Closed Bug 1861751 Opened 11 months ago Closed 11 months ago

Hit MOZ_CRASH(Unexpected binding entry BindGroupEntry { binding: 23, buffer: None, offset: 0, size: None, sampler: None, texture_view: None }) at gfx/wgpu_bindings/src/client.rs:1029

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- disabled
firefox121 --- verified

People

(Reporter: jkratzer, Assigned: bradwerth)

References

(Blocks 4 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Crash Data

Attachments

(5 files)

Testcase found while fuzzing mozilla-central rev 99f1297a102b (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 99f1297a102b --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(Unexpected binding entry BindGroupEntry { binding: 23, buffer: None, offset: 0, size: None, sampler: None, texture_view: None }) at gfx/wgpu_bindings/src/client.rs:1029

    ==404999==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3be3a6a7b5 bp 0x7ffd220bf150 sp 0x7ffd220bf140 T404999)
    ==404999==The signal is caused by a WRITE memory access.
    ==404999==Hint: address points to the zero page.
        #0 0x7f3be3a6a7b5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
        #1 0x7f3be3a6a7b5 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7f3be3a6a74a in mozglue_static::panic_hook::habfbf582d66d5c86 /mozglue/static/rust/lib.rs:96:9
        #3 0x7f3be3a6a14b in core::ops::function::Fn::call::h081d0c2d4ea076dc /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/ops/function.rs:79:5
        #4 0x7f3be4ada97d in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hb3a915ffd78277c6 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/boxed.rs:2007:9
        #5 0x7f3be4ada97d in std::panicking::rust_panic_with_hook::h75cd912a39a34e8a /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:709:13
        #6 0x7f3be4ada706 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h1498b46f7849e167 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:597:13
        #7 0x7f3be4ad79c5 in std::sys_common::backtrace::__rust_end_short_backtrace::hd36a39b27b98086b /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/sys_common/backtrace.rs:151:18
        #8 0x7f3be4ada451 in rust_begin_unwind /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:593:5
        #9 0x7f3be4b3a132 in core::panicking::panic_fmt::h98ef273141454c23 /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/panicking.rs:67:14
        #10 0x7f3be2bf5e01 in wgpu_client_create_bind_group /gfx/wgpu_bindings/src/client.rs
        #11 0x7f3bdce7fc45 in mozilla::webgpu::WebGPUChild::DeviceCreateBindGroup(unsigned long, mozilla::dom::GPUBindGroupDescriptor const&) /dom/webgpu/ipc/WebGPUChild.cpp:660:14
        #12 0x7f3bdce61f32 in mozilla::webgpu::Device::CreateBindGroup(mozilla::dom::GPUBindGroupDescriptor const&) /dom/webgpu/Device.cpp:236:19
        #13 0x7f3bdc38d03a in mozilla::dom::GPUDevice_Binding::createBindGroup(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WebGPUBinding.cpp:19188:79
        #14 0x7f3bdc9a6a88 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3327:13
        #15 0x7f3be1157154 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #16 0x7f3be1156a6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #17 0x7f3be1167038 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
        #18 0x7f3be1167038 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
        #19 0x7f3be1155fc2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
        #20 0x7f3be1156a89 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
        #21 0x7f3be1157f2d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #22 0x7f3be14c84d7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1519:10
        #23 0x7f3be120e2f4 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #24 0x7f3be1428016 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2120:10
        #25 0x7f3be1428016 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2178:12
        #26 0x7f3be1157154 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #27 0x7f3be1156a6d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #28 0x7f3be1157f2d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #29 0x7f3be123eb14 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #30 0x7f3bdbc3f76c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8
        #31 0x7f3bd96aeb05 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #32 0x7f3bd96ae445 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #33 0x7f3bd96ae445 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18
        #34 0x7f3bd969a338 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:673:17
        #35 0x7f3bd969b359 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:460:3
        #36 0x7f3bda6534c6 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1490:28
        #37 0x7f3bd97cfdd3 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1236:24
        #38 0x7f3bd97d6a8d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #39 0x7f3bda48e095 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #40 0x7f3bda3a8081 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #41 0x7f3bda3a8081 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #42 0x7f3bdecdd628 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #43 0x7f3be0f1825b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #44 0x7f3bda48ef76 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #45 0x7f3bda3a8081 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #46 0x7f3bda3a8081 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #47 0x7f3be0f17ac2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #48 0x55abbba53276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #49 0x55abbba53276 in main /browser/app/nsBrowserApp.cpp:375:18
        #50 0x7f3bedb29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #51 0x7f3bedb29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #52 0x55abbba28fa8 in _start (/home/jkratzer/builds/m-c-20231026091345-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: a197a6135aa1b0734093d05a414912dab9da9678)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3 in MOZ_Crash
    ==404999==ABORTING
Attached file Testcase
Crash Signature: [@ wgpu_bindings::client::wgpu_client_create_bind_group ]
Keywords: crash

Jim, would you mind setting severity for this?

Flags: needinfo?(jimb)

Verified bug as reproducible on mozilla-central 20231027211343-ec7d4cb306bc.
The bug appears to have been introduced in the following build range:

Start: e0dd0b10e8fd0ea751f11fb0a6548ad9b6780e16 (20231016153418)
End: fa12efd7ca249d06b27ea86690ae0d0478f5dcce (20231016182434)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e0dd0b10e8fd0ea751f11fb0a6548ad9b6780e16&tochange=fa12efd7ca249d06b27ea86690ae0d0478f5dcce

Keywords: regression
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]

The relevant revisions in the push range appear to be related to :bradwerth's recent work.

Flags: needinfo?(jimb) → needinfo?(bwerth)

This bug has been marked as a regression. Setting status flag for Nightly to affected.

I'll figure it out.

Assignee: nobody → bwerth
Severity: -- → S3
Flags: needinfo?(bwerth)
Priority: -- → P3
Regressed by: 1838693

Set release status flags based on info from the regressing bug 1838693

Buffers that are created in lost Devices are given the id 0. Don't
attempt to bind these buffers in bind group entries.

Buffers created on lost Devices are given id 0. Don't attempt to drop
these buffers.

Depends on D192286

This also sets a pref to ignore the blocklist, permitting all of the
tests to run on whichever platform attempts them. The expected fails
will take care of platform-specific results.
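Added example, not the page's or the wgpu_bindings project's own code: a Rust model (hypothetical names) of the validation Parts 1 to 3 introduce, showing how a buffer id of 0 handed out by a lost Device is rejected before binding, dropping or queueing a write, instead of being unwrapped into the panic seen in the crash signatures.

```rust
use std::num::NonZeroU64;

// Constructed model of the data flow in this bug; the names are hypothetical
// and not the wgpu_bindings project's own code.
pub type BufferId = NonZeroU64;

/// Operations the fix gates on a valid buffer id (Parts 1 to 3 of the patch).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum BufferOp { Bind { binding: u32 }, Drop, QueueWrite }

#[derive(Debug, PartialEq, Eq)]
pub enum BufferError { InvalidBuffer { op: BufferOp } }

/// A Device that has been lost hands out buffer id 0, which is not a
/// NonZeroU64, so it can never name a real buffer.
pub fn buffer_id(raw: u64) -> Option<BufferId> {
    NonZeroU64::new(raw)
}

/// Pre-fix shape (modelled): the id is unwrapped unconditionally, so an id
/// of 0 becomes a panic in the content process instead of an error.
pub fn id_unchecked(raw: u64) -> BufferId {
    buffer_id(raw).expect("Unexpected binding entry")
}

/// Post-fix shape: every operation checks the id first and reports which
/// operation hit the invalid buffer, so the caller can mark the resource
/// invalid rather than crash.
pub fn checked_op(raw: u64, op: BufferOp) -> Result<BufferId, BufferError> {
    buffer_id(raw).ok_or(BufferError::InvalidBuffer { op })
}

#[derive(Debug, PartialEq, Eq)]
pub struct BindGroupEntry { pub binding: u32, pub buffer: BufferId }

/// Builds the bind group entries from (binding, raw id) pairs, failing on
/// the first entry whose buffer id is 0.
pub fn create_bind_group(raw: &[(u32, u64)]) -> Result<Vec<BindGroupEntry>, BufferError> {
    raw.iter()
        .map(|&(binding, id)| {
            checked_op(id, BufferOp::Bind { binding })
                .map(|buffer| BindGroupEntry { binding, buffer })
        })
        .collect()
}
```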

Duplicate of this bug: 1860113
Priority: P3 → P1
Duplicate of this bug: 1860577

Depends on D192287

Attachment #9361110 - Attachment description: Bug 1861751 Part 3: Add test of invalid buffer and invalid bindgroup. → Bug 1861751 Part 4: Add tests of invalid buffers in various usages.

Copying crash signatures from duplicate bugs.

Crash Signature: [@ wgpu_bindings::client::wgpu_client_create_bind_group ] → [@ wgpu_bindings::client::wgpu_client_create_bind_group ] [@ core::num::nonzero::NonZeroU64::new]

The severity field for this bug is set to S3. However, the following bug duplicate has higher severity:

:bradwerth, could you consider increasing the severity of this bug to S2?

For more information, please visit BugBot documentation.

Flags: needinfo?(bwerth)
Severity: S3 → S2
Crash Signature: [@ wgpu_bindings::client::wgpu_client_create_bind_group ] [@ core::num::nonzero::NonZeroU64::new] → [@ wgpu_bindings::client::wgpu_client_create_bind_group ] [@ core::num::nonzero::NonZeroU64::new]
Flags: needinfo?(bwerth)
Pushed by bwerth@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7abd61047e07 Part 1: Don't attempt bind group entries for buffers with id 0. r=webgpu-reviewers,ErichDonGubler
https://hg.mozilla.org/integration/autoland/rev/b1da4e3d2291 Part 2: Don't attempt to drop buffers with id 0. r=webgpu-reviewers,ErichDonGubler
https://hg.mozilla.org/integration/autoland/rev/c7526dc950f2 Part 3: Don't queue writes on invalid buffers. r=webgpu-reviewers,ErichDonGubler
https://hg.mozilla.org/integration/autoland/rev/8882a7679012 Part 4: Add tests of invalid buffers in various usages. r=webgpu-reviewers,ErichDonGubler
Regressions: 1863040
Blocks: 1860826

Verified bug as fixed on rev mozilla-central 20231104091937-fa8ebe703963.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Blocks: 1863369