Bug 256663 - DFG: toString() returns a function instead of a string
https://bugs.webkit.org/show_bug.cgi?id=256663
Status: NEW
emile
Reported 2023-05-11 14:23:21 PDT
Hi, we hit this very weird bug in our application based on Tauri. It uses Vue and works fine on all major browsers and OSes (including Safari 16.2) apart from newer versions of webkitgtk. We initially got a report from our users about the error: TypeError: e.toString().match is not a function (https://github.com/caido/caido/issues/406).

By trial and error, we saw that it looks like calling [Object].toString() returns a function (namely itself) instead of the actual string representation. But then calling it manually in the inspector doesn't seem to use the same codepath and works correctly, after which if we reload the app it works fine (which is very very weird).

We nailed it down to OSes that had a newer version of libwebkit2gtk-4.0-37, which corresponds to 2.40.0-3. Older versions of Ubuntu were using 2.38.6-0 and did not have this issue. I would blame it on us or Vue if not for the fact that our app works fine with older versions.

It looks like other people have had this issue as well; we found this OSS application where it was reported: https://github.com/baiy/Ctool/issues/234. That might be easier for debugging since our application is not open source.

We tried to do a basic reproduction by basically calling String.toString().match() on a blank page, but we were not able to trigger the bug, so it must be more complex than that. We will continue to investigate, but this is problematic since OSes don't update webkit very often, so this basically prevents Tauri apps from running on a lot of machines.
emile
Comment 1 2023-05-11 14:32:46 PDT
The code that triggers the bug for our application is from Vue: https://github.com/vuejs/core/blob/ab9256a4bbea4ffeb6cacf2d416709c81ab89298/packages/runtime-core/src/componentProps.ts#L599-L602. There doesn't seem to be anything particular about it.
emile
Comment 2 2023-05-11 15:21:43 PDT
I also cross posted to Tauri to get some feedback from the Tauri community if some other devs have seen that bug in their app: https://github.com/tauri-apps/tauri/issues/6949
Michael Catanzaro
Comment 3 2023-05-12 08:48:03 PDT
Try setting the environment variable JavaScriptCoreUseJIT=0. Does the bug still occur? A sure way to figure out when this broke would be to 'git bisect' it. That's going to be slow and won't be easy if you've never built WebKitGTK before, but should be effective.
emile
Comment 4 2023-05-12 11:33:53 PDT
With this environment variable, the error is gone, but I have a different one related to WebAssembly: ReferenceError: Can't find variable WebAssembly. I am guessing wasm isn't available without the JIT? Or maybe the other error is somehow related to our use of wasm.

Yeah, I have like zero idea on how to do that, I will have to check.
Michael Catanzaro
Comment 5 2023-05-12 12:46:29 PDT
(In reply to emile from comment #4)
> I am guessing wasm isn't available without the JIT?

I think so, yes. Now try again with JSC_useDFGJIT=0 and then again with JSC_useFTLJIT=0 and see what happens.

> Yeah I have like zero idea on how to do that, I will have to check.

If you do manage to bisect it, you'll be able to tell us exactly when it broke, which will help a lot.
emile
Comment 6 2023-05-15 08:57:59 PDT
(In reply to Michael Catanzaro from comment #5)
> Now try again with JSC_useDFGJIT=0 and then again with JSC_useFTLJIT=0 and
> see what happens.

With JSC_useDFGJIT=0 it works! No error in the console.
With JSC_useFTLJIT=0, still the same error (TypeError: e.toString().match is not a function).

> If you do manage to bisect it, you'll be able to tell us exactly when it
> broke, which will help a lot.

I need a better setup for that, keeping you posted on it.
Michael Catanzaro
Comment 7 2023-05-15 09:59:38 PDT
JSC has four tiers: interpreter tier, baseline JIT tier, DFG JIT tier, and FTL JIT tier. So now we know your bug is caused by the DFG tier. Your attempts at a simple reproducer failed because the code isn't hot enough to trigger the DFG tier.
emile
Comment 8 2023-05-15 10:25:01 PDT
Yeah, I was reading https://webkit.org/blog/6411/javascriptcore-csi-a-crash-site-investigation-story/ and https://webkit.org/blog/3362/introducing-the-webkit-ftl-jit/. I will try to create a smaller reproduction, because even with bisect it will be annoying to test. I will need to check how DFG considers a path hot, since we added some logging around the toString call and it fails on the first runtime call.
Fujii Hironori
Comment 9 2023-05-15 14:35:40 PDT
JFYI, DFG JIT had a regression (bug#254752, bug#254325).
Michael Catanzaro
Comment 10 2023-05-15 20:34:14 PDT
(In reply to Fujii Hironori from comment #9)
> JFYI, DFG JIT had a regression (bug#254752, bug#254325).

We didn't backport the regression commit (261993@main) to 2.40, so it's certainly not that. (Also, we don't have an army of users complaining that reddit is broken. :)
Michael Catanzaro
Comment 11 2023-05-15 20:38:41 PDT
(In reply to emile from comment #8)
> I will try to create a smaller reproduction, because even with bisect it
> will be annoying to test. I will need to check how DFG considers a path hot,
> since we adding some logging around the toString call and it fails on the
> first runtime call.

If you manage to get a small reproduction, then it will be easy to bisect. I can probably find some time to do that. Crafting the reproducer is the hard part. Good luck.
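Comments 7 and 11 explain why the blank-page attempt in the report never reached the DFG tier and why a small, hot reproducer is what makes a bisect tractable. The harness below is an added example, not code from this thread, from Vue or from WebKit: it models a Vue-style getType() on the code linked in comment 1 (the regex and function shape are assumptions, not a copy), calls it enough times to be compiled by the higher JIT tiers, and checks on every call that ctor.toString() really produced a string. On a correct engine it reports no failures; it does not by itself trigger the bug, it only makes the invariant the report describes checkable under a given JSC_use*JIT setting.

```javascript
// Added harness (not from the bug thread, Vue or WebKit). Models the
// Vue-style prop-type lookup linked in comment 1; regex and shape assumed.
function getType(ctor) {
  // The report says ctor.toString() came back as a function on the
  // affected DFG build, which makes .match throw "is not a function".
  const match = ctor && ctor.toString().match(/^\s*(function|class) (\w+)/);
  return match ? match[2] : ctor === null ? 'null' : '';
}

// Constructed sample inputs of the kinds a prop type can be: built-ins,
// a class, an old-style function constructor and null.
class Widget {}
function legacyCtor() {}
const SAMPLE_CTORS = [String, Number, Boolean, Array, Object, Widget, legacyCtor, null];

// Call getType() repeatedly so the engine tiers it up, validating the
// result type each time. Returns structured results instead of only
// printing, so a bisect script can decide pass/fail from the return value.
function stressGetType(iterations = 200000) {
  const failures = [];
  for (let i = 0; i < iterations; i++) {
    const ctor = SAMPLE_CTORS[i % SAMPLE_CTORS.length];
    let result;
    try {
      result = getType(ctor);
    } catch (err) {
      failures.push({ iteration: i, error: String(err) });
      if (failures.length >= 5) break; // enough evidence, stop early
      continue;
    }
    if (typeof result !== 'string') {
      failures.push({ iteration: i, error: `non-string result: ${typeof result}` });
      if (failures.length >= 5) break;
    }
  }
  return { iterations, failures };
}

// Names a correct engine must produce for the sample constructors.
function expectedNames() {
  return SAMPLE_CTORS.map(getType);
}

const run = stressGetType();
console.log(run.failures.length === 0
  ? `OK: no failure in ${run.iterations} calls`
  : run.failures);
```

Run it in the page (or the inspector) under the environment variable being tested, e.g. JSC_useDFGJIT=0 as in comment 5, and compare the reported failures across settings.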
Radar WebKit Bug Importer
Comment 12 2023-05-18 14:24:42 PDT