293832 2025-05-30 15:00:20 -0700 Page using wasm-gc ref.test instruction crashes in iOS Safari 2025-06-05 14:43:30 -0700 1 1 1 Unclassified WebKit WebAssembly Safari 18 iPhone / iPad iOS 18 RESOLVED FIXED InRadar P2 Normal --- 1 roberthoodchatham webkit-unassigned keith_miller webkit-bug-importer ysuzuki oldest_to_newest 2120800 0 roberthoodchatham 2025-05-30 15:00:20 -0700 The following website fails to load in Safari in iOS. It loads fine in Safari on desktop and also in other browsers. https://pyodide.org/en/0.27.1/console.html It was fixed by adding these lines that avoid using ref.test in Safari iOS: https://github.com/python/cpython/blob/main/Python/emscripten_trampoline.c#L74-L77 The version with the fix: https://pyodide.org/en/0.27.3/console.html 2120813 1 roberthoodchatham 2025-05-30 15:40:27 -0700 I can reproduce the problem 2120815 2 roberthoodchatham 2025-05-30 15:46:56 -0700 Here's a minimalish reproducer: ``` <!doctype html> <html> <head> <meta charset="UTF-8" /> </head> <body> <div> Result is: </div> <div id="result"> </div> <script type="module"> function sleep(ms) { return new Promise(res => setTimeout(res, ms)); } // Try to initialize countArgsFunc const code = new Uint8Array([ 0x00, 0x61, 0x73, 0x6d, // \0asm magic number 0x01, 0x00, 0x00, 0x00, // version 1 0x01, 0x1b, // Type section, body is 0x1b bytes 0x05, // 6 entries 0x60, 0x00, 0x01, 0x7f, // (type $type0 (func (param) (result i32))) 0x60, 0x01, 0x7f, 0x01, 0x7f, // (type $type1 (func (param i32) (result i32))) 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f, // (type $type2 (func (param i32 i32) (result i32))) 0x60, 0x03, 0x7f, 0x7f, 0x7f, 0x01, 0x7f, // (type $type3 (func (param i32 i32 i32) (result i32))) 0x60, 0x01, 0x7f, 0x00, // (type $blocktype (func (param i32) (result))) 0x02, 0x09, // Import section, 0x9 byte body 0x01, // 1 import (table $funcs (import "e" "t") 0 funcref) 0x01, 0x65, // "e" 0x01, 0x74, // "t" 0x01, // importing a table 0x70, // of entry type funcref 0x00, 0x00, // table limits: no max, min of 0 0x03, 0x02, // Function section 0x01, 0x01, // We're going to define one function of type 1 (func (param i32) (result i32)) 0x07, 0x05, // export section 0x01, // 1 export 0x01, 0x66, // called "f" 0x00, // a function 0x00, // at index 0 0x0a, 0x44, // Code section, 0x01, 0x42, // one entry of length 50 0x01, 0x01, 0x70, // one local of type funcref // Body of the function 0x20, 0x00, // local.get $fptr 0x25, 0x00, // table.get $funcs 0x22, 0x01, // local.tee $fref 0xfb, 0x14, 0x03, // ref.test $type3 0x02, 0x04, // block $b (type $blocktype) 0x45, // i32.eqz 0x0d, 0x00, // br_if $b 0x41, 0x03, // i32.const 3 0x0f, // return 0x0b, // end block 0x20, 0x01, // local.get $fref 0xfb, 0x14, 0x02, // ref.test $type2 0x02, 0x04, // block $b (type $blocktype) 0x45, // i32.eqz 0x0d, 0x00, // br_if $b 0x41, 0x02, // i32.const 2 0x0f, // return 0x0b, // end block 0x20, 0x01, // local.get $fref 0xfb, 0x14, 0x01, // ref.test $type1 0x02, 0x04, // block $b (type $blocktype) 0x45, // i32.eqz 0x0d, 0x00, // br_if $b 0x41, 0x01, // i32.const 1 0x0f, // return 0x0b, // end block 0x20, 0x01, // local.get $fref 0xfb, 0x14, 0x00, // ref.test $type0 0x02, 0x04, // block $b (type $blocktype) 0x45, // i32.eqz 0x0d, 0x00, // br_if $b 0x41, 0x00, // i32.const 0 0x0f, // return 0x0b, // end block 0x41, 0x7f, // i32.const -1 0x0b // end function ]); const mod = new WebAssembly.Module(code); const wasmTable = new WebAssembly.Table({element: "anyfunc", initial: 2}); const inst = new WebAssembly.Instance(mod, { e: { t: wasmTable } }); wasmTable.set(0, inst.exports.f); const f = inst.exports.f; for (let i = 0; i < 10000; i++) { document.querySelector("#result").innerText = `${i}: ${f(0)}`; if (i % 1000 === 0) { await sleep(100); } } </script> </body> ``` 2120816 3 roberthoodchatham 2025-05-30 15:49:03 -0700 Deployed this here: https://wasm-gc-test.pages.dev/ 2121988 4 ysuzuki 2025-06-05 13:51:53 -0700 Likely a dupe of bug 293113 :) 2121989 5 webkit-bug-importer 2025-06-05 13:51:59 -0700 <rdar://problem/152674966> 2122008 6 ysuzuki 2025-06-05 14:42:49 -0700 Yes, it was a dupe. 2122009 7 ysuzuki 2025-06-05 14:42:52 -0700 *** This bug has been marked as a duplicate of bug 293113 *** 2122011 8 roberthoodchatham 2025-06-05 14:43:30 -0700 Thanks!