Visit this URL in Safari on iOS 8.1.2: http://www.scirra.com/labs/bugs/audiodecodecrash/ It attempts to download a file called step1.m4a and decode it with a Web Audio context. It immediately crashes the tab. It should call either the decode success or failure callbacks, alerting either "Audio decode OK" or "Audio decode error".
I can reproduce on OS X, too.
Thread 13 Crashed:: Audio Decoder
0 com.apple.JavaScriptCore 0x000000011095bf6e WTFCrash + 62
1 com.apple.WebCore 0x0000000111165799 WTF::CrashOnOverflow::overflowed() + 9
2 com.apple.WebCore 0x00000001111a0320 WTF::Checked<unsigned long, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag) + 16
3 com.apple.WebCore 0x00000001111a0309 WTF::Checked<unsigned long, WTF::CrashOnOverflow>::Checked(WTF::ResultOverflowedTag) + 9
4 com.apple.WebCore 0x00000001111a02f9 WebCore::AudioArray<float>::allocate(WTF::Checked<unsigned long, WTF::CrashOnOverflow>) + 217
5 com.apple.WebCore 0x000000011119e104 WebCore::AudioBus::AudioBus(unsigned int, unsigned long, bool) + 260
6 com.apple.WebCore 0x000000011119dfe5 WebCore::AudioBus::create(unsigned int, unsigned long, bool) + 69
rdar://problem/18921312
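The trace above aborts the process from a crash-on-overflow size check inside AudioArray<float>::allocate, while the report expects the decode failure callback instead. The following is an added example, not WebKit code and not the patch committed for this bug: it shows an overflow-checked buffer size that reports failure to the caller rather than crashing. The function names, the 16-byte padding and the mapping to the two alert strings are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdlib>
#include <limits>
#include <memory>
#include <optional>
#include <string>

// Hypothetical owning pointer for sample data; freed with std::free.
using FloatPtr = std::unique_ptr<float, void (*)(void*)>;

// Byte count for `frames` float samples plus alignment padding.
// Returns nullopt when the multiplication or the addition would wrap
// around size_t, so the caller can fail the decode instead of aborting.
std::optional<std::size_t> checkedByteSize(std::size_t frames, std::size_t padding) {
    constexpr std::size_t maxSize = std::numeric_limits<std::size_t>::max();
    if (frames > maxSize / sizeof(float))
        return std::nullopt;              // frames * sizeof(float) would overflow
    std::size_t bytes = frames * sizeof(float);
    if (bytes > maxSize - padding)
        return std::nullopt;              // bytes + padding would overflow
    return bytes + padding;
}

// Allocation that returns a null pointer on overflow or out-of-memory.
FloatPtr tryAllocate(std::size_t frames) {
    auto bytes = checkedByteSize(frames, 16);   // 16 is an assumed padding
    if (!bytes)
        return FloatPtr(nullptr, std::free);
    return FloatPtr(static_cast<float*>(std::malloc(*bytes)), std::free);
}

// Stand-in for the decode path: a frame count taken from the file header
// (untrusted input) always ends in exactly one of the two outcomes.
std::string decodeOutcome(std::size_t reportedFrames) {
    FloatPtr samples = tryAllocate(reportedFrames);
    return samples ? "Audio decode OK" : "Audio decode error";
}
```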
Created attachment 247970
Patch
Comment on attachment 247970
Patch
Clearing flags on attachment: 247970
Committed r181174: <http://trac.webkit.org/changeset/181174>
All reviewed patches have been landed. Closing bug.
This still reproduces on iOS, filed bug 160146.