Closed Bug 1848256 Opened 9 months ago Closed 3 months ago

Crash in [@ wgpu_core::storage::Storage<T>::get_mut] with PipelineLayout[n] does not exist

Categories

(Core :: Graphics: WebGPU, defect, P3)



RESOLVED WORKSFORME

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/119d8882-93c4-4f4d-9b0d-6d7320230810

MOZ_CRASH Reason: PipelineLayout[8] does not exist

Top 10 frames of crashing thread:

0  libxul.so  MOZ_Crash  mfbt/Assertions.h:281
0  libxul.so  RustMozCrash  mozglue/static/rust/wrappers.cpp:18
1  libxul.so  mozglue_static::panic_hook  mozglue/static/rust/lib.rs:96
2  libxul.so  core::ops::function::Fn::call  library/core/src/ops/function.rs:79
3  libxul.so  <alloc::boxed::Box<F, A> as core::ops::function::Fn<Args>>::call  library/alloc/src/boxed.rs:1999
3  libxul.so  std::panicking::rust_panic_with_hook  library/std/src/panicking.rs:709
4  libxul.so  std::panicking::begin_panic_handler::{{closure}}  library/std/src/panicking.rs:597
5  libxul.so  std::sys_common::backtrace::__rust_end_short_backtrace  library/std/src/sys_common/backtrace.rs:151
6  libxul.so  rust_begin_unwind  library/std/src/panicking.rs:593
7  libxul.so  core::panicking::panic_fmt  library/core/src/panicking.rs:67

2 crashes from 2 installs, but there's a crash reason, so maybe something is actionable.

In this bug, wgpu-core is panicking simply because the content process provided a bad wgpu resource id. The content process isn't trusted anyway, so this should definitely not panic.

What I said above is not correct. A compromised content process should crash the parent process - that's the safest thing to do. Trying to recover just gives attackers more interesting parent process states to play with.

It seems like this bug could arise when content sends a wgpu_bindings::DeviceAction::CreatePipelineLayout that is not processed, but somehow later sends a PWebGPU::PipelineLayoutDestroy IPDL message that is processed.

Without reproduction instructions, it's hard to do much with this.
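The crash path discussed in the comments above, as an added example that is not part of this bug report or of wgpu's own code: a simplified Rust model of an id-indexed resource storage with a panicking lookup (mirroring the MOZ_CRASH reason) beside a fallible one, and a replay of the create/destroy message sequence where the create is never applied. `Storage`, `InvalidId`, `Action` and `replay` are hypothetical names, not wgpu-core's API; the message sequence is constructed, with id 8 chosen to match the crash reason in the report.

```rust
// Added example: a simplified model of an id-indexed resource storage in the
// style of wgpu-core's Storage<T>. All names are hypothetical, not wgpu-core's
// real API; it only shows how "PipelineLayout[n] does not exist" arises.
use std::fmt;

/// Error returned by the fallible lookup when an id has no live resource.
#[derive(Debug, PartialEq, Eq)]
pub struct InvalidId {
    pub kind: &'static str,
    pub index: usize,
}

impl fmt::Display for InvalidId {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Same wording as the MOZ_CRASH reason in the crash report.
        write!(f, "{}[{}] does not exist", self.kind, self.index)
    }
}

/// Slots indexed by resource id; `None` means never created or already destroyed.
pub struct Storage<T> {
    kind: &'static str,
    slots: Vec<Option<T>>,
}

impl<T> Storage<T> {
    pub fn new(kind: &'static str) -> Self {
        Storage { kind, slots: Vec::new() }
    }

    /// Insert a resource at the id chosen by the (untrusted) content process.
    pub fn insert(&mut self, index: usize, value: T) {
        if self.slots.len() <= index {
            self.slots.resize_with(index + 1, || None);
        }
        self.slots[index] = Some(value);
    }

    /// Fallible lookup: reports a missing slot instead of aborting the process.
    pub fn try_get_mut(&mut self, index: usize) -> Result<&mut T, InvalidId> {
        match self.slots.get_mut(index) {
            Some(Some(v)) => Ok(v),
            _ => Err(InvalidId { kind: self.kind, index }),
        }
    }

    /// Panicking lookup, mirroring the crash seen in the report.
    pub fn get_mut(&mut self, index: usize) -> &mut T {
        match self.try_get_mut(index) {
            Ok(v) => v,
            Err(e) => panic!("{}", e),
        }
    }

    /// Remove a resource; fails if the id was never created or is already gone.
    pub fn remove(&mut self, index: usize) -> Result<T, InvalidId> {
        match self.slots.get_mut(index).and_then(Option::take) {
            Some(v) => Ok(v),
            None => Err(InvalidId { kind: self.kind, index }),
        }
    }
}

/// Messages from the content process, in the order the parent handles them.
#[derive(Clone, Copy)]
pub enum Action {
    CreatePipelineLayout(usize),
    PipelineLayoutDestroy(usize),
}

#[derive(Debug, PartialEq, Eq)]
pub struct PipelineLayout;

/// Replay a message sequence. `apply_creates = false` models the scenario from
/// the comment above: the create action is never processed, but the later
/// destroy for the same id is. Returns how many destroys succeeded.
pub fn replay(actions: &[Action], apply_creates: bool) -> Result<usize, InvalidId> {
    let mut layouts: Storage<PipelineLayout> = Storage::new("PipelineLayout");
    let mut destroyed = 0;
    for action in actions {
        match *action {
            Action::CreatePipelineLayout(id) if apply_creates => layouts.insert(id, PipelineLayout),
            Action::CreatePipelineLayout(_) => {}
            Action::PipelineLayoutDestroy(id) => {
                layouts.remove(id)?;
                destroyed += 1;
            }
        }
    }
    Ok(destroyed)
}

fn main() {
    // Constructed sequence: id 8 matches the crash reason in the report.
    let seq = [Action::CreatePipelineLayout(8), Action::PipelineLayoutDestroy(8)];
    println!("create applied: {:?}", replay(&seq, true));
    match replay(&seq, false) {
        Err(e) => println!("create skipped, panicking lookup would abort with: {}", e),
        Ok(n) => println!("create skipped: {} destroyed", n),
    }
}
```

The fallible `try_get_mut` / `remove` path only makes the bad id observable as a structured error; what the parent should do with that error (the second comment above argues for letting the parent crash rather than recover) is a policy decision the example does not take.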

Severity: -- → S3
Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → WORKSFORME