From 969891c71cecb3728dfa48eda05d8eff4ffd8712 Mon Sep 17 00:00:00 2001
From: Pierre Tachoire
Date: Fri, 23 Jan 2026 20:07:49 +0100
Subject: [PATCH] fix use after free during inspector contextCollected

This commit fix the use after free crash into inspector contextCollected run in the pumpMessageLoop. Removing a context linked to an inspector triggers a contextCollected task in the message queue. But if the contextCollected task run after the GC it try to use free memory. Forcing the message loop to run before the GC fix the issue.
---
 src/browser/Page.zig | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/browser/Page.zig b/src/browser/Page.zig
index b5bc29af..f3396101 100644
--- a/src/browser/Page.zig
+++ b/src/browser/Page.zig
@@ -225,12 +225,24 @@ pub fn deinit(self: *Page) void {
 fn reset(self: *Page, comptime initializing: bool) !void {
 if (comptime initializing == false) {
+ // Removins the context triggers the linked inspector.
+ // It seems to append a collect task to the message loop.
 self._session.executor.removeContext();
+
+ // We force running the message loop after removing the context b/c we
+ // will force a GC run just after. If we remove this part, the task
+ // will run after the GC and we will use memory after free.
+ self._session.browser.runMessageLoop();
+
+ // We force a garbage collection with lowMemoryNotification between
+ // page navigations to keep v8 memory usage as low as possible.
+ // Calling immediately after a runMessageLoop ensure
+ self._session.browser.env.lowMemoryNotification();
+
 self._script_manager.shutdown = true;
 self._session.browser.http_client.abort();
 self._script_manager.deinit();
 _ = self._session.browser.page_arena.reset(.{ .retain_with_limit = 1 * 1024 * 1024 });
- self._session.browser.env.lowMemoryNotification();
 }
 self._factory = Factory.init(self);
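Review bot: The third added comment block ends mid-sentence at `// Calling immediately after a runMessageLoop ensure`, so the one fact this fix depends on — why the forced GC must directly follow the pump — is never stated; finish it, e.g. `// Calling immediately after runMessageLoop ensures the contextCollected task has already run and cannot touch freed memory.`, and fix the typo in the first block to `// Removing the context triggers the linked inspector.`. Moving `lowMemoryNotification()` ahead of `_script_manager.deinit()` and the `page_arena.reset` also changes what is still live when the GC runs; if that reordering is deliberate rather than a side effect of grouping it with the pump, a sentence saying so would keep a future tidy-up from moving it back and reintroducing the use-after-free. Whether one `runMessageLoop()` call drains every queued task or only pumps once is not visible here; if it is the latter, the ordering guarantee the comment promises is weaker than stated and worth confirming against the executor. The body of reset continues past the end of the hunk.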