Closed Bug 1969286 Opened 10 months ago Closed 10 months ago

Hit MOZ_CRASH(Buffer[Id(0,1)] does not exist) at /third_party/rust/wgpu-core/src/storage.rs:129

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
141 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox139 --- disabled
firefox140 --- disabled
firefox141 --- verified

People

(Reporter: jkratzer, Assigned: teoxoy)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 5f5c3d10232a (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 5f5c3d10232a --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(Buffer[Id(0,1)] does not exist) at /third_party/rust/wgpu-core/src/storage.rs:129

    =================================================================
    ==1708074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f2d10f03663 bp 0x7f2ca0e05750 sp 0x7f2ca0e05740 T72)
    ==1708074==The signal is caused by a WRITE memory access.
    ==1708074==Hint: address points to the zero page.
        #0 0x7f2d10f03663 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7f2d10f03663 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:381:3
        #2 0x7f2d10f03663 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #3 0x7f2d10f01ee7 in mozglue_static::panic_hook::heee11e1d1c1b52d8 /mozglue/static/rust/lib.rs:99:9
        #4 0x7f2d10f01ee7 in core::ops::function::Fn::call::h31664a0eaade1427 /builds/worker/fetches/rust/library/core/src/ops/function.rs:79:5
        #5 0x7f2d149e49f9 in std::panicking::rust_panic_with_hook::h089cf39f00799133 std.b0550a264f4b45a7-cgu.13
        #6 0x7f2d149d8e86 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf02865fc1697377b std.b0550a264f4b45a7-cgu.10
        #7 0x7f2d149d8998 in std::sys::backtrace::__rust_end_short_backtrace::h92bc9e113a7f691d std.b0550a264f4b45a7-cgu.10
        #8 0x7f2d149e4403 in rust_begin_unwind std.b0550a264f4b45a7-cgu.13
        #9 0x7f2d14a12452 in core::panicking::panic_fmt::he169818ca2499665 core.2e3d2901cc719945-cgu.15
        #10 0x7f2d0e60df99 in wgpu_core::storage::Storage$LT$T$GT$::get::h709689dab838d6ec /third_party/rust/wgpu-core/src/storage.rs:129:46
        #11 0x7f2d0e466088 in wgpu_core::registry::Registry$LT$T$GT$::get::h313e7b26759bf882 /third_party/rust/wgpu-core/src/registry.rs:123:9
        #12 0x7f2d0e466088 in wgpu_core::command::compute::_$LT$impl$u20$wgpu_core..global..Global$GT$::compute_pass_dispatch_workgroups_indirect::hfc239ce45cd718e0 /third_party/rust/wgpu-core/src/command/compute.rs:1226:22
        #13 0x7f2d0dfec597 in wgpu_bindings::command::replay_compute_pass_impl::h453d09770285a5c0 /gfx/wgpu_bindings/src/command.rs:978:17
        #14 0x7f2d0dfec597 in wgpu_bindings::command::replay_compute_pass::hdba4e664e78d67d1 /gfx/wgpu_bindings/src/command.rs:939:23
        #15 0x7f2d0e02f977 in _$LT$wgpu_bindings..server..Global$u20$as$u20$wgpu_bindings..server..wgpu_server_compute_pass..ReplayComputePass$GT$::replay_compute_pass::hee3d4166a9623925 /gfx/wgpu_bindings/src/server.rs:2438:13
        #16 0x7f2d0e02f977 in wgpu_server_compute_pass /gfx/wgpu_bindings/src/server.rs:2442:5
        #17 0x7f2d04ab431a in mozilla::webgpu::WebGPUParent::RecvComputePass(unsigned long, unsigned long, mozilla::ipc::ByteBuf const&) /dom/webgpu/ipc/WebGPUParent.cpp:1716:3
        #18 0x7f2d04ad187d in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:618:80
        #19 0x7f2d01317059 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:261:32
        #20 0x7f2cff92b711 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1789:25
        #21 0x7f2cff927b08 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1716:9
        #22 0x7f2cff9289a4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1507:3
        #23 0x7f2cff929ea3 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1607:14
        #24 0x7f2cfe2bd54c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1153:16
        #25 0x7f2cfe2c7b28 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #26 0x7f2cff935a1c in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:329:5
        #27 0x7f2cff818794 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #28 0x7f2cff818794 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #29 0x7f2cff818794 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #30 0x7f2cfe2b6390 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #31 0x7f2d2166174b in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #32 0x5a9203c08406 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
        #33 0x7f2d21bedaa3 in start_thread nptl/pthread_create.c:447:8
        #34 0x7f2d21c7ac3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    ==1708074==Register values:
    rax = 0x0000000000000081  rbx = 0x0000000000000081  rcx = 0x0000000000000001  rdx = 0x0000000000000000  
    rdi = 0x00005a9203d830d0  rsi = 0x00007f2ca0e056f8  rbp = 0x00007f2ca0e05750  rsp = 0x00007f2ca0e05740  
     r8 = 0x0000000000000000   r9 = 0x0000000000000000  r10 = 0xffffff0000000000  r11 = 0x4000000000000000  
    r12 = 0x00000fe613a8e600  r13 = 0x0000000000000081  r14 = 0x00007f2c9d4b32b4  r15 = 0x00007f2c9d4b3024  
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    Thread T72 created by T0 here:
        #0 0x5a9203bf19e1 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
        #1 0x7f2d216522b9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:429:10
        #2 0x7f2d216404fe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:496:10
        #3 0x7f2cfe2b8d91 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:615:20
        #4 0x7f2cfe2c63f6 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:619:22
        #5 0x7f2cfe2d0d19 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:176:57
        #6 0x7f2d012deca0 in NS_NewNamedThread<15UL> /xpcom/threads/nsThreadUtils.h:76:10
        #7 0x7f2d012deca0 in mozilla::gfx::CanvasRenderThread::Start() /gfx/ipc/CanvasRenderThread.cpp:115:17
        #8 0x7f2d010d6132 in gfxPlatform::Init() /gfx/thebes/gfxPlatform.cpp:975:3
        #9 0x7f2d088dc8b4 in GetPlatform /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:184:7
        #10 0x7f2d088dc8b4 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /widget/GfxInfoBase.cpp:1809:25
        #11 0x7f2cfe30622d in NS_InvokeByIndex /xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
        #12 0x7f2cffbf3d74 in Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1620:10
        #13 0x7f2cffbf3d74 in Call /js/xpconnect/src/XPCWrappedNative.cpp:1174:19
        #14 0x7f2cffbf3d74 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1120:23
        #15 0x7f2cffbf89be in GetAttribute /js/xpconnect/src/xpcprivate.h:1451:12
        #16 0x7f2cffbf89be in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1006:10
        #17 0x7f2d0ab683c7 in CallJSNative /js/src/vm/Interpreter.cpp:494:13
        #18 0x7f2d0ab683c7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:590:12
        #19 0x7f2d0ab6a241 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #20 0x7f2d0ab6a241 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #21 0x7f2d0ab6bf6a in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:811:10
        #22 0x7f2d0af6db3a in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2092:12
        #23 0x7f2d0af5012d in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2120:12
        #24 0x7f2d0af5012d in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2273:14
        #25 0x7f2d0af5012d in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2303:10
        #26 0x7f2d0bc3995e in GetProperty /js/src/vm/ObjectOperations-inl.h:113:10
        #27 0x7f2d0bc3995e in GetObjectElementOperation /js/src/vm/Interpreter-inl.h:390:10
        #28 0x7f2d0bc3995e in GetElementOperationWithStackIndex /js/src/vm/Interpreter-inl.h:473:10
        #29 0x7f2d0bc3995e in GetElementOperation /js/src/vm/Interpreter-inl.h:481:10
        #30 0x7f2d0bc3995e in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:733:8
        #31 0x1079fa4fbb13  ([anon:js-executable-memory]+0x2b13)
        #32 0x1079fa502c26  ([anon:js-executable-memory]+0x9c26)
        #33 0x1079fa4f94e5  ([anon:js-executable-memory]+0x4e5)
        #34 0x7f2d0c686ea4 in EnterJit /js/src/jit/Jit.cpp:114:5
        #35 0x7f2d0c686ea4 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /js/src/jit/Jit.cpp:260:10
        #36 0x7f2d0ab89b63 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3325:40
        #37 0x7f2d0ab67198 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:395:10
        #38 0x7f2d0ab67198 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:464:13
        #39 0x7f2d0ab6853d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #40 0x7f2d0ab6a241 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #41 0x7f2d0ab6a241 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #42 0x7f2d0ab6bf6a in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:811:10
        #43 0x7f2d0af6db3a in CallGetter(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2092:12
        #44 0x7f2d0af5012d in GetExistingProperty<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2120:12
        #45 0x7f2d0af5012d in NativeGetPropertyInline<(js::AllowGC)1> /js/src/vm/NativeObject.cpp:2273:14
        #46 0x7f2d0af5012d in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2303:10
        #47 0x7f2d0ab9fcb1 in GetProperty /js/src/vm/ObjectOperations-inl.h:113:10
        #48 0x7f2d0ab9fcb1 in GetProperty /js/src/vm/ObjectOperations-inl.h:120:10
        #49 0x7f2d0ab9fcb1 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4630:10
        #50 0x7f2d0ab7e72b in GetPropertyOperation /js/src/vm/Interpreter.cpp:280:10
        #51 0x7f2d0ab7e72b in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2941:12
        #52 0x7f2d0ab67198 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:395:10
        #53 0x7f2d0ab67198 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:464:13
        #54 0x7f2d0ab6853d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #55 0x7f2d0ab6a241 in InternalCall /js/src/vm/Interpreter.cpp:657:10
        #56 0x7f2d0ab6a241 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #57 0x7f2d0acac546 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:55:10
        #58 0x7f2cffbe7a1e in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #59 0x7f2cfe307aa9 in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #60 0x7f2cfe30695e in SharedStub xptcstubs_x86_64_linux.cpp
        #61 0x7f2cfe25bc8e in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /xpcom/components/nsCategoryManager.cpp:680:19
        #62 0x7f2d0a8c064c in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:653:11
        #63 0x7f2d0a89fe2c in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5668:18
        #64 0x7f2d0a8a1c9b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6136:8
        #65 0x7f2d0a8a2cf3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6209:21
        #66 0x5a9203c4eed4 in do_main /browser/app/nsBrowserApp.cpp:232:22
        #67 0x5a9203c4eed4 in main /browser/app/nsBrowserApp.cpp:464:16
        #68 0x7f2d21b7b1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #69 0x7f2d21b7b28a in __libc_start_main csu/../csu/libc-start.c:360:3
        #70 0x5a9203b6e8a8 in _start (/home/jkratzer/builds/m-c-20250529033404-fuzzing-asan-opt/firefox+0xc78a8) (BuildId: 4247ae08b919de37f96289b3e5ac747c61cfa62d)
    
    ==1708074==ABORTING
Attached file Testcase
Attachment #9491531 - Attachment filename: testcase.zip.undefined → testcase.zip

Verified bug as reproducible on mozilla-central 20250529033404-5f5c3d10232a.
The bug appears to have been introduced in the following build range:

Start: 639d61a9a326ce05c6bd095c628841a03b09c7dc (20241119091210)
End: 11c60eb4490ade388b49a3b9fd3c634a4aa95da0 (20241119111811)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=639d61a9a326ce05c6bd095c628841a03b09c7dc&tochange=11c60eb4490ade388b49a3b9fd3c634a4aa95da0

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Set release status flags based on info from the regressing bug 1930756

:teoxoy, since you are the author of the regressor, bug 1930756, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(ttanasoaia)

Hmm, this seems to be a regression because we removed the pref.

This function needs to register the buffer as used, will put up a patch.

Assignee: nobody → ttanasoaia
Status: NEW → ASSIGNED
Flags: needinfo?(ttanasoaia)
Severity: -- → S3
Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
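The crash above is a deliberate abort, not memory corruption: `Storage::get` in wgpu-core panics on an id it has never seen, the Rust panic hook turns that into `MOZ_CRASH`, and ASan reports the intentional zero-page write of the crash sequence. The security-relevant point is that the buffer id reached the GPU process's `compute_pass_dispatch_workgroups_indirect` handler from an IPC message, so a content process controls it, and a lookup that panics on a bad id lets that process bring down the GPU process at will. The following is an added example, not wgpu-core's code or the patch landed for this bug: it shows a panicking lookup beside a fallible one and a hypothetical handler that validates the untrusted id (and, going beyond what the page describes, the indirect-arguments offset) before touching the buffer. `BufferId`, `Storage`, `DispatchError` and `dispatch_workgroups_indirect` are all assumed names for the illustration.

```rust
use std::collections::HashMap;
use std::fmt;

/// Resource id as a content process would send it: (index, epoch).
/// Assumed shape, modelled on the `Id(0,1)` in the crash message.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct BufferId {
    pub index: u32,
    pub epoch: u32,
}

/// Minimal stand-in for a GPU buffer; only its size matters here.
#[derive(Debug)]
pub struct Buffer {
    pub size: u64,
}

/// Errors the handler reports back instead of aborting the process.
#[derive(Debug, PartialEq, Eq)]
pub enum DispatchError {
    InvalidBuffer(BufferId),
    OffsetOutOfRange { offset: u64, size: u64 },
}

impl fmt::Display for DispatchError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            DispatchError::InvalidBuffer(id) => {
                write!(f, "Buffer[Id({},{})] does not exist", id.index, id.epoch)
            }
            DispatchError::OffsetOutOfRange { offset, size } => {
                write!(f, "indirect offset {offset} out of range for buffer of size {size}")
            }
        }
    }
}

/// Hypothetical registry of live buffers, keyed by id.
#[derive(Default)]
pub struct Storage {
    buffers: HashMap<BufferId, Buffer>,
}

impl Storage {
    pub fn insert(&mut self, id: BufferId, buffer: Buffer) {
        self.buffers.insert(id, buffer);
    }

    /// Panicking lookup: acceptable only for ids the GPU process minted
    /// itself. Fed an id from IPC, a bad id aborts the whole process.
    pub fn get_or_panic(&self, id: BufferId) -> &Buffer {
        self.buffers
            .get(&id)
            .unwrap_or_else(|| panic!("Buffer[Id({},{})] does not exist", id.index, id.epoch))
    }

    /// Fallible lookup: what an IPC-facing handler should use, so an
    /// unknown id becomes an error the caller can report and drop.
    pub fn get(&self, id: BufferId) -> Result<&Buffer, DispatchError> {
        self.buffers.get(&id).ok_or(DispatchError::InvalidBuffer(id))
    }
}

/// Hypothetical handler for an indirect dispatch replayed from a content
/// process. Everything it receives is untrusted, so it validates the id and
/// the offset before the buffer is used for anything.
pub fn dispatch_workgroups_indirect(
    storage: &Storage,
    buffer_id: BufferId,
    offset: u64,
) -> Result<(), DispatchError> {
    let buffer = storage.get(buffer_id)?;
    // Indirect dispatch reads three u32 workgroup counts (12 bytes) at `offset`.
    const INDIRECT_ARGS_SIZE: u64 = 12;
    let out_of_range = DispatchError::OffsetOutOfRange { offset, size: buffer.size };
    let end = offset.checked_add(INDIRECT_ARGS_SIZE).ok_or(out_of_range)?;
    if end > buffer.size {
        return Err(DispatchError::OffsetOutOfRange { offset, size: buffer.size });
    }
    // A real handler would record the buffer in the pass's usage tracker here.
    Ok(())
}

fn main() {
    let mut storage = Storage::default();
    // Constructed sample: one live buffer, plus the never-registered id
    // from the crash message.
    storage.insert(BufferId { index: 0, epoch: 0 }, Buffer { size: 256 });
    let missing = BufferId { index: 0, epoch: 1 };
    match dispatch_workgroups_indirect(&storage, missing, 0) {
        Err(e) => println!("rejected: {e}"),
        Ok(()) => println!("dispatch accepted"),
    }
}
```

Run stand-alone, the program prints `rejected: Buffer[Id(0,1)] does not exist` and keeps running; the same input through `get_or_panic` would abort. That difference is the whole mitigation: a handler sitting on a process boundary must fail closed with an error it can return to the sender, never with a panic.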

Verified bug as fixed on rev mozilla-central 20250605040737-236f8bd740a3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon