[Webkit-unassigned] [Bug 169956] New: [Crash] WebCore::AudioBuffer::AudioBuffer doesn't check illegal value

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 22 08:03:11 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=169956

            Bug ID: 169956
           Summary: [Crash] WebCore::AudioBuffer::AudioBuffer doesn't
                    check illegal value
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Audio
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: buchob7 at yahoo.co.jp

CODE:

<script>
var context = new webkitAudioContext().createBuffer(2, -1, 44100);
</script>

So I don't know which component to select...
Maybe it doesn't check the second argument's value and doesn't check for a failed allocation.

LLDB LOG:

* thread #1: tid = 0x26f30, 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18)
    frame #0: 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8
JavaScriptCore`JSC::ArrayBufferView::setNeuterable:
->  0x7fff7964ac08 <+8>:  movl   0x18(%rdi), %ecx
    0x7fff7964ac0b <+11>: movl   %ecx, %edx
    0x7fff7964ac0d <+13>: shrl   $0x1f, %edx
    0x7fff7964ac10 <+16>: cmpl   %edx, %eax
(lldb) reg re
General Purpose Registers:
       rax = 0x0000000000000000
       rbx = 0x0000000000000002
       rcx = 0x0000000000000000
       rdx = 0x00000000fffffffc
       rdi = 0x0000000000000000
       rsi = 0x0000000000000000
       rbp = 0x00007fff5e8ead40
       rsp = 0x00007fff5e8ead40
        r8 = 0x00007fff5e8eae2c
        r9 = 0x0000000105b9eda0
       r10 = 0x0000000104f78ce0
       r11 = 0x00000001057f57d0
       r12 = 0x00007fff5e8ead58
       r13 = 0x000000000000000a
       r14 = 0x0000000104e7cd80
       r15 = 0x0000000104e7cda0
       rip = 0x00007fff7964ac08  JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8
    rflags = 0x0000000000010246
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

(lldb) bt
* thread #1: tid = 0x26f30, 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18)
  * frame #0: 0x00007fff7964ac08 JavaScriptCore`JSC::ArrayBufferView::setNeuterable(bool) + 8
    frame #1: 0x00007fff7e228907 WebCore`WebCore::AudioBuffer::AudioBuffer(unsigned int, unsigned long, float) + 151
    frame #2: 0x00007fff7e2286fe WebCore`WebCore::AudioBuffer::create(unsigned int, unsigned long, float) + 94
    frame #3: 0x00007fff7e22f4cf WebCore`WebCore::AudioContext::createBuffer(unsigned int, unsigned long, float, int&) + 31
    frame #4: 0x00007fff7e6f10ee WebCore`WebCore::jsAudioContextPrototypeFunctionCreateBuffer(JSC::ExecState*) + 1102
    frame #5: 0x000050543c201028
    frame #6: 0x00007fff79bf2595 JavaScriptCore`llint_entry + 24967
    frame #7: 0x00007fff79bec22b JavaScriptCore`vmEntryToJavaScript + 299
    frame #8: 0x00007fff79ab1e0e JavaScriptCore`JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
    frame #9: 0x00007fff793cfdac JavaScriptCore`JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 16380
    frame #10: 0x00007fff7975fcb5 JavaScriptCore`JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 469
    frame #11: 0x00007fff7ece7f4e WebCore`WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 302
    frame #12: 0x00007fff7dfc0d23 WebCore`WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 563
    frame #13: 0x00007fff7dfbfd4a WebCore`WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1066
    frame #14: 0x00007fff7dfbf442 WebCore`WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 338
    frame #15: 0x00007fff7dfbf280 WebCore`WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48
    frame #16: 0x00007fff7dfbf196 WebCore`WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 86
    frame #17: 0x00007fff7e59fc7d WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 669
    frame #18: 0x00007fff7df57293 WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115
    frame #19: 0x00007fff7e59ffb0 WebCore`WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) + 480
    frame #20: 0x00007fff7e3a5edc WebCore`WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) + 92
    frame #21: 0x00007fff7df55f4b WebCore`WebCore::DocumentWriter::end() + 43
    frame #22: 0x00007fff7df4824c WebCore`WebCore::DocumentLoader::finishedLoading(double) + 268
    frame #23: 0x00007fff7dfd5c5e WebCore`WebCore::CachedResource::checkNotify() + 158
    frame #24: 0x00007fff7e279801 WebCore`WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 225
    frame #25: 0x00007fff7dfd5a22 WebCore`WebCore::SubresourceLoader::didFinishLoading(double) + 1218
    frame #26: 0x00007fff7f2e7507 WebKit`WebKit::WebResourceLoader::didFinishResourceLoad(double) + 159
    frame #27: 0x00007fff7f52519a WebKit`WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 362
    frame #28: 0x00007fff7f365f39 WebKit`IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 119
    frame #29: 0x00007fff7f3688e6 WebKit`IPC::Connection::dispatchOneMessage() + 126
    frame #30: 0x00007fff79dad439 JavaScriptCore`WTF::RunLoop::performWork() + 169
    frame #31: 0x00007fff79dad652 JavaScriptCore`WTF::RunLoop::performWork(void*) + 34
    frame #32: 0x00007fff76f5b981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #33: 0x00007fff76f3ca7d CoreFoundation`__CFRunLoopDoSources0 + 557
    frame #34: 0x00007fff76f3bf76 CoreFoundation`__CFRunLoopRun + 934
    frame #35: 0x00007fff76f3b974 CoreFoundation`CFRunLoopRunSpecific + 420
    frame #36: 0x00007fff764c7a5c HIToolbox`RunCurrentEventLoopInMode + 240
    frame #37: 0x00007fff764c7891 HIToolbox`ReceiveNextEventCommon + 432
    frame #38: 0x00007fff764c76c6 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #39: 0x00007fff74a6d5b4 AppKit`_DPSNextEvent + 1120
    frame #40: 0x00007fff751e7d6b AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
    frame #41: 0x00007fff74a61f35 AppKit`-[NSApplication run] + 926
    frame #42: 0x00007fff74a2c850 AppKit`NSApplicationMain + 1237
    frame #43: 0x00007fff8c6f78c7 libxpc.dylib`_xpc_objc_main + 775
    frame #44: 0x00007fff8c6f62e4 libxpc.dylib`xpc_main + 494
    frame #45: 0x00000001013137a2 com.apple.WebKit.WebContent`___lldb_unnamed_symbol1$$com.apple.WebKit.WebContent + 380
    frame #46: 0x00007fff8c493255 libdyld.dylib`start + 1
(lldb)
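As an added illustration (not WebKit's code), a simplified C++ model of the failure the trace shows: rdi is 0 at the faulting `movl 0x18(%rdi)`, so setNeuterable was invoked on a null array, consistent with the reporter's guess that the frame count is not range-checked and a failed allocation is not detected. The FloatArray factory, the kMaxFrames cap and the toUnsignedLong helper are assumptions for this model; create() shows the validation the constructor path would need.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Stand-in for a typed-array factory (hypothetical, not WebKit's): it returns
// nullptr when the element count is impossible instead of throwing.
struct FloatArray {
    std::vector<float> data;
    bool neuterable = true;
    void setNeuterable(bool v) { neuterable = v; }  // reads through `this`
};

static const size_t kMaxFrames = 1u << 24;  // constructed cap for this model

static std::unique_ptr<FloatArray> tryCreateFloatArray(size_t length) {
    if (length > kMaxFrames) return nullptr;  // models allocation failure
    auto a = std::make_unique<FloatArray>();
    a->data.assign(length, 0.0f);
    return a;
}

// WebIDL "unsigned long" conversion without [EnforceRange]: a JS -1 wraps
// modulo 2^32, which is how a negative length reaches the constructor.
static uint32_t toUnsignedLong(double jsValue) {
    if (!std::isfinite(jsValue)) return 0;
    double m = std::fmod(std::trunc(jsValue), 4294967296.0);
    if (m < 0) m += 4294967296.0;
    return static_cast<uint32_t>(m);
}

struct AudioBuffer {
    std::vector<std::unique_ptr<FloatArray>> channels;
    size_t length = 0;
    // Hardened factory: reject an impossible frame count before allocating and
    // treat a null channel array as failure instead of calling into it.
    static std::unique_ptr<AudioBuffer> create(unsigned channelCount, double framesJS) {
        uint32_t frames = toUnsignedLong(framesJS);
        if (channelCount == 0 || frames == 0 || frames > kMaxFrames) return nullptr;
        auto buf = std::make_unique<AudioBuffer>();
        for (unsigned i = 0; i < channelCount; ++i) {
            auto ch = tryCreateFloatArray(frames);
            if (!ch) return nullptr;  // allocation failed: report, don't deref
            ch->setNeuterable(false);
            buf->channels.push_back(std::move(ch));
        }
        buf->length = frames;
        return buf;
    }
};
```

With this check in place, `createBuffer(2, -1, 44100)` is refused at the range test rather than reaching a null typed array.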
