crash near null [@ load]
Categories
(Core :: Graphics: WebGPU, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox118 | --- | unaffected |
| firefox119 | --- | unaffected |
| firefox120 | + | fixed |
| firefox121 | --- | verified |
People
(Reporter: tsmith, Assigned: bradwerth)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files)
|
343 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
|
Details | Review |
Found while fuzzing m-c 20231017-71d9492d06c4 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==203086==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000110 (pc 0x7f7c85906453 bp 0x7ffda5004f70 sp 0x7ffda5004ee0 T0)
==203086==The signal is caused by a READ memory access.
==203086==Hint: address points to the zero page.
#0 0x7f7c85906453 in load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/atomic_base.h:396:9
#1 0x7f7c85906453 in load /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:195:17
#2 0x7f7c85906453 in operator bool /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:496:12
#3 0x7f7c85906453 in IsWritable /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:111:36
#4 0x7f7c85906453 in StartWriteOp /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:140:5
#5 0x7f7c85906453 in AutoWriteOp /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:40:59
#6 0x7f7c85906453 in PLDHashTable::Remove(void const*) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:528:15
#7 0x7f7c8c9c0a50 in RemoveEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:346:12
#8 0x7f7c8c9c0a50 in RemoveEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:825:37
#9 0x7f7c8c9c0a50 in Remove /builds/worker/workspace/obj-build/dist/include/nsTHashSet.h:117:41
#10 0x7f7c8c9c0a50 in UntrackBuffer /builds/worker/checkouts/gecko/dom/webgpu/Device.cpp:102:63
#11 0x7f7c8c9c0a50 in mozilla::webgpu::Buffer::Drop() /builds/worker/checkouts/gecko/dom/webgpu/Buffer.cpp:153:15
#12 0x7f7c8c9c1781 in mozilla::webgpu::Buffer::~Buffer() /builds/worker/checkouts/gecko/dom/webgpu/Buffer.cpp:54:3
#13 0x7f7c8c9e1540 in DeleteCycleCollectable /builds/worker/workspace/obj-build/dist/include/mozilla/webgpu/Buffer.h:44:3
#14 0x7f7c8c9e1540 in mozilla::webgpu::Buffer::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/obj-build/dist/include/mozilla/webgpu/Buffer.h:44:3
#15 0x7f7c858900c6 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2472:7
#16 0x7f7c8588ee75 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2662:3
#17 0x7f7c8589ac17 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3659:3
#18 0x7f7c85899931 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3483:9
#19 0x7f7c8589921a in nsCycleCollector::ShutdownCollect() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3417:20
#20 0x7f7c8589c5c6 in nsCycleCollector::Shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3721:5
#21 0x7f7c8589ecc0 in nsCycleCollector_shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:4045:18
#22 0x7f7c85b471f2 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:702:3
#23 0x7f7c96640c42 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:660:16
#24 0x562e10d2007c in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#25 0x562e10d2007c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#26 0x7f7cad029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#27 0x7f7cad029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#28 0x562e10c44388 in _start (/home/user/workspace/browsers/m-c-20231018094117-fuzzing-asan-opt/firefox+0xdc388) (BuildId: ca2f30af2fc2908e9ae9232cd28460de69599e13)
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/CBeGk_5jYshtWZmSAF79VA/index.html
|
||
Comment 2•2 years ago
|
||
One likely regressor would seem to be bug 1838693, since that's what introduced Device::UntrackBuffer.
|
Assignee | |
Comment 3•2 years ago
|
||
I'll see if this can be fixed by holding RefPtrs to those Buffers instead of using vanilla pointers. That should remove timing dependencies during GC. Alternatively, perhaps there's cycle collection tagging that I need to add to Device to prevent this. I'll figure it out.
|
||
Comment 4•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20231018160439-639c0da2250e.
The bug appears to have been introduced in the following build range:
Start: e0dd0b10e8fd0ea751f11fb0a6548ad9b6780e16 (20231016153418)
End: fa12efd7ca249d06b27ea86690ae0d0478f5dcce (20231016182434)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0dd0b10e8fd0ea751f11fb0a6548ad9b6780e16&tochange=fa12efd7ca249d06b27ea86690ae0d0478f5dcce
|
||
Comment 5•2 years ago
|
||
Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:bradwerth, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
|
|
||
Comment 7•2 years ago
|
||
Copying crash signatures from duplicate bugs.
|
|
||
Comment 9•2 years ago
|
||
Set release status flags based on info from the regressing bug 1838693
|
|
Assignee | |
Comment 10•2 years ago
|
||
In addition to moving the valid check earlier in Buffer::Drop, this
patch also ensures that Device clears the tracked buffers set after they
have been unmapped, and cleans up the error handling in Device::GetLost.
|
||
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Comment 13•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 14•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20231023215318-1f052dc81e97.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Assignee | |
Comment 15•2 years ago
|
||
Comment on attachment 9359661 [details]
Bug 1859825: Ensure that WebGPU Buffers are only dropped once.
Beta/Release Uplift Approval Request
- User impact if declined: Users viewing WebGPU content (enabled by default on Windows, elsewhere only through pref) will experience crashes on window close.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Makes well-understood correctness fixes to existing code. No new code paths are activated; one existing path gets an early exit.
- String changes made/needed:
- Is Android affected?: No
|
|
||
Comment 16•2 years ago
|
||
Comment on attachment 9359661 [details]
Bug 1859825: Ensure that WebGPU Buffers are only dropped once.
Approved for 120.0b2
|
|
||
Comment 17•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
Description
•