1752215 - Hit MOZ_CRASH(Device[1] does not exist) at /third_party/rust/wgpu-core/src/hub.rs:116

Status: VERIFIED FIXED

(Core :: Graphics: WebGPU, defect, P1)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 35652548842a (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 35652548842a --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Device[1] does not exist) at /third_party/rust/wgpu-core/src/hub.rs:116

    =================================================================
    ==647856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fe64635bf80 bp 0x7fe5fce583d0 sp 0x7fe5fce583c0 T76)
    ==647856==The signal is caused by a WRITE memory access.
    ==647856==Hint: address points to the zero page.
        #0 0x7fe64635bf80 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fe64635bf80 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fe64635bea6 in mozglue_static::panic_hook::hfa977cf1421d9ca6 /mozglue/static/rust/lib.rs:91:9
        #3 0x7fe64635ab65 in core::ops::function::Fn::call::h875c5534bb524182 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
        #4 0x7fe6492de777 in std::panicking::rust_panic_with_hook::h213176a09718247f (/home/jkratzer/builds/mc-asan/libxul.so+0x1f401777)
        #5 0x7fe6492ec63f in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h3cfe49433456fe03 std.cd29c496-cgu.3
        #6 0x7fe6492ec0b3 in std::sys_common::backtrace::__rust_end_short_backtrace::hbf0fc5e1af0506eb crtstuff.c
        #7 0x7fe6492de261 in rust_begin_unwind (/home/jkratzer/builds/mc-asan/libxul.so+0x1f401261)
        #8 0x7fe632638b80 in core::panicking::panic_fmt::hcb79d2bd962905f6 (/home/jkratzer/builds/mc-asan/libxul.so+0x875bb80)
        #9 0x7fe64290b4e4 in wgpu_core::hub::Storage$LT$T$C$I$GT$::get::h987711294b1b533e /third_party/rust/wgpu-core/src/hub.rs:116:32
        #10 0x7fe6428d4462 in _$LT$wgpu_core..hub..Storage$LT$T$C$I$GT$$u20$as$u20$core..ops..index..Index$LT$wgpu_core..id..Valid$LT$I$GT$$GT$$GT$::index::h45f35daeb92d08e6 /third_party/rust/wgpu-core/src/hub.rs:89:9
        #11 0x7fe6428d4462 in wgpu_core::hub::Hub$LT$A$C$F$GT$::clear::ha945b2272b10bdca /third_party/rust/wgpu-core/src/hub.rs:628:21
        #12 0x7fe642ad7652 in _$LT$wgpu_core..hub..Global$LT$G$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hceb09b163af8b47b /third_party/rust/wgpu-core/src/hub.rs:910:13
        #13 0x7fe642ad7652 in core::ptr::drop_in_place$LT$wgpu_core..hub..Global$LT$wgpu_bindings..identity..IdentityRecyclerFactory$GT$$GT$::hff0ea8fe890a05ce /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:188:1
        #14 0x7fe642ad7652 in core::ptr::drop_in_place$LT$wgpu_bindings..server..Global$GT$::h7ae5e61ab849472d /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:188:1
        #15 0x7fe642ad7652 in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$wgpu_bindings..server..Global$GT$$GT$::h74ee5c4dbf4fdd41 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:188:1
        #16 0x7fe642ad7652 in wgpu_server_delete /gfx/wgpu_bindings/src/server.rs:82:34
        #17 0x7fe63921fb5d in mozilla::webgpu::WebGPUParent::RecvShutdown() /dom/webgpu/ipc/WebGPUParent.cpp:744:3
        #18 0x7fe6353b8e69 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1749:56
        #19 0x7fe634b20ceb in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:204:32
        #20 0x7fe6348f11f9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:2024:25
        #21 0x7fe6348ee0e8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1949:9
        #22 0x7fe6348ef910 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1816:3
        #23 0x7fe6348f0327 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1844:14
        #24 0x7fe6333d8acb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1189:16
        #25 0x7fe6333e347c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #26 0x7fe6348fb48b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #27 0x7fe634779991 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #28 0x7fe634779991 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #29 0x7fe634779991 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #30 0x7fe6333d0fdf in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #31 0x7fe65601702e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #32 0x7fe65792c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #33 0x7fe6574f4292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    Thread T76 (Compositor) created by T0 here:
        #0 0x564af9076e4c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7fe6560070b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fe655ff835e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fe6333d4325 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:627:18
        #4 0x7fe6333e125f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:581:12
        #5 0x7fe6333ec7f1 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:163:57
        #6 0x7fe6361e1422 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7fe6361e1422 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gfx/layers/ipc/CompositorThread.cpp:62:17
        #8 0x7fe6361e17a6 in CompositorThreadHolder /gfx/layers/ipc/CompositorThread.cpp:39:25
        #9 0x7fe6361e17a6 in mozilla::layers::CompositorThreadHolder::Start() /gfx/layers/ipc/CompositorThread.cpp:103:33
        #10 0x7fe6363b96e7 in InitLayersIPC /gfx/thebes/gfxPlatform.cpp:1301:5
        #11 0x7fe6363b96e7 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:963:3
        #12 0x7fe6363bc840 in GetPlatform /gfx/thebes/gfxPlatform.cpp:467:5
        #13 0x7fe6363bc840 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2090:9
        #14 0x7fe63b76348d in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
        #15 0x7fe63b76348d in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:868:9
        #16 0x7fe63b7672ce in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1252:47
        #17 0x7fe63b6db2e8 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:446:12
        #18 0x7fe63b6db2e8 in ThemedAccentColor /widget/ThemeColors.cpp:89:37
        #19 0x7fe63b6db2e8 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:170:20
        #20 0x7fe63b6daf65 in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:178:3
        #21 0x7fe63b761972 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:359:3
        #22 0x7fe63b767ccd in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1369:3
        #23 0x7fe63322d7f7 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
        #24 0x7fe63333565f in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9164:7
        #25 0x7fe633384467 in CreateInstance /xpcom/components/nsComponentManager.cpp:181:46
        #26 0x7fe633384467 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1288:17
        #27 0x7fe633384f18 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1378:10
        #28 0x7fe6333595bd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12288:50
        #29 0x7fe6331e3c71 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #30 0x7fe6357fdd0c in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #31 0x7fe6357fdd0c in GetServiceImpl /js/xpconnect/src/JSServices.cpp:84:32
        #32 0x7fe6357fdd0c in GetService /js/xpconnect/src/JSServices.cpp:131:8
        #33 0x7fe6357fdd0c in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:154:25
        #34 0x7fe640c0c6b7 in CallResolveOp /js/src/vm/NativeObject-inl.h:640:8
        #35 0x7fe640c0c6b7 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:760:14
        #36 0x7fe640c0c6b7 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2127:10
        #37 0x7fe640c0c6b7 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2175:10
        #38 0x7fe640728949 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
        #39 0x7fe640728949 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10
        #40 0x7fe640727fa4 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4710:10
        #41 0x7fe6406f8d48 in GetPropertyOperation /js/src/vm/Interpreter.cpp:208:10
        #42 0x7fe6406f8d48 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2973:12
        #43 0x7fe6406f0521 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #44 0x7fe64071f3cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #45 0x7fe64072151b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #46 0x7fe64099e16c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #47 0x7fe635845ca0 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
        #48 0x7fe63342a152 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #49 0x7fe633428eda in SharedStub xptcstubs_x86_64_linux.cpp
        #50 0x7fe63337a7f2 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:687:19
        #51 0x7fe640457729 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:978:11
        #52 0x7fe640432c13 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5089:18
        #53 0x7fe640435c99 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5539:8
        #54 0x7fe6404369d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5598:21
        #55 0x564af90c1a99 in do_main /browser/app/nsBrowserApp.cpp:225:22
        #56 0x564af90c1a99 in main /browser/app/nsBrowserApp.cpp:395:16
        #57 0x7fe6573f90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==647856==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Unable to reproduce bug 1752215 using build mozilla-central 20220126163134-35652548842a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 3

[Intermittent Failures Robot]

3 failures in 3165 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-central: 3

Platform and build breakdown:

• windows10-64-2004-mingwclang-qr: 2
  • debug: 2
• windows10-32-2004-mingwclang-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1752215&startday=2022-01-31&endday=2022-02-06&tree=all

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:kvark, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 5

[Intermittent Failures Robot]

1 failures in 3281 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-central: 1

Platform and build breakdown:

• windows10-32-2004-mingwclang-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1752215&startday=2022-02-14&endday=2022-02-20&tree=all

Comment 6

[Intermittent Failures Robot]

4 failures in 2992 pushes (0.001 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-central: 4

Platform and build breakdown:

• windows10-64-2004-mingwclang-qr: 3
  • debug: 3
• windows10-32-2004-mingwclang-qr: 1
  • debug: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1752215&startday=2022-02-21&endday=2022-02-27&tree=all

Comment 7

[Jim Blandy :jimb]

I can reproduce this. Fixing this is P1 for me, since it's a fuzzblocker. S3 because WebGPU is non-essential functionality for now.

Comment 8

[Jim Blandy :jimb]

wgpu_core is freeing a Device while it is still referenced by Buffers held by a mozilla::webgpu::PresentationData (a WebGPU swap chain). When the client later decides to drop the swap chain, its attempt to access the Device to which it belongs panics.

Comment 9

[Jim Blandy :jimb]

Despite the fact that wgpu_core::resource::Buffer holds a RefCount for the buffer's Device, it turns out that that particular refcount is ignored. Calling Global::device_drop before Global::buffer_drop does indeed cause a panic. The wgpu API doesn't run into this because... dropping a wgpu::Device doesn't bother to free the device. Firefox uses its own wgpu_bindings facade for wgpu_core, which does bother to free the device.

Comment 10

[Jim Blandy :jimb]

I think this should be fixed by these two wgpu PRs upstream:

• wgpu-core: Register new pipelines with device's tracker. #2565
• Free the raw device when wgpu::Device is dropped. #2567

Comment 11

[Jim Blandy :jimb]

Updating to upstream wgpu (bug 1762730) does seem to fix this for me. So that's good.

Comment 12

[Jason Kratzer [:jkratzer]]

I've been unable to reproduce this on mozilla-central rev 87b37ed2950d. I think we can safely close this for now. I'll try and get a fix bisection to ensure that it was bug 1762730 that fixed this.

Comment 13

[Catalin Sasca, Desktop Test Engineering [:csasca]]

Was able to reproduce the crash on Firefox (build 35652548842a) under Ubuntu 22.04 by following the STR from Comment 0.

The crash is no longer reproducible on Firefox 101.0 on the same system.