Bug 223793

Summary: Nullptr crash in RTCRtpSFrameTransform::createStreams
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: WebRTCAssignee: Rob Buis <rbuis>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, cgarcia, darin, ews-feeder, fred.wang, ggaren, gpoo, product-security, rbuis, svillar, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Ryosuke Niwa
Reported 2021-03-26 03:45:49 PDT
<script> onload = () => { let writer = new SFrameTransform().writable.getWriter(); new AudioContext().audioWorklet.addModule('a').catch(() => { writer.write(); }); }; </script> results in the following crash under ASAN: ==28057==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x0006404c3a11 bp 0x7ffeec079390 sp 0x7ffeec079390 T0) #0 0x6404c3a11 in JSC::JSGlobalObject::vm() const+0x21 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe9a11) #1 0x642ca44bf in WebCore::ExceptionOr<void> WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1::operator()<WebCore::ScriptExecutionContext, JSC::JSValue>(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x10f (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca4bf) #2 0x642ca4243 in WTF::Detail::CallableWrapper<WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1, WebCore::ExceptionOr<void>, WebCore::ScriptExecutionContext&, JSC::JSValue>::call(WebCore::ScriptExecutionContext&, JSC::JSValue)+0x113 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca243) #3 0x642c913c8 in WTF::Function<WebCore::ExceptionOr<void> (WebCore::ScriptExecutionContext&, JSC::JSValue)>::operator()(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x148 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28b73c8) <rdar://74859450>
Attachments
Patch (3.38 KB, patch)
2021-04-26 11:36 PDT, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (3.35 KB, patch)
2021-04-26 23:13 PDT, Rob Buis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2021-03-26 03:46:57 PDT
I can reproduce this crash with ASAN build of WebKitTestRunner at r274459 and r274986 but not with DumpRenderTree.
Darin Adler
Comment 2 2021-03-26 10:24:08 PDT
Seems like this might be the incorrect line of code in RTCRtpSFrameTransform::createStreams: auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(context.globalObject()); What guarantees globalObject can’t be null?
Ryosuke Niwa
Comment 3 2021-03-27 04:03:15 PDT
Yeah, I think this is yet another example of code where after navigating away from a document, we'd end up executing a promise for the previous page. At that point, document is no longer associated with a frame so ScriptExecutionContext::globalObject() will return nullptr. It is very odd that we're running a script in a document that had already been navigated away though (WebContent crashes after navigating to about:blank where we try to run the write.write() in the lambda.
Rob Buis
Comment 4 2021-04-26 11:36:44 PDT
Created attachment 427068 [details] Patch
youenn fablet
Comment 5 2021-04-26 13:37:09 PDT
Comment on attachment 427068 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review > LayoutTests/ChangeLog:8 > + Add test for this. Not needed
Rob Buis
Comment 6 2021-04-26 13:55:01 PDT
Comment on attachment 427068 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review >> LayoutTests/ChangeLog:8 >> + Add test for this. > > Not needed The test or the text?
youenn fablet
Comment 7 2021-04-26 13:57:49 PDT
The text, test is good :)
Rob Buis
Comment 8 2021-04-26 23:13:19 PDT
Created attachment 427122 [details] Patch
EWS
Comment 9 2021-04-27 00:42:56 PDT
Committed r276631 (237059@main): <https://commits.webkit.org/237059@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 427122 [details].
Note You need to log in before you can comment on or make changes to this bug.