Crash [@ RefPtr]
Categories: Core :: Graphics: WebGPU, defect
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 643848d855eb (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 643848d855eb --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla --repeat 10 --relaunch 1 ./firefox/firefox <bugid>
[@ RefPtr]
==788158==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000000000a0 (pc 0x779939db71c9 bp 0x7ffc8210e130 sp 0x7ffc8210e120 T788158)
==788158==The signal is caused by a READ memory access.
==788158==Hint: address points to the zero page.
#0 0x779939db71c9 in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:92:27
#1 0x779939db71c9 in mozilla::webgpu::Device::GetBridge() /dom/webgpu/Device.cpp:57:50
#2 0x779939ddfde6 in mozilla::webgpu::TextureView::Cleanup() /dom/webgpu/TextureView.cpp:35:45
#3 0x779939ddfd70 in mozilla::webgpu::TextureView::cycleCollection::Unlink(void*) /dom/webgpu/TextureView.cpp:15:1
#4 0x7799365b8a9e in nsCycleCollector::CollectWhite() /xpcom/base/nsCycleCollector.cpp:3161:26
#5 0x7799365ba5a8 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3531:26
#6 0x7799365ba1ad in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3442:20
#7 0x7799365bb706 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3741:5
#8 0x7799365bd1ad in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4067:18
#9 0x77993670177b in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:718:3
#10 0x77993dc6bfbc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:651:16
#11 0x567633e8a5c6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#12 0x567633e8a5c6 in main /browser/app/nsBrowserApp.cpp:375:18
#13 0x77994c79cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x77994c79ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
#15 0x567633e602f8 in _start (/home/jkratzer/builds/m-c-20240409093900-fuzzing-debug/firefox-bin+0x592f8) (BuildId: ee2187d63f331818083659cf4411c425a899e839)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:92:27 in RefPtr
==788158==ABORTING
Comment 3•6 months ago
Verified bug as reproducible on mozilla-central 20240409093900-643848d855eb.
The bug appears to have been introduced in the following build range:
Start: ea8ea972270ddb95f071f900f9199fb7ff95bb10 (20240405093900)
End: bb1591f8008a0b1f33fe132528ee339ab149082f (20240405095510)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ea8ea972270ddb95f071f900f9199fb7ff95bb10&tochange=bb1591f8008a0b1f33fe132528ee339ab149082f
Comment 4•6 months ago
I think this is the same as 1890219, which has a fix but hasn't landed yet.
Updated•6 months ago
Comment 6•6 months ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.