Closed Bug 1754780 Opened 2 years ago Closed 2 years ago

-[_MTLCommandEncoder dealloc]:70: failed assertion `Command encoder released without endEncoding'

Tracking

()

Status:

RESOLVED WORKSFORME

Tracking Flags:

Tracking

Status

firefox99

---

affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Attachments

(1 file)

testcase.html 2 years ago Jesse Schwartzentruber (:truber) 238 bytes, text/html		Details

Jesse Schwartzentruber (:truber)

Reporter

Description

•

2 years ago

Attached file testcase.html — Details

Found while fuzzing m-c 20220210-ddc6b48554dc (--enable-address-sanitizer --enable-fuzzing).

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/*.app/Contents/MacOS/firefox testcase.html

-[_MTLCommandEncoder dealloc]:70: failed assertion `Command encoder released without endEncoding'
AddressSanitizer:DEADLYSIGNAL
Exiting due to channel error.
[ffpuppet] Reason code: ALERT
=================================================================
==2740==ERROR: AddressSanitizer: ABRT on unknown address 0x7fff6ac8e33a (pc 0x7fff6ac8e33a bp 0x70000d564490 sp 0x70000d564468 T48)
    #0 0x7fff6ac8e33a in __pthread_kill (/usr/lib/system/libsystem_kernel.dylib:x86_64+0x733a)
    #1 0x7fff6ac15807 in abort (/usr/lib/system/libsystem_c.dylib:x86_64+0x7f807)
    #2 0x7fff6ac14ac5 in __assert_rtn (/usr/lib/system/libsystem_c.dylib:x86_64+0x7eac5)
    #3 0x7fff3629e728 in MTLReportFailure.cold.2 (/System/Library/Frameworks/Metal.framework/Versions/A/Metal:x86_64+0x8b728)
    #4 0x7fff36291e87 in MTLReportFailure (/System/Library/Frameworks/Metal.framework/Versions/A/Metal:x86_64+0x7ee87)
    #5 0x7fff3622cf99 in -[_MTLCommandEncoder dealloc] (/System/Library/Frameworks/Metal.framework/Versions/A/Metal:x86_64+0x19f99)
    #6 0x7fff26b565d8 in -[MTLIGAccelBlitCommandEncoder dealloc] (/System/Library/Extensions/AppleIntelHD4000GraphicsMTLDriver.bundle/Contents/MacOS/AppleIntelHD4000GraphicsMTLDriver:x86_64+0x385d8)
    #7 0x11d7f2bd8 in core::ptr::drop_in_place$LT$wgpu_hal..metal..CommandEncoder$GT$::h5200f76fae265cc5 (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x126b0bd8)
    #8 0x11d7f4be5 in core::ptr::drop_in_place$LT$wgpu_core..command..CommandBuffer$LT$wgpu_hal..metal..Api$GT$$GT$::hef9ef6e4ac2687e2 (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x126b2be5)
    #9 0x11d820b96 in wgpu_core::device::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::command_encoder_drop::h767bb3b9e58e3989 (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x126deb96)
    #10 0x113490288 in mozilla::webgpu::WebGPUParent::RecvCommandEncoderDestroy(unsigned long long) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x834e288)
    #11 0x10e12ca3a in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2feaa3a)
    #12 0x10d643feb in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2501feb)
    #13 0x10d41e2ea in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x22dc2ea)
    #14 0x10d41aa1b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x22d8a1b)
    #15 0x10d41cb1b in mozilla::ipc::MessageChannel::MessageTask::Run() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x22dab1b)
    #16 0x10bdfdfdf in nsThread::ProcessNextEvent(bool, bool*) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xcbbfdf)
    #17 0x10be0c23d in NS_ProcessNextEvent(nsIThread*, bool) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xcca23d)
    #18 0x10d42b715 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x22e9715)
    #19 0x10d2dc243 in MessageLoop::Run() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x219a243)
    #20 0x10bdf4b24 in nsThread::ThreadFunc(void*) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xcb2b24)
    #21 0x102f1e49e in _pt_root (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libnss3.dylib:x86_64+0x41e49e)
    #22 0x7fff6ad4f108 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib:x86_64+0x6108)
    #23 0x7fff6ad4ab8a in thread_start (/usr/lib/system/libsystem_pthread.dylib:x86_64+0x1b8a)

==2740==Register values:
rax = 0x0000000000000000  rbx = 0x000070000d568000  rcx = 0x000070000d564468  rdx = 0x0000000000000000
rdi = 0x0000000000006f03  rsi = 0x0000000000000006  rbp = 0x000070000d564490  rsp = 0x000070000d564468
 r8 = 0x0000000000000046   r9 = 0xcccccccccccccccd  r10 = 0x000070000d568000  r11 = 0x0000000000000246
r12 = 0x0000000000006f03  r13 = 0x0000000000000000  r14 = 0x0000000000000006  r15 = 0x0000000000000016
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/usr/lib/system/libsystem_kernel.dylib:x86_64+0x733a) in __pthread_kill
Thread T48 created by T0 here:
    #0 0x10140000c in wrap_pthread_create (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x4200c)
    #1 0x102f0c87f in _PR_CreateThread (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libnss3.dylib:x86_64+0x40c87f)
    #2 0x102ef4bae in PR_CreateThread (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libnss3.dylib:x86_64+0x3f4bae)
    #3 0x10bdf7824 in nsThread::Init(nsTSubstring<char> const&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xcb5824)
    #4 0x10be0a109 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xcc8109)
    #5 0x10be17b75 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xcd5b75)
    #6 0x10f27c5f1 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x413a5f1)
    #7 0x10f27cc51 in mozilla::layers::CompositorThreadHolder::Start() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x413ac51)
    #8 0x10f51da81 in gfxPlatform::Init() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x43dba81)
    #9 0x10f51b24b in gfxPlatform::GetPlatform() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x43d924b)
    #10 0x1164c2b14 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xb380b14)
    #11 0x10be6162d in NS_InvokeByIndex (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xd1f62d)
    #12 0x10e6c3f02 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3581f02)
    #13 0x10e6cadc7 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3588dc7)
    #14 0x11b05b315 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xff19315)
    #15 0x11b0607cb in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xff1e7cb)
    #16 0x11b6c5f9d in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x10583f9d)
    #17 0x11b046675 in Interpret(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xff04675)
    #18 0x11b0305ab in js::RunScript(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfeee5ab)
    #19 0x11b05b57c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xff1957c)
    #20 0x11b05e119 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xff1c119)
    #21 0x11b34e0c0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x1020c0c0)
    #22 0x10e6b2de4 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3570de4)
    #23 0x10be6327b in PrepareAndDispatch (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xd2127b)
    #24 0x10be61bea in SharedStub (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xd1fbea)
    #25 0x10bd96f0e in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xc54f0e)
    #26 0x11ad5ebaf in nsXREDirProvider::DoStartup() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfc1cbaf)
    #27 0x11ad39c0c in XREMain::XRE_mainRun() (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfbf7c0c)
    #28 0x11ad3d405 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfbfb405)
    #29 0x11ad3e5d3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfbfc5d3)
    #30 0x10111a24d in main (/Users/truber/builds/m-c-20220210035537-fuzzing-asan-opt/Nightly.app/Contents/MacOS/firefox:x86_64+0x10000224d)
    #31 0x7fff6ab46cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==2740==ABORTING

Flags: in-testsuite?

Jesse Schwartzentruber (:truber)

Reporter

Updated

•

2 years ago

Blocks: domino, fuzzing-webgpu

Mayank Bansal

Comment 1

•

2 years ago

i get a crash if i let the testcase run for 30-45 seconds, and then close the tab in which the testcase is loaded.

https://crash-stats.mozilla.org/report/index/fd5a8a4a-cc28-4c78-8ba7-17ee50220210

Crash Signature: [@ wgpu_core::hub::Storage<T>::get<T> ]

Comment 2

•

2 years ago

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)

Jim Blandy :jimb

Updated

•

2 years ago

Severity: -- → S3

Flags: needinfo?(jimb)

Jim Blandy :jimb

Comment 3

•

2 years ago

Since this is a macOS problem, it's not a blocker for webgpu-in-nightly, so I'm moving this to webgpu-mvp.

Blocks: webgpu-mvp
No longer blocks: fuzzing-webgpu

BugBot [:suhaib / :marco/ :calixte]

Comment 4

•

2 years ago

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED

Closed: 2 years ago

Resolution: --- → WORKSFORME

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

-[_MTLCommandEncoder dealloc]:70: failed assertion `Command encoder released without endEncoding'

Categories

(Core :: Graphics: WebGPU, defect)

Tracking

()

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Attachment

General

Description

File Name

Content Type