Closed
Bug 1752210
Opened 2 years ago
Closed 1 year ago
Hit MOZ_CRASH(assertion failed: self.buffer.is_some()) at /third_party/rust/wgpu-core/src/command/bundle.rs:835
Categories
(Core :: Graphics: WebGPU, defect, P1)
Tracking
()
RESOLVED
FIXED
104 Branch
People
(Reporter: jkratzer, Assigned: jimb)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
439 bytes,
text/plain
|
Details |
Testcase found while fuzzing mozilla-central rev 504105450146 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 504105450146 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(assertion failed: self.buffer.is_some()) at /third_party/rust/wgpu-core/src/command/bundle.rs:835
=================================================================
==604553==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fc269906620 bp 0x7fc1a01fd370 sp 0x7fc1a01fd360 T77)
==604553==The signal is caused by a WRITE memory access.
==604553==Hint: address points to the zero page.
#0 0x7fc269906620 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fc269906620 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fc269906546 in mozglue_static::panic_hook::h44aeb7ca04756874 /mozglue/static/rust/lib.rs:91:9
#3 0x7fc269905205 in core::ops::function::Fn::call::had720d134c14d3a8 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
#4 0x7fc26c890717 in std::panicking::rust_panic_with_hook::h213176a09718247f (/home/jkratzer/builds/mc-asan/libxul.so+0x1f406717)
#5 0x7fc26c89e5b1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h3cfe49433456fe03 std.cd29c496-cgu.3
#6 0x7fc26c89e053 in std::sys_common::backtrace::__rust_end_short_backtrace::hbf0fc5e1af0506eb crtstuff.c
#7 0x7fc26c890201 in rust_begin_unwind (/home/jkratzer/builds/mc-asan/libxul.so+0x1f406201)
#8 0x7fc255be7ca0 in core::panicking::panic_fmt::hcb79d2bd962905f6 (/home/jkratzer/builds/mc-asan/libxul.so+0x875dca0)
#9 0x7fc255be7bec in core::panicking::panic::h0278218a0d986439 (/home/jkratzer/builds/mc-asan/libxul.so+0x875dbec)
#10 0x7fc26637aede in wgpu_core::command::bundle::IndexState::limit::h11612e2137ca6867 /third_party/rust/wgpu-core/src/command/bundle.rs:835:9
#11 0x7fc266135f9d in wgpu_core::command::bundle::RenderBundleEncoder::finish::hebe173f886ec1da6 /third_party/rust/wgpu-core/src/command/bundle.rs:412:39
#12 0x7fc266135f9d in wgpu_core::device::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::render_bundle_encoder_finish::hdc3edc4685e36c01 /third_party/rust/wgpu-core/src/device/mod.rs:4278:39
#13 0x7fc266135f9d in _$LT$wgpu_bindings..server..Global$u20$as$u20$wgpu_bindings..server..GlobalExt$GT$::device_action::hdebfe7c40f2e1994 /gfx/wgpu_bindings/src/server.rs:335:34
#14 0x7fc2661ad70d in wgpu_server_device_action /gfx/wgpu_bindings/src/server.rs:501:5
#15 0x7fc25c7ced96 in mozilla::webgpu::WebGPUParent::RecvDeviceAction(unsigned long, mozilla::ipc::ByteBuf const&) /dom/webgpu/ipc/WebGPUParent.cpp:751:3
#16 0x7fc258965e3e in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:224:56
#17 0x7fc2580cfddb in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:204:32
#18 0x7fc257ea02e9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2024:25
#19 0x7fc257e9d1d8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1949:9
#20 0x7fc257e9ea00 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1816:3
#21 0x7fc257e9f417 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1844:14
#22 0x7fc256987beb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1189:16
#23 0x7fc25699259c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#24 0x7fc257eaa57b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#25 0x7fc257d28a81 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
#26 0x7fc257d28a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#27 0x7fc257d28a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#28 0x7fc2569800ff in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
#29 0x7fc2795ca02e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#30 0x7fc27aedf608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#31 0x7fc27aaa7292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
Thread T77 (Compositor) created by T0 here:
#0 0x564a7ccdfe4c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
#1 0x7fc2795ba0b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7fc2795ab35e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7fc256983445 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:627:18
#4 0x7fc25699037f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:581:12
#5 0x7fc25699b911 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:163:57
#6 0x7fc259790502 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
#7 0x7fc259790502 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gfx/layers/ipc/CompositorThread.cpp:62:17
#8 0x7fc259790886 in CompositorThreadHolder /gfx/layers/ipc/CompositorThread.cpp:39:25
#9 0x7fc259790886 in mozilla::layers::CompositorThreadHolder::Start() /gfx/layers/ipc/CompositorThread.cpp:103:33
#10 0x7fc259968767 in InitLayersIPC /gfx/thebes/gfxPlatform.cpp:1301:5
#11 0x7fc259968767 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:963:3
#12 0x7fc25996b8c0 in GetPlatform /gfx/thebes/gfxPlatform.cpp:467:5
#13 0x7fc25996b8c0 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2090:9
#14 0x7fc25ed1132d in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
#15 0x7fc25ed1132d in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:868:9
#16 0x7fc25ed1516e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1252:47
#17 0x7fc25ec891a8 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:446:12
#18 0x7fc25ec891a8 in ThemedAccentColor /widget/ThemeColors.cpp:89:37
#19 0x7fc25ec891a8 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:170:20
#20 0x7fc25ec88deb in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:169:3
#21 0x7fc25ed0f812 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:359:3
#22 0x7fc25ed15b6d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1369:3
#23 0x7fc2567dc917 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
#24 0x7fc2568e477f in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9164:7
#25 0x7fc256933587 in CreateInstance /xpcom/components/nsComponentManager.cpp:181:46
#26 0x7fc256933587 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1288:17
#27 0x7fc256934038 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1378:10
#28 0x7fc2569086dd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12288:50
#29 0x7fc256792d91 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
#30 0x7fc258dacdfc in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
#31 0x7fc258dacdfc in GetServiceImpl /js/xpconnect/src/JSServices.cpp:84:32
#32 0x7fc258dacdfc in GetService /js/xpconnect/src/JSServices.cpp:131:8
#33 0x7fc258dacdfc in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:154:25
#34 0x7fc2641bb5b7 in CallResolveOp /js/src/vm/NativeObject-inl.h:640:8
#35 0x7fc2641bb5b7 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:760:14
#36 0x7fc2641bb5b7 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2127:10
#37 0x7fc2641bb5b7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2175:10
#38 0x7fc263cd7849 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
#39 0x7fc263cd7849 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10
#40 0x7fc263cd6ea4 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4710:10
#41 0x7fc263ca7c48 in GetPropertyOperation /js/src/vm/Interpreter.cpp:208:10
#42 0x7fc263ca7c48 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2973:12
#43 0x7fc263c9f421 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
#44 0x7fc263cce2cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
#45 0x7fc263cd041b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
#46 0x7fc263f4d06c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
#47 0x7fc258df4d90 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
#48 0x7fc2569d9272 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#49 0x7fc2569d7ffa in SharedStub xptcstubs_x86_64_linux.cpp
#50 0x7fc256929912 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:687:19
#51 0x7fc263a06629 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:978:11
#52 0x7fc2639e1b13 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5089:18
#53 0x7fc2639e4b99 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5539:8
#54 0x7fc2639e58d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5598:21
#55 0x564a7cd2aa99 in do_main /browser/app/nsBrowserApp.cpp:225:22
#56 0x564a7cd2aa99 in main /browser/app/nsBrowserApp.cpp:395:16
#57 0x7fc27a9ac0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
==604553==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220126163134-35652548842a.
The bug appears to have been introduced in the following build range:
Start: b830e4dd32f993ab44be2ba1961bac7256438350 (20210526211756)
End: 1efbacbfdbc55e82a9442221a8d277eaa0f8c641 (20210526203835)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=b830e4dd32f993ab44be2ba1961bac7256438350&tochange=1efbacbfdbc55e82a9442221a8d277eaa0f8c641
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•2 years ago
|
||
Crash Signature: [@ wgpu_core::command::bundle::IndexState::limit ]
|
|
Reporter | |
Updated•2 years ago
|
Blocks: fuzzing-webgpu
|
||
Comment 4•2 years ago
|
||
The severity field is not set for this bug.
:kvark, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dmalyshau)
|
Assignee | |
Comment 5•2 years ago
|
||
I can reproduce this.
|
|
||
Updated•2 years ago
|
Keywords: regression
|
|
||
Comment 6•2 years ago
|
||
Set release status flags based on info from the regressing bug 1710679
status-firefox100:
--- → affected
status-firefox101:
--- → affected
status-firefox102:
--- → affected
status-firefox-esr91:
--- → affected
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
There's basically no state validation for render bundle commands in wgpu_core. Whereas Global::command_encoder_run_render_pass_impl calls command::render::State::is_ready before every draw command, there is no corresponding is_ready method on command::bundle::State for RenderBundleEncoder::finish to call.
Fixing this exact crash is going to be a waste of time because the fuzzers will immediately find the next thing we don't validate. The way to fix this is to implement all the validation WebGPU requires for render bundles.
|
|
Assignee | |
Comment 8•2 years ago
•
|
||
There's basically no state validation for render bundle commands in
wgpu_core.
This is an overstatement. There is quite a bit of state validation, but there's also plenty missing. For example, I just filed gfx-rs/wgpu#2690:
Perform "valid to use with" checks when recording render bundles. #2690
|
|
||
Comment 9•2 years ago
|
||
Redirect a needinfo that is pending on an inactive user to the triage owner.
:jimb, since the bug has high priority and recent activity, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(dmalyshau) → needinfo?(jimb)
|
|
Assignee | |
Comment 10•2 years ago
|
||
I'm actively working on this; most of the activity has been on GitHub.
Flags: needinfo?(jimb)
|
||
Comment 11•2 years ago
|
||
Assigning this to you then (to silence an autonag error because it would like to needinfo kvark as the author of the regressor).
Assignee: nobody → jimb
Status: NEW → ASSIGNED
|
|
||
Comment 12•2 years ago
|
||
Set release status flags based on info from the regressing bug 1710679
status-firefox103:
--- → affected
|
||
Updated•2 years ago
|
|
|
||
Comment 13•2 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220126034745-504105450146) but not with tip (mozilla-central 20220701213554-5140fba12e4a.)
The bug appears to have been fixed in the following build range:
Start: 79d41dfeadc6f5ccf0431cf3813faa51a32d9d89 (20220628201013)
End: 1b9aabdf58d787249fb5d48d59c30d001e461a9a (20220628230036)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=79d41dfeadc6f5ccf0431cf3813faa51a32d9d89&tochange=1b9aabdf58d787249fb5d48d59c30d001e461a9a
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Assignee | |
Comment 14•1 year ago
|
||
Fixed by Bug 1776816.
|
|
||
Updated•1 year ago
|
status-firefox-esr102:
--- → disabled
Target Milestone: --- → 104 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•