Found while fuzzing m-c 20240322-5d6efea5e0bb (--enable-debug --enable-fuzzing)

This issue is being reported frequently but is not reliably reproducible. A reduced test case is unavailable at this time.

Hit MOZ_CRASH(index out of bounds: the len is 2 but the index is 2) at /builds/worker/checkouts/gecko/third_party/rust/wgpu-core/src/storage.rs:201

#0 0x7ffd4d4c3a57 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:43
#1 0x7ffd4d4c3a57 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:300
#2 0x7ffd4d4c3a57 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17
#3 0x7ffd4b55421f in mozglue_static::panic_hook /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:96
#4 0x7ffd4b55421f in core::ops::function::FnOnce::call_once /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce\library\core\src\ops\function.rs:250
#5 0x7ffd4b55421f in core::ops::function::FnOnce::call_once<void (*)(ref$<core::panic::panic_info::PanicInfo>),tuple$<ref$<core::panic::panic_info::PanicInfo> > > /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce\library\core\src\ops\function.rs:79
#6 0x7ffd4b8536f7 in alloc::boxed::impl$49::call /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\alloc\src\boxed.rs:2029
#7 0x7ffd4b8536f7 in std::panicking::rust_panic_with_hook /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:783
#8 0x7ffd4b853578 in std::panicking::begin_panic_handler::closure$0 /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:657
#9 0x7ffd4b8534b8 in std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$> /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\sys_common\backtrace.rs:171
#10 0x7ffd4b8534a1 in std::panicking::begin_panic_handler /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\std\src\panicking.rs:645
#11 0x7ffd4dd1c326 in core::panicking::panic_fmt /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\panicking.rs:72
#12 0x7ffd4dd1c423 in core::panicking::panic_bounds_check /rustc/07dca489ac2d933c78d3c5158e3f43beefeb02ce/library\core\src\panicking.rs:208
#13 0x7ffd4c060c30 in wgpu_server_texture_drop /builds/worker/checkouts/gecko/gfx/wgpu_bindings/src/server.rs:1264
#14 0x7ffd41e814ea in mozilla::webgpu::WebGPUParent::RecvTextureDrop /builds/worker/checkouts/gecko/dom/webgpu/ipc/WebGPUParent.cpp:709
#15 0x7ffd41e814ea in mozilla::webgpu::PWebGPUParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PWebGPUParent.cpp:1400
#16 0x7ffd3e54b695 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PCanvasManagerParent.cpp:290
#17 0x7ffd3d0ab5cf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1818
#18 0x7ffd3d0a8da1 in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1737
#19 0x7ffd3d0a9c3d in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530
#20 0x7ffd3d0aa3a1 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1628
#21 0x7ffd3b915926 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193
#22 0x7ffd3b926f8a in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
#23 0x7ffd3d0b4aff in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330
#24 0x7ffd3cfc0383 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
#25 0x7ffd3cfc0383 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
#26 0x7ffd3cfc014a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
#27 0x7ffd3b90bcad in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370
#28 0x7ffd5de7b277 in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
#29 0x7ffd5de5360c in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
#30 0x7ffd7edb6b4b  (C:\Windows\System32\ucrtbase.dll+0x180026b4b)
#31 0x7ffd5e270715 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:291
#32 0x12e86284002e  (<unknown module>)
#33 0xb2061ffe3f  (<unknown module>)
#34 0x7ffd5e27225e in CreateThread (C:\Users\task_171110928223025\builds\m-c-20240322093041-fuzzing-asan-opt\clang_rt.asan_dynamic-x86_64.dll+0x18005225e)
#35 0x2f  (<unknown module>)
#36 0xb2061ffdb7  (<unknown module>)
#37 0xb2061ffe3f  (<unknown module>)
#38 0x7ffd6ba97e7e in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
#39 0x7ffd6ba97e7e in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:558
#40 0x7ffd80fee8aa  (C:\Windows\SYSTEM32\ntdll.dll+0x18007e8aa)

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jimb, could you consider increasing the severity?

For more information, please visit BugBot documentation.

S3 is appropriate, because WebGPU isn't shipped yet. This may, however, be indicative of needing a higher priority than before.

This bug is one of our most prolific fuzz blockers. Is there anything we can do to re-prioritize this?

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --asan --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox.exe 1888178

One additional note, I was only able to reproduce this on a machine without an actual GPU.

We on the WebGPU team believe that :teoxoy's (landed) patch D213800 has a strong chance of resolving this issue. :jkratzner is on PTO, but we look forward to his testing to confirm or refute the fix when he gets back.

I hear from :jimb that :tsmith is a good person to request help from to try to carry this issue forward while :jkratzner is OOO. NI'ing; :tsmith, I'm happy to loop you in via whatever sync. or async. medium is best for you. 🙂 Short summary: Could you please confirm whether this crash is reproducible after Teo's fix, which has already landed in central.

https://hg.mozilla.org/mozilla-central/rev/802dfcfa2927

I've tried all my local machines and I can't reproduce the error so I won't be able to verify it locally. I will be able to verify the issue once a build with the patch applied is running in automation. I will provide an update at that time.

The issue is no longer being reported by fuzzers. It was last reported while running m-c 1ddf59a206f4.

Marking this as resolved, then! 🙌🏻 Kudos, :teoxoy.