Closed
Bug 1816140
Opened 1 year ago
Closed 1 year ago
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Invalid height!), at /dom/webgpu/ipc/WebGPUParent.cpp:702
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
112 Branch
| Tracking | Status | |
|---|---|---|
| firefox112 | --- | verified |
People
(Reporter: jkratzer, Assigned: jimb)
References
(Blocks 2 open bugs)
Details
(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 3387e4f266f0 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 3387e4f266f0 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Invalid height!), at /dom/webgpu/ipc/WebGPUParent.cpp:702
==1012636==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdaf66eb6e8 bp 0x7fdad44d2520 sp 0x7fdad44d24c0 T1012715)
==1012636==The signal is caused by a WRITE memory access.
==1012636==Hint: address points to the zero page.
#0 0x7fdaf66eb6e8 in mozilla::webgpu::WebGPUParent::RecvDeviceCreateSwapChain(unsigned long, unsigned long, mozilla::layers::RGBDescriptor const&, nsTArray<unsigned long> const&, mozilla::layers::RemoteTextureOwnerId const&) /dom/webgpu/ipc/WebGPUParent.cpp:702:5
#1 0x7fdaf6704960 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1820:80
#2 0x7fdaf466e3a0 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
#3 0x7fdaf3c8a10a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
#4 0x7fdaf3c86d87 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
#5 0x7fdaf3c878b5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
#6 0x7fdaf3c88bef in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
#7 0x7fdaf3086b62 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1191:16
#8 0x7fdaf308ce1d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
#9 0x7fdaf3c91283 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
#10 0x7fdaf3bb1b78 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
#11 0x7fdaf3bb1a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#12 0x7fdaf3bb1a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#13 0x7fdaf3081fd7 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:383:10
#14 0x7fdb06059c86 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#15 0x7fdb068fab42 in start_thread nptl/pthread_create.c:442:8
#16 0x7fdb0698c9ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/webgpu/ipc/WebGPUParent.cpp:702:5 in mozilla::webgpu::WebGPUParent::RecvDeviceCreateSwapChain(unsigned long, unsigned long, mozilla::layers::RGBDescriptor const&, nsTArray<unsigned long> const&, mozilla::layers::RemoteTextureOwnerId const&)
==1012636==ABORTING
|
Reporter | |
Comment 1•1 year ago
|
||
|
||
Comment 2•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230210050819-da8d8748ace3.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: c16bd21a7817926d39dac482b0cd5cca5817a18b (20220211040854)
End: 3387e4f266f095d429421e49529dd54c68262f62 (20230202041118)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]
|
Assignee | |
Comment 4•1 year ago
|
||
|
||
Updated•1 year ago
|
Attachment #9317126 -
Attachment description: WIP: Bug 1816140: Check that OffscreenCanvas width and height fit in int32_t. → Bug 1816140: Check that OffscreenCanvas width and height fit in int32_t.
Pushed by jblandy@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/375be6eb6296 Check that OffscreenCanvas width and height fit in int32_t. r=gfx-reviewers,webidl,aosmond,nical,smaug
|
||
Comment 6•1 year ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox112:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
|
|
||
Comment 7•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230214093302-f45ac8766b61.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•