RESOLVED FIXED 223452
Avoid heap allocation under AudioWorkletNode::process() 
https://bugs.webkit.org/show_bug.cgi?id=223452
Summary Avoid heap allocation under AudioWorkletNode::process()
Chris Dumez
Reported 2021-03-18 10:33:19 PDT
Avoid heap allocation under AudioWorkletNode::process(): Thread 18 Crashed:: WebCore: AudioWorklet 0 com.apple.JavaScriptCore 0x000000079fd74aee 0x79fd72000 + 10990 1 com.apple.JavaScriptCore 0x00000007a151229b 0x79fd72000 + 24773275 2 com.apple.JavaScriptCore 0x000000079fdb2a5f 0x79fd72000 + 264799 3 com.apple.WebCore 0x0000000782bfadb5 WebCore::AudioArray<float>::resize(WTF::Checked<unsigned long, WTF::CrashOnOverflow>) + 133 (AudioArray.h:65) 4 com.apple.WebCore 0x0000000782c33965 WebCore::AudioWorkletNode::process(unsigned long) + 1333 (AudioWorkletNode.cpp:217) 5 com.apple.WebCore 0x0000000782bd8c8e WebCore::AudioNode::processIfNecessary(unsigned long) + 462 (AudioNode.cpp:474) 6 com.apple.WebCore 0x0000000782bdb547 WebCore::AudioNodeOutput::pull(WebCore::AudioBus*, unsigned long) + 407 (AudioNodeOutput.cpp:124) 7 com.apple.WebCore 0x0000000782bdb316 WebCore::AudioNodeInput::sumAllConnections(WebCore::AudioBus*, unsigned long) + 566 (AudioNodeInput.cpp:197) 8 com.apple.WebCore 0x0000000782bd3b47 WebCore::AudioNodeInput::pull(WebCore::AudioBus*, unsigned long) + 295 (AudioNodeInput.cpp:225) 9 com.apple.WebCore 0x0000000782bd36e5 WebCore::AudioDestinationNode::render(WebCore::AudioBus*, WebCore::AudioBus*, unsigned long, WebCore::AudioIOPosition const&) + 469 (AudioDestinationNode.cpp:94) 10 com.apple.WebCore 0x0000000782c9a7ad WebCore::OfflineAudioDestinationNode::offlineRender() + 877 (OfflineAudioDestinationNode.cpp:164) 11 com.apple.WebCore 0x0000000782cba4c3 WebCore::OfflineAudioDestinationNode::startRendering(WTF::CompletionHandler<void (WTF::Optional<WebCore::Exception>&&)>&&)::$_2::operator()() + 35 (OfflineAudioDestinationNode.cpp:103) 12 com.apple.WebCore 0x0000000782cba499 WebCore::OfflineAudioDestinationNode::startRendering(WTF::CompletionHandler<void (WTF::Optional<WebCore::Exception>&&)>&&)::$_3::operator()(WebCore::ScriptExecutionContext&) + 25 (OfflineAudioDestinationNode.cpp:124) 13 com.apple.WebCore 0x0000000782cba3f3 WTF::Detail::CallableWrapper<WebCore::OfflineAudioDestinationNode::startRendering(WTF::CompletionHandler<void (WTF::Optional<WebCore::Exception>&&)>&&)::$_3, void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&) + 51 (Function.h:52) 14 com.apple.WebCore 0x0000000782f1cdaa WTF::Function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const + 154 (Function.h:83) 15 com.apple.WebCore 0x0000000782f13e9d WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&) + 29 (ScriptExecutionContext.h:192) 16 com.apple.WebCore 0x00000007856aef90 WebCore::WorkerRunLoop::Task::performTask(WebCore::WorkerOrWorkletGlobalScope*) + 128 (WorkerRunLoop.cpp:270)
Attachments
Patch (3.91 KB, patch)
2021-03-18 10:44 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (3.95 KB, patch)
2021-03-18 14:00 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (3.93 KB, patch)
2021-03-18 14:35 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2021-03-18 10:44:32 PDT
Created attachment 423615 [details] Patch
Peng Liu
Comment 2 2021-03-18 13:59:36 PDT
Comment on attachment 423615 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=423615&action=review > Source/WebCore/ChangeLog:8 > + Always use arrays of size 128 (render quantum) for AudioParam values. We use to Nit. s/use to/used to/g
Chris Dumez
Comment 3 2021-03-18 14:00:57 PDT
Created attachment 423650 [details] Patch
Darin Adler
Comment 4 2021-03-18 14:33:07 PDT
Comment on attachment 423650 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=423650&action=review > Source/WebCore/ChangeLog:26 > + behavior is thus consistant with Blink. consistent > Source/WebCore/Modules/webaudio/AudioWorkletNode.cpp:215 > + std::fill(paramValues->data(), paramValues->data() + framesToProcess, audioParam->finalValue()); How about using std::fill_n instead?
Chris Dumez
Comment 5 2021-03-18 14:35:35 PDT
Created attachment 423659 [details] Patch
EWS
Comment 6 2021-03-18 15:42:32 PDT
Committed r274677: <https://commits.webkit.org/r274677> All reviewed patches have been landed. Closing bug and clearing flags on attachment 423659 [details].
Radar WebKit Bug Importer
Comment 7 2021-03-18 15:43:14 PDT
<rdar://problem/75594322>
Note You need to log in before you can comment on or make changes to this bug.