169956 – [Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value

RESOLVED FIXED Bug 169956

[Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value

https://bugs.webkit.org/show_bug.cgi?id=169956

Summary [Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value

buch0

Reported 2017-03-22 08:03:11 PDT

CODE: <script> var context = new webkitAudioContext().createBuffer(2, -1, 44100); </script> so i don't know which select component... maybe don't checking second argument value and don't check failed allocate. LLDB LOG: * thread #1: tid = 0x26f30, 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) frame #0: 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8 JavaScriptCore`JSC::ArrayBufferView::setNeuterable: -> 0x7fff7964ac08 <+8>: movl 0x18(%rdi), %ecx 0x7fff7964ac0b <+11>: movl %ecx, %edx 0x7fff7964ac0d <+13>: shrl $0x1f, %edx 0x7fff7964ac10 <+16>: cmpl %edx, %eax (lldb) reg re General Purpose Registers: rax = 0x0000000000000000 rbx = 0x0000000000000002 rcx = 0x0000000000000000 rdx = 0x00000000fffffffc rdi = 0x0000000000000000 rsi = 0x0000000000000000 rbp = 0x00007fff5e8ead40 rsp = 0x00007fff5e8ead40 r8 = 0x00007fff5e8eae2c r9 = 0x0000000105b9eda0 r10 = 0x0000000104f78ce0 r11 = 0x00000001057f57d0 r12 = 0x00007fff5e8ead58 r13 = 0x000000000000000a r14 = 0x0000000104e7cd80 r15 = 0x0000000104e7cda0 rip = 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8 rflags = 0x0000000000010246 cs = 0x000000000000002b fs = 0x0000000000000000 gs = 0x0000000000000000 (lldb) bt * thread #1: tid = 0x26f30, 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) * frame #0: 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8 frame #1: 0x00007fff7e228907 WebCore`WebCore::AudioBuffer::AudioBuffer(unsigned int, unsigned long, float) + 151 frame #2: 0x00007fff7e2286fe WebCore`WebCore::AudioBuffer::create(unsigned int, unsigned long, float) + 94 frame #3: 0x00007fff7e22f4cf WebCore`WebCore::AudioContext::createBuffer(unsigned int, unsigned long, float, int&) + 31 frame #4: 0x00007fff7e6f10ee WebCore`WebCore::jsAudioContextPrototypeFunctionCreateBuffer(JSC::ExecState*) + 1102 frame #5: 0x000050543c201028 frame #6: 0x00007fff79bf2595 JavaScriptCore`llint_entry + 24967 frame #7: 0x00007fff79bec22b JavaScriptCore`vmEntryToJavaScript + 299 frame #8: 0x00007fff79ab1e0e JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 frame #9: 0x00007fff793cfdac JavaScriptCore`JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 16380 frame #10: 0x00007fff7975fcb5 JavaScriptCore`JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469 frame #11: 0x00007fff7ece7f4e WebCore`WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 302 frame #12: 0x00007fff7dfc0d23 WebCore`WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 563 frame #13: 0x00007fff7dfbfd4a WebCore`WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1066 frame #14: 0x00007fff7dfbf442 WebCore`WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 338 frame #15: 0x00007fff7dfbf280 WebCore`WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 frame #16: 0x00007fff7dfbf196 WebCore`WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 86 frame #17: 0x00007fff7e59fc7d WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 669 frame #18: 0x00007fff7df57293 WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115 frame #19: 0x00007fff7e59ffb0 WebCore`WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) + 480 frame #20: 0x00007fff7e3a5edc WebCore`WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) + 92 frame #21: 0x00007fff7df55f4b WebCore`WebCore::DocumentWriter::end() + 43 frame #22: 0x00007fff7df4824c WebCore`WebCore::DocumentLoader::finishedLoading(double) + 268 frame #23: 0x00007fff7dfd5c5e WebCore`WebCore::CachedResource::checkNotify() + 158 frame #24: 0x00007fff7e279801 WebCore`WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 225 frame #25: 0x00007fff7dfd5a22 WebCore`WebCore::SubresourceLoader::didFinishLoading(double) + 1218 frame #26: 0x00007fff7f2e7507 WebKit`WebKit::WebResourceLoader::didFinishResourceLoad(double) + 159 frame #27: 0x00007fff7f52519a WebKit`WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 362 frame #28: 0x00007fff7f365f39 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 119 frame #29: 0x00007fff7f3688e6 WebKit`IPC::Connection::dispatchOneMessage() + 126 frame #30: 0x00007fff79dad439 JavaScriptCore`WTF::RunLoop::performWork() + 169 frame #31: 0x00007fff79dad652 JavaScriptCore`WTF::RunLoop::performWork(void*) + 34 frame #32: 0x00007fff76f5b981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 frame #33: 0x00007fff76f3ca7d CoreFoundation`__CFRunLoopDoSources0 + 557 frame #34: 0x00007fff76f3bf76 CoreFoundation`__CFRunLoopRun + 934 frame #35: 0x00007fff76f3b974 CoreFoundation`CFRunLoopRunSpecific + 420 frame #36: 0x00007fff764c7a5c HIToolbox`RunCurrentEventLoopInMode + 240 frame #37: 0x00007fff764c7891 HIToolbox`ReceiveNextEventCommon + 432 frame #38: 0x00007fff764c76c6 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71 frame #39: 0x00007fff74a6d5b4 AppKit`_DPSNextEvent + 1120 frame #40: 0x00007fff751e7d6b AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789 frame #41: 0x00007fff74a61f35 AppKit`-[NSApplication run] + 926 frame #42: 0x00007fff74a2c850 AppKit`NSApplicationMain + 1237 frame #43: 0x00007fff8c6f78c7 libxpc.dylib`_xpc_objc_main + 775 frame #44: 0x00007fff8c6f62e4 libxpc.dylib`xpc_main + 494 frame #45: 0x00000001013137a2 com.apple.WebKit.WebContent`___lldb_unnamed_symbol1$$com.apple.WebKit.WebContent + 380 frame #46: 0x00007fff8c493255 libdyld.dylib`start + 1 (lldb)

Attachments
Proposed patch. (4.75 KB, patch) 2017-03-25 10:03 PDT, Eric Carlson	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews124 for ios-simulator-wk2 (978.19 KB, application/zip) 2017-03-26 08:36 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews122 for ios-simulator-wk2 (880.45 KB, application/zip) 2017-03-26 13:29 PDT, Build Bot	no flags	Details
Updated patch. (5.49 KB, patch) 2017-03-27 11:07 PDT, Eric Carlson	youennf: review+	Details Formatted Diff Diff
Patch for landing. (5.52 KB, patch) 2017-03-30 09:48 PDT, Eric Carlson	no flags	Details Formatted Diff Diff
Patch for landing. (5.58 KB, patch) 2017-03-30 12:46 PDT, Eric Carlson	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Eric Carlson

Comment 1 2017-03-25 10:03:32 PDT

Created attachment 305379 [details] Proposed patch.

buch0

Comment 2 2017-03-25 22:14:41 PDT

Thanks for Patch. i love apple

Build Bot

Comment 3 2017-03-26 08:36:43 PDT

Comment on attachment 305379 [details] Proposed patch. Attachment 305379 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/3413176 New failing tests: fast/scrolling/ios/touch-scroll-pointer-events-none.html fast/history/page-cache-createObjectURL-using-open-panel.html

Build Bot

Comment 4 2017-03-26 08:36:45 PDT

Created attachment 305423 [details] Archive of layout-test-results from ews124 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6

Eric Carlson

Comment 5 2017-03-26 12:57:46 PDT

(In reply to Build Bot from comment #4) > Created attachment 305423 [details] > Archive of layout-test-results from ews124 for ios-simulator-wk2 > > The attached test failures were seen while running run-webkit-tests on the > ios-sim-ews. > Bot: ews124 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6 These are unrelated to the patch.

Build Bot

Comment 6 2017-03-26 13:29:44 PDT

Comment on attachment 305379 [details] Proposed patch. Attachment 305379 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/3414049 New failing tests: fast/css/getComputedStyle/computed-style-font-family.html

Build Bot

Comment 7 2017-03-26 13:29:46 PDT

Created attachment 305433 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6

buch0

Comment 8 2017-03-27 01:55:44 PDT

(In reply to Build Bot from comment #6) > Comment on attachment 305379 [details] > Proposed patch. > > Attachment 305379 [details] did not pass ios-sim-ews (ios-simulator-wk2): > Output: http://webkit-queues.webkit.org/results/3414049 > > New failing tests: > fast/css/getComputedStyle/computed-style-font-family.html okay thanks man :D

Eric Carlson

Comment 9 2017-03-27 10:15:40 PDT

Comment on attachment 305379 [details] Proposed patch. I need to revise this.

Eric Carlson

Comment 10 2017-03-27 11:07:53 PDT

Created attachment 305487 [details] Updated patch.

youenn fablet

Comment 11 2017-03-27 16:41:07 PDT

Comment on attachment 305487 [details] Updated patch. View in context: https://bugs.webkit.org/attachment.cgi?id=305487&action=review > Source/WebCore/Modules/webaudio/AudioBuffer.cpp:47 > + RefPtr<AudioBuffer> buffer = adoptRef(*new AudioBuffer(numberOfChannels, numberOfFrames, sampleRate)); Should be auto or Ref<>. > Source/WebCore/Modules/webaudio/AudioBuffer.cpp:48 > + if (!buffer || !buffer->m_length) Should just be !buffer->m_length I guess. In the case of !buffer, we are probably in a very bad situation and will crash anyway. > Source/WebCore/Modules/webaudio/AudioBuffer.cpp:76 > m_channels.append(channelDataArray); Use WTFMove here. Or maybe refactor to put more code in common between the constructors, like an allocateChannelDataArray method that would be called fromAudioBuffer::create. > Source/WebCore/Modules/webaudio/AudioBuffer.cpp:95 > channelDataArray->setRange(bus.channel(i)->data(), m_length, 0); Why are we setting the range here but not in the other constructor?

Eric Carlson

Comment 12 2017-03-30 09:48:37 PDT

Created attachment 305866 [details] Patch for landing.

Eric Carlson

Comment 13 2017-03-30 12:46:10 PDT

Created attachment 305877 [details] Patch for landing.

WebKit Commit Bot

Comment 14 2017-03-30 13:17:18 PDT

Comment on attachment 305877 [details] Patch for landing. Clearing flags on attachment: 305877 Committed r214618: <http://trac.webkit.org/changeset/214618>

WebKit Commit Bot

Comment 15 2017-03-30 13:17:23 PDT

All reviewed patches have been landed. Closing bug.

Brent Fulgham

Comment 16 2017-06-05 14:47:02 PDT

<rdar://problem/25954398>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Web Audio

Assignee

Eric Carlson

Reported

2017-03-22 08:03 PDT

Modified

2017-06-05 14:47 PDT History

CC List

5 users Show

URL

Keywords InRadar

Depends on

Blocks