Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ed04ff40674d30791da2d18b27b33ed805b50a82
https://github.com/WebKit/WebKit/commit/ed04ff40674d30791da2d18b27b33ed805b50a82
Author: Anthony Tarbinian <[email protected]>
Date: 2026-05-20 (Wed, 20 May 2026)
Changed paths:
A ManualTests/webaudio/nocrash-audiocontext-reference-destroyed-document.html
M Source/WebCore/Modules/webaudio/AudioContext.cpp
M Source/WebCore/Modules/webaudio/AudioContext.h
M Source/WebCore/Modules/webaudio/BaseAudioContext.h
Log Message:
-----------
Don't call document->removeAudioProducer during Document destruction
https://bugs.webkit.org/show_bug.cgi?id=309708
rdar://172168772

Reviewed by Ryosuke Niwa.

When the Document destructor is called, it is possible
for it to take a code path where it references the document
which is actively being destroyed. Since the Document is
in the middle of its destructor call, the Document is not in
a well-defined state; it may have already freed member variables, etc.

This is the path which leads to the access of the document during
destruction:
- Document::~Document
- ScriptExecutionContext::~ScriptExecutionContext
- BaseAudioContext::deleteMarkedNodes
- AudioContext::~AudioContext
- Document::removeAudioProducer

To remove the audio producers safely, this patch does so when we are certain
the document is still alive. So, we will call this from AudioContext::stop()
which itself gets invoked from Document::commonTeardown ->
ScriptExecutionContext::stopActiveDOMObjects.

To be defensive, we can also guard the call to document->removeAudioProducer in
~AudioContext with a check to !BaseAudioContext::isStopped().
This ensures that we won't access the document while it is being torn down.
During teardown, ScriptExecutionContext will stop the AudioContext by
calling BaseAudioContext::stop which in turn sets
BaseAudioContext::m_isStopScheduled to true and causes
BaseAudioContext::isStopped to return true.

Adding a manual test since the layout test can take up to a few
minutes to trigger the bug.
If running the manual test, test it against an ASAN build to reproduce
the crash. On average, the test takes 49 seconds to trigger the bug.

* ManualTests/webaudio/nocrash-audiocontext-reference-destroyed-document.html:
Added.
* Source/WebCore/Modules/webaudio/AudioContext.cpp:
(WebCore::AudioContext::~AudioContext):
(WebCore::AudioContext::stop):
* Source/WebCore/Modules/webaudio/AudioContext.h:
* Source/WebCore/Modules/webaudio/BaseAudioContext.h:

Originally-landed-as: 305413.492@rapid/safari-7624.2.5.110-branch
(72b0f61b5005). rdar://176061965

Canonical link: https://commits.webkit.org/313630@main
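The destruction order the message describes, as an added example in the form of a constructed C++ model (not WebKit code): `Document`, `AudioContext`, `stop()` and `isStopped()` are simplified stand-ins, a single owned `context` member stands in for the ScriptExecutionContext base whose destructor runs last, and `Mode::Legacy` versus `Mode::Fixed` contrasts the old destructor-only cleanup with the patch's stop()-time removal plus `!isStopped()` guard.

```cpp
#include <memory>
#include <set>
// Constructed model (not WebKit code) of the commit's destruction order: the producer registry
// dies before the member owning the AudioContext (a stand-in for the ScriptExecutionContext base,
// destroyed last), so a callback from ~AudioContext into the Document hits a half-destroyed object.
enum class Mode { Legacy, Fixed };
static int g_accessesDuringDestruction = 0;          // bumped on each unsafe Document access
class Document;
class AudioContext {
public:
    AudioContext(Document& doc, Mode mode);
    ~AudioContext();
    void stop();                                     // stand-in for BaseAudioContext::stop()
    bool isStopped() const { return m_isStopScheduled; }
private:
    Document* m_document;
    Mode m_mode;
    bool m_isStopScheduled = false;
};
struct Document {
    ~Document() { m_membersAlive = false; }          // members are destroyed next, in reverse order
    void commonTeardown() { if (context) context->stop(); }        // stopActiveDOMObjects analogue
    void addAudioProducer(AudioContext* c) { m_producers.insert(c); }
    void removeAudioProducer(AudioContext* c) {
        if (!m_membersAlive) { ++g_accessesDuringDestruction; return; } // real code: freed state used
        m_producers.erase(c);
    }
    std::unique_ptr<AudioContext> context;           // declared first, so destroyed last
private:
    std::set<AudioContext*> m_producers;
    bool m_membersAlive = true;
};
AudioContext::AudioContext(Document& doc, Mode m) : m_document(&doc), m_mode(m) { doc.addAudioProducer(this); }
void AudioContext::stop() {
    m_isStopScheduled = true;
    if (m_mode == Mode::Fixed) m_document->removeAudioProducer(this);  // document is known alive here
}
AudioContext::~AudioContext() {                      // Fixed: skipped once stopped, as the patch does
    if (m_mode == Mode::Legacy || !isStopped()) m_document->removeAudioProducer(this);
}
// Teardown as Document does it (commonTeardown, then destruction); returns the unsafe-access count.
int accessesDuringTeardown(Mode mode) {
    g_accessesDuringDestruction = 0;
    {
        Document doc;
        doc.context = std::make_unique<AudioContext>(doc, mode);
        doc.commonTeardown();
    }   // ~Document body, then m_producers, then context -> ~AudioContext
    return g_accessesDuringDestruction;
}
```

In the legacy mode the Document is reached once after its members are gone (what ASAN flags in the real bug); in the fixed mode the producer is removed during stop() and the guarded destructor never touches the Document.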