Merge pull request #2361 from lightpanda-io/worker_deinit_order

Fix potential use-after-free by clearing worker AFTER frame context
2026-06-11 01:25:53 -04:00 · 2026-05-05 07:34:42 +08:00
parent 9c669974e4 d1d85e9f5d
commit 91074ea834
1 changed files with 6 additions and 4 deletions
--- a/src/browser/Frame.zig
+++ b/src/browser/Frame.zig
@@ -356,10 +356,6 @@ pub fn deinit(self: *Frame) void {
        frame.deinit();
    }

-    for (self.workers.items) |worker| {
-        worker.deinit();
-    }
-
    if (comptime IS_DEBUG) {
        log.debug(.frame, "frame.deinit", .{ .url = self.url, .type = self._type });

@@ -411,6 +407,12 @@ pub fn deinit(self: *Frame) void {
    const browser = page.session.browser;
    browser.env.destroyContext(self.js);

+    // Must be after context is destroyed. A finalizer can reach into the *Worker
+    // (e.g. Worker.ReceiveMessageCallback) so the worker must still be valid.
+    for (self.workers.items) |worker| {
+        worker.deinit();
+    }
+
    self._script_manager.base.shutdown = true;

    // don't abort pending frames.