Bug 231157 - Safari crashes when GPU Process: Canvas Rendering is enabled with large paths
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: Safari 15
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Duplicates: 230751
Reported: 2021-10-04 01:37 PDT by timocov
Modified: 2022-02-15 05:20 PST

Attachments
The page you need to open to get a safari crashed (1.34 KB, text/html)
2021-10-04 01:37 PDT, timocov
Description timocov 2021-10-04 01:37:16 PDT
Created attachment 440038
The page you need to open to get a safari crashed

0. It seems that since iOS v15 the option "GPU Process: Canvas Rendering" is enabled by default, but if it is disabled, go to Settings and enable it explicitly
1. Open the page https://bl.ocks.org/timocov/raw/648966ce5c57492e82864b4d78a7c1cb/?raw=true (the same page in attachments or here https://gist.github.com/timocov/648966ce5c57492e82864b4d78a7c1cb)
2. Wait some time until the page crashes

If you disable this page, everything will be good and there is no page crash.

On iOS 15.1 the issue still persists.
Comment 1 Alexey Proskuryakov 2021-10-04 10:48:43 PDT
I can reproduce, getting this:

Requesting termination of web process 1779 for reason: "Detected invalid display list item or extent"
Comment 2 Radar WebKit Bug Importer 2021-10-04 10:49:22 PDT
<rdar://problem/83842976>
Comment 3 timocov 2021-10-07 04:16:26 PDT
Is it possible to disable this feature from an iOS app somehow? We have a lot of users who are facing this issue in our app continuously and most likely the issue is not with what we render there. We continue getting negative reviews in the store because of that. Or maybe disable this feature in the following patch release until all issues regarding this are fixed?
Comment 4 Brandon Liu 2021-10-13 00:44:24 PDT
Hi,

Thanks for creating this example page. I was able to modify it to be more specific; please see these links to 8 different test cases:

https://bdon.github.io/protomaps-experiments/safari15/

JavaScript code is here: https://github.com/bdon/protomaps-experiments/tree/master/safari15

In each frame it does 2 things:
1. It strokes or fills a path with N subpaths, where N can be controlled by the URL query parameter “count”. The subpaths are each a filled circle, a stroked line with 2 vertices, a triangle or a quad.
2. It fillRects 1000 times with random height. This # of 1000 does not seem to matter.

For each case, there is an exact value of the # of subpaths N at which the hanging/crash will reproduce immediately; below this # there is no issue.

For arc filling, it hangs at 400 arcs
For line drawing, it hangs at 2728 lines
For triangles, it hangs at 1819 triangles
For quads, it hangs at 1364 quads

It seems like exactly 5,456 vertices in a single path draw call is causing the crash. If the 2nd part, 1000 fillRects, is left out, it also works fine. 

I can reproduce this perfectly on 3 devices of varying specs: x86 MacBook, iPhone XS and iPad Air 2.
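
An added example, not code from the linked test pages or from WebKit: it builds the frame comment 4 describes against a call-counting stand-in for a 2D context, and checks that the reported line, triangle and quad thresholds are each the smallest subpath count that reaches 5,456 vertices. The names `SHAPES`, `buildPath`, `drawFrame`, `firstCountReaching` and `recorder`, and the exact drawing calls per shape, are assumptions.

```javascript
// Added example: all names and the per-shape geometry are hypothetical.
// Vertex offsets for one subpath. Arcs are left out because the page gives
// no per-arc vertex count.
const SHAPES = {
  line: [[0, 0], [10, 10]],
  triangle: [[0, 0], [10, 0], [5, 10]],
  quad: [[0, 0], [10, 0], [10, 10], [0, 10]],
};

// Append `count` subpaths of `shape` to one path on a Canvas 2D-like context
// and return the number of vertices that went into that single path.
function buildPath(ctx, shape, count, rand = Math.random) {
  const pts = SHAPES[shape];
  if (!pts) throw new RangeError(`unknown shape: ${shape}`);
  ctx.beginPath();
  for (let i = 0; i < count; i++) {
    const x = rand() * 500, y = rand() * 500;
    pts.forEach(([dx, dy], k) =>
      (k ? ctx.lineTo(x + dx, y + dy) : ctx.moveTo(x + dx, y + dy)));
    if (pts.length > 2) ctx.closePath();
  }
  return count * pts.length;
}

// One frame as described: a single stroke or fill of the large path,
// followed by 1000 fillRect calls of random height.
function drawFrame(ctx, shape, count, rand = Math.random) {
  const vertices = buildPath(ctx, shape, count, rand);
  if (shape === 'line') ctx.stroke(); else ctx.fill();
  for (let i = 0; i < 1000; i++) ctx.fillRect(i % 500, 0, 1, rand() * 500);
  return vertices;
}

// Smallest subpath count whose single path reaches `limit` vertices.
function firstCountReaching(limit, shape) {
  return Math.ceil(limit / SHAPES[shape].length);
}

// Stand-in context that only counts method calls, so the frame logic can be
// checked without a browser. Pass a real 2D context to draw instead.
function recorder() {
  const calls = {};
  return new Proxy({}, {
    get: (_target, name) => (name === 'calls' ? calls
      : () => { calls[name] = (calls[name] || 0) + 1; }),
  });
}
```

With a 5,456-vertex limit the helper returns 2728 lines, 1819 triangles and 1364 quads, the three counts reported above; the triangle case lands on 5,457 vertices because 1818 triangles give only 5,454.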
Comment 5 Cameron McCormack (:heycam) 2021-10-28 21:22:08 PDT
*** Bug 230751 has been marked as a duplicate of this bug. ***
Comment 6 Wenson Hsieh 2022-01-22 10:35:12 PST
This is fixed on trunk, after r284079.
Comment 7 Brent Fulgham 2022-02-08 21:09:29 PST
This change should be present in STP 139, iOS 15.4 Beta, and macOS 12.3 Beta.
Comment 8 Brandon Liu 2022-02-15 05:20:12 PST
Confirming that STP 139+ resolves this for us in both isolated test case and real-world application. Thank you WebKit team!