Bug 231423 - SIGSEGV when creating WebGL context in Safari 15.0, crashes tab completely
Summary: SIGSEGV when creating WebGL context in Safari 15.0, crashes tab completely
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebGL
Version: Safari 15
Hardware: Mac (Intel) macOS 11
Importance: P1 Blocker
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-10-08 04:48 PDT by Will Morgan
Modified: 2021-10-21 02:05 PDT
CC: 8 users

See Also:


Attachments
com.apple.WebKit.WebContent_2021-10-08-124039_Mac.crash (147.81 KB, text/plain)
2021-10-08 04:48 PDT, Will Morgan
no flags

Description Will Morgan 2021-10-08 04:48:39 PDT
Created attachment 440593
com.apple.WebKit.WebContent_2021-10-08-124039_Mac.crash

Hi,

Safari 15 is now crashing the tab when creating a WebGL canvas context. This is now blocking all users of Safari 15 from using our, and our customers', web apps.


Unfortunately no console logs are available, but here is what the system console says - full log attached:

Process:               com.apple.WebKit.WebContent [87508]
Path:                  /Library/Apple/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
Identifier:            com.apple.WebKit.WebContent
Version:               16612 (16612.1.29.41.4)
Build Info:            WebKit-7612001029041004~8 (612A78a)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Safari [87045]
User ID:               501

Date/Time:             2021-10-08 12:40:34.829 +0100
OS Version:            macOS 11.6 (20G165)
Report Version:        12
Bridge OS Version:     3.0 (14Y908)
Anonymous UUID:        EE8A9404-E3A7-470C-9EC2-1B968DC00E20

Sleep/Wake UUID:       B189040B-3AF0-490F-B83B-9312801AD26E

Time Awake Since Boot: 400000 seconds
Time Since Wake:       13000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [87508]

VM Regions Near 0:
--> 
    __TEXT                      1070ca000-1070ce000    [   16K] r-x/r-x SM=COW  /Library/Apple/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000005b8cd793c WebCore::GraphicsContextGLOpenGL::reshapeDisplayBufferBacking() + 188
1   com.apple.WebCore             	0x00000005b82dd243 WebCore::GraphicsContextGLOpenGL::reshapeFBOs(WebCore::IntSize const&) + 451
2   com.apple.WebCore             	0x00000005b82df2c3 WebCore::GraphicsContextGLOpenGL::reshape(int, int) + 547
3   com.apple.WebCore             	0x00000005b96cdfe4 WebCore::WebGLRenderingContextBase::initializeNewContext() + 2324
4   com.apple.WebCore             	0x00000005b96d9312 WebCore::WebGLRenderingContextBase::create(WebCore::CanvasBase&, WebCore::GraphicsContextGLAttributes&, WebCore::GraphicsContextGLWebGLVersion) + 2882
5   com.apple.WebCore             	0x00000005b959325a WebCore::HTMLCanvasElement::createContextWebGL(WebCore::GraphicsContextGLWebGLVersion, WebCore::GraphicsContextGLAttributes&&) + 330
6   com.apple.WebCore             	0x00000005b9592e92 WebCore::HTMLCanvasElement::getContext(JSC::JSGlobalObject&, WTF::String const&, WTF::Vector<JSC::Strong<JSC::Unknown, (JSC::ShouldStrongDestructorGrabLock)0>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) + 1186
7   com.apple.WebCore             	0x00000005b8640b6b WebCore::jsHTMLCanvasElementPrototypeFunction_getContext(JSC::JSGlobalObject*, JSC::CallFrame*) + 411
8   ???                           	0x00004632a1a011d8 0 + 77183273931224
9   com.apple.JavaScriptCore      	0x00000005bc49ac4e llint_entry + 112071
10  com.apple.JavaScriptCore      	0x00000005bc49b939 llint_entry + 115378
11  com.apple.JavaScriptCore      	0x00000005bc49ac4e llint_entry + 112071
12  com.apple.JavaScriptCore      	0x00000005bc49ac4e llint_entry + 112071
13  com.apple.JavaScriptCore      	0x00000005bc49abc9 llint_entry + 111938
14  com.apple.JavaScriptCore      	0x00000005bc49abc9 llint_entry + 111938
15  com.apple.JavaScriptCore      	0x00000005bc49abc9 llint_entry + 111938
16  com.apple.JavaScriptCore      	0x00000005bc49ac4e llint_entry + 112071
17  com.apple.JavaScriptCore      	0x00000005bc49ac4e llint_entry + 112071
18  com.apple.JavaScriptCore      	0x00000005bc47f486 vmEntryToJavaScript + 216
Comment 1 Will Morgan 2021-10-08 05:06:30 PDT
This can be reproduced reliably on the websites listed on this GitHub issue thread: https://github.com/mrdoob/three.js/issues/22582

Some examples: 

  - https://www.aquarium.ru/en
  - https://billie.withyoutube.com
  - https://voiceofracism.co.nz
  - https://augmentedperception.github.io/deepviewvideo/
Comment 2 Kimmo Kinnunen 2021-10-08 05:55:04 PDT
Thanks for the report. This has since been fixed and will be shipped in the upcoming releases.

*** This bug has been marked as a duplicate of bug 229309 ***
Comment 3 Kimmo Kinnunen 2021-10-08 05:55:30 PDT
The workaround is to not request WebXR context.
Comment 4 Will Morgan 2021-10-08 08:06:43 PDT
Hi Kimmo,

I'm not able to see that ticket, but our product is using WebGL, not WebXR.

Do you mean that we should not use WebGL or WebXR at all?

In any case, we and our customers would appreciate an update about when the fix, in whatever form it may take, will be shipped?

Thanks.
Comment 5 Kenneth Russell 2021-10-08 13:52:42 PDT
Will: these samples
Comment 6 Kenneth Russell 2021-10-08 13:57:20 PDT
...oops, accidentally saved incomplete comment.

Will: these samples are specifying the WebGL context creation attribute:

  xrCompatible: true

and there was a bug in Safari's handling of this attribute. Hoping this is already better tested on WebKit's EWS bots.
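As an added illustration of the workaround Kimmo and Ken describe (an editor's example, not code from the reporter, from three.js, or from WebKit): create the WebGL context without `xrCompatible: true`, and opt into XR compatibility only when the page is actually about to start an immersive session, using `makeXRCompatible()` from the WebXR Device API on the already-created context. The `canvasLike` and `navigatorLike` parameters and the `makeFakeCanvas` stand-in are this example's own injection points so the attribute logic can be exercised outside a browser; trying `webgl2` before `webgl` is an assumption about the app's preference.

```javascript
// Editor's added example (not from the bug thread, three.js, or WebKit):
// request a WebGL context WITHOUT `xrCompatible: true` unless the page
// really needs WebXR, since that attribute is what triggered the crash.
// `canvasLike` / `navigatorLike` are injected so this logic also runs in Node.

function buildContextAttributes(wantXR, navigatorLike, base = {}) {
  const attrs = { ...base };
  // Drop any xrCompatible flag a caller copied in from a sample; only set it
  // when the app intends to enter XR and the browser actually exposes WebXR.
  delete attrs.xrCompatible;
  if (wantXR && navigatorLike && navigatorLike.xr) {
    attrs.xrCompatible = true;
  }
  return attrs;
}

function createWebGLContext(canvasLike, options = {}) {
  const { wantXR = false, navigatorLike = globalThis.navigator, base = {} } = options;
  const attrs = buildContextAttributes(wantXR, navigatorLike, base);
  // Prefer WebGL 2, fall back to WebGL 1 (this ordering is the example's assumption).
  const gl = canvasLike.getContext('webgl2', attrs) || canvasLike.getContext('webgl', attrs);
  return gl ? { gl, attrs } : null;
}

// Later, only when an immersive session is about to start: upgrade the
// existing context via the WebXR Device API's makeXRCompatible(), which
// returns a Promise. Browsers without WebXR simply lack the method.
async function ensureXRCompatible(gl) {
  if (gl && typeof gl.makeXRCompatible === 'function') {
    await gl.makeXRCompatible();
    return true;
  }
  return false; // no WebXR on this browser; caller skips the XR path
}

// Constructed stand-in for a <canvas>, so the module runs outside a browser.
// `supported` lists which context types the fake "browser" can create.
function makeFakeCanvas(supported = ['webgl']) {
  const calls = [];
  return {
    calls,
    getContext(type, attrs) {
      calls.push({ type, attrs: { ...attrs } });
      return supported.includes(type) ? { type, attrs: { ...attrs } } : null;
    },
  };
}

if (typeof document === 'undefined') {
  // Stand-alone demo on the fake canvas: a copied-in xrCompatible flag is
  // stripped because the app did not ask for XR.
  const fake = makeFakeCanvas();
  const plain = createWebGLContext(fake, { wantXR: false, navigatorLike: {}, base: { xrCompatible: true } });
  console.log('xrCompatible passed?', 'xrCompatible' in plain.attrs); // false
}
```

In a page, `createWebGLContext(document.querySelector('canvas'), { wantXR: false })` gives the ordinary 2D-app path from Comment 3; an app that does offer VR calls `ensureXRCompatible(gl)` from its "Enter VR" handler instead of passing the attribute at creation time, so browsers that mishandle the attribute never see it.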
Comment 7 Sam Sneddon [:gsnedders] 2021-10-13 13:56:37 PDT
> In any case, we and our customers would appreciate an update about when the fix, in whatever form it may take, will be shipped?

Apple does not comment on future releases.

This does, however, appear identical to bug 229309 from the stack; see what Ken said for some detail there.
Comment 8 Will Morgan 2021-10-13 14:43:25 PDT
Sam, I cannot see the content of that bug.
Comment 9 Kenneth Russell 2021-10-13 16:49:36 PDT
I don't have access to Bug 229309 (anymore?) either. :)
Comment 10 Radar WebKit Bug Importer 2021-10-15 04:49:18 PDT
<rdar://problem/84297576>
Comment 11 Dustin Kerstein 2021-10-20 10:34:53 PDT
Would you be able to provide the version number of Safari where this is resolved? I can still replicate this on the latest Safari Technical Preview on https://my.panomoments.com/u/dustinkerstein/m/havana-intersection
Comment 12 Dustin Kerstein 2021-10-20 14:36:58 PDT
FYI, I just upgraded the three.js library on https://my.panomoments.com to r122 and this issue went away (though this unfortunately breaks the WebVR implementation - but I can live with that for now). Just wanted to let you know as you won't be able to replicate with that link above.
Comment 13 Will Morgan 2021-10-21 02:05:49 PDT
This no longer appears to be an issue in the latest beta of Safari (13th October 2021), but knowing when that will be GA and released would still be useful.