[v8-dev] [v8] r6674 committed - Fix bug in JSON.parse for objects containing "__proto__" as key....

Tue, 08 Feb 2011 03:39:30 -0800 

Revision: 6674
Author: [email protected]
Date: Tue Feb  8 03:38:15 2011
Log: Fix bug in JSON.parse for objects containing "__proto__" as key.

It added the __proto__ key as a normal key, which made it visible
in enumeration, while reading still hit the hard-coded accessor.

Review URL: http://codereview.chromium.org/6451002
http://code.google.com/p/v8/source/detail?r=6674

Modified:
 /branches/bleeding_edge/src/parser.cc
 /branches/bleeding_edge/test/mjsunit/json.js

=======================================
--- /branches/bleeding_edge/src/parser.cc       Mon Feb  7 00:57:06 2011
+++ /branches/bleeding_edge/src/parser.cc       Tue Feb  8 03:38:15 2011
@@ -4058,6 +4058,11 @@
       uint32_t index;
       if (key->AsArrayIndex(&index)) {
         SetOwnElement(json_object, index, value);
+      } else if (key->Equals(Heap::Proto_symbol())) {
+        // We can't remove the __proto__ accessor since it's hardcoded
+        // in several places. Instead go along and add the value as
+        // the prototype of the created object if possible.
+        SetPrototype(json_object, value);
       } else {
         SetLocalPropertyIgnoreAttributes(json_object, key, value, NONE);
       }
=======================================
--- /branches/bleeding_edge/test/mjsunit/json.js        Wed Dec 15 01:31:05 2010
+++ /branches/bleeding_edge/test/mjsunit/json.js        Tue Feb  8 03:38:15 2011
@@ -415,3 +415,17 @@
 falseNum.__proto__ = Number.prototype;
 falseNum.toString = function() { return 42; };
 assertEquals('"42"', JSON.stringify(falseNum));
+
+// We don't currently allow plain properties called __proto__ in JSON
+// objects in JSON.parse. Instead we read them as we would JS object
+// literals. If we change that, this test should change with it.
+//
+// Parse a non-object value as __proto__. This must not create a
+// __proto__ property different from the original, and should not
+// change the original.
+var o = JSON.parse('{"__proto__":5}');
+assertEquals(Object.prototype, o.__proto__);  // __proto__ isn't changed.
+assertEquals(0, Object.keys(o).length); // __proto__ isn't added as enumerable. 
+
+
+

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

Reply via email to