[Webkit-unassigned] [Bug 139664] New: Crash with cyclic channel merger

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 15 19:21:32 PST 2014 

https://bugs.webkit.org/show_bug.cgi?id=139664

            Bug ID: 139664
           Summary: Crash with cyclic channel merger
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Audio
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.buer+webkitbugs at gmail.com
                CC: crogers at google.com

This snippet of JS code run from the developer console of Safari:

var audioContext;
if (!audioContext) {
    if (window.AudioContext) {
        audioContext = new AudioContext();
    } else if (window.webkitAudioContext) {
        audioContext = new webkitAudioContext();  
    } else {
        throw new Error('AudioContext missing');
    }
}

var o = audioContext.createOscillator();
var m = audioContext.createChannelMerger(2);
var d = audioContext.createDelay();

o.connect(m, 0, 1);
d.connect(m, 0, 0);
m.connect(d);
m.connect(audioContext.destination);
d.delayTime.value = 0.5;
o.start(0);


causes a crash with this relevant stack trace:
Thread 22 Crashed:: com.apple.audio.IOThread.client
0   com.apple.WebCore               0x000000010f5b99f6 WebCore::AudioNodeOutput::updateInternalBus() + 22
1   com.apple.WebCore               0x000000010f5b991a WebCore::AudioNodeOutput::updateNumberOfChannels() + 42
2   com.apple.WebCore               0x000000010f5e59b9 WebCore::ChannelMergerNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) + 89
3   com.apple.WebCore               0x000000010f5b9990 WebCore::AudioNodeOutput::updateNumberOfChannels() + 160
4   com.apple.WebCore               0x000000010f5aea82 WebCore::AudioBasicProcessorNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) + 114
5   com.apple.WebCore               0x000000010f5b9990 WebCore::AudioNodeOutput::updateNumberOfChannels() + 160
6   com.apple.WebCore               0x000000010f5e59b9 WebCore::ChannelMergerNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) + 89
7   com.apple.WebCore               0x000000010f5b9990 WebCore::AudioNodeOutput::updateNumberOfChannels() + 160
8   com.apple.WebCore               0x000000010f5aea82 WebCore::AudioBasicProcessorNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) + 114
etc, etc
128 com.apple.WebCore               0x000000010f5aea82 WebCore::AudioBasicProcessorNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) + 114
129 com.apple.WebCore               0x000000010f5b9990 WebCore::AudioNodeOutput::updateNumberOfChannels() + 160
130 com.apple.WebCore               0x000000010f5e59b9 WebCore::ChannelMergerNode::checkNumberOfChannelsForInput(WebCore::AudioNodeInput*) + 89
131 com.apple.WebCore               0x000000010f5bd330 WebCore::AudioSummingJunction::updateRenderingState() + 384
132 com.apple.WebCore               0x000000010f5b5078 WebCore::AudioContext::handleDirtyAudioSummingJunctions() + 120
133 com.apple.WebCore               0x000000010f5b4fd1 WebCore::AudioContext::handlePreRenderTasks() + 129
134 com.apple.WebCore               0x000000010f5b7488 WebCore::AudioDestinationNode::render(WebCore::AudioBus*, WebCore::AudioBus*, unsigned long) + 136
135 com.apple.WebCore               0x000000010f5b6f72 WebCore::AudioDestinationMac::render(unsigned int, AudioBufferList*) + 82
136 com.apple.WebCore               0x000000010f5b6eaf WebCore::AudioDestinationMac::inputProc(void*, unsigned int*, AudioTimeStamp const*, unsigned int, unsigned int, AudioBufferList*) + 15
137 com.apple.audio.units.Components    0x000000012182c039 AUInputElement::PullInput(unsigned int&, AudioTimeStamp const&, unsigned int, unsigned int) + 177
138 com.apple.audio.units.Components    0x000000012182b8ef AUInputFormatConverter2::InputProc(OpaqueAudioConverter*, unsigned int*, AudioBufferList*, AudioStreamPacketDescription**, void*) + 193
139 com.apple.audio.toolbox.AudioToolbox    0x00007fff8ea0c185 AudioConverterChain::CallInputProc(unsigned int) + 417
140 com.apple.audio.toolbox.AudioToolbox    0x00007fff8ea0bed1 AudioConverterChain::FillBufferFromInputProc(unsigned int*, CABufferList*) + 125
141 com.apple.audio.toolbox.AudioToolbox    0x00007fff8e9eaf19 BufferedAudioConverter::GetInputBytes(unsigned int, unsigned int&, CABufferList const*&) + 179
142 com.apple.audio.toolbox.AudioToolbox    0x00007fff8e9c9c9a CBRConverter::RenderOutput(CABufferList*, unsigned int, unsigned int&, AudioStreamPacketDescription*) + 104
143 com.apple.audio.toolbox.AudioToolbox    0x00007fff8e9eada0 BufferedAudioConverter::FillBuffer(unsigned int&, AudioBufferList&, AudioStreamPacketDescription*) + 286
144 com.apple.audio.toolbox.AudioToolbox    0x00007fff8ea0bce9 AudioConverterChain::RenderOutput(CABufferList*, unsigned int, unsigned int&, AudioStreamPacketDescription*) + 99
145 com.apple.audio.toolbox.AudioToolbox    0x00007fff8e9eada0 BufferedAudioConverter::FillBuffer(unsigned int&, AudioBufferList&, AudioStreamPacketDescription*) + 286
146 com.apple.audio.toolbox.AudioToolbox    0x00007fff8e9c94ee AudioConverterFillComplexBuffer + 292
147 com.apple.audio.units.Components    0x000000012182b7a6 AUInputFormatConverter2::PullAndConvertInput(AudioTimeStamp const&, unsigned int&, AudioBufferList&, AudioStreamPacketDescription*, bool&) + 98
148 com.apple.audio.units.Components    0x000000012182b08a AUConverterBase::RenderBus(unsigned int&, AudioTimeStamp const&, unsigned int, unsigned int) + 188
149 com.apple.audio.units.Components    0x0000000121828c61 AUBase::DoRenderBus(unsigned int&, AudioTimeStamp const&, unsigned int, AUOutputElement*, unsigned int, AudioBufferList&) + 153
150 com.apple.audio.units.Components    0x0000000121827515 AUBase::DoRender(unsigned int&, AudioTimeStamp const&, unsigned int, unsigned int, AudioBufferList&) + 423
151 com.apple.audio.units.Components    0x000000012182e878 AUHAL::AUIOProc(unsigned int, AudioTimeStamp const*, AudioBufferList const*, AudioTimeStamp const*, AudioBufferList*, AudioTimeStamp const*, void*) + 2076
152 com.apple.audio.CoreAudio       0x00007fff8bdc49db HALC_ProxyIOContext::IOWorkLoop() + 3667
153 com.apple.audio.CoreAudio       0x00007fff8bdc3add HALC_ProxyIOContext::IOThreadEntry(void*) + 97
154 com.apple.audio.CoreAudio       0x00007fff8bdc399d HALB_IOThread::Entry(void*) + 75
155 libsystem_pthread.dylib         0x00007fff8fe2b899 _pthread_body + 138
156 libsystem_pthread.dylib         0x00007fff8fe2b72a _pthread_start + 137
157 libsystem_pthread.dylib         0x00007fff8fe2ffc9 thread_start + 13


Guessing at the cause, the line at https://github.com/WebKit/webkit/blob/master/Source/WebCore/Modules/webaudio/AudioNodeOutput.cpp#L74 probably results in a null audio bus being returned at some point (after several renders?) due to an excessive number of channels.

If this guess is correct, an easy fix might be to modify https://github.com/WebKit/webkit/blob/master/Source/WebCore/Modules/webaudio/AudioNodeOutput.cpp#L74 to always create an audio bus with capped number of channels.

ie:
m_internalBus = AudioBus::create(std::min(numberOfChannels(), AudioContext::maxNumberOfChannels()), AudioNode::ProcessingSizeInFrames);

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141216/1eb7f582/attachment-0002.html>

More information about the webkit-unassigned mailing list