Closed Bug 1791809 Opened 2 years ago Closed 1 year ago

Hit MOZ_CRASH(attempt to multiply with overflow) at /third_party/rust/wgpu-core/src/command/transfer.rs:268

Categories

(Core :: Graphics: WebGPU, defect, P3)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
110 Branch
Tracking Status
firefox-esr102 --- disabled
firefox108 --- disabled
firefox109 --- disabled
firefox110 --- fixed

People

(Reporter: jkratzer, Assigned: nical)

References

(Blocks 2 open bugs)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 558bd074ee55 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 558bd074ee55 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(attempt to multiply with overflow) at /third_party/rust/wgpu-core/src/command/transfer.rs:268

    ==32649==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fce10cbf995 bp 0x7fcdad3fe750 sp 0x7fcdad3fe740 T32694)
    ==32649==The signal is caused by a WRITE memory access.
    ==32649==Hint: address points to the zero page.
        #0 0x7fce10cbf995 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fce10cbf995 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fce10cbf918 in mozglue_static::panic_hook::he15bb605fa1e0082 /mozglue/static/rust/lib.rs:91:9
        #3 0x7fce10cbf39b in core::ops::function::Fn::call::hc02296221a301c01 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/ops/function.rs:77:5
        #4 0x7fce11c9a169 in std::panicking::rust_panic_with_hook::hb0138cb6e6fea3e4 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:702:17
        #5 0x7fce11c99f68 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h4cb67095557cd1aa /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:586:13
        #6 0x7fce11c97273 in std::sys_common::backtrace::__rust_end_short_backtrace::h2bfcac279dcdc911 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/sys_common/backtrace.rs:138:18
        #7 0x7fce11c99cd8 in rust_begin_unwind /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:584:5
        #8 0x7fce0723ffc2 in core::panicking::panic_fmt::h1de71520faaa17d3 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/panicking.rs:142:14
        #9 0x7fce0723fe8c in core::panicking::panic::h467ee1bf554babeb /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/panicking.rs:48:5
        #10 0x7fce100786ed in wgpu_core::command::transfer::validate_linear_texture_data::h86e8b36c638b3d28 /third_party/rust/wgpu-core/src/command/transfer.rs
        #11 0x7fce100064c8 in wgpu_core::device::queue::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::queue_write_texture::h1a8d2ac3218af741 /third_party/rust/wgpu-core/src/device/queue.rs:435:50
        #12 0x7fce100064c8 in wgpu_server_queue_write_action /gfx/wgpu_bindings/src/server.rs:811:13
        #13 0x7fce0ab16647 in mozilla::webgpu::WebGPUParent::RecvQueueWriteAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&, mozilla::ipc::Shmem&&) /dom/webgpu/ipc/WebGPUParent.cpp:603:3
        #14 0x7fce0ab2f912 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1481:80
        #15 0x7fce08b4195e in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
        #16 0x7fce081cf031 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1755:25
        #17 0x7fce081cbb85 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1680:9
        #18 0x7fce081cc726 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1480:3
        #19 0x7fce081cdab1 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1578:14
        #20 0x7fce075f3957 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #21 0x7fce075f9e9d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #22 0x7fce081d5d34 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #23 0x7fce080fa197 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #24 0x7fce080fa0a2 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #25 0x7fce080fa0a2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #26 0x7fce075eec86 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #27 0x7fce1d72f557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #28 0x7fce1e4a9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #29 0x7fce1e070132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==32649==ABORTING
Attached file Testcase (obsolete) —
Attached file testcase.html

Looks like I attached the wrong testcase here.

Attachment #9295611 - Attachment is obsolete: true
Keywords: bugmon

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220921214338-7c0a787fe65a.
The bug appears to have been introduced in the following build range:

Start: 0274cb297f00e9163de83c2d4c02ac935e90e88d (20220120141258)
End: 2c37aa3ea90beb833b3779e935131922245899fd (20220120164800)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0274cb297f00e9163de83c2d4c02ac935e90e88d&tochange=2c37aa3ea90beb833b3779e935131922245899fd

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)
Assignee: nobody → nical.bugzilla
Severity: -- → S2
Flags: needinfo?(jimb)
Priority: -- → P3

Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:nical, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(nical.bugzilla)

Looks like the regression range is incorrect.

Flags: needinfo?(nical.bugzilla)

:nical, is it not possible that this was fixed via bug 1750866?

Flags: needinfo?(nical.bugzilla)

I don't think so, looks like that bug was closed before this one was filed. I just landed a fix for this upstream in https://github.com/gfx-rs/wgpu/pull/3146 so the fix will come in the next wgpu update.

Flags: needinfo?(nical.bugzilla)

Oh, my apologies for the noise. I actually meant to suggest that this issue was a regression of bug 1750866.

I actually meant to suggest that this issue was a regression of bug 1750866.

Maybe sort of, I think that the main problem is validation issues in wgpu, that patch probably changed something that made that validation issue accessible while it wasn't before but the incorrect validation was already there.

This should be fixed by the next wgpu update.

Conifrmed the upstream fix.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20221219162526-91a9bbbe6bea.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Depends on: 1806166
Target Milestone: --- → 110 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: