Bug 1464757 - Assertion with CCW-BigInt in PreprocessValue
Status: RESOLVED FIXED (Closed)
Opened 6 years ago, closed 6 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla62

 | Tracking | Status
---|---|---
firefox62 | --- | fixed

People: Reporter: anba, Assigned: terpri

Attachments (1 file): 1.80 KB, patch, anba: review+
Test case:
---
JSON.stringify(newGlobal().eval("Object(BigInt(0))"))
---

Asserts with:
---
Thread 1 "js" received signal SIGSEGV, Segmentation fault.
0x0000000000729dfa in JSObject::as<js::BigIntObject> (this=0x7ffff7e00710) at /home/andre/hg/mozilla-inbound/js/src/vm/JSObject.h:526
526 MOZ_ASSERT(this->is<T>());
---

Stack trace:
---
#0 0x0000000000729dfa in JSObject::as<js::BigIntObject> (this=0x7ffff7e00710) at /home/andre/hg/mozilla-inbound/js/src/vm/JSObject.h:526
#1 0x000000000070631f in PreprocessValue<JS::Handle<jsid> > (cx=0x7ffff5817000, holder=..., key=..., vp=..., scx=0x7fffffff91b0) at /home/andre/hg/mozilla-inbound/js/src/builtin/JSON.cpp:299
#2 0x0000000000705722 in js::Stringify (cx=0x7ffff5817000, vp=..., replacer_=0x0, space_=..., sb=..., stringifyBehavior=js::StringifyBehavior::Normal) at /home/andre/hg/mozilla-inbound/js/src/builtin/JSON.cpp:769
#3 0x0000000000706c71 in json_stringify (cx=0x7ffff5817000, argc=1, vp=0x7ffff4866090) at /home/andre/hg/mozilla-inbound/js/src/builtin/JSON.cpp:959
#4 0x00000000006bdeb4 in js::CallJSNative (cx=0x7ffff5817000, native=0x706b00 <json_stringify(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/JSContext-inl.h:279
#5 0x00000000006aca7f in js::InternalCallOrConstruct (cx=0x7ffff5817000, args=..., construct=js::NO_CONSTRUCT) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:471
#6 0x00000000006ad050 in InternalCall (cx=0x7ffff5817000, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:520
#7 0x00000000006ace4d in js::CallFromStack (cx=0x7ffff5817000, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:526
#8 0x00000000006a16fb in Interpret (cx=0x7ffff5817000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:3093
#9 0x00000000006968a8 in js::RunScript (cx=0x7ffff5817000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:421
#10 0x00000000006adee3 in js::ExecuteKernel (cx=0x7ffff5817000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x7fffffffceb0) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:704
#11 0x00000000006ae240 in js::Execute (cx=0x7ffff5817000, script=..., envChainArg=..., rval=0x7fffffffceb0) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:736
#12 0x0000000000dc2c8d in ExecuteScript (cx=0x7ffff5817000, scope=..., script=..., rval=0x7fffffffceb0) at /home/andre/hg/mozilla-inbound/js/src/jsapi.cpp:4752
#13 0x0000000000dc2b13 in JS_ExecuteScript (cx=0x7ffff5817000, scriptArg=..., rval=...) at /home/andre/hg/mozilla-inbound/js/src/jsapi.cpp:4778
#14 0x0000000000479861 in EvalAndPrint (cx=0x7ffff5817000, bytes=0x7ffff496b680 "JSON.stringify(newGlobal().eval(\"Object(BigInt(0))\"))\n\344\344\344\344\344\344\344\344\344\344@\366\312\364\377\177\376\377\200\366\312\364\377\177\376\377\300\366\312\364\377\177\376\377 {\302\364\377\177\373\377H", length=54, lineno=1, compileOnly=false) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:1174
#15 0x0000000000478eab in ReadEvalPrintLoop (cx=0x7ffff5817000, in=0x7ffff6c758e0 <_IO_2_1_stdin_>, compileOnly=false) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:1246
#16 0x000000000047816b in Process (cx=0x7ffff5817000, filename=0x0, forceTTY=true, kind=FileScript) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:1334
#17 0x000000000045cb72 in ProcessArgs (cx=0x7ffff5817000, op=0x7fffffffd688) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:8422
#18 0x0000000000455a5e in Shell (cx=0x7ffff5817000, op=0x7fffffffd688, envp=0x7fffffffd8b8) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:8876
#19 0x00000000004523cc in main (argc=1, argv=0x7fffffffd8a8, envp=0x7fffffffd8b8) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:9349
---
Comment 1 • 6 years ago (Assignee)
PreprocessValue should probably use js::Unbox for BigInts, like it does for Booleans, so that proxies are unboxed correctly.

test262 PR for this bug: https://github.com/tc39/test262/pull/1573
Comment 2 • 6 years ago (Assignee)
PreprocessValue was calling BigIntObject::unbox directly, which doesn't check for proxy objects. Add a BigInt branch to js::Unbox and use that function instead.
Attachment #8981285 - Flags: review?(andrebargull)
Comment 3 • 6 years ago (Reporter)
Comment on attachment 8981285 [details] [diff] [review]
Fix JSON stringification of proxied BigInt objects.

Review of attachment 8981285 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8981285 - Flags: review?(andrebargull) → review+
Updated • 6 years ago
Keywords: checkin-needed
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cc408fce6baf
Fix JSON stringification of proxied BigInt objects. r=anba
Keywords: checkin-needed
Comment 5 • 6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/cc408fce6baf
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated • 6 years ago
Assignee: nobody → robin