From 0f81f021ce143ead7e42c531757be7400ad59b52 Mon Sep 17 00:00:00 2001
From: Andrew Kaster
Date: Thu, 29 May 2025 16:39:43 -0600
Subject: [PATCH] LibWeb: Clean up main thread promise when exiting RenderingThreads

Not cleaning these up by rejecting or resolving the promise causes the main thread to try to reject them at EventLoop::exit() time. If the RenderThread has already been destroyed by then, we get into use-after-free territory and segfault.
---
 Libraries/LibWeb/HTML/RenderingThread.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Libraries/LibWeb/HTML/RenderingThread.cpp b/Libraries/LibWeb/HTML/RenderingThread.cpp
index 71c3d64c2c9..f65cbd5ae3e 100644
--- a/Libraries/LibWeb/HTML/RenderingThread.cpp
+++ b/Libraries/LibWeb/HTML/RenderingThread.cpp
@@ -26,8 +26,8 @@ RenderingThread::RenderingThread()
 RenderingThread::~RenderingThread()
 {
- m_exit = true;
- m_rendering_task_ready_wake_condition.signal();
+ // Note: Promise rejection is expected to signal the thread to exit.
+ m_main_thread_exit_promise->reject(Error::from_errno(ECANCELED));
 (void)m_thread->join();
 }
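Review bot: The destructor now depends entirely on a rejection handler installed outside this hunk to set `m_exit` and signal `m_rendering_task_ready_wake_condition`. If that handler is ever removed or changed, or if rejecting an already-settled promise does not run it, the `(void)m_thread->join();` on the next line would block forever, trading the use-after-free for a hang at teardown. The comment says only "is expected to", so it should name the dependency, for example `// Rejecting runs the handler installed in <where the handler is set up>, which sets m_exit and wakes the rendering thread.` Alternatively, keep `m_exit = true;` and the `signal()` call ahead of the `reject()` so that shutdown does not rely on callback wiring. It is also worth confirming that no other path can resolve or reject `m_main_thread_exit_promise` before the destructor runs.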