RESOLVED FIXED 308414
[WebVTT] InbandDataTextTrack::removeCue crashes when removing non-DataCue cues
https://bugs.webkit.org/show_bug.cgi?id=308414
David Kilzer (:ddkilzer)
Reported 2026-02-21 21:42:52 PST
`InbandDataTextTrack::removeCue()` crashes when `TextTrack.removeCue()` is called from JavaScript with a non-DataCue on an inband metadata text track.

Steps to reproduce:
1. Load HLS media with inband metadata track (creates InbandDataTextTrack)
2. JavaScript: `track.addCue(new VTTCue(0, 1, "test"))` (succeeds)
3. JavaScript: `track.removeCue(vttCue)` (crashes)

Crash stack:
```
0 WebCore WTFCrashWithInfo(int, char const*, char const*, int) [inlined]
  WebCore WTF::downcast<DataCue, TextTrackCue>(TextTrackCue&) [inlined]
  WebCore InbandDataTextTrack::removeCue(TextTrackCue&)
1 WebCore jsTextTrackPrototypeFunction_removeCueBody(...) [inlined]
  WebCore jsTextTrackPrototypeFunction_removeCue(...)
2 JIT (JavaScript execution)
[...]
```

Root cause: The function unconditionally performs `downcast<DataCue>(cue)` which triggers `RELEASE_ASSERT(is<DataCue>(cue))`. However, `TextTrack::addCue()` is non-virtual and allows any TextTrackCue subtype to be added to an `InbandDataTextTrack`, creating this mismatch.

Regression: This bug has been latent since the original DataCue implementation in April 2014 (commit 150050@main, Bug 131799).

<rdar://122375096>
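A C++ model of the mismatch the report describes, added here as an illustration; it is not WebKit code. The cue classes, `dynamicDowncast`, the `m_dataCues` side table and `replayReport` are assumptions made for the example, and WTF's `RELEASE_ASSERT` inside `downcast<>` is modelled as a thrown exception so the failure can be observed rather than aborting the process. The "fixed" track shows one way to harden `removeCue` (check the type before touching DataCue-specific state); the page does not show what the landed commit actually changed.

```cpp
// Toy model of the InbandDataTextTrack::removeCue bug (added example, not WebKit code).
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <unordered_set>
#include <vector>

// Minimal stand-in for WebCore's TextTrackCue hierarchy, tagged for type checks.
struct TextTrackCue {
    enum class Kind { VTT, Data };
    explicit TextTrackCue(Kind k) : kind(k) {}
    virtual ~TextTrackCue() = default;
    const Kind kind;
};
struct VTTCue final : TextTrackCue {
    std::string text;
    explicit VTTCue(std::string t) : TextTrackCue(Kind::VTT), text(std::move(t)) {}
};
struct DataCue final : TextTrackCue {
    std::vector<uint8_t> payload;
    explicit DataCue(std::vector<uint8_t> p) : TextTrackCue(Kind::Data), payload(std::move(p)) {}
};

template <typename T> bool is(const TextTrackCue&);
template <> bool is<DataCue>(const TextTrackCue& c) { return c.kind == TextTrackCue::Kind::Data; }
template <> bool is<VTTCue>(const TextTrackCue& c) { return c.kind == TextTrackCue::Kind::VTT; }

// Models WTF::downcast<>, whose RELEASE_ASSERT(is<T>(c)) aborts on a mismatch.
// The abort is modelled as an exception so a test can observe it.
template <typename T> T& downcast(TextTrackCue& c) {
    if (!is<T>(c))
        throw std::logic_error("downcast type mismatch: WebKit would RELEASE_ASSERT here");
    return static_cast<T&>(c);
}
// Checked variant (assumed helper): nullptr instead of an assert on mismatch.
template <typename T> T* dynamicDowncast(TextTrackCue& c) {
    return is<T>(c) ? static_cast<T*>(&c) : nullptr;
}

class TextTrack {
public:
    virtual ~TextTrack() = default;
    // Non-virtual, as in the report: a subclass cannot reject cue types it
    // cannot handle, so a VTTCue can end up inside a data track.
    void addCue(std::shared_ptr<TextTrackCue> cue) { m_cues.push_back(std::move(cue)); }
    virtual bool removeCue(TextTrackCue& cue) {
        auto it = std::find_if(m_cues.begin(), m_cues.end(),
                               [&](const auto& p) { return p.get() == &cue; });
        if (it == m_cues.end()) return false;
        m_cues.erase(it);
        return true;
    }
    size_t cueCount() const { return m_cues.size(); }
private:
    std::vector<std::shared_ptr<TextTrackCue>> m_cues;
};

// Before: the override assumes every cue on the track is a DataCue.
class BuggyInbandDataTextTrack final : public TextTrack {
public:
    bool removeCue(TextTrackCue& cue) override {
        DataCue& dataCue = downcast<DataCue>(cue); // unconditional: a VTTCue trips the assert
        m_dataCues.erase(&dataCue);
        return TextTrack::removeCue(cue);
    }
private:
    std::unordered_set<const DataCue*> m_dataCues; // hypothetical DataCue-only bookkeeping
};

// After: DataCue-specific bookkeeping runs only when the cue really is a DataCue;
// any other subtype is simply removed from the generic cue list.
class FixedInbandDataTextTrack final : public TextTrack {
public:
    bool removeCue(TextTrackCue& cue) override {
        if (auto* dataCue = dynamicDowncast<DataCue>(cue))
            m_dataCues.erase(dataCue);
        return TextTrack::removeCue(cue);
    }
private:
    std::unordered_set<const DataCue*> m_dataCues;
};

// Replays steps 2 and 3 of the report: add a VTTCue, then remove it.
// Returns "removed" on success or "crash" when the modelled RELEASE_ASSERT fires.
std::string replayReport(TextTrack& track) {
    auto vtt = std::make_shared<VTTCue>("test");
    track.addCue(vtt); // succeeds on both tracks because addCue is non-virtual
    try {
        return track.removeCue(*vtt) ? "removed" : "not found";
    } catch (const std::logic_error&) {
        return "crash";
    }
}

int main() {
    BuggyInbandDataTextTrack buggy;
    FixedInbandDataTextTrack fixed;
    std::cout << "buggy: " << replayReport(buggy) << "\nfixed: " << replayReport(fixed) << '\n';
}
```

The model keeps the shape that matters for the bug: a base-class `addCue` that is not virtual and so admits any subtype, paired with a subclass `removeCue` that assumes only its own subtype was ever added. The general lesson is that an unchecked `downcast<>` is only safe when every path that stores into the collection enforces the same type invariant; when one of those paths is script-reachable, the assert becomes a remotely triggerable renderer crash.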
David Kilzer (:ddkilzer)
Comment 1 2026-02-21 22:01:13 PST
EWS
Comment 2 2026-02-22 15:31:07 PST
Committed 308019@main (c9e58f72c198): <https://commits.webkit.org/308019@main> Reviewed commits have been landed. Closing PR #59190 and removing active labels.