Apple broke WebAssembly and are leaving it broken

3
Official Construct Post
Ashley's avatar
Ashley
  • 29 Jan, 2018
  • 389 words
  • ~2-3 mins
  • 7,956 visits
  • 0 favourites

The Spectre security vulnerability has left many companies scrambing to mitigate it. Along with other browser vendors, Apple worked quickly to add some mitigations to Safari and issued iOS 11.2.2 to patch it.

Unfortunately they also completely broke WebAssembly on iOS. As in, WebAssembly no longer works, period. According to this, the issue is memory reads from non-zero locations return zero. This amounts to "memory reads don't work". Obviously if a program can't read memory, the program is unlikely to work. So it's pretty broken. Strangely this only affects iOS and not Safari on macOS.

Apple rushed out a follow-up patch with iOS 11.2.5. I expected them to have fixed this rather glaring error in this patch. Unfortunately no, it's still broken. When will it be fixed? I don't know; Apple don't discuss their plans publicly. The best guess I've had is in this WebKit bug of "spring". That could mean WebAssembly is enabled but non-functioning in a major browser for a month or more.

I am guessing something has gone seriously wrong at Apple and nobody was expecting this to happen, but really, it would have been better to disable WebAssembly completely than leave it broken. As it is, on iOS feature-detection will see WebAssembly supported and try to use it, but fail. If it were disabled, anything with an asm.js fallback would have switched back to that. So now everyone else has to scramble to fix their WebAssembly feature detection to check for broken iOS support and also fall back to asm.js in that case. (Luckily Brion Vibber has figured out a minimal check which I linked to earlier.) For anyone with middleware or frameworks like us, we have to fix it, then tell everyone who uses our software to go and update everything they've published as well. The effects of Spectre ripple outwards... (For Construct 3 users, this is why your games may fail to load on iOS. We'll add the workaround soon.)

Given a string of high-profile software snafus by Apple recently, this is hardly instilling further confidence. If only they had some kind of system for distributing app updates separately to the OS... but no, for some reason the browser is an OS component. There must be someone at Apple wishing they'd distributed Safari as an app right now, like Chrome is on Android.

Subscribe

Get emailed when there are new posts!