Bug 289232

Hello, I found a crash in JSC. ==============poc.js============= var a = []; var str = "a"; for (var i = 0; i < 8; i++) { str += str; str += String.fromCharCode(i, i) + str.trimLeft(); } print(str) for (var i = 0; i < 10000; i++) { a.push(str); } json1 = JSON.stringify(a); =============================== Run args: ./jsc poc.js Result: /usr/lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/span:321: span<element_type, dynamic_extent> std::span<unsigned char>::first(size_type) const [_Type = unsigned char, _Extent = 18446744073709551615]: Assertion '__count <= size()' failed. Stack: * thread #1, name = 'jsc', stop reason = signal SIGABRT frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268 libc.so.6`__pthread_kill_implementation: -> 0x7ffff56afe5c <+268>: movl %eax, %ebp 0x7ffff56afe5e <+270>: negl %ebp 0x7ffff56afe60 <+272>: cmpl $0xfffff000, %eax ; imm = 0xFFFFF000 0x7ffff56afe65 <+277>: movl $0x0, %eax (lldb) bt * thread #1, name = 'jsc', stop reason = signal SIGABRT * frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268 frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22 frame #2: 0x00007ffff56497fc libc.so.6`abort + 215 frame #3: 0x00007ffff58d7e80 libstdc++.so.6`std::__glibcxx_assert_fail(char const*, int, char const*, char const*) + 96 frame #4: 0x0000555558a0ef4f jsc`WTF::StringBuilder::appendQuotedJSONString(this=0x00007fffffff84a0, string=0x00007fffe9100428) at StringBuilderJSON.cpp:0 frame #5: 0x0000555557eb5890 jsc`JSC::Stringifier::appendStringifiedValue(this=0x00007fffffff85e8, builder=0x00007fffffff84a0, value=JSValue @ 0x00007fffffff8050, holder=0x00007fffffff8708, propertyName=0x00007fffffff8208) at JSONObject.cpp:411:17 frame #6: 0x0000555557eb83ff jsc`JSC::Stringifier::Holder::appendNextProperty(this=0x00007fffffff8708, stringifier=0x00007fffffff85e8, builder=0x00007fffffff84a0) at JSONObject.cpp:604:39 frame #7: 0x0000555557eb5ac7 jsc`JSC::Stringifier::appendStringifiedValue(this=0x00007fffffff85e8, builder=0x00007fffffff84a0, value=JSValue @ 0x00007fffffff8300, holder=0x00007fffffff8530, propertyName=0x00007fffffff84e0) at JSONObject.cpp:471:37 frame #8: 0x0000555557eb4929 jsc`JSC::Stringifier::stringify(globalObject=0x00007fffe903a088, value=JSValue @ r15, replacer=JSValue @ rbp, space=JSValue @ scalar) at JSONObject.cpp:305:40 frame #9: 0x0000555557ebfc35 jsc`JSC::stringify(globalObject=0x00007fffe903a088, value=JSValue @ rbp, replacer=JSValue @ r14, space=JSValue @ rbx) at JSONObject.cpp:1510:21 frame #10: 0x0000555557ec49d1 jsc`JSC::jsonProtoFuncStringify(globalObject=0x00007fffe903a088, callFrame=0x00007fffffffd3a0) at JSONObject.cpp:1879:21 frame #11: 0x00007fffa8a0c038 frame #12: 0x00007fffa8a434ad frame #13: 0x0000555556713174 jsc`llint_call_javascript + 6 frame #14: 0x000055555779e666 jsc`JSC::Interpreter::executeProgram(this=0x00007fffe94163b8, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffeb01e248) at Interpreter.cpp:1189:28 frame #15: 0x0000555557bef643 jsc`JSC::evaluate(globalObject=0x00007fffe903a088, source=0x00007fffffffdb38, thisValue=JSValue @ 0x00007fffffffd9c8, returnedException=0x00007fffffffdbf0) at Completion.cpp:138:37 frame #16: 0x0000555556424e90 jsc`int runJSC<jscmain(int, char**)::$_0>(CommandLine const&, bool, jscmain(int, char**)::$_0 const&) at jsc.cpp:3832:35 frame #17: 0x000055555642404e jsc`int runJSC<jscmain(int, char**)::$_0>(CommandLine const&, bool, jscmain(int, char**)::$_0 const&) [inlined] jscmain(this=<unavailable>, vm=<unavailable>, globalObject=0x00007fffe903a088, success=0x00007fffffffda97)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4521:13 frame #18: 0x0000555556424041 jsc`int runJSC<jscmain(int, char**)::$_0>(options=0x00005555594561b8, isWorker=false, func=<unavailable>)::$_0 const&) at jsc.cpp:4312:13 frame #19: 0x0000555556421083 jsc`jscmain(argc=2, argv=0x00007fffffffdf08) at jsc.cpp:4514:18 frame #20: 0x000055555642086c jsc`main(argc=2, argv=0x00007fffffffdf08) at jsc.cpp:3588:15 frame #21: 0x00007ffff564a510 libc.so.6`__libc_start_call_main + 128 frame #22: 0x00007ffff564a5c9 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137 frame #23: 0x0000555556402925 jsc`_start + 37