Closed Bug 1464757 Opened 6 years ago Closed 6 years ago

Assertion with CCW-BigInt in PreprocessValue

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox62 --- fixed

People

(Reporter: anba, Assigned: terpri)

References

Details

Attachments

(1 file)

Fix JSON stringification of proxied BigInt objects.
1.80 KB, patch
anba
: review+
Details | Diff | Splinter Review 
Test case:
---
JSON.stringify(newGlobal().eval("Object(BigInt(0))"))
---


Asserts with:
---
Thread 1 "js" received signal SIGSEGV, Segmentation fault.
0x0000000000729dfa in JSObject::as<js::BigIntObject> (this=0x7ffff7e00710) at /home/andre/hg/mozilla-inbound/js/src/vm/JSObject.h:526
526             MOZ_ASSERT(this->is<T>());
---


Stack trace:
---
#0  0x0000000000729dfa in JSObject::as<js::BigIntObject> (this=0x7ffff7e00710) at /home/andre/hg/mozilla-inbound/js/src/vm/JSObject.h:526
#1  0x000000000070631f in PreprocessValue<JS::Handle<jsid> > (cx=0x7ffff5817000, holder=..., key=..., vp=..., scx=0x7fffffff91b0) at /home/andre/hg/mozilla-inbound/js/src/builtin/JSON.cpp:299
#2  0x0000000000705722 in js::Stringify (cx=0x7ffff5817000, vp=..., replacer_=0x0, space_=..., sb=..., stringifyBehavior=js::StringifyBehavior::Normal)
    at /home/andre/hg/mozilla-inbound/js/src/builtin/JSON.cpp:769
#3  0x0000000000706c71 in json_stringify (cx=0x7ffff5817000, argc=1, vp=0x7ffff4866090) at /home/andre/hg/mozilla-inbound/js/src/builtin/JSON.cpp:959
#4  0x00000000006bdeb4 in js::CallJSNative (cx=0x7ffff5817000, native=0x706b00 <json_stringify(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/andre/hg/mozilla-inbound/js/src/vm/JSContext-inl.h:279
#5  0x00000000006aca7f in js::InternalCallOrConstruct (cx=0x7ffff5817000, args=..., construct=js::NO_CONSTRUCT) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:471
#6  0x00000000006ad050 in InternalCall (cx=0x7ffff5817000, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:520
#7  0x00000000006ace4d in js::CallFromStack (cx=0x7ffff5817000, args=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:526
#8  0x00000000006a16fb in Interpret (cx=0x7ffff5817000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:3093
#9  0x00000000006968a8 in js::RunScript (cx=0x7ffff5817000, state=...) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:421
#10 0x00000000006adee3 in js::ExecuteKernel (cx=0x7ffff5817000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x7fffffffceb0)
    at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:704
#11 0x00000000006ae240 in js::Execute (cx=0x7ffff5817000, script=..., envChainArg=..., rval=0x7fffffffceb0) at /home/andre/hg/mozilla-inbound/js/src/vm/Interpreter.cpp:736
#12 0x0000000000dc2c8d in ExecuteScript (cx=0x7ffff5817000, scope=..., script=..., rval=0x7fffffffceb0) at /home/andre/hg/mozilla-inbound/js/src/jsapi.cpp:4752
#13 0x0000000000dc2b13 in JS_ExecuteScript (cx=0x7ffff5817000, scriptArg=..., rval=...) at /home/andre/hg/mozilla-inbound/js/src/jsapi.cpp:4778
#14 0x0000000000479861 in EvalAndPrint (cx=0x7ffff5817000, 
    bytes=0x7ffff496b680 "JSON.stringify(newGlobal().eval(\"Object(BigInt(0))\"))\n\344\344\344\344\344\344\344\344\344\344@\366\312\364\377\177\376\377\200\366\312\364\377\177\376\377\300\366\312\364\377\177\376\377 {\302\364\377\177\373\377H", length=54, lineno=1, compileOnly=false) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:1174
#15 0x0000000000478eab in ReadEvalPrintLoop (cx=0x7ffff5817000, in=0x7ffff6c758e0 <_IO_2_1_stdin_>, compileOnly=false) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:1246
#16 0x000000000047816b in Process (cx=0x7ffff5817000, filename=0x0, forceTTY=true, kind=FileScript) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:1334
#17 0x000000000045cb72 in ProcessArgs (cx=0x7ffff5817000, op=0x7fffffffd688) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:8422
#18 0x0000000000455a5e in Shell (cx=0x7ffff5817000, op=0x7fffffffd688, envp=0x7fffffffd8b8) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:8876
#19 0x00000000004523cc in main (argc=1, argv=0x7fffffffd8a8, envp=0x7fffffffd8b8) at /home/andre/hg/mozilla-inbound/js/src/shell/js.cpp:9349
---
PreprocessValue should probably use js::Unbox for BigInts, like it does for Booleans, so that proxies are unboxed correctly.

test262 PR for to this bug: https://github.com/tc39/test262/pull/1573
PreprocessValue was calling BigIntObject::unbox directly, which doesn't
check for proxy objects. Add a BigInt branch to js::Unbox and use that
function instead.
Attachment #8981285 - Flags: review?(andrebargull)
Comment on attachment 8981285 [details] [diff] [review]
Fix JSON stringification of proxied BigInt objects.

Review of attachment 8981285 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8981285 - Flags: review?(andrebargull) → review+
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cc408fce6baf
Fix JSON stringification of proxied BigInt objects. r=anba
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/cc408fce6baf
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Assignee: nobody → robin
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: