Closed Bug 1840708 Opened 10 months ago Closed 10 months ago

ui.perfetto.dev fails to load trace file (Error: RuntimeError: index out of bounds)

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Version:
Firefox 116
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
117 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox115 --- unaffected
firefox116 --- unaffected
firefox117 --- fixed

People

(Reporter: pmenzel+bugzilla.mozilla.org, Assigned: jandem)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Output of `about:support`
48.45 KB, text/plain
Details
Bug 1840708 - Support non-JSFunction callables for WebAssembly.Function's second argument. r?rhunt!
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0

Steps to reproduce:

Visit https://ui.perfetto.dev and open a trace file, and load (unziped) trace file.

Actual results:

The error below is shown:

To assist with debugging please attach or link to the trace you were viewing.

Viewed on: https://ui.perfetto.dev

Error: RuntimeError: index out of bounds
protozero::RingBufferMessageReader::Append(void const*, unsigned long)@https://ui.perfetto.dev/v34.0-5f456dbc0/engine_bundle.js line 1600 > WebAssembly.Module:wasm-function[5770]:0x3b6b1f
perfetto::trace_processor::Rpc::OnRpcRequest(void const*, unsigned long)@https://ui.perfetto.dev/v34.0-5f456dbc0/engine_bundle.js line 1600 > WebAssembly.Module:wasm-function[5757]:0x3b40b6
trace_processor_on_rpc_request@https://ui.perfetto.dev/v34.0-5f456dbc0/engine_bundle.js line 1600 > WebAssembly.Module:wasm-function[290]:0x1e112
createExportWrapper/<@https://ui.perfetto.dev/v34.0-5f456dbc0/engine_bundle.js:1569:22
ccall@https://ui.perfetto.dev/v34.0-5f456dbc0/engine_bundle.js:1184:19
onMessage@https://ui.perfetto.dev/v34.0-5f456dbc0/engine_bundle.js:6972:34

Expected results:

No error should be shown.

The same site works in Firefox 114.0.

The Perfetto commented in the GitHub issue:

That sounds like a bug you should file against mozilla. Maybe something in their wasm runtime is doing something different?

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: WebAssembly' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → JavaScript: WebAssembly
Product: Firefox → Core
Keywords: regression
Summary: ui.perfetto.dev → ui.perfetto.dev fails to load trace file (Error: RuntimeError: index out of bounds)

Julian could you take a look at this? I would except I'm about to be out for two days next week.

Flags: needinfo?(jseward)

mozregression produces this:

13:00.92 INFO: No more integration revisions, bisection finished.
13:00.92 INFO: Last good revision: 9c3f71785d22cc144088970c41ba7779fe005d5b
13:00.92 INFO: First bad revision: 443570c2740f2014644dcb6e1e35937b423b9c95
13:00.92 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9c3f71785d22cc144088970c41ba7779fe005d5b&tochange=443570c2740f2014644dcb6e1e35937b423b9c95

which is bug 1483869. I'm not sure I entirely believe this, since that shipped in 112
whereas the bug reported here is not reproducible in 114. So I re-ran mozregress
again and got the same result.

Flags: needinfo?(jseward) → needinfo?(jdemooij)

Setting Regressed by field after analyzing regression range found by mozregression in comment #4.

Regressed by: 1483869

Playing around with building from source seems to confirm that bug 1483869
causes the regression. That has a stack of 12 patches. A build with none
applied works; with all 12 applied fails. Poking a bit deeper, I found the
following. I am not sure whether it is intended that arbitrary initial
prefixes of the patch stack work correctly, or only the whole stack.

FAILS
changeset:   654515:634f0d65b4ad
user:        Jan de Mooij <jdemooij@mozilla.com>
date:        Mon Feb 27 13:05:42 2023 +0000
summary:     Bug 1483869 part 2 - Rewrite bound function implementation. r=iain

WORKS
changeset:   654514:2977375e714e
user:        Jan de Mooij <jdemooij@mozilla.com>
date:        Mon Feb 27 13:05:42 2023 +0000
summary:     Bug 1483869 part 1 - Remove FinishBoundFunctionInit optimization. r=iain

Thanks for the bisection!

This is a bit similar to bug 1815219: the WebAssembly.Function constructor checks whether the second argument is a JSFunction, but bound functions now have a different JSClass so fail that check. This would also affect other callable non-JSFunction objects. I have a patch for this that fixes the website.

Assignee: nobody → jdemooij
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The bound function rewrite in bug 1483869 exposed this, because bound functions now
have their own JSClass.

Flags: needinfo?(jdemooij)

Set release status flags based on info from the regressing bug 1483869

status-firefox115: --- → affected
status-firefox116: --- → affected
status-firefox117: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr115: --- → affected

WebAssembly.Function is a nightly-only feature (see js-type-reflections proposal). Unsetting the release status flags.

Severity: -- → S3
status-firefox115: affectedunaffected
status-firefox116: affectedunaffected
status-firefox117: affectedunaffected
status-firefox-esr115: affectedunaffected
Priority: -- → P1
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f70bfc695c7c
Support non-JSFunction callables for WebAssembly.Function's second argument. r=rhunt

https://hg.mozilla.org/mozilla-central/rev/f70bfc695c7c

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: