Open Bug 1809567 Opened 3 months ago Updated 1 month ago

crash near null in [@ mozilla::dom::GPUDevice_Binding::createShaderModule]

Categories

(Core :: Graphics: WebGPU, defect)

Product:
Core
Component:
Graphics: WebGPU
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox110 --- disabled
firefox111 --- wontfix

People

(Reporter: tsmith, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

testcase.html
329 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20221111-b71647765896 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==533606==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f5020a1bc91 bp 0x7ffcb4c3bb00 sp 0x7ffcb4c3ba40 T0)
==533606==The signal is caused by a READ memory access.
==533606==Hint: address points to the zero page.
    #0 0x7f5020a1bc91 in nsWrapperCache::GetWrapperPreserveColor() const /builds/worker/checkouts/gecko/dom/base/nsWrapperCacheInlines.h
    #1 0x7f5020c724ea in nsWrapperCache::GetWrapper() const /builds/worker/workspace/obj-build/dist/include/nsWrapperCacheInlines.h:28:19
    #2 0x7f50254f76fa in DoGetOrCreateDOMReflector<mozilla::webgpu::ShaderModule, (mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior)0> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1075:26
    #3 0x7f50254f76fa in GetOrCreateDOMReflector<mozilla::webgpu::ShaderModule> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1153:10
    #4 0x7f50254f76fa in mozilla::dom::GetOrCreateDOMReflectorHelper<RefPtr<mozilla::webgpu::ShaderModule>, true>::GetOrCreate(JSContext*, RefPtr<mozilla::webgpu::ShaderModule> const&, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1732:12
    #5 0x7f50254f7236 in GetOrCreateDOMReflector<RefPtr<mozilla::webgpu::ShaderModule> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BindingUtils.h:1750:10
    #6 0x7f50254f7236 in mozilla::dom::GPUDevice_Binding::createShaderModule(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:19399:8
    #7 0x7f5025e45e05 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
    #8 0x7f502e900344 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #9 0x7f502e900344 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #10 0x7f502e8ef32a in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #11 0x7f502e8ef32a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
    #12 0x7f502e8ef32a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
    #13 0x7f502e8d344c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #14 0x7f502e900460 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #15 0x7f502e90211f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #16 0x7f502e90211f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #17 0x7f502ed65c54 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10
    #18 0x7f502e9d08b0 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8
    #19 0x7f502eca277e in AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12
    #20 0x7f502eca277e in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12
    #21 0x7f502e900344 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #22 0x7f502e900344 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #23 0x7f502e90211f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #24 0x7f502e90211f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #25 0x7f502ea0b03d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #26 0x7f5024bac86c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
    #27 0x7f5020a185ba in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
    #28 0x7f5020a185ba in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
    #29 0x7f5020a185ba in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
    #30 0x7f50209f8367 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
    #31 0x7f50209f938f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
    #32 0x7f5022681184 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1479:28
    #33 0x7f5020c29ad7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:24
    #34 0x7f5020c33974 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
    #35 0x7f502239d093 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #36 0x7f502221ff87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #37 0x7f502221ff87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #38 0x7f502221ff87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #39 0x7f50295754a9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #40 0x7f502e4e8798 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
    #41 0x7f502221ff87 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #42 0x7f502221ff87 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #43 0x7f502221ff87 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #44 0x7f502e4e7f2f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
    #45 0x563a81161454 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #46 0x563a81161917 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #47 0x7f50430a1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #48 0x7f50430a1e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #49 0x563a8109fed8 in _start (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-asan-opt/firefox+0x111ed8) (BuildId: e66a77d0bfedd4d1945e41f4868d91c9e84bc123)
Flags: in-testsuite?
Crash Signature: [@ nsWrapperCache::GetWrapperPreserveColor]

A Pernosco session is available here: https://pernos.co/debug/dk5aLHG1vBQqd7DOm4JUwg/index.html

Verified bug as reproducible on mozilla-central 20230111043919-66c42cef8816.
The bug appears to have been introduced in the following build range:

Start: e6e2286d2ac25001127a1cf54a87a95fb435c734 (20220708093332)
End: 807e95cd9956aa4967ddddc80f8ccab4ad370e8d (20220708081410)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e6e2286d2ac25001127a1cf54a87a95fb435c734&tochange=807e95cd9956aa4967ddddc80f8ccab4ad370e8d

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)
You need to log in before you can comment on or make changes to this bug.