WebKit Bugzilla

Bug 219496 - Crash when trying to suspend an OfflineAudioContext with a bad buffer
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=219496
Chris Dumez, Reported 2020-12-03 09:56:26 PST

Crash when trying to suspend an OfflineAudioContext with a bad buffer:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0  com.apple.WebCore  0x00000006d22b5c8c WTF::VectorBufferBase<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, WTF::FastMalloc>::buffer() const + 12 (Vector.h:344)
1  com.apple.WebCore  0x00000006d22b5c78 WTF::Vector<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::data() const + 24 (Vector.h:727)
2  com.apple.WebCore  0x00000006d229ed55 WTF::Vector<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::begin() const + 21 (Vector.h:732)
3  com.apple.WebCore  0x00000006d229e2e3 WebCore::AudioBuffer::hasDetachedChannelBuffer() const + 35 (AudioBuffer.cpp:250)
4  com.apple.WebCore  0x00000006d22a10cc WebCore::AudioBuffer::length() const + 28 (AudioBuffer.h:57)
5  com.apple.WebCore  0x00000006d235abd7 WebCore::OfflineAudioContext::suspendOfflineRendering(double, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) + 311 (OfflineAudioContext.cpp:137)
6  com.apple.WebCore  0x00000006d10e4728 WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) + 536 (JSOfflineAudioContext.cpp:341)
7  com.apple.WebCore  0x00000006d10e4c4e long long WebCore::IDLOperationReturningPromise<WebCore::JSOfflineAudioContext>::call<&(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) const + 670 (JSDOMOperationReturningPromise.h:50)
8  com.apple.WebCore  0x00000006d10e48ff JSC::JSValue WebCore::callPromiseFunction<long long WebCore::IDLOperationReturningPromise<WebCore::JSOfflineAudioContext>::call<&(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)>(JSC::JSGlobalObject&, JSC::CallFrame&, &(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&))) + 399 (JSDOMPromiseDeferred.h:340)
9  com.apple.WebCore  0x00000006d10e44fd long long WebCore::IDLOperationReturningPromise<WebCore::JSOfflineAudioContext>::call<&(WebCore::jsOfflineAudioContextPrototypeFunction_suspendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSOfflineAudioContext*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 45 (JSDOMOperationReturningPromise.h:41)
10 com.apple.WebCore  0x00000006d1093ea4 WebCore::jsOfflineAudioContextPrototypeFunction_suspend(JSC::JSGlobalObject*, JSC::CallFrame*) + 36 (JSOfflineAudioContext.cpp:347)
Attachments

Patch (5.10 KB, patch), 2020-12-03 09:58 PST, Chris Dumez, no flags (obsolete)
Patch (6.05 KB, patch), 2020-12-03 13:05 PST, Chris Dumez, no flags
Chris Dumez, Comment 1, 2020-12-03 09:57:12 PST

<rdar://71627586>

Chris Dumez, Comment 2, 2020-12-03 09:58:53 PST

Created attachment 415307 [details]
Patch

Geoffrey Garen, Comment 3, 2020-12-03 10:01:55 PST

Comment on attachment 415307 [details]
Patch

r=me

Chris Dumez, Comment 4, 2020-12-03 13:05:49 PST

Created attachment 415333 [details]
Patch

EWS, Comment 5, 2020-12-03 14:24:42 PST

Committed r270408: <https://trac.webkit.org/changeset/270408>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 415333 [details].