author    Adam Rice <ricea@chromium.org>    2021-01-28 11:14:43 +0000
committer Michael Brüning <michael.bruning@qt.io>    2021-04-06 08:56:06 +0000
commit    b52696bdea60ac2b536b5c7192232f560f8ce191 (patch)
tree      2bdb771e43b6012009144ee28cfb24b9dedd86c5
parent    ba310eea830a7286fecf70f6daf4ac25c56c17d4 (diff)
download  qtwebengine-chromium-b52696bdea60ac2b536b5c7192232f560f8ce191.tar.gz
[Backport] CVE-2021-21157: Use after free in Web Sockets
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2655089:

WebSocket: Don't clear event queue on destruction

It's unnecessary to clear the event queue as it will be garbage collected
anyway. Stop doing it.

Also add a unit test for GC with pending events. This can only happen if
the execution context changes while the events are pending.

BUG=1170657
Change-Id: I01e5a687587f7471e88640c43f0dfe83e5c01bd1
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Adam Rice <ricea@chromium.org>
Cr-Commit-Position: refs/heads/master@{#848065}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--  chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc | 4
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc b/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc
index 7c97e3bc815..28c6c4d179e 100644
--- a/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc
+++ b/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc
@@ -75,8 +75,8 @@ DOMWebSocket::EventQueue::EventQueue(EventTarget* target)
this,
&EventQueue::ResumeTimerFired) {}
-DOMWebSocket::EventQueue::~EventQueue() {
- ContextDestroyed();
+DOMWebSocket::EventQueue::~EventQueue() {
+ resume_timer_.Stop();
}
void DOMWebSocket::EventQueue::Dispatch(Event* event) {
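Review bot: the commit message says this change also adds a unit test for GC with pending events, but the diffstat shows only dom_websocket.cc touched (2 insertions, 2 deletions), so the test was not carried over in this backport; either cherry-pick the test as well or state its omission in the backport message. In the hunk itself the destructor now does only `resume_timer_.Stop();`, and the rationale for dropping `ContextDestroyed();` lives only in the commit message, so a one-line comment on the destructor saying that pending events are intentionally left for the garbage collector would keep a future reader from reinstating the call that caused the use-after-free.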