224400 – Regression(r275668) Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double)

Bug 224400 - Regression(r275668) Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double)

Summary: Regression(r275668) Potential null pointer deref in AudioParam::exponentialRa...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Web Audio (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:	224279
	Show dependency tree / graph

Reported:	2021-04-09 16:52 PDT by Chris Dumez
Modified:	2021-04-10 15:41 PDT (History)
CC List:	11 users (show)

See Also:

Attachments
Patch (4.14 KB, patch) 2021-04-09 16:54 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2021-04-09 16:52:05 PDT

Potential null pointer deref in AudioParam::exponentialRampToValueAtTime(float, double):
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000128
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001111a359a std::__1::unique_ptr<WebCore::AudioDestinationNode, std::__1::default_delete<WebCore::AudioDestinationNode> >::get() const + 0 (memory:2318) [inlined]
1   com.apple.WebCore                   0x00000001111a359a WTF::UniqueRef<WebCore::AudioDestinationNode>::operator->() const + 0 (UniqueRef.h:71) [inlined]
2   com.apple.WebCore                   0x00000001111a359a WebCore::BaseAudioContext::currentTime() const + 0 (BaseAudioContext.h:123) [inlined]
3   com.apple.WebCore                   0x00000001111a359a WebCore::AudioParam::exponentialRampToValueAtTime(float, double) + 154 (AudioParam.cpp:190)
4   com.apple.WebCore                   0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*) + 400 (JSAudioParam.cpp:379) [inlined]
5   com.apple.WebCore                   0x00000001107f5de8 long long WebCore::IDLOperation<WebCore::JSAudioParam>::call<&(WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTimeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSAudioParam*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 554 (JSDOMOperation.h:55) [inlined]
6   com.apple.WebCore                   0x00000001107f5de8 WebCore::jsAudioParamPrototypeFunction_exponentialRampToValueAtTime(JSC::JSGlobalObject*, JSC::CallFrame*) + 584 (JSAudioParam.cpp:384)

Comment 1 Chris Dumez 2021-04-09 16:52:19 PDT

<rdar://76450376>

Comment 2 Chris Dumez 2021-04-09 16:54:59 PDT

Created attachment 425667 [details]
Patch

Comment 3 Chris Dumez 2021-04-10 15:41:27 PDT

Comment on attachment 425667 [details]
Patch

Clearing flags on attachment: 425667

Committed r275804 (236375@main): <https://commits.webkit.org/236375@main>

Comment 4 Chris Dumez 2021-04-10 15:41:29 PDT

All reviewed patches have been landed.  Closing bug.