Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0f476dfaa434c9d93e535670b7d128b2046db5bd
https://github.com/WebKit/WebKit/commit/0f476dfaa434c9d93e535670b7d128b2046db5bd
Author: David Kilzer <[email protected]>
Date: 2026-04-27 (Mon, 27 Apr 2026)
Changed paths:
M Source/WebCore/Modules/mediastream/RTCRtpTransformBackend.h
M
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpReceiverBackend.cpp
M
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpReceiverTransformBackend.cpp
M
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpReceiverTransformBackend.h
M Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpSenderBackend.cpp
M
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpSenderTransformBackend.cpp
M
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpSenderTransformBackend.h
Log Message:
-----------
Leak due to retain cycle between
LibWebRTCRtp{Sender,Receiver}TransformBackend and libwebrtc sender/receiver
after RTCPeerConnection closes
<https://bugs.webkit.org/show_bug.cgi?id=313426>
<rdar://175674797>
Reviewed by Youenn Fablet.
Break the retain cycle between the LibWebRTC transform backend and
its underlying libwebrtc sender / receiver so the leak does not
persist after `RTCPeerConnection.close()`.
Each side needs a strong ref to the other: the WebKit backend
forwards calls to the sender / receiver, and libwebrtc's
`FrameTransformer` contract retains the registered transformer in
`frame_transformer_` for the sender's / receiver's lifetime. Neither
side has a hook that releases first once the transform is no longer
reachable from JavaScript, so both objects stay alive indefinitely.
`LibWebRTCRtpSenderBackend` / `LibWebRTCRtpReceiverBackend` is the
sole WebKit-side owner of the transform backend; once it is being
destroyed, no WebKit code path can reach the transform backend
anymore. That makes its destructor a safe point to break the cycle
by calling `SetFrameTransformer(nullptr)` on the libwebrtc sender /
receiver, which clears the `frame_transformer_` back-edge. The
transform backend keeps its `const Ref` to the sender / receiver,
so no null checks are needed elsewhere.
Test: `run-webkit-tests --debug --leaks http/wpt/webrtc webrtc`
* Source/WebCore/Modules/mediastream/RTCRtpTransformBackend.h:
(WebCore::RTCRtpTransformBackend::detachFromOwningBackend): Add.
- Default no-op; libwebrtc subclasses override to break the cycle.
* Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpReceiverBackend.cpp:
(WebCore::LibWebRTCRtpReceiverBackend::~LibWebRTCRtpReceiverBackend):
- Detach the transform backend before teardown to break the cycle.
*
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpReceiverTransformBackend.cpp:
(WebCore::LibWebRTCRtpReceiverTransformBackend::detachFromOwningBackend): Add.
- Clear the receiver's frame transformer to break the back-edge.
*
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpReceiverTransformBackend.h:
* Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpSenderBackend.cpp:
(WebCore::LibWebRTCRtpSenderBackend::~LibWebRTCRtpSenderBackend):
- Detach the transform backend before teardown to break the cycle.
*
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpSenderTransformBackend.cpp:
(WebCore::LibWebRTCRtpSenderTransformBackend::detachFromOwningBackend): Add.
- Clear the sender's frame transformer to break the back-edge.
*
Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpSenderTransformBackend.h:
Canonical link: https://commits.webkit.org/312177@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
