WebKit Bugzilla - Bug 314931

Status: RESOLVED FIXED

Title: WorkerOrWorkletGlobalScope::postTask() should null-check workerOrWorkletThread() to handle cross-thread teardown race

https://bugs.webkit.org/show_bug.cgi?id=314931
Reported by David Kilzer (:ddkilzer), 2026-05-15 20:44:07 PDT
`WorkerOrWorkletGlobalScope::postTask()` and `WorkerOrWorkletGlobalScope::postTaskForMode()` unconditionally dereference the result of `workerOrWorkletThread()`. After `300878@main` (Bug 299941) converted the underlying `m_thread` field to `ThreadSafeWeakPtr<WorkerOrWorkletThread>`, that accessor can legitimately return `nullptr`, so these unconditional dereferences are now a nullptr crash. They also must keep a `RefPtr<WorkerOrWorkletThread>` on the stack when calling out to a non-trivial method for SaferCPP.

Crash stack:

```
Thread 0 Crashed:
0 WebCore: WorkerOrWorkletGlobalScope::postTask
1 WebCore: ScriptExecutionContext::postTaskTo
2 WebCore: WorkerGlobalScope::releaseMemoryInWorkers
3 WebCore: releaseCriticalMemory
4 WebCore: releaseMemory
5 WebKit: WebProcess::initializeWebProcess (memory-pressure handler)
6 JavaScriptCore: MemoryPressureHandler::releaseMemory
7 WebKit: WebProcess::releaseMemory
8 WebKit: WebProcess::prepareToSuspend
[...]
```
Comment 1, David Kilzer (:ddkilzer), 2026-05-15 20:44:09 PDT

<rdar://problem/165266466>
Comment 2, David Kilzer (:ddkilzer), 2026-05-15 20:51:41 PDT

Pull request: https://github.com/WebKit/WebKit/pull/65030
Comment 3, EWS, 2026-05-22 18:35:12 PDT

Committed 313772@main (52162f9781a0): <https://commits.webkit.org/313772@main>

Reviewed commits have been landed. Closing PR #65030 and removing active labels.