Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 02e76c68f62d4eb9afd58210d91e07c85e5ad4b9
https://github.com/WebKit/WebKit/commit/02e76c68f62d4eb9afd58210d91e07c85e5ad4b9
Author: David Kilzer <[email protected]>
Date: 2026-05-20 (Wed, 20 May 2026)
Changed paths:
M Source/WebCore/platform/mediastream/RealtimeIncomingAudioSource.cpp
M Source/WebCore/platform/mediastream/RealtimeIncomingVideoSource.cpp
M
Source/WebCore/platform/mediastream/cocoa/RealtimeIncomingAudioSourceCocoa.cpp
M
Source/WebCore/platform/mediastream/cocoa/RealtimeIncomingAudioSourceCocoa.h
M
Source/WebCore/platform/mediastream/cocoa/RealtimeIncomingVideoSourceCocoa.h
M
Source/WebCore/platform/mediastream/cocoa/RealtimeIncomingVideoSourceCocoa.mm
M
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.cpp
M
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.h
M
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.cpp
M
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.h
Log Message:
-----------
Fix crashes in RealtimeIncoming*Source destructors by ensuring sink removal
before member destruction
<https://bugs.webkit.org/show_bug.cgi?id=308636>
<rdar://162084447>
Reviewed by Jean-Yves Avenard and Youenn Fablet.
Crashes occurred when WebRTC audio/video callbacks accessed destroyed
member variables during object destruction. The root cause is due to
C++ destruction-order behavior: the compiler-generated destructors in
derived classes (e.g. RealtimeIncomingAudioSourceCocoa) destroy derived
members before calling the base class destructor, but the base class
destructor's stop() call is what removes the audio/video track sink.
While RTCPeerConnection::doClose() normally stops sources via
requestToEnd(), there are code paths where the source can reach
destruction while still producing data -- for example,
requestToEnd() is blocked if any RealtimeMediaSourceObserver returns
true from preventSourceFromEnding(). If the source is still producing
data when destruction begins, the base class destructor's stop() does
call RemoveSink() (which properly synchronizes with in-progress OnData
callbacks via sink_lock_ in RemoteAudioSource), but by that point
derived members like m_audioBufferList are already destroyed.
The fix ensures derived destructors call stop() to remove sinks before
any member destruction occurs. The base class destructors now contain
ASSERT(!isProducingData()) to verify subclasses follow this pattern.
* Source/WebCore/platform/mediastream/RealtimeIncomingAudioSource.cpp:
(WebCore::RealtimeIncomingAudioSource::~RealtimeIncomingAudioSource):
* Source/WebCore/platform/mediastream/RealtimeIncomingVideoSource.cpp:
(WebCore::RealtimeIncomingVideoSource::~RealtimeIncomingVideoSource):
*
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.cpp:
(WebCore::RealtimeIncomingAudioSourceLibWebRTC::~RealtimeIncomingAudioSourceLibWebRTC):
Add.
*
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingAudioSourceLibWebRTC.h:
*
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.cpp:
(WebCore::RealtimeIncomingVideoSourceLibWebRTC::~RealtimeIncomingVideoSourceLibWebRTC):
Add.
*
Source/WebCore/platform/mediastream/libwebrtc/gstreamer/RealtimeIncomingVideoSourceLibWebRTC.h:
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingAudioSourceCocoa.cpp:
(WebCore::RealtimeIncomingAudioSourceCocoa::~RealtimeIncomingAudioSourceCocoa):
Add.
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingAudioSourceCocoa.h:
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.h:
* Source/WebCore/platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.mm:
(WebCore::RealtimeIncomingVideoSourceCocoa::~RealtimeIncomingVideoSourceCocoa):
Add.
Originally-landed-as: 305413.429@rapid/safari-7624.2.5.110-branch
(6d6607033ebc). rdar://176067300
Canonical link: https://commits.webkit.org/313616@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
