How Safari crashes the graphics driver

It all started when we began getting reports of really weird behavior in Safari — something like this:

Glitches when moving objects on a board, unresponsive board rendering on the macOS app, frozen macOS, kernel panic.

Now what?

We reported it to Apple, but on second thought we didn’t identify the right root cause. Now I believe that this issue hasn’t got anything to do with memory.

We wanted to give Apple a reproducible example of the issue, so that they wouldn’t need to dig in our Miro app.

After some analysis, we believed that the problem had something to do with rendering: either DOM elements, or Canvas2D. We disabled all DOM elements, but the bug persisted. We had only one suspect left: Canvas2D.

The board was most likely producing a set of calls to the Canvas2D APIs that were triggering the bug, so we wrote a script to save all calls to the Canvas2D API during the rendering of the board. This produced about 20 MB of JS code, with only board calls to the Canvas2D API.
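One way to build such a recorder, as an added example (not the script Miro used): a `Proxy` around the 2D context logs every method call and property assignment as a line of replayable JavaScript. The names `recordContext`, `serialize`, `makeStubContext` and `demo` are hypothetical, and the stub context is constructed so the code runs outside a browser.

```javascript
// Added example: log every Canvas2D call as a line of replayable JavaScript.
// recordContext, serialize, makeStubContext and demo are hypothetical names.

function serialize(value) {
  if (value === undefined) return 'undefined';
  // JSON.stringify turns NaN/Infinity into null, which would hide odd inputs.
  if (typeof value === 'number' && !Number.isFinite(value)) return String(value);
  if (value === null || ['number', 'string', 'boolean'].includes(typeof value)) {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) return '[' + value.map(serialize).join(', ') + ']';
  // Gradients, patterns and images need their own re-creation code in the log.
  return 'undefined /* unserializable ' + Object.prototype.toString.call(value) + ' */';
}

function recordContext(ctx, log, name = 'ctx') {
  return new Proxy(ctx, {
    get(target, prop) {
      const member = target[prop];
      if (typeof member !== 'function') return member;
      // Log the call, then forward it to the real context (native methods
      // must be invoked with the real context as `this`, not the proxy).
      return (...args) => {
        log.push(`${name}.${String(prop)}(${args.map(serialize).join(', ')});`);
        return member.apply(target, args);
      };
    },
    set(target, prop, value) {
      log.push(`${name}.${String(prop)} = ${serialize(value)};`);
      target[prop] = value;
      return true;
    },
  });
}

// Constructed stand-in for a real 2D context so the example runs in Node.
function makeStubContext() {
  const calls = [];
  return {
    calls,
    fillStyle: '#000',
    fillRect(...args) { calls.push(['fillRect', args]); },
    setLineDash(segments) { calls.push(['setLineDash', segments]); },
  };
}

function demo() {
  const log = [];
  const real = makeStubContext();
  const ctx = recordContext(real, log);
  ctx.fillStyle = 'red';
  ctx.setLineDash([4, 2]);
  ctx.fillRect(0, 0, NaN, 10);
  return { log, real };
}
```

In a browser, the wrapped object would come from `canvas.getContext('2d')`, and joining `log` with newlines gives a script that replays the same drawing without the application.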

And we got it! We could reproduce the bug without needing the Miro app! That was a great success. We couldn’t possibly send Apple a report with a 20 MB HTML file, so we got rid of irrelevant calls. After a couple of days of painstaking trial and error, we had about 30 lines of code that can bring a whole system down with a kernel panic when they run in Safari.

We produced a working test case for this bug; it’s just about 30 lines of code:

After some experimenting, we discovered one important requirement to successfully reproduce the bug: a MacBook with an integrated graphics card. It’s a default setting on Big Sur; on Catalina, you enable it by running this command:

To learn more about integrated graphics and discrete graphics, read this article:

The only thing we know for sure is that it has something to do with Canvas2D and the Intel HD card. Anything besides that is pure speculation: maybe a bug in the Intel HD driver? Maybe Safari uses the Intel HD driver incorrectly?

Since this bug can cause a kernel panic and can badly disrupt app rendering in macOS, it is potentially dangerous, so it must occur at a low level.

We can visually represent the process we used with a diagram like this:

How the crash occurs

We installed Monterey Beta 12 on our MacBook, and we can confirm that we can no longer reproduce the bug. There is one concern though: in the development process of the future Monterey releases, this bug could resurface, and it could crawl its way to a release version of Monterey — we’ll be watchful.
