Hit MOZ_CRASH(invalid scalar type) at /builds/worker/workspace/obj-build/dist/include/js/ScalarType.h:87
Categories
(Core :: Graphics: WebGPU, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox123 | --- | unaffected |
| firefox124 | --- | unaffected |
| firefox125 | --- | verified |
People
(Reporter: tsmith, Assigned: ErichDonGubler)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20240301-76bfcd57b0cd (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(invalid scalar type) at /builds/worker/workspace/obj-build/dist/include/js/ScalarType.h:87
#0 0x7f48847492f3 in byteSize /builds/worker/workspace/obj-build/dist/include/js/ScalarType.h:87:3
#1 0x7f48847492f3 in mozilla::webgpu::Queue::WriteBuffer(mozilla::webgpu::Buffer const&, unsigned long, mozilla::dom::ArrayBufferViewOrArrayBuffer const&, unsigned long, mozilla::dom::Optional<unsigned long> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/webgpu/Queue.cpp:73:34
#2 0x7f4883c8c0fd in mozilla::dom::GPUQueue_Binding::writeBuffer(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WebGPUBinding.cpp:22771:24
#3 0x7f488427649e in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3258:13
#4 0x7f48887966d4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13
#5 0x7f488879602b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12
#6 0x7f48887a5948 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:10
#7 0x7f48887a5948 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3060:16
#8 0x7f48887955b2 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13
#9 0x7f4888796048 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13
#10 0x7f48887972fd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8
#11 0x7f4888b31e27 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1585:10
#12 0x7f488947b672 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:1138:10
#13 0x391f8d5fa749 ([anon:js-executable-memory]+0x11749)
|
Reporter | |
Comment 1•4 months ago
|
||
The fuzzers are reporting this frequently.
|
||
Comment 2•4 months ago
|
||
I get this craash from the testcase: https://crash-stats.mozilla.org/report/index/85f4c68d-aac7-42eb-83ff-ccadc0240306#tab-bugzilla
|
||
Comment 3•4 months ago
|
||
Verified bug as reproducible on mozilla-central 20240305094850-63e18d5ef9ec.
The bug appears to have been introduced in the following build range:
Start: 7a6867a3eabf3020e0dc11d629d16309150434ed (20240301094944)
End: f70554f10dc308a8544df7111d110ab3ec285306 (20240301093752)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7a6867a3eabf3020e0dc11d629d16309150434ed&tochange=f70554f10dc308a8544df7111d110ab3ec285306
|
||
Comment 4•4 months ago
|
||
Set release status flags based on info from the regressing bug 1879988
:ErichDonGubler, since you are the author of the regressor, bug 1879988, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
||
Updated•4 months ago
|
|
Assignee | |
Comment 5•4 months ago
|
||
|
||
Updated•4 months ago
|
|
|
Assignee | |
Updated•4 months ago
|
|
|
||
Comment 6•3 months ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:ErichDonGubler, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Pushed by egubler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/52377aae89ab fix(webgpu): default to elem. size 1 instead of crashing on untyped array buf. views in `GPUQueue.writeBuffer` r=webgpu-reviewers,nical
|
|
Assignee | |
Updated•3 months ago
|
|
||
Comment 8•3 months ago
|
||
| bugherder | ||
|
|
||
Comment 9•3 months ago
|
||
Verified bug as fixed on rev mozilla-central 20240311211339-2e7bccbd5370.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•