Bug 223793

Summary: Nullptr crash in RTCRtpSFrameTransform::createStreams
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: WebRTCAssignee: Rob Buis <rbuis>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, cgarcia, darin, ews-feeder, fred.wang, ggaren, gpoo, product-security, rbuis, svillar, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description Ryosuke Niwa 2021-03-26 03:45:49 PDT 
<script>
  onload = () => {
    let writer = new SFrameTransform().writable.getWriter();
    new AudioContext().audioWorklet.addModule('a').catch(() => {
      writer.write();
    });
  };
</script>

results in the following crash under ASAN:

==28057==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x0006404c3a11 bp 0x7ffeec079390 sp 0x7ffeec079390 T0)

    #0 0x6404c3a11 in JSC::JSGlobalObject::vm() const+0x21 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe9a11)
    #1 0x642ca44bf in WebCore::ExceptionOr<void> WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1::operator()<WebCore::ScriptExecutionContext, JSC::JSValue>(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x10f (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca4bf)
    #2 0x642ca4243 in WTF::Detail::CallableWrapper<WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1, WebCore::ExceptionOr<void>, WebCore::ScriptExecutionContext&, JSC::JSValue>::call(WebCore::ScriptExecutionContext&, JSC::JSValue)+0x113 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca243)
    #3 0x642c913c8 in WTF::Function<WebCore::ExceptionOr<void> (WebCore::ScriptExecutionContext&, JSC::JSValue)>::operator()(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x148 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28b73c8)

<rdar://74859450>
Comment 1 Ryosuke Niwa 2021-03-26 03:46:57 PDT 
I can reproduce this crash with ASAN build of WebKitTestRunner at r274459 and r274986 but not with DumpRenderTree.
Comment 2 Darin Adler 2021-03-26 10:24:08 PDT 
Seems like this might be the incorrect line of code in RTCRtpSFrameTransform::createStreams:

        auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(context.globalObject());

What guarantees globalObject can’t be null?
Comment 3 Ryosuke Niwa 2021-03-27 04:03:15 PDT 
Yeah, I think this is yet another example of code where after navigating away from a document, we'd end up executing a promise for the previous page. At that point, document is no longer associated with a frame so ScriptExecutionContext::globalObject() will return nullptr.

It is very odd that we're running a script in a document that had already been navigated away though (WebContent crashes after navigating to about:blank where we try to run the write.write() in the lambda.
Comment 4 Rob Buis 2021-04-26 11:36:44 PDT 
Created attachment 427068 [details]
Patch
Comment 5 youenn fablet 2021-04-26 13:37:09 PDT 
Comment on attachment 427068 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review

> LayoutTests/ChangeLog:8
> +        Add test for this.

Not needed
Comment 6 Rob Buis 2021-04-26 13:55:01 PDT 
Comment on attachment 427068 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review

>> LayoutTests/ChangeLog:8
>> +        Add test for this.
> 
> Not needed

The test or the text?
Comment 7 youenn fablet 2021-04-26 13:57:49 PDT 
The text, test is good :)
Comment 8 Rob Buis 2021-04-26 23:13:19 PDT 
Created attachment 427122 [details]
Patch
Comment 9 EWS 2021-04-27 00:42:56 PDT 
Committed r276631 (237059@main): <https://commits.webkit.org/237059@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427122 [details].