224400 – Regression(r275668) Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double)

RESOLVED FIXED 224400

Regression(r275668) Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double)

https://bugs.webkit.org/show_bug.cgi?id=224400

Summary Regression(r275668) Potential null pointer deref in AudioParam::exponentialRa...

Chris Dumez

Reported 2021-04-09 16:52:05 PDT

Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double): Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000128 Exception Note: EXC_CORPSE_NOTIFY Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001111a359a std::__1::unique_ptr<WebCore::AudioDestinationNode, std::__1::default_delete<WebCore::AudioDestinationNode> >::get() const + 0 (memory:2318) [inlined] 1 com.apple.WebCore 0x00000001111a359a WTF::UniqueRef<WebCore::AudioDestinationNode>::operator->() const + 0 (UniqueRef.h:71) [inlined] 2 com.apple.WebCore 0x00000001111a359a WebCore::BaseAudioContext::currentTime() const + 0 (BaseAudioContext.h:123) [inlined] 3 com.apple.WebCore 0x00000001111a359a WebCore::AudioParam::exponentialRampToValueAtTime(float, double) + 154 (AudioParam.cpp:190) 4 com.apple.WebCore 0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*) + 400 (JSAudioParam.cpp:379) [inlined] 5 com.apple.WebCore 0x00000001107f5de8 long long WebCore::IDLOperation<WebCore::JSAudioParam>::call<&(WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 554 (JSDOMOperation.h:55) [inlined] 6 com.apple.WebCore 0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTime(JSC::JSGlobalObject*, JSC::CallFrame*) + 584 (JSAudioParam.cpp:384)

Attachments
Patch (4.14 KB, patch) 2021-04-09 16:54 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2021-04-09 16:52:19 PDT

<rdar://76450376>

Chris Dumez

Comment 2 2021-04-09 16:54:59 PDT

Created attachment 425667 [details] Patch

Chris Dumez

Comment 3 2021-04-10 15:41:27 PDT

Comment on attachment 425667 [details] Patch Clearing flags on attachment: 425667 Committed r275804 (236375@main): <https://commits.webkit.org/236375@main>

Chris Dumez

Comment 4 2021-04-10 15:41:29 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Web Audio

Assignee

Chris Dumez

Reported

2021-04-09 16:52 PDT

Modified

2021-04-10 15:41 PDT History

CC List

11 users Show

URL

Keywords InRadar

Depends on

Blocks

224279

Dependencies

tree graph