1979048 - WebGPU abort() in ASAN builds

Status: UNCONFIRMED

(Core :: Graphics: WebGPU, defect, P1)

Description

[Ameen Basha M K]

Attachment: a_100.txt

HI team, firefox nightly on ubuntu 24 crash with below html poc in webgpu area

Comment 1

[Ameen Basha M K]

Attachment: a_100.html

Comment 2

[Ameen Basha M K]

AddressSanitizer:DEADLYSIGNAL

==69588==ERROR: AddressSanitizer: ABRT on unknown address 0x03e800010fd4 (pc 0x7bd3c1a9eb2c bp 0x7bd34ee94970 sp 0x7bd34ee94930 T58)
#0 0x7bd3c1a9eb2c in __pthread_kill_implementation nptl/pthread_kill.c:44:76
#1 0x7bd3c1a9eb2c in __pthread_kill_internal nptl/pthread_kill.c:78:10
#2 0x7bd3c1a9eb2c in pthread_kill nptl/pthread_kill.c:89:10
#3 0x7bd3c1a4527d in raise signal/../sysdeps/posix/raise.c:26:13
#4 0x7bd3c1a288fe in abort stdlib/abort.c:79:7
#5 0x7bd35dcabbf7 (/lib/x86_64-linux-gnu/libgallium-24.2.8-1ubuntu124.04.1.so+0xabbf7) (BuildId: 48f1fa5b9817cc9b1a495564c09ffd548eb36a28)
#6 0x7bd35ec798a6 (/lib/x86_64-linux-gnu/libgallium-24.2.8-1ubuntu124.04.1.so+0x10798a6) (BuildId: 48f1fa5b9817cc9b1a495564c09ffd548eb36a28)
#7 0x7bd35e31a11d (/lib/x86_64-linux-gnu/libgallium-24.2.8-1ubuntu124.04.1.so+0x71a11d) (BuildId: 48f1fa5b9817cc9b1a495564c09ffd548eb36a28)
#8 0x7bd35ddbf714 (/lib/x86_64-linux-gnu/libgallium-24.2.8-1ubuntu124.04.1.so+0x1bf714) (BuildId: 48f1fa5b9817cc9b1a495564c09ffd548eb36a28)
#9 0x7bd35dce9b1d (/lib/x86_64-linux-gnu/libgallium-24.2.8-1ubuntu1~24.04.1.so+0xe9b1d) (BuildId: 48f1fa5b9817cc9b1a495564c09ffd548eb36a28)
#10 0x7bd34092d247 (/lib/x86_64-linux-gnu/libEGL_mesa.so.0+0x31247) (BuildId: 66e884d689c5d72e5210123bdebc4e99f8228db0)
#11 0x7bd3409215e0 (/lib/x86_64-linux-gnu/libEGL_mesa.so.0+0x255e0) (BuildId: 66e884d689c5d72e5210123bdebc4e99f8228db0)
#12 0x7bd340911245 (/lib/x86_64-linux-gnu/libEGL_mesa.so.0+0x15245) (BuildId: 66e884d689c5d72e5210123bdebc4e99f8228db0)
#13 0x7bd3a7d11046 in fSwapBuffersWithDamage /builds/worker/checkouts/gecko/gfx/gl/GLLibraryEGL.h:516:5
#14 0x7bd3a7d11046 in fSwapBuffersWithDamage /builds/worker/checkouts/gecko/gfx/gl/GLLibraryEGL.h:956:18
#15 0x7bd3a7d11046 in mozilla::gl::GLContextEGL::SwapBuffers() /builds/worker/checkouts/gecko/gfx/gl/GLContextProviderEGL.cpp:555:20
#16 0x7bd3a88b7f6a in mozilla::wr::RenderCompositorEGL::EndFrame(nsTArray<mozilla::wr::Box2D<int, mozilla::wr::DevicePixel>> const&) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderCompositorEGL.cpp:167:9
#17 0x7bd3a88dd763 in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, bool*, mozilla::wr::FrameReadyParams const&, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:272:28
#18 0x7bd3a88db3ee in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, mozilla::wr::FrameReadyParams const&, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>> const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char>> const&, mozilla::wr::RendererStats*, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:849:31
#19 0x7bd3a88d9fcb in mozilla::wr::RenderThread::HandleFrameOneDocInner(mozilla::wr::WrWindowId, mozilla::wr::FrameReadyParams const&, mozilla::Maybe<mozilla::wr::FramePublishId>) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:663:3
#20 0x7bd3a88d8647 in HandleFrameOneDoc /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:611:3
#21 0x7bd3a88d8647 in WrNotifierEvent_HandleNewFrameReady /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:573:3
#22 0x7bd3a88d8647 in mozilla::wr::RenderThread::HandleWrNotifierEvents(mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:536:9
#23 0x7bd3a5eadd97 in operator()<StoreRefPtrPassByPtr<mozilla::net::ConnectionData> &> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#24 0x7bd3a5eadd97 in __invoke_impl<nsresult, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreRefPtrPassByPtr<mozilla::net::ConnectionData> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#25 0x7bd3a5eadd97 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), StoreRefPtrPassByPtr<mozilla::net::ConnectionData> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#26 0x7bd3a5eadd97 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreRefPtrPassByPtr<mozilla::net::ConnectionData> > &, 0UL> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#27 0x7bd3a5eadd97 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<StoreRefPtrPassByPtr<mozilla::net::ConnectionData> > &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#28 0x7bd3a5eadd97 in apply<mozilla::net::Dashboard, nsresult (mozilla::net::Dashboard::)(mozilla::net::ConnectionData )> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#29 0x7bd3a5eadd97 in mozilla::detail::RunnableMethodImpl<mozilla::ChildProfilerController, void (mozilla::ChildProfilerController::)(mozilla::ProfileAndAdditionalInformation*), true, (mozilla::RunnableKind)0, mozilla::ProfileAndAdditionalInformation*>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#30 0x7bd3a5bcabdc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1153:16
#31 0x7bd3a5bd5138 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#32 0x7bd3a707560a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:329:5
#33 0x7bd3a6f80f34 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#34 0x7bd3a6f80f34 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#35 0x7bd3a6f80f34 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#36 0x7bd3a5bc3a1e in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:366:10
#37 0x7bd3c1ccb8ab in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
#38 0x58d899663986 in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
#39 0x7bd3c1a9caa3 in start_thread nptl/pthread_create.c:447:8
#40 0x7bd3c1b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

==69588==Register values:
rax = 0x0000000000000000 rbx = 0x000000000001101a rcx = 0x00007bd3c1a9eb2c rdx = 0x0000000000000006
rdi = 0x0000000000010fd4 rsi = 0x000000000001101a rbp = 0x00007bd34ee94970 rsp = 0x00007bd34ee94930
r8 = 0x0000519000966e80 r9 = 0x00007fffffffff01 r10 = 0x0000000000000008 r11 = 0x0000000000000246
r12 = 0x0000000000000006 r13 = 0x000050b0003623f8 r14 = 0x0000000000000016 r15 = 0x0000531000474de0

Comment 3

[Andrew McCreight [:mccr8]]

It looks like this is calling abort so it probably isn't a security issue.

Comment 4

[Erich Gubler [:ErichDonGubler] (he/him)]

I'm unable to reproduce this on my Windows 11 machine. Maybe this is Linux-specific?

Comment 5

[Erich Gubler [:ErichDonGubler] (he/him)]

I agree with :mccr8; this doesn't seem security sensitive. Tagging :jimb and/or :teoxoy for consensus.

Comment 6

[Daniel Veditz [:dveditz]]

It's crashing in the libgallium MESA driver so almost certainly Linux-only.

Ameen: does your testcase crash on your machine when you aren't running an ASAN build? If so please submit a normal crash report and paste the URL here. If not, please open about:support#graphics, copy that whole "Graphics" section, and put it in an attachment here on this bug (not in a comment).

Thanks

Comment 7

[Daniel Veditz [:dveditz]]

Is this in a VM? Obviously we want the about:support#graphics information for the browser that crashed (i.e. this ASAN build) running on the machine or VM it crashed in.

Comment 8

[Daniel Veditz [:dveditz]]

(In reply to Erich Gubler [:ErichDonGubler] (he/him) from comment #4)

I'm unable to reproduce this on my Windows 11 machine. Maybe this is Linux-specific?

Apart from the OS difference, ASAN builds will detect errors that do not cause a non-ASAN build to crash, or would crash later somewhere far removed from the initial bad read or write that ASAN detects.

Comment 9

[Ameen Basha M K]

HI Daniel, have tested the above cases, it is not crashing on normal build (which is by default running on my ubuntu machine) it is crashing only on asan build.

Also this is not tested on a VM, it is a standalone machine.

As requested have attached the Graphics details

Comment 10

[Ameen Basha M K]

Attachment: Screen Shot 2025-07-25 at 08.03.59.png

Comment 11

[Ameen Basha M K]

Attachment: graphics_details.txt

Comment 12

[Daniel Veditz [:dveditz]]

There doesn't seem to be any evidence to indicate a security bug here -- abort() is a protective self-kill