RESOLVED FIXED 289232
JavaScriptCore crash in WTF::StringBuilder::appendQuotedJSONString.
https://bugs.webkit.org/show_bug.cgi?id=289232
Summary JavaScriptCore crash in WTF::StringBuilder::appendQuotedJSONString.
EntryHi
Reported 2025-03-06 03:50:37 PST
Hello, I found a crash in JSC.

==============poc.js=============
var a = [];
var str = "a";
for (var i = 0; i < 8; i++) {
    str += str;
    str += String.fromCharCode(i, i) + str.trimLeft();
}
print(str)
for (var i = 0; i < 10000; i++) {
    a.push(str);
}
json1 = JSON.stringify(a);
===============================

Run args:
./jsc poc.js

Result:
/usr/lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/span:321: span<element_type, dynamic_extent> std::span<unsigned char>::first(size_type) const [_Type = unsigned char, _Extent = 18446744073709551615]: Assertion '__count <= size()' failed.

Stack:
* thread #1, name = 'jsc', stop reason = signal SIGABRT
    frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268
libc.so.6`__pthread_kill_implementation:
->  0x7ffff56afe5c <+268>: movl   %eax, %ebp
    0x7ffff56afe5e <+270>: negl   %ebp
    0x7ffff56afe60 <+272>: cmpl   $0xfffff000, %eax         ; imm = 0xFFFFF000
    0x7ffff56afe65 <+277>: movl   $0x0, %eax
(lldb) bt
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268
    frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22
    frame #2: 0x00007ffff56497fc libc.so.6`abort + 215
    frame #3: 0x00007ffff58d7e80 libstdc++.so.6`std::__glibcxx_assert_fail(char const*, int, char const*, char const*) + 96
    frame #4: 0x0000555558a0ef4f jsc`WTF::StringBuilder::appendQuotedJSONString(this=0x00007fffffff84a0, string=0x00007fffe9100428) at StringBuilderJSON.cpp:0
    frame #5: 0x0000555557eb5890 jsc`JSC::Stringifier::appendStringifiedValue(this=0x00007fffffff85e8, builder=0x00007fffffff84a0, value=JSValue @ 0x00007fffffff8050, holder=0x00007fffffff8708, propertyName=0x00007fffffff8208) at JSONObject.cpp:411:17
    frame #6: 0x0000555557eb83ff jsc`JSC::Stringifier::Holder::appendNextProperty(this=0x00007fffffff8708, stringifier=0x00007fffffff85e8, builder=0x00007fffffff84a0) at JSONObject.cpp:604:39
    frame #7: 0x0000555557eb5ac7 jsc`JSC::Stringifier::appendStringifiedValue(this=0x00007fffffff85e8, builder=0x00007fffffff84a0, value=JSValue @ 0x00007fffffff8300, holder=0x00007fffffff8530, propertyName=0x00007fffffff84e0) at JSONObject.cpp:471:37
    frame #8: 0x0000555557eb4929 jsc`JSC::Stringifier::stringify(globalObject=0x00007fffe903a088, value=JSValue @ r15, replacer=JSValue @ rbp, space=JSValue @ scalar) at JSONObject.cpp:305:40
    frame #9: 0x0000555557ebfc35 jsc`JSC::stringify(globalObject=0x00007fffe903a088, value=JSValue @ rbp, replacer=JSValue @ r14, space=JSValue @ rbx) at JSONObject.cpp:1510:21
    frame #10: 0x0000555557ec49d1 jsc`JSC::jsonProtoFuncStringify(globalObject=0x00007fffe903a088, callFrame=0x00007fffffffd3a0) at JSONObject.cpp:1879:21
    frame #11: 0x00007fffa8a0c038
    frame #12: 0x00007fffa8a434ad
    frame #13: 0x0000555556713174 jsc`llint_call_javascript + 6
    frame #14: 0x000055555779e666 jsc`JSC::Interpreter::executeProgram(this=0x00007fffe94163b8, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffeb01e248) at Interpreter.cpp:1189:28
    frame #15: 0x0000555557bef643 jsc`JSC::evaluate(globalObject=0x00007fffe903a088, source=0x00007fffffffdb38, thisValue=JSValue @ 0x00007fffffffd9c8, returnedException=0x00007fffffffdbf0) at Completion.cpp:138:37
    frame #16: 0x0000555556424e90 jsc`int runJSC<jscmain(int, char**)::$_0>(CommandLine const&, bool, jscmain(int, char**)::$_0 const&) at jsc.cpp:3832:35
    frame #17: 0x000055555642404e jsc`int runJSC<jscmain(int, char**)::$_0>(CommandLine const&, bool, jscmain(int, char**)::$_0 const&) [inlined] jscmain(this=<unavailable>, vm=<unavailable>, globalObject=0x00007fffe903a088, success=0x00007fffffffda97)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4521:13
    frame #18: 0x0000555556424041 jsc`int runJSC<jscmain(int, char**)::$_0>(options=0x00005555594561b8, isWorker=false, func=<unavailable>)::$_0 const&) at jsc.cpp:4312:13
    frame #19: 0x0000555556421083 jsc`jscmain(argc=2, argv=0x00007fffffffdf08) at jsc.cpp:4514:18
    frame #20: 0x000055555642086c jsc`main(argc=2, argv=0x00007fffffffdf08) at jsc.cpp:3588:15
    frame #21: 0x00007ffff564a510 libc.so.6`__libc_start_call_main + 128
    frame #22: 0x00007ffff564a5c9 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137
    frame #23: 0x0000555556402925 jsc`_start + 37
Radar WebKit Bug Importer
Comment 1 2025-03-13 04:51:13 PDT
Mark Lam
Comment 2 2025-03-13 19:50:03 PDT
EWS
Comment 3 2025-03-14 10:08:17 PDT
Committed 292170@main (5deaf3ecdf97): <https://commits.webkit.org/292170@main> Reviewed commits have been landed. Closing PR #42459 and removing active labels.