fix(json): JSON.parse reviver on a lazy-tape array no longer SIGSEGVs (#1424)#1447
Merged
Conversation
…#1424) apply_reviver walked the parsed value as an ArrayHeader, reading length/capacity/element f64s directly off the pointer. Under PERRY_JSON_TAPE the top-level array is a LazyArrayHeader with a different layout, so the walk read garbage and crashed (exit 139) before any console.log fired, and the reviver never ran on the elements. Materialize a lazy array (force_materialize_lazy) at the top of apply_reviver so the in-place element walk + write-backs operate on a real ArrayHeader, and the caller receives the materialized array. Flips test_json_lazy_reviver to PASS in both default and PERRY_JSON_TAPE=1 modes (301 reviver calls, matching Node).
proggeramlug
added a commit
that referenced
this pull request
May 23, 2026
…es (#1458) Rolls up 22 PRs that merged to main post-v0.5.1025 without per-PR version bumps. - node:timers epic (#1213, 6 PRs #1449-#1455): node:timers/promises setTimeout/setImmediate, numeric-id clear*, namespace import, ref() typeof, Symbol.dispose, global setImmediate/clearImmediate. - node:perf_hooks fan-out (10 PRs across #1320 #1327 #1337-#1340 #1388-#1390 #1403): typeof methods, performance singleton identity, nodeTiming, toJSON, clearResourceTimings, structured-clone detail, observer arg + buffered + throw cases. - node:json lazy-tape closes #1424 (#1447) — JSON.parse reviver on lazy-tape arrays no longer SIGSEGVs (test un-skip-listed). - #1448 console.log/util.inspect on lazy-tape arrays materialises before formatting. - #1429 GC unsafe-zone guards for fastify/hyper handlers. - #1341 codegen: Any-typed .includes()/.indexOf() dynamic dispatch. - #1370 perry/ui web driver debug noise dropped. #1423 (AsyncLocalStorage .enterWith/.exit) remains skip-listed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
JSON.parse(blob, reviver)on a large top-level array crashed with SIGSEGV (exit 139, zero output) under the lazy-tape path (PERRY_JSON_TAPE=1, and the default for this shape), and the reviver was never invoked on the elements (#1424).apply_reviverwalks the parsed value as anArrayHeader, readinglength/capacity/element f64s directly off the pointer. ALazyArrayHeaderhas a different layout, so those reads returned garbage → out-of-bounds element access → crash. Fix: materialize a lazy array viaforce_materialize_lazyat the top ofapply_reviver(mirroring the stringify path'sredirect_lazy_to_materialized, but forcing materialization since nothing has indexed the array yet), so the in-place element walk + write-backs operate on a realArrayHeaderand the caller receives the materialized array.Test
Flips
test_json_lazy_reviverto PASS in both default andPERRY_JSON_TAPE=1modes:JSON parity sweep clean in the default (CI) config: 18 pass, 0 fail.
Closes #1424.