Bug 302854
| Summary: | [GStreamer] fast/mediastream/MediaStream-removeTrack-while-playing.html crashes on the bots | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Nikolas Zimmermann <zimmermann> |
| Component: | WebKitGTK | Assignee: | Philippe Normand <philn> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | aboya, bugs-noreply, philn |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Nikolas Zimmermann
Logs here: https://ews-build.s3-us-west-2.amazonaws.com/GTK-WK2-Tests-EWS/a669cbc3-109291/fast/mediastream/MediaStream-removeTrack-while-playing-crash-log.txt
Thread 1 (Thread 0x7f440c9f9c00 (LWP 842596)):
#0 0x00007f4420e17461 in WebKitMediaStreamObserver::didRemoveTrack(WebCore::MediaStreamTrackPrivate&) () at /home/buildbot-worker/GTK-WK2-Tests-EWS/build/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#1 0x00007f4420dbbb59 in WebCore::MediaStreamPrivate::forEachObserver(WTF::Function<void (WebCore::MediaStreamPrivateObserver&)> const&) () at /home/buildbot-worker/GTK-WK2-Tests-EWS/build/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#2 0x00007f4420dbd8b5 in WebCore::MediaStreamPrivate::removeTrack(WebCore::MediaStreamTrackPrivate&) () at /home/buildbot-worker/GTK-WK2-Tests-EWS/build/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#3 0x00007f43bd312db0 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrack(JSC::JSGlobalObject*, JSC::CallFrame*) () at /home/buildbot-worker/GTK-WK2-Tests-EWS/build/WebKitBuild/GTK/Release/lib/libTestRunnerInjectedBundle.so
#4 0x00007f43bfe0c038 in ??? ()
#5 0x00007fff93ecbba0 in ??? ()
#6 0x00007f44148a1ccc in llint_op_call_ignore_result () at /home/buildbot-worker/GTK-WK2-Tests-EWS/build/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-6.0.so.1
#7 0x0000000000000000 in ??? ()
Alicia Boya García
Here is an expanded backtrace:
#0 0x00007fbe91912291 in WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > > >, WTF::DefaultHash<WTF::String>, WTF::HashMap<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> >, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>::KeyValuePairTraits, WTF::HashTraits<WTF::String>, WTF::FastMalloc>::keyCount (this=0x557408ea4b28) at WTF/Headers/wtf/HashTable.h:623
#1 0x00007fbe91912185 in WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > > >, WTF::DefaultHash<WTF::String>, WTF::HashMap<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> >, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>::KeyValuePairTraits, WTF::HashTraits<WTF::String>, WTF::FastMalloc>::isEmpty (this=0x557408ea4b28) at WTF/Headers/wtf/HashTable.h:489
#2 0x00007fbe919120f8 in WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > > >, WTF::DefaultHash<WTF::String>, WTF::HashMap<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> >, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>::KeyValuePairTraits, WTF::HashTraits<WTF::String>, WTF::FastMalloc>::begin (this=0x557408ea4b28) at WTF/Headers/wtf/HashTable.h:467
#3 0x00007fbe918ecd98 in WTF::HashMap<WTF::String, WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> >, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::RefPtr<InternalSource, WTF::RawPtrTraits<InternalSource>, WTF::DefaultRefDerefTraits<InternalSource> > >, WTF::HashTableTraits, (WTF::ShouldValidateKey)1, WTF::FastMalloc>::begin (this=0x557408ea4b28) at WTF/Headers/wtf/HashMap.h:336
#4 0x00007fbe918eca27 in WebKitMediaStreamObserver::didRemoveTrack (this=0x7fbe6727ea30, track=...) at /host/home/ntrrgc/Apps/webkit/Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp:871
#5 0x00007fbe9186d171 in WebCore::MediaStreamPrivate::removeTrack(WebCore::MediaStreamTrackPrivate&)::$_0::operator()<WebCore::MediaStreamPrivateObserver>(WebCore::MediaStreamPrivateObserver&) const (this=0x7fbe6747d118, observer=...)
at /host/home/ntrrgc/Apps/webkit/Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:178
#6 0x00007fbe9186d141 in WTF::Detail::CallableWrapper<WebCore::MediaStreamPrivate::removeTrack(WebCore::MediaStreamTrackPrivate&)::$_0, void, WebCore::MediaStreamPrivateObserver&>::call(WebCore::MediaStreamPrivateObserver&) (this=0x7fbe6747d110, in=...) at WTF/Headers/wtf/Function.h:59
#7 0x00007fbe9186941f in WTF::Function<void (WebCore::MediaStreamPrivateObserver&)>::operator()(WebCore::MediaStreamPrivateObserver&) const (this=0x7fffac51b758, in=...) at WTF/Headers/wtf/Function.h:103
#8 0x00007fbe91848c66 in _ZN3WTF11WeakHashSetIN7WebCore26MediaStreamPrivateObserverENS_18DefaultWeakPtrImplELNS_32EnableWeakPtrThreadingAssertionsE1EE7forEachERKNS_8FunctionIFvRS2_EEEQsr3WTF24HasRefPtrMemberFunctionsIT_EE5value (this=0x7fbe6700fe48, callback=...) at WTF/Headers/wtf/WeakHashSet.h:203
#9 0x00007fbe91848b93 in WebCore::MediaStreamPrivate::forEachObserver(WTF::Function<void (WebCore::MediaStreamPrivateObserver&)> const&) (this=0x7fbe6700fe20, apply=...) at /host/home/ntrrgc/Apps/webkit/Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:108
#10 0x00007fbe918496cb in WebCore::MediaStreamPrivate::removeTrack (this=0x7fbe6700fe20, track=...) at /host/home/ntrrgc/Apps/webkit/Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:177
#11 0x00007fbe21b5d5ef in WebCore::Internals::removeMediaStreamTrack (this=0x7fbe6705f7b0, stream=..., track=...) at /host/home/ntrrgc/Apps/webkit/Source/WebCore/testing/Internals.cpp:6437
#12 0x00007fbe21e256a8 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*)::{lambda()#1}::operator()() const (this=0x7fffac51b898) at /host/home/ntrrgc/Apps/webkit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSInternals.cpp:15523
#13 0x00007fbe21e24a4d in WebCore::toJS<WebCore::IDLUndefined, WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*)::{lambda()#1}>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*)::{lambda()#1}&&) (lexicalGlobalObject=..., throwScope=..., valueOrFunctor=...) at WebCore/PrivateHeaders/WebCore/JSDOMConvertBase.h:190
#14 0x00007fbe21e24789 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody (lexicalGlobalObject=0x7fbe651c5088, callFrame=0x7fffac51bad0, castedThis=0x7fbe67300748) at /host/home/ntrrgc/Apps/webkit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSInternals.cpp:15523
#15 0x00007fbe21e244e6 in WebCore::IDLOperation<WebCore::JSInternals>::call<&WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody, (WebCore::CastedThisErrorBehavior)0> (lexicalGlobalObject=..., callFrame=..., operationName=0x7fbe217a674f "removeMediaStreamTrack")
at /host/home/ntrrgc/Apps/webkit/Source/WebCore/bindings/js/JSDOMOperation.h:63
#16 0x00007fbe21d03bf4 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrack (lexicalGlobalObject=0x7fbe651c5088, callFrame=0x7fffac51bad0) at /host/home/ntrrgc/Apps/webkit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSInternals.cpp:15528
#17 0x00007fbe24a0c038 in ??? ()
#18 0x00007fffac51bb60 in ??? ()
#19 0x00007fbe7ae4b056 in llint_op_call_ignore_result () at /host/home/ntrrgc/Apps/webkit/WebKitBuild/GTK/Debug/lib/libjavascriptcoregtk-6.0.so.1
#20 0x0000000000000000 in ??? ()
Alicia Boya García
In particular, it is crashing inside the keyCount() function while trying to start to iterate the priv->sources HashMap:
unsigned keyCount() const { return m_table ? reinterpret_cast_ptr<unsigned*>(m_table)[keyCountOffset] : 0; }
(gdb) p (void*)m_table
$3 = (void *) 0xbbadbeef
0xbbadbeef was likely set from the HashTable destructor.
~HashTable()
{
    invalidateIterators(this);
    if (m_table)
        deallocateTable(m_table);
#if CHECK_HASHTABLE_USE_AFTER_DESTRUCTION
    m_table = (ValueType*)(uintptr_t)0xbbadbeef;
#endif
}
Philippe Normand
ASan report:
==811638==ERROR: AddressSanitizer: heap-use-after-free on address 0x7cbf127216f8 at pc 0x7f6f490fee74 bp 0x7ffcb5fa0170 sp 0x7ffcb5fa0168
READ of size 8 at 0x7cbf127216f8 thread T0
#0 0x7f6f490fee73 in WebKitMediaStreamObserver::didRemoveTrack(WebCore::MediaStreamTrackPrivate&) WebKitBuild/GTK/Debug/./Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp:866:23
#1 0x7f6f490177bd in _ZZN7WebCore18MediaStreamPrivate11removeTrackERNS_23MediaStreamTrackPrivateEENK3$_0clINS_26MediaStreamPrivateObserverEEEDaRT_ WebKitBuild/GTK/Debug/./Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:178:18
#2 0x7f6f49017720 in WTF::Detail::CallableWrapper<WebCore::MediaStreamPrivate::removeTrack(WebCore::MediaStreamTrackPrivate&)::$_0, void, WebCore::MediaStreamPrivateObserver&>::call(WebCore::MediaStreamPrivateObserver&) WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:59:39
#3 0x7f6f490110de in WTF::Function<void (WebCore::MediaStreamPrivateObserver&)>::operator()(WebCore::MediaStreamPrivateObserver&) const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:103:35
#4 0x7f6f48fda5c5 in WTF::WeakHashSet<WebCore::MediaStreamPrivateObserver, WTF::DefaultWeakPtrImpl, (WTF::EnableWeakPtrThreadingAssertions)1>::forEach(WTF::Function<void (WebCore::MediaStreamPrivateObserver&)> const&) requires WTF::HasRefPtrMemberFunctions<T>::value WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/WeakHashSet.h:203:13
#5 0x7f6f48fda3c8 in WebCore::MediaStreamPrivate::forEachObserver(WTF::Function<void (WebCore::MediaStreamPrivateObserver&)> const&) WebKitBuild/GTK/Debug/./Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:108:17
#6 0x7f6f48fdbfba in WebCore::MediaStreamPrivate::removeTrack(WebCore::MediaStreamTrackPrivate&) WebKitBuild/GTK/Debug/./Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:177:5
#7 0x7b6ebfc4610e in WebCore::Internals::removeMediaStreamTrack(WebCore::MediaStream&, WebCore::MediaStreamTrack&) WebKitBuild/GTK/Debug/./Source/WebCore/testing/Internals.cpp:6463:28
#8 0x7b6ec0133e93 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*)::'lambda'()::operator()() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSInternals.cpp:15556:146
#9 0x7b6ec0132b7c in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*)::'lambda'()&&) WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WebCore/PrivateHeaders/WebCore/JSDOMConvertBase.h:190:13
#10 0x7b6ec01327c3 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*) WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSInternals.cpp:15556:55
#11 0x7b6ec01321d2 in long WebCore::IDLOperation<WebCore::JSInternals>::call<&WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrackBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSInternals*), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) WebKitBuild/GTK/Debug/./Source/WebCore/bindings/js/JSDOMOperation.h:63:44
#12 0x7b6ebff57183 in WebCore::jsInternalsPrototypeFunction_removeMediaStreamTrack(JSC::JSGlobalObject*, JSC::CallFrame*) WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSInternals.cpp:15561:12
#13 0x7b6ecfa2c037 (<unknown module>)
0x7cbf127216f8 is located 504 bytes inside of 512-byte region [0x7cbf12721500,0x7cbf12721700)
freed by thread T0 here:
#0 0x0000003085ca in free (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x3085ca) (BuildId: 3023e3fcd37354c191cc601e4c00551fef4b28cd)
#1 0x7f6f245fcf84 in g_free_sized (/lib64/libglib-2.0.so.0+0x41f84) (BuildId: e06d79ca6a0879accff6de7371a1576511f00c6a)
#2 0x7f6f2473d092 in g_type_free_instance (/lib64/libgobject-2.0.so.0+0x2c092) (BuildId: 7c82aed2ec76dac0449e3fefa5da8328eeae2676)
#3 0x7f6f24727e8c in g_object_unref (/lib64/libgobject-2.0.so.0+0x16e8c) (BuildId: 7c82aed2ec76dac0449e3fefa5da8328eeae2676)
#4 0x7f6f3e3310db in WTF::GRefPtrDefaultRefDerefTraits<_GstElement>::derefIfNotNull(_GstElement*) WebKitBuild/GTK/Debug/./Source/WebCore/platform/graphics/gstreamer/GRefPtrGStreamer.h:55:253
#5 0x7f6f3e331064 in WTF::GRefPtr<_GstElement, WTF::GRefPtrDefaultRefDerefTraits<_GstElement>>::clear() WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/glib/GRefPtr.h:131:9
#6 0x7f6f3e32a544 in WTF::GRefPtr<_GstElement, WTF::GRefPtrDefaultRefDerefTraits<_GstElement>>::~GRefPtr() WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/glib/GRefPtr.h:126:9
#7 0x7f6f48cc5a4c in WebCore::MediaPlayerPrivateGStreamer::~MediaPlayerPrivateGStreamer() WebKitBuild/GTK/Debug/./Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:214:1
#8 0x7f6f48cc6da8 in WebCore::MediaPlayerPrivateGStreamer::~MediaPlayerPrivateGStreamer() WebKitBuild/GTK/Debug/./Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:212:1
#9 0x7f6f48c89af8 in void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::MediaPlayerPrivateGStreamer, (WTF::DestructionThread)1>() const::'lambda'()::operator()() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeWeakPtr.h:94:13
#10 0x7f6f48c89998 in WTF::Detail::CallableWrapper<void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::MediaPlayerPrivateGStreamer, (WTF::DestructionThread)1>() const::'lambda'(), void>::call() WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:59:39
#11 0x7f6f1f44d77e in WTF::Function<void ()>::operator()() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:103:35
#12 0x7f6f22ad326f in WTF::ensureOnMainThread(WTF::Function<void ()>&&) WebKitBuild/GTK/Debug/./Source/WTF/wtf/MainThread.cpp:95:9
#13 0x7f6f48c88a71 in void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::MediaPlayerPrivateGStreamer, (WTF::DestructionThread)1>() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeWeakPtr.h:112:13
#14 0x7f6f48c88463 in WTF::ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr<WebCore::MediaPlayerPrivateGStreamer, (WTF::DestructionThread)1>::deref() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeWeakPtr.h:263:87
#15 0x7f6f48c881e8 in WebCore::MediaPlayerPrivateGStreamer::deref() const WebKitBuild/GTK/Debug/./Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:127:81
#16 0x7f6f3af4acdf in WTF::DefaultRefDerefTraits<WebCore::MediaPlayerPrivateInterface>::derefIfNotNull(WebCore::MediaPlayerPrivateInterface*) WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Ref.h:64:18
#17 0x7f6f3af03394 in WTF::RefPtr<WebCore::MediaPlayerPrivateInterface, WTF::RawPtrTraits<WebCore::MediaPlayerPrivateInterface>, WTF::DefaultRefDerefTraits<WebCore::MediaPlayerPrivateInterface>>::~RefPtr() WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/RefPtr.h:62:24
#18 0x7f6f488d75e9 in WebCore::MediaPlayer::~MediaPlayer() WebKitBuild/GTK/Debug/./Source/WebCore/platform/graphics/MediaPlayer.cpp:536:1
#19 0x7f6f3aca0fc8 in void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::MediaPlayer, (WTF::DestructionThread)1>() const::'lambda'()::operator()() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeWeakPtr.h:94:13
#20 0x7f6f3aca0ea8 in WTF::Detail::CallableWrapper<void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::MediaPlayer, (WTF::DestructionThread)1>() const::'lambda'(), void>::call() WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:59:39
#21 0x7f6f1f44d77e in WTF::Function<void ()>::operator()() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:103:35
#22 0x7f6f22ad326f in WTF::ensureOnMainThread(WTF::Function<void ()>&&) WebKitBuild/GTK/Debug/./Source/WTF/wtf/MainThread.cpp:95:9
#23 0x7f6f3ac9ff91 in void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WebCore::MediaPlayer, (WTF::DestructionThread)1>() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeWeakPtr.h:112:13
#24 0x7f6f3ac9f983 in WTF::ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr<WebCore::MediaPlayer, (WTF::DestructionThread)1>::deref() const WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeWeakPtr.h:263:87
#25 0x7f6f3ac9f6cb in WTF::DefaultRefDerefTraits<WebCore::MediaPlayer>::derefIfNotNull(WebCore::MediaPlayer*) WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/Ref.h:64:18
#26 0x7f6f3ac9f3f4 in WTF::RefPtr<WebCore::MediaPlayer, WTF::RawPtrTraits<WebCore::MediaPlayer>, WTF::DefaultRefDerefTraits<WebCore::MediaPlayer>>::~RefPtr() WebKitBuild/GTK/Debug/./WebKitBuild/GTK/Debug/WTF/Headers/wtf/RefPtr.h:62:24
#27 0x7f6f469ac28a in WebCore::HTMLMediaElement::createMediaPlayer() WebKitBuild/GTK/Debug/./Source/WebCore/html/HTMLMediaElement.cpp:8111:16
#28 0x7f6f469a18e6 in WebCore::HTMLMediaElement::prepareForLoad() WebKitBuild/GTK/Debug/./Source/WebCore/html/HTMLMediaElement.cpp:1522:5
#29 0x7f6f469a9fa0 in WebCore::HTMLMediaElement::setSrcObject(std::optional<mpark::variant<WTF::RefPtr<WebCore::MediaStream, WTF::RawPtrTraits<WebCore::MediaStream>, WTF::DefaultRefDerefTraits<WebCore::MediaStream>>, WTF::RefPtr<WebCore::MediaSource, WTF::RawPtrTraits<WebCore::MediaSource>, WTF::DefaultRefDerefTraits<WebCore::MediaSource>>, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob>>>>&&) WebKitBuild/GTK/Debug/./Source/WebCore/html/HTMLMediaElement.cpp:1414:5
previously allocated by thread T0 here:
#0 0x000000308a3d in calloc (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x308a3d) (BuildId: 3023e3fcd37354c191cc601e4c00551fef4b28cd)
#1 0x7f6f246039d1 in g_malloc0 (/lib64/libglib-2.0.so.0+0x489d1) (BuildId: e06d79ca6a0879accff6de7371a1576511f00c6a)
#2 0x7f6f24744302 in g_type_create_instance (/lib64/libgobject-2.0.so.0+0x33302) (BuildId: 7c82aed2ec76dac0449e3fefa5da8328eeae2676)
#3 0x7f6f247298a3 (/lib64/libgobject-2.0.so.0+0x188a3) (BuildId: 7c82aed2ec76dac0449e3fefa5da8328eeae2676)
#4 0x7f6f2472aec6 in g_object_new_with_properties (/lib64/libgobject-2.0.so.0+0x19ec6) (BuildId: 7c82aed2ec76dac0449e3fefa5da8328eeae2676)
#5 0x7f6f1639e509 in gst_element_factory_create_with_properties /_build/../gstreamer/subprojects/gstreamer/gst/gstelementfactory.c:495:28
SUMMARY: AddressSanitizer: heap-use-after-free WebKitBuild/GTK/Debug/./Source/WebCore/platform/mediastream/gstreamer/GStreamerMediaStreamSource.cpp:866:23 in WebKitMediaStreamObserver::didRemoveTrack(WebCore::MediaStreamTrackPrivate&)
==811638==ABORTING
WebKitWebProcess terminated (pid 811638) for reason: crash
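A reduced model of the lifetime problem shown in the reports above, as an added example that is neither WebKit code nor the fix from the linked pull request: the element instance is freed under ~MediaPlayerPrivateGStreamer (reached from HTMLMediaElement::setSrcObject), yet a later MediaStreamPrivate::removeTrack still reaches WebKitMediaStreamObserver::didRemoveTrack, which reads the freed instance. SourceElement, StreamObserver and Stream are hypothetical stand-ins, and the checked weak back-reference is one general mitigation for this bug class.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for the GStreamer element whose private data holds the
// per-track "sources" map (hypothetical, simplified type).
struct SourceElement {
    std::map<std::string, int> sources;
};

// Stand-in for WebKitMediaStreamObserver. The crashing shape is an observer
// that keeps a plain pointer to the element and dereferences it in
// didRemoveTrack(); here the back-reference is weak and checked first.
class StreamObserver {
public:
    explicit StreamObserver(const std::shared_ptr<SourceElement>& element)
        : m_element(element) { }

    // Returns true if the element was still alive and its map was updated.
    bool didRemoveTrack(const std::string& trackId)
    {
        auto element = m_element.lock();
        if (!element)
            return false; // Element already destroyed: nothing to touch.
        element->sources.erase(trackId);
        return true;
    }

private:
    std::weak_ptr<SourceElement> m_element;
};

// Stand-in for MediaStreamPrivate: it notifies every registered observer,
// whether or not a player still owns the observer's element.
class Stream {
public:
    void addObserver(StreamObserver& observer) { m_observers.push_back(&observer); }

    // Returns how many observers still had a live element to update.
    int removeTrack(const std::string& trackId)
    {
        int handled = 0;
        for (auto* observer : m_observers)
            handled += observer->didRemoveTrack(trackId) ? 1 : 0;
        return handled;
    }

private:
    std::vector<StreamObserver*> m_observers;
};

// Replays the sequence from the reports: play a stream, replace the player
// (dropping the last reference to the element), then remove a track.
int removeTrackAfterPlayerReplaced()
{
    Stream stream;
    auto element = std::make_shared<SourceElement>();
    element->sources["track-1"] = 1; // constructed sample track id
    StreamObserver observer(element);
    stream.addObserver(observer);

    int whilePlaying = stream.removeTrack("not-present"); // element alive
    element.reset();                                      // player torn down
    int afterTeardown = stream.removeTrack("track-1");    // must not dereference
    return whilePlaying * 10 + afterTeardown;
}
```

With a plain pointer in place of the weak reference, the second removeTrack call would read freed memory, which is the access ASan flags in didRemoveTrack.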
Philippe Normand
Pull request: https://github.com/WebKit/WebKit/pull/54369
EWS
Committed 303482@main (88490723d9f2): <https://commits.webkit.org/303482@main>
Reviewed commits have been landed. Closing PR #54369 and removing active labels.