Hit MOZ_CRASH(JSON.stringify mismatch between fast and slow paths) at /js/src/builtin/JSON.cpp:1702
Categories: Core :: JavaScript Engine, defect, P1

Tracking:

Branch | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox-esr115 | --- | unaffected
firefox116 | --- | unaffected
firefox117 | --- | fixed
firefox118 | --- | fixed

People: Reporter: decoder, Assigned: sfink
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files, 1 obsolete file
The following testcase crashes on mozilla-central revision 20230727-de3fd99966b1 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
```js
a = [];
Object.defineProperty(Array.prototype, '0', {
  get() {
    return 0
  },
  set() {}
});
a.push(1);
JSON.stringify(a);
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0 0x57d86599 in js::Stringify(JSContext*, JS::MutableHandle<JS::Value>, JSObject*, JS::Value const&, js::StringBuffer&, js::StringifyBehavior) ()
#1 0x57d89a57 in json_stringify(JSContext*, unsigned int, JS::Value*) ()
#2 0x57ce96e4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#15 0x57b4dc18 in main ()
```
Marking s-s until triaged as the test triggers spidey sense.
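The testcase above is short enough that it helps to spell out what it actually constructs. The following is an added example for Node.js, not part of the bug report: it installs the reporter's accessor on `Array.prototype` (with `configurable: true` added so the probe can undo it), shows that `push` stores nothing on the array itself because the inherited setter swallows the write, and shows that the spec-mandated `JSON.stringify` result therefore has to come from the inherited getter, whereas a plain hole of the same shape serialises as `null`. A fast path that only walks the array's own elements cannot agree with the slow path on this input, which is the kind of divergence the assertion in `JSON.cpp` is guarding against.

```javascript
// Added example (not from the bug report): rebuild the state the testcase
// creates and observe why a prototype accessor at index 0 breaks the
// invariant "a dense array's elements are its own data properties".
function probePrototypeAccessorHole() {
  const savedDesc = Object.getOwnPropertyDescriptor(Array.prototype, "0");
  const savedLength = Array.prototype.length;
  Object.defineProperty(Array.prototype, "0", {
    get() { return 0; },
    set() {},            // swallows the write, so push never stores on `a`
    configurable: true,  // added so the probe can remove it again
  });
  try {
    const a = [];
    a.push(1);           // Set(a, "0", 1) finds the inherited setter, not an own slot
    const literal = [1]; // an array literal defines an own element directly
    return {
      length: a.length,                                        // push still bumps length to 1
      ownIndex0: Object.prototype.hasOwnProperty.call(a, "0"), // false: index 0 is a hole
      read: a[0],                                              // 0, served by the inherited getter
      json: JSON.stringify(a),                                 // "[0]": spec reads through the getter
      literalOwn: Object.prototype.hasOwnProperty.call(literal, "0"), // true
      literalJson: JSON.stringify(literal),                    // "[1]"
    };
  } finally {
    // Restore the shared prototype so nothing else in the process is affected.
    delete Array.prototype[0];
    Array.prototype.length = savedLength;
    if (savedDesc) Object.defineProperty(Array.prototype, "0", savedDesc);
  }
}

// Same array shape without the prototype accessor: a plain hole serialises
// as null, which is all an elements-only walk could see for `a` above.
function probePlainHole() {
  const h = [];
  h.length = 1;
  return {
    ownIndex0: Object.prototype.hasOwnProperty.call(h, "0"),
    json: JSON.stringify(h),
  };
}
```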
Comment 3 • Bugmon [:jkratzer for issues] • 1 year ago
Unable to reproduce bug 1845671 using build mozilla-central 20230727034425-de3fd99966b1. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 4 • 1 year ago
Set release status flags based on info from the regressing bug 1837410
Comment 6 • Steve Fink [:sfink] (Assignee) • 1 year ago
> (In reply to Bugmon [:jkratzer for issues] from comment #3)
> Unable to reproduce bug 1845671 using build mozilla-central 20230727034425-de3fd99966b1. Without a baseline, bugmon is unable to analyze this bug.
> Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

I'm guessing bugmon must not be using a DEBUG build, because this should reproduce 100% reliably there with any runtime flags. But that seems surprising; aren't a lot of bugs going to be DEBUG-only, e.g. if they're crashing with MOZ_ASSERT?
Comment 7 • Steve Fink [:sfink] (Assignee) • 1 year ago
I will probably land bug 1847369, which nerfs what the fast path allows and thus fixes a superset of the problems, including the one in this bug. (I will wait for review to be sure, though.)
Comment 9 • 1 year ago
> (In reply to Steve Fink [:sfink] [:s:] from comment #6)
> > (In reply to Bugmon [:jkratzer for issues] from comment #3)
> > Unable to reproduce bug 1845671 using build mozilla-central 20230727034425-de3fd99966b1. Without a baseline, bugmon is unable to analyze this bug.
> > Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
>
> I'm guessing bugmon must not be using a DEBUG build, because this should reproduce 100% reliably there with any runtime flags. But that seems surprising; aren't a lot of bugs going to be DEBUG-only, eg if they're crashing with MOZ_ASSERT?

This was an issue with 32-bit builds. It should be fixed now.
Comment 10 • 1 year ago
Testcase crashes using the initial build (mozilla-central 20230727034425-de3fd99966b1) but not with tip (mozilla-central 20230816034343-b6d00af33f9f).
The bug appears to have been fixed in the following build range:
Start: 16838b515ded4549918a4ebf3e3fa8a0b427e1f4 (20230811213712)
End: 2be0ee236a5cef53847ab52c806c55bfd6b4ae6b (20230812091525)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=16838b515ded4549918a4ebf3e3fa8a0b427e1f4&tochange=2be0ee236a5cef53847ab52c806c55bfd6b4ae6b
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.