crash at null in [@ core::mem::manually_drop::ManuallyDrop]
Categories
(Core :: Graphics: WebGPU, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox123 | --- | disabled
firefox124 | --- | fixed
People
(Reporter: tsmith, Assigned: nical)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file: 388 bytes, text/html)
Found while fuzzing m-c 20231112-43bee97ffb8c (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==3076==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000000 (pc 0x7ffc9e98827a bp 0x00045e7f9940 sp 0x00045e7f9900 T31)
==3076==The signal is caused by a READ memory access.
==3076==Hint: address points to the zero page.
#0 0x7ffc9e988279 in core::mem::manually_drop::ManuallyDrop<winapi::um::d3d12::D3D12_CPU_DESCRIPTOR_HANDLE>::into_inner /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112\library\core\src\mem\manually_drop.rs:89
#1 0x7ffc9e988279 in core::mem::maybe_uninit::MaybeUninit<winapi::um::d3d12::D3D12_CPU_DESCRIPTOR_HANDLE>::assume_init /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112\library\core\src\mem\maybe_uninit.rs:632
#2 0x7ffc9e988279 in core::mem::uninitialized /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112\library\core\src\mem\mod.rs:702
#3 0x7ffc9e988279 in winapi::um::d3d12::ID3D12DescriptorHeap::GetCPUDescriptorHandleForHeapStart /builds/worker/checkouts/gecko/third_party/rust/winapi/src/macros.rs:222
#4 0x7ffc9e988279 in d3d12::com::ComPtr<winapi::um::d3d12::ID3D12DescriptorHeap>::start_cpu_descriptor /builds/worker/checkouts/gecko/third_party/rust/d3d12/src/descriptor.rs:34
#5 0x7ffc9e988279 in wgpu_hal::dx12::descriptor::FixedSizeHeap::new /builds/worker/checkouts/gecko/third_party/rust/wgpu-hal/src/dx12/descriptor.rs:131
#6 0x7ffc9e988279 in wgpu_hal::dx12::descriptor::impl$4::alloc_handle::closure$0 /builds/worker/checkouts/gecko/third_party/rust/wgpu-hal/src/dx12/descriptor.rs:200
#7 0x7ffc9e988279 in enum2$<core::option::Option<usize> >::unwrap_or_else /rustc/82e1608dfa6e0b5569232559e3d385fea5a93112\library\core\src\option.rs:976
#8 0x7ffc9e988279 in wgpu_hal::dx12::descriptor::CpuPool::alloc_handle /builds/worker/checkouts/gecko/third_party/rust/wgpu-hal/src/dx12/descriptor.rs:197
#9 0x7ffc9e98d74f in wgpu_hal::dx12::device::impl$1::create_sampler /builds/worker/checkouts/gecko/third_party/rust/wgpu-hal/src/dx12/device.rs:585
#10 0x7ffc9e879e1a in wgpu_core::device::resource::Device<wgpu_hal::dx12::Api>::create_sampler /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/resource.rs:1295
#11 0x7ffc9e879e1a in wgpu_core::global::Global<wgpu_bindings::identity::IdentityRecyclerFactory>::device_create_sampler /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/global.rs:887
#12 0x7ffc9e879e1a in wgpu_bindings::server::Global::device_action<wgpu_hal::dx12::Api> /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:669
#13 0x7ffc9e863b8b in wgpu_server_device_action /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:921
#14 0x7ffc94a1f685 in mozilla::webgpu::WebGPUParent::RecvDeviceAction(unsigned __int64, class mozilla::ipc::ByteBuf const &) /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:1278
#15 0x7ffc94a3db12 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:283
#16 0x7ffc911421a5 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:279
#17 0x7ffc8fce1c7f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813
#18 0x7ffc8fcdf451 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732
#19 0x7ffc8fce02ed in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525
#20 0x7ffc8fce0a51 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623
#21 0x7ffc8e572d76 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193
#22 0x7ffc8e5837ea in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
#23 0x7ffc8fceafeb in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#24 0x7ffc8fc04c43 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
#25 0x7ffc8fc04c43 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
#26 0x7ffc8fc04a0a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
#27 0x7ffc8e5690fd in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370
#28 0x7ffcaa827397 in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#29 0x7ffcaa7ff72c in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#30 0x7ffcf5e11bb1 (C:\WINDOWS\System32\ucrtbase.dll+0x180021bb1)
#31 0x7ffcaac20705 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:291
#32 0x7ffcf69f7343 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017343)
#33 0x7ffcc9099b7e in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
#34 0x7ffcc9099b7e in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:561
#35 0x7ffcf85026b0 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)
Comment 1•1 year ago
With a debug build this test triggers: Hit MOZ_CRASH(assertion failed: !self.is_null()) at /builds/worker/checkouts/gecko/third_party/rust/d3d12/src/com.rs:88
Comment 2•1 year ago
Comment 3•1 year ago
Verified bug as reproducible on mozilla-central 20240112173417-734e2e027196.
The bug appears to have been introduced in the following build range:
Start: ba00fe639072b671be556332e4628092d64d31df (20230615205119)
End: 08fd41d3ba9b86259882ef3f3a02a49faa61a5c5 (20230616001721)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ba00fe639072b671be556332e4628092d64d31df&tochange=08fd41d3ba9b86259882ef3f3a02a49faa61a5c5
Comment 4•1 year ago
WebGPU is as-yet unreleased, and locked to Nightly. Do we really need tracking on this?
Comment 5•1 year ago
We are losing the device because of some invalid API usage (see log below):
D3D12 ERROR: ID3D12Device::CreateShaderResourceView: The Plane Slice 0 cannot be used when the resource format is R24G8_TYPELESS and the view format is X24_TYPELESS_G8_UINT. See documentation for the set of valid view format names for this resource format, determining which how the resource (or part of it) will appear to shader. [ STATE_CREATION ERROR #29: CREATESHADERRESOURCEVIEW_INVALIDVIDEOPLANESLICE]
D3D12: Removing Device.
D3D12 ERROR: ID3D12Device::RemoveDevice: Device removal has been triggered for the following reason (DXGI_ERROR_INVALID_CALL: There is strong evidence that the application has performed an illegal or undefined operation, and such a condition could not be returned to the application cleanly through a return code). [ EXECUTION ERROR #232: DEVICE_REMOVAL_PROCESS_AT_FAULT]
Exception thrown at 0x00007FFA9C07CF19 in firefox.exe: Microsoft C++ exception: _com_error at memory location 0x0000001DE87F9A80.
Exception thrown at 0x00007FFA9C07CF19 in firefox.exe: Microsoft C++ exception: _com_error at memory location 0x0000001DE87F9DF8.
Exception thrown at 0x00007FFA9C07CF19 in firefox.exe: Microsoft C++ exception: _com_error at memory location 0x0000001DE87FAB80.
The current wgpu revision isn't checking the hresult when creating a descriptor heap, which leads to a null comptr being created and then this crash. wgpu trunk has the missing checks, which will turn the crash into an error, which will look like the problem is fixed, but the invalid API usage still needs fixing.
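The failure mode described in this comment (an ignored HRESULT from a COM factory call, followed by wrapping and dereferencing the null out-pointer) can be shown without a GPU. The following Rust program is an added example, not wgpu's or d3d12-rs's code: `Device`, `DescriptorHeap` and `ComPtr` are constructed stand-ins that only mimic the COM calling convention (HRESULT return value, object delivered through an out-pointer that stays null on failure). The `DXGI_ERROR_DEVICE_REMOVED` value is the real Win32 constant; everything else, including the `0x1000` handle value, is made up for the example. `create_heap_unchecked` reproduces the unchecked pattern and `create_heap_checked` the corrected one; the `debug_assert!` in `start_cpu_descriptor` plays the role of the `!self.is_null()` assertion from comment 1, and in a release build the same line would read through null, which is the ASan access-violation at the top of this report.

```rust
use std::ptr;

// Constructed stand-in for a Win32 HRESULT; the DXGI constant is the real value.
type Hresult = i32;
const S_OK: Hresult = 0;
const DXGI_ERROR_DEVICE_REMOVED: Hresult = 0x887A_0005_u32 as i32;

/// FAILED() from winerror.h: any negative HRESULT is a failure.
fn failed(hr: Hresult) -> bool {
    hr < 0
}

/// Stand-in for an ID3D12DescriptorHeap (constructed, not the real interface).
struct DescriptorHeap {
    cpu_start: usize,
}

/// Stand-in for ID3D12Device carrying the "device removed" state from the D3D12 log above.
struct Device {
    removed: bool,
}

impl Device {
    /// Mimics ID3D12Device::CreateDescriptorHeap's COM convention: the return value is an
    /// HRESULT and the object comes back through `out`, which is left null on failure.
    fn create_descriptor_heap(&self, out: &mut *mut DescriptorHeap) -> Hresult {
        if self.removed {
            *out = ptr::null_mut();
            return DXGI_ERROR_DEVICE_REMOVED;
        }
        *out = Box::into_raw(Box::new(DescriptorHeap { cpu_start: 0x1000 }));
        S_OK
    }
}

/// Minimal owning wrapper in the spirit of d3d12::com::ComPtr (assumed shape).
struct ComPtr<T>(*mut T);

impl<T> ComPtr<T> {
    fn is_null(&self) -> bool {
        self.0.is_null()
    }
}

impl ComPtr<DescriptorHeap> {
    /// Equivalent of start_cpu_descriptor: dereferences the wrapped pointer. The debug
    /// assertion matches the MOZ_CRASH in comment 1; a release build reads through null.
    fn start_cpu_descriptor(&self) -> usize {
        debug_assert!(!self.0.is_null(), "null ComPtr");
        // SAFETY: non-null pointers here always come from Box::into_raw above.
        unsafe { (*self.0).cpu_start }
    }
}

impl<T> Drop for ComPtr<T> {
    fn drop(&mut self) {
        if !self.0.is_null() {
            // SAFETY: the pointer was produced by Box::into_raw in create_descriptor_heap.
            unsafe { drop(Box::from_raw(self.0)) };
        }
    }
}

/// The pattern this comment describes: the HRESULT is discarded and whatever is in the
/// out-pointer (null after device loss) is wrapped and dereferenced later.
fn create_heap_unchecked(device: &Device) -> ComPtr<DescriptorHeap> {
    let mut raw = ptr::null_mut();
    let _ = device.create_descriptor_heap(&mut raw); // result ignored
    ComPtr(raw)
}

/// The corrected pattern: check the HRESULT (and the pointer) before wrapping, and hand
/// the device-loss error back to the caller instead of a null object.
fn create_heap_checked(device: &Device) -> Result<ComPtr<DescriptorHeap>, Hresult> {
    let mut raw = ptr::null_mut();
    let hr = device.create_descriptor_heap(&mut raw);
    if failed(hr) || raw.is_null() {
        return Err(hr);
    }
    Ok(ComPtr(raw))
}

fn main() {
    let lost = Device { removed: true };
    println!(
        "unchecked wrapper holds null after device loss: {}",
        create_heap_unchecked(&lost).is_null()
    );
    match create_heap_checked(&lost) {
        Ok(_) => println!("unexpected success"),
        Err(hr) => println!("checked path reports HRESULT {hr:#x}"),
    }
    let healthy = Device { removed: false };
    let heap = create_heap_checked(&healthy).ok().unwrap();
    println!("healthy device heap start: {:#x}", heap.start_cpu_descriptor());
}
```

The check that matters is on the HRESULT, not only on the pointer: D3D12 may hand back a failure code with a null out-pointer after the device has been removed, so a wrapper that is built before the result is inspected will carry the null into every later call that expects a live heap.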
Comment 6•1 year ago
Filed https://github.com/gfx-rs/wgpu/issues/5097 upstream
Comment 7•1 year ago
Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:nical, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
Comment 8•1 year ago
gfx-rs/wgpu #5097 has merged. Now tracking against bug 1875543.
Comment 9•1 year ago
Testcase crashes using the initial build (mozilla-central 20231112094805-43bee97ffb8c) but not with tip (mozilla-central 20240209214145-9c7562b79131).
The bug appears to have been fixed in the following build range:
Start: f3efca74da0f43269bd8ac07e2a5d27e89c4d7c3 (20240123145016)
End: 936300bf2ee78e086143fb3718e2c0af755385b0 (20240123160955)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f3efca74da0f43269bd8ac07e2a5d27e89c4d7c3&tochange=936300bf2ee78e086143fb3718e2c0af755385b0
nical, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.