Closed Bug 1883800 Opened 4 months ago Closed 4 months ago

Hit MOZ_CRASH(Tried to insert buffer already tracked) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/buffer.rs:398

Categories

(Core :: Graphics: WebGPU, defect, P1)

Product:
Core
Component:
Graphics: WebGPU
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox123 --- unaffected
firefox124 --- unaffected
firefox125 --- fixed

People

(Reporter: tsmith, Assigned: ErichDonGubler)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file, 1 obsolete file)

testcase.html
463 bytes, text/html
Details
Attached file testcase.html

Found while fuzzing m-c 20240228-06645f775e47 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(Tried to insert buffer already tracked) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/buffer.rs:398

#0 0x7f603a9e8b55 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:301:3
#1 0x7f603a9e8b55 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f603a9e844b in mozglue_static::panic_hook::h08f0b8cf893a7d1b /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96:9
#3 0x7f603a9e844b in core::ops::function::Fn::call::h470351fe87853971 /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/core/src/ops/function.rs:79:5
#4 0x7f603ba606d5 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::hbc5ccf4eb663e1e5 /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/alloc/src/boxed.rs:2029:9
#5 0x7f603ba606d5 in std::panicking::rust_panic_with_hook::h095fccf1dc9379ee /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/std/src/panicking.rs:783:13
#6 0x7f603ba603e8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h032ba12139b353db /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/std/src/panicking.rs:649:13
#7 0x7f603ba5d915 in std::sys_common::backtrace::__rust_end_short_backtrace::h9259bc2ff8fd0f76 /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/std/src/sys_common/backtrace.rs:171:18
#8 0x7f603ba6017f in rust_begin_unwind /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/std/src/panicking.rs:645:5
#9 0x7f603baac174 in core::panicking::panic_fmt::h784f20a50eaab275 /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library/core/src/panicking.rs:72:14
#10 0x7f6039b7c3ae in wgpu_core::track::buffer::BufferTracker$LT$A$GT$::insert_single::he3755ccc5248dce7 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/buffer.rs:398:17
#11 0x7f6039b7c3ae in wgpu_core::device::global::_$LT$impl$u20$wgpu_core..global..Global$GT$::device_create_buffer::h21441898a3de5c70 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/global.rs:255:13
#12 0x7f6039b7c3ae in wgpu_server_device_create_buffer /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:474:9
#13 0x7f6033f5a749 in mozilla::webgpu::WebGPUParent::RecvDeviceCreateBuffer(unsigned long, unsigned long, mozilla::dom::GPUBufferDescriptor&&, mozilla::ipc::UnsafeSharedMemoryHandle&&) /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:472:3
#14 0x7f6033f6da1d in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:764:80
#15 0x7f60320b7b9d in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:290:32
#16 0x7f60315f311f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1812:25
#17 0x7f60315efe72 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1731:9
#18 0x7f60315f0af2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1524:3
#19 0x7f60315f1c3f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1622:14
#20 0x7f603090c7f1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#21 0x7f60309137cd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#22 0x7f60315fa32e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#23 0x7f603150f411 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#24 0x7f603150f411 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#25 0x7f6030907ac3 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#26 0x7f604570c66f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#27 0x7f6045494ac2 in start_thread nptl/pthread_create.c:442:8
#28 0x7f604552684f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/fe8d35bb-ad78-4f3d-8a20-fa4d20240306

Crash Signature: [@ wgpu_bindings::server::wgpu_server_device_create_buffer ]

Verified bug as reproducible on mozilla-central 20240306044140-099f52f30c39.
The bug appears to have been introduced in the following build range:

Start: 149f61eecb69d6cf570be79260785c5b4a42e516 (20240227190003)
End: 612e5052e6e1b87c661886c015e3888c21730558 (20240227202530)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=149f61eecb69d6cf570be79260785c5b4a42e516&tochange=612e5052e6e1b87c661886c015e3888c21730558

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1879989

Set release status flags based on info from the regressing bug 1879989

:ErichDonGubler, since you are the author of the regressor, bug 1879989, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox123: --- → unaffected
status-firefox124: --- → unaffected
status-firefox-esr115: --- → unaffected
Flags: needinfo?(egubler)

I think I've identified a fix here, which I've attached as a WIP patch. Need to test it still.

Flags: needinfo?(egubler)
Severity: -- → S3
Priority: -- → P1
Assignee: nobody → egubler
Status: NEW → ASSIGNED

I have successfully tested a fix, which needs to merged implemented upstream. See wgpu#5359.

wgpu#5359 has been merged. Now awaiting webgpu-update-wgpu.

Depends on: webgpu-update-wgpu
Attachment #9389816 - Attachment is obsolete: true
No longer depends on: webgpu-update-wgpu
Depends on: 1884946

This should be resolved now.

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20240313094814-4f7a5399c1cc.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
status-firefox125: fix-optionalfixed
Target Milestone: --- → 125 Branch
See Also: → 1891140
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: