Bug 219496

Summary: Crash when trying to suspend an OfflineAudioContext with a bad buffer
Product: WebKit
Component: Web Audio
Reporter: Chris Dumez <cdumez>
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
CC: cdumez, darin, eric.carlson, ews-watchlist, ggaren, glenn, jer.noble, philipj, sergio, webkit-bug-importer

Attachments:
  Patch (flags: none)
  Patch (flags: none)

Description Chris Dumez 2020-12-03 09:56:26 PST
Crash when trying to suspend an OfflineAudioContext with a bad buffer:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000006d22b5c8c WTF::VectorBufferBase<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, WTF::FastMalloc>::buffer() const + 12 (Vector.h:344)
1   com.apple.WebCore             	0x00000006d22b5c78 WTF::Vector<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::data() const + 24 (Vector.h:727)
2   com.apple.WebCore             	0x00000006d229ed55 WTF::Vector<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::begin() const + 21 (Vector.h:732)
3   com.apple.WebCore             	0x00000006d229e2e3 WebCore::AudioBuffer::hasDetachedChannelBuffer() const + 35 (AudioBuffer.cpp:250)
4   com.apple.WebCore             	0x00000006d22a10cc WebCore::AudioBuffer::length() const + 28 (AudioBuffer.h:57)
5   com.apple.WebCore             	0x00000006d235abd7 WebCore::OfflineAudioContext::suspendOfflineRendering(double, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) + 311 (OfflineAudioContext.cpp:137)
6   com.apple.WebCore             	0x00000006d10e4728 WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) + 536 (JSOfflineAudioContext.cpp:341)
7   com.apple.WebCore             	0x00000006d10e4c4e long long WebCore::IDLOperationReturningPromise<WebCore::JSOfflineAudioContext>::call<&(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) const + 670 (JSDOMOperationReturningPromise.h:50)
8   com.apple.WebCore             	0x00000006d10e48ff JSC::JSValue WebCore::callPromiseFunction<long long WebCore::IDLOperationReturningPromise<WebCore::JSOfflineAudioContext>::call<&(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)>(JSC::JSGlobalObject&, JSC::CallFrame&, &(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&))) + 399 (JSDOMPromiseDeferred.h:340)
9   com.apple.WebCore             	0x00000006d10e44fd long long WebCore::IDLOperationReturningPromise<WebCore::JSOfflineAudioContext>::call<&(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 45 (JSDOMOperationReturningPromise.h:41)
10  com.apple.WebCore             	0x00000006d1093ea4 WebCore::jsOfflineAudioContextPrototypeFunction_suspend(JSC::JSGlobalObject*, JSC::CallFrame*) + 36 (JSOfflineAudioContext.cpp:347)
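To read a trace like the one above mechanically, here is an added Python triage helper; it is not part of the bug report or of WebKit. It parses Apple crash-report frame lines of the form `N image address symbol + offset (file:line)`, skips the generic WTF:: container frames (frames 0 to 2 here, which only tell you a Vector was touched), and reports the innermost project frame plus a short deduplication signature with template arguments and parameter lists stripped. The sample input is an excerpt of the backtrace above (frames 7 to 9 omitted, whitespace normalized); the `WTF::` prefix list and the signature depth of three are choices made for this example, not anything WebKit's tooling does.

```python
"""Triage helper for macOS crash-report backtraces (added example, not WebKit code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One frame line: index, image, address, symbol + offset (file:line). The symbol is
# matched non-greedily and the tail is anchored, so nested parentheses and
# template arguments inside the symbol do not confuse the parser.
FRAME_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<image>\S+)\s+(?P<address>0x[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.*?) \+ (?P<offset>\d+) \((?P<file>[^:\s]+):(?P<line>\d+)\)\s*$"
)

# Namespaces treated as generic container code rather than the code that misused it.
# (Assumption of this example: only WTF:: frames are skipped.)
GENERIC_PREFIXES = ("WTF::",)


@dataclass(frozen=True)
class Frame:
    index: int
    image: str
    address: int
    symbol: str
    offset: int
    file: str
    line: int


def parse_frame(text: str) -> Optional[Frame]:
    """Return a Frame for a frame line, or None for headers and other text."""
    m = FRAME_RE.match(text)
    if not m:
        return None
    return Frame(int(m["index"]), m["image"], int(m["address"], 16), m["symbol"],
                 int(m["offset"]), m["file"], int(m["line"]))


def parse_backtrace(text: str) -> List[Frame]:
    """Keep only the lines that are frames; thread headers and blank lines are dropped."""
    return [f for f in map(parse_frame, text.splitlines()) if f is not None]


def strip_templates(symbol: str) -> str:
    """Remove every balanced <...> segment from a demangled C++ symbol."""
    out, depth = [], 0
    for ch in symbol:
        if ch == "<":
            depth += 1
        elif ch == ">" and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def short_name(symbol: str) -> str:
    """'WebCore::AudioBuffer::length() const' -> 'WebCore::AudioBuffer::length'."""
    name = strip_templates(symbol).split("(", 1)[0]
    parts = name.split()  # drops a leading return type such as 'long long'
    return parts[-1] if parts else name


def is_generic(frame: Frame, prefixes: Iterable[str] = GENERIC_PREFIXES) -> bool:
    return short_name(frame.symbol).startswith(tuple(prefixes))


def blame_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame that is not generic container code: where to start reading."""
    return next((f for f in frames if not is_generic(f)), None)


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Dedup key: the first `depth` non-generic frames, templates and params removed."""
    names = [short_name(f.symbol) for f in frames if not is_generic(f)]
    return " | ".join(names[:depth])


def triage(text: str) -> dict:
    """Summarize a backtrace: frame count, blame location, signature, JS entry point."""
    frames = parse_backtrace(text)
    blame = blame_frame(frames)
    return {
        "frames": len(frames),
        "blame": f"{short_name(blame.symbol)} ({blame.file}:{blame.line})" if blame else None,
        "signature": crash_signature(frames),
        "entry": short_name(frames[-1].symbol) if frames else None,
    }


# Excerpt of the backtrace from the report above (frames 7-9 omitted, whitespace normalized).
SAMPLE = """Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x00000006d22b5c8c WTF::VectorBufferBase<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, WTF::FastMalloc>::buffer() const + 12 (Vector.h:344)
1   com.apple.WebCore   0x00000006d22b5c78 WTF::Vector<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::data() const + 24 (Vector.h:727)
2   com.apple.WebCore   0x00000006d229ed55 WTF::Vector<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::begin() const + 21 (Vector.h:732)
3   com.apple.WebCore   0x00000006d229e2e3 WebCore::AudioBuffer::hasDetachedChannelBuffer() const + 35 (AudioBuffer.cpp:250)
4   com.apple.WebCore   0x00000006d22a10cc WebCore::AudioBuffer::length() const + 28 (AudioBuffer.h:57)
5   com.apple.WebCore   0x00000006d235abd7 WebCore::OfflineAudioContext::suspendOfflineRendering(double, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) + 311 (OfflineAudioContext.cpp:137)
6   com.apple.WebCore   0x00000006d10e4728 WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) + 536 (JSOfflineAudioContext.cpp:341)
10  com.apple.WebCore   0x00000006d1093ea4 WebCore::jsOfflineAudioContextPrototypeFunction_suspend(JSC::JSGlobalObject*, JSC::CallFrame*) + 36 (JSOfflineAudioContext.cpp:347)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run on the excerpt, `triage` reports the blame frame as `WebCore::AudioBuffer::hasDetachedChannelBuffer (AudioBuffer.cpp:250)` and the signature `WebCore::AudioBuffer::hasDetachedChannelBuffer | WebCore::AudioBuffer::length | WebCore::OfflineAudioContext::suspendOfflineRendering`, which is the path a reviewer reads first: the JS binding for `suspend()` reaches `suspendOfflineRendering`, which asks the render target for its length, and the container access under that is where the process dies. The signature is stable across builds because addresses, offsets and template arguments are not part of it.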
Comment 1 Chris Dumez 2020-12-03 09:57:12 PST
<rdar://71627586>
Comment 2 Chris Dumez 2020-12-03 09:58:53 PST
Created attachment 415307 [details]
Patch
Comment 3 Geoffrey Garen 2020-12-03 10:01:55 PST
Comment on attachment 415307 [details]
Patch

r=me
Comment 4 Chris Dumez 2020-12-03 13:05:49 PST
Created attachment 415333 [details]
Patch
Comment 5 EWS 2020-12-03 14:24:42 PST
Committed r270408: <https://trac.webkit.org/changeset/270408>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 415333 [details].