fix use-after-free

diederich · diederich · commit b010ac8506ae · 2026-02-23T10:34:19.000+01:00
diff --git a/Sources/JavaScriptKit/BridgeJSIntrinsics.swift b/Sources/JavaScriptKit/BridgeJSIntrinsics.swift
@@ -384,7 +384,12 @@ extension JSObject: _BridgedSwiftStackType {
     }
 
     @_spi(BridgeJS) public consuming func bridgeJSLowerReturn() -> Int32 {
-        return _swift_js_retain(Int32(bitPattern: self.id))
+        // withExtendedLifetime is required here to prevent a use-after-free.
+        // In a `consuming func`, Swift ARC may release `self` (and thus release
+        // the underlying JS reference) as soon as it extracts `self.id`, which
+        // happens *before* `_swift_js_retain` is called. `withExtendedLifetime` forces
+        // `self` to stay alive until after `_swift_js_retain` returns.
+        return withExtendedLifetime(self) { _swift_js_retain(Int32(bitPattern: self.id)) }
     }
 
     @_spi(BridgeJS) public consuming func bridgeJSStackPush() {

Original file line number	Diff line number	Diff line change
`@@ -384,7 +384,12 @@ extension JSObject: _BridgedSwiftStackType {`
`384`	`384`	`}`
`385`	`385`
`386`	`386`	`@_spi(BridgeJS) public consuming func bridgeJSLowerReturn() -> Int32 {`
`387`		`- return _swift_js_retain(Int32(bitPattern: self.id))`
	`387`	`+ // withExtendedLifetime is required here to prevent a use-after-free.`
	`388`	+ // In a `consuming func`, Swift ARC may release `self` (and thus release
	`389`	+ // the underlying JS reference) as soon as it extracts `self.id`, which
	`390`	+ // happens before `_swift_js_retain` is called. `withExtendedLifetime` forces
	`391`	+ // `self` to stay alive until after `_swift_js_retain` returns.
	`392`	`+ return withExtendedLifetime(self) { _swift_js_retain(Int32(bitPattern: self.id)) }`
`388`	`393`	`}`
`389`	`394`
`390`	`395`	`@_spi(BridgeJS) public consuming func bridgeJSStackPush() {`