1860577 - Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/id.rs:194 | [@ wgpu_server_queue_write_action]

Status: RESOLVED DUPLICATE of bug 1861751

(Core :: Graphics: WebGPU, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev ffe93e4e0835 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ffe93e4e0835 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(called `Option::unwrap()` on a `None` value) at /third_party/rust/wgpu-core/src/id.rs:194

    ==267949==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f83509e1b55 bp 0x7f832cd1d650 sp 0x7f832cd1d640 T267997)
    ==267949==The signal is caused by a WRITE memory access.
    ==267949==Hint: address points to the zero page.
        #0 0x7f83509e1b55 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
        #1 0x7f83509e1b55 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f83509e1aea in mozglue_static::panic_hook::habfbf582d66d5c86 /mozglue/static/rust/lib.rs:96:9
        #3 0x7f83509e14eb in core::ops::function::Fn::call::h081d0c2d4ea076dc /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ops/function.rs:79:5
        #4 0x7f8351a4d1fd in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hb3a915ffd78277c6 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/boxed.rs:2007:9
        #5 0x7f8351a4d1fd in std::panicking::rust_panic_with_hook::h75cd912a39a34e8a /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:709:13
        #6 0x7f8351a4cf40 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1498b46f7849e167 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:595:13
        #7 0x7f8351a4a245 in std::sys_common::backtrace::__rust_end_short_backtrace::hd36a39b27b98086b /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/sys_common/backtrace.rs:151:18
        #8 0x7f8351a4ccd1 in rust_begin_unwind /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:593:5
        #9 0x7f8351aac9b2 in core::panicking::panic_fmt::h98ef273141454c23 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/panicking.rs:67:14
        #10 0x7f8351aaca42 in core::panicking::panic::hf53fd8b0bfa5848e /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/panicking.rs:117:5
        #11 0x7f834fbb6768 in wgpu_server_queue_write_action /gfx/wgpu_bindings/src/server.rs
        #12 0x7f8349d7f1b9 in mozilla::webgpu::WebGPUParent::RecvQueueWriteAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&, mozilla::ipc::UnsafeSharedMemoryHandle&&) /dom/webgpu/ipc/WebGPUParent.cpp:795:3
        #13 0x7f8349d902c3 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1724:80
        #14 0x7f8347e0bc0d in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:269:32
        #15 0x7f834737fc1f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #16 0x7f834737c972 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #17 0x7f834737d5f2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #18 0x7f834737e73f in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #19 0x7f83466c7c4d in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1192:16
        #20 0x7f83466cebdd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #21 0x7f8347386dd5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #22 0x7f834729fc41 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #23 0x7f834729fc41 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #24 0x7f83466c2f33 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #25 0x7f835a2eed0f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #26 0x7f835ab8fac2 in start_thread nptl/pthread_create.c:442:8
        #27 0x7f835ac21a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3 in MOZ_Crash
    ==267949==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Mayank Bansal]

This is the crash i get from the attached testcase : https://crash-stats.mozilla.org/report/index/9b590dcd-7a4c-48eb-9d24-d1ceb0231023#tab-bugzilla

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20231023215318-1f052dc81e97.
The bug appears to have been introduced in the following build range:

Start: e0dd0b10e8fd0ea751f11fb0a6548ad9b6780e16 (20231016153418)
End: fa12efd7ca249d06b27ea86690ae0d0478f5dcce (20231016182434)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0dd0b10e8fd0ea751f11fb0a6548ad9b6780e16&tochange=fa12efd7ca249d06b27ea86690ae0d0478f5dcce

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

:bradwerth, since you are the author of the regressor, bug 1838693, could you take a look?

For more information, please visit BugBot documentation.

Comment 6

[Brad Werth [:bradwerth] | Out until July 8]

One way to fix this, after wgpu is updated to report device loss would be to make child objects like Queue check mParent->IsLost() before sending any messages. But since that isn't landed, I'll try to figure out how to prevent Queue objects created after device.destroy from triggering panics in wgpu.

Comment 7

[Brad Werth [:bradwerth] | Out until July 8]

Attachment: Bug 1860577 Part 1: Don't send Queue messages when Device is known to be lost.

Comment 8

[Brad Werth [:bradwerth] | Out until July 8]

This can be fixed similarly to the fix in Bug 1861751, since the Buffer is created on a destroyed device and has an id of 0. I'll build a patch that does that, and abandon the speculative attachment 9361317 [details].

Comment 9

[Brad Werth [:bradwerth] | Out until July 8]

Actually, I'll just roll the fix into Bug 1861751.

Comment 10

[Bugmon [:jkratzer for issues]]

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.