Crash [@ CanSend]
Categories
(Core :: Graphics: WebGPU, defect, P2)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox127 | --- | fixed |
People
(Reporter: jkratzer, Assigned: bradwerth)
References
(Blocks 1 open bug)
Details
(Keywords: testcase-wanted, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(2 files)
Found while fuzzing mozilla-central rev 9325b48bdcc6 (built with: --enable-address-sanitizer --enable-fuzzing).
This is currently one of our top fuzz blockers and appears to be a recent regression.
Currently, I only have access to raw testcases. The minimized testcases are very unreliable. I've managed to get a pernosco session for this bug and will attach it here shortly.
[@ CanSend]

```
=================================================================
==88226==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x7fb44d513d80 bp 0x7ffdc8d158d0 sp 0x7ffdc8d158a0 T0)
==88226==The signal is caused by a READ memory access.
==88226==Hint: address points to the zero page.
#0 0x7fb44d513d80 in CanSend /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:206:45
#1 0x7fb44d513d80 in mozilla::webgpu::ComputePipeline::Cleanup() /gecko/dom/webgpu/ComputePipeline.cpp:36:15
#2 0x7fb44d513c20 in mozilla::webgpu::ComputePipeline::cycleCollection::Unlink(void*) /gecko/dom/webgpu/ComputePipeline.cpp:14:1
#3 0x7fb4460b1d4c in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3161:26
#4 0x7fb4460b6298 in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3531:26
#5 0x7fb4460b57ba in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3442:20
#6 0x7fb4460b8486 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3741:5
#7 0x7fb4460babf0 in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:4067:18
#8 0x7fb446368f37 in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:718:3
#9 0x7fb45697f6d2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:651:16
#10 0x5615936c1b5c in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#11 0x5615936c1b5c in main /gecko/browser/app/nsBrowserApp.cpp:375:18
#12 0x7fb46f3a3d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#13 0x7fb46f3a3e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#14 0x5615935e5e68 in _start (/home/worker/builds/m-c-20240423153912-fuzzing-asan-opt/firefox+0xdce68) (BuildId: 7b4a47f9c3e60a08c06513e23c320d9d72aa6149)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:206:45 in CanSend
==88226==ABORTING
```
Comment 3•1 year ago
There are 33 crashes from 21 Nightly installs on all desktop OSes. First reported build is 127.0a1 20240422214652.
Bug 1892774 fixed a typo in a condition in dom/webgpu/ComputePipeline.cpp.
Nika also landed IPC destruction/CC code for the same Nightly in bug 1879375, bug 1875528 and bug 1724083.
Comment 4•1 year ago (Assignee)
Seems like bridge certainly can be null in both ComputePipeline::Cleanup and in ComputePipeline::GetBindGroupLayout. I'll build a patch that handles this and let the webgpu reviewers decide what's the right state management for this object.
Comment 5•1 year ago (Assignee)
This aligns the implementation with RenderPipeline::Cleanup(). It also adds a drive-by assert to GetBindGroupLayout() in both classes to add confidence that the bridge is in the expected state.
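The failure mode described in Comments 4 and 5 is a cycle-collector Unlink() running Cleanup() after the IPC bridge has already gone away, so the `CanSend()` call dereferences a null actor (the faulting address 0x11 in the trace is a field offset from null). The following is an added, self-contained model of that pattern and of the guard the patch describes; it is not Gecko's code, and `Bridge`, `CleanupResult`, `SendComputePipelineDrop` and `SimulateUnlink` are stand-ins invented for this example rather than Mozilla's real WebGPU or IPDL types.

```cpp
#include <cassert>
#include <cstdio>

// Stand-in for the IPDL child actor that a pipeline object talks to.
// Constructed for this example; it is not mozilla::webgpu::WebGPUChild.
struct Bridge {
  bool channelOpen = true;   // false once the IPC channel has been closed
  int dropsSent = 0;         // how many "drop" messages reached the actor
  bool CanSend() const { return channelOpen; }
  void SendComputePipelineDrop(int id) { (void)id; ++dropsSent; }
};

// What Cleanup() decided to do, so callers and tests can check it.
enum class CleanupResult { AlreadyDone, NoBridge, ChannelClosed, DropSent };

// Stand-in for a DOM-side pipeline object owned by the cycle collector.
struct ComputePipeline {
  Bridge* mBridge;   // may be null if the owning device was already torn down
  int mId;
  bool mValid = true;

  ComputePipeline(Bridge* bridge, int id) : mBridge(bridge), mId(id) {}

  // Hardened cleanup: the null check is the piece missing in the crashing
  // version, which called mBridge->CanSend() unconditionally. Unlink() can
  // run at shutdown after the bridge is gone, so null is a legitimate state.
  CleanupResult Cleanup() {
    if (!mValid) {
      return CleanupResult::AlreadyDone;   // idempotent: Unlink may run twice
    }
    mValid = false;
    if (!mBridge) {
      return CleanupResult::NoBridge;      // nothing to notify; do not deref
    }
    if (!mBridge->CanSend()) {
      return CleanupResult::ChannelClosed; // actor exists but channel is dead
    }
    mBridge->SendComputePipelineDrop(mId);
    return CleanupResult::DropSent;
  }

  // Accessor that must only run while the bridge is live; the assert is the
  // "drive-by" kind the patch adds to GetBindGroupLayout(): it documents the
  // expected state in debug builds instead of silently dereferencing null.
  Bridge* LiveBridge() {
    assert(mBridge && mBridge->CanSend() && "bridge expected to be live");
    return mBridge;
  }
};

// Models the cycle collector unlinking one pipeline that points at `bridge`.
CleanupResult SimulateUnlink(Bridge* bridge, int id) {
  ComputePipeline pipeline(bridge, id);
  return pipeline.Cleanup();
}

int main() {
  Bridge live;
  std::printf("live bridge:   %d\n", (int)SimulateUnlink(&live, 1));   // DropSent
  std::printf("null bridge:   %d\n", (int)SimulateUnlink(nullptr, 2)); // NoBridge
  Bridge closed;
  closed.channelOpen = false;
  std::printf("closed bridge: %d\n", (int)SimulateUnlink(&closed, 3)); // ChannelClosed
  return 0;
}
```

The null-bridge and closed-channel branches are the two cases that differ: `CanSend()` only answers the second question, so it cannot stand in for the first, and the order of the checks matters.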