Closed Bug 1780057 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(attempt to subtract with overflow) at /third_party/rust/wgpu-core/src/device/mod.rs:1013

Categories

(Core :: Graphics: WebGPU, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- disabled
firefox102 --- disabled
firefox103 --- disabled
firefox104 --- disabled
firefox105 --- disabled
firefox106 --- disabled
firefox107 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 0ac3dabcf588 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0ac3dabcf588 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(attempt to subtract with overflow) at /third_party/rust/wgpu-core/src/device/mod.rs:1013

    ==3235727==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f98396c4785 bp 0x7f97f8c8d870 sp 0x7f97f8c8d860 T3235838)
    ==3235727==The signal is caused by a WRITE memory access.
    ==3235727==Hint: address points to the zero page.
        #0 0x7f98396c4785 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f98396c4785 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f98396c4708 in mozglue_static::panic_hook::hc73c6ec992377969 /mozglue/static/rust/lib.rs:91:9
        #3 0x7f98396c418b in core::ops::function::Fn::call::h3d3ab1c02c30d6c6 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/ops/function.rs:77:5
        #4 0x7f983a6878d5 in std::panicking::rust_panic_with_hook::hc82286af2030e925 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:702:17
        #5 0x7f983a687698 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1c15057c2f09081f /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:586:13
        #6 0x7f983a684893 in std::sys_common::backtrace::__rust_end_short_backtrace::h65de906a5330f8da /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys_common/backtrace.rs:138:18
        #7 0x7f983a687408 in rust_begin_unwind /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:584:5
        #8 0x7f982fdf0a02 in core::panicking::panic_fmt::h741cfbfc95bc6112 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panicking.rs:142:14
        #9 0x7f982fdf08cc in core::panicking::panic::hab046c3856b52f65 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panicking.rs:48:5
        #10 0x7f9838a25c6c in wgpu_server_texture_action /gfx/wgpu_bindings/src/server.rs
        #11 0x7f98335d786e in mozilla::webgpu::WebGPUParent::RecvTextureAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&) /dom/webgpu/ipc/WebGPUParent.cpp:951:3
        #12 0x7f98335ec1cb in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:364:80
        #13 0x7f98316dc7ee in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
        #14 0x7f9830d724f1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1749:25
        #15 0x7f9830d6f045 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1674:9
        #16 0x7f9830d6fbe6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1474:3
        #17 0x7f9830d70f71 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1572:14
        #18 0x7f98301a3bb7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #19 0x7f98301aa0fd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #20 0x7f9830d79275 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #21 0x7f9830c9e397 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #22 0x7f9830c9e2a2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #23 0x7f9830c9e2a2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #24 0x7f983019eee6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #25 0x7f9846dc8557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #26 0x7f9847b3a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #27 0x7f9847701132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==3235727==ABORTING
Attached file Testcase
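The crash above is a Rust debug-build overflow check firing on a subtraction inside wgpu-core while the parent process handles a texture action received over IPC from content. The added example below is not wgpu-core's code: it uses a hypothetical texture-range struct (fields assumed, not wgpu's) to contrast the naive subtraction, which panics under overflow checks and silently wraps in release builds, with a checked version that turns malformed input into an error.

```rust
// Added example, not wgpu-core's code. The TextureRange fields are hypothetical
// stand-ins for the kind of untrusted values a texture action can carry over IPC.

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    BaseMipOutOfRange { base: u32, total: u32 },
    LevelCountTooLarge { requested: u32, available: u32 },
}

/// Hypothetical view of a texture action's range fields (assumed, not wgpu's).
#[derive(Debug, Clone, Copy)]
pub struct TextureRange {
    pub base_mip_level: u32,
    pub mip_level_count: Option<u32>, // None means "all remaining levels"
}

/// Naive version: "attempt to subtract with overflow" in debug builds (the
/// MOZ_CRASH in the report) and a silent wrap to a huge count in release builds.
pub fn remaining_levels_unchecked(total_levels: u32, base: u32) -> u32 {
    total_levels - base
}

/// Hardened version: the subtraction is checked and an out-of-range request
/// becomes an error the caller can report instead of a panic or a wrapped value.
pub fn resolve_level_count(total_levels: u32, range: TextureRange) -> Result<u32, ValidationError> {
    let remaining = total_levels
        .checked_sub(range.base_mip_level)
        .filter(|r| *r > 0) // base must be strictly below the level count
        .ok_or(ValidationError::BaseMipOutOfRange {
            base: range.base_mip_level,
            total: total_levels,
        })?;
    match range.mip_level_count {
        None => Ok(remaining),
        Some(n) if n >= 1 && n <= remaining => Ok(n),
        Some(n) => Err(ValidationError::LevelCountTooLarge { requested: n, available: remaining }),
    }
}

fn main() {
    // Constructed input: a 4-level texture and a request whose base level is past the end.
    let bad = TextureRange { base_mip_level: 7, mip_level_count: None };
    println!("checked: {:?}", resolve_level_count(4, bad));
    // What the naive subtraction would yield in a release build (no overflow check).
    println!("release wrap: {}", 4u32.wrapping_sub(7));
}
```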

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220718184409-e8822bdecf78.
The bug appears to have been introduced in the following build range:

Start: 60c6b98b954e8d31353f9934e4b7c1581fd07d37 (20210903164901)
End: ef5dc3e04e5f271eea0636ab3a495e95cc912f1d (20210903165630)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=60c6b98b954e8d31353f9934e4b7c1581fd07d37&tochange=ef5dc3e04e5f271eea0636ab3a495e95cc912f1d

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Setting regressed_by field after analyzing regression range found by bugmon.

Regressed by: 1726626

Set release status flags based on info from the regressing bug 1726626

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)
Depends on: 1784271

Fixed by bug 1791297.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220922214429-4ce68ee50da2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Depends on: 1791297
No longer depends on: 1784271
Flags: needinfo?(jimb)
Target Milestone: --- → 107 Branch