1812151 - Hit MOZ_CRASH(Buffer Valid((1, 1, Vulkan)) is still mapped) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/queue.rs:913

Status: RESOLVED FIXED

(Core :: Graphics: WebGPU, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20221125-8b092cca2cab (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Buffer Valid((1, 1, Vulkan)) is still mapped) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/queue.rs:913

#0 0x7fb336da9345 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7fb336da9345 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fb336da92c2 in mozglue_static::panic_hook::h54d936b166c9baa9 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7fb336da8d8b in core::ops::function::Fn::call::hca13bd9519fdde34 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/ops/function.rs:78:5
#4 0x7fb337e719c8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h44df53ea2a13204b /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/alloc/src/boxed.rs:2001:9
#5 0x7fb337e719c8 in std::panicking::rust_panic_with_hook::hfd45b6b6c12d9fa5 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:692:13
#6 0x7fb337e71746 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf591e8609a75bd4b /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:579:13
#7 0x7fb337e6ea7b in std::sys_common::backtrace::__rust_end_short_backtrace::h81899558795e4ff7 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/sys_common/backtrace.rs:137:18
#8 0x7fb337e71461 in rust_begin_unwind /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:575:5
#9 0x7fb337ec8122 in core::panicking::panic_fmt::h4235fa9b4675b332 /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/panicking.rs:65:14
#10 0x7fb336116f80 in wgpu_core::device::queue::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::queue_submit::h78c9003a60ebb937 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/queue.rs:913:42
#11 0x7fb3361813eb in wgpu_server_queue_submit /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:771:18
#12 0x7fb330ab7624 in mozilla::webgpu::WebGPUParent::RecvQueueSubmit(unsigned long, unsigned long, nsTArray<unsigned long> const&) /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:613:3
#13 0x7fb330ad0ac4 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1416:80
#14 0x7fb32ea5d7a0 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
#15 0x7fb32e07821a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#16 0x7fb32e074e97 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#17 0x7fb32e0759c5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#18 0x7fb32e076cff in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#19 0x7fb32d47eed8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16
#20 0x7fb32d48513d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#21 0x7fb32e07f393 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#22 0x7fb32df9ff18 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#23 0x7fb32df9fe21 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#24 0x7fb32df9fe21 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#25 0x7fb32d47a3d7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
#26 0x7fb34035fc86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#27 0x7fb340c08b42 in start_thread nptl/pthread_create.c:442:8
#28 0x7fb340c9a9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Comment 1

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20221125214546-8b092cca2cab) but not with tip (mozilla-central 20230124213422-ba77054848c4.)

The bug appears to have been fixed in the following build range:

Start: 5ddeabd60a3ceacb071fe392982484be50e49987 (20230124085757)
End: 9b6e69ab8017d1947dc209e38f3713284f26f7be (20230124102327)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5ddeabd60a3ceacb071fe392982484be50e49987&tochange=9b6e69ab8017d1947dc209e38f3713284f26f7be

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 2

[Tyson Smith [:tsmith]]

This was fixed by bug 1811284.