Testcase found while fuzzing mozilla-central rev 59134b451eec (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 59134b451eec --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: !Failed(), at /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h:583

    ==2690797==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9476672098 bp 0x7ffe63da74a0 sp 0x7ffe63da7490 T2690797)
    ==2690797==The signal is caused by a WRITE memory access.
    ==2690797==Hint: address points to the zero page.
        #0 0x7f9476672098 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult() /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h
        #1 0x7f9479b54019 in mozilla::webgpu::Device::CreateShaderModule(JSContext*, mozilla::dom::GPUShaderModuleDescriptor const&) /dom/webgpu/Device.cpp:281:1
        #2 0x7f94790b9fe4 in mozilla::dom::GPUDevice_Binding::createShaderModule(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:17166:82
        #3 0x7f947970d2ac in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3285:13
        #4 0x7f947ec12040 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #5 0x7f947ec118aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #6 0x7f947ec08d9c in CallFromStack /js/src/vm/Interpreter.cpp:575:10
        #7 0x7f947ec08d9c in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3313:16
        #8 0x7f947ec00112 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #9 0x7f947ec117a6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:536:13
        #10 0x7f947ec12d68 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #11 0x7f947daec256 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1572:10
        #12 0x7f947d89c001 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:153:8
        #13 0x7f947da84ed2 in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2112:12
        #14 0x7f947da84ed2 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2175:12
        #15 0x7f947ec12040 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:417:13
        #16 0x7f947ec118aa in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:504:12
        #17 0x7f947ec12d68 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:602:8
        #18 0x7f947d8c6ee1 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #19 0x7f94789e18fd in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #20 0x7f9476635145 in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
        #21 0x7f94766343d3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
        #22 0x7f94766343d3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #23 0x7f9476622098 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #24 0x7f9476622f0c in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #25 0x7f94774b7a85 in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1485:28
        #26 0x7f9476744d3c in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1242:24
        #27 0x7f947674af8d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #28 0x7f9477317e44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #29 0x7f947723e2e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #30 0x7f947723e1f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #31 0x7f947723e1f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #32 0x7f947b4e0c18 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #33 0x7f947d60763b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #34 0x7f9477318d8a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #35 0x7f947723e2e7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #36 0x7f947723e1f2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #37 0x7f947723e1f2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #38 0x7f947d606c5c in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #39 0x5619c24c8110 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #40 0x5619c24c8110 in main /browser/app/nsBrowserApp.cpp:338:18
        #41 0x7f948ce82082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #42 0x5619c249debc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15ebc) (BuildId: 8fab917e3f7762d3ef82e00084da9521afc7b211)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/ErrorResult.h in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::~TErrorResult()
    ==2690797==ABORTING

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220715095545-59134b451eec.
The bug appears to have been introduced in the following build range:

Start: e6e2286d2ac25001127a1cf54a87a95fb435c734 (20220708093332)
End: 807e95cd9956aa4967ddddc80f8ccab4ad370e8d (20220708081410)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e6e2286d2ac25001127a1cf54a87a95fb435c734&tochange=807e95cd9956aa4967ddddc80f8ccab4ad370e8d

Set release status flags based on info from the regressing bug 1750576

:nical, since you are the author of the regressor, bug 1750576, could you take a look?
For more information, please visit auto_nag documentation.

ErrorResult crashes in its destructor if an error occured and it wasn't handled (checking Failed() doesn't count as handling the error. We could throw a JS exception instead but the webgpu spec doesn't say anything about throwing in createShaderModule, so in doubt this patch is only silencing the crash..
Note: I am not even sure what the implications of returning null are, perhaps we should return a dummy shader module that is in an invalid state instead?

Set release status flags based on info from the regressing bug 1750576

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

As far as I can tell, calling SuppressException and returning nullptr from Device::CreateShaderModule is just going to hit this assertion:

template <class T, GetOrCreateReflectorWrapBehavior wrapBehavior>
MOZ_ALWAYS_INLINE bool DoGetOrCreateDOMReflector(
    JSContext* cx, T* value, JS::Handle<JSObject*> givenProto,
    JS::MutableHandle<JS::Value> rval) {
  MOZ_ASSERT(value);
  ...
}

Nical, how does applying this patch actually affect the behavior?

Probably does not.

Bugmon was unable reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.