Reviewers: Toon Verwaest,
Description:
Fix stack overflow in JSON.stringify.
[email protected]
BUG=
Please review this at https://chromiumcodereview.appspot.com/11265011/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M build/common.gypi
M src/json-stringifier.h
M test/mjsunit/json-recursive.js
Index: build/common.gypi
diff --git a/build/common.gypi b/build/common.gypi
index
97f0aae6643802f34858d812baea4ee4df89f178..e0564989e62014dd62072f10b746fee942a02f4e
100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -180,6 +180,11 @@
'defines': [
'V8_TARGET_ARCH_IA32',
],
+ 'msvs_settings': {
+ 'VCLinkerTool': {
+ 'StackReserveSize': '4194304',
+ },
+ },
}], # v8_target_arch=="ia32"
['v8_target_arch=="mipsel"', {
'defines': [
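Review bot: The 4 MB StackReserveSize added here (and the 2 MB to 8 MB bump for x64 in the next hunk) applies only to MSVC links and only to the thread the linker sizes, yet the new kStackLimit of 4 * 1024 in src/json-stringifier.h is presumably chosen against it — roughly 1 KB of native stack per nesting level on ia32 and 2 KB on x64 — and nothing records that coupling. Add a comment beside the new setting, e.g. `# JSON.stringify recurses up to kStackLimit (src/json-stringifier.h) levels; keep this large enough for that on ia32.`, so the two numbers are not changed independently. Non-MSVC toolchains keep their default stack, so the limit has to hold under gcc/clang builds as well. The enclosing conditions list starts before this hunk.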
@@ -246,7 +251,7 @@
},
'msvs_settings': {
'VCLinkerTool': {
- 'StackReserveSize': '2097152',
+ 'StackReserveSize': '8388608',
},
},
'msvs_configuration_platform': 'x64',
Index: src/json-stringifier.h
diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index
4b9b0b6be9baabb8b3c30e9e6ecac98f23fcf5f7..3f59ca2f63abf68e05bb53f24f24fbbaf595aa26
100644
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -45,7 +45,7 @@ class BasicJsonStringifier BASE_EMBEDDED {
static const int kInitialPartLength = 32;
static const int kMaxPartLength = 16 * 1024;
static const int kPartLengthGrowthFactor = 2;
- static const int kStackLimit = 8 * 1024;
+ static const int kStackLimit = 4 * 1024;
enum Result { UNCHANGED, SUCCESS, BAILOUT, CIRCULAR, STACK_OVERFLOW };
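Review bot: `kStackLimit = 4 * 1024` remains a bare constant with no indication of its unit (nesting levels, judging by the 2048/4097 depths in the new mjsunit test) or of what it is sized against, so a later change to either this value or the MSVC StackReserveSize in build/common.gypi can silently reopen the native stack overflow this change fixes. Suggest `// Maximum nesting depth before StackPush() presumably reports STACK_OVERFLOW; sized so one native frame per level fits in the smallest stack reserve we link with (see StackReserveSize in build/common.gypi).` above the declaration. The class body continues outside the hunk.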
@@ -399,7 +399,8 @@ BasicJsonStringifier::Result
BasicJsonStringifier::SerializeDouble(
BasicJsonStringifier::Result BasicJsonStringifier::SerializeArray(
Handle<JSArray> object) {
HandleScope handle_scope(isolate_);
- if (StackPush(object) == CIRCULAR) return CIRCULAR;
+ Result stack_push = StackPush(object);
+ if (stack_push != SUCCESS) return stack_push;
int length = Smi::cast(object->length())->value();
Append('[');
switch (object->GetElementsKind()) {
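Review bot: Returning every non-SUCCESS result from StackPush() is the right fix here: the old `== CIRCULAR` test discarded a STACK_OVERFLOW result and kept recursing until the native stack was exhausted. Only SerializeArray is touched in this diff, so if SerializeObject or any other StackPush() caller still compares against CIRCULAR alone it has the same hole and needs the same two lines — worth checking before landing. A short `// Propagate STACK_OVERFLOW as well as CIRCULAR; ignoring it overflows the native stack.` on the new check would keep the distinction from being lost again. SerializeArray's body continues beyond the hunk.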
Index: test/mjsunit/json-recursive.js
diff --git a/test/mjsunit/json-recursive.js b/test/mjsunit/json-recursive.js
index
f28cce8139f917aec17e54dc62916274b08ed3f6..7c7b1465cca86e7491e0258b08ff0aa6fcdcea03
100644
--- a/test/mjsunit/json-recursive.js
+++ b/test/mjsunit/json-recursive.js
@@ -38,7 +38,19 @@ function rec(a,b,c,d,e,f,g,h,i,j,k,l,m,n) {
rec(a,b,c,d,e,f,g,h,i,j,k,l,m,n);
}
-assertThrows(
- function() { rec(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4) },
- RangeError);
+assertThrows(function() { rec(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4) },
+ RangeError);
+
+var deepArray = [];
+for (var i = 0; i < 2048; i++) deepArray = [deepArray];
+JSON.stringify(deepArray);
+for (var i = 2048; i < 4097; i++) deepArray = [deepArray];
+assertThrows(function() { JSON.stringify(deepArray); }, RangeError);
+
+
+var deepObject = {};
+for (var i = 0; i < 2048; i++) deepObject = { next: deepObject };
+JSON.stringify(deepObject);
+for (var i = 2048; i < 4097; i++) deepObject = { next: deepObject };
+assertThrows(function() { JSON.stringify(deepObject); }, RangeError);
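Review bot: The depths 2048 and 4097 are unexplained magic numbers that mirror kStackLimit = 4 * 1024 in src/json-stringifier.h; a one-line comment such as `// kStackLimit is 4096: depth 2048 must serialize, depth 4097 must throw RangeError.` would tie them together. The two bare `JSON.stringify` calls at depth 2048 express "must not throw" only implicitly; wrapping each in mjsunit's `assertDoesNotThrow(function() { JSON.stringify(deepArray); });` makes the intent visible in the failure output. Since the depth-2048 case must also fit in the native stack on the smallest-stack bot, it is effectively coupled to the StackReserveSize values in build/common.gypi. The function rec shown as context starts outside the hunk.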