[v8-dev] Version 3.27.34.21 (merged r24125) (issue 600733003 by [email protected])

Wed, 24 Sep 2014 00:37:46 -0700 

Reviewers: Toon Verwaest,

Description:
Version 3.27.34.21 (merged r24125)

Fix escaped index JSON parsing

BUG=416449
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/600733003/

SVN Base: https://v8.googlecode.com/svn/branches/3.27

Affected files (+5, -6 lines):
  M src/json-parser.h
  M src/objects.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-json-parse-index.js


Index: src/json-parser.h
diff --git a/src/json-parser.h b/src/json-parser.h
index 60855a0a801f5c38d683ae442520ed046d79f83f..59b128125b023daecb55d73cac52a73eaa8a5d40 100644 
--- a/src/json-parser.h
+++ b/src/json-parser.h
@@ -426,8 +426,7 @@ Handle<Object> JsonParser<seq_ascii>::ParseJsonObject() { 
         if (value.is_null()) return ReportUnexpectedCharacter();
       }

-      JSObject::SetOwnPropertyIgnoreAttributes(
-          json_object, key, value, NONE).Assert();
+      Runtime::DefineObjectProperty(json_object, key, value, NONE).Check();
     } while (MatchSkipWhiteSpace(','));
     if (c0_ != '}') {
       return ReportUnexpectedCharacter();
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 70d731ca290ef6f69c065aa9c6c150e5b893deeb..1cfaba07a802a18d56efda1f2f9d8d9bf77b08f0 100644 
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -699,7 +699,7 @@ void JSObject::SetNormalizedProperty(Handle<JSObject> object, 
                                      Handle<Name> name,
                                      Handle<Object> value,
                                      PropertyDetails details) {
-  ASSERT(!object->HasFastProperties());
+  CHECK(!object->HasFastProperties());
Handle<NameDictionary> property_dictionary(object->property_dictionary()); 

   if (!name->IsUniqueName()) {
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index f9ef5eef66b96300aa958b53c83988730a9fc256..cbbc34ce62ce040e31fd6bd9d08a4f346f1e8d69 100644 
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     27
 #define BUILD_NUMBER      34
-#define PATCH_LEVEL       20
+#define PATCH_LEVEL       21
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-json-parse-index.js
diff --git a/test/mjsunit/regress/regress-crbug-351262.js b/test/mjsunit/regress/regress-json-parse-index.js 
similarity index 72%
copy from test/mjsunit/regress/regress-crbug-351262.js
copy to test/mjsunit/regress/regress-json-parse-index.js
index a2f4eadc0de5c2bd7d27f6e78ff9940fce7b0f85..d1a785aaf1ef35714d5702be15cff74bfaa73521 100644 
--- a/test/mjsunit/regress/regress-crbug-351262.js
+++ b/test/mjsunit/regress/regress-json-parse-index.js
@@ -2,5 +2,5 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-for (var x in this) {};
-JSON.stringify(this);
+var o = JSON.parse('{"\\u0030":100}');
+assertEquals(100, o[0]);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to