Closed Bug 1780799 Opened 2 years ago Closed 11 months ago

Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: TryFromIntError(())) at /third_party/rust/wgpu-core/src/command/compute.rs:811

Categories: Core :: Graphics: WebGPU, defect (x86_64, Linux)
Tracking: RESOLVED DUPLICATE of bug 1813705
People: Reporter: jkratzer, Unassigned
References: Blocks 2 open bugs, Regression
Details: Keywords: regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Testcase found while fuzzing mozilla-central rev be11d2aa123a (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build be11d2aa123a --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: TryFromIntError(())) at /third_party/rust/wgpu-core/src/command/compute.rs:811

    ==1698593==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f516b758965 bp 0x7ffc2cc2fc50 sp 0x7ffc2cc2fc40 T1698593)
    ==1698593==The signal is caused by a WRITE memory access.
    ==1698593==Hint: address points to the zero page.
        #0 0x7f516b758965 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7f516b758965 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f516b7588e8 in mozglue_static::panic_hook::hc73c6ec992377969 /mozglue/static/rust/lib.rs:91:9
        #3 0x7f516b75836b in core::ops::function::Fn::call::h3d3ab1c02c30d6c6 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/ops/function.rs:77:5
        #4 0x7f516c71e445 in std::panicking::rust_panic_with_hook::hc82286af2030e925 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:702:17
        #5 0x7f516c71e246 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1c15057c2f09081f /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:588:13
        #6 0x7f516c71b403 in std::sys_common::backtrace::__rust_end_short_backtrace::h65de906a5330f8da /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/sys_common/backtrace.rs:138:18
        #7 0x7f516c71df78 in rust_begin_unwind /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/std/src/panicking.rs:584:5
        #8 0x7f5161e7aac2 in core::panicking::panic_fmt::h741cfbfc95bc6112 /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/panicking.rs:142:14
        #9 0x7f5161e7abb2 in core::result::unwrap_failed::h995262f85f9c4e2c /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/result.rs:1785:5
        #10 0x7f516ab2ae6c in wgpu_compute_pass_set_bind_group /rustc/a8314ef7d0ec7b75c336af2c9857bfaf43002bfc/library/core/src/result.rs
        #11 0x7f5164ba7d75 in mozilla::dom::GPUComputePassEncoder_Binding::setBindGroup(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:15783:24
        #12 0x7f516520024c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3285:13
        #13 0x7f516a70ead0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #14 0x7f516a70e33a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #15 0x7f516a70582c in CallFromStack /js/src/vm/Interpreter.cpp:575:10
        #16 0x7f516a70582c in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3313:16
        #17 0x7f516a6fcba2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #18 0x7f516a70e236 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:536:13
        #19 0x7f516a70f7f8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #20 0x7f51695e98e7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1572:10
        #21 0x7f51693992f1 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:153:8
        #22 0x7f5169582562 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2112:12
        #23 0x7f5169582562 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2175:12
        #24 0x7f516a70ead0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #25 0x7f516a70e33a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #26 0x7f516a70f7f8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #27 0x7f51693c41d1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #28 0x7f51644d560d in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #29 0x7f516211e515 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
        #30 0x7f516211d7a3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
        #31 0x7f516211d7a3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #32 0x7f516210b418 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #33 0x7f516210c28c in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #34 0x7f5162fa3a85 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1485:28
        #35 0x7f516222e21c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1242:24
        #36 0x7f516223446d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #37 0x7f5162e03d64 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #38 0x7f5162d2a267 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #39 0x7f5162d2a172 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #40 0x7f5162d2a172 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #41 0x7f5166fd6ac8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #42 0x7f51691032fb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #43 0x7f5162e04caa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #44 0x7f5162d2a267 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #45 0x7f5162d2a172 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #46 0x7f5162d2a172 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #47 0x7f516910291c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #48 0x55de131f4120 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #49 0x55de131f4120 in main /browser/app/nsBrowserApp.cpp:338:18
        #50 0x7f5178990082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #51 0x55de131c9ecc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ecc) (BuildId: 0647b35399483c22aafabff58bae1d6ebc486851)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==1698593==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220722085933-be11d2aa123a.
The bug appears to have been introduced in the following build range:

Start: c858714b247620ccd0de475d4cce021b081be5d4 (20211129215823)
End: 64da1a6eb7238a147f5b9036dfea70d7e830c59e (20211130012119)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c858714b247620ccd0de475d4cce021b081be5d4&tochange=64da1a6eb7238a147f5b9036dfea70d7e830c59e

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ core::result::unwrap_failed | wgpu_core::command::compute::compute_ffi::wgpu_compute_pass_set_bind_group ]
Flags: needinfo?(jimb)
Regressed by: 1772568
See Also: → 1813705

Testcase crashes using the initial build (mozilla-central 20220722085933-be11d2aa123a) but not with tip (mozilla-central 20230526215433-fc6056442a0f).

The bug appears to have been fixed in the following build range:

Start: 4971297a8917c4ce5f9136ebb0c82cde74eb50c4 (20230525170024)
End: 40ab75e2a8b4cc21529dbfa2ad7d0ff5be4f8120 (20230525182502)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4971297a8917c4ce5f9136ebb0c82cde74eb50c4&tochange=40ab75e2a8b4cc21529dbfa2ad7d0ff5be4f8120

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jimb) → needinfo?(jkratzer)
Keywords: bugmon

I believe I can answer for :jkratzer. I authored a fix for wgpu upstream in bug 1813705, and integrated that fix into tree with the patch series for bug 1832451. That patch series is at the tip of the pushlog you've presented. Looking at the crash log here, I feel confident in saying that his bug is a duplicate of bug 1813705.

Given the above, the pushlog range can be narrowed even further to https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=34e423bf50861cf52db538b8ef953c61644e52a&tochange=40ab75e2a8b4cc21529dbfa2ad7d0ff5be4f8120.

Status: NEW → RESOLVED
Closed: 11 months ago
Duplicate of bug: 1813705
Flags: needinfo?(jkratzer)
Resolution: --- → DUPLICATE
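
The crash message in this report is the general failure mode of unwrapping a fallible integer narrowing on a value that comes from page script. The sketch below is an added illustration, not code from wgpu or Firefox: the function and type names, the `u8` field width and the error enum are assumptions chosen to show the panicking pattern next to a form that reports a validation error instead.

```rust
use std::convert::TryFrom;
use std::panic;

/// Hypothetical recorded command; the u8 field width is an assumption.
#[derive(Debug, PartialEq)]
pub struct SetBindGroup { pub index: u8, pub num_dynamic_offsets: u8 }

/// Hypothetical validation error surfaced to the caller instead of a panic.
#[derive(Debug, PartialEq)]
pub enum PassError { IndexOutOfRange(u32), TooManyOffsets(usize) }

/// Crash pattern: caller-controlled integers narrowed with `unwrap()`.
/// Any value above u8::MAX yields Err(TryFromIntError) and panics.
pub fn set_bind_group_unchecked(index: u32, offsets: &[u32]) -> SetBindGroup {
    SetBindGroup {
        index: u8::try_from(index).unwrap(),
        num_dynamic_offsets: u8::try_from(offsets.len()).unwrap(),
    }
}

/// Hardened form: out-of-range input becomes an error the binding layer
/// can turn into a validation failure, so the process keeps running.
pub fn set_bind_group_checked(index: u32, offsets: &[u32]) -> Result<SetBindGroup, PassError> {
    let idx = u8::try_from(index).map_err(|_| PassError::IndexOutOfRange(index))?;
    let n = u8::try_from(offsets.len())
        .map_err(|_| PassError::TooManyOffsets(offsets.len()))?;
    Ok(SetBindGroup { index: idx, num_dynamic_offsets: n })
}

/// Returns true if the unchecked variant panics for this input.
pub fn unchecked_panics(index: u32, offsets: &[u32]) -> bool {
    let owned = offsets.to_vec();
    panic::catch_unwind(move || set_bind_group_unchecked(index, &owned)).is_err()
}

fn main() {
    // Constructed inputs: one in range, one far past u8::MAX.
    for index in [1u32, 4_294_967_295] {
        println!(
            "index {index}: checked = {:?}, unchecked panics = {}",
            set_bind_group_checked(index, &[]),
            unchecked_panics(index, &[])
        );
    }
}
```

In a build where a Rust panic is routed to a process crash, as the panic hook frames in the stack trace above show for Firefox, the unchecked form turns any oversized argument into a content-process abort.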