WebKit Bugzilla
RESOLVED FIXED
301674
WebCore::MediaSource::~MediaSource; WebCore::MediaSource::~MediaSource; mpark::detail::destructor::~destructor
https://bugs.webkit.org/show_bug.cgi?id=301674
Jean-Yves Avenard [:jya]
Reported
2025-10-29 20:56:34 PDT
```
Reproduction Command:
DYLD_FRAMEWORK_PATH=$PWD DYLD_LIBRARY_PATH=$PWD __XPC_DYLD_FRAMEWORK_PATH=$PWD __XPC_DYLD_LIBRARY_PATH=$PWD ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 __XPC_ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 ./WebKitTestRunner --no-enable-all-experimental-feature --no-timeout fuzz-7.html fuzz-7.html

Crash Log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==55279==ERROR: AddressSanitizer: TRAP on unknown address 0x00012beeb308 (pc 0x00012beeb308 bp 0x00016bbdac30 sp 0x00016bbdac30 T0)
    #0 0x00012beeb308 in WTFCrashWithSecurityImplication+0x10 (JavaScriptCore:arm64e+0x61b7308)
    #1 0x00012beeb944 in WTF::RefCountedBase::printRefDuringDestructionLogAndCrash(void const*)+0x9c (JavaScriptCore:arm64e+0x61b7944)
    #2 0x0003061a74d8 in WebCore::MediaSource::~MediaSource()+0x11bc (WebCore:arm64e+0x61a74d8)
    #3 0x0003061af7ac in WebCore::MediaSource::~MediaSource()+0x1c (WebCore:arm64e+0x61af7ac)
    #4 0x00030039102c in WebCore::HTMLMediaElement::~HTMLMediaElement()+0x3370 (WebCore:arm64e+0x39102c)
    #5 0x00030038dc14 in WebCore::HTMLVideoElement::~HTMLVideoElement()+0x30 (WebCore:arm64e+0x38dc14)
    #6 0x000129fd1dc8 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const+0x1160 (JavaScriptCore:arm64e+0x429ddc8)
    #7 0x000129fa36a0 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)+0x380 (JavaScriptCore:arm64e+0x426f6a0)
    #8 0x000129fa32ec in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const+0x94 (JavaScriptCore:arm64e+0x426f2ec)
    #9 0x000128ebc978 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*)+0x92c (JavaScriptCore:arm64e+0x3188978)
    #10 0x000128ea6d0c in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)+0x210 (JavaScriptCore:arm64e+0x3172d0c)
    #11 0x000302bf5274 in WebCore::JSHTMLVideoElement::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement>>&&)+0x1b4 (WebCore:arm64e+0x2bf5274)
    #12 0x000302bf4ee8 in WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLVideoElement>::WrapperClass* WebCore::createWrapper<WebCore::HTMLVideoElement, WebCore::HTMLElement>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLElement, WTF::RawPtrTraits<WebCore::HTMLElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLElement>>&&)+0x16c (WebCore:arm64e+0x2bf4ee8)
    #13 0x000302a9b930 in WebCore::createJSHTMLWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLElement, WTF::RawPtrTraits<WebCore::HTMLElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLElement>>&&)+0x5d70 (WebCore:arm64e+0x2a9b930)
    #14 0x00030721dfb0 in WebCore::toJSNewlyCreated(JSC::JSGlobalObject*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>&&)+0x178 (WebCore:arm64e+0x721dfb0)
    #15 0x00030232b888 in JSC::JSValue WebCore::toJSNewlyCreated<WebCore::IDLInterface<WebCore::Element>, WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>>>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>>&&)+0x144 (WebCore:arm64e+0x232b888)
    #16 0x00030232ad24 in WebCore::jsDocumentPrototypeFunction_createElementBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x708 (WebCore:arm64e+0x232ad24)
    #17 0x00030231fa90 in WebCore::jsDocumentPrototypeFunction_createElement(JSC::JSGlobalObject*, JSC::CallFrame*)+0x1c4 (WebCore:arm64e+0x231fa90)
    #18 0x00012e82c03c (<unknown module>)
```
Jean-Yves Avenard [:jya]
Comment 1
2025-10-29 20:58:02 PDT
rdar://163479310
Jean-Yves Avenard [:jya]
Comment 2
2025-10-29 21:18:29 PDT
Pull request:
https://github.com/apple/WebKit/pull/3933