1247926 - Assertion failure: isString(), at js/src/debug64/dist/include/js/Value.h:1271 with JSON.parse and unboxed arrays

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 576a6dcde5b6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --unboxed-arrays --ion-offthread-compile=off):

JSON.parse('[1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0]', function(k, v) { return ""; });
str = "[";
for (i = 0; i < 2048; i++) str += "1,"
str += "1]";
JSON.parse(str);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000051292c in JS::Value::toString (this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1271
#0  0x000000000051292c in JS::Value::toString (this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1271
#1  0x0000000000523435 in toString (this=<optimized out>) at js/src/debug64/dist/include/js/Value.h:1271
#2  js::SetUnboxedValueNoTypeChange (unboxedObject=<optimized out>, p=0x7ffff69a7000 '\344' <repeats 199 times>, <incomplete sequence \344>..., type=<optimized out>, v=..., preBarrier=<optimized out>) at js/src/vm/UnboxedObject-inl.h:68
#3  0x0000000000ba2f39 in SetOrExtendBoxedOrUnboxedDenseElements<(JSValueType)5> (updateTypes=js::Update, count=<optimized out>, vp=0x801, start=0, obj=0x7ffff3400320, cx=0x1) at js/src/vm/UnboxedObject-inl.h:538
#4  operator()<(JSValueType)5u> (this=<synthetic pointer>) at js/src/vm/UnboxedObject.cpp:2081
#5  CallBoxedOrUnboxedSpecialization<SetOrExtendBoxedOrUnboxedDenseElementsFunctor> (obj=0x7ffff3400320, f=...) at js/src/vm/UnboxedObject-inl.h:670
#6  js::SetOrExtendAnyBoxedOrUnboxedDenseElements (cx=cx@entry=0x7ffff6907800, obj=obj@entry=0x7ffff3400320, start=start@entry=0, vp=vp@entry=0x7ffff69b1000, count=count@entry=2049, updateTypes=<optimized out>, updateTypes@entry=js::DontUpdate) at js/src/vm/UnboxedObject.cpp:2091
#7  0x0000000000521d11 in js::NewCopiedArrayTryUseGroup (cx=cx@entry=0x7ffff6907800, group=group@entry=..., vp=vp@entry=0x7ffff69b1000, length=length@entry=2049, newKind=newKind@entry=js::GenericObject, updateTypes=js::DontUpdate) at js/src/jsarray.cpp:3648
#8  0x0000000000ac8c02 in js::ObjectGroup::newArrayObject (cx=0x7ffff6907800, vp=0x7ffff69b1000, length=2049, newKind=newKind@entry=js::GenericObject, arrayKind=arrayKind@entry=js::ObjectGroup::Normal) at js/src/vm/ObjectGroup.cpp:914
#9  0x0000000000ab2d78 in js::JSONParserBase::finishArray (this=0x7fffffffbbf8, vp=..., elements=...) at js/src/vm/JSONParser.cpp:609
#10 0x0000000000abd972 in js::JSONParser<unsigned char>::parse (this=this@entry=0x7fffffffbbf8, vp=..., vp@entry=...) at js/src/vm/JSONParser.cpp:688
#11 0x0000000000950ed5 in parse (vp=..., this=0x7fffffffbbe0) at js/src/vm/JSONParser.h:262
#12 js::ParseJSONWithReviver<unsigned char> (cx=cx@entry=0x7ffff6907800, chars=..., reviver=..., reviver@entry=..., vp=vp@entry=...) at js/src/json.cpp:887
#13 0x000000000093cb4d in json_parse (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7fffffffc0c8) at js/src/json.cpp:940
#14 0x0000000000aadd82 in js::CallJSNative (cx=0x7ffff6907800, native=0x93c920 <json_parse(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x0000000000aa73f1 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#16 0x0000000000aa7f1c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc5c8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:527
#17 0x000000000060b056 in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffc608, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc5b8, res=...) at js/src/jit/BaselineIC.cpp:6136
#18 0x00007ffff7ff1abf in ?? ()
#19 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69a7000	140737330704384
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb5e0	140737488336352
rsp	0x7fffffffb5e0	140737488336352
r8	0x7ffff7fe07c0	140737354008512
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb3a0	140737488335776
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff69b1008	140737330745352
r13	0x7ffff6907800	140737330051072
r14	0x0	0
r15	0x7ffff3400320	140737274446624
rip	0x51292c <JS::Value::toString() const+28>
=> 0x51292c <JS::Value::toString() const+28>:	movl   $0x4f7,0x0
   0x512937 <JS::Value::toString() const+39>:	callq  0x4a4f50 <abort()>

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

ni? bhackett because of unboxed arrays.

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

When creating an array from JSON or a literal we have a check to make sure any unboxed representation for the object being created actually matches up with the elements in the new array.  This check breaks down when creating the resulting array hits a path where the existing objects are eagerly analyzed, because the created array is large.  This patch refactors things so that the check works correctly in this case, and makes some simplifications to the associated array creation functions.

Comment 4

[Eric Faust [:efaust]]

Brian, this is a nightly-only failure, correct? Can we wontfix this for 47?

Comment 5

[Eric Faust [:efaust]]

Marking wontfix for 47, since this is a nightly-only crash.

Comment 6

[Ekanan Ketunuti]

Forgot to land this?

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'JSCompartment::wrap':
 - nightly (version 50): 8 crashes from 2016-06-06.
 - aurora  (version 49): 43 crashes from 2016-06-07.
 - beta    (version 48): 272 crashes from 2016-06-06.
 - release (version 47): 602 crashes from 2016-05-31.
 - esr     (version 45): 21 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          1          1          0          2          4          0
 - aurora           8         20          1          4          2          4          3
 - beta            58         28         42         42         34         35         13
 - release         83         93         90         74        101         90         33
 - esr              3          2          2          0          8          1          3

Affected platforms: Windows, Mac OS X, Linux

Comment 8

[Liz Henry (:lizzard) (relman/hg->git project)]

Jandem, naveed, can you help with this crash? It may only be in nightly - but the crash signature is showing up in beta and release.

Comment 9

[Jan de Mooij [:jandem]]

Unboxed arrays are disabled by default, so this bug is unrelated to the crashes in comment 7.

Ekanan, why did you link that crash report + the [@JSCompartment::wrap] signature to this bug? It's confusing the Release Management bot. I'll take a look at the current crashes though.

Comment 10

[Ekanan Ketunuti]

(In reply to Jan de Mooij [:jandem] from comment #9)
> Unboxed arrays are disabled by default, so this bug is unrelated to the
> crashes in comment 7.
> 
> Ekanan, why did you link that crash report + the [@JSCompartment::wrap]
> signature to this bug? It's confusing the Release Management bot. I'll take
> a look at the current crashes though.

I enabled unboxed arrays and get crash w/ script in comment 0.

Comment 11

[Pulsebot]

Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9125f0c5deba
Fix analysis of preliminary array object groups when creating JSON or literal objects, r=jandem.

Comment 12

[Iris Hsiao [:ihsiao]]

https://hg.mozilla.org/mozilla-central/rev/9125f0c5deba