Closed Bug 1821582 Opened 2 years ago Closed 10 days ago

`worker.postMessage` with a WebAssembly.Memory followed by 2 typed arrays doesn't work.

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

Product:
Core
Component:
JavaScript: WebAssembly
Version:
Firefox 109
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
149 Branch
Tracking Flags:
Tracking Status
firefox149 --- fixed

People

(Reporter: d, Assigned: yury)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1821582 - Preserve SharedArrayBuffer identity during WebAssembly.Memory cloning. r?sfink
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0

Steps to reproduce:

I created a new WebAssembly.Memory(…). I also created an object with two Int32Arrays backed by the memory's buffer. Then I posted them to a worker and got different results depending on the order of the memory and the object.

I have uploaded a minimum reproduction to https://github.com/DDR0/Stardust/tree/memory-issue-2-reproduction. main.mjs sends the messages as detailed above, and sim.mjs echos the messages received to the console. I have included example_server.py to serve the files cross-origin-isolated, so shared memory gets enabled.

Actual results:

Console:

🛈 Worker Thread: [object Object],[object WebAssembly.Memory]. sim.mjs:1:47
⚠ [object MessageEvent] sim.mjs:2:45
🛈 Worker Thread: [object Object],[object WebAssembly.Memory]. sim.mjs:1:47
⚠ [object MessageEvent]  sim.mjs:2:45

Expected results:

Console:

🛈 Worker Thread: [object Object],[object WebAssembly.Memory]. sim.mjs:1:47
🛈 Worker Thread: [object WebAssembly.Memory],[object Object]. sim.mjs:1:47
🛈 Worker Thread: [object Object],[object WebAssembly.Memory]. sim.mjs:1:47
🛈 Worker Thread: [object WebAssembly.Memory],[object Object]. sim.mjs:1:47

Note: The above shows up if I back the memory with a normal SharedArrayBuffer(10) or only have one TypedArray in the object. The typed arrays don't have to be in the object.

Note: While Chromium does transfer [memory, object], it transfers [object, memory] as null, firing the worker's message event in both cases. This issue does not reproduce in Firefox, and only needs one typed array instead of two. I have filed it with them at https://bugs.chromium.org/p/chromium/issues/detail?id=1421524.

Thank you!

Im not sure if this is the correct component for this issue, hopefully one of our devs can take a look and move it to a more suitable one.

QA Whiteboard: [qa-not-actionable]
Component: Untriaged → JavaScript: WebAssembly
Product: Firefox → Core

The sister Chromium issue, mentioned above, has been fixed now.

Ben, could you take a look?

Assignee: nobody → bvisness
Severity: -- → N/A
Priority: -- → P2
Severity: N/A → S3
Assignee: bvisness → ydelendik

Use startWrite for the SharedArrayBuffer in writeSharedWasmMemory to ensure
it gets registered in the memory map. This allows subsequent references from
typed arrays to use back-references instead of creating duplicate buffers.

Add the SharedArrayBuffer to allObjs in readSharedArrayBuffer so
back-references can be resolved during deserialization.

This preserves buffer identity across structured cloning.

Attachment #9544419 - Attachment description: Bug 1821582 - Preserve SharedArrayBuffer identity during WebAssembly.Memory cloning. r?jandem → Bug 1821582 - Preserve SharedArrayBuffer identity during WebAssembly.Memory cloning. r?sfink
Pushed by ydelendik@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/41839dfe700a https://hg.mozilla.org/integration/autoland/rev/7eb3b11c1e7d Preserve SharedArrayBuffer identity during WebAssembly.Memory cloning. r=sfink

https://hg.mozilla.org/mozilla-central/rev/7eb3b11c1e7d

Status: UNCONFIRMED → RESOLVED
Closed: 10 days ago
status-firefox149: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: