Hit MOZ_CRASH(attempt to multiply with overflow) at /third_party/rust/wgpu-core/src/command/transfer.rs:268
Categories
(Core :: Graphics: WebGPU, defect, P3)
Tracking
()
People
(Reporter: jkratzer, Assigned: nical)
References
(Blocks 2 open bugs)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file, 1 obsolete file)
|
614 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 558bd074ee55 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 558bd074ee55 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(attempt to multiply with overflow) at /third_party/rust/wgpu-core/src/command/transfer.rs:268
==32649==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fce10cbf995 bp 0x7fcdad3fe750 sp 0x7fcdad3fe740 T32694)
==32649==The signal is caused by a WRITE memory access.
==32649==Hint: address points to the zero page.
#0 0x7fce10cbf995 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fce10cbf995 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fce10cbf918 in mozglue_static::panic_hook::he15bb605fa1e0082 /mozglue/static/rust/lib.rs:91:9
#3 0x7fce10cbf39b in core::ops::function::Fn::call::hc02296221a301c01 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/ops/function.rs:77:5
#4 0x7fce11c9a169 in std::panicking::rust_panic_with_hook::hb0138cb6e6fea3e4 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:702:17
#5 0x7fce11c99f68 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h4cb67095557cd1aa /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:586:13
#6 0x7fce11c97273 in std::sys_common::backtrace::__rust_end_short_backtrace::h2bfcac279dcdc911 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7fce11c99cd8 in rust_begin_unwind /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:584:5
#8 0x7fce0723ffc2 in core::panicking::panic_fmt::h1de71520faaa17d3 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/panicking.rs:142:14
#9 0x7fce0723fe8c in core::panicking::panic::h467ee1bf554babeb /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/panicking.rs:48:5
#10 0x7fce100786ed in wgpu_core::command::transfer::validate_linear_texture_data::h86e8b36c638b3d28 /third_party/rust/wgpu-core/src/command/transfer.rs
#11 0x7fce100064c8 in wgpu_core::device::queue::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::queue_write_texture::h1a8d2ac3218af741 /third_party/rust/wgpu-core/src/device/queue.rs:435:50
#12 0x7fce100064c8 in wgpu_server_queue_write_action /gfx/wgpu_bindings/src/server.rs:811:13
#13 0x7fce0ab16647 in mozilla::webgpu::WebGPUParent::RecvQueueWriteAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&, mozilla::ipc::Shmem&&) /dom/webgpu/ipc/WebGPUParent.cpp:603:3
#14 0x7fce0ab2f912 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1481:80
#15 0x7fce08b4195e in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
#16 0x7fce081cf031 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1755:25
#17 0x7fce081cbb85 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1680:9
#18 0x7fce081cc726 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1480:3
#19 0x7fce081cdab1 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1578:14
#20 0x7fce075f3957 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#21 0x7fce075f9e9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#22 0x7fce081d5d34 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
#23 0x7fce080fa197 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#24 0x7fce080fa0a2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#25 0x7fce080fa0a2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#26 0x7fce075eec86 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
#27 0x7fce1d72f557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#28 0x7fce1e4a9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#29 0x7fce1e070132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
==32649==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
| Comment hidden (obsolete) |
|
|
Reporter | |
Comment 3•2 years ago
|
||
Looks like I attached the wrong testcase here.
|
||
Comment 4•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220921214338-7c0a787fe65a.
The bug appears to have been introduced in the following build range:
Start: 0274cb297f00e9163de83c2d4c02ac935e90e88d (20220120141258)
End: 2c37aa3ea90beb833b3779e935131922245899fd (20220120164800)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0274cb297f00e9163de83c2d4c02ac935e90e88d&tochange=2c37aa3ea90beb833b3779e935131922245899fd
|
||
Comment 5•2 years ago
|
||
The severity field is not set for this bug.
:jimb, could you have a look please?
For more information, please visit auto_nag documentation.
|
Assignee | |
Updated•2 years ago
|
|
|
||
Comment 6•2 years ago
|
||
Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:nical, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 7•2 years ago
|
||
Looks like the regression range is incorrect.
|
|
Reporter | |
Comment 8•2 years ago
|
||
:nical, is it not possible that this was fixed via bug 1750866?
|
|
Assignee | |
Comment 9•2 years ago
|
||
I don't think so, looks like that bug was closed before this one was filed. I just landed a fix for this upstream in https://github.com/gfx-rs/wgpu/pull/3146 so the fix will come in the next wgpu update.
|
|
Reporter | |
Comment 10•2 years ago
•
|
||
Oh, my apologies for the noise. I actually meant to suggest that this issue was a regression of bug 1750866.
|
|
Assignee | |
Comment 11•2 years ago
|
||
I actually meant to suggest that this issue was a regression of bug 1750866.
Maybe sort of, I think that the main problem is validation issues in wgpu, that patch probably changed something that made that validation issue accessible while it wasn't before but the incorrect validation was already there.
|
||
Comment 12•2 years ago
|
||
This should be fixed by the next wgpu update.
|
|
Assignee | |
Comment 13•2 years ago
|
||
Conifrmed the upstream fix.
|
|
||
Comment 14•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221219162526-91a9bbbe6bea.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Updated•2 years ago
|
Description
•