1850839 - Assertion failure: !top.nobj->isIndexed(), at builtin/JSON.cpp:1364

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit c3b462663f7d45d2d1fc91374a68856b484a9a29 the attached sample asserts when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

function f0() {
    return f0;
}
const v2 = this.representativeStringArray();
v2.splice(this);
const o14 = {
    [f0]: v2,
};
JSON.stringify(o14);

#0  0x0000555557a76f50 in FastStr (cx=0x7ffff662e100, v=..., scx=0x7fffffff9f80,
    whySlow=0x7fffffff9dff) at js/src/builtin/JSON.cpp:1364
#1  0x0000555557a75b01 in js::Stringify (cx=0x7ffff662e100, vp=..., replacer_=0x0,
    space_=..., sb=..., stringifyBehavior=js::StringifyBehavior::Compare)
    at js/src/builtin/JSON.cpp:1646
#2  0x0000555557a78e34 in json_stringify (cx=0x7ffff662e100, argc=1, vp=0x7ffff54e3090)
    at js/src/builtin/JSON.cpp:2079
#3  0x00005555579d7a3c in CallJSNative (cx=0x7ffff662e100, 
    native=0x555557a78b60 <json_stringify(JSContext*, unsigned int, JS::Value*)>,
    reason=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:486
#4  0x00005555579ae8d3 in js::InternalCallOrConstruct (cx=0x7ffff662e100, args=...,
    construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:580
#5  0x00005555579af059 in InternalCall (cx=0x7ffff662e100, args=...,
    reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:647
#6  0x00005555579aee93 in js::CallFromStack (cx=0x7ffff662e100, args=...,
    reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:652
#7  0x00005555579bd548 in js::Interpret (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:3395
#8  0x00005555579ae2af in MaybeEnterInterpreterTrampoline (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:400
#9  0x00005555579adf71 in js::RunScript (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:458
#10 0x00005555579b04a1 in js::ExecuteKernel (cx=0x7ffff662e100, script=..., 
    envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:845
#11 0x00005555579b0814 in js::Execute (cx=0x7ffff662e100, script=..., envChain=...,
    rval=...) at js/src/vm/Interpreter.cpp:877
#12 0x0000555557b71faf in ExecuteScript (cx=0x7ffff662e100, envChain=..., script=...,
    rval=...) at js/src/vm/CompilationAndEvaluation.cpp:494
#13 0x0000555557b720d5 in JS_ExecuteScript (cx=0x7ffff662e100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#14 0x00005555578075bf in RunFile (cx=0x7ffff662e100, 
    filename=0x7ffff5508570 "crash.js",
    file=0x7ffff7669020, compileMethod=CompileUtf8::DontInflate, compileOnly=false,
    fullParse=false) at js/src/shell/js.cpp:1099
#15 0x0000555557806e5c in Process (cx=0x7ffff662e100, 
    filename=0x7ffff5508570 "crash.js", 
    forceTTY=false, kind=FileScript) at js/src/shell/js.cpp:1679

Comment 1

[Steve Fink [:sfink] [:s:]]

This is an overzealous assert based on a conservative deopt bit: it's asserting because arr->isIndexed() is true, which means there can be indexed elements in the properties. Except in this case, all indexed elements have been discarded with arr.splice(0), so it doesn't matter. The only question is whether to make this case fail the fast path or not.

The mismatched condition is if (!IsPackedArray(obj) && ObjectMayHaveExtraIndexedProperties(obj)) {. The 2nd conditiion will discard arrays where obj->isIndexed(), but in this case IsPackedArray(obj) is true so that condition is not checked.

Comment 2

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1850839 - Weaken isIndexed() assert

Comment 3

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ff7e2e9adbc1
Weaken isIndexed() assert r=jandem

Comment 4

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/ff7e2e9adbc1