Closed Bug 1939731 Opened 28 days ago Closed 12 days ago

Hit MOZ_CRASH(Texture[Id(0,1)] does not exist) at /third_party/rust/wgpu-core/src/storage.rs:128

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Windows
defect

Tracking

()

RESOLVED FIXED
136 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- unaffected
firefox135 --- disabled
firefox136 --- verified

People

(Reporter: jkratzer, Assigned: ErichDonGubler)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:confirm][fuzzblocker])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 27f9f8e7311a (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework --upgrade
    $ python -m fuzzfetch --build 27f9f8e7311a --debug --fuzzing -n firefox
    $ python -m grizzly.replay.bugzilla .\firefox\firefox.exe <bugid>

Hit MOZ_CRASH(Texture[Id(0,1)] does not exist) at /third_party/rust/wgpu-core/src/storage.rs:128

    OS|Windows NT|10.0.22631
    CPU|amd64|family 6 model 186 stepping 2|6
    Crash|EXCEPTION_BREAKPOINT|0x00007ffe28fa6c23|8
    8|0|xul.dll|RustMozCrash(char const*, int, char const*)|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/wrappers.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|18|0x23
    8|1|xul.dll|mozglue_static::panic_hook(std::panic::PanicHookInfo*)|hg:hg.mozilla.org/mozilla-central:mozglue/static/rust/lib.rs:27f9f8e7311a864b059f50e2a7e3988afddc35b9|102|0xf5
    8|2|xul.dll|core::ops::function::Fn::call<void (*)(ref$<std::panic::PanicHookInfo>),tuple$<ref$<std::panic::PanicHookInfo> > >(void (**)(std::panic::PanicHookInfo*), std::panic::PanicHookInfo*)|/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/core/src/ops/function.rs|79|0x11
    8|3|xul.dll|std::panicking::rust_panic_with_hook()|/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/panicking.rs|809|0xeb
    8|4|xul.dll|std::panicking::begin_panic_handler::closure$0()|/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/panicking.rs|674|0xa8
    8|5|xul.dll|std::sys::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>()|/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/sys/backtrace.rs|170|0xe
    8|6|xul.dll|std::panicking::begin_panic_handler()|/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/std/src/panicking.rs|665|0x1d
    8|7|xul.dll|core::panicking::panic_fmt()|/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf/library/core/src/panicking.rs|74|0x20
    8|8|xul.dll|wgpu_core::registry::Registry<enum2$<wgpu_core::resource::Fallible<wgpu_core::pipeline::PipelineCache> > >::get<enum2$<wgpu_core::resource::Fallible<wgpu_core::pipeline::PipelineCache> > >(wgpu_core::id::Id<enum2$<wgpu_core::id::markers::PipelineCache> >)|hg:hg.mozilla.org/mozilla-central:third_party/rust/wgpu-core/src/registry.rs:27f9f8e7311a864b059f50e2a7e3988afddc35b9|123|0x1ad
    8|9|xul.dll|wgpu_core::global::Global::command_encoder_copy_texture_to_texture(wgpu_core::id::Id<enum2$<wgpu_core::id::markers::CommandEncoder> >, wgpu_types::TexelCopyTextureInfo<wgpu_core::id::Id<enum2$<wgpu_core::id::markers::Texture> > >*, wgpu_types::TexelCopyTextureInfo<wgpu_core::id::Id<enum2$<wgpu_core::id::markers::Texture> > >*, wgpu_types::Extent3d*)|hg:hg.mozilla.org/mozilla-central:third_party/rust/wgpu-core/src/command/transfer.rs:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1066|0x31e
    8|10|xul.dll|wgpu_bindings::server::wgpu_server_command_encoder_action(wgpu_bindings::server::Global*, wgpu_core::id::Id<enum2$<wgpu_core::id::markers::CommandEncoder> >, wgpu_bindings::ByteBuf*, wgpu_bindings::error::ErrorBuffer)|hg:hg.mozilla.org/mozilla-central:gfx/wgpu_bindings/src/server.rs:27f9f8e7311a864b059f50e2a7e3988afddc35b9|2267|0x5db
    8|11|xul.dll|mozilla::webgpu::WebGPUParent::RecvCommandEncoderAction(unsigned long long, unsigned long long, mozilla::ipc::ByteBuf const&)|hg:hg.mozilla.org/mozilla-central:dom/webgpu/ipc/WebGPUParent.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1451|0x7e
    8|12|xul.dll|mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:3456978532421677cc066120c54be3447458f6f95c29f3f42b9b886106e357248cee6e2640fc7d41ed373dc10b9d0076e48ff0ccea3dd84e45760decd976d88b/ipc/ipdl/PWebGPUParent.cpp:|495|0x3e82
    8|13|xul.dll|mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:98f01332cc71c4f1133afa8e328952acba1083c6941d06adfd3c17cb179adf4981ada8a4705589cfca66690370a50f8032cf639c76dabb19a53e5c7cb54b342b/ipc/ipdl/PCanvasManagerParent.cpp:|261|0x2b1
    8|14|xul.dll|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1723|0x14c
    8|15|xul.dll|mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message,mozilla::DefaultDelete<IPC::Message> >)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1650|0x255
    8|16|xul.dll|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1441|0x193
    8|17|xul.dll|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1541|0xfa
    8|18|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|1153|0x98d
    8|19|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|480|0x70
    8|20|xul.dll|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|299|0xc5
    8|21|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:27f9f8e7311a864b059f50e2a7e3988afddc35b9|362|0x3e
    8|22|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:27f9f8e7311a864b059f50e2a7e3988afddc35b9|344|0x6e
    8|23|xul.dll|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|366|0x155
    8|24|nss3.dll|_PR_NativeRunThread(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/threads/combined/pruthr.c:27f9f8e7311a864b059f50e2a7e3988afddc35b9|382|0x120
    8|25|nss3.dll|pr_root(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/md/windows/w95thred.c:27f9f8e7311a864b059f50e2a7e3988afddc35b9|129|0x10
    8|26|ucrtbase.dll||||
    8|27|KERNELBASE.dll||||
    8|28|kernel32.dll||||
    8|29|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:27f9f8e7311a864b059f50e2a7e3988afddc35b9|562|0x73
    8|30|ntdll.dll||||
    8|31|KERNELBASE.dll||||
Attached file Testcase
Whiteboard: [bugmon:confirm] → [bugmon:confirm][fuzzblocker]
Crash Signature: [@ wgpu_core::storage::Storage<T>::get ]
Keywords: crash

Bisection:
Bug 1938311 - Change ExternalTexture's requested size error handling to be explicit r=webgpu-reviewers,gfx-reviewers,ErichDonGubler
Differential Revision: https://phabricator.services.mozilla.com/D232621

I focussed purely on the crash. But as early as Jan 2024, the testcase produces a stream of gfx-errors in about:support. So the underlying issue is older.

Keywords: regression
Regressed by: 1938311

Set release status flags based on info from the regressing bug 1938311

:sotaro, since you are the author of the regressor, bug 1938311, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(sotaro.ikeda.g)
Severity: -- → S3

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimb, could you consider increasing the severity?

Flags: needinfo?(jimb)

Because the copyTextureToTexture's args. in the test case are not disjoint (they are both the entire range of the same texture), I would expect it to be encountering this apparently missing validation step from GPUQueue.copyTextureToTexture in the WebGPU spec. (which would not be a crash):

The set of subresources for texture copy(source, copySize) and the set of subresources for texture copy(destination, copySize) are disjoint.

...but apparently something else is going wrong instead! I'm guessing that we're permitting what is an external texture (a separate type of WebGPU resource from a texture) to be used as if it were a texture, and, of course, the ID for the external texture cannot be found when its ID is looked up against the set of textures we're tracking.

Assignee: nobody → egubler
Status: NEW → ASSIGNED
Flags: needinfo?(jimb)
Priority: -- → P1
Attachment #9445565 - Attachment mime type: text/plain → text/html
Flags: needinfo?(sotaro.ikeda.g)

Hey :sotaro, since this is a regression from one of your issues, could you see if you understand this issue before I dive into it? If you feel this is an issue in WebGPU proper, I'm happy to continue investigating.

Flags: needinfo?(sotaro.ikeda.g)

OK, I am going to look into it tomorrow.

Before the fix for Bug 1938311, texture allocation failed at conv::check_texture_dimension_size() in Device::create_texture(), and an invalid id was assigned in Global::device_create_texture().

Since the fix for Bug 1938311, the texture allocation fails in device_action(). In this case, an invalid texture id is not assigned. Then Storage::get() panics.

Flags: needinfo?(sotaro.ikeda.g)
Pushed by egubler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1b7954a266d5
fix(webgpu): populate texture resource registry on external texture validation failure r=webgpu-reviewers,nical
Status: ASSIGNED → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
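
The failure mode described in the comments above, and the approach named in the fix's commit title, as an added Rust sketch that is not code from Firefox or wgpu-core. `Registry`, `Fallible`, `create_texture`, `copy_texture` and the `register_on_failure` switch are hypothetical names for a simplified model: when a failed creation leaves its ID unregistered, a later command that names the ID panics in the lookup; when the failure path records an invalid entry, the same command returns a validation error.

```rust
use std::collections::HashMap;
// Hypothetical, simplified model of an ID-keyed registry; the names below
// are illustrative assumptions, not wgpu-core's real types or signatures.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Fallible {
    Valid,   // creation succeeded
    Invalid, // ID is known, but creation failed validation
}
#[derive(Default)]
struct Registry {
    slots: HashMap<u32, Fallible>,
}

impl Registry {
    // Mirrors the crashing lookup: an ID that was never registered panics.
    fn get(&self, id: u32) -> Fallible {
        match self.slots.get(&id) {
            Some(entry) => *entry,
            None => panic!("Texture[Id({})] does not exist", id),
        }
    }
}

// Handles a creation request whose size check may fail (constructed input).
// `register_on_failure = false` models the regression, `true` the fix.
fn create_texture(reg: &mut Registry, id: u32, size_ok: bool, register_on_failure: bool) -> Result<(), String> {
    if size_ok {
        reg.slots.insert(id, Fallible::Valid);
        return Ok(());
    }
    if register_on_failure {
        reg.slots.insert(id, Fallible::Invalid);
    }
    Err(format!("texture {}: requested size rejected", id))
}

// A later command that names the ID, as a texture copy would.
fn copy_texture(reg: &Registry, src: u32) -> Result<(), String> {
    match reg.get(src) {
        Fallible::Valid => Ok(()),
        Fallible::Invalid => Err(format!("texture {} is invalid", src)),
    }
}

fn main() {
    let mut reg = Registry::default();
    let _ = create_texture(&mut reg, 1, false, true);
    println!("{:?}", copy_texture(&reg, 1));
}
```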

Bug appears to be fixed on mozilla-central 20250118091314-d716251198fa but BugMon was unable to find a usable build for 27f9f8e7311a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
