<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>275160</bug_id>
          
          <creation_ts>2024-06-05 08:00:28 -0700</creation_ts>
          <short_desc>REGRESSION (iOS 17.5): Method call silently fails since iOS 17.5 / macOS 14.5 after a warmup period</short_desc>
          <delta_ts>2024-06-06 20:01:37 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>JavaScriptCore</component>
          <version>Safari 17</version>
          <rep_platform>All</rep_platform>
          <op_sys>iOS 17</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Major</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Jekfer Bichon">jekfer.bichon</reporter>
          <assigned_to name="Yusuke Suzuki">ysuzuki</assigned_to>
          <cc>ahmad.saleem792</cc>
    
    <cc>jarred</cc>
    
    <cc>keith_miller</cc>
    
    <cc>mark.lam</cc>
    
    <cc>sosuke</cc>
    
    <cc>webkit-bug-importer</cc>
    
    <cc>ysuzuki</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>2039858</commentid>
    <comment_count>0</comment_count>
      <attachid>471592</attachid>
    <who name="Jekfer Bichon">jekfer.bichon</who>
    <bug_when>2024-06-05 08:00:28 -0700</bug_when>
    <thetext>Created attachment 471592
Sample to reproduce the issue

Hello,

We have discovered quite a vicious bug after we updated to iOS 17.5 and macOS 14.5.
As I cannot share proprietary code with you, I have created and attached a small sample, with some comments, where the problem is visible.

In the sample, I have two loops that copy the contents of two typed arrays into a bigger typed array. In the first loop, I allow the index to go out of bounds; in the second loop, I don&apos;t.
This code, after a warmup period, starts to fail silently, with the target typed array containing only 0s. The first few hundred iterations work as expected.
On other OSs and browsers, going out of bounds returns the &quot;undefined&quot; value, which was also the case on iOS and macOS before we updated to the latest versions.

What I suspect is that the engine optimizes the code after warming up and that the optimized code seems unable to handle this situation. Worse, the second loop, where I don&apos;t allow the index to go out of bounds, also starts failing silently, but if you comment out the first loop, the second one never fails. If you put a breakpoint inside the copying method, the whole code becomes functional for a short period of time before starting to fail again. This behavior makes the debugging process quite frustrating, as trying to observe the issue makes it disappear.

This behavior is a regression compared to previously released iOS and MacOS versions.

Thanks.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2039949</commentid>
    <comment_count>1</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2024-06-05 14:09:52 -0700</bug_when>
    <thetext>&lt;rdar://problem/129303210&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2040003</commentid>
    <comment_count>2</comment_count>
    <who name="Ahmad Saleem">ahmad.saleem792</who>
    <bug_when>2024-06-05 20:12:37 -0700</bug_when>
    <thetext>It is happening on WebKit ToT (279763@main) as well.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2040051</commentid>
    <comment_count>3</comment_count>
    <who name="Jarred Sumner">jarred</who>
    <bug_when>2024-06-06 02:00:54 -0700</bug_when>
    <thetext>Possibly caused by https://bugs.webkit.org/show_bug.cgi?id=272107, based on this diff between https://github.com/oven-sh/WebKit/compare/autobuild-2475726ed0329ab2d2a92daf73e12ee1e485d575...autobuild-e3a2d89a0b1644cc8d5c245bd2ffee4d4bd6c1d5

This bug reproduces starting in Bun v1.1.2, and in the jsc shell.

```
❯ bun-1.1.2 repero.js
{&quot;success&quot;:331,&quot;fail&quot;:169}
{&quot;success&quot;:331,&quot;fail&quot;:669}
{&quot;success&quot;:331,&quot;fail&quot;:1169}
{&quot;success&quot;:331,&quot;fail&quot;:1669}
{&quot;success&quot;:331,&quot;fail&quot;:2169}
{&quot;success&quot;:331,&quot;fail&quot;:2669}
{&quot;success&quot;:331,&quot;fail&quot;:3169}
{&quot;success&quot;:331,&quot;fail&quot;:3669}
{&quot;success&quot;:331,&quot;fail&quot;:4169}
{&quot;success&quot;:331,&quot;fail&quot;:4669}
{&quot;success&quot;:331,&quot;fail&quot;:5169}
{&quot;success&quot;:331,&quot;fail&quot;:5669}
{&quot;success&quot;:331,&quot;fail&quot;:6169}
{&quot;success&quot;:331,&quot;fail&quot;:6669}
{&quot;success&quot;:331,&quot;fail&quot;:7169}
{&quot;success&quot;:331,&quot;fail&quot;:7669}
{&quot;success&quot;:331,&quot;fail&quot;:8169}
{&quot;success&quot;:331,&quot;fail&quot;:8669}
{&quot;success&quot;:331,&quot;fail&quot;:9169}
```

```
❯ bun-1.1.1 repero.js
{&quot;success&quot;:500,&quot;fail&quot;:0}
{&quot;success&quot;:1000,&quot;fail&quot;:0}
{&quot;success&quot;:1500,&quot;fail&quot;:0}
{&quot;success&quot;:2000,&quot;fail&quot;:0}
{&quot;success&quot;:2500,&quot;fail&quot;:0}
{&quot;success&quot;:3000,&quot;fail&quot;:0}
{&quot;success&quot;:3500,&quot;fail&quot;:0}
{&quot;success&quot;:4000,&quot;fail&quot;:0}
{&quot;success&quot;:4500,&quot;fail&quot;:0}
{&quot;success&quot;:5000,&quot;fail&quot;:0}
{&quot;success&quot;:5500,&quot;fail&quot;:0}
{&quot;success&quot;:6000,&quot;fail&quot;:0}
{&quot;success&quot;:6500,&quot;fail&quot;:0}
{&quot;success&quot;:7000,&quot;fail&quot;:0}
{&quot;success&quot;:7500,&quot;fail&quot;:0}
{&quot;success&quot;:8000,&quot;fail&quot;:0}
{&quot;success&quot;:8500,&quot;fail&quot;:0}
{&quot;success&quot;:9000,&quot;fail&quot;:0}
{&quot;success&quot;:9500,&quot;fail&quot;:0}
```

Code that runs in the jsc shell and in Bun, without Safari:

```
globalThis.console ??= {};
console.log ??= print;

var cb;
globalThis.setInterval ||= function setInterval(cb, ms) {
  function iter() {
    setTimeout(iter, ms);
    cb &amp;&amp; cb();
  }

  setTimeout(iter, ms);
};

setInterval(() =&gt; {
  cb &amp;&amp; cb();
}, 16);

function requestAnimationFrame(callback) {
  cb = callback;
}

function copyFromSrcToTgt({
  count,
  size,
  srcBuffer,
  srcOffset,
  srcStride,
  tgtBuffer,
  tgtOffset,
  tgtStride,
}) {
  const source_buffer = new Uint32Array(srcBuffer, srcOffset);
  const target_buffer = new Uint32Array(tgtBuffer, tgtOffset);

  for (let v = 0; v &lt; count; v++) {
    const src_base = (v * srcStride) / 4;
    const tgt_base = (v * tgtStride) / 4;
    for (let k = 0; k &lt; size / 4; k++) {
      target_buffer[tgt_base + k] = source_buffer[src_base + k];
    }
  }
}
let buffersNotAligned = [];
for (let i = 0; i &lt; 500; i++) {
  let typedBuffer = new Float32Array(i % 2 === 0 ? 900 : 810);
  typedBuffer.fill(i + 1);
  buffersNotAligned.push(typedBuffer);
}

let buffersAligned = [];
for (let i = 0; i &lt; 500; i++) {
  let typedBuffer = new Float32Array(900);
  typedBuffer.fill(i + 1);
  buffersAligned.push(typedBuffer);
}
let success = 0;
let fail = 0;
function doCopyOperation(buffers) {
  for (let i = 0; i &lt; buffers.length; i += 2) {
    let buffer1 = buffers[i];
    let buffer2 = buffers[i + 1];
    let dstBuffer = new Float32Array(
      2 * Math.max(buffer1.length, buffer2.length)
    );
    copyFromSrcToTgt({
      count: buffer1.length / 3,
      size: 3 * 4, // byte size of 3 float 32
      srcBuffer: buffer1.buffer,
      tgtBuffer: dstBuffer.buffer,
      srcOffset: 0,
      srcStride: 12,
      tgtOffset: 0,
      tgtStride: 24,
    });
    copyFromSrcToTgt({
      // This is a deliberate mistake so that we can go out of bound for buffer2, which should yield undefined values
      // using buffer2.length instead fixes the problem but the sample has been made to showcase the issue
      // Going out of bound works fine on Win, Linux and Android, was also working fine on MacOS before 14.5 and iOS before 17.5
      // It also works fine on current MacOS and iOS for a period
      count: buffer1.length / 3,
      size: 3 * 4, // byte size of 3 float 32
      srcBuffer: buffer2.buffer,
      tgtBuffer: dstBuffer.buffer,
      srcOffset: 0,
      srcStride: 12,
      tgtOffset: 12,
      tgtStride: 24,
    });
    if (dstBuffer[0] === 0) {
      fail++;
    } else {
      success++;
    }
  }
}
function doOperation() {
  // This fails after a warm up period
  doCopyOperation(buffersNotAligned);
  // This should always work, but also starts failing after a warm up period, if the previous line is commented, this never fails
  doCopyOperation(buffersAligned);
  console.log(
    JSON.stringify({
      success,
      fail,
    })
  );
  if (success &gt; 1e6 || fail &gt; 1e6) {
    return;
  }
  requestAnimationFrame(doOperation);
}
requestAnimationFrame(doOperation);
```</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2040151</commentid>
    <comment_count>4</comment_count>
    <who name="Yusuke Suzuki">ysuzuki</who>
    <bug_when>2024-06-06 14:03:06 -0700</bug_when>
    <thetext>Pull request: https://github.com/WebKit/WebKit/pull/29590</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>2040219</commentid>
    <comment_count>5</comment_count>
    <who name="EWS">ews-feeder</who>
    <bug_when>2024-06-06 20:01:35 -0700</bug_when>
    <thetext>Committed 279790@main (8f9d6d2b9c5f): &lt;https://commits.webkit.org/279790@main&gt;

Reviewed commits have been landed. Closing PR #29590 and removing active labels.</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="0"
              isprivate="0"
          >
            <attachid>471592</attachid>
            <date>2024-06-05 08:00:28 -0700</date>
            <delta_ts>2024-06-05 08:00:28 -0700</delta_ts>
            <desc>Sample to reproduce the issue</desc>
            <filename>RegShowCase.html</filename>
            <type>text/html</type>
            <size>3665</size>
            <attacher name="Jekfer Bichon">jekfer.bichon</attacher>
            

          </attachment>
      

    </bug>

</bugzilla>