Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 64ad3f36af0d8f25efc49f0390c7a3732e99c825
      https://github.com/WebKit/WebKit/commit/64ad3f36af0d8f25efc49f0390c7a3732e99c825
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-06-06 (Sat, 06 Jun 2026)

  Changed paths:
    A LayoutTests/streams/pipeTo-removed-iframe-crash-expected.txt
    A LayoutTests/streams/pipeTo-removed-iframe-crash.html
    M Source/WebCore/Modules/streams/StreamPipeToUtilities.cpp
    M Source/WebCore/bindings/js/InternalReadableStreamDefaultReader.cpp
    M Source/WebCore/bindings/js/InternalWritableStreamWriter.cpp

  Log Message:
  -----------
  REGRESSION(305413.674@safari-7624-branch): Crash in StreamPipeToState::globalObject
https://bugs.webkit.org/show_bug.cgi?id=312938
rdar://175084445

Reviewed by Chris Dumez.

The crash was caused by StreamPipeToState::globalObject calling jsDynamicCast<JSDOMGlobalObject*>
on context->globalObject() without a nullptr check. Fixed the crash by adding a nullptr check.

The newly written test revealed a related bug that we were calling DOMPromise::status even when
active DOM objects had been stopped. Added a bunch of early returns to functions in
InternalReadableStreamDefaultReader and InternalWritableStreamWriter to avoid debug assertions
in these cases, one of which is hit by the new test.

Test: streams/pipeTo-removed-iframe-crash.html

* LayoutTests/streams/pipeTo-removed-iframe-crash-expected.txt: Added.
* LayoutTests/streams/pipeTo-removed-iframe-crash.html: Added.
* Source/WebCore/Modules/streams/StreamPipeToUtilities.cpp:
(WebCore::StreamPipeToState::globalObject):
* Source/WebCore/bindings/js/InternalReadableStreamDefaultReader.cpp:
(WebCore::InternalReadableStreamDefaultReader::onClosedPromiseRejection):
(WebCore::InternalReadableStreamDefaultReader::onClosedPromiseResolution):
* Source/WebCore/bindings/js/InternalWritableStreamWriter.cpp:
(WebCore::InternalWritableStreamWriter::onClosedPromiseRejection):
(WebCore::InternalWritableStreamWriter::onClosedPromiseResolution):
(WebCore::InternalWritableStreamWriter::whenReady):

Originally-landed-as: 305413.711@safari-7624-branch (90e48031ed4d). rdar://176059102
Canonical link: https://commits.webkit.org/314699@main


