File RenderFrameHostImpl-use-after-free.patch of Package nodejs-electron
--- src/content/browser/renderer_host/render_frame_host_impl.cc.orig 2024-12-08 18:45:24.018025513 +0100
+++ src/content/browser/renderer_host/render_frame_host_impl.cc 2024-12-20 14:29:00.900380913 +0100
@@ -8,6 +8,7 @@
#include <deque>
#include <limits>
#include <memory>
+#include <new>
#include <optional>
#include <string_view>
#include <tuple>
@@ -2276,7 +2277,12 @@ RenderFrameHostImpl::~RenderFrameHostImp
// completes. Among other things, this ensures that any `SafeRef`s from
// `DocumentService` and `RenderFrameHostUserData` subclasses are still valid
// when their destructors run.
- document_associated_data_.reset();
+ // HACK: Using .reset() here works on MSVC and LLVM libc++ because the std::optional
+ // is still valid while the destructor runs. This does not work on GNU libstdc++
+ // however which invalidates the optional before calling the destructor, causing a crash.
+ // Upstream bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1415154
+ document_associated_data_->~DocumentAssociatedData();
+ new(&document_associated_data_) std::optional<DocumentAssociatedData>(std::nullopt);
// If this was the last active frame in the SiteInstanceGroup, the
// DecrementActiveFrameCount call will trigger the deletion of the
@@ -14482,7 +14488,9 @@ bool RenderFrameHostImpl::DidCommitNavig
// RenderFrameHost commits before the navigation commits. This happens
// when the current RenderFrameHost crashes before navigating to a new
// URL.
- document_associated_data_.emplace(*this,
+ // bsc#1227307 — same root cause as above
+ document_associated_data_->~DocumentAssociatedData();
+ new(&document_associated_data_) std::optional<DocumentAssociatedData>(std::in_place, *this,
navigation_request->GetDocumentToken());
} else {
// Cross-RenderFrameHost navigations that commit into a speculative