Bug 1576767 Comment 295 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses.

macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000
kernel extensions have a bug that can cause crashes in an application
that uses graphics acceleration. The bug is in code that manages GPU
accelerator memory, specifically in the following two methods:

        bool
        AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress,
                                             IOAccelMemory* arg2,
                                             vm_size_t arg3, vm_size_t length,
                                             AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5);

        bool
        AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress,
                                               vm_size_t length);

The C++ code for the start of both functions can be reconstructed as follows:

if (startAddress < vmRangeStart) {
  return false;
}
if (startAddress + length >= vmRangeEnd) {
  return false;
}

The bug is in the fourth line, which should be:

if (startAddress + length > vmRangeEnd) {

The mapVA() method maps a buffer into GPU accelerator memory. The
unmapVA() method unmaps it. These six lines of code do an error return
if the buffer won't fit into the available range of GPU memory. The
bug is triggered when mapVA() is called to map a buffer into the very
end of the range. The buffer would fit just fine. But the bug in the
fourth line triggers an error return. Since this error return is
unexpected, it triggers a cascade of other errors that finishes with a
call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn
causes the application to crash at gpusGenerateCrashLog.cold.1() (in
libGPUSupportMercury.dylib).

Since the bug is very simple and straightforward, I've created a
kernel extension that patches it in running instances of the
AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In
my tests it fixes the crashes.

https://github.com/steven-michaud/PatchBug1576767

For some reason, Firefox is much more prone to these crashes than
other applications. That's how they came to my attention. I've been
working on the crashes at
https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information
is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses.

# Crash bug in macOS Catalina AMDRadeonXN000 kernel extension

macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000
kernel extensions have a bug that can cause crashes in an application
that uses graphics acceleration. The bug is in code that manages GPU
accelerator memory, specifically in the following two methods:

        bool
        AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress,
                                             IOAccelMemory* arg2,
                                             vm_size_t arg3, vm_size_t length,
                                             AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5);

        bool
        AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress,
                                               vm_size_t length);

The C++ code for the start of both functions can be reconstructed as follows:

if (startAddress < vmRangeStart) {
  return false;
}
if (startAddress + length >= vmRangeEnd) {
  return false;
}

The bug is in the fourth line, which should be:

if (startAddress + length > vmRangeEnd) {

The mapVA() method maps a buffer into GPU accelerator memory. The
unmapVA() method unmaps it. These six lines of code do an error return
if the buffer won't fit into the available range of GPU memory. The
bug is triggered when mapVA() is called to map a buffer into the very
end of the range. The buffer would fit just fine. But the bug in the
fourth line triggers an error return. Since this error return is
unexpected, it triggers a cascade of other errors that finishes with a
call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn
causes the application to crash at gpusGenerateCrashLog.cold.1() (in
libGPUSupportMercury.dylib).

Since the bug is very simple and straightforward, I've created a
kernel extension that patches it in running instances of the
AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In
my tests it fixes the crashes.

https://github.com/steven-michaud/PatchBug1576767

For some reason, Firefox is much more prone to these crashes than
other applications. That's how they came to my attention. I've been
working on the crashes at
https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information
is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses.

Crash bug in macOS Catalina AMDRadeonXN000 kernel extension

macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000
kernel extensions have a bug that can cause crashes in an application
that uses graphics acceleration. The bug is in code that manages GPU
accelerator memory, specifically in the following two methods:

        bool
        AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress,
                                             IOAccelMemory* arg2,
                                             vm_size_t arg3, vm_size_t length,
                                             AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5);

        bool
        AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress,
                                               vm_size_t length);

The C++ code for the start of both functions can be reconstructed as follows:

if (startAddress < vmRangeStart) {
  return false;
}
if (startAddress + length >= vmRangeEnd) {
  return false;
}

The bug is in the fourth line, which should be:

if (startAddress + length > vmRangeEnd) {

The mapVA() method maps a buffer into GPU accelerator memory. The
unmapVA() method unmaps it. These six lines of code do an error return
if the buffer won't fit into the available range of GPU memory. The
bug is triggered when mapVA() is called to map a buffer into the very
end of the range. The buffer would fit just fine. But the bug in the
fourth line triggers an error return. Since this error return is
unexpected, it triggers a cascade of other errors that finishes with a
call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn
causes the application to crash at gpusGenerateCrashLog.cold.1() (in
libGPUSupportMercury.dylib).

Since the bug is very simple and straightforward, I've created a
kernel extension that patches it in running instances of the
AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In
my tests it fixes the crashes.

https://github.com/steven-michaud/PatchBug1576767

For some reason, Firefox is much more prone to these crashes than
other applications. That's how they came to my attention. I've been
working on the crashes at
https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information
is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses.

Crash bug in macOS Catalina AMDRadeonXN000 kernel extension

macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000
kernel extensions have a bug that can cause crashes in an application
that uses graphics acceleration. The bug is in code that manages GPU
accelerator memory, specifically in the following two methods:

        bool
        AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress,
                                             IOAccelMemory* arg2,
                                             vm_size_t arg3, vm_size_t length,
                                             AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5);

        bool
        AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress,
                                               vm_size_t length);

The C++ code for the start of both functions can be reconstructed as follows:

        if (startAddress < vmRangeStart) {
          return false;
        }
        if (startAddress + length >= vmRangeEnd) {
          return false;
        }

The bug is in the fourth line, which should be:

        if (startAddress + length > vmRangeEnd) {

The mapVA() method maps a buffer into GPU accelerator memory. The
unmapVA() method unmaps it. These six lines of code do an error return
if the buffer won't fit into the available range of GPU memory. The
bug is triggered when mapVA() is called to map a buffer into the very
end of the range. The buffer would fit just fine. But the bug in the
fourth line triggers an error return. Since this error return is
unexpected, it triggers a cascade of other errors that finishes with a
call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn
causes the application to crash at gpusGenerateCrashLog.cold.1() (in
libGPUSupportMercury.dylib).

Since the bug is very simple and straightforward, I've created a
kernel extension that patches it in running instances of the
AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In
my tests it fixes the crashes.

https://github.com/steven-michaud/PatchBug1576767

For some reason, Firefox is much more prone to these crashes than
other applications. That's how they came to my attention. I've been
working on the crashes at
https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information
is available there.
I still haven't heard from anyone testing with [PatchBug1576767](https://github.com/steven-michaud/PatchBug1576767). But I've grown tired of waiting, so I submitted the following bug report to Apple. For what it's worth, the "feedback number" is FB7875887. I'll post updates on Apple's responses.

### Crash bug in macOS Catalina AMDRadeonXN000 kernel extension

macOS Catalina's AMDRadeonX4000, AMDRadeonX5000 and AMDRadeonX6000
kernel extensions have a bug that can cause crashes in an application
that uses graphics acceleration. The bug is in code that manages GPU
accelerator memory, specifically in the following two methods:

        bool
        AMDRadeonX4000_AMDHWVMContext::mapVA(vm_address_t startAddress,
                                             IOAccelMemory* arg2,
                                             vm_size_t arg3, vm_size_t length,
                                             AMDRadeonX4000_IAMDHWVMM::VmMapFlags arg5);

        bool
        AMDRadeonX4000_AMDHWVMContext::unmapVA(vm_address_t startAddress,
                                               vm_size_t length);

The C++ code for the start of both functions can be reconstructed as follows:

        if (startAddress < vmRangeStart) {
          return false;
        }
        if (startAddress + length >= vmRangeEnd) {
          return false;
        }

The bug is in the fourth line, which should be:

        if (startAddress + length > vmRangeEnd) {

The mapVA() method maps a buffer into GPU accelerator memory. The
unmapVA() method unmaps it. These six lines of code do an error return
if the buffer won't fit into the available range of GPU memory. The
bug is triggered when mapVA() is called to map a buffer into the very
end of the range. The buffer would fit just fine. But the bug in the
fourth line triggers an error return. Since this error return is
unexpected, it triggers a cascade of other errors that finishes with a
call to IOAccelContext2::setContextError(0xfffffff9/-7). This in turn
causes the application to crash at gpusGenerateCrashLog.cold.1() (in
libGPUSupportMercury.dylib).

Since the bug is very simple and straightforward, I've created a
kernel extension that patches it in running instances of the
AMDRadeon4000, AMDRadeonX5000 and AMDRadeonX6000 kernel extensions. In
my tests it fixes the crashes.

https://github.com/steven-michaud/PatchBug1576767

For some reason, Firefox is much more prone to these crashes than
other applications. That's how they came to my attention. I've been
working on the crashes at
https://bugzilla.mozilla.org/show_bug.cgi?id=1576767. More information
is available there.

Back to Bug 1576767 Comment 295