Closed
Bug 1793528
Opened 2 years ago
Closed 1 year ago
Assertion failure: mSegment->Size() - (2 * pageSize) >= mSize (illegal size in shared memory segment), at /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:236
Categories
(Core :: Graphics: WebGPU, defect, P2)
Tracking
()
RESOLVED
FIXED
112 Branch
People
(Reporter: tsmith, Assigned: nical)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
553 bytes,
text/html
|
Details |
Found while fuzzing m-c 20220922-c9041757a18a (--enable-debug --enable-fuzzing). This was found with a x86 Windows build.
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mSegment->Size() - (2 * pageSize) >= mSize (illegal size in shared memory segment), at /builds/worker/checkouts/gecko/ipc/glue/Shmem.cpp:236
eax = 0x6d52ca08 ebp = 0x0083e250 ebx = 0x07540000
ecx = 0x00002002 edi = 0x00000000 edx = 0x0083d6fa
eflags = 0x00200202 eip = 0x5eed0ea5 esi = 0x0083e270
esp = 0x0083e238
OS|Windows NT|10.0.19044
CPU|x86|GenuineIntel family 6 model 70 stepping 1|8
Crash|EXCEPTION_BREAKPOINT|0x5eed0ea5|0
0|0|xul.dll|mozilla::ipc::Shmem::Shmem(mozilla::ipc::SharedMemory*, int)|hg:hg.mozilla.org/mozilla-central:ipc/glue/Shmem.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|235|0x235
0|1|xul.dll|mozilla::ipc::IToplevelProtocol::CreateSharedMemory(unsigned int, bool, int*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/ProtocolUtils.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|689|0x7b
0|2|xul.dll|mozilla::ipc::IProtocol::AllocUnsafeShmem(unsigned int, mozilla::ipc::Shmem*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/ProtocolUtils.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|430|0x35
0|3|xul.dll|mozilla::webgpu::Buffer::Create(mozilla::webgpu::Device*, unsigned long long, mozilla::dom::GPUBufferDescriptor const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/webgpu/Buffer.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|83|0x186
0|4|xul.dll|mozilla::webgpu::Device::CreateBuffer(mozilla::dom::GPUBufferDescriptor const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/webgpu/Device.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|126|0x19
0|5|xul.dll|mozilla::dom::GPUDevice_Binding::createBuffer(JSContext*, JS::Handle<JSObject *>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:66a53accce1eb563e1b5324037453a304080dc916d7779dd8689154e720aba775c4409ae982964608b4583630c9bd39a57adb222aac32227e4720925dd99028a/dom/bindings/WebGPUBinding.cpp:|17957|0x122
0|6|xul.dll|mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|3287|0x18d
0|7|xul.dll|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|458|0xc5
0|8|xul.dll|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|546|0x24f
0|9|xul.dll|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|613|0x54
0|10|xul.dll|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|3374|0x7734
0|11|xul.dll|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|430|0x1e2
0|12|xul.dll|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|578|0x267
0|13|xul.dll|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|613|0x54
0|14|xul.dll|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|645|0x10b
0|15|xul.dll|js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName *>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/SelfHosting.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|1498|0xd1
0|16|xul.dll|AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject *>, ResumeKind, JS::Handle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/AsyncFunction.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|154|0x31f
0|17|xul.dll|js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject *>, JS::Handle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/AsyncFunction.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|195|0x12
0|18|xul.dll|PromiseReactionJob(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:js/src/builtin/Promise.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|2174|0x52a
0|19|xul.dll|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|458|0xc5
0|20|xul.dll|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|546|0x24f
0|21|xul.dll|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|613|0x54
0|22|xul.dll|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|645|0x10b
0|23|xul.dll|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/CallAndConstruct.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|117|0x1dc
0|24|xul.dll|mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:d3e713ea3e7107411f5fef8dc0a4081abdc4f38634a2a343342772d6b71989e1e24be474a1b935dbb5d6432bd674e126419f141563776f9bced0f78bddb79ede/dom/bindings/PromiseBinding.cpp:|35|0xa8
0|25|xul.dll|mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:7d885247757f58cd712e7bb1dae199280182a90878cd9331531ffe98d4c17bf3bfebb690bf31378bf8c47269472f12eca72131f895d65705fa6d38734fcefa4f/dist/include/mozilla/dom/PromiseBinding.h:|88|0xf9
0|26|xul.dll|mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|213|0x16c
0|27|xul.dll|mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|676|0x496
0|28|xul.dll|mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|463|0x16
0|29|xul.dll|XPCJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSContext.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|1480|0x51a
0|30|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|1242|0xd1a
0|31|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|465|0x40
0|32|xul.dll|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|107|0x11e
0|33|xul.dll|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c9041757a18ac481d701af85012d9c7c9720db7a|381|0x82
0|34|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c9041757a18ac481d701af85012d9c7c9720db7a|374|0x72
0|35|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c9041757a18ac481d701af85012d9c7c9720db7a|356|0x57
0|36|xul.dll|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|150|0x24
0|37|xul.dll|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/windows/nsAppShell.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|614|0x290
0|38|xul.dll|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|880|0x60
0|39|xul.dll|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|235|0x37
0|40|xul.dll|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c9041757a18ac481d701af85012d9c7c9720db7a|381|0x82
0|41|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c9041757a18ac481d701af85012d9c7c9720db7a|374|0x72
0|42|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c9041757a18ac481d701af85012d9c7c9720db7a|356|0x57
0|43|xul.dll|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|739|0x9bc
0|44|xul.dll|mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|67|0x10
0|45|firefox.exe|NS_internal_main(int, char**, char**)|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|359|0x74a
0|46|firefox.exe|wmain(int, wchar_t**)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsWindowsWMain.cpp:c9041757a18ac481d701af85012d9c7c9720db7a|167|0x303
0|47|firefox.exe|__scrt_common_main_seh()|/builds/worker/workspace/obj-build/browser/app/d:/agent/_work/3/s/src/vctools/crt/vcstartup/src/startup/exe_common.inl|288|0xf9
0|48|kernel32.dll||||
0|49|ntdll.dll||||
0|50|ntdll.dll||||
Flags: in-testsuite?
|
Assignee | |
Comment 1•2 years ago
|
||
The test case creates a very large buffer that is mapped at creation, which validation will catch, but IPDL chokes on the shmem allocation before we can get there.
I have a simple patch that skips the shmem when the size is larger than the max texture size. It will fix this test case however I'd like to reproduce and better understand how likely we are to run into this with very large be legal sizes.
IPDL's shmem allocation code tries to fail gracefully, it's unclear how we are getting into this in the first place.
Assignee: nobody → nical.bugzilla
|
||
Comment 2•2 years ago
|
||
The severity field is not set for this bug.
:jimb, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jimb)
|
||
Comment 3•1 year ago
|
||
Assigning severity 3, since WebGPU is not enabled.
Severity: -- → S3
Flags: needinfo?(jimb)
Priority: -- → P2
|
|
||
Comment 4•1 year ago
•
|
||
Nical, should this block webgpu-in-nightly? [edit: added it just in case; if not, feel free to remove]
Flags: needinfo?(nical.bugzilla)
|
|
||
Updated•1 year ago
|
Blocks: webgpu-in-nightly
|
|
||
Comment 5•1 year ago
|
||
Jason, could we re-test this? We've changed a lot of this code, and we don't think it's reproducible any more.
Flags: needinfo?(jkratzer)
|
|
||
Comment 6•1 year ago
•
|
||
Jason, bug 1817271 has been fixed, could you give this another try?
|
||
Comment 7•1 year ago
|
||
I verified that this bug no longer reproduces on mozilla-central rev b8a8b74dbdd0 (20230227).
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(jkratzer)
Resolution: --- → FIXED
|
||
Updated•1 year ago
|
status-firefox110:
--- → disabled
status-firefox111:
--- → disabled
status-firefox112:
--- → fixed
status-firefox-esr102:
--- → unaffected
Flags: needinfo?(nical.bugzilla)
Target Milestone: --- → 112 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•