Closed Bug 1791881 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(Buffer already dropped.) at gfx/wgpu_bindings/src/server.rs:426

Categories: Core :: Graphics: WebGPU, defect
Platform: x86_64, Linux
Tracking: VERIFIED FIXED, 107 Branch (firefox107: verified)
People: Reporter: jkratzer, Assigned: nical
References: Blocks 2 open bugs
Details: Keywords: testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 2 files

Testcase found while fuzzing mozilla-central rev 5ad292b847e4 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5ad292b847e4 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(Buffer already dropped.) at gfx/wgpu_bindings/src/server.rs:426

    ==2754626==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc5c01f0ae5 bp 0x7fc59c517c20 sp 0x7fc59c517c10 T2755013)
    ==2754626==The signal is caused by a WRITE memory access.
    ==2754626==Hint: address points to the zero page.
        #0 0x7fc5c01f0ae5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
        #1 0x7fc5c01f0ae5 in RustMozCrash /mozglue/static/rust/wrappers.cpp:18:3
        #2 0x7fc5c01f0a68 in mozglue_static::panic_hook::ha654bb11f4cf491d /mozglue/static/rust/lib.rs:91:9
        #3 0x7fc5c01f04eb in core::ops::function::Fn::call::h5c66be0d65b09404 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/core/src/ops/function.rs:77:5
        #4 0x7fc5c11a7309 in std::panicking::rust_panic_with_hook::hb0138cb6e6fea3e4 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:702:17
        #5 0x7fc5bf3b128b in std::panicking::begin_panic::_$u7b$$u7b$closure$u7d$$u7d$::h126fba27fc559747 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:617:9
        #6 0x7fc5bf3afeff in std::sys_common::backtrace::__rust_end_short_backtrace::hb4db439b8ddce0d1 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/sys_common/backtrace.rs:138:18
        #7 0x7fc5b651341e in std::panicking::begin_panic::hf7bc5d69d467b8a8 /rustc/4b91a6ea7258a947e59c6522cd5898e7c0a6a88f/library/std/src/panicking.rs:616:12
        #8 0x7fc5bf5083a4 in wgpu_server_buffer_destroy /gfx/wgpu_bindings/src/server.rs:426:13
        #9 0x7fc5b9f924b5 in mozilla::webgpu::WebGPUParent::RecvBufferDestroy(unsigned long) /dom/webgpu/ipc/WebGPUParent.cpp:532:3
        #10 0x7fc5b9faac27 in mozilla::webgpu::PWebGPUParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1015:80
        #11 0x7fc5b7f8cf2e in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:214:32
        #12 0x7fc5b75a9e21 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
        #13 0x7fc5b75a6975 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
        #14 0x7fc5b75a7516 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
        #15 0x7fc5b75a88a1 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
        #16 0x7fc5b69c9387 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
        #17 0x7fc5b69cf8cd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #18 0x7fc5b75b0ba5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #19 0x7fc5b74d4f07 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:381:10
        #20 0x7fc5b74d4e12 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #21 0x7fc5b74d4e12 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #22 0x7fc5b69c46b6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #23 0x7fc5ccd47557 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #24 0x7fc5cd5f5b42 in start_thread nptl/./nptl/pthread_create.c:442:8
        #25 0x7fc5cd6879ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
    ==2754626==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220921214338-7c0a787fe65a.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 56c35cc1a87ff4d45bb93c3329ced58b8925c21f (20210923034247)
End: 5ad292b847e44f0f00e351a05a7a4c4935db703a (20220921095211)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Crash Signature: [@ wgpu_bindings::server::wgpu_server_buffer_destroy ]

FYI: This is currently the most frequent webgpu issue we see while fuzzing. Not quite fuzzblocker territory but it is frequent.

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jimb)

It looks like the test case is empty.

Assignee: nobody → nical.bugzilla
Flags: needinfo?(jimb) → needinfo?(jkratzer)
Attachment #9295663 - Attachment mime type: application/octet-stream → text/html
Flags: needinfo?(jkratzer)

:nical, the testcase is there it just wasn't marked as text/html. I've updated the attachment.

Ah! thanks, sorry about that.

Once https://github.com/gfx-rs/wgpu/pull/3094 is merged, unallocated and freed handles will panic in wgpu-core so we don't have to do it here. In the meantime it will produce the wrong error but still fail safely. DestroyError::Invalid means the handle exists but is in an invalid state, for example if the buffer was created with invalid parameters like in this bug's test case.
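Added example (editor's illustration, not Firefox or wgpu code) of the failure mode and the fix described in the comment above. Two points worth making explicit for anyone triaging the report: the UBSan "SEGV on unknown address 0x0 / WRITE" in the trace is not memory corruption but MOZ_Crash's deliberate write to the zero page, reached through the Rust panic hook, so the defect is a deterministic abort of the process hosting WebGPUParent, triggerable from web content by sending BufferDestroy for a handle whose creation failed validation. The registry, the `Slot` and `DestroyError` types, `recv_buffer_destroy` and the size/usage validation below are hypothetical stand-ins; `destroy_panicking` shows the pre-fix behaviour, `destroy` the hardened one in which every outcome is a value the IPC handler can reject without crashing.

```rust
// Hypothetical resource registry mirroring this bug (not wgpu_bindings code).
use std::collections::HashMap;

/// State of a registered buffer handle (hypothetical names).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Slot {
    /// Creation succeeded; a real buffer sits behind the handle.
    Valid,
    /// Creation was attempted with invalid parameters: the handle exists
    /// but there is no usable buffer behind it (an "invalid state" handle).
    Error,
}

/// Outcome of a failed destroy, modelled on the DestroyError::Invalid case
/// mentioned in the comment above (the enum itself is a stand-in).
#[derive(Debug, PartialEq, Eq)]
pub enum DestroyError {
    /// Never allocated, or already dropped.
    NotFound,
    /// Handle exists but the buffer is in an invalid (error) state.
    Invalid,
}

#[derive(Default)]
pub struct Registry {
    slots: HashMap<u64, Slot>,
    next_id: u64,
}

impl Registry {
    /// Registers a handle regardless of validation outcome, as the client
    /// side already holds the id it chose. The size/usage check is contrived.
    pub fn create_buffer(&mut self, size: u64, usage_bits: u32) -> u64 {
        let slot = if size == 0 || usage_bits == 0 { Slot::Error } else { Slot::Valid };
        let id = self.next_id;
        self.next_id += 1;
        self.slots.insert(id, slot);
        id
    }

    /// Pre-fix behaviour: any handle that is not a live, valid buffer panics.
    /// In Firefox the panic hook routes to MOZ_CRASH, so this aborts the
    /// whole process on a message the content process fully controls.
    pub fn destroy_panicking(&mut self, id: u64) {
        match self.slots.remove(&id) {
            Some(Slot::Valid) => {}
            _ => panic!("Buffer already dropped."),
        }
    }

    /// Hardened behaviour: every outcome is a value, none is a panic.
    pub fn destroy(&mut self, id: u64) -> Result<(), DestroyError> {
        match self.slots.remove(&id) {
            Some(Slot::Valid) => Ok(()),
            Some(Slot::Error) => Err(DestroyError::Invalid),
            None => Err(DestroyError::NotFound),
        }
    }
}

/// Hypothetical IPC handler: the id arrives from the less trusted content
/// process, so a bad destroy is reported (and could be counted against the
/// sender) but never allowed to take the parent down.
pub fn recv_buffer_destroy(reg: &mut Registry, id: u64) -> bool {
    match reg.destroy(id) {
        Ok(()) => true,
        Err(e) => {
            eprintln!("BufferDestroy({}) rejected: {:?}", id, e);
            false
        }
    }
}

fn main() {
    let mut reg = Registry::default();
    let good = reg.create_buffer(1024, 0x1);
    let bad = reg.create_buffer(0, 0x1); // invalid parameters -> error slot
    assert!(recv_buffer_destroy(&mut reg, good));
    assert!(!recv_buffer_destroy(&mut reg, bad)); // Invalid, no crash
    assert!(!recv_buffer_destroy(&mut reg, bad)); // NotFound now, no crash
    assert!(!recv_buffer_destroy(&mut reg, 999)); // never allocated, no crash

    // The pre-fix path panics on the same input; caught here only to show it.
    let mut old = Registry::default();
    let bad = old.create_buffer(0, 0x1);
    let outcome = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| old.destroy_panicking(bad)));
    assert!(outcome.is_err());
}
```

The design point is the one the fix makes: a handle state that the client can legitimately produce (creation with bad parameters) must be an ordinary error on the destroy path, not an assertion, because the parent cannot assume the sequence of messages it receives is well-formed.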

Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a6870c0b803a
Don't crash in buffer_destroy if the buffer is in an invalid state. r=jgilbert
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221013212700-03a5ba4802be.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon