An issue about JSON.stringify

[NWU-NISL]

Version

rhino-1.7.12

Test case

var NISLFuzzingFunc=function(nislMutationParameter1){
    var a={"0":1, "1":2, "2":3, "name":4};
    var b=JSON.stringify(a, nislMutationParameter1); 
    print(b);
}; 
var nislMutationArgument1=["0", "1", "name", "name"]; 
NISLFuzzingFunc(nislMutationArgument1);

Execution steps

java -jar rhino/rhino-1.7.12.jar -debug -version 200 testcase.js

Output

 {"name":4,"name":4}

Expected behavior

{"0":1,"1":2,"name":4}

Description

The JSON.stringify(value[, replacer[, space]]) method converts a JavaScript object or value to a JSON string, optionally including only the specified properties if a replacer array is specified, and the ES standard specifies that the output attributes should not contain duplicate attributes. When executing this test case, rhino has two problems: the first is that the attribute named by numeric characters cannot be output, and the second is to repeatedly output the same attribute.

contributor： @Wen Yi

[gbrail]

By the way -- I appreciate all the tricky but important bugs you are finding. (I also appreciate @rbri for fixing them!)

Who or what is "NWU NISL?" Are you a professional, a student, a research project... I'm just curious what methodology you are using to find these.

[YiWen-y]

We are a Chinese research group, and we use fuzz testing to find bugs of JS engines.

[tom08zehn]

I found a similar problem with the replacer argument but with slightly different output.

I'm using Rhino with ES6 (language version 200) but also tested with lower version 160.

I experienced a bug in Rhino with JSON.stringify() function when you provide an array of strings as 2nd argument that is used as a whitelist for the property names that you want to keep and if the property names are numbers as strings (stringified numbers). You can see a full code example here and compare Rhino result with any other JS engine (browser):

https://js.do/code/rhino-issue-object-keys-stringnumber-keys

Summary:

var obj1 = {"2":"b","3":"c","1":"a"};
JSON.stringify(obj1, ["1","2","3"]); // returns {} in Rhino but works in JS returning {"1":"a","2":"b","3":"c"}
JSON.stringify(obj1, [1,2,3]) // returns {"1.0":"a","2":"b","3":"c"} in Rhino but works in JS returning  {"1":"a","2":"b","3":"c"}

It seems like Rhino treats object property names that are stringified numbers as float types instead of strings and as a result the comparison against an array of strings fails. In addition, a comparison against an array of integer numbers succeeds... at least almost because the result is an object having property names of type "stringified floats".

[tom08zehn]

Just figured out that the trick using an array of integers instead of an array of strings also has a bug for object property name "1" (one). As shown above this returns a stringified float.

This doesn't happen for stringified numbers other than one: JSON.stringify({"2":"b","3":"c"},[2,3]));

But anyway this trick is a no-go...