Bug 223690

Summary: [iOS] Reproducible crash in Interpreter::executeCall
Product: WebKit
Reporter: Glenn Croes <glenn.croes>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: fpizlo, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Safari 14
Hardware: iPhone / iPad
OS: iOS 14
URL: https://demo.luciad.com/wasm-benchmark/2021.0/?webgl&reference=EPSG:4978
Attachments:
- Chrome iPad crash log (Flags: none)
- iPhone Safari crash log (Flags: none)

Description Glenn Croes 2021-03-24 07:21:50 PDT
Created attachment 424131 [details]
Chrome iPad crash log

Hi,

Some context: We make an API to visualize 3D geospatial data. For our upcoming release we switched our C++ transpiled rendering backend to WASM (from asm.js) and we've noticed that applications that use our 3D WebGL-accelerated maps now crash on iOS.

The issue can be reproduced by opening https://demo.luciad.com/wasm-benchmark/2021.0/?webgl&reference=EPSG:4978 on an iOS device (or a simulator).
The crash happens shortly after the page has loaded / JS code is being executed. After the page has crashed, the page reloads and crashes again.
The issue can be reproduced on iOS Chrome, Safari and Firefox.


We're not exactly sure what triggers it, as it's pretty hard to debug these kinds of crashes.
It might or might not be related to the switch to WASM.


I've included one of the logs as an attachment (Chrome on iPad).
I can share more logs if necessary, but they all report a similar SIGSEGV fault.
Comment 1 Glenn Croes 2021-03-24 07:23:40 PDT
Created attachment 424132 [details]
iPhone Safari crash log
Comment 2 Alexey Proskuryakov 2021-03-24 09:30:18 PDT
I can reproduce this crash with iOS 14.5 beta.

Thread 24 Crashed:
0   JavaScriptCore                	0x00000001af95a2c0 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 508
1   JavaScriptCore                	0x00000001af95a2ac JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 488
2   JavaScriptCore                	0x00000001afbcc378 JSC::callGetter(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue) + 212
3   JavaScriptCore                	0x00000001afa3051c JSC::LLInt::performLLIntGetByID(JSC::Instruction const*, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) + 1988
4   JavaScriptCore                	0x00000001afa2fc6c llint_slow_path_get_by_id + 296
5   JavaScriptCore                	0x00000001af323e70 llint_entry + 45104
6   JavaScriptCore                	0x00000001af33d1a4 llint_entry + 148324
7   JavaScriptCore                	0x00000001af318b94 vmEntryToJavaScript + 276
8   JavaScriptCore                	0x00000001af95a2ac JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 488
9   JavaScriptCore                	0x00000001afb671e0 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 176
10  WebCore                       	0x00000001b3b2ccc0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1528
Comment 3 Radar WebKit Bug Importer 2021-03-24 09:30:48 PDT
<rdar://problem/75788717>
Comment 4 Glenn Croes 2021-04-08 06:56:43 PDT
I'm glad to see you were able to reproduce this issue.

Do you already have an idea what triggers this? If so, we could probably work around the issue, so we can ship our upcoming release without having to disappoint customers that are targeting iOS. We also wouldn't be blocked by a fix being implemented / available on a stable iOS release.

Any feedback or pointers would be greatly appreciated.
Comment 5 Yusuke Suzuki 2021-04-10 01:42:44 PDT
I think this is likely https://bugs.webkit.org/show_bug.cgi?id=223491
Comment 6 Yusuke Suzuki 2021-04-10 02:03:49 PDT
Yup! I've ensured that this is a dupe of bug 223491 :)
Thanks for your report!

*** This bug has been marked as a duplicate of bug 223491 ***