Bug 223793 - Nullptr crash in RTCRtpSFrameTransform::createStreams
Summary: Nullptr crash in RTCRtpSFrameTransform::createStreams
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebRTC
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-03-26 03:45 PDT by Ryosuke Niwa
Modified: 2021-04-27 02:41 PDT
CC: 13 users

See Also:


Attachments
Patch (3.38 KB, patch)
2021-04-26 11:36 PDT, Rob Buis
Patch (3.35 KB, patch)
2021-04-26 23:13 PDT, Rob Buis

Description Ryosuke Niwa 2021-03-26 03:45:49 PDT
<script>
  onload = () => {
    // Take a writer on the transform's writable side before anything else happens.
    let writer = new SFrameTransform().writable.getWriter();
    // The addModule() promise rejects here; the rejection handler then performs
    // the write, which is where the crash below is triggered.
    new AudioContext().audioWorklet.addModule('a').catch(() => {
      writer.write();
    });
  };
</script>

results in the following crash under ASAN:

==28057==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x0006404c3a11 bp 0x7ffeec079390 sp 0x7ffeec079390 T0)

    #0 0x6404c3a11 in JSC::JSGlobalObject::vm() const+0x21 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe9a11)
    #1 0x642ca44bf in WebCore::ExceptionOr<void> WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1::operator()<WebCore::ScriptExecutionContext, JSC::JSValue>(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x10f (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca4bf)
    #2 0x642ca4243 in WTF::Detail::CallableWrapper<WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1, WebCore::ExceptionOr<void>, WebCore::ScriptExecutionContext&, JSC::JSValue>::call(WebCore::ScriptExecutionContext&, JSC::JSValue)+0x113 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca243)
    #3 0x642c913c8 in WTF::Function<WebCore::ExceptionOr<void> (WebCore::ScriptExecutionContext&, JSC::JSValue)>::operator()(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x148 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28b73c8)

<rdar://74859450>
Comment 1 Ryosuke Niwa 2021-03-26 03:46:57 PDT
I can reproduce this crash with ASAN build of WebKitTestRunner at r274459 and r274986 but not with DumpRenderTree.
Comment 2 Darin Adler 2021-03-26 10:24:08 PDT
Seems like this might be the incorrect line of code in RTCRtpSFrameTransform::createStreams:

        auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(context.globalObject());

What guarantees globalObject can’t be null?
Comment 3 Ryosuke Niwa 2021-03-27 04:03:15 PDT
Yeah, I think this is yet another example of code where after navigating away from a document, we'd end up executing a promise for the previous page. At that point, document is no longer associated with a frame so ScriptExecutionContext::globalObject() will return nullptr.

It is very odd that we're running a script in a document that had already been navigated away though (WebContent crashes after navigating to about:blank where we try to run the writer.write() in the lambda).
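The failure mode described in comments 2 and 3, shown as an added, self-contained C++ illustration (this is not WebKit's code and not the patch that landed on this bug). The type and function names mirror WebKit's for readability but are stand-ins defined here; the InvalidStateError code returned by the checked variant is an assumption for the example, not a statement about what the real fix returns.

```cpp
// Added illustration, not WebKit code: a minimal model of a promise callback
// running against a document whose globalObject() has become null because
// the document was navigated away before the callback fired.
#include <cassert>
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Stand-in for JSDOMGlobalObject; vmHandle plays the role of JSGlobalObject::vm().
struct JSDOMGlobalObject {
    int vmHandle = 42;
};

// Stand-in for a Document acting as a ScriptExecutionContext. The global
// object is reachable only while the document is attached to a frame; after
// navigation the accessor returns nullptr, exactly the case comment 3 describes.
class ScriptExecutionContext {
public:
    JSDOMGlobalObject* globalObject() const { return m_attached ? &m_globalObject : nullptr; }
    void navigateAway() { m_attached = false; }
private:
    mutable JSDOMGlobalObject m_globalObject;
    bool m_attached = true;
};

struct Exception {
    std::string code;
};

// Stand-in for ExceptionOr<void>: either success or a carried exception.
struct ExceptionOrVoid {
    std::optional<Exception> exception;
    bool hasException() const { return exception.has_value(); }
};

// Shape of the line quoted in comment 2: the pointer is dereferenced before
// anything checks it. Called on a detached context this reads through
// nullptr, which is what the ASAN report shows as a SEGV at a small address
// inside JSGlobalObject::vm(). Only call this while the context is attached.
ExceptionOrVoid createStreamsUnchecked(ScriptExecutionContext& context)
{
    auto& globalObject = *context.globalObject(); // undefined behaviour when null
    (void)globalObject.vmHandle;
    return {};
}

// Hardened form: detect the detached context and fail with an exception
// instead of dereferencing. The exception code is an assumption for this example.
ExceptionOrVoid createStreamsChecked(ScriptExecutionContext& context)
{
    auto* globalObject = context.globalObject();
    if (!globalObject)
        return { Exception { "InvalidStateError" } };
    (void)globalObject->vmHandle;
    return {};
}

// Mirrors the reporter's sequence: queue a rejection handler that calls
// createStreams, navigate the document away, then let the handler run.
ExceptionOrVoid runLateCallback(ExceptionOrVoid (*createStreams)(ScriptExecutionContext&))
{
    ScriptExecutionContext document;
    std::vector<std::function<ExceptionOrVoid()>> pendingTasks;
    pendingTasks.push_back([&document, createStreams] { return createStreams(document); });
    document.navigateAway();        // globalObject() is nullptr from here on
    return pendingTasks.front()();  // the callback now runs against a detached document
}

int main()
{
    ScriptExecutionContext attached;
    // While attached both variants succeed; the unchecked one is safe here only.
    assert(!createStreamsUnchecked(attached).hasException());
    assert(!createStreamsChecked(attached).hasException());

    // After navigation only the checked variant is safe to call.
    auto result = runLateCallback(createStreamsChecked);
    std::cout << "late callback on detached document: "
              << (result.hasException() ? result.exception->code : std::string("ok")) << '\n';
    return 0;
}
```

The driver deliberately never runs createStreamsUnchecked on the detached document, since that is the undefined behaviour the ASAN trace captures; the point of the checked variant is that a callback which outlives its document fails with an exception rather than a null dereference.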
Comment 4 Rob Buis 2021-04-26 11:36:44 PDT
Created attachment 427068 [details]
Patch
Comment 5 youenn fablet 2021-04-26 13:37:09 PDT
Comment on attachment 427068 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review

> LayoutTests/ChangeLog:8
> +        Add test for this.

Not needed
Comment 6 Rob Buis 2021-04-26 13:55:01 PDT
Comment on attachment 427068 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review

>> LayoutTests/ChangeLog:8
>> +        Add test for this.
> 
> Not needed

The test or the text?
Comment 7 youenn fablet 2021-04-26 13:57:49 PDT
The text, test is good :)
Comment 8 Rob Buis 2021-04-26 23:13:19 PDT
Created attachment 427122 [details]
Patch
Comment 9 EWS 2021-04-27 00:42:56 PDT
Committed r276631 (237059@main): <https://commits.webkit.org/237059@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427122 [details].