287431 2025-02-10 13:25:29 -0800 REGRESSION(288121@main): [WebAudio] DirectConvolver::process() tries to use use negative indexes on a std::span 2025-02-11 03:45:45 -0800 1 1 1 Unclassified WebKit Web Audio WebKit Nightly Build PC Linux RESOLVED FIXED DoNotImportToRadar P2 Normal --- 266396 1 aperez aperez cdumez oldest_to_newest 2093595 0 aperez 2025-02-10 13:25:29 -0800 In 288121@main (bug #284897) the convolution code was changed from using a "float*" to a "std::span<float>". The code previously used a float* pointing to the *middle* of a buffer, which was defined as: float* inputP = m_buffer.data() + m_inputBlockSize; and then changed to: auto inputP = m_buffer.span().subspan(m_inputBlockSize); In both cases above "inputP" points to the middle of "m_buffer", because this is always initialized to have double the amount of elements of "m_inputBlockSize": DirectConvolver::DirectConvolver(size_t inputBlockSize) : m_inputBlockSize(inputBlockSize) , m_buffer(inputBlockSize * 2) { } Later, there is a loop which is roughly this, plus unrolled cases for a few kernel sizes, but the issue is the same in all of them: #define CONVOLVE_ONE_SAMPLE \ sum += inputP[i - j] * kernelP[j]; \ j++; size_t i = 0; while (i < source.size()) { size_t j = 0; float sum = 0; while (j < kernelSize) { CONVOLVE_ONE_SAMPLE } destination[i++] = sum; } Inside the macro, the calculated "i - j" index *will be negative* most of the time, to pick elements from the *left* half of "m_buffer". While this worked fine with the raw "float*", indexing a "std::span<float>" will coerce the negative index into a "size_t" with the values wrapping around (due to underflow) and resulting into huge indexes. This triggers an assertion when the C++ library assertions are enabled (for example with the patch for bug #266396). 2093607 1 aperez 2025-02-10 13:35:36 -0800 Pull request: https://github.com/WebKit/WebKit/pull/40371 2093755 2 ews-feeder 2025-02-11 01:02:35 -0800 Committed 290202@main (19e127b1e23d): <https://commits.webkit.org/290202@main> Reviewed commits have been landed. Closing PR #40371 and removing active labels.