fix use-after-free in BridgeJS (#690)

diederich · web-flow · commit 0c4c45a78184 · 2026-03-04T12:34:30.000Z
fix use-after-free
diff --git a/Sources/JavaScriptKit/BridgeJSIntrinsics.swift b/Sources/JavaScriptKit/BridgeJSIntrinsics.swift
@@ -420,7 +420,12 @@ extension JSObject: _BridgedSwiftStackType {
     }
 
     @_spi(BridgeJS) public consuming func bridgeJSLowerReturn() -> Int32 {
-        return _swift_js_retain(Int32(bitPattern: self.id))
+        // withExtendedLifetime is required here to prevent a use-after-free.
+        // In a `consuming func`, Swift ARC may release `self` (and thus release
+        // the underlying JS reference) as soon as it extracts `self.id`, which
+        // happens *before* `_swift_js_retain` is called. `withExtendedLifetime` forces
+        // `self` to stay alive until after `_swift_js_retain` returns.
+        return withExtendedLifetime(self) { _swift_js_retain(Int32(bitPattern: self.id)) }
     }
 
     @_spi(BridgeJS) public consuming func bridgeJSStackPush() {

Original file line number	Diff line number	Diff line change
`@@ -420,7 +420,12 @@ extension JSObject: _BridgedSwiftStackType {`
`420`	`420`	`}`
`421`	`421`
`422`	`422`	`@_spi(BridgeJS) public consuming func bridgeJSLowerReturn() -> Int32 {`
`423`		`- return _swift_js_retain(Int32(bitPattern: self.id))`
	`423`	`+ // withExtendedLifetime is required here to prevent a use-after-free.`
	`424`	+ // In a `consuming func`, Swift ARC may release `self` (and thus release
	`425`	+ // the underlying JS reference) as soon as it extracts `self.id`, which
	`426`	+ // happens before `_swift_js_retain` is called. `withExtendedLifetime` forces
	`427`	+ // `self` to stay alive until after `_swift_js_retain` returns.
	`428`	`+ return withExtendedLifetime(self) { _swift_js_retain(Int32(bitPattern: self.id)) }`
`424`	`429`	`}`
`425`	`430`
`426`	`431`	`@_spi(BridgeJS) public consuming func bridgeJSStackPush() {`