Bug 218603 - Crash in AudioBuffer::sampleRate()
Summary: Crash in AudioBuffer::sampleRate()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Audio (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-11-05 00:12 PST by Ryosuke Niwa
Modified: 2020-11-10 09:01 PST (History)
CC: 16 users

See Also:


Attachments
Patch (20.29 KB, patch)
2020-11-05 13:14 PST, Chris Dumez

Description Ryosuke Niwa 2020-11-05 00:12:50 PST
<script>
let ctx = new OfflineAudioContext(1, 2**29, 3000);
new OscillatorNode(ctx);
</script>

results in this:
=================================================================
==67805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00011d7f33c2 bp 0x7ffee9ad5d60 sp 0x7ffee9ad5d60 T0)
==67805==The signal is caused by a READ memory access.
==67805==Hint: address points to the zero page.
==67805==WARNING: invalid path to external symbolizer!
==67805==WARNING: Failed to use and restart external symbolizer!
    #0 0x11d7f33c2 in WebCore::AudioBuffer::sampleRate() const+0x22 (WebCore.framework/Versions/A/WebCore:x86_64+0x5ee3c2)
    #1 0x11faf4e9b in WebCore::OfflineAudioDestinationNode::sampleRate() const+0x2b (WebCore.framework/Versions/A/WebCore:x86_64+0x28efe9b)
    #2 0x11fa8b9df in WebCore::BaseAudioContext::sampleRate() const+0x5f (WebCore.framework/Versions/A/WebCore:x86_64+0x28869df)
    #3 0x11fae4a8c in WebCore::OscillatorNode::OscillatorNode(WebCore::BaseAudioContext&, WebCore::OscillatorOptions const&)+0x1cc (WebCore.framework/Versions/A/WebCore:x86_64+0x28dfa8c)
    #4 0x11fae4068 in WebCore::OscillatorNode::OscillatorNode(WebCore::BaseAudioContext&, WebCore::OscillatorOptions const&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x28df068)
    #5 0x11fae3cbe in WebCore::OscillatorNode::create(WebCore::BaseAudioContext&, WebCore::OscillatorOptions const&)+0x22e (WebCore.framework/Versions/A/WebCore:x86_64+0x28decbe)
    #6 0x11e48f9c5 in WebCore::JSDOMConstructor<WebCore::JSOscillatorNode>::construct(JSC::JSGlobalObject*, JSC::CallFrame*)+0x295 (WebCore.framework/Versions/A/WebCore:x86_64+0x128a9c5)
    #7 0x138e17017 in JSC::NativeFunction::operator()(JSC::JSGlobalObject*, JSC::CallFrame*)+0x27 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x258a017)
    #8 0x138e16f45 in JSC::TaggedNativeFunction::operator()(JSC::JSGlobalObject*, JSC::CallFrame*)+0xe5 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2589f45)
    #9 0x138eba6dd in JSC::LLInt::handleHostCall(JSC::CallFrame*, JSC::JSValue, JSC::CodeSpecializationKind)+0x2bd (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x262d6dd)
    #10 0x138eb9fa3 in JSC::LLInt::setUpCall(JSC::CallFrame*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*)+0x773 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x262cfa3)
    #11 0x138ea005b in JSC::SlowPathReturnType JSC::LLInt::genericCall<JSC::OpConstruct>(JSC::CodeBlock*, JSC::CallFrame*, JSC::OpConstruct&&, JSC::CodeSpecializationKind, unsigned int)+0x1ab (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x261305b)
    #12 0x138e9fe30 in llint_slow_path_construct+0x120 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2612e30)
    #13 0x13745394d in llint_entry+0x1cbaf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbc694d)
    #14 0x137436ba8 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xba9ba8)
    #15 0x138b9aba5 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x6d45 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x230dba5)
    #16 0x1392df16e in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x21e (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2a5216e)
    #17 0x1392df427 in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0xe7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2a52427)
    #18 0x12016bd39 in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0xd9 (WebCore.framework/Versions/A/WebCore:x86_64+0x2f66d39)
    #19 0x12016b549 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0x2e9 (WebCore.framework/Versions/A/WebCore:x86_64+0x2f66549)
    #20 0x12016b13d in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0xed (WebCore.framework/Versions/A/WebCore:x86_64+0x2f6613d)
    #21 0x12016bf3f in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)+0x1f (WebCore.framework/Versions/A/WebCore:x86_64+0x2f66f3f)
    #22 0x120a18a7c in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)+0x3bc (WebCore.framework/Versions/A/WebCore:x86_64+0x3813a7c)
    #23 0x120a1538e in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)+0xb0e (WebCore.framework/Versions/A/WebCore:x86_64+0x381038e)
    #24 0x121179426 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)+0x206 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f74426)
    #25 0x1211790f4 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::DumbPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&)+0x84 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f740f4)
    #26 0x12114fbf2 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()+0x3f2 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f4abf2)
    #27 0x1211502b7 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x367 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f4b2b7)
    #28 0x12114f1de in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x18e (WebCore.framework/Versions/A/WebCore:x86_64+0x3f4a1de)
    #29 0x12114eda5 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)+0x65 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f49da5)
    #30 0x121151302 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&)+0x332 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f4c302)
    #31 0x1207b9aaf in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)+0x14f (WebCore.framework/Versions/A/WebCore:x86_64+0x35b4aaf)
    #32 0x121666a13 in WebCore::DocumentWriter::end()+0x153 (WebCore.framework/Versions/A/WebCore:x86_64+0x4461a13)
    #33 0x12166552c in WebCore::DocumentLoader::finishedLoading()+0x2dc (WebCore.framework/Versions/A/WebCore:x86_64+0x446052c)
    #34 0x121664e93 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x2d3 (WebCore.framework/Versions/A/WebCore:x86_64+0x445fe93)
    #35 0x12182c1ff in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x17f (WebCore.framework/Versions/A/WebCore:x86_64+0x46271ff)
    #36 0x12182682e in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x4e (WebCore.framework/Versions/A/WebCore:x86_64+0x462182e)
    #37 0x1218280e8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x258 (WebCore.framework/Versions/A/WebCore:x86_64+0x46230e8)
    #38 0x12179bd82 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x732 (WebCore.framework/Versions/A/WebCore:x86_64+0x4596d82)
    #39 0x1130023b6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&)+0x286 (WebKit.framework/Versions/A/WebKit:x86_64+0x1afd3b6)
    #40 0x113721251 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x61 (WebKit.framework/Versions/A/WebKit:x86_64+0x221c251)
    #41 0x1137211d8 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))+0x28 (WebKit.framework/Versions/A/WebKit:x86_64+0x221c1d8)
    #42 0x11371ec46 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))+0x146 (WebKit.framework/Versions/A/WebKit:x86_64+0x2219c46)
    #43 0x11371e253 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x1a3 (WebKit.framework/Versions/A/WebKit:x86_64+0x2219253)
    #44 0x112fc31aa in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0xfa (WebKit.framework/Versions/A/WebKit:x86_64+0x1abe1aa)
    #45 0x1115a295e in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x1ce (WebKit.framework/Versions/A/WebKit:x86_64+0x9d95e)
    #46 0x1115a35f7 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x167 (WebKit.framework/Versions/A/WebKit:x86_64+0x9e5f7)
    #47 0x1115a4116 in IPC::Connection::dispatchOneIncomingMessage()+0x196 (WebKit.framework/Versions/A/WebKit:x86_64+0x9f116)
    #48 0x1115c11d5 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7::operator()()+0x35 (WebKit.framework/Versions/A/WebKit:x86_64+0xbc1d5)
    #49 0x1115c113c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7, void>::call()+0xc (WebKit.framework/Versions/A/WebKit:x86_64+0xbc13c)
    #50 0x1368c547e in WTF::Function<void ()>::operator()() const+0x3e (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3847e)
    #51 0x13695cf38 in WTF::RunLoop::performWork()+0x228 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xcff38)
    #52 0x136960175 in WTF::RunLoop::performWork(void*)+0xb5 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd3175)


<rdar://problem/70532749>
Comment 1 Chris Dumez 2020-11-05 12:45:18 PST
This likely just needs a null-check on the m_renderTarget. It is possible to construct an OfflineAudioContext which has no renderTarget buffer and the buffer creation failed.
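The failure mode described in the comment above, as an added C++ illustration that is not WebKit's code and does not reproduce the actual patch landed in r269475: a toy AudioBuffer whose fallible factory returns nullptr when a request exceeds a constructed allocation budget (the reporter's 2**29 frames of float32 is 2 GiB for a single channel), a destination node whose sampleRate() dereferences the render target unconditionally (the pattern behind a SEGV on address 0x8, consistent with reading a field of a null object), and two defences: a null-check with a fallback in the getter, and refusing to build the context at all when the buffer cannot be created. The class names, the budget constant and the fallback policy are assumptions made for this illustration.

```cpp
// Added illustration, not WebKit code: a failed render-target allocation
// reaching a getter that assumes the buffer exists, and two ways to guard it.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <new>
#include <utility>

// Constructed allocation budget for the demo so the 2**29-frame request fails
// deterministically without actually trying to allocate 2 GiB.
constexpr std::size_t kAllocationBudgetBytes = 256u * 1024u * 1024u;

// Toy stand-in for WebCore::AudioBuffer: one float32 channel.
class AudioBuffer {
public:
    // Fallible factory: returns nullptr instead of a buffer when the request is
    // over budget or the allocator refuses. This is the state the bug depends on.
    static std::unique_ptr<AudioBuffer> create(std::size_t length, float rate,
                                               std::size_t maxBytes) {
        if (length > maxBytes / sizeof(float))
            return nullptr;
        float* data = new (std::nothrow) float[length]();
        if (!data)
            return nullptr;
        return std::unique_ptr<AudioBuffer>(new AudioBuffer(data, length, rate));
    }
    float sampleRate() const { return m_rate; }
    std::size_t length() const { return m_length; }

private:
    AudioBuffer(float* data, std::size_t length, float rate)
        : m_data(data), m_length(length), m_rate(rate) {}
    std::unique_ptr<float[]> m_data;
    std::size_t m_length;
    float m_rate;
};

// The pattern that crashed: sampleRate() trusts m_renderTarget unconditionally.
// With a null target this is a null dereference (undefined behaviour), the kind
// of access the ASan report above flags as a read from the zero page.
class DestinationNode {
public:
    explicit DestinationNode(std::unique_ptr<AudioBuffer> target)
        : m_renderTarget(std::move(target)) {}
    float sampleRate() const { return m_renderTarget->sampleRate(); }

private:
    std::unique_ptr<AudioBuffer> m_renderTarget;
};

// Defence 1: check at the use site and fall back to the rate the context was
// asked for (the fallback policy is an assumption of this illustration).
class NullCheckedDestinationNode {
public:
    NullCheckedDestinationNode(std::unique_ptr<AudioBuffer> target, float requestedRate)
        : m_renderTarget(std::move(target)), m_requestedRate(requestedRate) {}
    bool hasRenderTarget() const { return m_renderTarget != nullptr; }
    float sampleRate() const {
        return m_renderTarget ? m_renderTarget->sampleRate() : m_requestedRate;
    }

private:
    std::unique_ptr<AudioBuffer> m_renderTarget;
    float m_requestedRate;
};

// Defence 2: refuse to build the destination at all when the render target
// cannot be allocated, so no node is ever constructed against a half-built
// context. nullptr here stands in for a constructor that throws.
std::unique_ptr<DestinationNode> createDestinationOrFail(std::size_t frames, float rate,
                                                         std::size_t maxBytes) {
    auto target = AudioBuffer::create(frames, rate, maxBytes);
    if (!target)
        return nullptr;
    return std::make_unique<DestinationNode>(std::move(target));
}

int main() {
    const std::size_t hugeFrames = static_cast<std::size_t>(1) << 29; // reporter's 2**29
    auto failed = createDestinationOrFail(hugeFrames, 3000.0f, kAllocationBudgetBytes);
    std::printf("2**29 frames: %s\n", failed ? "created" : "rejected at construction");

    NullCheckedDestinationNode guarded(
        AudioBuffer::create(hugeFrames, 3000.0f, kAllocationBudgetBytes), 3000.0f);
    std::printf("guarded getter with null target: %g Hz (hasRenderTarget=%d)\n",
                guarded.sampleRate(), guarded.hasRenderTarget());

    auto ok = createDestinationOrFail(44100, 3000.0f, kAllocationBudgetBytes);
    std::printf("44100 frames: %g Hz\n", ok ? ok->sampleRate() : 0.0f);
    return 0;
}
```

Of the two defences, failing at construction is the stronger one: it keeps the "render target exists" invariant true for every node that can ever observe the context, whereas the null-check only protects the one getter that was patched and leaves every other consumer of m_renderTarget to remember the same check.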
Comment 2 Chris Dumez 2020-11-05 13:14:33 PST
Created attachment 413346 [details]
Patch
Comment 3 Geoffrey Garen 2020-11-05 13:19:42 PST
Comment on attachment 413346 [details]
Patch

r=me
Comment 4 EWS 2020-11-05 14:22:06 PST
Committed r269475: <https://trac.webkit.org/changeset/269475>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 413346 [details].