SetAsGPUOutOfMemoryError() called but its OwningNonNull is left uninitialized
Categories
(Core :: Graphics: WebGPU, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox114 | --- | unaffected |
| firefox115 | --- | unaffected |
| firefox116 | --- | fixed |
People
(Reporter: jgilbert, Assigned: jgilbert)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
|
Assignee | |
Comment 1•2 years ago
|
||
From bug 1838703, here's the root cause analysis for the regression surfaced (though not introduced) by bug 1837557.
class OwningGPUOutOfMemoryErrorOrGPUValidationError : public AllOwningUnionBase
[...]
union Value
{
UnionMember<OwningNonNull<mozilla::webgpu::OutOfMemoryError> > mGPUOutOfMemoryError;
UnionMember<OwningNonNull<mozilla::webgpu::ValidationError> > mGPUValidationError;
};
TypeOrUninit mType;
Value mValue;
OwningNonNull<mozilla::webgpu::OutOfMemoryError>&
OwningGPUOutOfMemoryErrorOrGPUValidationError::SetAsGPUOutOfMemoryError()
{
if (mType == eGPUOutOfMemoryError) {
return mValue.mGPUOutOfMemoryError.Value();
}
Uninit();
mType = eGPUOutOfMemoryError;
return mValue.mGPUOutOfMemoryError.SetValue();
}
class UnionMember {
AlignedStorage2<T> mStorage;
[...]
template <typename... Args>
T& SetValue(Args&&... args) {
new (mStorage.addr()) T(std::forward<Args>(args)...);
return *mStorage.addr();
}
template <class T>
class MOZ_IS_SMARTPTR_TO_REFCOUNTED OwningNonNull {
public:
using element_type = T;
OwningNonNull() = default;
The problem is that SetValue() in-place constructs the union variant, and in this case the union variant isn't OutOfMemory (which has a deleted ctor), it's OwningNonNull<OutOfMemory>, which does have a super dangerous default constructor!
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 3•2 years ago
|
||
The patch here is required for the patch in bug 1838703 to work, since bug 1838703 catches this issue.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1837557
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 6•2 years ago
|
||
Backed out for causing build bustages on OutOfMemoryError.h.
Failure log: https://treeherder.mozilla.org/logviewer?job_id=419505508&repo=autoland
Backout link: https://hg.mozilla.org/integration/autoland/rev/fa529bbf11c86465c2e1ecfd68b07ae27cbfcb87
|
|
||
Comment 7•2 years ago
|
||
I believe that :jgilbert has addressed the cause of the backout in D181161 already (added explicit to the OutOfMemoryError constructor), so I'm gonna try to land this.
|
||
Comment 9•2 years ago
|
||
Backed out for causing build bustages in OutOfMemoryError.h
- Backout link
- Push with failures
- Failure Log
- Failure line: builds/worker/workspace/obj-build/dist/include/mozilla/webgpu/OutOfMemoryError.h:24:12: error: missing return type for function 'sOutOfMemoryError'; did you mean the constructor name 'OutOfMemoryError'?
|
||
Comment 10•2 years ago
|
||
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 12•2 years ago
|
||
Set release status flags based on info from the regressing bug 1837557
Description
•