Found while fuzzing m-c 20221120-d2c628738330 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: data != nullptr, at /builds/worker/checkouts/gecko/dom/webgpu/Queue.cpp:67

#0 0x7f414e900632 in mozilla::webgpu::Queue::WriteBuffer(mozilla::webgpu::Buffer const&, unsigned long, mozilla::dom::ArrayBufferViewOrArrayBuffer const&, unsigned long, mozilla::dom::Optional<unsigned long> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/webgpu/Queue.cpp:67:3
#1 0x7f414de475d7 in mozilla::dom::GPUQueue_Binding::writeBuffer(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGPUBinding.cpp:22121:24
#2 0x7f414e4a01f2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
#3 0x7f41527fd556 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#4 0x7f41527fce7f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#5 0x7f415327b90d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1591:10
#6 0xd8b80f842e3  (<unknown module>)

Verified bug as reproducible on mozilla-central 20230117161302-455aa95a34de.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 192e73e7c91313c09603efd1650931b917746bf4 (20220119093435)
End: d2c6287383301f29964047d5c718640eb4bbcccb (20221120214001)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

The severity field is not set for this bug.
:jimb, could you have a look please?

For more information, please visit auto_nag documentation.

Marking severity S3, as WebGPU is not enabled. However, this should block webgpu-in-nightly.

I can reproduce this on b06e825a4d81 (2023-2-6).

The test case's finagling with AudioContext.decodeAudioData detaches the ArrayBuffer c, but Queue::WriteBuffer is not expecting to receive a detached ArrayBuffer as its argument.

Calling mozilla::dom::TypedArray_base::Data on a detached ArrayBuffer
returns null, so GPUQueue.writeBuffer or GPUQueue.writeTexture need to
be prepared for this case.

Consolidate validation code from mozilla::webgpu::Queue::WriteBuffer
and WriteTexture into a new function, GetBufferSourceDataAndSize, and
use that in both cases.

Backed out changeset fd94ed7faa11 (bug 1810831) for build bustages at Queue.cpp

Backout: https://hg.mozilla.org/integration/autoland/rev/1a9a3443880eff69c46bdc1b187d1d6a924d10db

Failure push: https://treeherder.mozilla.org/jobs?repo=autoland&revision=fd94ed7faa11650aa77a99ea6c98595f86e2f4f3&selectedTaskRun=eiR0i4TNQKm7YVLNGyJ0Ag.0

Failure log: https://treeherder.mozilla.org/logviewer?job_id=405018771&repo=autoland&lineNumber=14829

https://hg.mozilla.org/mozilla-central/rev/efcb92927abd

Verified bug as fixed on rev mozilla-central 20230209041032-a8b83be2a943.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.