182473 2018-02-04 21:11:50 -0800 Crash caused by Integer Overflow 2018-03-30 07:49:56 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED DUPLICATE 183894 P2 Normal --- 1 sunlili webkit-unassigned rmorisset oldest_to_newest 1396218 0 sunlili 2018-02-04 21:11:50 -0800 Hi, Following code will cause JavaSciptCore crash. Run in webkitgtk-2.19.6. Some older versions(2.18.5) will crash too. Code: var ch = String.prototype.repeat.call("2", 1<<30); let identi_arr={ "ch":ch, }; print("ch generated") JSON.stringify(identi_arr); print("json finish") Output: ch generated 1 0x7f0e85e34841 WTFCrash 2 0x46765e WTF::CrashOnOverflow::hasOverflowed() const 3 0x467655 WTF::CrashOnOverflow::crash() 4 0x7f0e85028210 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&) 5 0x7f0e85e8d11a 6 0x7f0e85e8cc2d 7 0x7f0e85e8c8f3 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&) 8 0x7f0e85b06a94 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&) 9 0x7f0e85b077ce JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&) 10 0x7f0e85b06dee JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&) 11 0x7f0e85b063d5 JSC::Stringifier::stringify(JSC::JSValue) 12 0x7f0e85b091fa JSC::JSONProtoFuncStringify(JSC::ExecState*) 13 0x7f0e3f3ff178 Segmentation fault (core dumped) Reason: The ch string is too large, when calculate the maximumCapacityRequired for it, an Integer Overflow be detected in StringBuilder::appendQuotedJSONString(const String& string). BT group 2018/2/5 1410595 1 rmorisset 2018-03-30 07:49:56 -0700 *** This bug has been marked as a duplicate of bug 183894 ***