RESOLVED FIXED
299452
[JSC] Stack overflow with destructor chain after JSON.parse with deeply nested JSON
https://bugs.webkit.org/show_bug.cgi?id=299452
Anthony Tarbinian
Reported
2025-09-24 10:46:11 PDT
rdar://158627869
When calling JSON.parse with a reviver function (https://tc39.es/ecma262/multipage/structured-data.html#sec-json.parse) passed in, a deeply nested JSON object (about 6000 levels deep) will trigger a stack overflow. This is due to the destructor for the `ranges` variable being invoked when it goes out of scope at the end of the `jsonParseSlow` function in JSONObject.cpp (https://searchfox.org/wubkat/source/Source/JavaScriptCore/runtime/JSONObject.cpp#1814-1844). The actual contents of the reviver function are not significant. The bug still reproduces with a reviver function which leaves the values unchanged. However, a reviver function does need to be passed in to take the code path for `jsonParseSlow` (https://searchfox.org/wubkat/source/Source/JavaScriptCore/runtime/JSONObject.cpp#1856-1861).
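The failure mode the report describes, as an added illustration that is not part of this bug or of WebKit's code: a hypothetical `Node` chain whose default destructor recurses one frame per nesting level, next to an iterative teardown that detaches each level before freeing it. The type, the frame counters and the function names are assumptions for the example; they are not the `ranges` type from JSONObject.cpp.

```cpp
#include <cstddef>
#include <memory>
static size_t g_liveDestructorFrames = 0; // ~Node frames currently on the stack
static size_t g_maxDestructorFrames = 0;  // deepest nesting observed so far
// Hypothetical nested node type standing in for a deeply nested parse result;
// the real `ranges` type in JSONObject.cpp is not shown on this bug page.
struct Node {
    std::unique_ptr<Node> child;
    ~Node() {
        ++g_liveDestructorFrames;
        if (g_liveDestructorFrames > g_maxDestructorFrames)
            g_maxDestructorFrames = g_liveDestructorFrames;
        child.reset(); // one more frame per remaining level unless the child was detached
        --g_liveDestructorFrames;
    }
};

// Build a chain `depth` levels deep (root -> child -> child -> ...), iteratively.
std::unique_ptr<Node> buildChain(size_t depth) {
    std::unique_ptr<Node> root;
    for (size_t i = 0; i < depth; ++i) {
        auto node = std::make_unique<Node>();
        node->child = std::move(root);
        root = std::move(node);
    }
    return root;
}
// Mitigation: unlink each level before freeing it, so every ~Node call is shallow.
// Returns the number of nodes released.
size_t destroyIteratively(std::unique_ptr<Node> root) {
    size_t released = 0;
    while (root) {
        std::unique_ptr<Node> next = std::move(root->child); // detach the child first
        root = std::move(next); // frees the old root; its child is already null
        ++released;
    }
    return released;
}
// Deepest destructor nesting reached while tearing down a `depth`-level chain:
// equals `depth` when the chain is simply dropped, 1 with the iterative teardown.
size_t maxDestructorFrames(size_t depth, bool iterative) {
    g_maxDestructorFrames = 0;
    std::unique_ptr<Node> chain = buildChain(depth);
    if (iterative)
        destroyIteratively(std::move(chain));
    else
        chain.reset(); // default recursive destruction, one frame per level
    return g_maxDestructorFrames;
}
```

With a real parser the recursive path is what exhausts the stack at a few thousand levels; the iterative teardown keeps destructor nesting constant regardless of input depth.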
Anthony Tarbinian
Comment 1
2025-09-24 12:24:19 PDT
Pull request: https://github.com/apple/WebKit/pull/3705
Anthony Tarbinian
Comment 2
2025-09-24 14:05:20 PDT
Pull request: https://github.com/WebKit/WebKit/pull/51282
EWS
Comment 3
2025-10-06 16:48:36 PDT
Committed 301098@main (06f13ed8ff16): <https://commits.webkit.org/301098@main>
Reviewed commits have been landed. Closing PR #51282 and removing active labels.