I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses. macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions have a bug that can cause crashes in an application that uses graphics acceleration. The bug is in code that manages GPU accelerator memory, specifically in the following two methods: bool AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress, IOAccelMemory* arg2, vm_size_t arg3, vm_size_t length, AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5); bool AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress, vm_size_t length); The C++ code for the start of both functions can be reconstructed as follows: if (startAddress < vmRangeStart) { return false; } if (startAddress + length >= vmRangeEnd) { return false; } The bug is in the fourth line, which should be: if (startAddress + length > vmRangeEnd) { The mapVA() method maps a buffer into GPU accelerator memory. The unmapVA() method unmaps it. These six lines of code do an error return if the buffer won't fit into the available range of GPU memory. The bug is triggered when mapVA() is called to map a buffer into the very end of the range. The buffer would fit just fine. But the bug in the fourth line triggers an error return. Since this error return is unexpected, it triggers a cascade of other errors that finishes with a call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn causes the application to crash at gpusGenerateCrashLog.cold.1() (in libGPUSupportMercury.dylib). Since the bug is very simple and straightforward, I've created a kernel extension that patches it in running instances of the AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In my tests it fixes the crashes. https://github.com/steven-michaud/PatchBug1576767 For some reason, Firefox is much more prone to these crashes than other applications. That's how they came to my attention. I've been working on the crashes at https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information is available there.
Bug 1576767 Comment 295 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses. # Crash bug in macOS Catalina AMDRadeonXN000 kernel extension macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions have a bug that can cause crashes in an application that uses graphics acceleration. The bug is in code that manages GPU accelerator memory, specifically in the following two methods: bool AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress, IOAccelMemory* arg2, vm_size_t arg3, vm_size_t length, AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5); bool AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress, vm_size_t length); The C++ code for the start of both functions can be reconstructed as follows: if (startAddress < vmRangeStart) { return false; } if (startAddress + length >= vmRangeEnd) { return false; } The bug is in the fourth line, which should be: if (startAddress + length > vmRangeEnd) { The mapVA() method maps a buffer into GPU accelerator memory. The unmapVA() method unmaps it. These six lines of code do an error return if the buffer won't fit into the available range of GPU memory. The bug is triggered when mapVA() is called to map a buffer into the very end of the range. The buffer would fit just fine. But the bug in the fourth line triggers an error return. Since this error return is unexpected, it triggers a cascade of other errors that finishes with a call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn causes the application to crash at gpusGenerateCrashLog.cold.1() (in libGPUSupportMercury.dylib). Since the bug is very simple and straightforward, I've created a kernel extension that patches it in running instances of the AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In my tests it fixes the crashes. https://github.com/steven-michaud/PatchBug1576767 For some reason, Firefox is much more prone to these crashes than other applications. That's how they came to my attention. I've been working on the crashes at https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses. Crash bug in macOS Catalina AMDRadeonXN000 kernel extension macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions have a bug that can cause crashes in an application that uses graphics acceleration. The bug is in code that manages GPU accelerator memory, specifically in the following two methods: bool AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress, IOAccelMemory* arg2, vm_size_t arg3, vm_size_t length, AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5); bool AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress, vm_size_t length); The C++ code for the start of both functions can be reconstructed as follows: if (startAddress < vmRangeStart) { return false; } if (startAddress + length >= vmRangeEnd) { return false; } The bug is in the fourth line, which should be: if (startAddress + length > vmRangeEnd) { The mapVA() method maps a buffer into GPU accelerator memory. The unmapVA() method unmaps it. These six lines of code do an error return if the buffer won't fit into the available range of GPU memory. The bug is triggered when mapVA() is called to map a buffer into the very end of the range. The buffer would fit just fine. But the bug in the fourth line triggers an error return. Since this error return is unexpected, it triggers a cascade of other errors that finishes with a call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn causes the application to crash at gpusGenerateCrashLog.cold.1() (in libGPUSupportMercury.dylib). Since the bug is very simple and straightforward, I've created a kernel extension that patches it in running instances of the AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In my tests it fixes the crashes. https://github.com/steven-michaud/PatchBug1576767 For some reason, Firefox is much more prone to these crashes than other applications. That's how they came to my attention. I've been working on the crashes at https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses. Crash bug in macOS Catalina AMDRadeonXN000 kernel extension macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions have a bug that can cause crashes in an application that uses graphics acceleration. The bug is in code that manages GPU accelerator memory, specifically in the following two methods: bool AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress, IOAccelMemory* arg2, vm_size_t arg3, vm_size_t length, AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5); bool AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress, vm_size_t length); The C++ code for the start of both functions can be reconstructed as follows: if (startAddress < vmRangeStart) { return false; } if (startAddress + length >= vmRangeEnd) { return false; } The bug is in the fourth line, which should be: if (startAddress + length > vmRangeEnd) { The mapVA() method maps a buffer into GPU accelerator memory. The unmapVA() method unmaps it. These six lines of code do an error return if the buffer won't fit into the available range of GPU memory. The bug is triggered when mapVA() is called to map a buffer into the very end of the range. The buffer would fit just fine. But the bug in the fourth line triggers an error return. Since this error return is unexpected, it triggers a cascade of other errors that finishes with a call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn causes the application to crash at gpusGenerateCrashLog.cold.1() (in libGPUSupportMercury.dylib). Since the bug is very simple and straightforward, I've created a kernel extension that patches it in running instances of the AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In my tests it fixes the crashes. https://github.com/steven-michaud/PatchBug1576767 For some reason, Firefox is much more prone to these crashes than other applications. That's how they came to my attention. I've been working on the crashes at https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses. ### Crash bug in macOS Catalina AMDRadeonXN000 kernel extension macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions have a bug that can cause crashes in an application that uses graphics acceleration. The bug is in code that manages GPU accelerator memory, specifically in the following two methods: bool AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress, IOAccelMemory* arg2, vm_size_t arg3, vm_size_t length, AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5); bool AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress, vm_size_t length); The C++ code for the start of both functions can be reconstructed as follows: if (startAddress < vmRangeStart) { return false; } if (startAddress + length >= vmRangeEnd) { return false; } The bug is in the fourth line, which should be: if (startAddress + length > vmRangeEnd) { The mapVA() method maps a buffer into GPU accelerator memory. The unmapVA() method unmaps it. These six lines of code do an error return if the buffer won't fit into the available range of GPU memory. The bug is triggered when mapVA() is called to map a buffer into the very end of the range. The buffer would fit just fine. But the bug in the fourth line triggers an error return. Since this error return is unexpected, it triggers a cascade of other errors that finishes with a call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn causes the application to crash at gpusGenerateCrashLog.cold.1() (in libGPUSupportMercury.dylib). Since the bug is very simple and straightforward, I've created a kernel extension that patches it in running instances of the AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In my tests it fixes the crashes. https://github.com/steven-michaud/PatchBug1576767 For some reason, Firefox is much more prone to these crashes than other applications. That's how they came to my attention. I've been working on the crashes at https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information is available there.