[backport] CVE-2025-5068 (1/2)

Ensure ParentObjectDestroyed() is in the same sequence of initialization

To understand if crbug.com/409059706#comment19 is true, let me add a
sequence checker to ensure DedicatedWorker::Dispose() is executed with
the same sequence with the worker thread initialization.

Bug: 409059706
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6456965
Change-Id: If4deff0e510bb050efef1b5901e7545bbc59fcc6
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/650559
Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>

Author: yoshisatoyanagisawa

chromium/third_party/blink/renderer/core/workers/threaded_messaging_proxy_base.cc

@@ -66,6 +66,7 @@ void ThreadedMessagingProxyBase::InitializeWorkerThread(
     const std::optional<const blink::DedicatedWorkerToken>& token,
     std::unique_ptr<WorkerDevToolsParams> client_provided_devtools_params) {
   DCHECK(IsParentContextThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   KURL script_url = global_scope_creation_params->script_url;
 
@@ -111,6 +112,7 @@ void ThreadedMessagingProxyBase::ReportConsoleMessage(
     const String& message,
     std::unique_ptr<SourceLocation> location) {
   DCHECK(IsParentContextThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (asked_to_terminate_)
     return;
   execution_context_->AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
@@ -119,6 +121,7 @@ void ThreadedMessagingProxyBase::ReportConsoleMessage(
 
 void ThreadedMessagingProxyBase::ParentObjectDestroyed() {
   DCHECK(IsParentContextThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (worker_thread_) {
     // Request to terminate the global scope. This will eventually call
     // WorkerThreadTerminated().
@@ -130,6 +133,7 @@ void ThreadedMessagingProxyBase::ParentObjectDestroyed() {
 
 void ThreadedMessagingProxyBase::WorkerThreadTerminated() {
   DCHECK(IsParentContextThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   // This method is always the last to be performed, so the proxy is not
   // needed for communication in either side any more. However, the parent
@@ -160,6 +164,7 @@ void ThreadedMessagingProxyBase::WorkerThreadTerminated() {
 
 void ThreadedMessagingProxyBase::TerminateGlobalScope() {
   DCHECK(IsParentContextThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   if (asked_to_terminate_)
     return;
@@ -197,6 +202,7 @@ ThreadedMessagingProxyBase::GetParentAgentGroupTaskRunner() const {
 
 WorkerThread* ThreadedMessagingProxyBase::GetWorkerThread() const {
   DCHECK(IsParentContextThread());
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   return worker_thread_.get();
 }
 

chromium/third_party/blink/renderer/core/workers/threaded_messaging_proxy_base.h

@@ -7,6 +7,7 @@
 
 #include <optional>
 
+#include "base/sequence_checker.h"
 #include "third_party/blink/public/common/tokens/tokens.h"
 #include "third_party/blink/public/mojom/devtools/console_message.mojom-blink-forward.h"
 #include "third_party/blink/renderer/core/core_export.h"
@@ -118,6 +119,7 @@ class CORE_EXPORT ThreadedMessagingProxyBase
       parent_execution_context_task_runners_;
   scoped_refptr<base::SingleThreadTaskRunner> parent_agent_group_task_runner_;
 
+  SEQUENCE_CHECKER(sequence_checker_);
   std::unique_ptr<WorkerThread> worker_thread_;
 
   bool asked_to_terminate_ = false;