[Webkit-unassigned] [Bug 232662] Multi-threaded WASM App Fails on Webgl 2.0 Context in iOS 15.2 beta and STP 134

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 4 03:22:08 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=232662

--- Comment #3 from Kimmo Kinnunen <kkinnunen at apple.com> ---
Thank you for the report.
It appears to hang somewhere during calls to convert uniform2fv and uniformMatrix4fv arguments via custom JavaScript (?). I'm not an expert on when this would happen in JS or WASM.

In case you have time to debug this more, a more minimal test case would be appreciated. E.g. remove content while still observing the hang, until the hang disappears. Also one strategy could be to console.log before each WebGL call, and see which ones are the last ones that work. Then you could report what kind of object is being passed to WebGL.

If you have a programming stack that compiles some input language to WASM, you could also explain this so that we could try to make a test case using this stack.


 * frame #0: 0x0000000710a001a7 JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WTF::ThreadSafeRefCountedBase::derefBase(this=<unavailable>) const at ThreadSafeRefCounted.h:86:13 [opt]
    frame #1: 0x0000000710a001a1 JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WTF::ThreadSafeRefCounted<JSC::JITCode, (WTF::DestructionThread)0>::deref(this=<unavailable>) const at ThreadSafeRefCounted.h:113 [opt]
    frame #2: 0x0000000710a001a1 JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WTF::DefaultRefDerefTraits<JSC::JITCode>::derefIfNotNull(ptr=0x000000072f513640) at RefPtr.h:42 [opt]
    frame #3: 0x0000000710a0019c JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WTF::RefPtr<JSC::JITCode, WTF::RawPtrTraits<JSC::JITCode>, WTF::DefaultRefDerefTraits<JSC::JITCode> >::~RefPtr(this=<unavailable>) at RefPtr.h:73 [opt]
    frame #4: 0x0000000710a0019c JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WTF::RefPtr<JSC::JITCode, WTF::RawPtrTraits<JSC::JITCode>, WTF::DefaultRefDerefTraits<JSC::JITCode> >::~RefPtr(this=<unavailable>) at RefPtr.h:73 [opt]
    frame #5: 0x0000000710a0019c JavaScriptCore`JSC::Interpreter::executeCall(this=<unavailable>, lexicalGlobalObject=<unavailable>, function=0x000000073671f580, callData=<unavailable>, thisValue=<unavailable>, args=0x00007ffeef4921d8) at Interpreter.cpp:970 [opt]
    frame #6: 0x0000000710d5846f JavaScriptCore`JSC::iteratorNext(globalObject=0x00000007161e8468, iterationRecord=IterationRecord @ 0x00007fc931cfe7e0, argument=JSValue @ scalar) at IteratorOperations.cpp:51:22 [opt]
    frame #7: 0x0000000710d5af98 JavaScriptCore`JSC::iteratorStep(globalObject=0x00000007161e8468, iterationRecord=<unavailable>) at IteratorOperations.cpp:76:22 [opt]
    frame #8: 0x000000070acba467 WebCore`void JSC::forEachInIterable<WebCore::Detail::GenericSequenceConverter<WebCore::IDLUnrestrictedFloat>::convert(JSC::JSGlobalObject&, JSC::JSObject*, JSC::JSValue, WTF::Vector<float, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)::'lambda'(JSC::VM&, JSC::JSGlobalObject&, JSC::JSValue)>(globalObject=0x00000007161e8468, iterable=<unavailable>, iteratorMethod=<unavailable>, callback=0x00007ffeef4922f8) at IteratorOperations.h:129:24 [opt]
    frame #9: 0x000000070acb9f5d WebCore`WebCore::Detail::NumericSequenceConverter<WebCore::IDLUnrestrictedFloat>::convert(lexicalGlobalObject=0x00000007161e8468, object=0x000000071c5f7ea0, method=JSValue @ r15) at IndexingHeader.h:0:54 [opt]
    frame #10: 0x000000070acb9ca0 WebCore`WebCore::Converter<WebCore::IDLUnion<WebCore::IDLAllowSharedAdaptor<WebCore::IDLFloat32Array>, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> > >::convert(JSC::JSGlobalObject&, JSC::JSValue) [inlined] WebCore::Detail::SequenceConverter<WebCore::IDLUnrestrictedFloat>::convert(lexicalGlobalObject=0x00000007161e8468, object=<unavailable>, method=JSValue @ r12) at JSDOMConvertSequences.h:323:16 [opt]
    frame #11: 0x000000070acb9c92 WebCore`WebCore::Converter<WebCore::IDLUnion<WebCore::IDLAllowSharedAdaptor<WebCore::IDLFloat32Array>, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> > >::convert(JSC::JSGlobalObject&, JSC::JSValue) [inlined] WebCore::Converter<WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> >::convert(lexicalGlobalObject=0x00000007161e8468, object=<unavailable>, method=JSValue @ r12) at JSDOMConvertSequences.h:369 [opt]
    frame #12: 0x000000070acb9c92 WebCore`WebCore::Converter<WebCore::IDLUnion<WebCore::IDLAllowSharedAdaptor<WebCore::IDLFloat32Array>, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> > >::convert(JSC::JSGlobalObject&, JSC::JSValue) [inlined] WebCore::ConditionalSequenceConverter<std::__1::variant<WTF::RefPtr<JSC::GenericTypedArrayView<JSC::Float32Adaptor>, WTF::RawPtrTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> >, WTF::DefaultRefDerefTraits<JSC::GenericTypedArrayView<JSC::Float32Adaptor> > >, WTF::Vector<float, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat>, true>::convert(lexicalGlobalObject=0x00000007161e8468, object=<unavailable>, method=JSValue @ r12) at JSDOMConvertUnion.h:86 [opt]
    frame #13: 0x000000070acb9c92 WebCore`WebCore::Converter<WebCore::IDLUnion<WebCore::IDLAllowSharedAdaptor<WebCore::IDLFloat32Array>, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> > >::convert(lexicalGlobalObject=0x00000007161e8468, value=JSValue @ 0x00007ffeef492368) at JSDOMConvertUnion.h:310 [opt]
    frame #14: 0x000000070acc172f WebCore`WebCore::jsWebGL2RenderingContextPrototypeFunction_uniformMatrix4fv1Body(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*) [inlined] WebCore::Converter<WebCore::IDLUnion<WebCore::IDLAllowSharedAdaptor<WebCore::IDLFloat32Array>, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> > >::ReturnType WebCore::convert<WebCore::IDLUnion<WebCore::IDLAllowSharedAdaptor<WebCore::IDLFloat32Array>, WebCore::IDLSequence<WebCore::IDLUnrestrictedFloat> > >(lexicalGlobalObject=0x00000007161e8468, value=JSValue @ 0x00007ffeef492450) at JSDOMConvertBase.h:61:12 [opt]
    frame #15: 0x000000070acc1720 WebCore`WebCore::jsWebGL2RenderingContextPrototypeFunction_uniformMatrix4fv1Body(lexicalGlobalObject=0x00000007161e8468, callFrame=0x00007ffeef492620, castedThis=<unavailable>) at JSWebGL2RenderingContext.cpp:8620 [opt]
    frame #16: 0x000000070ac988b4 WebCore`WebCore::jsWebGL2RenderingContextPrototypeFunction_uniformMatrix4fv(JSC::JSGlobalObject*, JSC::CallFrame*) [inlined] WebCore::jsWebGL2RenderingContextPrototypeFunction_uniformMatrix4fvOverloadDispatcher(lexicalGlobalObject=0x00000007161e8468, callFrame=0x00007ffeef492620, castedThis=<unavailable>) at JSDOMConvertNullable.h:0:13 [opt]
    frame #17: 0x000000070ac9885c WebCore`WebCore::jsWebGL2RenderingContextPrototypeFunction_uniformMatrix4fv(JSC::JSGlobalObject*, JSC::CallFrame*) [inlined] long long WebCore::IDLOperation<WebCore::JSWebGL2RenderingContext>::call<&(lexicalGlobalObject=0x00000007161e8468, callFrame=0x00007ffeef492620, operationName=<unavailable>)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) at JSDOMOperation.h:63 [opt]
    frame #18: 0x000000070ac98857 WebCore`WebCore::jsWebGL2RenderingContextPrototypeFunction_uniformMatrix4fv(lexicalGlobalObject=0x00000007161e8468, callFrame=0x00007ffeef492620) at JSWebGL2RenderingContext.cpp:12759 [opt]
    frame #19: 0x00003496058011d8
    frame #20: 0x00000007102ca2f9 JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1177
    frame #21: 0x00003496063e4713
    frame #22: 0x0000349607040dbc
    frame #23: 0x000034960704100c
    frame #24: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #25: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #26: 0x00000007102d24be JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:803
    frame #27: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #28: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #29: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #30: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #31: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #32: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #33: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
    frame #34: 0x00000007102d1a1c JavaScriptCore`wasmLLIntPCRangeStart at WebAssembly.asm:812
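
The instrumentation suggested in the comment above (log before each WebGL call, then report what kind of object the last call received), written out as an added example; this is not code from the bug report or from WebKit. The stack trace shows the hang inside the IDL union converter for `Float32Array or sequence<unrestricted float>`: a `Float32Array` (shared-buffer backed or not) is consumed directly, while any other iterable is walked with the JS iterator protocol, which calls back into script from inside the binding (frames #5 to #8). The wrapper below therefore records, for every argument, whether it takes the typed-array path or the sequence path. `FakeGL` is a constructed stand-in for `WebGL2RenderingContext.prototype` so the snippet runs outside a browser; in a page you would pass the real prototype and call this before the app obtains its `webgl2` context.

```javascript
// Added example (not WebKit or bug-report code): wrap WebGL2 entry points so the
// last logged line is the call that hangs, and so argument kinds are visible.

// Classify one argument the way the WebKit IDL union converter would see it:
// typed arrays go straight through, any other iterable goes through the
// sequence<unrestricted float> path, which invokes the object's iterator in JS.
function describeArg(arg) {
  if (arg === null || arg === undefined) return String(arg);
  if (ArrayBuffer.isView(arg)) {
    const shared =
      typeof SharedArrayBuffer !== 'undefined' && arg.buffer instanceof SharedArrayBuffer
        ? ' (SharedArrayBuffer)'
        : '';
    return `${arg.constructor.name}[${arg.length}]${shared}`;
  }
  if (Array.isArray(arg)) return `Array[${arg.length}]`;
  if (typeof arg === 'object' && typeof arg[Symbol.iterator] === 'function') {
    const ctor = arg.constructor ? arg.constructor.name : 'object';
    return `iterable:${ctor} (sequence path, calls back into JS)`;
  }
  if (typeof arg === 'object') return `object:${arg.constructor ? arg.constructor.name : 'object'}`;
  return typeof arg;
}

// Replace each named method on `proto` with a wrapper that logs BEFORE
// delegating, so a hang inside the binding leaves the culprit as the last line.
// Returns the structured call record for later inspection.
function instrumentWebGL(proto, methodNames, sink) {
  const calls = [];
  for (const name of methodNames) {
    const original = proto[name];
    if (typeof original !== 'function') continue;
    proto[name] = function (...args) {
      const entry = { name, args: args.map(describeArg) };
      calls.push(entry);
      sink(`${name}(${entry.args.join(', ')})`);
      return original.apply(this, args);
    };
  }
  return calls;
}

// Constructed stand-in for WebGL2RenderingContext.prototype (assumption: the
// real one is used in the browser, e.g. instrumentWebGL(WebGL2RenderingContext.prototype, ...)).
const FakeGL = {
  uniform2fv() {},
  uniformMatrix4fv() {},
  drawArrays() {},
};

const calls = instrumentWebGL(FakeGL, ['uniform2fv', 'uniformMatrix4fv', 'drawArrays'], console.log);

// Constructed sample calls covering the three argument kinds the converter distinguishes.
FakeGL.uniformMatrix4fv(null, false, new Float32Array(16));   // typed-array path
FakeGL.uniform2fv(null, [0.5, 0.25]);                          // plain Array: sequence path
FakeGL.uniform2fv(null, { *[Symbol.iterator]() { yield 1; yield 2; } }); // custom iterator: sequence path
```

In the real page, install the wrappers before the WASM module runs so the pthreads runtime and any glue that forwards uniform data are covered too; an argument reported as `iterable:...` is the kind of object worth attaching to the bug, since that is the path on which the trace shows the interpreter re-entering JS.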
