Closed Bug 1813123 Opened 1 year ago Closed 1 year ago

Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:207

Categories

(Core :: Graphics: WebGPU, defect)

x86_64
Linux
defect

RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev f75c73066b88 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build f75c73066b88 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: (detail::IsInBounds<From, To>(aFrom)), at /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:207

    ==187802==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd559bf5bfd bp 0x7ffc649e0f40 sp 0x7ffc649e0ea0 T187802)
    ==187802==The signal is caused by a WRITE memory access.
    ==187802==Hint: address points to the zero page.
        #0 0x7fd559bf5bfd in mozilla::webgpu::Device::InitSwapChain(mozilla::dom::GPUCanvasConfiguration const&, mozilla::layers::RemoteTextureOwnerId, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>*) /dom/webgpu/Device.cpp
        #1 0x7fd559bf5804 in mozilla::webgpu::CanvasContext::Configure(mozilla::dom::GPUCanvasConfiguration const&) /dom/webgpu/CanvasContext.cpp:69:29
        #2 0x7fd559100254 in mozilla::dom::GPUCanvasContext_Binding::configure(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:14840:24
        #3 0x7fd5597764b2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3308:13
        #4 0x7fd55db97376 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #5 0x7fd55db96c9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #6 0x7fd55db888df in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #7 0x7fd55db888df in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #8 0x7fd55db7bf9e in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #9 0x7fd55db96b9b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #10 0x7fd55db980cc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #11 0x7fd55de88e67 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1488:10
        #12 0x7fd55dc2b95c in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #13 0x7fd55de14eb5 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
        #14 0x7fd55de14eb5 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
        #15 0x7fd55db97376 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #16 0x7fd55db96c9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #17 0x7fd55db980cc in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #18 0x7fd55dc5420c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #19 0x7fd55898dade in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #20 0x7fd5564c0fe5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #21 0x7fd5564c02a3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #22 0x7fd5564c02a3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #23 0x7fd5564adf88 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #24 0x7fd5564aedfc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #25 0x7fd557389ee8 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1480:28
        #26 0x7fd5565d586a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1234:24
        #27 0x7fd5565db7cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #28 0x7fd5571de743 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #29 0x7fd557100358 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #30 0x7fd557100261 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #31 0x7fd557100261 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #32 0x7fd55b705af8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #33 0x7fd55d94ccfb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:742:20
        #34 0x7fd5571df659 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #35 0x7fd557100358 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #36 0x7fd557100261 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #37 0x7fd557100261 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #38 0x7fd55d94c858 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:675:34
        #39 0x55de8bdacce0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #40 0x55de8bdacce0 in main /browser/app/nsBrowserApp.cpp:353:18
        #41 0x7fd569d41d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #42 0x7fd569d41e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #43 0x55de8bd83348 in _start (/home/jkratzer/builds/m-c-20230127094652-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 3dcd87d302507e33b27ddc81c1ad79da4ab2b653)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/webgpu/Device.cpp in mozilla::webgpu::Device::InitSwapChain(mozilla::dom::GPUCanvasConfiguration const&, mozilla::layers::RemoteTextureOwnerId, mozilla::gfx::SurfaceFormat, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>*)
    ==187802==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230127094652-f75c73066b88.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 7f00dabac085e45723ccdea1c7e7e2f61e273b30 (20220129091708)
End: f75c73066b887c2379158c73c994b5ef95460238 (20230127094652)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Testcase crashes using the initial build (mozilla-central 20230127094652-f75c73066b88) but not with tip (mozilla-central 20230203160655-a356e2d3cf46).

The bug appears to have been fixed in the following build range:

Start: b7f07512450399f35fc38a7e94241b19a4c2693c (20230201215112)
End: 371e407a353d5c96d2dc553b1bef77c6a6e4df12 (20230201201354)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b7f07512450399f35fc38a7e94241b19a4c2693c&tochange=371e407a353d5c96d2dc553b1bef77c6a6e4df12

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

This was probably fixed by bug 1813719.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME
See Also: → 1813719
