Closed Bug 1752869 Opened 3 years ago Closed 2 years ago

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /third_party/rust/wgpu-core/src/id.rs:126

Categories: Core :: Graphics: WebGPU, defect
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: 101 Branch
Tracking Status: firefox101 --- verified
People: Reporter: jkratzer, Assigned: jimb
References: Blocks 2 open bugs
Keywords: testcase, Whiteboard: [bugmon:confirm]
Attachments: 2 files

Testcase found while fuzzing mozilla-central rev 49a9d19fd713 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 49a9d19fd713 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /third_party/rust/wgpu-core/src/id.rs:126

    =================================================================
    ==1520293==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f33ae280170 bp 0x7f3379ed8b30 sp 0x7f3379ed8b20 T51)
    ==1520293==The signal is caused by a WRITE memory access.
    ==1520293==Hint: address points to the zero page.
        #0 0x7f33ae280170 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f33ae280170 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f33ae280096 in mozglue_static::panic_hook::hfa977cf1421d9ca6 /mozglue/static/rust/lib.rs:91:9
        #3 0x7f33ae27ed55 in core::ops::function::Fn::call::h875c5534bb524182 /builds/worker/fetches/rust/library/core/src/ops/function.rs:70:5
        #4 0x7f33b1202927 in std::panicking::rust_panic_with_hook::h213176a09718247f (/home/jkratzer/builds/mc-asan/libxul.so+0x1f427927)
        #5 0x7f33b12107c1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h3cfe49433456fe03 std.cd29c496-cgu.3
        #6 0x7f33b1210263 in std::sys_common::backtrace::__rust_end_short_backtrace::hbf0fc5e1af0506eb crtstuff.c
        #7 0x7f33b1202411 in rust_begin_unwind (/home/jkratzer/builds/mc-asan/libxul.so+0x1f427411)
        #8 0x7f339a534120 in core::panicking::panic_fmt::hcb79d2bd962905f6 (/home/jkratzer/builds/mc-asan/libxul.so+0x8759120)
        #9 0x7f339a53406c in core::panicking::panic::h0278218a0d986439 (/home/jkratzer/builds/mc-asan/libxul.so+0x875906c)
        #10 0x7f33aa6667bb in core::option::Option$LT$T$GT$::unwrap::ha702e380ec921ff7 /builds/worker/fetches/rust/library/core/src/option.rs:746:21
        #11 0x7f33aa6667bb in _$LT$wgpu_core..id..Id$LT$T$GT$$u20$as$u20$wgpu_core..id..TypedId$GT$::zip::h1ed4ff156af8d767 /third_party/rust/wgpu-core/src/id.rs:126:12
        #12 0x7f33aa6667bb in _$LT$wgpu_core..id..Id$LT$T$GT$$u20$as$u20$core..convert..From$LT$wgpu_core..id..SerialId$GT$$GT$::from::hf6bee104ac41d0c9 /third_party/rust/wgpu-core/src/id.rs:45:52
        #13 0x7f33aa6667bb in core::ops::function::FnOnce::call_once::h982effcf4a1d21c9 /builds/worker/fetches/rust/library/core/src/ops/function.rs:227:5
        #14 0x7f33aa6667bb in core::result::Result$LT$T$C$E$GT$::map::h6852fcb81c72b723 /builds/worker/fetches/rust/library/core/src/result.rs:767:25
        #15 0x7f33aa6667bb in wgpu_core::id::_::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$wgpu_core..id..Id$LT$T$GT$$GT$::deserialize::h36396b411cf1a618 /third_party/rust/wgpu-core/src/id.rs:13:12
        #16 0x7f33aa6667bb in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::hb072b9a0a532f51e /third_party/rust/serde/src/de/mod.rs:785:9
        #17 0x7f33aa6667bb in _$LT$$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$..deserialize_tuple..Access$LT$R$C$O$GT$$u20$as$u20$serde..de..SeqAccess$GT$::next_element_seed::h68b2cbf6d1fbfb18 /third_party/rust/bincode/src/de/mod.rs:314:25
        #18 0x7f33aa6667bb in serde::de::SeqAccess::next_element::h035df502500be9e7 /third_party/rust/serde/src/de/mod.rs:1721:9
        #19 0x7f33aa6667bb in _$LT$serde..de..impls..$LT$impl$u20$serde..de..Deserialize$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$..deserialize..VecVisitor$LT$T$GT$$u20$as$u20$serde..de..Visitor$GT$::visit_seq::h28a68613a6636f25 /third_party/rust/serde/src/de/impls.rs:928:46
        #20 0x7f33aa6667bb in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_tuple::h6069296df992608b /third_party/rust/bincode/src/de/mod.rs:326:9
        #21 0x7f33aa6667bb in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_seq::h488906f137b827f1 /third_party/rust/bincode/src/de/mod.rs:350:9
        #22 0x7f33aa6667bb in serde::de::impls::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$::deserialize::hff3221a9a341756f /third_party/rust/serde/src/de/impls.rs:939:9
        #23 0x7f33aa6667bb in serde::de::impls::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$alloc..borrow..Cow$LT$T$GT$$GT$::deserialize::he01d4a381dec449a /third_party/rust/serde/src/de/impls.rs:1731:9
        #24 0x7f33aa6667bb in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::h74e907902d2071eb /third_party/rust/serde/src/de/mod.rs:785:9
        #25 0x7f33aa6667bb in _$LT$$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$..deserialize_tuple..Access$LT$R$C$O$GT$$u20$as$u20$serde..de..SeqAccess$GT$::next_element_seed::h30165ce486b299ed /third_party/rust/bincode/src/de/mod.rs:314:25
        #26 0x7f33aa6667bb in serde::de::SeqAccess::next_element::hea4c4c5c0d72c5ff /third_party/rust/serde/src/de/mod.rs:1721:9
        #27 0x7f33aab77c68 in _$LT$wgpu_core..binding_model.._..$LT$impl$u20$serde..de..Deserialize$u20$for$u20$wgpu_core..binding_model..PipelineLayoutDescriptor$GT$..deserialize..__Visitor$u20$as$u20$serde..de..Visitor$GT$::visit_seq::haeb527cfdbde3c73 /third_party/rust/wgpu-core/src/binding_model.rs:535:39
        #28 0x7f33aab77c68 in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_tuple::hef6fbe52f4e06d86 /third_party/rust/bincode/src/de/mod.rs:326:9
        #29 0x7f33aab77c68 in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_struct::h5eb8b14e1a79a34b /third_party/rust/bincode/src/de/mod.rs:411:9
        #30 0x7f33aab77c68 in wgpu_core::binding_model::_::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$wgpu_core..binding_model..PipelineLayoutDescriptor$GT$::deserialize::hf47d9dd1b1010a59 /third_party/rust/wgpu-core/src/binding_model.rs:535:39
        #31 0x7f33aab77c68 in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::h6a3548f40f246d4a /third_party/rust/serde/src/de/mod.rs:785:9
        #32 0x7f33aab77c68 in _$LT$$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$..deserialize_tuple..Access$LT$R$C$O$GT$$u20$as$u20$serde..de..SeqAccess$GT$::next_element_seed::hf2b1c2e09912e6de /third_party/rust/bincode/src/de/mod.rs:314:25
        #33 0x7f33aab77c68 in serde::de::SeqAccess::next_element::ha73214f23b3e686b /third_party/rust/serde/src/de/mod.rs:1721:9
        #34 0x7f33aab77c68 in _$LT$$LT$wgpu_bindings.._..$LT$impl$u20$serde..de..Deserialize$u20$for$u20$wgpu_bindings..DeviceAction$GT$..deserialize..__Visitor$u20$as$u20$serde..de..Visitor$GT$..visit_enum..__Visitor$u20$as$u20$serde..de..Visitor$GT$::visit_seq::h861b64ddc33050d3 /gfx/wgpu_bindings/src/lib.rs:76:28
        #35 0x7f33aab77c68 in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_tuple::h73a3a472e591b0c0 /third_party/rust/bincode/src/de/mod.rs:326:9
        #36 0x7f33aab77c68 in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..VariantAccess$GT$::tuple_variant::hfe3b8d03c49f10ea /third_party/rust/bincode/src/de/mod.rs:483:9
        #37 0x7f33aab77c68 in _$LT$wgpu_bindings.._..$LT$impl$u20$serde..de..Deserialize$u20$for$u20$wgpu_bindings..DeviceAction$GT$..deserialize..__Visitor$u20$as$u20$serde..de..Visitor$GT$::visit_enum::h8be2357cf86f71b6 /gfx/wgpu_bindings/src/lib.rs:76:28
        #38 0x7f33aab1b7c6 in _$LT$$RF$mut$u20$bincode..de..Deserializer$LT$R$C$O$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_enum::h6adc2621c84d69b6 /third_party/rust/bincode/src/de/mod.rs:290:9
        #39 0x7f33aab1b7c6 in wgpu_bindings::_::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$wgpu_bindings..DeviceAction$GT$::deserialize::h1e7ad2acde9afbde /gfx/wgpu_bindings/src/lib.rs:76:28
        #40 0x7f33aab1b7c6 in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::hff88988dc1cc0ce0 /third_party/rust/serde/src/de/mod.rs:785:9
        #41 0x7f33aab1b7c6 in bincode::internal::deserialize_seed::h9d69b32b4a3ea548 /third_party/rust/bincode/src/internal.rs:118:15
        #42 0x7f33aab1b7c6 in bincode::internal::deserialize::hd925582c3ed262cb /third_party/rust/bincode/src/internal.rs:106:5
        #43 0x7f33aab1b7c6 in bincode::config::Options::deserialize::h2d1e859a2e3626c6 /third_party/rust/bincode/src/config/mod.rs:200:9
        #44 0x7f33aab1b7c6 in bincode::deserialize::hb9b65f52bd22b831 /third_party/rust/bincode/src/lib.rs:181:5
        #45 0x7f33aab1b7c6 in wgpu_server_device_action /gfx/wgpu_bindings/src/server.rs:500:18
        #46 0x7f33a1125916 in mozilla::webgpu::WebGPUParent::RecvDeviceAction(unsigned long, mozilla::ipc::ByteBuf const&) /dom/webgpu/ipc/WebGPUParent.cpp:756:3
        #47 0x7f339d2b3a61 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:224:56
        #48 0x7f339ca1458b in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:188:32
        #49 0x7f339c7ea419 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1658:25
        #50 0x7f339c7e8019 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /ipc/glue/MessageChannel.cpp:1583:9
        #51 0x7f339c7e9557 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1480:14
        #52 0x7f339b2d3fdb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1189:16
        #53 0x7f339b2de98c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
        #54 0x7f339c7f2f81 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #55 0x7f339c6766a1 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
        #56 0x7f339c6766a1 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
        #57 0x7f339c6766a1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
        #58 0x7f339b2cc4ef in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #59 0x7f33bdf3d02e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #60 0x7f33c0053608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #61 0x7f33bfc1b292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    Thread T51 (Compositor) created by T0 here:
        #0 0x5617b3d03fac in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7f33bdf2d0b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f33bdf1e35e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f339b2cf835 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:627:18
        #4 0x7f339b2dc76f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /xpcom/threads/nsThreadManager.cpp:581:12
        #5 0x7f339b2e7d01 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadUtils.cpp:163:57
        #6 0x7f339e0debd2 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
        #7 0x7f339e0debd2 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gfx/layers/ipc/CompositorThread.cpp:62:17
        #8 0x7f339e0def56 in CompositorThreadHolder /gfx/layers/ipc/CompositorThread.cpp:39:25
        #9 0x7f339e0def56 in mozilla::layers::CompositorThreadHolder::Start() /gfx/layers/ipc/CompositorThread.cpp:103:33
        #10 0x7f339e2b773a in InitLayersIPC /gfx/thebes/gfxPlatform.cpp:1294:5
        #11 0x7f339e2b773a in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:959:3
        #12 0x7f339e2ba8a0 in GetPlatform /gfx/thebes/gfxPlatform.cpp:465:5
        #13 0x7f339e2ba8a0 in gfxPlatform::InitializeCMS() /gfx/thebes/gfxPlatform.cpp:2083:9
        #14 0x7f33a366725d in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:521:5
        #15 0x7f33a366725d in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /widget/nsXPLookAndFeel.cpp:868:9
        #16 0x7f33a366b09e in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /widget/nsXPLookAndFeel.cpp:1252:47
        #17 0x7f33a35df0b8 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:446:12
        #18 0x7f33a35df0b8 in ThemedAccentColor /widget/ThemeColors.cpp:89:37
        #19 0x7f33a35df0b8 in mozilla::widget::ThemeColors::RecomputeAccentColors() /widget/ThemeColors.cpp:170:20
        #20 0x7f33a35ded35 in mozilla::widget::Theme::LookAndFeelChanged() /widget/Theme.cpp:178:3
        #21 0x7f33a3665742 in nsXPLookAndFeel::GetInstance() /widget/nsXPLookAndFeel.cpp:359:3
        #22 0x7f33a366ba9d in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /widget/nsXPLookAndFeel.cpp:1369:3
        #23 0x7f339b128e37 in nsSystemInfo::Init() /xpcom/base/nsSystemInfo.cpp:1047:5
        #24 0x7f339b230c9f in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9164:7
        #25 0x7f339b27faa7 in CreateInstance /xpcom/components/nsComponentManager.cpp:181:46
        #26 0x7f339b27faa7 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1288:17
        #27 0x7f339b280558 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /xpcom/components/nsComponentManager.cpp:1378:10
        #28 0x7f339b254bfd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12288:50
        #29 0x7f339b0df2b1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /xpcom/base/nsCOMPtr.cpp:109:7
        #30 0x7f339d6fb76c in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
        #31 0x7f339d6fb76c in GetServiceImpl /js/xpconnect/src/JSServices.cpp:84:32
        #32 0x7f339d6fb76c in GetService /js/xpconnect/src/JSServices.cpp:131:8
        #33 0x7f339d6fb76c in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /js/xpconnect/src/JSServices.cpp:154:25
        #34 0x7f33a8b1ae17 in CallResolveOp /js/src/vm/NativeObject-inl.h:640:8
        #35 0x7f33a8b1ae17 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /js/src/vm/NativeObject-inl.h:760:14
        #36 0x7f33a8b1ae17 in NativeGetPropertyInline<js::CanGC> /js/src/vm/NativeObject.cpp:2127:10
        #37 0x7f33a8b1ae17 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2175:10
        #38 0x7f33a8630fe9 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
        #39 0x7f33a8630fe9 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /js/src/vm/ObjectOperations-inl.h:127:10
        #40 0x7f33a8630644 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4710:10
        #41 0x7f33a86013e8 in GetPropertyOperation /js/src/vm/Interpreter.cpp:208:10
        #42 0x7f33a86013e8 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2973:12
        #43 0x7f33a85f8bc1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:394:13
        #44 0x7f33a8627a6f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:544:13
        #45 0x7f33a8629bbb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:589:8
        #46 0x7f33a88a679c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #47 0x7f339d743700 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
        #48 0x7f339b3255e2 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #49 0x7f339b32436a in SharedStub xptcstubs_x86_64_linux.cpp
        #50 0x7f339b275e32 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:687:19
        #51 0x7f33a835fdc9 in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:978:11
        #52 0x7f33a833b2b3 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5102:18
        #53 0x7f33a833e339 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5552:8
        #54 0x7f33a833f073 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5611:21
        #55 0x5617b3d4ebf9 in do_main /browser/app/nsBrowserApp.cpp:225:22
        #56 0x5617b3d4ebf9 in main /browser/app/nsBrowserApp.cpp:395:16
        #57 0x7f33bfb200b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==1520293==ABORTING
Attached file Testcase
Crash Signature: [@ wgpu_core::id::impl$11::zip<T> ]

The severity field is not set for this bug.
:kvark, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dmalyshau)
Severity: -- → S3

I can reproduce this with a local build of 49a9d19fd713.

I can also reproduce this with a local build of a33cd50e2f73 (yesterday, 2022-4-20).

WebGPUChild::DeviceCreatePipelineLayout is sending the following DeviceAction to the parent:

CreatePipelineLayout(
        (
            1,
            1,
            Vulkan,
        ),
        PipelineLayoutDescriptor {
            label: None,
            bind_group_layouts: [
                (
                    0,
                    0,
                    Empty,
                ),
            ],
            push_constant_ranges: [],
        },
    )

The (0, 0, Empty) is a null BindGroupLayoutId, which should not exist.

The index passed to getBindGroupLayout is out of bounds; this is the origin of the zero id:

  const RawId id = index < mImplicitBindGroupLayoutIds.Length()
                       ? mImplicitBindGroupLayoutIds[index]
                       : 0;

So what happens is that that 0 RawId gets passed to WebGPUChild::DeviceCreatePipelineLayout, and because cbindgen renders the Rust type std::num::NonZeroU64 as the C++ type uint64_t, ffi::WGPUBindGroupLayoutId is simply an ordinary integer type. This means that DeviceCreatePipelineLayout will cheerfully convert a zero to a NonZeroU64 when it's passed across the C++ / Rust boundary.

I think the way to approach this is: WebGPU has this concept of "invalid" objects, that get constructed by the API but must not be used. Anything that tries to incorporate an invalid object becomes invalid itself. I believe that a 0 id is supposed to indicate that the mozilla::webgpu::BindGroupLayout is invalid (although this isn't documented), which means that createPipelineLayout should just be returning an invalid PipelineLayout, and not trying to send anything to the compositor, which is where things go awry.

In gpuweb/gpuweb#2803, I landed a change to the WebGPU API spec that clarifies how getBindGroupLayout is supposed to handle out-of-bounds indices.
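The null-id path described in the comments above, as an added Rust example (not wgpu-core's or Firefox's code): a simplified wgpu-core-style Id that packs (index, epoch, backend) into a NonZeroU64, the infallible zip that panics on the (0, 0, Empty) id the content process sent here, and a fallible decoder on the receiving side that turns that id into an error instead. The bit layout, the 9-byte wire format, the IdError type and the two-variant Backend enum are assumptions for this example, not bincode's or wgpu's real encoding.

```rust
// Added example, not wgpu-core's or Firefox's code. Models the null-id panic from this
// bug: the (0, 0, Empty) id packs to 0, and NonZeroU64::new(0).unwrap() panics.
use std::convert::TryInto;
use std::num::NonZeroU64;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(u8)]
pub enum Backend {
    Empty = 0,
    Vulkan = 1,
}

impl Backend {
    fn from_u8(v: u8) -> Option<Backend> {
        match v {
            0 => Some(Backend::Empty),
            1 => Some(Backend::Vulkan),
            _ => None,
        }
    }
}

// Assumed packing: index in the low 32 bits, epoch above it, backend in the top 3 bits.
const INDEX_BITS: u64 = 32;
const BACKEND_BITS: u64 = 3;
const EPOCH_BITS: u64 = 64 - INDEX_BITS - BACKEND_BITS;
const EPOCH_MASK: u32 = ((1u64 << EPOCH_BITS) - 1) as u32;

/// A typed id is a NonZeroU64; an all-zero (index, epoch, backend) has no representation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Id(NonZeroU64);

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IdError {
    Truncated,
    BadBackend(u8),
    Null,
}

impl Id {
    fn pack(index: u32, epoch: u32, backend: Backend) -> u64 {
        (index as u64)
            | (((epoch & EPOCH_MASK) as u64) << INDEX_BITS)
            | ((backend as u64) << (INDEX_BITS + EPOCH_BITS))
    }
    /// Infallible packing, as in the crashing build: a null id aborts the GPU process.
    pub fn zip(index: u32, epoch: u32, backend: Backend) -> Id {
        Id(NonZeroU64::new(Id::pack(index, epoch, backend)).unwrap())
    }
    /// Fallible packing: the receiver can reject the message instead of crashing.
    pub fn try_zip(index: u32, epoch: u32, backend: Backend) -> Result<Id, IdError> {
        NonZeroU64::new(Id::pack(index, epoch, backend)).map(Id).ok_or(IdError::Null)
    }
    pub fn raw(self) -> u64 {
        self.0.get()
    }
}

/// Decode one id from an assumed 9-byte little-endian layout (u32 index, u32 epoch, u8
/// backend) as an untrusted content process could send it; null id and unknown backend
/// become errors rather than a panic in the GPU process.
pub fn decode_id(wire: &[u8]) -> Result<Id, IdError> {
    if wire.len() < 9 {
        return Err(IdError::Truncated);
    }
    let index = u32::from_le_bytes(wire[0..4].try_into().unwrap());
    let epoch = u32::from_le_bytes(wire[4..8].try_into().unwrap());
    let backend = Backend::from_u8(wire[8]).ok_or(IdError::BadBackend(wire[8]))?;
    Id::try_zip(index, epoch, backend)
}
```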

Arrange for passing an invalid BindGroupLayout to CreatePipelineLayout or
CreateBindGroup to produce an invalid PipelineLayout/BindGroup, instead of
trying to pass the BindGroupLayout's bogus RawId (which is zero) over to the
GPU process, causing a panic in deserialization (thank you, Rust!).

Arrange for a PipelineLayout constructed with a zero RawId to mark itself
invalid, as most other WebGPU content objects do. This permits
WebGPUChild::DeviceCreatePipelineLayout to return zero if the descriptor is
invalid.

Assignee: nobody → jimb
Status: NEW → ASSIGNED
Pushed by jblandy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/47697e51f9a7
Handle invalid BindGroupLayouts better. r=jgilbert
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

:jkratzer, could you verify this no longer reproduces?

Flags: needinfo?(dmalyshau) → needinfo?(jkratzer)

Jim, I can confirm that this issue no longer reproduces on mozilla-central rev a3002a9b4204.

Flags: needinfo?(jkratzer)
Flags: qe-verify+

Reproduced with Nightly from 31.01.2022.

No longer reproducible on Firefox 101.0.

Flags: qe-verify+