Bug 250558

Summary: texSubImage2D crashed on iOS16 + WebGL2 + large WASM memory
Product: WebKit Reporter: fuyoucheng
Component: WebGL Assignee: Kimmo Kinnunen <kkinnunen>
Status: RESOLVED FIXED    
Severity: Normal CC: dino, kbr, kkinnunen, ruba.merza, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: iPhone / iPad   
OS: iOS 16   

Description fuyoucheng 2023-01-13 03:29:05 PST
How to reproduce:
1. Create a new Unity WebGL project with an empty scene,
2. Set the graphics API to WebGL2,
3. Set the WASM initial memory to a large size (by adding "-s TOTAL_MEMORY=768MB" to PlayerSettings.WebGL.emscriptenArgs),
4. Build and load with Safari on an iPhone 12 with iOS 16,
5. Safari reports an error when loading.

Root cause:
Unity calls texSubImage2D during initialization, and Safari reports an error when invoking this API due to insufficient memory.
But that texture is 4*4 RGBA UNSIGNED_BYTE, which should not cause any memory pressure.
When looking into WebGL2RenderingContext::texSubImage2D in the WebKit source code, we found:
In WebGLRenderingContextBase::texImageArrayBufferViewHelper, the variable 'data' created by WebGLRenderingContextBase::validateTexFuncData has an incorrect value.
data.m_bufSize ought to be the pixel data length, but is actually assigned as the arrayBuffer (whole WASM memory) length - pixel data offset, which is much larger.
Then later in IPC::Encoder::encodeFixedLengthData, the encoder buffer grows by this large size and leads to a memory issue.
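The size mismatch described in the report can be made concrete without a GPU: the bytes a texSubImage2D upload actually needs follow from width, height, format, type and UNPACK_ALIGNMENT, while the "remainder of the view" is whatever happens to sit after srcOffset. The following is an added, stand-alone example (not WebKit code and not Unity's loader); it models the unpack size computation with the standard padded-row formula, shows the difference between the correct pixel-data length and the remainder length the report describes, and returns an exact-length subarray that an application can pass to texSubImage2D so a browser-side miscalculation has nothing extra to copy. The WebGL enum values are the standard ones; the 1 MiB ArrayBuffer standing in for WASM memory and the 4096-byte offset are constructed sample values.

```javascript
// Standard WebGL enum values (same numbers a WebGLRenderingContext exposes).
const GL = {
  RGB: 0x1907, RGBA: 0x1908,
  UNSIGNED_BYTE: 0x1401, FLOAT: 0x1406,
  UNSIGNED_SHORT_4_4_4_4: 0x8033, UNSIGNED_SHORT_5_6_5: 0x8363,
};

// Bytes per pixel for the format/type pairs handled here (a subset of WebGL's table).
function bytesPerPixel(format, type) {
  if (type === GL.UNSIGNED_SHORT_5_6_5 && format === GL.RGB) return 2;
  if (type === GL.UNSIGNED_SHORT_4_4_4_4 && format === GL.RGBA) return 2;
  const components = { [GL.RGB]: 3, [GL.RGBA]: 4 }[format];
  const perComponent = { [GL.UNSIGNED_BYTE]: 1, [GL.FLOAT]: 4 }[type];
  if (components === undefined || perComponent === undefined) {
    throw new Error(`unsupported format/type pair ${format}/${type}`);
  }
  return components * perComponent;
}

// Bytes GL reads for a width x height image under UNPACK_ALIGNMENT:
// every row but the last is padded to the alignment, the last row is not.
function requiredPixelBytes(width, height, format, type, unpackAlignment = 4) {
  if (width <= 0 || height <= 0) return 0;
  const rowBytes = width * bytesPerPixel(format, type);
  const paddedRow = Math.ceil(rowBytes / unpackAlignment) * unpackAlignment;
  return paddedRow * (height - 1) + rowBytes;
}

// Model of the validation a WebGL2 texSubImage2D(... srcData, srcOffset) call needs.
// srcOffset is in elements of the view, as in the WebGL2 API, so it is scaled
// by BYTES_PER_ELEMENT. `remainder` is what the report says WebKit used instead
// of `required` as the buffer size.
function checkTexSubImageData(view, srcOffset, width, height, format, type, unpackAlignment = 4) {
  const byteOffset = srcOffset * view.BYTES_PER_ELEMENT;
  const required = requiredPixelBytes(width, height, format, type, unpackAlignment);
  const remainder = view.byteLength - byteOffset;
  return { required, remainder, ok: byteOffset >= 0 && remainder >= required };
}

// Defensive pattern for an application: hand the browser a view that covers
// exactly the pixel data instead of a view over the whole WASM heap plus an offset.
function exactPixelView(view, srcOffset, width, height, format, type, unpackAlignment = 4) {
  const { required, ok } = checkTexSubImageData(view, srcOffset, width, height, format, type, unpackAlignment);
  if (!ok) throw new Error(`view too small: need ${required} bytes after offset`);
  const bytes = new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
  const start = srcOffset * view.BYTES_PER_ELEMENT;
  return bytes.subarray(start, start + required);
}

// Constructed sample: a 1 MiB buffer stands in for the WASM heap, and the
// 4x4 RGBA UNSIGNED_BYTE texture from the report sits 4096 bytes into it.
function demo() {
  const wasmMemory = new ArrayBuffer(1 << 20);
  const heap = new Uint8Array(wasmMemory);
  const pixelOffset = 4096;
  const report = checkTexSubImageData(heap, pixelOffset, 4, 4, GL.RGBA, GL.UNSIGNED_BYTE);
  const exact = exactPixelView(heap, pixelOffset, 4, 4, GL.RGBA, GL.UNSIGNED_BYTE);
  // With a 768 MB heap the `remainder` figure is what the encoder would grow by.
  return { ...report, exactLength: exact.byteLength };
}

module.exports = { GL, bytesPerPixel, requiredPixelBytes, checkTexSubImageData, exactPixelView, demo };
```

Running `demo()` reports `required: 64` against a `remainder` of roughly a mebibyte; scaled to the 768 MB heap in the report, that remainder is the amount the encoder tried to reserve for a 64-byte upload. The `exactPixelView` helper is the application-side mitigation: a subarray whose byteLength equals the pixel data length cannot be over-read by any length computation that works from the view's size.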
Comment 1 Radar WebKit Bug Importer 2023-01-16 12:38:23 PST
<rdar://problem/104305743>
Comment 2 Kimmo Kinnunen 2023-02-01 00:38:28 PST
*** Bug 250862 has been marked as a duplicate of this bug. ***
Comment 3 Kimmo Kinnunen 2023-02-01 00:38:48 PST
See bug 250558 for a test case
Comment 4 Kimmo Kinnunen 2023-02-01 06:51:29 PST
Pull request: https://github.com/WebKit/WebKit/pull/9451
Comment 5 EWS 2023-02-02 00:40:03 PST
Committed 259742@main (905fdd75fe5d): <https://commits.webkit.org/259742@main>

Reviewed commits have been landed. Closing PR #9451 and removing active labels.
Comment 6 Kimmo Kinnunen 2023-05-22 01:23:18 PDT
The fix shipped in iOS 16.4, macOS 12.3, Safari 16.4