Closed Bug 1861985 Opened 6 months ago Closed 5 months ago

Assertion failure: aId, at /dom/webgpu/CommandBuffer.cpp:21

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
122 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- unaffected
firefox121 --- wontfix
firefox122 --- verified

People

(Reporter: jkratzer, Assigned: nical)

References

(Blocks 2 open bugs, Regressed 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Crash Data

Attachments

(3 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 0be08aa0812f (built with: --enable-debug --enable-fuzzing). This issue is occurring with significant frequency and is having a negative impact on fuzzing. Please address it as soon as possible.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0be08aa0812f --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: aId, at /dom/webgpu/CommandBuffer.cpp:21

    ==2812450==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd39ddc67e1 bp 0x7fffd969e6a0 sp 0x7fffd969e680 T2812450)
    ==2812450==The signal is caused by a WRITE memory access.
    ==2812450==Hint: address points to the zero page.
        #0 0x7fd39ddc67e1 in mozilla::webgpu::CommandBuffer::CommandBuffer(mozilla::webgpu::Device*, unsigned long, nsTArray<mozilla::WeakPtr<mozilla::webgpu::CanvasContext, (mozilla::detail::WeakPtrDestructorBehavior)0>>&&) /dom/webgpu/CommandBuffer.cpp:21:3
        #1 0x7fd39ddc86d5 in mozilla::webgpu::CommandEncoder::Finish(mozilla::dom::GPUCommandBufferDescriptor const&) /dom/webgpu/CommandEncoder.cpp:233:11
        #2 0x7fd39d2e8859 in mozilla::dom::GPUCommandEncoder_Binding::finish(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WebGPUBinding.cpp:16035:83
        #3 0x7fd39d90c2f8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3330:13
        #4 0x7fd3a20c1034 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #5 0x7fd3a20c094d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #6 0x7fd3a20d0f18 in CallFromStack /js/src/vm/Interpreter.cpp:638:10
        #7 0x7fd3a20d0f18 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3053:16
        #8 0x7fd3a20bfea2 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:444:13
        #9 0x7fd3a20c0969 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:598:13
        #10 0x7fd3a20c1e0d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #11 0x7fd3a2432e07 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1519:10
        #12 0x7fd3a2178374 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #13 0x7fd3a23926b9 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2115:12
        #14 0x7fd3a23926b9 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2178:12
        #15 0x7fd3a20c1034 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:472:13
        #16 0x7fd3a20c094d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:566:12
        #17 0x7fd3a20c1e0d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:665:8
        #18 0x7fd3a21a8c94 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #19 0x7fd39cba4d4c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8
        #20 0x7fd39a613965 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #21 0x7fd39a6132a5 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #22 0x7fd39a6132a5 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:210:18
        #23 0x7fd39a5ff198 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:673:17
        #24 0x7fd39a6001b9 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:460:3
        #25 0x7fd39b5b8926 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1490:28
        #26 0x7fd39a734c03 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1236:24
        #27 0x7fd39a73b8bd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #28 0x7fd39b3f32e3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #29 0x7fd39b30d321 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #30 0x7fd39b30d321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #31 0x7fd39fc48128 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #32 0x7fd3a1e8213b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:721:20
        #33 0x7fd39b3f4216 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #34 0x7fd39b30d321 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #35 0x7fd39b30d321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #36 0x7fd3a1e819a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:656:34
        #37 0x55ebde551276 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #38 0x55ebde551276 in main /browser/app/nsBrowserApp.cpp:375:18
        #39 0x7fd3affe5d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #40 0x7fd3affe5e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #41 0x55ebde526fa8 in _start (/home/jkratzer/builds/m-c-20231028092407-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: 706b5a27b7a5cc62651827195f08d60ce1dfb301)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/webgpu/CommandBuffer.cpp:21:3 in mozilla::webgpu::CommandBuffer::CommandBuffer(mozilla::webgpu::Device*, unsigned long, nsTArray<mozilla::WeakPtr<mozilla::webgpu::CanvasContext, (mozilla::detail::WeakPtrDestructorBehavior)0>>&&)
    ==2812450==ABORTING
Attached file Testcase
Crash Signature: [@ mozilla::webgpu::CommandBuffer::CommandBuffer ]
Keywords: crash

Verified bug as reproducible on mozilla-central 20231030095338-07ff1e2e4f65.
The bug appears to have been introduced in the following build range:

Start: 6013b7df2b9133416d4244ef4d45c492f215c3d0 (20231027130502)
End: cda838e04db16590f96ddeaa7d7d54cc80e12a03 (20231027135458)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6013b7df2b9133416d4244ef4d45c492f215c3d0&tochange=cda838e04db16590f96ddeaa7d7d54cc80e12a03

Keywords: regression
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]
Regressed by: 1856371

Set release status flags based on info from the regressing bug 1856371

:nical, since you are the author of the regressor, bug 1856371, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(nical.bugzilla)
Blocks: webgpu-v1
Severity: -- → S2
Priority: -- → P2

NOTE: This is a major fuzzblocker. It is by far the top reported issue and has multiple signatures. Please prioritize it appropriately.

Flags: needinfo?(jimb)

I can reproduce. I'll take this for now and try to build a fix.

Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(jimb)

These CommandBuffers are created with mValid false, which means that the
parent never knows about them and never will. For that reason, it
doesn't matter that they have empty ids. They are effectively empty
objects with the correct JS shape.

Assignee: nobody → bwerth
Status: NEW → ASSIGNED
Attachment #9361968 - Attachment description: Bug 1861985: Add constructor for invalid CommandBuffers, plus a test. → Bug 1861985: Allow CommandBuffers to be constructed with id 0, plus a test.

This makes sure we never create an invalid (zero) ID after incorrect usage of a command encoder.
It also simplifies the code. The JS object should not do any validation (per spec) and simply forward the commands to the parent process where all of the validation is done.

Attachment #9361968 - Attachment is obsolete: true
Assignee: bwerth → nical.bugzilla
See Also: → 1863369

In wgpu, command encoders and command buffers actually share the same identity and resource, so dropping one drops the other. This commit makes it so that our gecko wrappers take that into account. The lifetime is now tied to the encoder which may be held alive by a command buffer if there is one.

These two patches need to be applied on top of an upstream change that hasn't made it into mozilla-central yet.

The good news is that the test case attached to this bug does not crash with the attached patches and upstream fixes, the bad news is that these fixes depend on stuff that cause a few regressions so landing it all may get delayed a bit.
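The two design points in the comments above, the content-side wrapper forwarding finish() to the parent process instead of asserting on an invalid id, and the command buffer keeping its encoder alive because the two share one resource, modelled as an added C++ example. This is not Gecko or wgpu code: Parent, CommandEncoder, CommandBuffer and Finish are hypothetical stand-ins, and the parent-process side is simulated in-process so the example runs on its own.

```cpp
// Added illustrative model, not Gecko/wgpu code. Two points from the bug's comments:
//  (1) the content-side wrapper does no validation and never asserts on an invalid id;
//      it forwards finish() to the "parent", which records a validation error instead,
//      and a failed finish() still yields a buffer object (id 0) of the right shape;
//  (2) a command buffer and its encoder share one parent-side resource, so the buffer
//      holds a strong reference to the encoder and the resource outlives the encoder
//      wrapper for as long as the buffer exists.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the parent process: owns encoder state keyed by id.
class Parent {
 public:
  uint64_t CreateEncoder() {
    uint64_t id = mNextId++;  // ids start at 1; 0 means "invalid"
    mEncoders[id] = EncoderState{};
    return id;
  }
  // All validation lives here: misuse becomes a recorded error, not a crash.
  bool FinishEncoder(uint64_t id) {
    auto it = mEncoders.find(id);
    if (it == mEncoders.end()) {
      mErrors.push_back("finish: unknown encoder " + std::to_string(id));
      return false;
    }
    if (it->second.finished) {
      mErrors.push_back("finish: encoder " + std::to_string(id) + " already finished");
      return false;
    }
    it->second.finished = true;
    return true;
  }
  void DropEncoder(uint64_t id) { mEncoders.erase(id); }
  bool IsAlive(uint64_t id) const { return mEncoders.count(id) != 0; }
  const std::vector<std::string>& Errors() const { return mErrors; }

 private:
  struct EncoderState { bool finished = false; };
  uint64_t mNextId = 1;
  std::map<uint64_t, EncoderState> mEncoders;
  std::vector<std::string> mErrors;
};

// Content-side encoder wrapper; releases the parent-side resource when destroyed.
class CommandEncoder {
 public:
  explicit CommandEncoder(Parent& parent) : mParent(parent), mId(parent.CreateEncoder()) {}
  ~CommandEncoder() { mParent.DropEncoder(mId); }
  uint64_t Id() const { return mId; }
  Parent& ParentRef() { return mParent; }

 private:
  Parent& mParent;
  uint64_t mId;
};

// Content-side command buffer: shares the encoder's identity, so it keeps the encoder
// alive (point 2). An invalid buffer simply has no encoder and reports id 0 (point 1).
class CommandBuffer {
 public:
  explicit CommandBuffer(std::shared_ptr<CommandEncoder> enc) : mEncoder(std::move(enc)) {}
  uint64_t Id() const { return mEncoder ? mEncoder->Id() : 0; }

 private:
  std::shared_ptr<CommandEncoder> mEncoder;
};

// finish(): forward unconditionally; no assertion on the wrapper side.
std::shared_ptr<CommandBuffer> Finish(const std::shared_ptr<CommandEncoder>& enc) {
  std::shared_ptr<CommandEncoder> owner;
  if (enc->ParentRef().FinishEncoder(enc->Id())) {
    owner = enc;
  }
  return std::make_shared<CommandBuffer>(owner);
}

// Scenario 1: finishing the same encoder twice (the misuse the fuzzer hit) yields one
// recorded parent error and a second buffer with id 0; nothing crashes.
std::size_t DoubleFinishErrors() {
  Parent parent;
  auto enc = std::make_shared<CommandEncoder>(parent);
  auto first = Finish(enc);
  auto second = Finish(enc);
  return parent.Errors().size();
}
uint64_t DoubleFinishSecondId() {
  Parent parent;
  auto enc = std::make_shared<CommandEncoder>(parent);
  Finish(enc);
  return Finish(enc)->Id();
}

// Scenario 2: the encoder wrapper goes away while a buffer still exists; the shared
// resource survives until the buffer is dropped too.
bool ResourceSurvivesEncoderDrop() {
  Parent parent;
  std::shared_ptr<CommandBuffer> buf;
  uint64_t id = 0;
  {
    auto enc = std::make_shared<CommandEncoder>(parent);
    id = enc->Id();
    buf = Finish(enc);
  }  // last direct reference to the encoder is gone here
  bool aliveWithBuffer = parent.IsAlive(id) && buf->Id() == id;
  buf.reset();
  return aliveWithBuffer && !parent.IsAlive(id);
}

int main() {
  std::printf("double finish errors: %zu, second id: %llu, resource survives: %s\n",
              DoubleFinishErrors(), (unsigned long long)DoubleFinishSecondId(),
              ResourceSurvivesEncoderDrop() ? "yes" : "no");
  return 0;
}
```

The point of the model is where the failure lands: with validation in the parent, a second finish() on the same encoder is an error the content side can surface to script, and a content-side object is never constructed in a state its own constructor would reject.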

S4 because WebGPU doesn't ship. P1 because fuzzblocker.

Severity: S2 → S4
Priority: P2 → P1

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:nical, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(nical.bugzilla)
Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0bdc4c60018e
Let the parent process handle validating command encoders. r=webgpu-reviewers,webidl,saschanaz,jimb
https://hg.mozilla.org/integration/autoland/rev/13f07117425f
Handle CommandBuffer/CommandBuffer lifecycle correctly. r=webgpu-reviewers,ErichDonGubler

Backed out for causing build bustages in RefPtr.h

  • Backout link
  • Push with failures
  • Failure Log
  • Failure line: /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:38: error: member access into incomplete type 'mozilla::webgpu::CommandEncoder'
Flags: needinfo?(nical.bugzilla)
Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e3f53b794c1d
Let the parent process handle validating command encoders. r=webgpu-reviewers,webidl,saschanaz,jimb
https://hg.mozilla.org/integration/autoland/rev/1e35eb31a789
Handle CommandBuffer/CommandBuffer lifecycle correctly. r=webgpu-reviewers,ErichDonGubler
Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/655dc5c5782a
Let the parent process handle validating command encoders. r=webgpu-reviewers,webidl,saschanaz,jimb
https://hg.mozilla.org/integration/autoland/rev/c5e7b70590f0
Handle CommandBuffer/CommandBuffer lifecycle correctly. r=webgpu-reviewers,ErichDonGubler
Regressions: 1866101
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch

Verified bug as fixed on rev mozilla-central 20231122215037-fa3223e08cd7.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(nical.bugzilla)