Bug 1752122 (Closed) - Opened 3 years ago, Closed 2 years ago

Hit MOZ_CRASH(out of memory: 0x0000000000000060 bytes requested) at /memory/mozalloc/mozalloc_abort.cpp:35

Product/Component: Core :: Graphics: WebGPU
Type: defect
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: 98 Branch
Tracking Status: firefox-esr91 --- unaffected
Reporter: jkratzer
Assignee: kvark
References: Blocks 2 open bugs, Regression
Keywords: regression, testcase
Whiteboard: [bugmon:bisected,confirmed][no-nag]
Attachments: 1 file (Testcase, 3.84 KB, application/octet-stream)

Testcase found while fuzzing mozilla-central rev 504105450146 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 504105450146 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
Hit MOZ_CRASH(out of memory: 0x0000000000000060 bytes requested) at /memory/mozalloc/mozalloc_abort.cpp:35

    ==21950==AddressSanitizer: soft rss limit exhausted (10000Mb vs 10015Mb)
    =================================================================
    ==21950==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f50ee37d7ad bp 0x7f50ff2cc010 sp 0x7f50ff2cbf00 T78)
    ==21950==The signal is caused by a READ memory access.
    ==21950==Hint: address points to the zero page.
        #0 0x7f50ee37d7ad  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x14f7ad)
        #1 0x7f50ee365f53  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x137f53)
        #2 0x7f50ee37e20f  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x15020f)
        #3 0x7f50ee36a27c  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x13c27c)
        #4 0x7f50ee371887  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x143887)
        #5 0x7f50ee37310e  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x14510e)
        #6 0x7f50ee533469  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x305469)
        #7 0x7f50ee53468e  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x30668e)
        #8 0x7f50ee4a54b5  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x2774b5)
        #9 0x7f50ee2e59b8  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0xb79b8)
        #10 0x7f51a48d25eb  (/lib/x86_64-linux-gnu/libvulkan.so.1+0x1f5eb)
        #11 0x7f51a48dcca0  (/lib/x86_64-linux-gnu/libvulkan.so.1+0x29ca0)
        #12 0x7f51a48dd8e9  (/lib/x86_64-linux-gnu/libvulkan.so.1+0x2a8e9)
        #13 0x7f51a48e0962 in vkCreateDevice (/lib/x86_64-linux-gnu/libvulkan.so.1+0x2d962)
        #14 0x7f51c607be8f in ash::vk::features::InstanceFnV1_0::create_device::h6b36a70bbc8c9ce1 /third_party/rust/ash/src/vk/features.rs:639:9
        #15 0x7f51c607be8f in ash::instance::Instance::create_device::hf5e10934da1a0a00 /third_party/rust/ash/src/instance.rs:269:9
        #16 0x7f51c5f9e45d in wgpu_hal::vulkan::adapter::_$LT$impl$u20$wgpu_hal..Adapter$LT$wgpu_hal..vulkan..Api$GT$$u20$for$u20$wgpu_hal..vulkan..Adapter$GT$::open::h21d54f354b864102 /third_party/rust/wgpu-hal/src/vulkan/adapter.rs:1316:13
        #17 0x7f51c599f58d in wgpu_core::instance::Adapter$LT$A$GT$::create_device::hca9d96b6f21a6c8f /third_party/rust/wgpu-core/src/instance.rs:360:29
        #18 0x7f51c599f58d in wgpu_core::instance::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::adapter_request_device::h54e3d5756af4c1c8 /third_party/rust/wgpu-core/src/instance.rs:905:32
        #19 0x7f51c599f58d in wgpu_server_adapter_request_device /gfx/wgpu_bindings/src/server.rs:159:9
        #20 0x7f51bc0c5214 in mozilla::webgpu::WebGPUParent::RecvAdapterRequestDevice(unsigned long, mozilla::ipc::ByteBuf const&, unsigned long) /dom/webgpu/ipc/WebGPUParent.cpp:286:3
        #21 0x7f51b8261019 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:580:56
        #22 0x7f51b79caddb in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:204:32
        #23 0x7f51b779b2e9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2024:25
        #24 0x7f51b77981d8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1949:9
        #25 0x7f51b7799a00 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1816:3
        #26 0x7f51b779a417 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1844:14
        #27 0x7f51b6282beb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1189:16
        #28 0x7f51b628d59c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #29 0x7f51b77a557b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #30 0x7f51b7623a81 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #31 0x7f51b7623a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #32 0x7f51b7623a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #33 0x7f51b627b0ff in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #34 0x7f51d8ec502e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #35 0x7f51dafdb608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #36 0x7f51daba3292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x14f7ad) 
    Thread T78 (Compositor) created by T0 here:
        #0 0x55789c85de4c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7f51d8eb50b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f51d8ea635e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f51b627e445 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:627:18
        #4 0x7f51b628b37f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:581:12
        #5 0x7f51b6296911 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:163:57
        #6 0x7f51b908b502 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7f51b908b502 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gfx/layers/ipc/CompositorThread.cpp:62:17
        #8 0x7f51b908b886 in CompositorThreadHolder /gfx/layers/ipc/CompositorThread.cpp:39:25
        #9 0x7f51b908b886 in mozilla::layers::CompositorThreadHolder::Start() /gfx/layers/ipc/CompositorThread.cpp:103:33
        #10 0x7f51b9263767 in InitLayersIPC /gfx/thebes/gfxPlatform.cpp:1301:5
        #11 0x7f51b9263767 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:963:3
        #12 0x7f51b92668c0 in GetPlatform /gfx/thebes/gfxPlatform.cpp:467:5
        #13 0x7f51b92668c0 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2090:9
        #14 0x7f51be60c32d in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
        #15 0x7f51be60c32d in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:868:9
        #16 0x7f51be61016e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1252:47
        #17 0x7f51be5841a8 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:446:12
        #18 0x7f51be5841a8 in ThemedAccentColor /widget/ThemeColors.cpp:89:37
        #19 0x7f51be5841a8 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:170:20
        #20 0x7f51be583deb in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:169:3
        #21 0x7f51be60a812 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:359:3
        #22 0x7f51be610b6d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1369:3
        #23 0x7f51b60d7917 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
        #24 0x7f51b61df77f in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9164:7
        #25 0x7f51b622e587 in CreateInstance /xpcom/components/nsComponentManager.cpp:181:46
        #26 0x7f51b622e587 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1288:17
        #27 0x7f51b622f038 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1378:10
        #28 0x7f51b62036dd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12288:50
        #29 0x7f51b608dd91 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #30 0x7f51b86a7dfc in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #31 0x7f51b86a7dfc in GetServiceImpl /js/xpconnect/src/JSServices.cpp:84:32
        #32 0x7f51b86a7dfc in GetService /js/xpconnect/src/JSServices.cpp:131:8
        #33 0x7f51b86a7dfc in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:154:25
        #34 0x7f51c3ab65b7 in CallResolveOp /js/src/vm/NativeObject-inl.h:640:8
        #35 0x7f51c3ab65b7 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:760:14
        #36 0x7f51c3ab65b7 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2127:10
        #37 0x7f51c3ab65b7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2175:10
        #38 0x7f51c35d2849 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
        #39 0x7f51c35d2849 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10
        #40 0x7f51c35d1ea4 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4710:10
        #41 0x7f51c35a2c48 in GetPropertyOperation /js/src/vm/Interpreter.cpp:208:10
        #42 0x7f51c35a2c48 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2973:12
        #43 0x7f51c359a421 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #44 0x7f51c35c92cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #45 0x7f51c35cb41b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #46 0x7f51c384806c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #47 0x7f51b86efd90 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
        #48 0x7f51b62d4272 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #49 0x7f51b62d2ffa in SharedStub xptcstubs_x86_64_linux.cpp
        #50 0x7f51b6224912 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:687:19
        #51 0x7f51c3301629 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:978:11
        #52 0x7f51c32dcb13 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5089:18
        #53 0x7f51c32dfb99 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5539:8
        #54 0x7f51c32e08d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5598:21
        #55 0x55789c8a8a99 in do_main /browser/app/nsBrowserApp.cpp:225:22
        #56 0x55789c8a8a99 in main /browser/app/nsBrowserApp.cpp:395:16
        #57 0x7f51daaa80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==21950==ABORTING
Attached file Testcase
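For triaging reports of this shape, an added example that is not code from this bug, from Bugmon, or from the grizzly/fuzzfetch tooling: the Python below parses the ASan output above and pulls out the facts a reviewer checks first. In this trace those are that the soft rss limit was exhausted before the fault, that the fault is a READ of address 0 (zero page) inside libvulkan_lvp.so under vkCreateDevice, and that the first frame in the Firefox tree is wgpu_server_adapter_request_device, reached from WebGPUParent::RecvAdapterRequestDevice via a PWebGPU message, i.e. the path is driven over IPC from the content side. The embedded report is a constructed, abbreviated copy of the trace on this page; the AsanReport, parse_asan_report and triage helpers and the bucket names are my own, and the bucketing is a heuristic, not a root-cause determination.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the ASan report on this bug (frames that do not matter for triage omitted).
SAMPLE_REPORT = """\
==21950==AddressSanitizer: soft rss limit exhausted (10000Mb vs 10015Mb)
==21950==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f50ee37d7ad bp 0x7f50ff2cc010 sp 0x7f50ff2cbf00 T78)
==21950==The signal is caused by a READ memory access.
==21950==Hint: address points to the zero page.
    #0 0x7f50ee37d7ad  (/usr/lib/x86_64-linux-gnu/libvulkan_lvp.so+0x14f7ad)
    #13 0x7f51a48e0962 in vkCreateDevice (/lib/x86_64-linux-gnu/libvulkan.so.1+0x2d962)
    #19 0x7f51c599f58d in wgpu_server_adapter_request_device /gfx/wgpu_bindings/src/server.rs:159:9
    #20 0x7f51bc0c5214 in mozilla::webgpu::WebGPUParent::RecvAdapterRequestDevice(unsigned long, mozilla::ipc::ByteBuf const&, unsigned long) /dom/webgpu/ipc/WebGPUParent.cpp:286:3

AddressSanitizer can not provide additional info.
Thread T78 (Compositor) created by T0 here:
    #0 0x55789c85de4c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
==21950==ABORTING
"""

RSS_RE = re.compile(r"^==\d+==AddressSanitizer: soft rss limit exhausted \((?P<limit>\d+)Mb vs (?P<rss>\d+)Mb\)")
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?(?:.*?\bT(?P<tid>\d+)\b)?")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE|UNKNOWN) memory access")
THREAD_RE = re.compile(r"^Thread T(?P<tid>\d+) \((?P<name>[^)]+)\) created by")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(?P<sym>.*?)\s+)?(?P<loc>\S+)\s*$")
MODULE_RE = re.compile(r"^\((?P<path>.+?)\+0x[0-9a-fA-F]+\)$")


@dataclass
class Frame:
    idx: int
    symbol: Optional[str]
    location: str  # "path:line:col", or "(module+offset)" when unsymbolised


@dataclass
class AsanReport:
    pid: Optional[int] = None
    kind: Optional[str] = None
    address: Optional[str] = None
    thread: Optional[str] = None
    thread_name: Optional[str] = None
    access: Optional[str] = None
    zero_page: bool = False
    rss_limit_mb: Optional[int] = None  # set only if "soft rss limit exhausted" preceded the error
    rss_mb: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)

    def faulting_module(self) -> Optional[str]:
        m = MODULE_RE.match(self.frames[0].location) if self.frames else None
        return m["path"].rsplit("/", 1)[-1] if m else None

    def first_tree_frame(self) -> Optional[Frame]:
        # Skip unsymbolised system libraries, vendored third_party crates and generated files under /builds/.
        for f in self.frames:
            if f.location.startswith("/") and not f.location.startswith(("/third_party/", "/builds/")):
                return f
        return None


def parse_asan_report(text: str) -> AsanReport:
    rep, in_stack = AsanReport(), False
    for line in text.splitlines():
        if m := RSS_RE.match(line):
            rep.rss_limit_mb, rep.rss_mb = int(m["limit"]), int(m["rss"])
        elif m := ERROR_RE.match(line):
            rep.pid, rep.kind, rep.address = int(m["pid"]), m["kind"], m["addr"]
            rep.thread = f"T{m['tid']}" if m["tid"] else None
            in_stack = True  # the faulting stack follows
        elif m := ACCESS_RE.search(line):
            rep.access = m["access"]
        elif "address points to the zero page" in line:
            rep.zero_page = True
        elif m := THREAD_RE.match(line):
            in_stack = False  # "created by" stacks belong to other threads; do not merge them
            if rep.thread == f"T{m['tid']}":
                rep.thread_name = m["name"]
        elif in_stack:
            if m := FRAME_RE.match(line):
                rep.frames.append(Frame(int(m["idx"]), m["sym"], m["loc"]))
            elif rep.frames and line.strip():
                in_stack = False  # first non-frame text after the stack ends it
    return rep


def triage(rep: AsanReport) -> str:
    # Heuristic bucket: an OOM-induced NULL read is prioritised differently from a genuine memory-safety bug.
    if rep.kind == "SEGV" and rep.zero_page:
        return "oom-null-deref" if rep.rss_limit_mb is not None else "null-deref"
    if rep.kind == "SEGV":
        return "wild-access"
    if rep.kind and rep.kind.endswith(("-overflow", "-after-free", "-underflow")):
        return "memory-safety"
    return "unknown"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    entry = r.first_tree_frame()
    print(f"pid {r.pid}: {r.kind} ({r.access} of {r.address}) on {r.thread} {r.thread_name}; rss limit hit: {r.rss_limit_mb is not None}")
    print(f"faulting module {r.faulting_module()}; first in-tree frame {entry.symbol} at {entry.location}; bucket {triage(r)}")
```

Running the script prints the summary for the embedded sample; point parse_asan_report at the full log from grizzly.replay to triage a fresh crash. A SEGV on the zero page that follows a "soft rss limit exhausted" line is commonly an allocation failure that went unchecked rather than an exploitable memory-safety bug, which is why it lands in its own bucket, but the bucket is a prioritisation hint, not a verdict.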

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220126034745-504105450146.
The bug appears to have been introduced in the following build range:

Start: 60c6b98b954e8d31353f9934e4b7c1581fd07d37 (20210903164901)
End: ef5dc3e04e5f271eea0636ab3a495e95cc912f1d (20210903165630)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=60c6b98b954e8d31353f9934e4b7c1581fd07d37&tochange=ef5dc3e04e5f271eea0636ab3a495e95cc912f1d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220126034745-504105450146) but not with tip (mozilla-central 20220128155052-48e8fb0b62c5).
The bug appears to have been fixed in the following build range:

Start: fc1489e91c7a664be7ed39c8aaae63590a303245 (20220128044116)
End: 559c2c231f2187c471b1e482e85ad9b96218800f (20220128094730)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fc1489e91c7a664be7ed39c8aaae63590a303245&tochange=559c2c231f2187c471b1e482e85ad9b96218800f
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

The severity field is not set for this bug.
:kvark, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dmalyshau)
Severity: -- → S3

I can confirm that this is fixed in 559c2c23 and on current M-C.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Setting regressed_by field after analyzing regression range found by bugmon.

Regressed by: 1726626

Set release status flags based on info from the regressing bug 1726626

Assignee: nobody → dmalyshau
Depends on: 1751718
Flags: needinfo?(dmalyshau)
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][no-nag]
Target Milestone: --- → 98 Branch