Closed Bug 1931929 Opened 12 days ago Closed 3 days ago

Hit MOZ_CRASH(Buffer is destroyed) at /third_party/rust/wgpu-core/src/track/mod.rs:264

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr128 --- unaffected
firefox132 --- unaffected
firefox133 --- unaffected
firefox134 --- disabled
firefox135 --- fixed

People

(Reporter: jkratzer, Assigned: ErichDonGubler)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 67b3e32e08bb (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 67b3e32e08bb --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Buffer is destroyed) at /third_party/rust/wgpu-core/src/track/mod.rs:264

    =================================================================
    ==96247==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x749d55e102f7 bp 0x749d00dfe670 sp 0x749d00dfe660 T50)
    ==96247==The signal is caused by a WRITE memory access.
    ==96247==Hint: address points to the zero page.
        #0 0x749d55e102f7 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:324:3
        #1 0x749d55e102f7 in RustMozCrash /gecko/mozglue/static/rust/wrappers.cpp:18:3
        #2 0x749d55e0eb8e in mozglue_static::panic_hook::hdca720bc3f76da3d /gecko/mozglue/static/rust/lib.rs:102:9
        #3 0x749d55e0eb8e in core::ops::function::Fn::call::h8f853c6dc6fd4b8a /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
        #4 0x749d5923be84 in std::panicking::rust_panic_with_hook::h0c15db9fe1a518fe std.4dd631fead81e61f-cgu.07
        #5 0x749d5925dbd6 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h2060c42a42ddfa61 std.4dd631fead81e61f-cgu.15
        #6 0x749d5925d788 in std::sys::backtrace::__rust_end_short_backtrace::h847fed22d6b380d1 std.4dd631fead81e61f-cgu.15
        #7 0x749d5923b803 in rust_begin_unwind std.4dd631fead81e61f-cgu.07
        #8 0x749d59276052 in core::panicking::panic_fmt::h3b8e088a44a40c49 core.94660c13282c6d7-cgu.06
        #9 0x749d5927211a in core::option::expect_failed::haecc40d93e795735 core.94660c13282c6d7-cgu.03
        #10 0x749d538c2981 in core::option::Option$LT$T$GT$::expect::h2d840256434a6972 /builds/worker/fetches/rust/library/core/src/option.rs:933:21
        #11 0x749d538c2981 in wgpu_core::track::PendingTransition$LT$wgpu_hal..BufferUses$GT$::into_hal::h9d11c0a1cf367be0 /gecko/third_party/rust/wgpu-core/src/track/mod.rs:264:44
        #12 0x749d538c2981 in wgpu_core::command::query::_$LT$impl$u20$wgpu_core..global..Global$GT$::command_encoder_resolve_query_set::_$u7b$$u7b$closure$u7d$$u7d$::hf50f4117b94cd847 /gecko/third_party/rust/wgpu-core/src/command/query.rs:397:53
        #13 0x749d538c2981 in core::option::Option$LT$T$GT$::map::hf8e79022584c5740 /builds/worker/fetches/rust/library/core/src/option.rs:1110:29
        #14 0x749d538c2981 in wgpu_core::command::query::_$LT$impl$u20$wgpu_core..global..Global$GT$::command_encoder_resolve_query_set::h1d8da3eb9200f325 /gecko/third_party/rust/wgpu-core/src/command/query.rs:397:39
        #15 0x749d535e183d in wgpu_bindings::server::Global::command_encoder_action::h697a96a5e576c2db /gecko/gfx/wgpu_bindings/src/server.rs:1992:35
        #16 0x749d535e183d in wgpu_server_command_encoder_action /gecko/gfx/wgpu_bindings/src/server.rs:2085:5
        #17 0x749d4a9ca25a in mozilla::webgpu::WebGPUParent::RecvCommandEncoderAction(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&) /gecko/dom/webgpu/ipc/WebGPUParent.cpp:1452:3
        #18 0x749d4a9e9293 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:495:80
        #19 0x749d47240595 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:261:32
        #20 0x749d45825e95 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1726:25
        #21 0x749d458220cf in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /gecko/ipc/glue/MessageChannel.cpp:1653:9
        #22 0x749d45822ff1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1444:3
        #23 0x749d45824543 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1544:14
        #24 0x749d4425ff96 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1149:16
        #25 0x749d4426a8b8 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
        #26 0x749d4582f6f5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:329:5
        #27 0x749d45712e14 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:369:10
        #28 0x749d45712e14 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:362:3
        #29 0x749d45712e14 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:344:3
        #30 0x749d44258bac in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:366:10
        #31 0x749d655eb5fb in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
        #32 0x624eac3af578 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
        #33 0x749d65bd7ac2 in start_thread nptl/pthread_create.c:442:8
        #34 0x749d65c68a03 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:324:3 in MOZ_Crash
    Thread T50 created by T0 here:
        #0 0x624eac398f81 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
        #1 0x749d655dbfb8 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:429:10
        #2 0x749d655ca12e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:496:10
        #3 0x749d4425b6c1 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:615:20
        #4 0x749d44269176 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:606:22
        #5 0x749d44273cb9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /gecko/xpcom/threads/nsThreadUtils.cpp:176:57
        #6 0x749d47205eed in NS_NewNamedThread<15UL> /gecko/xpcom/threads/nsThreadUtils.h:76:10
        #7 0x749d47205eed in mozilla::gfx::CanvasRenderThread::Start() /gecko/gfx/ipc/CanvasRenderThread.cpp:115:17
        #8 0x749d46ffde7d in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:969:3
        #9 0x749d4e732794 in GetPlatform /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:182:7
        #10 0x749d4e732794 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1809:25
        #11 0x749d442a866d in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
        #12 0x749d45afcd9a in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1620:10
        #13 0x749d45afcd9a in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1174:19
        #14 0x749d45afcd9a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1120:23
        #15 0x749d45b01a3c in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1451:12
        #16 0x749d45b01a3c in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1006:10
        #17 0x749d508c3034 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:532:13
        #18 0x749d508c3034 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:628:12
        #19 0x749d508c4f6c in InternalCall /gecko/js/src/vm/Interpreter.cpp:695:10
        #20 0x749d508c4f6c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:727:8
        #21 0x749d508c6d5a in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:849:10
        #22 0x749d50c80f4a in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2149:12
        #23 0x749d50c63f77 in GetExistingProperty<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2177:12
        #24 0x749d50c63f77 in NativeGetPropertyInline<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2330:14
        #25 0x749d50c63f77 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2360:10
        #26 0x749d5191c00a in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:117:10
        #27 0x749d5191c00a in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:394:10
        #28 0x749d5191c00a in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:491:10
        #29 0x749d5191c00a in GetElementOperation /gecko/js/src/vm/Interpreter-inl.h:499:10
        #30 0x749d5191c00a in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/BaselineIC.cpp:727:8
        #31 0x214dac0a5b63  ([anon:js-executable-memory]+0x2b63)
        #32 0x214dac22b509  ([anon:js-executable-memory]+0x8509)
        #33 0x214dac0a34e5  ([anon:js-executable-memory]+0x4e5)
        #34 0x749d5227b244 in EnterJit /gecko/js/src/jit/Jit.cpp:114:5
        #35 0x749d5227b244 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /gecko/js/src/jit/Jit.cpp:260:10
        #36 0x749d508e2f51 in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3368:40
        #37 0x749d508c1f2f in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:433:10
        #38 0x749d508c1f2f in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:502:13
        #39 0x749d508c31aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:660:13
        #40 0x749d508c4f6c in InternalCall /gecko/js/src/vm/Interpreter.cpp:695:10
        #41 0x749d508c4f6c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:727:8
        #42 0x749d508c6d5a in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:849:10
        #43 0x749d50c80f4a in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2149:12
        #44 0x749d50c63f77 in GetExistingProperty<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2177:12
        #45 0x749d50c63f77 in NativeGetPropertyInline<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2330:14
        #46 0x749d50c63f77 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2360:10
        #47 0x749d508f9ba7 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:117:10
        #48 0x749d508f9ba7 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:124:10
        #49 0x749d508f9ba7 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4765:10
        #50 0x749d508d8b1c in GetPropertyOperation /gecko/js/src/vm/Interpreter.cpp:285:10
        #51 0x749d508d8b1c in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2984:12
        #52 0x749d508c1f2f in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:433:10
        #53 0x749d508c1f2f in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:502:13
        #54 0x749d508c31aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:660:13
        #55 0x749d508c4f6c in InternalCall /gecko/js/src/vm/Interpreter.cpp:695:10
        #56 0x749d508c4f6c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:727:8
        #57 0x749d50a30d56 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:55:10
        #58 0x749d45af09cf in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #59 0x749d442a9ee9 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #60 0x749d442a8d9e in SharedStub xptcstubs_x86_64_linux.cpp
        #61 0x749d441fe751 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:680:19
        #62 0x749d505fbe00 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:652:11
        #63 0x749d505ddc60 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5574:18
        #64 0x749d505dfb61 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6031:8
        #65 0x749d505e0c93 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6104:21
        #66 0x624eac3f2dcc in do_main /gecko/browser/app/nsBrowserApp.cpp:232:22
        #67 0x624eac3f2dcc in main /gecko/browser/app/nsBrowserApp.cpp:464:16
        #68 0x749d65b6cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    ==96247==ABORTING
Attached file Testcase
Assignee: nobody → egubler
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1

In :jimb's words:

Flagging S3 despite being security-sensitive because WebGPU is not enabled in release. But this is a top priority for the WebGPU team.

(In reply to Erich Gubler [:ErichDonGubler] from comment #2)

In :jimb's words:

Flagging S3 despite being security-sensitive because WebGPU is not enabled in release. But this is a top priority for the WebGPU team.

Marking the bug as s-s.

Group: core-security
Crash Signature: [@ core::option::expect_failed | wgpu_core::resource::Buffer::raw ]

Bisection:

Bug 1838729 - test(webgpu): accept observed intermittents in backlog

Differential Revision: https://phabricator.services.mozilla.com/D228138

Keywords: regression
Regressed by: webgpu-v1-queryset

Verified bug as reproducible on mozilla-central 20241118213357-4b3940576018.
The bug appears to have been introduced in the following build range:

Start: 63781d6cee611c3d6e18e8a516a1eb5336f8fd08 (20241106021703)
End: 66c06d5d735b9b7d7ccb0e85f326c28f7d19dd7d (20241106063415)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=63781d6cee611c3d6e18e8a516a1eb5336f8fd08&tochange=66c06d5d735b9b7d7ccb0e85f326c28f7d19dd7d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Set release status flags based on info from the regressing bug 1838729

Group: core-security → gfx-core-security

(In reply to Erich Gubler [:ErichDonGubler] from comment #2)

In :jimb's words:

Flagging S3 despite being security-sensitive because WebGPU is not enabled in release. But this is a top priority for the WebGPU team.

You copied that comment from a bug that looked like a potential use-after-free; this one looks like a Rust panic that should be safe. Did you mean to imply it should be security sensitive (as Mayank obviously assumed) or were you only meaning to explain the "S3"?

Flags: needinfo?(egubler)

(In reply to Daniel Veditz [:dveditz] from comment #7)

(In reply to Erich Gubler [:ErichDonGubler] from comment #2)

In :jimb's words:

Flagging S3 despite being security-sensitive because WebGPU is not enabled in release. But this is a top priority for the WebGPU team.

You copied that comment from a bug that looked like a potential use-after-free; this one looks like a Rust panic that should be safe. Did you mean to imply it should be security sensitive (as Mayank obviously assumed) or were you only meaning to explain the "S3"?

Oh, derp, this isn't security-sensitive, as far as I know. That was definitely a copy-paste error, thanks for the call-out! Sorry about that.

Group: gfx-core-security
Flags: needinfo?(egubler)

Fixing upstream in wgpu#6579.

Depends on: 1930751

This should be resolved now. :jkratzner, can you confirm?

Flags: needinfo?(jkratzer)

Set release status flags based on info from the regressing bug 1838729

(In reply to Erich Gubler [:ErichDonGubler] from comment #10)

This should be resolved now. :jkratzner, can you confirm?

I can confirm that this no longer reproduces on 9358b6a02a04 (20241126093610).

Flags: needinfo?(jkratzer)
Status: ASSIGNED → RESOLVED
Closed: 3 days ago
Resolution: --- → FIXED