Closed Bug 1888178 Opened 10 months ago Closed 7 months ago

Hit MOZ_CRASH(index out of bounds: the len is 2 but the index is 2) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/storage.rs:201

Categories

(Core :: Graphics: WebGPU, defect, P1)

Product:
Core
Component:
Graphics: WebGPU
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox126 --- disabled
firefox127 --- disabled
firefox128 --- disabled
firefox129 --- fixed

People

(Reporter: tsmith, Assigned: teoxoy)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, Whiteboard: [fuzzblocker])

Attachments

(5 files)

testcase.html
578 bytes, text/html
Details
log_stderr.txt
29.94 KB, text/plain
Details
trace.ron
1.65 KB, application/octet-stream
Details
about:support-webgpu-erichdongubler-igpu.txt
4.08 KB, text/plain
Details
Bug 1888178 - make swapchain texture creation error handling more robust. r=#webgpu-reviewers
48 bytes, text/x-phabricator-request
Details | Review

Found while fuzzing m-c 20240322-5d6efea5e0bb (--enable-debug --enable-fuzzing)

This issue is being reported frequently but is not reliably reproducible. A reduced test case is unavailable at this time.

Hit MOZ_CRASH(index out of bounds: the len is 2 but the index is 2) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/storage.rs:201

#0 0x7ffd4d4c3a57 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:43
#1 0x7ffd4d4c3a57 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:300
#2 0x7ffd4d4c3a57 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17
#3 0x7ffd4b55421f in mozglue_static::panic_hook /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96
#4 0x7ffd4b55421f in core::ops::function::FnOnce::call_once /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce\library\core\src\ops\function.rs:250
#5 0x7ffd4b55421f in core::ops::function::FnOnce::call_once<void (*)(ref$<core::panic::panic_info::PanicInfo>),tuple$<ref$<core::panic::panic_info::PanicInfo> > > /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce\library\core\src\ops\function.rs:79
#6 0x7ffd4b8536f7 in alloc::boxed::impl$49::call /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\alloc\src\boxed.rs:2029
#7 0x7ffd4b8536f7 in std::panicking::rust_panic_with_hook /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:783
#8 0x7ffd4b853578 in std::panicking::begin_panic_handler::closure$0 /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:657
#9 0x7ffd4b8534b8 in std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$> /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:171
#10 0x7ffd4b8534a1 in std::panicking::begin_panic_handler /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:645
#11 0x7ffd4dd1c326 in core::panicking::panic_fmt /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\panicking.rs:72
#12 0x7ffd4dd1c423 in core::panicking::panic_bounds_check /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\panicking.rs:208
#13 0x7ffd4c060c30 in wgpu_server_texture_drop /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:1264
#14 0x7ffd41e814ea in mozilla::webgpu::WebGPUParent::RecvTextureDrop /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:709
#15 0x7ffd41e814ea in mozilla::webgpu::PWebGPUParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1400
#16 0x7ffd3e54b695 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:290
#17 0x7ffd3d0ab5cf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1818
#18 0x7ffd3d0a8da1 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1737
#19 0x7ffd3d0a9c3d in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530
#20 0x7ffd3d0aa3a1 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1628
#21 0x7ffd3b915926 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193
#22 0x7ffd3b926f8a in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
#23 0x7ffd3d0b4aff in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330
#24 0x7ffd3cfc0383 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
#25 0x7ffd3cfc0383 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
#26 0x7ffd3cfc014a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
#27 0x7ffd3b90bcad in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370
#28 0x7ffd5de7b277 in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#29 0x7ffd5de5360c in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#30 0x7ffd7edb6b4b  (C:\Windows\System32\ucrtbase.dll+0x180026b4b)
#31 0x7ffd5e270715 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:291
#32 0x12e86284002e  (<unknown module>)
#33 0xb2061ffe3f  (<unknown module>)
#34 0x7ffd5e27225e in CreateThread (C:\Users\task_171110928223025\builds\m-c-20240322093041-fuzzing-asan-opt\clang_rt.asan_dynamic-x86_64.dll+0x18005225e)
#35 0x2f  (<unknown module>)
#36 0xb2061ffdb7  (<unknown module>)
#37 0xb2061ffe3f  (<unknown module>)
#38 0x7ffd6ba97e7e in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
#39 0x7ffd6ba97e7e in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:558
#40 0x7ffd80fee8aa  (C:\Windows\SYSTEM32\ntdll.dll+0x18007e8aa)
Severity: -- → S3
Flags: needinfo?(egubler)

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimb, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(jimb)

S3 is appropriate, because WebGPU isn't shipped yet. This may, however, be indicative of needing a higher priority than before.

Flags: needinfo?(egubler)
Priority: -- → P1

This bug is one of our most prolific fuzz blockers. Is there anything we can do to re-prioritize this?

Assignee: nobody → egubler
Status: NEW → ASSIGNED
OS: Unspecified → Windows
Attached file testcase.html

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --asan --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox.exe 1888178

One additional note, I was only able to reproduce this on a machine without an actual GPU.

Attached file log_stderr.txt
Attached file trace.ron
I am unable to reproduce this on a device with an integrated GPU (a machine with an N7 Z590 mobo). I've attached the WebGPU portion of my `about:support` page with `about:support-webgpu-erichdongubler-igpu.txt`.
Pushed by ttanasoaia@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/802dfcfa2927 make swapchain texture creation error handling more robust. r=webgpu-reviewers,nical

We on the WebGPU team believe that :teoxoy's (landed) patch D213800 has a strong chance of resolving this issue. :jkratzner is on PTO, but we look forward to his testing to confirm or refute the fix when he gets back.

Flags: needinfo?(jimb) → needinfo?(jkratzer)
See Also: → 1888174, 1888175

I hear from :jimb that :tsmith is a good person to request help from to try to carry this issue forward while :jkratzner is OOO. NI'ing; :tsmith, I'm happy to loop you in via whatever sync. or async. medium is best for you. 🙂 Short summary: Could you please confirm whether this crash is reproducible after Teo's fix, which has already landed in central.

Flags: needinfo?(twsmith)

I've tried all my local machines and I can't reproduce the error so I won't be able to verify it locally. I will be able to verify the issue once a build with the patch applied is running in automation. I will provide an update at that time.

The issue is no longer being reported by fuzzers. It was last reported while running m-c 1ddf59a206f4.

Flags: needinfo?(twsmith)

Marking this as resolved, then! 🙌🏻 Kudos, :teoxoy.

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Flags: needinfo?(jkratzer)
Keywords: leave-open
Resolution: --- → FIXED
Assignee: egubler → ttanasoaia
status-firefox126: affecteddisabled
status-firefox127: --- → disabled
status-firefox128: --- → disabled
status-firefox129: --- → fixed
status-firefox-esr115: --- → unaffected
Target Milestone: --- → 129 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: