Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cd0bb027e8f37acdb983669ac548323cae0e78ba
      
https://github.com/WebKit/WebKit/commit/cd0bb027e8f37acdb983669ac548323cae0e78ba
  Author: Claudio Saavedra <csaave...@igalia.com>
  Date:   2025-04-04 (Fri, 04 Apr 2025)

  Changed paths:
    A LayoutTests/media/encrypted-media/media-events-transfer-arrays-expected.txt
    A LayoutTests/media/encrypted-media/media-events-transfer-arrays.html
    M Source/JavaScriptCore/jsc.cpp
    M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
    M Source/WebCore/Modules/webaudio/AudioBuffer.cpp

  Log Message:
  -----------
  ASAN_TRAP | JSArrayBufferView::ConstructionContext::ConstructionContext; JSC::JSGenericTypedArrayView::create; JSC::GenericTypedArrayView::wrapImpl
https://bugs.webkit.org/show_bug.cgi?id=286835

Reviewed by Yijia Huang.

Since ArrayBuffer#transfer was added, it's not possible to assume that an impl TypedArray
will have a valid ArrayBuffer attached. When wrapping a TypedArray with a JS counterpart,
JSGenericTypedArrayView<Adaptor>::create() was assuming that the TypedArray's buffer would
not be nullptr, but this is not the case if JS code has transferred the buffer
elsewhere.

To fix this, check that the buffer has not been detached and throw if that's
not the case.

This bug seems to only be reproducible at the moment with legacy EME events
that have Uint8Array attributes, so the added test covers both occurrences
I found.

* LayoutTests/media/encrypted-media/media-events-transfer-arrays-expected.txt: Added.
* LayoutTests/media/encrypted-media/media-events-transfer-arrays.html: Added.
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::wrapImpl):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):

Originally-landed-as: 289651.4@webkit-2025.2-embargoed (15ab95a2898a). 
rdar://148056878
Canonical link: https://commits.webkit.org/293233@main
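The commit above describes a buffer that JS code has transferred out from under a TypedArray before the engine wraps it. The following is an added example, not WebKit's code, that shows the same situation from the JS side: `ArrayBuffer#transfer` (or a `structuredClone` transfer list on engines without it) detaches the source buffer, the existing `Uint8Array` view drops to length 0, and a wrapper that mirrors the fix's "check detached, then throw" rule refuses the stale view instead of handing out storage that no longer exists. `detachBuffer`, `isDetached`, `wrapLiveView` and `demo` are names chosen for this example; the sample bytes are constructed.

```javascript
// Added example (not WebKit's code): ArrayBuffer#transfer detaches the source
// buffer, so any TypedArray still pointing at it has no backing storage.

// Detach a buffer via ArrayBuffer.prototype.transfer (ES2024) when available,
// otherwise via structuredClone's transfer list, which also detaches the source.
function detachBuffer(buffer) {
  if (typeof buffer.transfer === "function") {
    return buffer.transfer();
  }
  return structuredClone(buffer, { transfer: [buffer] });
}

// Report whether the view's buffer has been detached. Newer engines expose
// ArrayBuffer.prototype.detached; on older ones a detached buffer reports
// byteLength 0, which is indistinguishable from a genuinely empty buffer, so
// this fallback is conservative (an empty buffer is treated as detached too).
function isDetached(view) {
  const buf = view.buffer;
  if (typeof buf.detached === "boolean") {
    return buf.detached;
  }
  return buf.byteLength === 0;
}

// Mirror of the fix's rule: a consumer that assumes live storage must refuse a
// view whose buffer is detached rather than operate on it. Returns a plain
// snapshot of the view when it is live; throws TypeError otherwise.
function wrapLiveView(view) {
  if (isDetached(view)) {
    throw new TypeError("Cannot wrap a TypedArray whose ArrayBuffer is detached");
  }
  return { byteLength: view.byteLength, bytes: Array.from(view) };
}

// Walk through the lifecycle: wrap a live view, transfer its buffer away, then
// observe that the old view is empty and the wrapper now rejects it.
function demo() {
  const bytes = new Uint8Array([0xde, 0xad, 0xbe, 0xef]); // constructed sample
  const before = wrapLiveView(bytes);          // live: snapshot succeeds
  const moved = detachBuffer(bytes.buffer);    // bytes.buffer is now detached
  let threw = false;
  try {
    wrapLiveView(bytes);                       // stale view: must be rejected
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    before,
    movedLength: moved.byteLength,  // the data lives on in the new buffer
    afterLength: bytes.length,      // the old view reports 0 elements
    threw,
  };
}
```

The `detached` getter is the check to prefer where the engine has it; the `byteLength === 0` fallback exists only so the example runs on older runtimes, and its conservative behaviour on genuinely empty buffers is the trade-off noted in the comment.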



_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
