231157 2021-10-04 01:37:16 -0700 Safari crashes when GPU Process: Canvas Rendering is enabled with large paths 2022-02-15 05:20:12 -0800 1 1 1 Unclassified WebKit Canvas Safari 15 Unspecified Unspecified NEW InRadar P2 Normal --- 1 timocov webkit-unassigned bdon bfulgham dino sabouhallawa simon.fraser webkit-bug-importer wenson_hsieh oldest_to_newest 1799990 0 440038 timocov 2021-10-04 01:37:16 -0700 Created attachment 440038 The page you need to open to get a safari crashed 0. It seems that since iOS v15 the option "GPU Process: Canvas Rendering" is enabled by default, but if it is disabled, go to setting and enable it explicitly 1. Open the page https://bl.ocks.org/timocov/raw/648966ce5c57492e82864b4d78a7c1cb/?raw=true (the same page in attachments or here https://gist.github.com/timocov/648966ce5c57492e82864b4d78a7c1cb) 2. Wait some time until the page is crashed If you disable this page, everything will be good and no page crash. On iOS 15.1 the issue still persist. 1800123 1 ap 2021-10-04 10:48:43 -0700 I can reproduce, getting this: Requesting termination of web process 1779 for reason: "Detected invalid display list item or extent" 1800124 2 webkit-bug-importer 2021-10-04 10:49:22 -0700 <rdar://problem/83842976> 1801561 3 timocov 2021-10-07 04:16:26 -0700 Is it possible to disable this feature from iOS app somehow? We have a lot of users which are facing this issue in our app continuously and most likely the issue is not with what we render there. We’re continue getting negative reviews in the store because of that. Or maybe disable this feature in the following patch-release until all issues regarding this will be fixed? 1803666 4 bdon 2021-10-13 00:44:24 -0700 Hi, Thanks for creating this example page. I was able to modify it to be more specific, please see these links to 8 different test cases: https://bdon.github.io/protomaps-experiments/safari15/ JavaScript code is here: https://github.com/bdon/protomaps-experiments/tree/master/safari15 In each frame it does 2 things: 1. it strokes or fills a path with N subpaths, where N can be controlled by the URL query parameter “count”. The subpaths are each a filled circle, a stroked line with 2 vertices, a triangle or a quad. 2. It fillRects 1000 times with random height. This # of 1000 does not seem to matter. For each case, there is an exact value of the # of subpaths N at which the hanging/crash will reproduce immediately; below this # there is no issue. For arc filling, it hangs at 400 arcs For line drawing, it hangs at 2728 lines For triangles, it hangs at 1819 triangles For quads, it hangs at 1364 quads It seems like exactly 5,456 vertices in a single path draw call is causing the crash. If the 2nd part, 1000 fillRects, is left out, it also works fine. I can reproduce this perfectly on 3 devices of varying specs: x86 MacBook, iPhone XS and iPad Air 2. 1809956 5 heycam 2021-10-28 21:22:08 -0700 *** Bug 230751 has been marked as a duplicate of this bug. *** 1833020 6 wenson_hsieh 2022-01-22 10:35:12 -0800 This is fixed on trunk, after r284079. 1839008 7 bfulgham 2022-02-08 21:09:29 -0800 This change should be present in STP 139, iOS 15.4 Beta, and macOS 12.3 Beta. 1841662 8 bdon 2022-02-15 05:20:12 -0800 Confirming that STP 139+ resolves this for us in both isolated test case and real-world application. Thank you WebKit team! 440038 2021-10-04 01:37:16 -0700 2021-10-04 01:37:16 -0700 The page you need to open to get a safari crashed safari-crash.html text/html 1368 timocov PGh0bWw+Cgk8aGVhZD4KCQk8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4KCQkJZnVuY3Rp b24gaW5pdCgpIHsKCQkJCWNvbnN0IGNhbnZhcyA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImNh bnZhcyIpOwoJCQkJY2FudmFzLnN0eWxlLndpZHRoID0gIjgwMHB4IjsKCQkJCWNhbnZhcy5zdHls ZS5oZWlnaHQgPSAiNjAwcHgiOwoJCQkJY2FudmFzLndpZHRoID0gMTYwMDsKCQkJCWNhbnZhcy5o ZWlnaHQgPSAxMjAwOwoJCQkJZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChjYW52YXMpOwoJCQkJ bGV0IGZpcnN0ID0gbnVsbDsKCQkJCWNvbnN0IHJhZGl1cyA9IDI7CgkJCQljb25zdCBwYWludCA9 IChzdGVwKSA9PiB7CgkJCQkJZmlyc3QgPSBmaXJzdCA/PyBzdGVwOwoKCQkJCQljb25zdCBkaWZm ID0gKHN0ZXAgLSBmaXJzdCkgLyA1MDsKCQkJCQljb25zdCBjdHggPSBjYW52YXMuZ2V0Q29udGV4 dCgiMmQiKTsKCgkJCQkJY3R4LmNsZWFyUmVjdCgwLCAwLCAxNjAwLCAxMjAwKTsKCgkJCQkJZm9y IChsZXQgayA9IDA7IGsgPCAzOyBrKyspIHsKCQkJCQkJY3R4LmZpbGxTdHlsZSA9IFsncmdiYSg3 NiwgMTc1LCA4MCwgMC41KScsICdyZ2JhKDE3NiwgMTc1LCA4MCwgMC41KScsICdyZ2JhKDc2LCAx NzUsIDE4MCwgMC41KSddW2tdOwoJCQkJCQljdHguYmVnaW5QYXRoKCk7CgkJCQkJCWZvciAobGV0 IGogPSAwOyBqIDwgNTAwMDsgaisrKSB7CgkJCQkJCQljb25zdCB4ID0gMTYwMCAtIGogKiAyICog MC4yOwoJCQkJCQkJY29uc3QgeSA9IDMwMCAqIChrICsgMSkgKyAxMDAgKiBNYXRoLnNpbigoaiAr IGRpZmYpICogTWF0aC5QSSAvIDUwMCk7CgkJCQkJCQljdHgubW92ZVRvKHggKyByYWRpdXMsIHkp OwoJCQkJCQkJY3R4LmFyYyh4LCB5LCByYWRpdXMsIDAsIE1hdGguUEkgKiAyLCBmYWxzZSk7CgkJ CQkJCX0KCgkJCQkJCWN0eC5maWxsKCk7CgoJCQkJCQlmb3IgKGxldCBqID0gMDsgaiA8IDUwMDA7 IGorKykgewoJCQkJCQkJY29uc3QgeCA9IDE2MDAgLSBqICogMiAqIDAuMjsKCQkJCQkJCWNvbnN0 IHkgPSAzMDAgKiAoayArIDEpICsgMTAwICogTWF0aC5zaW4oKGogKyBkaWZmKSAqIE1hdGguUEkg LyA1MDApOwoJCQkJCQkJY29uc3QgaGVpZ2h0ID0gTWF0aC5yYW5kb20oKSAqIDEwMDsKCQkJCQkJ CWN0eC5maWxsU3R5bGUgPSAncmVkJzsKCQkJCQkJCWN0eC5maWxsUmVjdCh4LCB4ICsgMC4yLCAw LjIsIGhlaWdodCk7CgkJCQkJCX0KCQkJCQl9CgoJCQkJCXJlcXVlc3RBbmltYXRpb25GcmFtZShw YWludCk7CgkJCQl9OwoKCQkJCXJlcXVlc3RBbmltYXRpb25GcmFtZShwYWludCk7CgkJCX0KCQk8 L3NjcmlwdD4KCTwvaGVhZD4KCTxib2R5IG9ubG9hZD0iaW5pdCgpIj48L2JvZHk+CjwvaHRtbD4K