Open Bug 1975465 Opened 10 months ago Updated 1 month ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: unexpected to be called), at /dom/webgpu/ipc/WebGPUParent.cpp:1111

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Linux
defect

Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox-esr140 --- unaffected
firefox140 --- unaffected
firefox141 --- unaffected
firefox142 --- wontfix
firefox143 --- wontfix

People

(Reporter: jkratzer, Assigned: jimb, NeedInfo)

References

(Blocks 4 open bugs, Regression)

Details

(Keywords: bugmon, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 588b002c5e6c (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework --upgrade
    $ python -m fuzzfetch --build 588b002c5e6c --debug --fuzzing -n firefox
    $ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: unexpected to be called), at /dom/webgpu/ipc/WebGPUParent.cpp:1111

    ==578031==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x75222196a52c bp 0x75217fbfc5c0 sp 0x75217fbfc1b0 T578424)
    ==578031==The signal is caused by a WRITE memory access.
    ==578031==Hint: address points to the zero page.
        #0 0x75222196a52c in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x75222196a52c in mozilla::webgpu::WebGPUParent::GetFrontBufferSnapshot(mozilla::ipc::IProtocol*, mozilla::layers::RemoteTextureOwnerId const&, unsigned long const&, mozilla::Maybe<mozilla::ipc::Shmem>&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&, unsigned int&) /dom/webgpu/ipc/WebGPUParent.cpp:1111:5
        #2 0x75221f6fc18b in mozilla::gfx::CanvasManagerParent::RecvGetSnapshot(unsigned int const&, long const&, mozilla::Maybe<mozilla::layers::RemoteTextureOwnerId> const&, mozilla::Maybe<unsigned long> const&, mozilla::webgl::FrontBufferSnapshotIpc*) /gfx/ipc/CanvasManagerParent.cpp:225:44
        #3 0x75221f71893d in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:554:87
        #4 0x75221eb293ce in mozilla::ipc::MessageChannel::DispatchSyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>&) /ipc/glue/MessageChannel.cpp:1768:25
        #5 0x75221eb26b39 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1719:9
        #6 0x75221eb276f0 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1512:3
        #7 0x75221eb287f9 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1612:14
        #8 0x75221df648da in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1153:16
        #9 0x75221df6ae7f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #10 0x75221eb30569 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:329:5
        #11 0x75221ea87af1 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #12 0x75221ea87af1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #13 0x75221df601f7 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #14 0x752233b03a2f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #15 0x7522343beaa3 in start_thread nptl/pthread_create.c:447:8
        #16 0x75223444bc3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    ==578031==Register values:
    rax = 0x0000000000000000  rbx = 0x00007521240239f0  rcx = 0x0000000000000457  rdx = 0x0000752234526563  
    rdi = 0x0000752234527700  rsi = 0x0000000000000000  rbp = 0x000075217fbfc5c0  rsp = 0x000075217fbfc1b0  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x00007521180038c0  r13 = 0x000075217fbfc5f8  r14 = 0x000075217fbfc788  r15 = 0x000075217fbfc788  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==578031==ABORTING
Attached file Testcase
Attachment #9498394 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9498394 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20250703092821-588b002c5e6c.
The bug appears to have been introduced in the following build range:

Start: 2fff0a2c2880770c9e409a27af2c925fe05510ce (20250623151741)
End: def0d97874c025034e6fdeb19df57434e6501da2 (20250623170453)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2fff0a2c2880770c9e409a27af2c925fe05510ce&tochange=def0d97874c025034e6fdeb19df57434e6501da2

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

:jimb, is this relevant to the patch stack you have open for improving the health of presentation on Linux?

Flags: needinfo?(jimb)
Severity: -- → S3

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Setting Bug 1968122 as the likely regressor from the pushlog in Comment 2

Assignee: nobody → jimb
Priority: -- → P1

Set release status flags based on info from the regressing bug 1968122

Is this something we are considering fixing for 142? Not sure how user facing this is.

I'm not able to reproduce this on my Windows machine.

The crash stack is similar to what we've seen for bug 1973973. Perhaps they are the same?

Gonna redirect the NI for Jim to Teo, since he authored the regressor bug.

Flags: needinfo?(jimb) → needinfo?(ttanasoaia)

Actually... :jimb, are you able to reproduce this?

Flags: needinfo?(jimb)

I can't reproduce this as I'm on Windows. I also don't see how Bug 1968122 could have broken this; it's probably in the regression range since this is an intermittent.

Flags: needinfo?(ttanasoaia)
See Also: → 1904596

This issue has also been reported via live site testing.

Blocks: webgpu-linux

Unable to reproduce bug 1975465 using build mozilla-central 20250703092821-588b002c5e6c. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

:jkratzer: This did have a baseline from comment 2. Is there a bug with Bugmon, maybe?

Flags: needinfo?(jkratzer)

Erich, I'm not sure why it failed but I can reproduce it locally. Re-enabling.

Flags: needinfo?(jkratzer)
Keywords: bugmon