File RenderFrameHostImpl-use-after-free.patch of Package nodejs-electron
--- src/content/browser/renderer_host/render_frame_host_impl.cc.orig 2023-02-08 21:38:09.974003318 +0100
+++ src/content/browser/renderer_host/render_frame_host_impl.cc 2023-02-13 14:13:50.217792624 +0100
@@ -8,6 +8,7 @@
#include <deque>
#include <limits>
#include <memory>
+#include <new>
#include <optional>
#include <tuple>
#include <unordered_map>
@@ -1818,7 +1819,12 @@ RenderFrameHostImpl::~RenderFrameHostImp
// `DocumentService` and `RenderFrameHostUserData` subclasses are still valid
// when their destructors run.
document_associated_data_->RemoveAllServices();
- document_associated_data_.reset();
+ // HACK: Using .reset() here works on MSVC and LLVM libc++ because the std::optional
+ // is still valid while the destructor runs. This does not work on GNU libstdc++
+ // however which invalidates the optional before calling the destructor, causing a crash.
+ // Upstream bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1415154
+ document_associated_data_->~DocumentAssociatedData();
+ new(&document_associated_data_) std::optional<DocumentAssociatedData>(std::nullopt);
// If this was the last active frame in the SiteInstanceGroup, the
// DecrementActiveFrameCount call will trigger the deletion of the
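Review bot: The placement-new on the line after the explicit `~DocumentAssociatedData()` call reuses the storage of a still-engaged `std::optional` without running the optional's own destructor, and the comment should say why that is deliberate: the contained object has already been destroyed by hand, so letting the old optional's destructor run would destroy it a second time, while the freshly constructed `std::nullopt` optional is what the member's destructor will later see. I would extend the HACK comment with something like `// The optional is reconstructed in place (its old destructor is intentionally skipped) because the payload above was already destroyed explicitly; the member destructor then runs on the empty replacement.` As far as the hunk shows, the ordering matters: the optional stays engaged for the whole of the payload destructor, which is what avoids the libstdc++ disengage-before-destroy behaviour the comment describes, so a later change that moves the placement-new before the destructor call would reintroduce the use-after-free. The same pattern is repeated in the DidCommitNavigation hunk; a small private helper that performs the destroy-then-reconstruct sequence would keep the two sites from drifting apart. `~RenderFrameHostImpl` starts and ends outside the hunk.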
@@ -13254,7 +13260,9 @@ bool RenderFrameHostImpl::DidCommitNavig
// RenderFrameHost commits before the navigation commits. This happens
// when the current RenderFrameHost crashes before navigating to a new
// URL.
- document_associated_data_.emplace(*this,
+ // bsc#1227307 — same root cause as above
+ document_associated_data_->~DocumentAssociatedData();
+ new(&document_associated_data_) std::optional<DocumentAssociatedData>(std::in_place, *this,
navigation_request->GetDocumentToken());
} else {
// Cross-RenderFrameHost navigations that commit into a speculative
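Review bot: The explicit `document_associated_data_->~DocumentAssociatedData();` call requires the optional to be engaged, whereas the `emplace()` it replaces was well defined on an empty optional too; if any path reaches this branch before the member has been populated, `->` on a disengaged `std::optional` is undefined behaviour. Whether that can happen is not visible from the hunk, so if the member is not guaranteed engaged here the destructor call should be guarded: `if (document_associated_data_) document_associated_data_->~DocumentAssociatedData();` (the following placement-new with `std::in_place` already handles both cases). A short comment stating the engaged-precondition at this point would also make the dependency explicit for the next reader. `DidCommitNavigation` begins and ends outside the hunk.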