Bug 233174

Summary: Safari 15.1 regression: RTCRtpSender.replaceTrack with a disabled track crashes safari
Product: WebKit Reporter: Arjun Vade <avade>
Component: WebRTCAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Major CC: youennf
Priority: P2    
Version: Safari 15   
Hardware: Unspecified   
OS: Unspecified   

Description Arjun Vade 2021-11-15 22:57:36 PST 
Steps to reproduce:
1.Visit https://webrtc.github.io/samples/src/content/peerconnection/pc1/
2. Click on Start and Call buttons. Note that this app/demo exposes `pc1` on console which is a RTCPeerConnection object
3. Invoke the following code from the dev tools console:


black = ({ width = 640, height = 480 } = {}) => {
  const canvas = Object.assign(document.createElement('canvas'), { width, height });
  canvas.getContext('2d').fillRect(0, 0, width, height);
  const stream = canvas.captureStream();
  return Object.assign(stream.getVideoTracks()[0], { enabled: false }); // Note: changing enabled to true doesn't crash safari
};

dummyTrack = black();

pc1.getSenders()[0].replaceTrack(dummyTrack)

4. Notice that safari crashes.

Happens only on Safari 15.1, earlier versions were fine, so this is a regression. Happens both on BigSur and Monterey
Comment 1 youenn fablet 2021-11-16 07:02:54 PST 
Thanks for the report Arjun.
This should be fixed in latest iOS 15.2 beta.