Assertion failure: aId, at /dom/webgpu/CommandBuffer.cpp:21
Categories
(Core :: Graphics: WebGPU, defect, P1)
Tracking
 | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox119 | --- | unaffected
firefox120 | --- | unaffected
firefox121 | --- | wontfix
firefox122 | --- | verified
People
(Reporter: jkratzer, Assigned: nical)
References
(Blocks 2 open bugs, Regressed 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Crash Data
Attachments
(3 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev 0be08aa0812f (built with: --enable-debug --enable-fuzzing). This issue is occurring with significant frequency and is having a negative impact on fuzzing. Please address it as soon as possible.
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0be08aa0812f --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: aId, at /dom/webgpu/CommandBuffer.cpp:21
==2812450==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd39ddc67e1 bp 0x7fffd969e6a0 sp 0x7fffd969e680 T2812450)
==2812450==The signal is caused by a WRITE memory access.
==2812450==Hint: address points to the zero page.
#0 0x7fd39ddc67e1 in mozilla::webgpu::CommandBuffer::CommandBuffer(mozilla::webgpu::Device*, unsigned long, nsTArray<mozilla::WeakPtr<mozilla::webgpu::CanvasContext, (mozilla::detail::WeakPtrDestructorBehavior)0>>&&) /dom/webgpu/CommandBuffer.cpp:21:3
#1 0x7fd39ddc86d5 in mozilla::webgpu::CommandEncoder::Finish(mozilla::dom::GPUCommandBufferDescriptor const&) /dom/webgpu/CommandEncoder.cpp:233:11
#2 0x7fd39d2e8859 in mozilla::dom::GPUCommandEncoder_Binding::finish(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WebGPUBinding.cpp:16035:83
#3 0x7fd39d90c2f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
#4 0x7fd3a20c1034 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
#5 0x7fd3a20c094d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
#6 0x7fd3a20d0f18 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
#7 0x7fd3a20d0f18 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
#8 0x7fd3a20bfea2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
#9 0x7fd3a20c0969 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
#10 0x7fd3a20c1e0d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
#11 0x7fd3a2432e07 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1519:10
#12 0x7fd3a2178374 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
#13 0x7fd3a23926b9 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2115:12
#14 0x7fd3a23926b9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2178:12
#15 0x7fd3a20c1034 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
#16 0x7fd3a20c094d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
#17 0x7fd3a20c1e0d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
#18 0x7fd3a21a8c94 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
#19 0x7fd39cba4d4c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8
#20 0x7fd39a613965 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#21 0x7fd39a6132a5 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#22 0x7fd39a6132a5 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18
#23 0x7fd39a5ff198 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:673:17
#24 0x7fd39a6001b9 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:460:3
#25 0x7fd39b5b8926 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1490:28
#26 0x7fd39a734c03 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1236:24
#27 0x7fd39a73b8bd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#28 0x7fd39b3f32e3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#29 0x7fd39b30d321 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#30 0x7fd39b30d321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#31 0x7fd39fc48128 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#32 0x7fd3a1e8213b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
#33 0x7fd39b3f4216 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
#34 0x7fd39b30d321 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#35 0x7fd39b30d321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#36 0x7fd3a1e819a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
#37 0x55ebde551276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#38 0x55ebde551276 in main /browser/app/nsBrowserApp.cpp:375:18
#39 0x7fd3affe5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#40 0x7fd3affe5e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#41 0x55ebde526fa8 in _start (/home/jkratzer/builds/m-c-20231028092407-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: 706b5a27b7a5cc62651827195f08d60ce1dfb301)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/webgpu/CommandBuffer.cpp:21:3 in mozilla::webgpu::CommandBuffer::CommandBuffer(mozilla::webgpu::Device*, unsigned long, nsTArray<mozilla::WeakPtr<mozilla::webgpu::CanvasContext, (mozilla::detail::WeakPtrDestructorBehavior)0>>&&)
==2812450==ABORTING
Reporter
Comment 1•11 months ago
Comment 2•11 months ago
Got a crash: https://crash-stats.mozilla.org/report/index/216f3169-605d-4ad5-9472-f563e0231030#tab-bugzilla
Comment 3•11 months ago
Verified bug as reproducible on mozilla-central 20231030095338-07ff1e2e4f65.
The bug appears to have been introduced in the following build range:
Start: 6013b7df2b9133416d4244ef4d45c492f215c3d0 (20231027130502)
End: cda838e04db16590f96ddeaa7d7d54cc80e12a03 (20231027135458)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6013b7df2b9133416d4244ef4d45c492f215c3d0&tochange=cda838e04db16590f96ddeaa7d7d54cc80e12a03
Comment 4•11 months ago
Set release status flags based on info from the regressing bug 1856371
:nical, since you are the author of the regressor, bug 1856371, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 5•11 months ago
NOTE: This is a major fuzzblocker. It is by far the top reported issue and has multiple signatures. Please prioritize it appropriately.
Comment 6•11 months ago
I can reproduce. I'll take this for now and try to build a fix.
Comment 7•11 months ago
These CommandBuffers are created with mValid false, which means that the parent never knows about them and never will. For that reason, it doesn't matter that they have empty ids. They are effectively empty objects with the correct JS shape.
Assignee
Comment 8•11 months ago
This makes sure we never create an invalid (zero) ID after incorrect usage of a command encoder.
It also simplifies the code. The JS object should not do any validation (per spec) and simply forward the commands to the parent process where all of the validation is done.
Assignee
Comment 9•11 months ago
In wgpu, command encoders and command buffers actually share the same identity and resource, so dropping one drops the other. This commit makes it so that our gecko wrappers take that into account. The lifetime is now tied to the encoder which may be held alive by a command buffer if there is one.
Assignee
Comment 10•11 months ago
These two patches need to be applied on top of an upstream change that hasn't made it into mozilla-central yet.
Assignee
Comment 11•11 months ago
The good news is that the test case attached to this bug does not crash with the attached patches and upstream fixes; the bad news is that these fixes depend on stuff that causes a few regressions, so landing it all may get delayed a bit.
Comment 12•11 months ago
S4 because WebGPU doesn't ship. P1 because fuzzblocker.
Comment 13•11 months ago
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:nical, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Comment 14•11 months ago
Comment 15•11 months ago
Backed out for causing build bustages in RefPtr.h
- Backout link
- Push with failures
- Failure Log
- Failure line: /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:38: error: member access into incomplete type 'mozilla::webgpu::CommandEncoder'
Comment 16•10 months ago
Comment 17•10 months ago
Backed out along with Bug 1865364 & Bug 1860958 for causing bustage due to CommandEncoder.
- backout: https://hg.mozilla.org/integration/autoland/rev/fd0423fbfca05a4f9f87ef6c3393dbd79269335d
- push: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=3d6b0444986341a058dddc721a55429a6d98a740
- failure logs:
- /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:38: error: member access into incomplete type 'mozilla::webgpu::CommandEncoder'
- TEST-UNEXPECTED-FAIL | dom/webgpu/mochitest/test_double_encoder_finish.html | Unhandled exception TypeError: can't access property "requestDevice", adapter is null
Comment 18•10 months ago
Comment 19•10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/655dc5c5782a
https://hg.mozilla.org/mozilla-central/rev/c5e7b70590f0
Comment 20•10 months ago
Verified bug as fixed on rev mozilla-central 20231122215037-fa3223e08cd7.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.