Closed
Bug 1774452
Opened 2 years ago
Closed 2 years ago
Assertion failure: data != nullptr, at /dom/webgpu/Queue.cpp:116
Categories
(Core :: Graphics: WebGPU, defect)
Tracking
()
VERIFIED
FIXED
105 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | disabled |
| firefox103 | --- | disabled |
| firefox104 | --- | disabled |
| firefox105 | --- | verified |
People
(Reporter: jkratzer, Assigned: nical)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev b1ed2fa50612 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b1ed2fa50612 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: data != nullptr, at /dom/webgpu/Queue.cpp:116
==139606==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f69e7716f45 bp 0x7ffde5bbcbf0 sp 0x7ffde5bbcb10 T139606)
==139606==The signal is caused by a WRITE memory access.
==139606==Hint: address points to the zero page.
#0 0x7f69e7716f45 in mozilla::webgpu::Queue::WriteTexture(mozilla::dom::GPUImageCopyTexture const&, mozilla::dom::ArrayBufferViewOrArrayBuffer const&, mozilla::dom::GPUImageDataLayout const&, mozilla::dom::RangeEnforcedUnsignedLongSequenceOrGPUExtent3DDict const&, mozilla::ErrorResult&) /dom/webgpu/Queue.cpp:116:3
#1 0x7f69e6c84674 in mozilla::dom::GPUQueue_Binding::writeTexture(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:19864:24
#2 0x7f69e72ca3ac in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
#3 0x7f69ec760750 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:421:13
#4 0x7f69ec75ff5a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:508:12
#5 0x7f69ec757376 in CallFromStack /js/src/vm/Interpreter.cpp:579:10
#6 0x7f69ec757376 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:16
#7 0x7f69ec74e532 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:390:13
#8 0x7f69ec75fe56 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13
#9 0x7f69ec761488 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
#10 0x7f69eb6718d6 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1603:10
#11 0x7f69eb3f0f21 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
#12 0x7f69eb5d9858 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2117:10
#13 0x7f69eb5d9858 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2175:12
#14 0x7f69ec760750 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:421:13
#15 0x7f69ec75ff5a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:508:12
#16 0x7f69ec761488 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
#17 0x7f69eb417ec1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#18 0x7f69e65a537d in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
#19 0x7f69e42162d5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
#20 0x7f69e4215563 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
#21 0x7f69e4215563 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
#22 0x7f69e4203318 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
#23 0x7f69e420418c in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
#24 0x7f69e5090e35 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1482:28
#25 0x7f69e4326e0c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1217:24
#26 0x7f69e432d04d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#27 0x7f69e4ef7456 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#28 0x7f69e4e1e637 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#29 0x7f69e4e1e542 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#30 0x7f69e4e1e542 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#31 0x7f69e9062f38 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#32 0x7f69eb191d3b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
#33 0x7f69e4ef834a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#34 0x7f69e4e1e637 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#35 0x7f69e4e1e542 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#36 0x7f69e4e1e542 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#37 0x7f69eb19135c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
#38 0x558f02480f70 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#39 0x558f02480f70 in main /browser/app/nsBrowserApp.cpp:338:18
#40 0x7f69fb29d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#41 0x558f02456d1c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15d1c) (BuildId: b2d1bcdab58cde437345acb5b623f21a6c1d4685)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/webgpu/Queue.cpp:116:3 in mozilla::webgpu::Queue::WriteTexture(mozilla::dom::GPUImageCopyTexture const&, mozilla::dom::ArrayBufferViewOrArrayBuffer const&, mozilla::dom::GPUImageDataLayout const&, mozilla::dom::RangeEnforcedUnsignedLongSequenceOrGPUExtent3DDict const&, mozilla::ErrorResult&)
==139606==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220615214908-0e44540919cd.
The bug appears to have been introduced in the following build range:
Start: c858714b247620ccd0de475d4cce021b081be5d4 (20211129215823)
End: 64da1a6eb7238a147f5b9036dfea70d7e830c59e (20211130012119)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c858714b247620ccd0de475d4cce021b081be5d4&tochange=64da1a6eb7238a147f5b9036dfea70d7e830c59e
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Updated•2 years ago
|
Blocks: webgpu-in-nightly
|
||
Comment 3•2 years ago
|
||
The severity field is not set for this bug.
:jimb, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jimb)
|
Assignee | |
Comment 4•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → nical.bugzilla
Status: NEW → ASSIGNED
Pushed by nsilva@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fc36ee10b819 Avoid crashing when taking an invalid array buffer in writeTexture. r=jgilbert
|
||
Comment 6•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox105:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
|
|
||
Comment 7•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220727155540-b4cd9af34e00.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•2 years ago
|
Severity: -- → S4
status-firefox103:
--- → disabled
status-firefox104:
--- → disabled
status-firefox-esr102:
--- → disabled
status-firefox-esr91:
--- → unaffected
Flags: needinfo?(jimb)
You need to log in
before you can comment on or make changes to this bug.
Description
•