Closed Bug 1998691 Opened 5 months ago Closed 2 months ago

Hit MOZ_CRASH(TextureView[Id(1,3)] does not exist) at /third_party/rust/wgpu-core/src/storage.rs:133

Categories

(Core :: Graphics: WebGPU, defect, P1)

x86_64
Linux
defect

Tracking

()

VERIFIED FIXED
149 Branch
Tracking Status
firefox149 --- verified

People

(Reporter: jkratzer, Assigned: ErichDonGubler)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 1c9634718ce1 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework pipx --upgrade
    $ python -m pipx ensurepath
    $ fuzzfetch --build 1c9634718ce1 --debug --fuzzing -n firefox
    $ grizzly-replay-bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(TextureView[Id(1,3)] does not exist) at /third_party/rust/wgpu-core/src/storage.rs:133

    ==231117==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7c615f219eca bp 0x7c60f5eb8570 sp 0x7c60f5eb8560 T231235)
    ==231117==The signal is caused by a WRITE memory access.
    ==231117==Hint: address points to the zero page.
        #0 0x7c615f219eca in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:237:3
        #1 0x7c615f219eca in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:375:3
        #2 0x7c615f219eca in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #3 0x7c615f219a44 in mozglue_static::panic_hook::h3f437f7b1d715ff6 /mozglue/static/rust/lib.rs:99:9
        #4 0x7c615f2194fb in core::ops::function::Fn::call::hf176de18da62d029 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:79:5
        #5 0x7c6160974b82 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h7c356b28a03897d7 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/alloc/src/boxed.rs:1990:9
        #6 0x7c6160974b82 in std::panicking::rust_panic_with_hook::h541791bcc774ef34 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:839:13
        #7 0x7c6160974839 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h6479a2f0137c7d19 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:704:13
        #8 0x7c6160973838 in std::sys::backtrace::__rust_end_short_backtrace::ha04e7c0fc61ded91 /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/sys/backtrace.rs:168:18
        #9 0x7c61609744cc in rust_begin_unwind /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/std/src/panicking.rs:695:5
        #10 0x7c616099d63f in core::panicking::panic_fmt::h5764ee7030b7a73d /rustc/05f9846f893b09a1be1fc8560e33fc3c815cfecb/library/core/src/panicking.rs:75:14
        #11 0x7c615e2081aa in wgpu_core::storage::Storage$LT$T$GT$::get::h00df8036282f327e /third_party/rust/wgpu-core/src/storage.rs:133:46
        #12 0x7c615e1675cc in wgpu_core::command::render::_$LT$impl$u20$wgpu_core..global..Global$GT$::command_encoder_begin_render_pass::fill_arc_desc::h43c83f40be7bb95a /third_party/rust/wgpu-core/src/command/render.rs:1617:38
        #13 0x7c615e1675cc in wgpu_core::command::render::_$LT$impl$u20$wgpu_core..global..Global$GT$::command_encoder_begin_render_pass::hc0ae87a19a566155 /third_party/rust/wgpu-core/src/command/render.rs:1718:23
        #14 0x7c615df781b2 in wgpu_bindings::command::replay_render_pass::h91fed41faa253dc2 /gfx/wgpu_bindings/src/command.rs:712:31
        #15 0x7c615df934c9 in wgpu_bindings::server::process_message::h768ef0807e6af8ed /gfx/wgpu_bindings/src/server.rs:2749:13
        #16 0x7c615df8a5a2 in wgpu_server_messages /gfx/wgpu_bindings/src/server.rs:2578:9
        #17 0x7c6158b1a0c5 in mozilla::webgpu::WebGPUParent::RecvMessages(unsigned int, mozilla::ipc::ByteBuf&&, nsTArray<mozilla::ipc::ByteBuf>&&, nsTArray<mozilla::ipc::shared_memory::Handle<(mozilla::ipc::shared_memory::Type)0>>&&) /dom/webgpu/ipc/WebGPUParent.cpp:1605:3
        #18 0x7c6158b1bb02 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:306:80
        #19 0x7c615680ebba in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:261:32
        #20 0x7c6155c111be in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1794:25
        #21 0x7c6155c0e740 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, std::unique_ptr<IPC::Message, std::default_delete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1720:9
        #22 0x7c6155c0f147 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1509:3
        #23 0x7c6155c10129 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1611:14
        #24 0x7c6155022d8a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1160:16
        #25 0x7c615502948f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:461:10
        #26 0x7c6155c17c69 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:329:5
        #27 0x7c6155b718e1 in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
        #28 0x7c6155b718e1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
        #29 0x7c615501e9ee in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:375:10
        #30 0x7c616a07fa3f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #31 0x7c616a93aaa3 in start_thread ./nptl/pthread_create.c:447:8
        #32 0x7c616a9c7c6b in clone3 ./misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78:0
    
    ==231117==Register values:
    rax = 0x0000000000000085  rbx = 0x00007c60f5eb8790  rcx = 0x0000000000000000  rdx = 0x00007c616aaa2563
    rdi = 0x00007c616aaa3700  rsi = 0x0000000000000000  rbp = 0x00007c60f5eb8570  rsp = 0x00007c60f5eb8560
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293
    r12 = 0x3ecacd956843e7a6  r13 = 0x7dbd9dbbbfd8facb  r14 = 0x0000000000000085  r15 = 0x00007c60f5eb8790
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20251106043345-fuzzing-debug/libxul.so+0xe592eca) (BuildId: a73a0253b06d7e1828972cf7b7d9a69f8e59f692)
    ==231117==ABORTING
Attached file Testcase
Attachment #9525035 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9525035 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20251106205256-330420a3e506.
Unable to bisect testcase (503 server error: service unavailable for url: https://hg-edge.mozilla.org/mozilla-central/json-rev/1c9634718ce1).

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P1
Assignee: nobody → egubler
Status: NEW → ASSIGNED

Ah, this is a defect in my implementation of bug 1976960. Good thing we have your help to get me to clean up my own mess! 😅 Filing a patch shortly.

Implicitly created texture views have a problem that goes back to when I first implemented them in bug 1976960. The lifetime of the implicitly created views was basically the lifetime of the API call generating them…! Eek! 😬 A single garbage collection could free up both the view and the ID associated with it, interleaved with other completely good API calls.

Obviously, this is no freaking good and we should fix this. Fix this by having a single default texture view field on the original texture itself, which gets lazily instantiated in operations where the view is implicitly used.
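
The lifetime problem and the fix described in the comment above, as an added example that is not code from Firefox or wgpu-core. It is a simplified model: every type and function name is hypothetical, and the failed lookup returns an error instead of panicking so that the result can be checked.

```rust
use std::cell::OnceCell;
use std::collections::HashMap;
use std::rc::Rc;

// Simplified model. All names are hypothetical, not wgpu-core or Firefox types.
struct View { texture: u32 }

#[derive(Default)]
struct Registry { views: HashMap<u32, Rc<View>> }

struct Texture { id: u32, default_view: OnceCell<Rc<View>> }

impl Texture {
    fn new(id: u32) -> Self { Texture { id, default_view: OnceCell::new() } }
    // "After": one default view owned by the texture, created on first implicit use.
    fn default_view(&self) -> Rc<View> {
        self.default_view.get_or_init(|| Rc::new(View { texture: self.id })).clone()
    }
}

// "Before": the implicit view lives in the registry under its own ID.
fn record_before(reg: &mut Registry, tex: &Texture, view_id: u32) -> u32 {
    reg.views.insert(view_id, Rc::new(View { texture: tex.id }));
    view_id // the recorded pass refers to the view by ID only
}

// Models garbage collection freeing the view and its ID.
fn release(reg: &mut Registry, view_id: u32) { reg.views.remove(&view_id); }

// Replay resolves the ID; a stale ID is reported as an error in this model.
fn replay_before(reg: &Registry, view_id: u32) -> Result<u32, String> {
    reg.views.get(&view_id).map(|v| v.texture)
        .ok_or_else(|| format!("TextureView[{view_id}] does not exist"))
}

// Replay asks the texture, so the view lives exactly as long as the texture does.
fn replay_after(tex: &Texture) -> u32 { tex.default_view().texture }

fn main() {
    let tex = Texture::new(1);
    let mut reg = Registry::default();
    let id = record_before(&mut reg, &tex, 3);
    release(&mut reg, id); // collection runs before the pass is replayed
    println!("before: {:?}", replay_before(&reg, id));
    println!("after:  {}", replay_after(&tex));
}
```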

Attachment #9542936 - Attachment description: Bug 1998691 - fix(webgpu): actually track `GPURenderPassDescriptor.colorAttachment[].resolveTarget`s r=#webgpu-reviewers! → Bug 1998691 - fix(webgpu): actually track `GPURenderPassDescriptor.colorAttachments[].resolveTarget`s r=#webgpu-reviewers!
Attachment #9542588 - Attachment is obsolete: true
Pushed by egubler@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/0e264516e3bc
https://hg.mozilla.org/integration/autoland/rev/a64ce0c5b7e2
fix(webgpu): actually track `GPURenderPassDescriptor.colorAttachments[].resolveTarget`s r=webgpu-reviewers,teoxoy
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch

Verified bug as fixed on rev mozilla-central 20260207211441-6ad6c4f493c8.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon