Created attachment 104032 [details] Repro Repro: <script> new (window.open()).PeerConnection([].x,function(){}); </script> It seems that a WebViews PageClients structure is not fully initialized; "deviceMotionClient" and "mediaStreamClient" are not set: WebViewImpl::WebViewImpl(WebViewClient* client) : m_client(client) <<<snip>>> Page::PageClients pageClients; -------------------------------- struct PageClients { <<<snip>>> ChromeClient* chromeClient; ContextMenuClient* contextMenuClient; EditorClient* editorClient; DragClient* dragClient; InspectorClient* inspectorClient; GeolocationClient* geolocationClient; DeviceMotionClient* deviceMotionClient; DeviceOrientationClient* deviceOrientationClient; RefPtr<BackForwardList> backForwardClient; SpeechInputClient* speechInputClient; MediaStreamClient* mediaStreamClient; }; -------------------------------- pageClients.chromeClient = &m_chromeClientImpl; pageClients.contextMenuClient = &m_contextMenuClientImpl; pageClients.editorClient = &m_editorClientImpl; pageClients.dragClient = &m_dragClientImpl; pageClients.inspectorClient = &m_inspectorClientImpl; #if ENABLE(INPUT_SPEECH) pageClients.speechInputClient = m_speechInputClient.get(); #endif pageClients.deviceOrientationClient = m_deviceOrientationClientProxy.get(); pageClients.geolocationClient = m_geolocationClientProxy.get(); pageClients.backForwardClient = BackForwardListChromium::create(this); m_page = adoptPtr(new Page(pageClients)); <<<snip>>> This will cause the corresponding MediaStreamController to have a NULL m_client, which the code does not take into account and can leads to a NULL ptr as show in the repro.