In the past, Safari vulnerability researchers have mostly focused on the DOM and the JavaScript engine, while some of the system libraries Safari relies on, such as the audio, video and font libraries, have received far less attention. There are few published cases of vulnerabilities in these modules being used to break Safari. Because of Safari's built-in heap isolation, the heap used by these system libraries is not the heap where DOM objects and JavaScript objects live, so an out-of-bounds write in one of these modules is extremely difficult to turn into an overwrite of a key JavaScript object. Without an accompanying info leak, such vulnerabilities are hard to exploit on their own.

I have invested a lot of time in bug hunting in the Web Audio module and have achieved remarkable results: a total of 15+ out-of-bounds read bugs and 10+ out-of-bounds write bugs have been discovered so far, and at present 12 of them have been credited by Apple. Since it is difficult to perform heap spraying on the OSX heap, most of these out-of-bounds writes are hard to exploit in Safari on their own, but I found one bug that can overwrite JavaScript objects in a clever way, bypassing Safari's heap isolation, ASLR and other defense mechanisms, and finally achieving arbitrary code execution. I demonstrated the attack at the Tianfu Cup International Cyber Security Competition hosted by the Chengdu Municipal Government of China, and successfully pwned Safari with only one shot.