Closed Bug 1809567 Opened 2 years ago Closed 6 months ago

crash near null in [@ mozilla::dom::GPUDevice_Binding::createShaderModule]

Categories

(Core :: Graphics: WebGPU, defect, P1)

Tracking

VERIFIED FIXED
123 Branch
Tracking Status
firefox-esr115 --- disabled
firefox110 --- disabled
firefox111 --- disabled
firefox120 --- disabled
firefox121 --- disabled
firefox122 --- disabled
firefox123 --- verified

People

(Reporter: tsmith, Assigned: jimb)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20221111-b71647765896 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==533606==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f5020a1bc91 bp 0x7ffcb4c3bb00 sp 0x7ffcb4c3ba40 T0)
==533606==The signal is caused by a READ memory access.
==533606==Hint: address points to the zero page.
    #0 0x7f5020a1bc91 in nsWrapperCache::GetWrapperPreserveColor() const /builds/worker/checkouts/gecko/dom/base/nsWrapperCacheInlines.h
    #1 0x7f5020c724ea in nsWrapperCache::GetWrapper() const /builds/worker/workspace/obj-build/dist/include/nsWrapperCacheInlines.h:28:19
    #2 0x7f50254f76fa in DoGetOrCreateDOMReflector<mozilla::webgpu::ShaderModule, (mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior)0> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1075:26
    #3 0x7f50254f76fa in GetOrCreateDOMReflector<mozilla::webgpu::ShaderModule> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1153:10
    #4 0x7f50254f76fa in mozilla::dom::GetOrCreateDOMReflectorHelper<RefPtr<mozilla::webgpu::ShaderModule>, true>::GetOrCreate(JSContext*, RefPtr<mozilla::webgpu::ShaderModule> const&, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1732:12
    #5 0x7f50254f7236 in GetOrCreateDOMReflector<RefPtr<mozilla::webgpu::ShaderModule> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1750:10
    #6 0x7f50254f7236 in mozilla::dom::GPUDevice_Binding::createShaderModule(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:19399:8
    #7 0x7f5025e45e05 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
    #8 0x7f502e900344 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #9 0x7f502e900344 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #10 0x7f502e8ef32a in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #11 0x7f502e8ef32a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
    #12 0x7f502e8ef32a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
    #13 0x7f502e8d344c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #14 0x7f502e900460 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #15 0x7f502e90211f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #16 0x7f502e90211f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #17 0x7f502ed65c54 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10
    #18 0x7f502e9d08b0 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8
    #19 0x7f502eca277e in AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12
    #20 0x7f502eca277e in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12
    #21 0x7f502e900344 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #22 0x7f502e900344 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #23 0x7f502e90211f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #24 0x7f502e90211f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #25 0x7f502ea0b03d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #26 0x7f5024bac86c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
    #27 0x7f5020a185ba in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
    #28 0x7f5020a185ba in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
    #29 0x7f5020a185ba in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
    #30 0x7f50209f8367 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
    #31 0x7f50209f938f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
    #32 0x7f5022681184 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1479:28
    #33 0x7f5020c29ad7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:24
    #34 0x7f5020c33974 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #35 0x7f502239d093 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #36 0x7f502221ff87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #37 0x7f502221ff87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #38 0x7f502221ff87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #39 0x7f50295754a9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #40 0x7f502e4e8798 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #41 0x7f502221ff87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #42 0x7f502221ff87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #43 0x7f502221ff87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #44 0x7f502e4e7f2f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #45 0x563a81161454 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #46 0x563a81161917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #47 0x7f50430a1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #48 0x7f50430a1e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #49 0x563a8109fed8 in _start (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: e66a77d0bfedd4d1945e41f4868d91c9e84bc123)
Flags: in-testsuite?
Crash Signature: [@ nsWrapperCache::GetWrapperPreserveColor]

A Pernosco session is available here: https://pernos.co/debug/dk5aLHG1vBQqd7DOm4JUwg/index.html

Verified bug as reproducible on mozilla-central 20230111043919-66c42cef8816.
The bug appears to have been introduced in the following build range:

Start: e6e2286d2ac25001127a1cf54a87a95fb435c734 (20220708093332)
End: 807e95cd9956aa4967ddddc80f8ccab4ad370e8d (20220708081410)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e6e2286d2ac25001127a1cf54a87a95fb435c734&tochange=807e95cd9956aa4967ddddc80f8ccab4ad370e8d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

I'm puzzled that this bug is happening in release, and not Nightly (which is where the WebGPU API is only available for end users right now). :jimb/:jgilbert, is there still something like initialization of WebGPU done in release?

Blocks: webgpu-v1
Severity: -- → S3
Priority: -- → P3

This issue has been sitting for a while and is reported frequently by fuzzers. Please prioritize it appropriately.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimb, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(jimb)

Marked as P1 per WebGPU team policy.

Flags: needinfo?(jimb)
Priority: P3 → P1

Assigning myself. May revisit after our Tue AM meeting.

Assignee: nobody → jimb

I can reproduce this locally on x86-64 Fedora 37 in a release+debug build on changeset c44f0d09630a (2024-2-2) using grizzly.replay.

The bug is that mozilla::webgpu::Device::CreateShaderModule doesn't properly handle failures from dom::promise::Create. This trips the assertion in ErrorResult's destructor that the error was handled somehow.

If creation of the CompilationInfo promise fails in
mozilla::webgpu::Device::CreateShaderModule, propagate the error
properly, rather than leaving a local ErrorResult unhandled.
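The failure mode described in the comment and commit message above, as an added illustration that is not Gecko's code: a failure from a Promise-creating call is recorded in a local ErrorResult and then dropped, so the caller's ErrorResult stays clean while the function returns null, and the binding layer then tries to wrap that null object (the GetWrapper call at the top of the stack trace). ErrorResult, Promise, ShaderModule and the binding function are small stand-ins with Gecko-like names; the `failPromise` flag is an assumption standing in for whatever condition makes dom::Promise::Create fail in the real testcase (the page does not say); and the destructor counts unhandled errors where Gecko's asserts, so the violation can be observed without aborting. Creating the promise against the caller's ErrorResult is one way to propagate the error; the actual patch is not reproduced here.

```cpp
#include <memory>

// Number of ErrorResults destroyed while still holding an unconsumed error.
// Gecko's real ErrorResult asserts in its destructor instead; counting lets
// a test observe the violation without aborting. (Assumption, not Gecko code.)
int g_unhandled_errors = 0;

// Stand-in for Gecko's ErrorResult: once an error is set, the holder must
// either propagate it to its caller or turn it into a JS exception before
// the object goes out of scope.
struct ErrorResult {
    bool failed = false;
    bool handled = false;

    void Throw() { failed = true; }
    bool Failed() const { return failed; }
    // The binding layer converted the error into a JS exception.
    void SuppressException() { handled = true; }
    ~ErrorResult() {
        if (failed && !handled) ++g_unhandled_errors;
    }
};

struct Promise {};
struct ShaderModule {
    std::shared_ptr<Promise> compilationInfo;
};

// Stand-in for dom::Promise::Create. The page does not say what makes the
// real call fail, so failure is simply injected through `fail`.
std::shared_ptr<Promise> PromiseCreate(bool fail, ErrorResult& rv) {
    if (fail) {
        rv.Throw();
        return nullptr;
    }
    return std::make_shared<Promise>();
}

// BUGGY shape: the failure lands in a local ErrorResult that is then
// discarded. The caller's rv stays clean, yet the function returns null.
std::shared_ptr<ShaderModule> CreateShaderModuleBuggy(bool failPromise,
                                                      ErrorResult& /*rv*/) {
    ErrorResult local;
    std::shared_ptr<Promise> promise = PromiseCreate(failPromise, local);
    if (!promise) {
        return nullptr;  // `local` is destroyed here with its error unhandled
    }
    return std::make_shared<ShaderModule>(ShaderModule{promise});
}

// FIXED shape: create the promise against the caller's ErrorResult, so the
// binding sees Failed() and throws instead of trying to wrap a null result.
std::shared_ptr<ShaderModule> CreateShaderModuleFixed(bool failPromise,
                                                      ErrorResult& rv) {
    std::shared_ptr<Promise> promise = PromiseCreate(failPromise, rv);
    if (rv.Failed()) {
        return nullptr;  // the error travels up in rv
    }
    return std::make_shared<ShaderModule>(ShaderModule{promise});
}

enum class Outcome { Wrapped, ThrewException, NullDereference };

using CreateFn = std::shared_ptr<ShaderModule> (*)(bool, ErrorResult&);

// Stand-in for the generated GPUDevice_Binding::createShaderModule: consult
// rv first, then hand the result to the reflector-wrapping code. In the real
// binding a null result with a clean rv is dereferenced (the GetWrapper call
// in the stack trace); here it is reported as an Outcome instead of crashing.
Outcome BindingCreateShaderModule(CreateFn create, bool failPromise) {
    ErrorResult rv;
    std::shared_ptr<ShaderModule> module = create(failPromise, rv);
    if (rv.Failed()) {
        rv.SuppressException();
        return Outcome::ThrewException;
    }
    if (!module) {
        return Outcome::NullDereference;
    }
    return Outcome::Wrapped;
}
```

The invariant the binding relies on is that a callee returns either a usable object or a failed ErrorResult, never a null object with a clean one; the buggy shape violates it exactly when promise creation fails, which is why the symptom only appears under that failure and is invisible on the happy path.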

We have a fix for this, but a reviewer (quite reasonably) asked for a crashtest, which is a little tricky to write. But I think I have the techniques in hand. If I can't get it working by EOD I will ask to land the fix and address the crashtest in a high-priority followup.

The latest iteration of the patch includes a crashtest that reliably reproduces the crash.

Pushed by jblandy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e8af82a85a88
Propagate promise creation failures in mozilla::webgpu::Device::CreateShaderModule. r=webgpu-reviewers,webidl,smaug,saschanaz,ErichDonGubler
Backout by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2cc98a4e9c92
Backed out changeset e8af82a85a88 for causing crashtests in 1809567.html CLOSED TREE

The crashtest was failing because WebGPU is not available on the test machine - perhaps because the task requires software webrender. There are also cases where WebGPU is disabled by blocklist entries.

Regardless, we know that WebGPU adapters are available on some of our CI tasks, so the fix is to simply make this bug's crashtest cope with WebGPU being unavailable.

Flags: needinfo?(jimb)
Pushed by jblandy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d6318b034527
Propagate promise creation failures in mozilla::webgpu::Device::CreateShaderModule. r=webgpu-reviewers,webidl,smaug,saschanaz,ErichDonGubler
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

Verified bug as fixed on rev mozilla-central 20240106211805-d6318b034527.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Blocks: 1779772
