Bug 224400

Summary: Regression(r275668) Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double)
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: Web AudioAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, darin, eric.carlson, ews-watchlist, ggaren, glenn, jer.noble, philipj, rniwa, sergio, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 224279    
Attachments:
Description Flags
Patch none

Chris Dumez
Reported 2021-04-09 16:52:05 PDT
Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double): Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000128 Exception Note: EXC_CORPSE_NOTIFY Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001111a359a std::__1::unique_ptr<WebCore::AudioDestinationNode, std::__1::default_delete<WebCore::AudioDestinationNode> >::get() const + 0 (memory:2318) [inlined] 1 com.apple.WebCore 0x00000001111a359a WTF::UniqueRef<WebCore::AudioDestinationNode>::operator->() const + 0 (UniqueRef.h:71) [inlined] 2 com.apple.WebCore 0x00000001111a359a WebCore::BaseAudioContext::currentTime() const + 0 (BaseAudioContext.h:123) [inlined] 3 com.apple.WebCore 0x00000001111a359a WebCore::AudioParam::exponentialRampToValueAtTime(float, double) + 154 (AudioParam.cpp:190) 4 com.apple.WebCore 0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*) + 400 (JSAudioParam.cpp:379) [inlined] 5 com.apple.WebCore 0x00000001107f5de8 long long WebCore::IDLOperation<WebCore::JSAudioParam>::call<&(WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 554 (JSDOMOperation.h:55) [inlined] 6 com.apple.WebCore 0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTime(JSC::JSGlobalObject*, JSC::CallFrame*) + 584 (JSAudioParam.cpp:384)
Attachments
Patch (4.14 KB, patch)
2021-04-09 16:54 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2021-04-09 16:52:19 PDT
<rdar://76450376>
Chris Dumez
Comment 2 2021-04-09 16:54:59 PDT
Created attachment 425667 [details] Patch
Chris Dumez
Comment 3 2021-04-10 15:41:27 PDT
Comment on attachment 425667 [details] Patch Clearing flags on attachment: 425667 Committed r275804 (236375@main): <https://commits.webkit.org/236375@main>
Chris Dumez
Comment 4 2021-04-10 15:41:29 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.