Commit 9b9d5bf

Potential crash under BaseAudioContext's toJSNewlyCreated()
https://bugs.webkit.org/show_bug.cgi?id=221423
<rdar://73352543>

Reviewed by Darin Adler.

Source/WebCore:

BaseAudioContext has subclasses (AudioContext & OfflineAudioContext) that are exposed to JS
(for which we call toJS()). As a result, BaseAudioContext needs a custom toJS()
implementation which returns the correct subclass wrapper (JSOfflineAudioContext &
JSAudioContext), instead of a JSBaseAudioContext.

Test: webaudio/base-audio-context-wrapper-gc.html

* Modules/webaudio/BaseAudioContext.idl:
* Sources.txt:
* WebCore.xcodeproj/project.pbxproj:
* bindings/js/JSBaseAudioContextCustom.cpp: Added.
(WebCore::toJSNewlyCreated):
(WebCore::toJS):

LayoutTests:

Add layout test coverage.

* webaudio/base-audio-context-wrapper-gc-expected.txt: Added.
* webaudio/base-audio-context-wrapper-gc.html: Added.

Canonical link: https://commits.webkit.org/233720@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272395 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent b1c3e6b commit 9b9d5bf

8 files changed

Lines changed: 132 additions & 0 deletions

LayoutTests/ChangeLog

Lines changed: 13 additions & 0 deletions
@@ -1,3 +1,16 @@
1+
2021-02-04 Chris Dumez <cdumez@apple.com>
2+
3+
Potential crash under BaseAudioContext's toJSNewlyCreated()
4+
https://bugs.webkit.org/show_bug.cgi?id=221423
5+
<rdar://73352543>
6+
7+
Reviewed by Darin Adler.
8+
9+
Add layout test coverage.
10+
11+
* webaudio/base-audio-context-wrapper-gc-expected.txt: Added.
12+
* webaudio/base-audio-context-wrapper-gc.html: Added.
13+
114
2021-02-04 Chris Dumez <cdumez@apple.com>
215

316
RELEASE_ASSERT(bigInt) in VM constructor when constructing a WorkletGlobalScope
LayoutTests/webaudio/base-audio-context-wrapper-gc-expected.txt

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
This test passes if it does not crash.
2+
3+
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
4+
5+
6+
* OfflineAudioContext
7+
PASS constantSourceNode1.context.sampleRate is 44100
8+
PASS constantSourceNode1.context.length is 128
9+
10+
* AudioContext
11+
PASS constantSourceNode2.context.sampleRate is 44100
12+
PASS constantSourceNode2.context.baseLatency > 0 is true
13+
PASS successfullyParsed is true
14+
15+
TEST COMPLETE
16+
LayoutTests/webaudio/base-audio-context-wrapper-gc.html

Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
<script src="../resources/js-test.js"></script>
2+
<script>
3+
description("This test passes if it does not crash.");
4+
5+
debug("* OfflineAudioContext");
6+
let constantSourceNode1 = new ConstantSourceNode(new OfflineAudioContext({
7+
length: 128,
8+
sampleRate: 44100
9+
}));
10+
gc();
11+
shouldBe("constantSourceNode1.context.sampleRate", "44100"); // On BaseAudioContext.
12+
gc();
13+
shouldBe("constantSourceNode1.context.length", "128"); // On OfflineAudioContext.
14+
15+
debug("");
16+
debug("* AudioContext");
17+
let constantSourceNode2 = new ConstantSourceNode(new AudioContext({
18+
sampleRate: 44100
19+
}));
20+
gc();
21+
shouldBe("constantSourceNode2.context.sampleRate", "44100"); // On BaseAudioContext.
22+
gc();
23+
shouldBeTrue("constantSourceNode2.context.baseLatency > 0"); // On AudioContext.
24+
</script>
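Review bot: the wrapper class is verified only indirectly, through subclass-only attributes (`constantSourceNode1.context.length` for the offline case, `constantSourceNode2.context.baseLatency > 0` for the realtime case). An explicit `shouldBeTrue("constantSourceNode1.context instanceof OfflineAudioContext")` (and the `AudioContext` counterpart) after the first `gc()` would state the property under test directly and would also fail if `context` ever came back as a plain JSBaseAudioContext. The structure itself is sound: each context is created inline so its constructor-created wrapper is unreachable, `gc()` collects it, and the `context` attribute on the node must then re-create the wrapper through the `BaseAudioContext` path this patch customizes.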

Source/WebCore/ChangeLog

Lines changed: 22 additions & 0 deletions
@@ -1,3 +1,25 @@
1+
2021-02-04 Chris Dumez <cdumez@apple.com>
2+
3+
Potential crash under BaseAudioContext's toJSNewlyCreated()
4+
https://bugs.webkit.org/show_bug.cgi?id=221423
5+
<rdar://73352543>
6+
7+
Reviewed by Darin Adler.
8+
9+
BaseAudioContext has subclasses (AudioContext & OfflineAudioContext) that are exposed to JS
10+
(for which we call toJS() for). As a result, BaseAudioContext needs a custom toJS()
11+
implementation which returns the correct subclass wrapper (JSOfflineAudioContext &
12+
JSAudioContext), instead of a JSBaseAudioContext.
13+
14+
Test: webaudio/base-audio-context-wrapper-gc.html
15+
16+
* Modules/webaudio/BaseAudioContext.idl:
17+
* Sources.txt:
18+
* WebCore.xcodeproj/project.pbxproj:
19+
* bindings/js/JSBaseAudioContextCustom.cpp: Added.
20+
(WebCore::toJSNewlyCreated):
21+
(WebCore::toJS):
22+
123
2021-02-04 Ryosuke Niwa <rniwa@webkit.org>
224

325
Avoid creating JS wrapper on a removed node when the subtree is not observable
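Review bot: the rationale explains why a custom toJS() is needed but not how the generic wrapper led to the crash named in the title; one sentence noting that a JSBaseAudioContext wrapper handed out for a subclass object (the scenario the new webaudio/base-audio-context-wrapper-gc.html test exercises via the node's `context` attribute after GC) breaks the later subclass-specific accesses would make the entry self-explanatory. Minor: "(for which we call toJS() for)" has a doubled "for".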

Source/WebCore/Modules/webaudio/BaseAudioContext.idl

Lines changed: 1 addition & 0 deletions
@@ -26,6 +26,7 @@
2626
[
2727
ActiveDOMObject,
2828
Conditional=WEB_AUDIO,
29+
CustomToJSObject,
2930
EnabledBySetting=WebAudio&ModernUnprefixedWebAudio,
3031
ExportMacro=WEBCORE_EXPORT,
3132
Exposed=Window
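Review bot: adding `CustomToJSObject` stops the bindings generator from emitting `toJS`/`toJSNewlyCreated` for BaseAudioContext, so the two functions in bindings/js/JSBaseAudioContextCustom.cpp become the only way a BaseAudioContext reaches JS; worth a build check that nothing else relied on the generated versions. Placement between `Conditional=WEB_AUDIO` and `EnabledBySetting=...` keeps the attribute list alphabetical, as the file expects.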

Source/WebCore/Sources.txt

Lines changed: 1 addition & 0 deletions
@@ -507,6 +507,7 @@ bindings/js/JSAudioTrackCustom.cpp
507507
bindings/js/JSAudioTrackListCustom.cpp
508508
bindings/js/JSAudioWorkletProcessorCustom.cpp
509509
bindings/js/JSAuthenticatorResponseCustom.cpp
510+
bindings/js/JSBaseAudioContextCustom.cpp
510511
bindings/js/JSBasicCredentialCustom.cpp
511512
bindings/js/JSBlobCustom.cpp
512513
bindings/js/JSCSSRuleCustom.cpp

Source/WebCore/WebCore.xcodeproj/project.pbxproj

Lines changed: 2 additions & 0 deletions
@@ -8179,6 +8179,7 @@
81798179
468344DC1EDDFA5F00B7795B /* DOMRectList.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = DOMRectList.idl; sourceTree = "<group>"; };
81808180
468344DD1EDDFA5F00B7795B /* DOMRectList.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = DOMRectList.cpp; sourceTree = "<group>"; };
81818181
468344DE1EDDFA5F00B7795B /* DOMRectList.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = DOMRectList.h; sourceTree = "<group>"; };
8182+
468B8BDE25CC849300F67822 /* JSBaseAudioContextCustom.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = JSBaseAudioContextCustom.cpp; sourceTree = "<group>"; };
81828183
46B63F6B1C6E8CDF002E914B /* JSEventTargetCustom.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSEventTargetCustom.h; sourceTree = "<group>"; };
81838184
46B650DB2296262700FD8AA4 /* PageIdentifier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PageIdentifier.h; sourceTree = "<group>"; };
81848185
46B9518A207D632800A7D2DD /* AbstractDOMWindow.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AbstractDOMWindow.h; sourceTree = "<group>"; };
@@ -22703,6 +22704,7 @@
2270322704
BE6DF710171CA2DA00DD52B8 /* JSAudioTrackListCustom.cpp */,
2270422705
83F37A672536B21B00FF5F3B /* JSAudioWorkletProcessorCustom.cpp */,
2270522706
576082562011BE0200116678 /* JSAuthenticatorResponseCustom.cpp */,
22707+
468B8BDE25CC849300F67822 /* JSBaseAudioContextCustom.cpp */,
2270622708
5760824F20118D8D00116678 /* JSBasicCredentialCustom.cpp */,
2270722709
8931DE5A14C44C44000DC9D2 /* JSBlobCustom.cpp */,
2270822710
49EED14B1051971900099FAB /* JSCanvasRenderingContext2DCustom.cpp */,
Source/WebCore/bindings/js/JSBaseAudioContextCustom.cpp

Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
/*
2+
* Copyright (C) 2021 Apple Inc. All rights reserved.
3+
*
4+
* Redistribution and use in source and binary forms, with or without
5+
* modification, are permitted provided that the following conditions
6+
* are met:
7+
* 1. Redistributions of source code must retain the above copyright
8+
* notice, this list of conditions and the following disclaimer.
9+
* 2. Redistributions in binary form must reproduce the above copyright
10+
* notice, this list of conditions and the following disclaimer in the
11+
* documentation and/or other materials provided with the distribution.
12+
*
13+
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14+
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15+
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16+
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
17+
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18+
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19+
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20+
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21+
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22+
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23+
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24+
*/
25+
26+
#include "config.h"
27+
28+
#if ENABLE(WEB_AUDIO)
29+
#include "JSBaseAudioContext.h"
30+
31+
#include "AudioContext.h"
32+
#include "JSAudioContext.h"
33+
#include "JSOfflineAudioContext.h"
34+
#include "OfflineAudioContext.h"
35+
36+
namespace WebCore {
37+
using namespace JSC;
38+
39+
JSValue toJSNewlyCreated(JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<BaseAudioContext>&& context)
40+
{
41+
if (context->isOfflineContext())
42+
return createWrapper<OfflineAudioContext>(globalObject, WTFMove(context));
43+
return createWrapper<AudioContext>(globalObject, WTFMove(context));
44+
}
45+
46+
JSValue toJS(JSGlobalObject* lexicalGlobalObject, JSDOMGlobalObject* globalObject, BaseAudioContext& context)
47+
{
48+
return wrap(lexicalGlobalObject, globalObject, context);
49+
}
50+
51+
} // namespace WebCore
52+
53+
#endif // ENABLE(WEB_AUDIO)
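Review bot: `toJSNewlyCreated` treats every context that is not offline as an `AudioContext` (the fall-through `return createWrapper<AudioContext>(globalObject, WTFMove(context));`), and `createWrapper<AudioContext>` on a `Ref<BaseAudioContext>` is an unchecked static cast. If a third BaseAudioContext subclass is ever added, it would be silently wrapped with the wrong JS class; an `ASSERT` before the fall-through (a type-trait check such as `is<AudioContext>(context)` if one is defined for these classes) would turn that into a debug failure at the cast rather than a later bad wrapper. The `toJS` overload delegating to `wrap(lexicalGlobalObject, globalObject, context)` is correct: it returns the cached wrapper when one exists and otherwise routes through the dispatching `toJSNewlyCreated` above.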
