Closed Bug 1787672 Opened 2 years ago Closed 2 years ago

crash in [@ wgpu_core::track::range::RangedStates]

Categories: Core :: Graphics: WebGPU (defect)
Platform: Unspecified / Windows
Status: RESOLVED INCOMPLETE
Tracking Status: firefox106 --- affected
People: Reporter: tsmith, Unassigned, NeedInfo
References: Blocks 1 open bug
Details: Keywords: testcase-wanted

Found while fuzzing 20220827-0b115d7382af (--enable-address-sanitizer --enable-fuzzing)

Unfortunately a reproducible test case is not available at the moment.

==4184==ERROR: AddressSanitizer: unknown-crash on address 0x67fc2b3f97d5e at pc 0x7ffb68489d69 bp 0x003bf8ff9ce0 sp 0x003bf8ff9d28
READ of size 1688606843186376 at 0x67fc2b3f97d5e thread T8
    #0 0x7ffb68489d68 in __asan_wrap_memmove /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:810
    #1 0x7ffb57a5e40c in core::intrinsics::copy /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f\library\core\src\intrinsics.rs:2214
    #2 0x7ffb57a5e40c in smallvec::SmallVec<array$<tuple$<core::ops::range::Range<u32>,wgpu_hal::TextureUses>,1> >::insert /builds/worker/checkouts/gecko/third_party/rust/smallvec/src/lib.rs:1081
    #3 0x7ffb57a5e40c in wgpu_core::track::range::RangedStates<u32,wgpu_hal::TextureUses>::isolate<u32,wgpu_hal::TextureUses> /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/range.rs:120
    #4 0x7ffb57a5ec18 in wgpu_core::track::texture::ComplexTextureState::from_selector_state_iter<enum$<wgpu_core::track::texture::EitherIter<core::iter::sources::once::Once<tuple$<wgpu_core::track::texture::TextureSelector,wgpu_hal::TextureUses> >,core::iter::adapters::flatten::FlatMap<core::iter::adapters::enumerate::Enumerate<core::slice::iter::Iter<wgpu_core::track::range::RangedStates<u32,wgpu_hal::TextureUses> > >,core::iter::adapters::map::Map<core::slice::iter::Iter<tuple$<core::ops::range::Range<u32>,wgpu_hal::TextureUses> >,wgpu_core::track::texture::impl$1::to_selector_state_iter::closure$0::closure_env$0>,wgpu_core::track::texture::impl$1::to_selector_state_iter::closure_env$0> > > > /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/texture.rs:118
    #5 0x7ffb57ab2120 in wgpu_core::track::texture::insert /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/texture.rs:1038
    #6 0x7ffb57ab2120 in wgpu_core::track::texture::insert_or_barrier_update /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/texture.rs:980
    #7 0x7ffb57ab2120 in wgpu_core::track::texture::TextureTracker<wgpu_hal::vulkan::Api>::set_single<wgpu_hal::vulkan::Api> /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/texture.rs:537
    #8 0x7ffb57ab88eb in wgpu_core::hub::Global<wgpu_bindings::identity::IdentityRecyclerFactory>::command_encoder_copy_texture_to_buffer<wgpu_bindings::identity::IdentityRecyclerFactory,wgpu_hal::vulkan::Api> /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/command/transfer.rs:780
    #9 0x7ffb57a8623a in wgpu_bindings::server::Global::command_encoder_action<wgpu_hal::vulkan::Api> /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:583
    #10 0x7ffb57a8405a in wgpu_server_command_encoder_action /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:709
    #11 0x7ffb4de52457 in mozilla::webgpu::WebGPUParent::RecvCommandEncoderAction(unsigned __int64, unsigned __int64, class mozilla::ipc::ByteBuf const &) /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:1064
    #12 0x7ffb4de8433c in mozilla::webgpu::PWebGPUParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:421
    #13 0x7ffb4a343c40 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214
    #14 0x7ffb48f9a0f2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1755
    #15 0x7ffb48f97436 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1680
    #16 0x7ffb48f98534 in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1480
    #17 0x7ffb48f98d66 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1578
    #18 0x7ffb47946485 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199
    #19 0x7ffb47954b3c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
    #20 0x7ffb48fa3bde in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #21 0x7ffb48ebd095 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #22 0x7ffb48ebd095 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #23 0x7ffb48ebce65 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #24 0x7ffb4793be3e in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384
    #25 0x7ffb65b896ad in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #26 0x7ffb65b61a3b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #27 0x7ffb7b4dfb7f  (C:\Windows\System32\ucrtbase.dll+0x18001fb7f)
    #28 0x7ffb68499dc3 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
    #29 0x7ffb7dce84d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #30 0x7ffb7862bfac in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
    #31 0x7ffb7862bfac in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:577
    #32 0x7ffb7e6f1790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

Address 0x67fc2b3f97d5e is a wild pointer inside of access range of size 0x5ffc76b0dacc8.
SUMMARY: AddressSanitizer: unknown-crash /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:810 in __asan_wrap_memmove
Thread T8 created by T0 here:
    #0 0x7ffb6849af62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffb7b4dfa76  (C:\Windows\System32\ucrtbase.dll+0x18001fa76)
    #2 0x7ffb65b6186d in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ffb65b8a46a in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ffb65b8ac03 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ffb65b80aff in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ffb4793f3d1 in nsThread::Init(class nsTSubstring<char> const &) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618
    #7 0x7ffb47951fa8 in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, unsigned int, class nsIThread **) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:533
    #8 0x7ffb4795edfc in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161
    #9 0x7ffb4a30bef6 in NS_NewNamedThread /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74
    #10 0x7ffb4a30bef6 in mozilla::gfx::CanvasRenderThread::Start(void) /builds/worker/checkouts/gecko/gfx/ipc/CanvasRenderThread.cpp:41
    #11 0x7ffb4a302bfa in mozilla::gfx::GPUParent::RecvInit(class nsTArray<class mozilla::gfx::GfxVarUpdate> &&, class mozilla::gfx::DevicePrefs const &, class nsTArray<class mozilla::gfx::LayerTreeIdMapping> &&, class nsTArray<class mozilla::gfx::GfxInfoFeatureStatus> &&, unsigned int) /builds/worker/checkouts/gecko/gfx/ipc/GPUParent.cpp:365
    #12 0x7ffb4a36031e in mozilla::gfx::PGPUParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PGPUParent.cpp:813
    #13 0x7ffb48f9a0f2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1755
    #14 0x7ffb48f97436 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1680
    #15 0x7ffb48f98534 in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1480
    #16 0x7ffb48f98d66 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1578
    #17 0x7ffb4796a78d in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538
    #18 0x7ffb47918f02 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851
    #19 0x7ffb4791530c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683
    #20 0x7ffb47915cee in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461
    #21 0x7ffb47973441 in mozilla::TaskController::InitializeInternal::<lambda_2>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190
    #22 0x7ffb47973441 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531
    #23 0x7ffb479457f5 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205
    #24 0x7ffb47954b3c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
    #25 0x7ffb48fa2a91 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107
    #26 0x7ffb48ebd095 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #27 0x7ffb48ebd095 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #28 0x7ffb48ebce65 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #29 0x7ffb511a346a in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150
    #30 0x7ffb513a4ffe in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #31 0x7ffb55c5c464 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880
    #32 0x7ffb48ebd095 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #33 0x7ffb48ebd095 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #34 0x7ffb48ebce65 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #35 0x7ffb55c5b628 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739
    #36 0x7ff794b02bcf in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:58
    #37 0x7ff794b02bcf in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362
    #38 0x7ff794b017bf in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #39 0x7ff794bfe477 in invoke_main d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #40 0x7ff794bfe477 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #41 0x7ffb7dce84d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #42 0x7ffb7e6f1790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security