[Webkit-unassigned] [Bug 250558] New: texSubImage2D crashed on iOS16 + WebGL2 + large WASM memory

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 13 03:29:05 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=250558

            Bug ID: 250558
           Summary: texSubImage2D crashed on iOS16 + WebGL2 + large WASM
                    memory
           Product: WebKit
           Version: WebKit Local Build
          Hardware: iPhone / iPad
                OS: iOS 16
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebGL
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fuyoucheng at gmail.com
                CC: dino at apple.com, kbr at google.com, kkinnunen at apple.com

How to reproduce:
1. Create a new Unity WebGL project with an empty scene,
2. Set the graphics API to WebGL2,
3. Set the WASM initial memory to a large size (by adding "-s TOTAL_MEMORY=768MB" to PlayerSettings.WebGL.emscriptenArgs),
4. Build and load with Safari on an iPhone 12 with iOS 16,
5. Safari reports an error when loading.

Root cause:
Unity calls texSubImage2D during initialization; Safari reports an error when invoking this API due to insufficient memory.
But that texture is 4*4 RGBA UNSIGNED_BYTE, which should not cause any memory pressure.
When looking into WebGL2RenderingContext::texSubImage2D in the WebKit source code, we found:
In WebGLRenderingContextBase::texImageArrayBufferViewHelper, the variable 'data' created by WebGLRenderingContextBase::validateTexFuncData has an incorrect value.
data.m_bufSize ought to be the pixel data length, but is actually assigned the arrayBuffer (whole WASM memory) length minus the pixel data offset, which is much larger.
Then later in IPC::Encoder::encodeFixedLengthData, the encoder buffer grows by this large size and leads to memory issues.
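The size mix-up described in the report, as an added example that is not code from WebKit, Unity or the reporter. It models a WASM heap as one ArrayBuffer and a 4x4 RGBA texture as a small Uint8Array view into it, then computes the upload size two ways: from the view (correct) and from the underlying buffer (what the report says validateTexFuncData did). The heap size, the pixel offset, the UNPACK_ALIGNMENT of 1 and the copy-out workaround at the end are assumptions made for this illustration; the example runs in Node without a GPU.

```javascript
// Added example, not code from WebKit or Unity. It models the size
// computation the report describes so the failure can be seen without a GPU:
// a WASM heap is a single ArrayBuffer, and the engine hands texSubImage2D a
// small typed-array view into that heap. The upload size must come from the
// view (and srcOffset), never from the heap the view happens to live in.

// Scaled-down stand-in for a 768 MB WASM heap (constructed; 64 MiB keeps the
// example cheap to run while preserving the mismatch that matters).
const HEAP_BYTES = 64 * 1024 * 1024;
// Assumed location of the 4x4 RGBA texel block inside the heap.
const PIXEL_OFFSET = 1024 * 1024;
const TEX_WIDTH = 4, TEX_HEIGHT = 4;
const BYTES_PER_RGBA8_PIXEL = 4;

// Bytes a tightly packed RGBA/UNSIGNED_BYTE upload needs
// (UNPACK_ALIGNMENT is assumed to be 1 for this illustration).
function requiredBytes(width, height) {
  return width * height * BYTES_PER_RGBA8_PIXEL;
}

// Correct size: bytes covered by the view from srcOffset (in elements) onward.
function bufSizeFromView(view, srcOffset = 0) {
  return view.byteLength - srcOffset * view.BYTES_PER_ELEMENT;
}

// The size the report says validateTexFuncData produced: from the view's
// byte offset to the end of the *whole* ArrayBuffer, i.e. almost the entire
// WASM heap for a view that starts near its beginning.
function bufSizeFromBuffer(view, srcOffset = 0) {
  return view.buffer.byteLength - view.byteOffset - srcOffset * view.BYTES_PER_ELEMENT;
}

// Stand-in for validateTexFuncData: checks the view holds enough texels and
// returns the byte count that would be handed to the IPC encoder, which then
// grows its buffer by that amount (encodeFixedLengthData in the report).
function validateTexFuncData(view, srcOffset, width, height, { buggy = false } = {}) {
  const need = requiredBytes(width, height);
  const bufSize = buggy ? bufSizeFromBuffer(view, srcOffset) : bufSizeFromView(view, srcOffset);
  if (bufSize < need) {
    throw new RangeError(`ArrayBufferView not big enough: need ${need}, have ${bufSize}`);
  }
  return bufSize;
}

// Application-side workaround (an assumption, not something the report
// suggests): copy the texels out of the heap into a typed array that owns a
// buffer of exactly the right size, so even a buffer-based size computation
// sees only the pixel data. TypedArray.prototype.slice allocates a fresh buffer.
function detachedPixelCopy(view, srcOffset, width, height) {
  const need = requiredBytes(width, height);
  return view.slice(srcOffset, srcOffset + need / view.BYTES_PER_ELEMENT);
}

// Runs the variants against the simulated heap and returns the sizes.
function demo() {
  const heap = new ArrayBuffer(HEAP_BYTES);
  const texels = new Uint8Array(heap, PIXEL_OFFSET, requiredBytes(TEX_WIDTH, TEX_HEIGHT));
  texels.fill(0xff); // opaque white 4x4 texture (constructed data)

  const correct = validateTexFuncData(texels, 0, TEX_WIDTH, TEX_HEIGHT);
  const buggy = validateTexFuncData(texels, 0, TEX_WIDTH, TEX_HEIGHT, { buggy: true });

  const copy = detachedPixelCopy(texels, 0, TEX_WIDTH, TEX_HEIGHT);
  const copyEvenIfBuggy = validateTexFuncData(copy, 0, TEX_WIDTH, TEX_HEIGHT, { buggy: true });

  return { correct, buggy, copyEvenIfBuggy, copyOwnsBuffer: copy.buffer !== heap };
}

console.log(demo());
```

With the 64 MiB stand-in heap the view-based size is 64 bytes while the buffer-based size is 63 MiB; with a real 768 MB heap the second number is what the IPC encoder would try to grow its buffer by for a 4x4 texture. The copy-out workaround makes the two computations agree at 64 bytes because the copied view's buffer is exactly the pixel data.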
