1813705 - Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: TryFromIntError(())) at /third_party/rust/wgpu-core/src/command/render.rs:2131

Status: NEW

(Core :: Graphics: WebGPU, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 49ac19f1e046 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 49ac19f1e046 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: TryFromIntError(())) at /third_party/rust/wgpu-core/src/command/render.rs:2131

    ==698667==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc270bce525 bp 0x7ffcee43bff0 sp 0x7ffcee43bfe0 T698667)
    ==698667==The signal is caused by a WRITE memory access.
    ==698667==Hint: address points to the zero page.
        #0 0x7fc270bce525 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fc270bce525 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fc270bce49f in mozglue_static::panic_hook::h8aaeca453eaddea4 /mozglue/static/rust/lib.rs:91:9
        #3 0x7fc270bcdecb in core::ops::function::Fn::call::h8c839fef988e6243 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:161:5
        #4 0x7fc271bcd7fc in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::ha7dbb2d260f78172 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2032:9
        #5 0x7fc271bcd7fc in std::panicking::rust_panic_with_hook::hdb4da1ae79c845a5 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:692:13
        #6 0x7fc271bcd578 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h02b5b35b126d5cf2 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:579:13
        #7 0x7fc271bca95b in std::sys_common::backtrace::__rust_end_short_backtrace::h6c6853376cf416d1 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:137:18
        #8 0x7fc271bcd281 in rust_begin_unwind /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:575:5
        #9 0x7fc271c296a2 in core::panicking::panic_fmt::hfd9e949092070b66 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:64:14
        #10 0x7fc271c29c12 in core::result::unwrap_failed::h4d34d8346233eb49 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/result.rs:1791:5
        #11 0x7fc26ffe9d86 in wgpu_render_pass_set_bind_group /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/result.rs
        #12 0x7fc269c9c0c1 in mozilla::dom::GPURenderPassEncoder_Binding::setBindGroup(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:24696:24
        #13 0x7fc26a2f3cd2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3308:13
        #14 0x7fc26e71e056 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #15 0x7fc26e71d97f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #16 0x7fc26e70f5bf in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #17 0x7fc26e70f5bf in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #18 0x7fc26e702c7e in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #19 0x7fc26e71d87b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #20 0x7fc26e71edac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #21 0x7fc26ea0fb57 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1488:10
        #22 0x7fc26e7b263c in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #23 0x7fc26e99bba5 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
        #24 0x7fc26e99bba5 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
        #25 0x7fc26e71e056 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #26 0x7fc26e71d97f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #27 0x7fc26e71edac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #28 0x7fc26e7daeec in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #29 0x7fc269508cee in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #30 0x7fc267023fb5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #31 0x7fc267023273 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #32 0x7fc267023273 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #33 0x7fc267010f58 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #34 0x7fc267011dcc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #35 0x7fc267eece38 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1480:28
        #36 0x7fc26713883a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1234:24
        #37 0x7fc26713e79d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #38 0x7fc267d41673 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #39 0x7fc267c63258 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #40 0x7fc267c63161 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #41 0x7fc267c63161 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #42 0x7fc26c283148 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #43 0x7fc26e4d39db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:742:20
        #44 0x7fc267d42539 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #45 0x7fc267c63258 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #46 0x7fc267c63161 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #47 0x7fc267c63161 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #48 0x7fc26e4d3538 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:675:34
        #49 0x555bbbf29ce0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #50 0x555bbbf29ce0 in main /browser/app/nsBrowserApp.cpp:353:18
        #51 0x7fc27c261d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #52 0x7fc27c261e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #53 0x555bbbf00348 in _start (/home/jkratzer/builds/m-c-20230130035123-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 925bf2dc759b044fa7f059ac60ea374376106551)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==698667==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230130214413-8eb2c58dc415.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 4bff0b888cd9a91b7cb4dc3d35951160e39aa0ae (20220201093942)
End: 49ac19f1e04696769d37ba1b347a5b5e73d1bec7 (20230130035123)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Comment 3

[Mayank Bansal]

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/94a986d6-cb81-465f-b29b-f73a20230131

Comment 4

[Release mgmt bot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.