Found while fuzzing m-c 20230131-3cb50cbf836e (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Hit MOZ_CRASH(assertion failed: index < self.start.len()) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/buffer.rs:272

#0 0x7f7d97741105 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f7d97741105 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f7d9774107f in mozglue_static::panic_hook::hef68bc1b778da820 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f7d97740aab in core::ops::function::Fn::call::h42a394326fa8f33d /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:161:5
#4 0x7f7d986e782c in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::ha7dbb2d260f78172 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/alloc/src/boxed.rs:2032:9
#5 0x7f7d986e782c in std::panicking::rust_panic_with_hook::hdb4da1ae79c845a5 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:692:13
#6 0x7f7d986e7561 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h02b5b35b126d5cf2 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:577:13
#7 0x7f7d986e498b in std::sys_common::backtrace::__rust_end_short_backtrace::h6c6853376cf416d1 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/sys_common/backtrace.rs:137:18
#8 0x7f7d986e72b1 in rust_begin_unwind /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:575:5
#9 0x7f7d987436d2 in core::panicking::panic_fmt::hfd9e949092070b66 /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:64:14
#10 0x7f7d987437ac in core::panicking::panic::h341545107301821d /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:111:5
#11 0x7f7d96a30506 in wgpu_core::track::buffer::BufferTracker$LT$A$GT$::tracker_assert_in_bounds::h77a297edc6d609c4 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/buffer.rs:272:9
#12 0x7f7d96a30506 in wgpu_core::track::buffer::BufferTracker$LT$A$GT$::remove_abandoned::h45e87043646b8020 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/track/buffer.rs:537:9
#13 0x7f7d96a4e721 in wgpu_core::device::life::LifetimeTracker$LT$A$GT$::triage_suspected::h1bac2bf1e9c6fb02 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/life.rs:654:20
#14 0x7f7d96a42fc7 in wgpu_core::device::Device$LT$A$GT$::maintain::h7980b2f567f99214 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/mod.rs:463:9
#15 0x7f7d96a92f50 in wgpu_core::device::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::poll_devices::ha52c540d3709ed35 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/mod.rs:5534:42
#16 0x7f7d96a92f50 in wgpu_core::device::_$LT$impl$u20$wgpu_core..hub..Global$LT$G$GT$$GT$::poll_all_devices::h24692e84f8d71704 /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/device/mod.rs:5565:31
#17 0x7f7d96a92f50 in wgpu_server_poll_all_devices /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:127:5
#18 0x7f7d9119ae83 in DispatchToMethod<mozilla::webgpu::WebGPUParent, void (mozilla::webgpu::WebGPUParent::*)()> /builds/worker/checkouts/gecko/ipc/chromium/src/base/tuple.h:381:3
#19 0x7f7d9119ae83 in base::BaseTimer<mozilla::webgpu::WebGPUParent, true>::TimerTask::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/timer.h:157:7
#20 0x7f7d8da42747 in mozilla::DelayedRunnable::Notify(nsITimer*) /builds/worker/checkouts/gecko/xpcom/threads/DelayedRunnable.cpp:92:20
#21 0x7f7d8da60008 in operator() /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:44
#22 0x7f7d8da60008 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
#23 0x7f7d8da60008 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
#24 0x7f7d8da60008 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
#25 0x7f7d8da60008 in match<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:655:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:660:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:661:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
#26 0x7f7d8da60008 in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654:22
#27 0x7f7d8da5f32f in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469:11
#28 0x7f7d8da6c622 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
#29 0x7f7d8da729ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#30 0x7f7d8e6c6833 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#31 0x7f7d8e5e6fc8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#32 0x7f7d8e5e6ed1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#33 0x7f7d8e5e6ed1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#34 0x7f7d8da679c7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#35 0x7f7da0c5bc86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#36 0x7f7da1504b42 in start_thread nptl/pthread_create.c:442:8
#37 0x7f7da15969ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Verified bug as reproducible on mozilla-central 20230309214328-8aea0e783414.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 6f0a8dddad511ef68fae3a4ab07cc9336516cc3a (20220311094123)
End: 3cb50cbf836e2e371e41a7b3c9ddd60a6010e109 (20230131093335)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

A Pernosco session is available here: https://pernos.co/debug/xWPvKAadghI5fjuit6g9hw/index.html

Testcase crashes using the initial build (mozilla-central 20230131093335-3cb50cbf836e) but not with tip (mozilla-central 20231124214933-8a861d9d1b4a.)

The bug appears to have been fixed in the following build range:

Start: 36c4a38c6d225c7315445718e62d4703c40c277a (20231120194812)
End: 7b567ceeead73f84de62ab77b4b6c87450b347fa (20231120230927)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=36c4a38c6d225c7315445718e62d4703c40c277a&tochange=7b567ceeead73f84de62ab77b4b6c87450b347fa

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

I am no longer able to reproduce the issue with the attached test case. This was last reported by fuzzers targeting m-c 20231119-c3021f5ece18.