From fbd1f771613fc6f13fcc20dcad04c7065633a2c2 Mon Sep 17 00:00:00 2001
From: Timothy Flynn <trflynn89@pm.me>
Date: Fri, 23 May 2025 15:16:23 -0400
Subject: [PATCH] LibWeb: Disentangle both ends of a MessagePort at once

Otherwise, the remote end believes it is still entangled and may try to
access its own (now null) remote port. This fixes a crash in WPT.
---
 Libraries/LibWeb/HTML/MessagePort.cpp                |  6 +++++-
 .../streams/piping/crashtests/cross-piping.html      | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Crash/wpt-import/streams/piping/crashtests/cross-piping.html

diff --git a/Libraries/LibWeb/HTML/MessagePort.cpp b/Libraries/LibWeb/HTML/MessagePort.cpp
index f9d878a7702..1394ea35fa1 100644
--- a/Libraries/LibWeb/HTML/MessagePort.cpp
+++ b/Libraries/LibWeb/HTML/MessagePort.cpp
@@ -147,9 +147,13 @@ WebIDL::ExceptionOr<void> MessagePort::transfer_receiving_steps(HTML::TransferDa
 
 void MessagePort::disentangle()
 {
-    if (m_remote_port) {
+    if (auto remote_port = m_remote_port) {
+        // Set the pointers to null before disentangling the remote port to prevent infinite recursion here.
         m_remote_port->m_remote_port = nullptr;
         m_remote_port = nullptr;
+
+        if (remote_port)
+            remote_port->disentangle();
     }
 
     if (m_transport) {
diff --git a/Tests/LibWeb/Crash/wpt-import/streams/piping/crashtests/cross-piping.html b/Tests/LibWeb/Crash/wpt-import/streams/piping/crashtests/cross-piping.html
new file mode 100644
index 00000000000..712d5ecebef
--- /dev/null
+++ b/Tests/LibWeb/Crash/wpt-import/streams/piping/crashtests/cross-piping.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script type="module">
+  let a = new ReadableStream();
+  let b = self.open()
+  let f = new b.WritableStream();
+  a.pipeThrough(
+    { "readable": a, "writable": f },
+    { "signal": AbortSignal.abort() }
+  )
+  await new Promise(setTimeout);
+  structuredClone(undefined, { "transfer": [f] })
+</script>