Closed Bug 1773933 Opened 3 years ago Closed 3 years ago

Assertion failure: cx_->hadNondeterministicException()

Categories

(Core :: JavaScript Engine: JIT, defect, P3)


RESOLVED DUPLICATE of bug 1745907

People

(Reporter: exploit, Unassigned)

References

(Blocks 1 open bug)

Attachments (1 file)

crash.js (633 bytes, text/javascript)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36

Steps to reproduce:

The attached testcase crashes on gecko-dev/FIREFOX_ESR_91_9_X_RELBRANCH built with the fuzzilli build option (https://github.com/googleprojectzero/fuzzilli/blob/3f0d246a47f39e066ab560f3bb23e2fe47a25850/Targets/Spidermonkey/fuzzbuild.sh).

Actual results:

Execution crashes with backtrace:

Assertion failure: cx_->hadNondeterministicException(), at /home/builder/firefox/js/src/jit/WarpOracle.cpp:193

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==38330==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555571ebc52 bp 0x7fffffffb700 sp 0x7fffffffb660 T38330)
==38330==The signal is caused by a WRITE memory access.
==38330==Hint: address points to the zero page.
    #0 0x5555571ebc52 in js::jit::WarpOracle::createSnapshot() /home/builder/firefox/js/src/jit/WarpOracle.cpp:193:5
    #1 0x555556b48721 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) /home/builder/firefox/js/src/jit/Ion.cpp:1608:48
    #2 0x555556b160b7 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, unsigned char*) /home/builder/firefox/js/src/jit/Ion.cpp:1685:41
    #3 0x555556b160b7 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) /home/builder/firefox/js/src/jit/Ion.cpp:1907:24
    #4 0x555556b173ff in BaselineCanEnterAtBranch(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) /home/builder/firefox/js/src/jit/Ion.cpp:2108:25
    #5 0x555556b173ff in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) /home/builder/firefox/js/src/jit/Ion.cpp:2159:12
    #6 0x555556b17dca in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) /home/builder/firefox/js/src/jit/Ion.cpp:2271:8

Probably a duplicate of bug 1745907. (It was tested against ESR91 and contains exponentiation ** with BigInt values.)

This assertion is made to ensure that SpiderMonkey is optimal when running compilation, by checking whether it learns from its mistakes. Fixing this assertion prevents SpiderMonkey from entering a re-compilation loop in case of failure. If this happens, then we would still make progress within Baseline compiled code.

Thus the program might be slower than expected, but it should remain correct.

Also 91 is going away, the next ESR being 102.

Blocks: sm-opt-jits
Severity: -- → S4
Priority: -- → P3

I confirm that this is a duplicate of bug 1745907.

There's nothing to uplift here; the fix was to just stop asserting in this case. The assertion only exists in debug builds, so it has no impact on users.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE