[Webkit-unassigned] [Bug 275160] REGRESSION (iOS 17.5): Method call silently fails since iOS 17.5/ MacOS 14.5 after a warmup period

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 6 02:00:54 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=275160

Jarred Sumner <jarred at jarredsumner.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jarred at jarredsumner.com

--- Comment #3 from Jarred Sumner <jarred at jarredsumner.com> ---
Possibly caused by https://bugs.webkit.org/show_bug.cgi?id=272107, based on this diff between https://github.com/oven-sh/WebKit/compare/autobuild-2475726ed0329ab2d2a92daf73e12ee1e485d575...autobuild-e3a2d89a0b1644cc8d5c245bd2ffee4d4bd6c1d5

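This bug reproduces starting in Bun v1.1.2, and in the jsc shell. In the v1.1.2 run below, `success` stops at 331 while `fail` keeps growing; the v1.1.1 run never records a failure.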


```
❯ bun-1.1.2 repero.js
{"success":331,"fail":169}
{"success":331,"fail":669}
{"success":331,"fail":1169}
{"success":331,"fail":1669}
{"success":331,"fail":2169}
{"success":331,"fail":2669}
{"success":331,"fail":3169}
{"success":331,"fail":3669}
{"success":331,"fail":4169}
{"success":331,"fail":4669}
{"success":331,"fail":5169}
{"success":331,"fail":5669}
{"success":331,"fail":6169}
{"success":331,"fail":6669}
{"success":331,"fail":7169}
{"success":331,"fail":7669}
{"success":331,"fail":8169}
{"success":331,"fail":8669}
{"success":331,"fail":9169}                        
```

```
❯ bun-1.1.1 repero.js
{"success":500,"fail":0}
{"success":1000,"fail":0}
{"success":1500,"fail":0}
{"success":2000,"fail":0}
{"success":2500,"fail":0}
{"success":3000,"fail":0}
{"success":3500,"fail":0}
{"success":4000,"fail":0}
{"success":4500,"fail":0}
{"success":5000,"fail":0}
{"success":5500,"fail":0}
{"success":6000,"fail":0}
{"success":6500,"fail":0}
{"success":7000,"fail":0}
{"success":7500,"fail":0}
{"success":8000,"fail":0}
{"success":8500,"fail":0}
{"success":9000,"fail":0}
{"success":9500,"fail":0}
```


Code that runs in the jsc shell and in Bun, without Safari:

```
// Fallback for hosts that lack a console object or console.log: create the
// object if needed and route console.log to the shell's built-in print().
// Hosts that already provide console.log are left untouched, and print is
// only looked up when the fallback is actually needed.
if (globalThis.console == null) {
  globalThis.console = {};
}
if (console.log == null) {
  console.log = print;
}

// Callback most recently registered through requestAnimationFrame(); it stays
// undefined until the first registration.
var cb;

// Hosts without a native setInterval get a minimal stand-in built on
// setTimeout: every tick re-arms itself first and then runs the callback.
// The stand-in returns no timer id, so the interval cannot be cancelled.
if (!globalThis.setInterval) {
  globalThis.setInterval = function setInterval(cb, ms) {
    const tick = () => {
      setTimeout(tick, ms);
      if (cb) {
        cb();
      }
    };

    setTimeout(tick, ms);
  };
}

/**
 * Stand-in for the browser's requestAnimationFrame: it only records the
 * callback in the shared `cb` variable, and the 16 ms interval below is what
 * actually invokes it. Unlike the browser API, no request id is returned and
 * the callback stays registered until another one replaces it.
 *
 * @param {Function} callback - function to run on the next interval ticks
 */
function requestAnimationFrame(callback) {
  cb = callback;
}

// Drive the registered callback roughly every 16 ms; ticks that fire before
// the first registration do nothing.
setInterval(function runRegisteredCallback() {
  if (cb) {
    cb();
  }
}, 16);

/**
 * Copies `count` records of `size` bytes each from one ArrayBuffer to another,
 * one 32-bit word at a time, through Uint32Array views.
 *
 * The function does no bounds validation of its own: it relies entirely on the
 * engine's typed-array semantics. By the language rules a read past the end of
 * `source_buffer` evaluates to undefined (stored into a Uint32Array as 0) and
 * a store past the end of `target_buffer` is ignored, so no access here may
 * touch memory outside the two buffers.
 *
 * NOTE(review): this is the hot loop of the reproduction; the code is left
 * exactly as posted because the regression may depend on its shape.
 *
 * @param {object} args
 * @param {number} args.count - number of records to copy
 * @param {number} args.size - bytes per record; `size / 4` words are copied
 * @param {ArrayBuffer} args.srcBuffer - buffer to read from
 * @param {number} args.srcOffset - byte offset of the source view
 * @param {number} args.srcStride - bytes between consecutive source records
 * @param {ArrayBuffer} args.tgtBuffer - buffer to write to
 * @param {number} args.tgtOffset - byte offset of the target view
 * @param {number} args.tgtStride - bytes between consecutive target records
 */
function copyFromSrcToTgt({
  count,
  size,
  srcBuffer,
  srcOffset,
  srcStride,
  tgtBuffer,
  tgtOffset,
  tgtStride,
}) {
  // Views start at the given byte offsets and run to the end of each buffer.
  const source_buffer = new Uint32Array(srcBuffer, srcOffset);
  const target_buffer = new Uint32Array(tgtBuffer, tgtOffset);

  for (let v = 0; v < count; v++) {
    // Strides are in bytes; dividing by 4 turns them into word indices.
    // The callers in this script pass 12 and 24, so the bases are integers.
    const src_base = (v * srcStride) / 4;
    const tgt_base = (v * tgtStride) / 4;
    for (let k = 0; k < size / 4; k++) {
      // Neither index is checked against the view length here.
      target_buffer[tgt_base + k] = source_buffer[src_base + k];
    }
  }
}
// Test data, set 1: 500 Float32Arrays whose lengths alternate between 900
// (even i) and 810 (odd i), so the two buffers of each consecutive pair differ
// in length. Every element is filled with i + 1, i.e. never zero.
let buffersNotAligned = [];
for (let i = 0; i < 500; i++) {
  let typedBuffer = new Float32Array(i % 2 === 0 ? 900 : 810);
  typedBuffer.fill(i + 1);
  buffersNotAligned.push(typedBuffer);
}

// Test data, set 2: 500 Float32Arrays that all have length 900, filled the
// same way. Pairs from this set never cause an out-of-range read.
let buffersAligned = [];
for (let i = 0; i < 500; i++) {
  let typedBuffer = new Float32Array(900);
  typedBuffer.fill(i + 1);
  buffersAligned.push(typedBuffer);
}
// Running totals over all pairs checked so far; updated by doCopyOperation.
let success = 0;
let fail = 0;
/**
 * Interleaves each consecutive pair of buffers into a fresh destination array
 * and records whether the result looks right.
 *
 * For every pair, records of 3 floats (12 bytes) from buffer1 go to byte
 * offsets 0, 24, 48, ... of the destination and records from buffer2 go to
 * offsets 12, 36, 60, ... The check afterwards looks only at dstBuffer[0],
 * which the first copy takes from buffer1[0]. The buffers built in this script
 * are filled with non-zero values, so a zero there means the in-bounds copy
 * from buffer1 did not produce the expected value.
 *
 * Assumes `buffers` holds an even number of entries, as both sets in this
 * script do. Increments the module-level `success` / `fail` counters.
 *
 * @param {Float32Array[]} buffers - buffers to process two at a time
 */
function doCopyOperation(buffers) {
  for (let i = 0; i < buffers.length; i += 2) {
    let buffer1 = buffers[i];
    let buffer2 = buffers[i + 1];
    // Freshly allocated, so every element starts as 0.
    let dstBuffer = new Float32Array(
      2 * Math.max(buffer1.length, buffer2.length)
    );
    // First copy: stays within buffer1, since count is derived from its length.
    copyFromSrcToTgt({
      count: buffer1.length / 3,
      size: 3 * 4, // byte size of 3 float 32
      srcBuffer: buffer1.buffer,
      tgtBuffer: dstBuffer.buffer,
      srcOffset: 0,
      srcStride: 12,
      tgtOffset: 0,
      tgtStride: 24,
    });
    copyFromSrcToTgt({
      // This is a deliberate mistake so that we can go out of bound for buffer2, which should yield undefined values
      // using buffer2.length instead fixes the problem but the sample has been made to showcase the issue
      // Going out of bound works fine on Win, Linux and Android, was also working fine on MacOS before 14.5 and iOS before 17.5
      // It also works fine on current MacOS and iOS for a period
      //
      // With the mixed-length set, buffer1 has 900 elements (300 records) and
      // buffer2 has 810 (270 records), so the last 30 records read indices
      // 810..899 of buffer2, which do not exist. The destination indices stay
      // in range in both sets.
      // NOTE(review): an out-of-range typed-array read must never return data
      // from outside the buffer. The report itself only shows in-bounds data
      // going missing after warm-up; whether anything else is affected is not
      // established here.
      count: buffer1.length / 3,
      size: 3 * 4, // byte size of 3 float 32
      srcBuffer: buffer2.buffer,
      tgtBuffer: dstBuffer.buffer,
      srcOffset: 0,
      srcStride: 12,
      tgtOffset: 12,
      tgtStride: 24,
    });
    // dstBuffer[0] was written by the first (fully in-bounds) copy.
    if (dstBuffer[0] === 0) {
      fail++;
    } else {
      success++;
    }
  }
}
/**
 * One iteration of the reproduction: runs the copy check over both buffer
 * sets (250 pairs each, 500 checks per call), prints the running totals as
 * one JSON line, and re-registers itself for the next tick.
 *
 * Once either counter exceeds 1e6 the function returns without re-registering.
 * NOTE(review): the requestAnimationFrame stand-in in this script never clears
 * its stored callback, so the interval appears to keep calling this function
 * after that early return as well.
 */
function doOperation() {
  // This fails after a warm up period
  doCopyOperation(buffersNotAligned);
  // This should always work, but also starts failing after a warm up period, if the previous line is commented, this never fails
  doCopyOperation(buffersAligned);
  console.log(
    JSON.stringify({
      success,
      fail,
    })
  );
  if (success > 1e6 || fail > 1e6) {
    return;
  }
  requestAnimationFrame(doOperation);
}
// Register the first iteration; the 16 ms interval picks it up from there.
requestAnimationFrame(doOperation);
```
