Closed Bug 1773396 Opened 3 years ago Closed 2 years ago

stack-use-after-scope in [@ smallvec::SmallVec$LT$A$GT$::spilled]

Categories

(Core :: Graphics: WebGPU, defect, P1)

defect

Tracking


RESOLVED FIXED
110 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- disabled
firefox103 --- disabled
firefox104 --- disabled
firefox105 --- disabled
firefox106 --- disabled
firefox108 --- disabled
firefox109 --- disabled
firefox110 --- fixed

People

(Reporter: tsmith, Assigned: jimb)

References

(Blocks 2 open bugs)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] [post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete)

Found while fuzzing m-c 20220608-5a7069a5e368 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==28071==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f88efead640 at pc 0x7f89a75835b4 bp 0x7f88efeab330 sp 0x7f88efeab328
READ of size 8 at 0x7f88efead640 thread T39 (Compositor)
    #0 0x7f89a75835b3 in smallvec::SmallVec$LT$A$GT$::spilled::h4339f243242c631d /gecko/third_party/rust/smallvec/src/lib.rs:776:9
    #1 0x7f89a75835b3 in smallvec::SmallVec$LT$A$GT$::triple::h1aaf81946bf99c6a /gecko/third_party/rust/smallvec/src/lib.rs:747:16
    #2 0x7f89a75835b3 in _$LT$smallvec..SmallVec$LT$A$GT$$u20$as$u20$core..ops..deref..Deref$GT$::deref::h622c44788134ab5e /gecko/third_party/rust/smallvec/src/lib.rs:1520:33
    #3 0x7f89a75835b3 in wgpu_core::track::range::RangedStates$LT$I$C$T$GT$::isolate::hda73cd796555aa6e /gecko/third_party/rust/wgpu-core/src/track/range.rs:97:35
    #4 0x7f89a758a90a in wgpu_core::track::texture::ComplexTextureState::from_selector_state_iter::h0950ad9018fac719 /gecko/third_party/rust/wgpu-core/src/track/texture.rs:118:48
    #5 0x7f89a75972a7 in wgpu_core::track::texture::insert::hc71e1f058dc0e4a1 /gecko/third_party/rust/wgpu-core/src/track/texture.rs:1033:27
    #6 0x7f89a75972a7 in wgpu_core::track::texture::insert_or_barrier_update::h759ba4ab1e84b9a5 /gecko/third_party/rust/wgpu-core/src/track/texture.rs:965:9
    #7 0x7f89a75972a7 in wgpu_core::track::texture::TextureTracker$LT$A$GT$::set_single::he9ee4688b0e46643 /gecko/third_party/rust/wgpu-core/src/track/texture.rs:537:13
    #8 0x7f89a77c338d in wgpu_core::command::transfer::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::command_encoder_copy_texture_to_buffer::h293aa6b810381a15 /gecko/third_party/rust/wgpu-core/src/command/transfer.rs:780:42
    #9 0x7f89a791613c in wgpu_bindings::server::Global::command_encoder_action::hec811a74f7493704 /gecko/gfx/wgpu_bindings/src/server.rs:432:21
    #10 0x7f89a795294a in wgpu_server_command_encoder_action /gecko/gfx/wgpu_bindings/src/server.rs:558:5
    #11 0x7f899d1af6fb in mozilla::webgpu::WebGPUParent::RecvCommandEncoderAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&) /gecko/dom/webgpu/ipc/WebGPUParent.cpp:927:3
    #12 0x7f899d1dc77b in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:420:80
    #13 0x7f899a2c18dc in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
    #14 0x7f89990508f9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1781:25
    #15 0x7f899904d967 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /gecko/ipc/glue/MessageChannel.cpp:1706:9
    #16 0x7f899904e5b4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1506:3
    #17 0x7f899904f842 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1604:14
    #18 0x7f89978de68e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1174:16
    #19 0x7f89978e8294 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #20 0x7f89990599bb in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #21 0x7f8998ed8811 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #22 0x7f8998ed8811 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #23 0x7f8998ed8811 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #24 0x7f89978d5c4e in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:378:10
    #25 0x7f89be8d8b7e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #26 0x7f89bf58d608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #27 0x7f89bf154132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Address 0x7f88efead640 is located in stack of thread T39 (Compositor) at offset 192 in frame
    #0 0x7f89a77c1c1f in wgpu_core::command::transfer::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::command_encoder_copy_texture_to_buffer::h293aa6b810381a15 /gecko/third_party/rust/wgpu-core/src/command/transfer.rs:740

  This frame has 44 object(s):
    [32, 72) '_2.i341'
    [112, 152) '_2.i320'
    [192, 232) '_4.i319' <== Memory access at offset 192 is inside this variable
    [272, 312) '_4.i318'
    [352, 392) '_2.i309'
    [432, 472) '_4.i297'
    [512, 552) '_4.i294'
    [592, 632) '_2.i277'
    [672, 712) '_4.i263'
    [752, 792) '_4.i260'
    [832, 872) '_4.i242'
    [912, 952) '_4.i229'
    [992, 1004) '_19.i' (line 166)
    [1024, 1048) '_7.i.i.i178'
    [1088, 1112) '_7.i.i.i169'
    [1152, 1176) '_10.i.i.i'
    [1216, 1240) '_7.i.i.i'
    [1280, 1320) '_276' (line 878)
    [1360, 1408) '_270' (line 873)
    [1440, 1456) '_266' (line 872)
    [1472, 1504) '_245' (line 852)
    [1536, 1551) '_232.sroa.4' (line 834)
    [1568, 1580) '_230' (line 832)
    [1600, 1612) '_218' (line 824)
    [1632, 1680) '_215' (line 822)
    [1712, 1736) '_214.sroa.11' (line 822)
    [1776, 1784) 'bytes_per_array_layer' (line 822)
    [1808, 1856) '_201' (line 821)
    [1888, 1916) '_200.sroa.10' (line 821)
    [1952, 1964) 'hal_copy_size' (line 820)
    [1984, 2008) 'format_desc' (line 819)
    [2048, 2060) '_192' (line 817)
    [2080, 2104) '_160' (line 799)
    [2144, 2192) 'src_barrier' (line 797)
    [2224, 2240) '_128' (line 786)
    [2256, 2304) '_121' (line 780)
    [2336, 2360) '_119.sroa.9.sroa.7' (line 780)
    [2400, 2440) 'src_pending' (line 780)
    [2480, 2488) 'src_texture' (line 780)
    [2512, 2536) 'src_base' (line 774)
    [2576, 2588) '_54.sroa.4' (line 762)
    [2608, 2620) '_54.sroa.5.sroa.5' (line 762)
    [2640, 2656) '_54.sroa.6.sroa.4' (line 762)
    [2672, 2680) 'destination'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T39 (Compositor) created by T0 here:
    #0 0x55dbc0a2259c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f89be8c8c2c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f89be8b9fce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f89978d8865 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:604:18
    #4 0x7f89978e5b38 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:534:12
    #5 0x7f89978f1f99 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7f8999e9acc2 in NS_NewNamedThread<11UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
    #7 0x7f8999e9acc2 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /gecko/gfx/layers/ipc/CompositorThread.cpp:66:17
    #8 0x7f8999e9b1c9 in CompositorThreadHolder /gecko/gfx/layers/ipc/CompositorThread.cpp:40:25
    #9 0x7f8999e9b1c9 in mozilla::layers::CompositorThreadHolder::Start() /gecko/gfx/layers/ipc/CompositorThread.cpp:109:33
    #10 0x7f899a1132bc in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:961:3
    #11 0x7f899a116d5e in GetPlatform /gecko/gfx/thebes/gfxPlatform.cpp:467:5
    #12 0x7f899a116d5e in gfxPlatform::InitializeCMS() /gecko/gfx/thebes/gfxPlatform.cpp:2094:9
    #13 0x7f89a001d8cc in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:982:7
    #14 0x7f89a001d8cc in gfxPlatform::GetCMSMode() /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:526:5
    #15 0x7f89a001ce46 in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /gecko/widget/nsXPLookAndFeel.cpp:874:9
    #16 0x7f89a00213e6 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:1274:47
    #17 0x7f899ff8c844 in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:440:12
    #18 0x7f899ff8c844 in ThemedAccentColor /gecko/widget/ThemeColors.cpp:88:37
    #19 0x7f899ff8c844 in mozilla::widget::ThemeColors::RecomputeAccentColors() /gecko/widget/ThemeColors.cpp:197:20
    #20 0x7f899ff8c47d in mozilla::widget::Theme::LookAndFeelChanged() /gecko/widget/Theme.cpp:180:3
    #21 0x7f89a001b3be in nsXPLookAndFeel::GetInstance() /gecko/widget/nsXPLookAndFeel.cpp:358:3
    #22 0x7f89a0021dd5 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /gecko/widget/nsXPLookAndFeel.cpp:1387:3
    #23 0x7f899773443a in nsSystemInfo::Init() /gecko/xpcom/base/nsSystemInfo.cpp:1047:5
    #24 0x7f89978464dd in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11965:7
    #25 0x7f89978889be in CreateInstance /gecko/xpcom/components/nsComponentManager.cpp:185:46
    #26 0x7f89978889be in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1283:17
    #27 0x7f8997889488 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1373:10
    #28 0x7f899785eb5d in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12189:50
    #29 0x7f89976eaba1 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /gecko/xpcom/base/nsCOMPtr.cpp:109:7
    #30 0x7f899935c2f1 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5
    #31 0x7f899935c2f1 in xpc::GetServiceImpl(JSContext*, mozilla::xpcom::JSServiceEntry const&, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /gecko/js/xpconnect/src/JSServices.cpp:83:32
    #32 0x7f899935bd78 in xpc::GetService(JSContext*, mozilla::xpcom::JSServiceEntry const&, mozilla::ErrorResult&) /gecko/js/xpconnect/src/JSServices.cpp:130:8
    #33 0x7f899935aca1 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /gecko/js/xpconnect/src/JSServices.cpp:153:25
    #34 0x7f89a568f6f6 in CallResolveOp /gecko/js/src/vm/NativeObject-inl.h:640:8
    #35 0x7f89a568f6f6 in NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> /gecko/js/src/vm/NativeObject-inl.h:752:14
    #36 0x7f89a568f6f6 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2126:10
    #37 0x7f89a568f6f6 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2174:10
    #38 0x7f89a538a830 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:120:10
    #39 0x7f89a538a830 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/ObjectOperations-inl.h:127:10
    #40 0x7f89a6dd6af3 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4668:10
    #41 0x7f89a6db0e5d in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2984:12
    #42 0x7f89a6da3629 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:389:13
    #43 0x7f89a6dcf8ae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:539:13
    #44 0x7f89a6dd138e in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
    #45 0x7f89a6dd138e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
    #46 0x7f89a54a3bd4 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:53:10
    #47 0x7f89993a2545 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
    #48 0x7f8997931cf2 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #49 0x7f8997930a42 in SharedStub xptcstubs_x86_64_linux.cpp
    #50 0x7f899787f0ad in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:682:19
    #51 0x7f89a504a2a9 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:936:11
    #52 0x7f89a5022e50 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5476:18
    #53 0x7f89a502571e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5927:8
    #54 0x7f89a502648b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5991:21
    #55 0x55dbc0a77821 in do_main(int, char**, char**) /gecko/browser/app/nsBrowserApp.cpp:227:22
    #56 0x55dbc0a76b5e in main /gecko/browser/app/nsBrowserApp.cpp:406:16
    #57 0x7f89bf059082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220608214824-0cf5c85ddd84.
The bug appears to have been introduced in the following build range:

Start: 11fde2629eacf0f130e7123e3c2984b4ac921bd9 (20210622113140)
End: e11836c2c03d8b50de930730d6c0e62c25db58e4 (20210622140333)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=11fde2629eacf0f130e7123e3c2984b4ac921bd9&tochange=e11836c2c03d8b50de930730d6c0e62c25db58e4

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
See Also: → 1772909
Assignee: nobody → jimb
Priority: -- → P1

The test case causes an assertion failure in an ordinary build of a1233ae6332c:

Hit MOZ_CRASH(assertion failed: selector.mips.end <= full_range.mips.end)
at /home/jimb/moz/central/third_party/rust/wgpu-core/src/track/texture.rs:110

Same crash reproduces on recent central (8d6b4f11ecdf, 2022-7-6).

It's not certain that that assertion is the same problem that ASan found. I'm especially concerned about ASan finding a problem in Rust code. That should not happen.

(In reply to Jim Blandy :jimb from comment #2)

The test case causes an assertion failure in an ordinary build of a1233ae6332c:

Hit MOZ_CRASH(assertion failed: selector.mips.end <= full_range.mips.end)
at /home/jimb/moz/central/third_party/rust/wgpu-core/src/track/texture.rs:110

This assertion was also filed under bug 1774463. Not sure if that should be duped against this or not.

:jimb, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)

Okay, after a bit of an excursion into bug 1743672 and bug 1778767, I can reproduce this exact asan crash on 17b1a90f4533 (central 2022-7-8).

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #6)

:jimb, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Hmm. None of those look relevant.

Flags: needinfo?(jimb)
Attached file testcase.html
Attachment #9280353 - Attachment is obsolete: true

The testcase included in comment 0 uses clientInformation instead of navigator which is the reason for the bisection range. I've reset the bugmon flags and will re-run bisection.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisect,confirmed]

Bugmon Analysis
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 5dee15cf3f2810ccc3bb9ec24c652f6f9d72b62d (20210712093040)
End: 5a7069a5e3689a583a3fac17c4950e7af5f825f9 (20220608035213)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisect,confirmed] → [bugmon:confirmed,bisected]

The problem is that the test case tries to access mip level 170 of a texture:

  c.copyTextureToBuffer({
    'texture': x,
    'mipLevel': 170,
  }, ...)

And there ain't never been a texture with 170 mip levels in this universe - it'd have to be 2¹⁷⁰ pixels on a side.

Unfortunately, wgpu's new (and much more efficient) resource state tracking logic skips bounds checks, so this get_unchecked_mut call goes awry:

let mips = selector.mips.start as usize..selector.mips.end as usize;
for mip in complex.mips.get_unchecked_mut(mips) {
    ...
}
See Also: 1772909

(removed "see also" link - we thought the two test cases were the same, but they're not)

Unfortunately, wgpu's new (and much more efficient) resource state tracking logic skips bounds checks

A better place to put the blame is in wgpu_core::hub::Global::command_encoder_copy_texture_to_buffer, which ought to be checking the mip level and returning an error before the tracking logic ever sees it.

Also filed wgpu#2872, to give Firefox a way to enable, in all builds, the run-time validation that the track module usually omits in release builds.

The bounds checks are already there in the code, in validate_texture_copy_range. But unfortunately that is called after TextureTracker::set_single, which is where the out-of-bounds access occurs.
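The ordering problem described in the last few comments (tracking state updated in TextureTracker::set_single before validate_texture_copy_range rejects the mip level) is easy to see in a reduced model. The following is an added illustration written for this page, not wgpu's code: the type and function names (Texture, MipTracker, validate_copy_range, copy_texture_to_buffer) are hypothetical stand-ins, and a checked slice lookup replaces get_unchecked_mut so that an unvalidated selector fails loudly instead of reading past the allocation. The mip level 170 and the one-mip texture are the constructed input matching the test case.

```rust
// Added example, not wgpu code. Models why copy validation has to run before the
// tracker's per-mip state array is indexed. All names are hypothetical.
use std::ops::Range;

#[derive(Debug, PartialEq)]
pub enum CopyError {
    MipLevelOutOfRange { requested: u32, available: u32 },
}

/// Minimal stand-in for a texture descriptor.
pub struct Texture {
    pub mip_level_count: u32,
}

/// Names the mip range a copy touches (analogue of the selector in the bug).
pub struct TextureSelector {
    pub mips: Range<u32>,
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Usage {
    Unknown,
    CopySrc,
}

/// One usage state per mip level; the array length is the texture's mip count.
pub struct MipTracker {
    states: Vec<Usage>,
}

impl MipTracker {
    pub fn new(mip_level_count: u32) -> Self {
        Self { states: vec![Usage::Unknown; mip_level_count as usize] }
    }

    /// Hot-path state update. Like the real tracker it assumes the caller has
    /// already validated the selector; unlike it, a checked `get_mut` stands in
    /// for `get_unchecked_mut`, so a bad selector panics rather than reading
    /// out of bounds.
    pub fn set_single(&mut self, selector: &TextureSelector, usage: Usage) {
        let mips = selector.mips.start as usize..selector.mips.end as usize;
        let slice = self
            .states
            .get_mut(mips)
            .expect("tracker precondition violated: selector was not validated");
        for state in slice {
            *state = usage;
        }
    }

    pub fn state_of(&self, mip: u32) -> Option<Usage> {
        self.states.get(mip as usize).copied()
    }
}

/// The validation step: a requested mip must exist on the texture.
pub fn validate_copy_range(texture: &Texture, mip_level: u32) -> Result<(), CopyError> {
    if mip_level >= texture.mip_level_count {
        return Err(CopyError::MipLevelOutOfRange {
            requested: mip_level,
            available: texture.mip_level_count,
        });
    }
    Ok(())
}

/// Correct ordering: validate first, then let the tracker see the selector.
/// An invalid mip level is reported as an error and the tracker is untouched.
pub fn copy_texture_to_buffer(
    texture: &Texture,
    tracker: &mut MipTracker,
    mip_level: u32,
) -> Result<(), CopyError> {
    validate_copy_range(texture, mip_level)?;
    let selector = TextureSelector { mips: mip_level..mip_level + 1 };
    tracker.set_single(&selector, Usage::CopySrc);
    Ok(())
}

/// The ordering the bug describes, kept for contrast: the tracker runs before
/// validation, so an out-of-range mip level reaches the per-mip array. With the
/// checked lookup above this panics; with an unchecked one it would be a
/// memory-safety bug.
pub fn copy_texture_to_buffer_track_first(
    texture: &Texture,
    tracker: &mut MipTracker,
    mip_level: u32,
) -> Result<(), CopyError> {
    let selector = TextureSelector { mips: mip_level..mip_level + 1 };
    tracker.set_single(&selector, Usage::CopySrc);
    validate_copy_range(texture, mip_level)
}

fn main() {
    // Constructed input: a texture with a single mip, asked for mip level 170.
    let texture = Texture { mip_level_count: 1 };
    let mut tracker = MipTracker::new(1);
    println!("{:?}", copy_texture_to_buffer(&texture, &mut tracker, 170));
}
```

The takeaway for reviewing this kind of code is that an `unsafe` fast path is only as safe as the validation that is guaranteed to run before it; moving the check earlier in the call chain, as comment 13 suggests, or enabling the tracker's own run-time validation in all builds (wgpu#2872) both close the gap.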

Demoting this to sec-moderate, because WebGPU is not enabled by default in nightly. I expect us to fix this bug before that changes; if for some reason we do not, I'll raise its level back to sec-high.

Keywords: sec-high → sec-moderate

That's not how we track these. Other people need to be able to check meta bugs and answer questions like "if we turn this on now, how many unfixed bugs of what severity get exposed?", and that doesn't work if the "highness" of a bug is only tracked in the memory of one or two people. The way we track the state you're describing is by setting the version-specific status fields to "disabled".

Severity: S2 → S3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:jimb, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)

Not increasing to S2, since WebGPU is disabled in nightly.

Flags: needinfo?(jimb)

We've identified a number of variations to this crash. I've attached here a new crash stack for a stack buffer overflow. :jimb, if you feel like this is a different issue, please let me know and I'll open a new issue.

Flags: needinfo?(jimb)

Assuming that the crash stack I submitted in comment 21 is the same as the original issue, we're now seeing such a high volume of varying crash stacks that it is making it quite difficult for us to bucket and triage. Marking this as a fuzzblocker unless I hear otherwise.

Whiteboard: [bugmon:confirmed,bisected] → [bugmon:confirmed,bisected][fuzzblocker]

This has a fix that will be brought in the next time we update wgpu-core in Mozilla Central.

Flags: needinfo?(jimb)

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimb, could you increase the severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)
Flags: needinfo?(jimb)
Severity: S3 → S2
Severity: S2 → S3
Whiteboard: [bugmon:confirmed,bisected][fuzzblocker] → [bugmon:confirm,bisected][fuzzblocker]

I believe bug 1806166 has brought in a fix for this (wgpu#3090).

Testcase crashes using the initial build (mozilla-central 20220608035213-5a7069a5e368) but not with tip (mozilla-central 20221219162526-91a9bbbe6bea).

The bug appears to have been fixed in the following build range:

Start: 3ccb0b86ab11e1ff5137a780bbe2354f163e61db (20221217211745)
End: 4d46db3ff28b5b4f80c3587e77f1e162e552b5e0 (20221217231408)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3ccb0b86ab11e1ff5137a780bbe2354f163e61db&tochange=4d46db3ff28b5b4f80c3587e77f1e162e552b5e0

jimb, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jimb)
Keywords: bugmon
Whiteboard: [bugmon:confirm,bisected][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]

Yes, 7c000fcb98531f7b140dae59477ccd35554cbcd7 is Bug 1806166.

Flags: needinfo?(jimb)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Depends on: 1806166
Target Milestone: --- → 110 Branch
Flags: qe-verify-
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker] [post-critsmash-triage]
Group: core-security-release