Bug 224400

Summary: Regression(r275668) Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double)
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Web Audio
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, darin, eric.carlson, ews-watchlist, ggaren, glenn, jer.noble, philipj, rniwa, sergio, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 224279
Attachments:
Patch (flags: none)

Description Chris Dumez 2021-04-09 16:52:05 PDT
Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double):
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000128
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001111a359a std::__1::unique_ptr<WebCore::AudioDestinationNode, std::__1::default_delete<WebCore::AudioDestinationNode> >::get() const + 0 (memory:2318) [inlined]
1   com.apple.WebCore                   0x00000001111a359a WTF::UniqueRef<WebCore::AudioDestinationNode>::operator->() const + 0 (UniqueRef.h:71) [inlined]
2   com.apple.WebCore                   0x00000001111a359a WebCore::BaseAudioContext::currentTime() const + 0 (BaseAudioContext.h:123) [inlined]
3   com.apple.WebCore                   0x00000001111a359a WebCore::AudioParam::exponentialRampToValueAtTime(float, double) + 154 (AudioParam.cpp:190)
4   com.apple.WebCore                   0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*) + 400 (JSAudioParam.cpp:379) [inlined]
5   com.apple.WebCore                   0x00000001107f5de8 long long WebCore::IDLOperation<WebCore::JSAudioParam>::call<&(WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 554 (JSDOMOperation.h:55) [inlined]
6   com.apple.WebCore                   0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTime(JSC::JSGlobalObject*, JSC::CallFrame*) + 584 (JSAudioParam.cpp:384)
Comment 1 Chris Dumez 2021-04-09 16:52:19 PDT
<rdar://76450376>
Comment 2 Chris Dumez 2021-04-09 16:54:59 PDT
Created attachment 425667 [details]
Patch
Comment 3 Chris Dumez 2021-04-10 15:41:27 PDT
Comment on attachment 425667 [details]
Patch

Clearing flags on attachment: 425667

Committed r275804 (236375@main): <https://commits.webkit.org/236375@main>
Comment 4 Chris Dumez 2021-04-10 15:41:29 PDT
All reviewed patches have been landed.  Closing bug.