Closed Bug 1860921 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Texture[0] does not exist) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/storage.rs:125

Categories

(Core :: Graphics: WebGPU, defect)

defect

Tracking

()

VERIFIED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- unaffected
firefox121 --- verified

People

(Reporter: tsmith, Assigned: sotaro)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20231024-bcdbc81d4adf (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(Texture[0] does not exist) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/storage.rs:125

#0 0x7fc4e3493e95 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7fc4e3493e95 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7fc4e3493e2a in mozglue_static::panic_hook::habfbf582d66d5c86 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7fc4e349382b in core::ops::function::Fn::call::h081d0c2d4ea076dc /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ops/function.rs:79:5
#4 0x7fc4e45031ed in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hb3a915ffd78277c6 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/boxed.rs:2007:9
#5 0x7fc4e45031ed in std::panicking::rust_panic_with_hook::h75cd912a39a34e8a /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:709:13
#6 0x7fc4e4502f76 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1498b46f7849e167 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:597:13
#7 0x7fc4e4500235 in std::sys_common::backtrace::__rust_end_short_backtrace::hd36a39b27b98086b /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/sys_common/backtrace.rs:151:18
#8 0x7fc4e4502cc1 in rust_begin_unwind /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:593:5
#9 0x7fc4e45629a2 in core::panicking::panic_fmt::h98ef273141454c23 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/panicking.rs:67:14
#10 0x7fc4e2621de1 in wgpu_core::storage::Storage$LT$T$C$I$GT$::get_mut::h537edeff8ff6ce63 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/storage.rs:125:50
#11 0x7fc4e2665f7d in wgpu_core::device::queue::_$LT$impl$u20$wgpu_core..global..Global$LT$G$GT$$GT$::queue_write_texture::ha9f54ea04e7f0777 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/queue.rs:633:19
#12 0x7fc4e2665f7d in wgpu_server_queue_write_action /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:1000:13
#13 0x7fc4dc83b379 in mozilla::webgpu::WebGPUParent::RecvQueueWriteAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&, mozilla::ipc::UnsafeSharedMemoryHandle&&) /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:798:3
#14 0x7fc4dc84cec3 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1724:80
#15 0x7fc4da8ca47d in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:269:32
#16 0x7fc4d9e36f2f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#17 0x7fc4d9e33c82 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#18 0x7fc4d9e34902 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#19 0x7fc4d9e35a4f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#20 0x7fc4d917eb3d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16
#21 0x7fc4d9185acd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#22 0x7fc4d9e3e15e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#23 0x7fc4d9d56e81 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#24 0x7fc4d9d56e81 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#25 0x7fc4d9179e23 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#26 0x7fc4ed8d4d0f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#27 0x7fc4ed694ac2 in start_thread nptl/pthread_create.c:442:8
#28 0x7fc4ed726a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20231024215736-bfd2855924f2.
The bug appears to have been introduced in the following build range:

Start: ed9d130c38a8858740845db8ec5c8bb7e68cce65 (20231024004955)
End: bcdbc81d4adffb0c3b1e04e1854e43cf49314d92 (20231024050629)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ed9d130c38a8858740845db8ec5c8bb7e68cce65&tochange=bcdbc81d4adffb0c3b1e04e1854e43cf49314d92

Keywords: regression
Whiteboard: [fuzzblocker] → [fuzzblocker][bugmon:bisected,confirmed]
Crash Signature: [@ wgpu_core::storage::Storage<T>::get_mut<T> ]
Keywords: crash
Regressed by: 1856787

Set release status flags based on info from the regressing bug 1856787

:sotaro, since you are the author of the regressor, bug 1856787, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(sotaro.ikeda.g)

I take the bug.

Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)

The change to Texture::Destroy() seemed to cause the problem. The change make wgpu texture to destroy.

The following calls panic if texture is Vacant.
https://searchfox.org/mozilla-central/rev/ffdc4971dc18e1141cb2a90c2b0b776365650270/third_party/rust/wgpu-core/src/storage.rs#125

Blocks: 1860958
Pushed by sikeda.birchill@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/03d61eb955a9 Revert Texture::Destroy() and add Texture::ForceDestroy() r=webgpu-reviewers,nical
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
Duplicate of this bug: 1860920

Verified bug as fixed on rev mozilla-central 20231025162820-03d61eb955a9.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: