[Webkit-unassigned] [Bug 231364] Crash on iOS Safari wasm - two references to the same object return different values from trivial accessor for a primitive field.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 12 15:04:27 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=231364

--- Comment #2 from Paris Morgan <paris at 8thwall.com> ---
Sure, here a link to a repro: https://8w.8thwall.app/safari-memory-bug. I've run it on an iPhone 12 Pro running iOS 15.0.1 and an iPhone 6S Plus running iOS 14.8.

You should accept camera permissions and then wave the phone around for ~5 seconds to trigger the crash, upon which you'll see a screen saying "Oops, something went wrong!". If you connect to Safari and look at console logs you can then see logs. I've slightly modified the code above to instead be:
```
void f() {
  ...
  auto &o1 = objs_.at(idx);
  ...
  auto &o2 = objs_.at(idx);
  ....
  printf("     (1) First we check if o1 and o2 have the same address but different values:\n");
  if (std::addressof(o1) == std::addressof(o2) && o1.id() != o2.id()) {
    printf("     (1) Same address but different values! o1: %p, o1.id(): %u | o2: %p, o2.id(): %u\n", &o1, o1.id(), &o2, o2.id());
  } else if (std::addressof(o1) == std::addressof(o2)) {
    printf("     (1) Same address and same values. o1: %p, o1.id(): %u | o2: %p, o2.id(): %u\n", &o1, o1.id(), &o2, o2.id());
  }

  printf("     (2) Now lets print out the addresses and ids of o1 and o2:\n");
  printf("     (2) o1: %p, o1.id(): %u | o2: %p, o2.id(): %u\n", &o1, o1.id(), &o2, o2.id());

  printf("     (3) Now check again if o1 and o2 have the same address but different values:\n");
  if (std::addressof(o1) == std::addressof(o2) && o1.id() != o2.id()) {
    printf("     (3) Same address but different values! o1: %p, o1.id(): %u | o2: %p, o2.id(): %u\n", &o1, o1.id(), &o2, o2.id());
  } else if (std::addressof(o1) == std::addressof(o2)) {
    printf("     (3) Same address and same values. o1: %p, o1.id(): %u | o2: %p, o2.id(): %u\n", &o1, o1.id(), &o2, o2.id());
  }
```
The result is that on the camera frame that crashes you will see:
```
(1) First we check if o1 and o2 have the same address but different values:
(1) Same address and same values. o1: 0xb392d8, o1.id(): 4240949120 | o2: 0xb392d8, o2.id(): 4240949120
(2) Now lets print out the addresses and ids of o1 and o2:
(2) o1: 0xb392d8, o1.id(): 4240949120 | o2: 0xb392d8, o2.id(): 0
(3) Now check again if o1 and o2 have the same address but different values:
(3) Same address but different values! o1: 0xb392d8, o1.id(): 4240949120 | o2: 0xb392d8, o2.id(): 0
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211012/e6f7876d/attachment.htm>

More information about the webkit-unassigned mailing list