Testcase found while fuzzing mozilla-central rev 41271d27d65a (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 41271d27d65a --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mSize > 0 (invalid size), at /ipc/glue/Shmem.cpp:262

    ==1671548==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9f74f80763 bp 0x7ffebed42c70 sp 0x7ffebed42c60 T1671548)
    ==1671548==The signal is caused by a WRITE memory access.
    ==1671548==Hint: address points to the zero page.
        #0 0x7f9f74f80763 in mozilla::ipc::Shmem::AssertInvariants() const /ipc/glue/Shmem.cpp:262:3
        #1 0x7f9f74f817b7 in mozilla::ipc::Shmem::MkCreatedMessage(mozilla::ipc::Shmem::PrivateIPDLCaller, int) /ipc/glue/Shmem.cpp:433:3
        #2 0x7f9f74f6e3bb in mozilla::ipc::IToplevelProtocol::CreateSharedMemory(unsigned long, mozilla::ipc::SharedMemory::SharedMemoryType, bool, int*) /ipc/glue/ProtocolUtils.cpp:689:13
        #3 0x7f9f74f6f073 in CreateSharedMemory /ipc/glue/ProtocolUtils.cpp:332:21
        #4 0x7f9f74f6f073 in mozilla::ipc::IProtocol::AllocShmem(unsigned long, mozilla::ipc::SharedMemory::SharedMemoryType, mozilla::ipc::Shmem*) /ipc/glue/ProtocolUtils.cpp:416:31
        #5 0x7f9f7775a105 in mozilla::webgpu::Device::CreateBuffer(mozilla::dom::GPUBufferDescriptor const&, mozilla::ErrorResult&) /dom/webgpu/Device.cpp:137:19
        #6 0x7f9f76ccd888 in mozilla::dom::GPUDevice_Binding::createBuffer(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:16733:76
        #7 0x7f9f7731d48c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3271:13
        #8 0x7f9f7c7b3ca0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:420:13
        #9 0x7f9f7c7b34aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #10 0x7f9f7c7aa886 in CallFromStack /js/src/vm/Interpreter.cpp:578:10
        #11 0x7f9f7c7aa886 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3314:16
        #12 0x7f9f7c7a1b22 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #13 0x7f9f7c7b33a6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #14 0x7f9f7c7b49d8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:605:8
        #15 0x7f9f7b6d37d6 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1590:10
        #16 0x7f9f7b4525e1 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
        #17 0x7f9f7b63b592 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2113:12
        #18 0x7f9f7b63b592 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2176:12
        #19 0x7f9f7c7b3ca0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:420:13
        #20 0x7f9f7c7b34aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #21 0x7f9f7c7b49d8 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:605:8
        #22 0x7f9f7b4794d1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #23 0x7f9f765f861d in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #24 0x7f9f74284745 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
        #25 0x7f9f742839d3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
        #26 0x7f9f742839d3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #27 0x7f9f742717a8 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:674:17
        #28 0x7f9f7427261c in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #29 0x7f9f750f4f45 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1481:28
        #30 0x7f9f74394e6c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1217:24
        #31 0x7f9f7439b0ad in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #32 0x7f9f74f5bfb4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #33 0x7f9f74e84567 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #34 0x7f9f74e84472 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #35 0x7f9f74e84472 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #36 0x7f9f790b1bf8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #37 0x7f9f7b1f3a6b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:874:20
        #38 0x7f9f74f5cefa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #39 0x7f9f74e84567 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #40 0x7f9f74e84472 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #41 0x7f9f74e84472 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #42 0x7f9f7b1f308c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:733:34
        #43 0x5594ad22be90 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #44 0x5594ad22be90 in main /browser/app/nsBrowserApp.cpp:338:18
        #45 0x7f9f8b2f0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #46 0x5594ad201c3c in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15c3c) (BuildId: 84db100a918732cc0264ea219b418046cd03965e)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /ipc/glue/Shmem.cpp:262:3 in mozilla::ipc::Shmem::AssertInvariants() const
    ==1671548==ABORTING

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220525150600-41271d27d65a.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 257c3c51ab2338a35634610b9d3c6c4c305e6005 (20210527031253)
End: 41271d27d65a17e29ea8cfeacc2bbaf9ddd43975 (20220525150600)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Most operations maniplating shmems in WebGPU are fallible, we'll have to handle passing them conditionally in most messages.

This commit starts with BufferMap, to avoid crashing when map is called on an invalid buffer.

We can't pass zero-sized shmems through IPDL so we have to use MaybeShmem for when the buffer size is zero.

This patch tries to handle this case without throwing excpetions on the JS timeline to align with the spec's error model.

Depends on D149892

We need to smoosh these two patches together before we land them. With only the first one landed:

 0:23.21 /home/jimb/moz/central/dom/webgpu/ipc/WebGPUParent.cpp:384:20: error: no matching conversion for functional-style cast from 'mozilla::null_t' to 'mozilla::webgpu::MaybeShmem'
 0:23.21     req->mResolver(MaybeShmem(mozilla::null_t()));
 0:23.21                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~

With both landed, it's fine.

This needs some more work.

Backed out 22 changesets (Bug 1780792, Bug 1778713, Bug 1771254, Bug 1777535) for causing bustages on WebGPUParent.h.
Backout link
Push with failures <--> BP-hybrid
Failure Log

https://hg.mozilla.org/mozilla-central/rev/e6fc2537362e
https://hg.mozilla.org/mozilla-central/rev/efe6968345ff

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220810212956-d9acc6dde178.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.