Closed Bug 1780110 Opened 3 years ago Closed 3 years ago

Unmapping a "mapping pending" buffer crashes Firefox

Categories

(Core :: Graphics: WebGPU, defect, P2)

Product:
Core
Component:
Graphics: WebGPU
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jimb, Unassigned)

References

Details

Calling mapAsync on a GPUBuffer, and then calling unmap before the mapAsync's promise has been resolved, crashes Firefox.

Buffer::MapAsync populates mMapped with an unallocated Shmem, which indicates the "mapping pending" state. The promise's resolution closure overwrites that unallocated Shmem with the one received from the parent, but without checked that mMapped is still Some. Calling Buffer::Unmap after MapAsync but before the closure runs causes the closure to try to write to mMapped while it is Nothing.

This may be fixed by bug 1777535.

Depends on: 1777535
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.