<script>
onload = () => {
    let writer = new SFrameTransform().writable.getWriter();
    new AudioContext().audioWorklet.addModule('a').catch(() => { writer.write(); });
};
</script>

results in the following crash under ASAN:

==28057==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x0006404c3a11 bp 0x7ffeec079390 sp 0x7ffeec079390 T0)
#0 0x6404c3a11 in JSC::JSGlobalObject::vm() const+0x21 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe9a11)
#1 0x642ca44bf in WebCore::ExceptionOr<void> WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1::operator()<WebCore::ScriptExecutionContext, JSC::JSValue>(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x10f (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca4bf)
#2 0x642ca4243 in WTF::Detail::CallableWrapper<WebCore::RTCRtpSFrameTransform::createStreams(JSC::JSGlobalObject&)::$_1, WebCore::ExceptionOr<void>, WebCore::ScriptExecutionContext&, JSC::JSValue>::call(WebCore::ScriptExecutionContext&, JSC::JSValue)+0x113 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ca243)
#3 0x642c913c8 in WTF::Function<WebCore::ExceptionOr<void> (WebCore::ScriptExecutionContext&, JSC::JSValue)>::operator()(WebCore::ScriptExecutionContext&, JSC::JSValue) const+0x148 (/Volumes/Data/safari-6/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28b73c8)

<rdar://74859450>
I can reproduce this crash with ASAN build of WebKitTestRunner at r274459 and r274986 but not with DumpRenderTree.
Seems like this might be the incorrect line of code in RTCRtpSFrameTransform::createStreams:

auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(context.globalObject());

What guarantees globalObject can't be null?
Yeah, I think this is yet another example of code where, after navigating away from a document, we'd end up executing a promise for the previous page. At that point, the document is no longer associated with a frame, so ScriptExecutionContext::globalObject() will return nullptr. It is very odd that we're running a script in a document that had already been navigated away from, though (WebContent crashes after navigating to about:blank, where we try to run the write.write() in the lambda).
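The failure mode described in the comment above, as an added example that is not WebKit code: a minimal C++ model in which a callback queued while the document is live runs only after the document has been detached from its frame, so the context's global object is already null. The class names (ScriptExecutionContext, JSGlobalObject, ExceptionOr), the InvalidStateError result and the check itself are stand-ins I am assuming for illustration, not the actual patch; the point is that the lookup of the global object must be null-checked before anything like jsCast dereferences it.

```cpp
// Added example (not WebKit source): modelling a promise callback that runs
// after the document it belongs to has been navigated away.
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for JSC::JSGlobalObject.
struct JSGlobalObject {
    std::string name;
};

// Hypothetical stand-in for WebCore::ScriptExecutionContext. The global object
// is owned by the frame; once the document is navigated away it becomes null.
struct ScriptExecutionContext {
    JSGlobalObject* m_globalObject = nullptr;
    JSGlobalObject* globalObject() const { return m_globalObject; }
    void detachFromFrame() { m_globalObject = nullptr; }
};

// Hypothetical stand-in for WebCore::ExceptionOr<void>: success, or the name
// of the DOM exception to reject with.
struct ExceptionOr {
    bool hasException;
    std::string exceptionName;
};

// Hardened form of the createStreams lookup: the original code did
//   auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(context.globalObject());
// which dereferences null for a detached context. Here we refuse to proceed.
ExceptionOr createStreamsChecked(ScriptExecutionContext& context) {
    JSGlobalObject* globalObject = context.globalObject();
    if (!globalObject)
        return { true, "InvalidStateError" }; // assumed error choice
    // ... real code would now use globalObject->vm() and build the streams ...
    return { false, "" };
}

// Minimal promise-reaction queue: reactions are recorded now and run later,
// which is exactly the window in which a navigation can detach the document.
struct TaskQueue {
    std::vector<std::function<void()>> tasks;
    void enqueue(std::function<void()> task) { tasks.push_back(std::move(task)); }
    void runAll() {
        for (auto& task : tasks)
            task();
        tasks.clear();
    }
};

// Scenario from the bug: queue the catch() handler while the page is live,
// navigate (detach), then run the handler. Returns the observed outcome.
std::string runDetachedCallbackScenario() {
    JSGlobalObject global{ "page" };
    ScriptExecutionContext context{ &global };
    TaskQueue queue;
    std::string outcome;
    queue.enqueue([&] {
        ExceptionOr result = createStreamsChecked(context);
        outcome = result.hasException ? result.exceptionName : "streams created";
    });
    context.detachFromFrame(); // stands in for navigating to about:blank
    queue.runAll();
    return outcome;
}

// Control: the same call against a live document succeeds.
std::string runLiveScenario() {
    JSGlobalObject global{ "page" };
    ScriptExecutionContext context{ &global };
    ExceptionOr result = createStreamsChecked(context);
    return result.hasException ? result.exceptionName : "streams created";
}
```

The model deliberately keeps only the ordering that matters: the reaction is captured before the detach and executed after it, so any code path that reaches the global object through the context has to tolerate a null return rather than assume the document is still attached.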
Created attachment 427068 [details] Patch
Comment on attachment 427068 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review

> LayoutTests/ChangeLog:8
> + Add test for this.

Not needed
Comment on attachment 427068 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=427068&action=review

>> LayoutTests/ChangeLog:8
>> + Add test for this.
>
> Not needed

The test or the text?
The text; the test is good :)
Created attachment 427122 [details] Patch
Committed r276631 (237059@main): <https://commits.webkit.org/237059@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427122 [details].