Closed Bug 1890530 Opened 6 months ago Closed 6 months ago

Crash [@ RefPtr]

Categories

(Core :: Graphics: WebGPU, defect)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1890219

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 643848d855eb (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 643848d855eb --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla --repeat 10 --relaunch 1 ./firefox/firefox <bugid>
[@ RefPtr]

    ==788158==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x0000000000a0 (pc 0x779939db71c9 bp 0x7ffc8210e130 sp 0x7ffc8210e120 T788158)
    ==788158==The signal is caused by a READ memory access.
    ==788158==Hint: address points to the zero page.
        #0 0x779939db71c9 in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:92:27
        #1 0x779939db71c9 in mozilla::webgpu::Device::GetBridge() /dom/webgpu/Device.cpp:57:50
        #2 0x779939ddfde6 in mozilla::webgpu::TextureView::Cleanup() /dom/webgpu/TextureView.cpp:35:45
        #3 0x779939ddfd70 in mozilla::webgpu::TextureView::cycleCollection::Unlink(void*) /dom/webgpu/TextureView.cpp:15:1
        #4 0x7799365b8a9e in nsCycleCollector::CollectWhite() /xpcom/base/nsCycleCollector.cpp:3161:26
        #5 0x7799365ba5a8 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3531:26
        #6 0x7799365ba1ad in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3442:20
        #7 0x7799365bb706 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3741:5
        #8 0x7799365bd1ad in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:4067:18
        #9 0x77993670177b in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:718:3
        #10 0x77993dc6bfbc in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:651:16
        #11 0x567633e8a5c6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #12 0x567633e8a5c6 in main /browser/app/nsBrowserApp.cpp:375:18
        #13 0x77994c79cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #14 0x77994c79ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #15 0x567633e602f8 in _start (/home/jkratzer/builds/m-c-20240409093900-fuzzing-debug/firefox-bin+0x592f8) (BuildId: ee2187d63f331818083659cf4411c425a899e839)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:92:27 in RefPtr
    ==788158==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240409093900-643848d855eb.
The bug appears to have been introduced in the following build range:

Start: ea8ea972270ddb95f071f900f9199fb7ff95bb10 (20240405093900)
End: bb1591f8008a0b1f33fe132528ee339ab149082f (20240405095510)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ea8ea972270ddb95f071f900f9199fb7ff95bb10&tochange=bb1591f8008a0b1f33fe132528ee339ab149082f

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

I think this is the same as 1890219 which has a fix but hasn't landed yet.

See Also: → 1890219
See Also: 1890219
Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1890219
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon