Add UAF regression test for Response body with transferred ArrayBuffer#6579
The previous commit fixed a use-after-free where constructing a Response from an ArrayBuffer, then transferring the buffer via structuredClone and triggering GC, caused the Response body read to access freed backing store memory. This adds a regression test that reproduces the original crash (heap-use-after-free READ of size 1024 under ASAN) and verifies the data remains intact after transfer + GC.
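The regression test sketched below is an added example, not the project's `response-uaf-test.js` or its `wd_test` harness. It reproduces the sequence the description gives: build a `Response` from an `ArrayBuffer`, detach that buffer by transferring it through `structuredClone`, try to force a GC cycle, then read the body and compare it byte-for-byte with a copy taken before the transfer. A runtime that had kept a bare pointer to the backing store would return garbage or crash at the final read; a conforming one (which copies the bytes when the body is extracted) returns the original data. It assumes a runtime with the `Response` and `structuredClone` globals (Node 18+ or a Workers-style runtime); the `gc()` hook is only available when the runtime exposes it (`--expose-gc` in Node), so the code falls back to allocation pressure otherwise.

```javascript
// Added regression-test sketch (not the project's own test file).
const SIZE = 1024; // matches the 1024-byte READ reported by ASAN in the PR

function makePayload(size) {
  // Constructed sample data: a recognizable byte pattern rather than zeros,
  // so a read of freed or zero-filled memory would not pass the comparison.
  const buf = new ArrayBuffer(size);
  const view = new Uint8Array(buf);
  for (let i = 0; i < size; i++) view[i] = (i * 7 + 3) & 0xff;
  return buf;
}

function tryForceGc() {
  // Assumption: gc() is exposed (Node --expose-gc or the runtime's flag).
  // Otherwise apply allocation pressure, which may or may not trigger a cycle.
  if (typeof globalThis.gc === 'function') {
    globalThis.gc();
    return true;
  }
  for (let i = 0; i < 200; i++) new Uint8Array(1 << 16);
  return false;
}

async function responseSurvivesTransfer(size = SIZE) {
  const original = makePayload(size);
  // Copy the expected bytes before the buffer is detached.
  const expected = new Uint8Array(original).slice();

  const resp = new Response(original);

  // Transfer the buffer: `original` becomes detached (byteLength 0). A
  // Response that merely borrowed the backing store would now be dangling.
  const moved = structuredClone(original, { transfer: [original] });
  const detached = original.byteLength === 0 && moved.byteLength === size;

  const gcForced = tryForceGc();

  // The read that crashed under ASAN before the fix.
  const got = new Uint8Array(await resp.arrayBuffer());
  const intact =
    got.length === expected.length && got.every((b, i) => b === expected[i]);

  return { detached, gcForced, intact, length: got.length };
}

// Stand-alone run: report the outcome and fail loudly if the body changed.
if (typeof require !== 'undefined' && require.main === module) {
  responseSurvivesTransfer().then((r) => {
    console.log(r);
    if (!r.intact) throw new Error('Response body no longer matches original data');
  });
}
```

The `detached` flag guards against a false pass: if the transfer did not actually detach the buffer, the test would not be exercising the bug at all. Under ASAN the interesting result is the absence of a heap-use-after-free report at the `arrayBuffer()` read, which the byte comparison cannot see on its own.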
I'm Bonk, and I've done a quick review of your PR.
This adds a regression test for a UAF when constructing a Response from an ArrayBuffer that is subsequently transferred and GC'd, plus an updated comment in http.c++ explaining the fix.
Issues (ranked by severity):
- Missing copyright header on the new test file `response-uaf-test.js`. Every other `.js` test file in this directory includes the standard Apache 2.0 header.
- Extra blank line in `BUILD.bazel` after the new `wd_test` entry (double blank line vs single blank line convention used by every other entry).
Review posted successfully on PR #6579. Here's a summary of my findings: Two issues found:
Both have concrete suggestion comments attached. The C++ comment update in
Merging this PR will improve performance by 39.29%