Revision: 12808
Author:   [email protected]
Date:     Wed Oct 24 08:49:59 2012
Log:      Fix stack overflow in JSON.stringify.

[email protected]
BUG=

Review URL: https://chromiumcodereview.appspot.com/11265011
http://code.google.com/p/v8/source/detail?r=12808

Modified:
 /branches/bleeding_edge/build/common.gypi
 /branches/bleeding_edge/src/json-stringifier.h
 /branches/bleeding_edge/test/mjsunit/json-recursive.js

=======================================
--- /branches/bleeding_edge/build/common.gypi   Wed Oct 24 05:38:24 2012
+++ /branches/bleeding_edge/build/common.gypi   Wed Oct 24 08:49:59 2012
@@ -180,6 +180,11 @@
         'defines': [
           'V8_TARGET_ARCH_IA32',
         ],
+        'msvs_settings': {
+          'VCLinkerTool': {
+            'StackReserveSize': '4194304',
+          },
+        },
       }],  # v8_target_arch=="ia32"
       ['v8_target_arch=="mipsel"', {
         'defines': [
@@ -246,7 +251,7 @@
         },
         'msvs_settings': {
           'VCLinkerTool': {
-            'StackReserveSize': '2097152',
+            'StackReserveSize': '8388608',
           },
         },
         'msvs_configuration_platform': 'x64',
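Review bot: The new StackReserveSize values (4194304 for ia32 in the first hunk, 8388608 for x64 here) carry no comment tying them to the serializer's kStackLimit in src/json-stringifier.h, which this same commit lowers to 4 * 1024; a later change to either side will silently break the other. A one-line comment above each setting such as `# Sized so that JSON.stringify nesting up to kStackLimit (src/json-stringifier.h) fits on the main thread stack; keep the two in sync.` would make the coupling visible. Whether the ia32 reserve actually suffices for kStackLimit nested SerializeArray frames is not something the diff shows, so that deserves a sentence in the description rather than an assumption.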
=======================================
--- /branches/bleeding_edge/src/json-stringifier.h      Tue Oct 23 05:00:42 2012
+++ /branches/bleeding_edge/src/json-stringifier.h      Wed Oct 24 08:49:59 2012
@@ -45,7 +45,7 @@
   static const int kInitialPartLength = 32;
   static const int kMaxPartLength = 16 * 1024;
   static const int kPartLengthGrowthFactor = 2;
-  static const int kStackLimit = 8 * 1024;
+  static const int kStackLimit = 4 * 1024;

   enum Result { UNCHANGED, SUCCESS, BAILOUT, CIRCULAR, STACK_OVERFLOW };

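Review bot: `kStackLimit` is halved to 4 * 1024 with no comment saying what it bounds or why 4096 is the right figure, although the value is coupled to the linker StackReserveSize settings changed in build/common.gypi in this same commit and to the 2048/4097 depths in test/mjsunit/json-recursive.js. A comment on the line would keep the next edit from drifting out of step: `// Maximum nesting depth the serializer accepts before StackPush stops recursion; sized against StackReserveSize in build/common.gypi and the depths in test/mjsunit/json-recursive.js.` The hunk does not show StackPush itself, so which Result it reports past the limit (presumably STACK_OVERFLOW, given the enum) should be confirmed before the comment names it.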
@@ -399,7 +399,8 @@
 BasicJsonStringifier::Result BasicJsonStringifier::SerializeArray(
     Handle<JSArray> object) {
   HandleScope handle_scope(isolate_);
-  if (StackPush(object) == CIRCULAR) return CIRCULAR;
+  Result stack_push = StackPush(object);
+  if (stack_push != SUCCESS) return stack_push;
   int length = Smi::cast(object->length())->value();
   Append('[');
   switch (object->GetElementsKind()) {
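Review bot: SerializeArray now propagates every non-SUCCESS result from StackPush, but the hunk does not show whether the object-serialization path (the counterpart exercised by the new deepObject case in json-recursive.js) still uses the old `== CIRCULAR` comparison; if it does, a STACK_OVERFLOW there falls through and serialization continues into the very overflow the commit is fixing. Worth confirming that every StackPush caller uses the `if (stack_push != SUCCESS) return stack_push;` form rather than only this one. SerializeArray's body continues past the end of the hunk.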
=======================================
--- /branches/bleeding_edge/test/mjsunit/json-recursive.js Mon Oct 22 07:22:58 2012
+++ /branches/bleeding_edge/test/mjsunit/json-recursive.js Wed Oct 24 08:49:59 2012
@@ -38,7 +38,19 @@
   rec(a,b,c,d,e,f,g,h,i,j,k,l,m,n);
 }

-assertThrows(
-    function() { rec(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4) },
-    RangeError);
+assertThrows(function() { rec(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4) },
+             RangeError);

+
+var deepArray = [];
+for (var i = 0; i < 2048; i++) deepArray = [deepArray];
+JSON.stringify(deepArray);
+for (var i = 2048; i < 4097; i++) deepArray = [deepArray];
+assertThrows(function() { JSON.stringify(deepArray); }, RangeError);
+
+
+var deepObject = {};
+for (var i = 0; i < 2048; i++) deepObject = { next: deepObject };
+JSON.stringify(deepObject);
+for (var i = 2048; i < 4097; i++) deepObject = { next: deepObject };
+assertThrows(function() { JSON.stringify(deepObject); }, RangeError);
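Review bot: The depths 2048 and 4097 in the two deepArray loops and the two deepObject loops are magic numbers that mirror `kStackLimit = 4 * 1024` in src/json-stringifier.h; that the second bound is 4097 rather than 4096 (one level past the limit) cannot be checked without opening that file. Declare it once, `var kStackLimit = 4096;  // must match kStackLimit in src/json-stringifier.h`, and derive the loop bounds from it (`kStackLimit / 2` for the passing depth, `kStackLimit + 1` for the throwing one) so the coupling is explicit in both files. The same applies to the deepObject block below the array one.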
