Bug 293832: RESOLVED FIXED
Page using wasm-gc ref.test instruction crashes in iOS Safari
https://bugs.webkit.org/show_bug.cgi?id=293832
roberthoodchatham
Reported 2025-05-30 15:00:20 PDT
The following website fails to load in Safari in iOS. It loads fine in Safari on desktop and also in other browsers.
https://pyodide.org/en/0.27.1/console.html

It was fixed by adding these lines that avoid using ref.test in Safari iOS:
https://github.com/python/cpython/blob/main/Python/emscripten_trampoline.c#L74-L77

The version with the fix:
https://pyodide.org/en/0.27.3/console.html
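The workaround the report describes (not using ref.test on iOS Safari), as an added example that is not part of the report and is not the CPython or Pyodide code. The user-agent heuristic, the names `isIOSWebKit` and `loadTypeTest`, and the small constructed module are assumptions made for illustration; the platform check runs before the module is compiled, and `WebAssembly.validate` only covers engines without wasm-gc.

```javascript
// Added example; not CPython's or Pyodide's code. Constructed module, smaller than the
// reproducer: f(i) returns 1 when table entry i is a function of type () -> i32.
const REF_TEST_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // \0asm magic, version 1
  0x01, 0x0a, 0x02,                               // type section, 2 entries
  0x60, 0x00, 0x01, 0x7f,                         //   type 0: () -> i32
  0x60, 0x01, 0x7f, 0x01, 0x7f,                   //   type 1: (i32) -> i32
  0x02, 0x09, 0x01, 0x01, 0x65, 0x01, 0x74,       // import "e" "t" ...
  0x01, 0x70, 0x00, 0x00,                         //   ... a funcref table, min 0
  0x03, 0x02, 0x01, 0x01,                         // one function of type 1
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,       // exported as "f"
  0x0a, 0x0b, 0x01, 0x09, 0x00,                   // code section, one body, no locals
  0x20, 0x00, 0x25, 0x00,                         //   local.get 0; table.get 0
  0xfb, 0x14, 0x00,                               //   ref.test (type 0)
  0x0b,                                           // end
]);

// Assumed heuristic: iPhone/iPad/iPod user agents, plus iPadOS presenting
// itself as a Mac while reporting multi-touch support.
function isIOSWebKit(nav) {
  if (!nav) return false;
  return /iPad|iPhone|iPod/.test(nav.userAgent || "") ||
    (nav.platform === "MacIntel" && (nav.maxTouchPoints || 0) > 1);
}

// Decide which path to take. `test` is the wasm function, or null when the
// caller must use its non-ref.test fallback; `path` records why.
function loadTypeTest(nav, table) {
  // Gate first, so an affected browser never compiles or runs ref.test.
  if (isIOSWebKit(nav)) return { path: "fallback:platform-gate", test: null };
  // Engines without wasm-gc reject the module at validation time.
  if (!WebAssembly.validate(REF_TEST_MODULE)) return { path: "fallback:no-wasm-gc", test: null };
  const mod = new WebAssembly.Module(REF_TEST_MODULE);
  const inst = new WebAssembly.Instance(mod, { e: { t: table } });
  return { path: "ref.test", test: inst.exports.f };
}
```

Logging `path` alongside the user agent makes it possible to see which clients were routed to the fallback and to retire the gate once fixed builds dominate.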
roberthoodchatham
Comment 1 2025-05-30 15:40:27 PDT
I can reproduce the problem
roberthoodchatham
Comment 2 2025-05-30 15:46:56 PDT
Here's a minimalish reproducer:

```
<!doctype html>
<html>
<head>
  <meta charset="UTF-8" />
</head>
<body>
  <div> Result is: </div>
  <div id="result"> </div>
  <script type="module">
    function sleep(ms) {
      return new Promise(res => setTimeout(res, ms));
    }
    // Try to initialize countArgsFunc
    const code = new Uint8Array([
      0x00, 0x61, 0x73, 0x6d, // \0asm magic number
      0x01, 0x00, 0x00, 0x00, // version 1
      0x01, 0x1b, // Type section, body is 0x1b bytes
      0x05, // 5 entries
      0x60, 0x00, 0x01, 0x7f,                   // (type $type0 (func (param) (result i32)))
      0x60, 0x01, 0x7f, 0x01, 0x7f,             // (type $type1 (func (param i32) (result i32)))
      0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,       // (type $type2 (func (param i32 i32) (result i32)))
      0x60, 0x03, 0x7f, 0x7f, 0x7f, 0x01, 0x7f, // (type $type3 (func (param i32 i32 i32) (result i32)))
      0x60, 0x01, 0x7f, 0x00,                   // (type $blocktype (func (param i32) (result)))
      0x02, 0x09, // Import section, 0x9 byte body
      0x01, // 1 import (table $funcs (import "e" "t") 0 funcref)
      0x01, 0x65, // "e"
      0x01, 0x74, // "t"
      0x01, // importing a table
      0x70, // of entry type funcref
      0x00, 0x00, // table limits: no max, min of 0
      0x03, 0x02, // Function section
      0x01, 0x01, // We're going to define one function of type 1 (func (param i32) (result i32))
      0x07, 0x05, // export section
      0x01, // 1 export
      0x01, 0x66, // called "f"
      0x00, // a function
      0x00, // at index 0
      0x0a, 0x44, // Code section, body is 0x44 bytes
      0x01, 0x42, // one entry of length 0x42 (66) bytes
      0x01, 0x01, 0x70, // one local of type funcref
      // Body of the function
      0x20, 0x00, // local.get $fptr
      0x25, 0x00, // table.get $funcs
      0x22, 0x01, // local.tee $fref
      0xfb, 0x14, 0x03, // ref.test $type3
      0x02, 0x04, // block $b (type $blocktype)
      0x45, // i32.eqz
      0x0d, 0x00, // br_if $b
      0x41, 0x03, // i32.const 3
      0x0f, // return
      0x0b, // end block
      0x20, 0x01, // local.get $fref
      0xfb, 0x14, 0x02, // ref.test $type2
      0x02, 0x04, // block $b (type $blocktype)
      0x45, // i32.eqz
      0x0d, 0x00, // br_if $b
      0x41, 0x02, // i32.const 2
      0x0f, // return
      0x0b, // end block
      0x20, 0x01, // local.get $fref
      0xfb, 0x14, 0x01, // ref.test $type1
      0x02, 0x04, // block $b (type $blocktype)
      0x45, // i32.eqz
      0x0d, 0x00, // br_if $b
      0x41, 0x01, // i32.const 1
      0x0f, // return
      0x0b, // end block
      0x20, 0x01, // local.get $fref
      0xfb, 0x14, 0x00, // ref.test $type0
      0x02, 0x04, // block $b (type $blocktype)
      0x45, // i32.eqz
      0x0d, 0x00, // br_if $b
      0x41, 0x00, // i32.const 0
      0x0f, // return
      0x0b, // end block
      0x41, 0x7f, // i32.const -1
      0x0b // end function
    ]);
    const mod = new WebAssembly.Module(code);
    const wasmTable = new WebAssembly.Table({element: "anyfunc", initial: 2});
    const inst = new WebAssembly.Instance(mod, { e: { t: wasmTable } });
    wasmTable.set(0, inst.exports.f);
    const f = inst.exports.f;
    for (let i = 0; i < 10000; i++) {
      document.querySelector("#result").innerText = `${i}: ${f(0)}`;
      if (i % 1000 === 0) {
        await sleep(100);
      }
    }
  </script>
</body>
</html>
```
roberthoodchatham
Comment 3 2025-05-30 15:49:03 PDT
Yusuke Suzuki
Comment 4 2025-06-05 13:51:53 PDT
Likely a dupe of bug 293113 :)
Radar WebKit Bug Importer
Comment 5 2025-06-05 13:51:59 PDT
Yusuke Suzuki
Comment 6 2025-06-05 14:42:49 PDT
Yes, it was a dupe.
Yusuke Suzuki
Comment 7 2025-06-05 14:42:52 PDT
*** This bug has been marked as a duplicate of bug 293113 ***
roberthoodchatham
Comment 8 2025-06-05 14:43:30 PDT
Thanks!