Closed Bug 1813705 Opened 1 year ago Closed 11 months ago

Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: TryFromIntError(())) at /third_party/rust/wgpu-core/src/command/render.rs:2131

Categories

(Core :: Graphics: WebGPU, defect, P2)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
115 Branch
Tracking Status
firefox-esr102 --- disabled
firefox113 --- disabled
firefox114 --- disabled
firefox115 --- fixed

People

(Reporter: jkratzer, Assigned: ErichDonGubler)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 49ac19f1e046 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 49ac19f1e046 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(called `Result::unwrap()` on an `Err` value: TryFromIntError(())) at /third_party/rust/wgpu-core/src/command/render.rs:2131

    ==698667==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc270bce525 bp 0x7ffcee43bff0 sp 0x7ffcee43bfe0 T698667)
    ==698667==The signal is caused by a WRITE memory access.
    ==698667==Hint: address points to the zero page.
        #0 0x7fc270bce525 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fc270bce525 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fc270bce49f in mozglue_static::panic_hook::h8aaeca453eaddea4 /mozglue/static/rust/lib.rs:91:9
        #3 0x7fc270bcdecb in core::ops::function::Fn::call::h8c839fef988e6243 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:161:5
        #4 0x7fc271bcd7fc in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::ha7dbb2d260f78172 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2032:9
        #5 0x7fc271bcd7fc in std::panicking::rust_panic_with_hook::hdb4da1ae79c845a5 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:692:13
        #6 0x7fc271bcd578 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h02b5b35b126d5cf2 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:579:13
        #7 0x7fc271bca95b in std::sys_common::backtrace::__rust_end_short_backtrace::h6c6853376cf416d1 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:137:18
        #8 0x7fc271bcd281 in rust_begin_unwind /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:575:5
        #9 0x7fc271c296a2 in core::panicking::panic_fmt::hfd9e949092070b66 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:64:14
        #10 0x7fc271c29c12 in core::result::unwrap_failed::h4d34d8346233eb49 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/result.rs:1791:5
        #11 0x7fc26ffe9d86 in wgpu_render_pass_set_bind_group /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/result.rs
        #12 0x7fc269c9c0c1 in mozilla::dom::GPURenderPassEncoder_Binding::setBindGroup(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:24696:24
        #13 0x7fc26a2f3cd2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3308:13
        #14 0x7fc26e71e056 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #15 0x7fc26e71d97f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #16 0x7fc26e70f5bf in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #17 0x7fc26e70f5bf in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #18 0x7fc26e702c7e in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #19 0x7fc26e71d87b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #20 0x7fc26e71edac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #21 0x7fc26ea0fb57 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1488:10
        #22 0x7fc26e7b263c in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #23 0x7fc26e99bba5 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
        #24 0x7fc26e99bba5 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
        #25 0x7fc26e71e056 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:459:13
        #26 0x7fc26e71d97f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #27 0x7fc26e71edac in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #28 0x7fc26e7daeec in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #29 0x7fc269508cee in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #30 0x7fc267023fb5 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #31 0x7fc267023273 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #32 0x7fc267023273 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #33 0x7fc267010f58 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #34 0x7fc267011dcc in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #35 0x7fc267eece38 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1480:28
        #36 0x7fc26713883a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1234:24
        #37 0x7fc26713e79d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #38 0x7fc267d41673 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #39 0x7fc267c63258 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #40 0x7fc267c63161 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #41 0x7fc267c63161 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #42 0x7fc26c283148 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #43 0x7fc26e4d39db in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:742:20
        #44 0x7fc267d42539 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #45 0x7fc267c63258 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #46 0x7fc267c63161 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #47 0x7fc267c63161 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #48 0x7fc26e4d3538 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:675:34
        #49 0x555bbbf29ce0 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #50 0x555bbbf29ce0 in main /browser/app/nsBrowserApp.cpp:353:18
        #51 0x7fc27c261d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #52 0x7fc27c261e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #53 0x555bbbf00348 in _start (/home/jkratzer/builds/m-c-20230130035123-fuzzing-debug/firefox-bin+0x5b348) (BuildId: 925bf2dc759b044fa7f059ac60ea374376106551)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==698667==ABORTING
Attached file Testcase (obsolete) —

Verified bug as reproducible on mozilla-central 20230130214413-8eb2c58dc415.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 4bff0b888cd9a91b7cb4dc3d35951160e39aa0ae (20220201093942)
End: 49ac19f1e04696769d37ba1b347a5b5e73d1bec7 (20230130035123)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ core::result::unwrap_failed | wgpu_core::command::render::render_ffi::wgpu_render_pass_set_bind_group ]
Keywords: crash

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)
See Also: → 1780799

Testcase crashes using the initial build (mozilla-central 20230130035123-49ac19f1e046) but not with tip (mozilla-central 20230421211246-38967ad7e8f2).

The bug appears to have been fixed in the following build range:

Start: 1881ebd0d8e56fb3b338ca1eb047c6198b117e9a (20230415092927)
End: 4478010afe8699402699dc895c4c4a405adeddf8 (20230415081028)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1881ebd0d8e56fb3b338ca1eb047c6198b117e9a&tochange=4478010afe8699402699dc895c4c4a405adeddf8

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jimb) → needinfo?(jkratzer)
Keywords: bugmon

Kelsey, is this something that could have been fixed by bug 1817541?

Flags: needinfo?(jkratzer) → needinfo?(jgilbert)
Attached file Testcase

Updated the test case to reproduce with latest API changes made to conform to the spec (i.e., GPURenderPassColorAttachment.loadValue has been renamed to loadOp). I'm still getting a crash here; bug 1817541 merely changed the previous test case to a run-time error because of incorrect API usage. 😕

Attachment #9314946 - Attachment is obsolete: true
Flags: needinfo?(jgilbert)

The root cause of the crash I'm reproducing in my previous comment seems to be that:

  1. We define u32 values for bind group indices (i.e., the binding member of GPUBindGroupLayoutEntry, which are elements of the array passed into GPUDevice.createBindGroupLayout).
  2. When we call wgpu_core::command::render::wgpu_render_pass_set_bind_group via FFI, it attempts to construct an instance of RenderCommand::SetBindGroup whose index member is derived from the binding field in the JS layout entry. wgpu-core attempts to infallibly coerce the u32 index provided from JS into a u8.
  3. This fuzzing test case passes a bind group index that is greater than u8::MAX (3875), which results in a panic in wgpu-core.

I'm not sure what the resolution here is. There are two options that I see:

  1. Firefox's implementation accepts 32-bit unsigned integers in JS land, but throws a TypeError or something when it fails to validate that binding is within u8 representation bounds. This doesn't follow the current WebGPU v1 spec draft, though.
  2. wgpu upstream should be changed to accept u32 for bind group indices. AFAIK, all supported platforms for wgpu have 32-bit word sizes, which is the only potential blocker I see for making this change. I already have a draft PR in upstream for this (see wgpu#3743) to see how feasible this is.
Assignee: nobody → egubler
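The failure mode described in the root-cause comment above, reduced to a stand-alone Rust example (added here; this is not wgpu-core's code and the types are simplified stand-ins). The crashing pattern is an infallible `u8::try_from(index).unwrap()` on a caller-controlled `u32` that crosses the FFI boundary from JS; the hardened version keeps the index as `u32`, validates it against a bind-group limit, and returns an error the caller can surface instead of aborting the process. The limit value, the `SetBindGroup`/`BindGroupError` types and the `max_bind_groups` parameter are assumptions for illustration; the error text mirrors the console message quoted later in this bug.

```rust
use std::fmt;

/// Simplified stand-in for a render-pass "set bind group" command whose
/// index is kept at its full JS width (assumed shape, not wgpu's real type).
#[derive(Debug, PartialEq)]
pub struct SetBindGroup {
    pub index: u32,
}

/// Validation failure returned instead of panicking (assumed error type).
#[derive(Debug, PartialEq)]
pub enum BindGroupError {
    /// The requested index is beyond the last index the device allows.
    IndexOutOfRange { index: u32, max: u32 },
}

impl fmt::Display for BindGroupError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            BindGroupError::IndexOutOfRange { index, max } => write!(
                f,
                "Binding index {} is greater than the maximum index {}",
                index, max
            ),
        }
    }
}

/// The pattern behind the crash: the u32 index that arrived over FFI is
/// narrowed to u8 with `.unwrap()`, so any index above u8::MAX (255)
/// turns a bad API argument into a process abort. Kept only to show the
/// failure mode; calling it with an index above 255 panics.
pub fn set_bind_group_narrowing(index: u32) -> u8 {
    u8::try_from(index).unwrap()
}

/// Hardened form: the index stays u32 and is checked against the device
/// limit (`max_bind_groups`, assumed parameter). Out-of-range input yields
/// a recoverable error rather than a panic at the FFI boundary.
pub fn set_bind_group_checked(
    index: u32,
    max_bind_groups: u32,
) -> Result<SetBindGroup, BindGroupError> {
    if max_bind_groups == 0 || index >= max_bind_groups {
        return Err(BindGroupError::IndexOutOfRange {
            index,
            max: max_bind_groups.saturating_sub(1),
        });
    }
    Ok(SetBindGroup { index })
}

fn main() {
    // Constructed input: the index from the fuzzing test case (3875) and a
    // limit of 4 bind groups, the WebGPU default for maxBindGroups.
    let fuzzed_index = 3875;
    let max_bind_groups = 4;

    match set_bind_group_checked(fuzzed_index, max_bind_groups) {
        Ok(cmd) => println!("accepted: {:?}", cmd),
        Err(e) => println!("rejected: {}", e),
    }
    // The narrowing version is not called on the fuzzed index here, since
    // it would abort the program just as the original crash did.
    println!("in-range narrowing still works: {}", set_bind_group_narrowing(3));
}
```

The test below exercises both paths: `catch_unwind` confirms that the narrowing version panics on the fuzzed index, while the checked version returns the range error for the same input and accepts an in-range index.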

Upstream PR for resolving this: wgpu#3743

wgpu#3743 has been merged upstream. Now awaiting the consumption of another wgpu update.

Status: NEW → ASSIGNED
Depends on: 1832451

I can confirm that the fix upstream that will be delivered with bug 1832451 also fixes this issue; I'm now getting an error message in the JS console that states Binding index 3875 is greater than the maximum index 640, rather than a crash, which is exactly what we want here.

Severity: -- → S3
Priority: -- → P2
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
Duplicate of this bug: 1780799

Copying crash signatures from duplicate bugs.

Crash Signature: [@ core::result::unwrap_failed | wgpu_core::command::render::render_ffi::wgpu_render_pass_set_bind_group ] → [@ core::result::unwrap_failed | wgpu_core::command::render::render_ffi::wgpu_render_pass_set_bind_group ] [@ core::result::unwrap_failed | wgpu_core::command::compute::compute_ffi::wgpu_compute_pass_set_bind_group]
Crash Signature: [@ core::result::unwrap_failed | wgpu_core::command::render::render_ffi::wgpu_render_pass_set_bind_group ] [@ core::result::unwrap_failed | wgpu_core::command::compute::compute_ffi::wgpu_compute_pass_set_bind_group] → [@ core::result::unwrap_failed | wgpu_core::command::render::render_ffi::wgpu_render_pass_set_bind_group ] [@ core::result::unwrap_failed | wgpu_core::command::compute::compute_ffi::wgpu_compute_pass_set_bind_group]
QA Whiteboard: [qa-115b-p2]