Workaround for a TextDecoder bug in Safari causing a RangeError to be thrown

`TextDecoder` in Safari has a limitation that causes it to throw `RangeError`
after decoding more than 2GiB of data. This causes long running wasm programs
that need to use `TextDecoder` to crash and start throwing `RuntimeError` with
the message "Out of bounds memory access".

We work around the issue by tracking how much data has been decoded by any
given `TextDecoder`, and replace it when it comes close to 2GiB, deducting
a small margin of 1MiB which has been empirically shown to reduce the
likelihood of miscounting (for unknown reasons) causing a `RangeError` to
be thrown.

This commit also adds stricter handling of the kind of declaration used for
TextDecoder and TextEncoder - TextDecoder always uses let because it needs
to be mutable, and TextEncoder always uses const because it doesn't need to
be mutable.

Fixes #4471

Author: bes

crates/cli-support/src/js/mod.rs

@@ -1714,10 +1714,10 @@ __wbg_set_wasm(wasm);"
         if !self.should_write_global("text_encoder") {
             return Ok(());
         }
-        self.expose_text_processor("TextEncoder", "encode", "('utf-8')", None)
+        self.expose_text_processor("const", "TextEncoder", "encode", "('utf-8')", None)
     }
 
-    fn expose_text_decoder(&mut self) -> Result<(), Error> {
+    fn expose_text_decoder(&mut self, mem: &MemView, memory: MemoryId) -> Result<(), Error> {
         if !self.should_write_global("text_decoder") {
             return Ok(());
         }
@@ -1729,22 +1729,77 @@ __wbg_set_wasm(wasm);"
         // `ignoreBOM` is needed so that the BOM will be preserved when sending a string from Rust to JS
         // `fatal` is needed to catch any weird encoding bugs when sending a string from Rust to JS
         self.expose_text_processor(
+            "let",
             "TextDecoder",
             "decode",
             "('utf-8', { ignoreBOM: true, fatal: true })",
             init,
         )?;
 
+        let text_decoder_decode = self.generate_text_decoder_decode(mem, memory)?;
+        match &self.config.mode {
+            OutputMode::Bundler { .. } | OutputMode::Web => {
+                // For targets that can run in a browser, we need a workaround for the fact that
+                // (at least) Safari 16 to 18 has a TextDecoder that can't decode anymore after
+                // processing 2GiB of data. The workaround is that we keep track of how much the
+                // decoder has decoded and just create a new decoder when we're getting close to
+                // the limit.
+                // See MAX_SAFARI_DECODE_BYTES below for link to bug report.
+
+                let cached_text_processor = self.generate_cached_text_processor_init(
+                    "TextDecoder",
+                    "decode",
+                    "('utf-8', { ignoreBOM: true, fatal: true })",
+                )?;
+
+                // Maximum number of bytes Safari can handle for one TextDecoder is 2GiB (2147483648)
+                // but empirically it seems to crash a bit before the end, so we remove 1MiB of margin.
+                // Workaround for a bug in Safari.
+                // See https://github.com/rustwasm/wasm-bindgen/issues/4471
+                const MAX_SAFARI_DECODE_BYTES: u32 = 2147483648 - 1048576;
+                self.global(&format!(
+                    "
+                    const MAX_SAFARI_DECODE_BYTES = {0};
+                    let numBytesDecoded = 0;
+                    function decodeText(ptr, len) {{
+                        numBytesDecoded += len;
+                        if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {{
+                            {1}
+                            cachedTextDecoder.decode();
+                            numBytesDecoded = len;
+                        }}
+                        return {2};
+                    }}
+                    ",
+                    MAX_SAFARI_DECODE_BYTES, cached_text_processor, text_decoder_decode,
+                ));
+            }
+            _ => {
+                // For any non-browser target, we can just use the TextDecoder without any workarounds.
+                // For browser-targets, see the workaround for Safari above.
+                self.global(&format!(
+                    "
+                    function decodeText(ptr, len) {{
+                        return {};
+                    }}
+                    ",
+                    text_decoder_decode,
+                ));
+            }
+        }
+
         Ok(())
     }
 
     fn expose_text_processor(
         &mut self,
+        decl_kind: &str,
         s: &str,
         op: &str,
         args: &str,
         init: Option<&str>,
     ) -> Result<(), Error> {
+        let cached_text_processor_init = self.generate_cached_text_processor_init(s, op, args)?;
         match &self.config.mode {
             OutputMode::Node { .. } => {
                 let name = self.import_name(&JsImport {
@@ -1754,7 +1809,9 @@ __wbg_set_wasm(wasm);"
                     },
                     fields: Vec::new(),
                 })?;
-                self.global(&format!("let cached{} = new {}{};", s, name, args));
+                // decl_kind is the kind of the kind of the declaration: let or const
+                // cached_text_processor_init is the rest of the statement for initializing a cached text processor
+                self.global(&format!("{} {}", decl_kind, cached_text_processor_init));
             }
             OutputMode::Bundler {
                 browser_only: false,
@@ -1766,13 +1823,15 @@ __wbg_set_wasm(wasm);"
                 ",
                     s
                 ));
-                self.global(&format!("let cached{0} = new l{0}{1};", s, args));
+                self.global(&format!("{} {}", decl_kind, cached_text_processor_init));
             }
             OutputMode::Deno
             | OutputMode::Web
             | OutputMode::NoModules { .. }
             | OutputMode::Bundler { browser_only: true } => {
-                self.global(&format!("const cached{0} = (typeof {0} !== 'undefined' ? new {0}{1} : {{ {2}: () => {{ throw Error('{0} not available') }} }} );", s, args, op))
+                // decl_kind is the kind of the kind of the declaration: let or const
+                // cached_text_processor_init is the rest of the statement for initializing a cached text processor
+                self.global(&format!("{} {}", decl_kind, cached_text_processor_init))
             }
         };
 
@@ -1795,9 +1854,43 @@ __wbg_set_wasm(wasm);"
         Ok(())
     }
 
+    /// Generates a partial text processor statement, everything except the declaration kind,
+    /// i.e. everything except for `const` or `let` which the caller needs to handle itself.
+    fn generate_cached_text_processor_init(
+        &mut self,
+        s: &str,
+        op: &str,
+        args: &str,
+    ) -> Result<String, Error> {
+        let new_cached_text_procesor = match &self.config.mode {
+            OutputMode::Node { .. } => {
+                let name = self.import_name(&JsImport {
+                    name: JsImportName::Module {
+                        module: "util".to_string(),
+                        name: s.to_string(),
+                    },
+                    fields: Vec::new(),
+                })?;
+                format!("cached{} = new {}{};", s, name, args)
+            }
+            OutputMode::Bundler {
+                browser_only: false,
+            } => {
+                format!("cached{0} = new l{0}{1};", s, args)
+            }
+            OutputMode::Deno
+            | OutputMode::Web
+            | OutputMode::NoModules { .. }
+            | OutputMode::Bundler { browser_only: true } => {
+                format!("cached{0} = (typeof {0} !== 'undefined' ? new {0}{1} : {{ {2}: () => {{ throw Error('{0} not available') }} }} );", s, args, op)
+            }
+        };
+        Ok(new_cached_text_procesor)
+    }
+
     fn expose_get_string_from_wasm(&mut self, memory: MemoryId) -> Result<MemView, Error> {
-        self.expose_text_decoder()?;
         let mem = self.expose_uint8_memory(memory);
+        self.expose_text_decoder(&mem, memory)?;
         let ret = MemView {
             name: "getStringFromWasm".into(),
             num: mem.num,
@@ -1807,6 +1900,23 @@ __wbg_set_wasm(wasm);"
             return Ok(ret);
         }
 
+        self.global(&format!(
+            "
+            function {}(ptr, len) {{
+                ptr = ptr >>> 0;
+                return decodeText(ptr, len);
+            }}
+            ",
+            ret,
+        ));
+        Ok(ret)
+    }
+
+    fn generate_text_decoder_decode(
+        &self,
+        mem: &MemView,
+        memory: MemoryId,
+    ) -> Result<String, Error> {
         // Typically we try to give a raw view of memory out to `TextDecoder` to
         // avoid copying too much data. If, however, a `SharedArrayBuffer` is
         // being used it looks like that is rejected by `TextDecoder` or
@@ -1818,16 +1928,10 @@ __wbg_set_wasm(wasm);"
         let is_shared = self.module.memories.get(memory).shared;
         let method = if is_shared { "slice" } else { "subarray" };
 
-        self.global(&format!(
-            "
-            function {}(ptr, len) {{
-                ptr = ptr >>> 0;
-                return cachedTextDecoder.decode({}().{}(ptr, ptr + len));
-            }}
-            ",
-            ret, mem, method
-        ));
-        Ok(ret)
+        Ok(format!(
+            "cachedTextDecoder.decode({}().{}(ptr, ptr + len))",
+            mem, method
+        ))
     }
 
     fn expose_get_cached_string_from_wasm(

crates/cli/tests/reference/anyref-import-catch.js

@@ -19,12 +19,6 @@ function handleError(f, args) {
     }
 }
 
-const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder;
-
-let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
-
-cachedTextDecoder.decode();
-
 let cachedUint8ArrayMemory0 = null;
 
 function getUint8ArrayMemory0() {
@@ -34,9 +28,27 @@ function getUint8ArrayMemory0() {
     return cachedUint8ArrayMemory0;
 }
 
+const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder;
+
+let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+
+cachedTextDecoder.decode();
+
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
 function getStringFromWasm0(ptr, len) {
     ptr = ptr >>> 0;
-    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+    return decodeText(ptr, len);
 }
 
 function takeFromExternrefTable0(idx) {

crates/cli/tests/reference/builder.js

@@ -4,12 +4,6 @@ export function __wbg_set_wasm(val) {
 }
 
 
-const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder;
-
-let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
-
-cachedTextDecoder.decode();
-
 let cachedUint8ArrayMemory0 = null;
 
 function getUint8ArrayMemory0() {
@@ -19,9 +13,27 @@ function getUint8ArrayMemory0() {
     return cachedUint8ArrayMemory0;
 }
 
+const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder;
+
+let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+
+cachedTextDecoder.decode();
+
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
 function getStringFromWasm0(ptr, len) {
     ptr = ptr >>> 0;
-    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+    return decodeText(ptr, len);
 }
 
 const ClassBuilderFinalization = (typeof FinalizationRegistry === 'undefined')

crates/cli/tests/reference/constructor.js

@@ -4,12 +4,6 @@ export function __wbg_set_wasm(val) {
 }
 
 
-const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder;
-
-let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
-
-cachedTextDecoder.decode();
-
 let cachedUint8ArrayMemory0 = null;
 
 function getUint8ArrayMemory0() {
@@ -19,9 +13,27 @@ function getUint8ArrayMemory0() {
     return cachedUint8ArrayMemory0;
 }
 
+const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder;
+
+let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+
+cachedTextDecoder.decode();
+
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
 function getStringFromWasm0(ptr, len) {
     ptr = ptr >>> 0;
-    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+    return decodeText(ptr, len);
 }
 
 const ClassConstructorFinalization = (typeof FinalizationRegistry === 'undefined')

crates/cli/tests/reference/echo.js

@@ -82,7 +82,7 @@ function getUint8ArrayMemory0() {
 
 const lTextEncoder = typeof TextEncoder === 'undefined' ? (0, module.require)('util').TextEncoder : TextEncoder;
 
-let cachedTextEncoder = new lTextEncoder('utf-8');
+const cachedTextEncoder = new lTextEncoder('utf-8');
 
 const encodeString = (typeof cachedTextEncoder.encodeInto === 'function'
     ? function (arg, view) {
@@ -155,9 +155,21 @@ let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true
 
 cachedTextDecoder.decode();
 
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
 function getStringFromWasm0(ptr, len) {
     ptr = ptr >>> 0;
-    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+    return decodeText(ptr, len);
 }
 /**
  * @param {number} a