` after we return from `Promise#then`. Then
we can take proper ownership of the callback and use it in case the
call failed.
R=jarin@chormium.org
Fixed: chromium:1366843
Change-Id: I3a68e8609a9681d7343c71f43cc6e67064f41530
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3925937
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83506}
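The pattern the commit describes (never reuse a pointer obtained before re-entering JS; reload it through a scope keyed by context id afterwards and bail out if the context group is gone) can be shown on a toy model. The following is an added example, not V8 code: `Registry`, `ContextScope`, `InjectedScript`, `EvaluationCallback`, `evaluateThen` and `scenario` are all hypothetical stand-ins with constructed data, and the "JS hook" simulates `Promise#then` tearing down the context group.

```cpp
// Added example (not V8's code): the "reload through a scope after
// re-entering JS" pattern the commit describes, on a toy context registry.
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for V8's EvaluationCallback: sends a response.
using EvaluationCallback = std::function<void(const std::string& response)>;

// Hypothetical stand-in for InjectedScript: owns the pending callback and
// dies together with its context group.
struct InjectedScript {
  std::unique_ptr<EvaluationCallback> pendingCallback;
};

// Hypothetical context registry; a dying context group erases its entry.
struct Registry {
  std::map<int, std::unique_ptr<InjectedScript>> scripts;
  InjectedScript* find(int contextId) {
    auto it = scripts.find(contextId);
    return it == scripts.end() ? nullptr : it->second.get();
  }
};

// Stand-in for InjectedScript::ContextScope: it stores only the context id
// and looks the object up again on every access, so it can never hand out a
// pointer to an InjectedScript that has already been destroyed.
struct ContextScope {
  Registry& registry;
  int contextId;
  InjectedScript* injectedScript() { return registry.find(contextId); }
};

// Simulates the transition into JS (Promise#then); arbitrary script may run
// and tear down the context group while we are away.
using JsHook = std::function<void(Registry&)>;

// The fixed control flow: after returning from JS, reload the InjectedScript
// through the scope instead of reusing a pointer obtained before the call.
// Returns a status string describing what happened.
std::string evaluateThen(Registry& registry, int contextId,
                         const JsHook& callIntoJs, const std::string& result) {
  ContextScope scope{registry, contextId};
  if (scope.injectedScript() == nullptr) return "no-context";

  callIntoJs(registry);  // the context group may die in here

  InjectedScript* script = scope.injectedScript();  // reload; do not cache
  if (script == nullptr) return "cancelled";  // owner died: callback is gone

  // Take ownership of the callback only now that the owner is known alive.
  std::unique_ptr<EvaluationCallback> callback =
      std::move(script->pendingCallback);
  if (!callback) return "already-taken";
  (*callback)(result);
  return "sent";
}

// Constructed scenario: one context (id 7) with a pending callback that
// records the response in `sink`. If `contextDies` is set, the simulated JS
// call navigates the page and the context group is destroyed.
std::pair<std::string, std::string> scenario(bool contextDies) {
  std::string sink;
  Registry registry;
  auto script = std::make_unique<InjectedScript>();
  script->pendingCallback = std::make_unique<EvaluationCallback>(
      [&sink](const std::string& response) { sink = response; });
  registry.scripts.emplace(7, std::move(script));

  JsHook hook = [contextDies](Registry& r) {
    if (contextDies) r.scripts.erase(7);  // InjectedScript and callback freed
  };
  std::string status = evaluateThen(registry, 7, hook, "42");
  return {status, sink};
}

int main() {
  auto alive = scenario(false);
  auto dead = scenario(true);
  std::printf("context alive: %s (response=%s)\n", alive.first.c_str(),
              alive.second.c_str());
  std::printf("context died:  %s (response=%s)\n", dead.first.c_str(),
              dead.second.c_str());
  return 0;
}
```

The point of the model is the second `scope.injectedScript()` call: with a cached pointer the "context died" run would dereference freed memory, whereas the re-lookup turns it into a clean `cancelled` result and the callback is never touched after its owner is gone.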