Revision: 12816
Author: [email protected]
Date: Thu Oct 25 05:36:40 2012
Log: Catch stack overflow in JSON.parse.
BUG=
Review URL: https://chromiumcodereview.appspot.com/11275039
http://code.google.com/p/v8/source/detail?r=12816
Modified:
/branches/bleeding_edge/src/json-parser.h
/branches/bleeding_edge/test/mjsunit/json-recursive.js
=======================================
--- /branches/bleeding_edge/src/json-parser.h Thu Oct 25 04:52:37 2012
+++ /branches/bleeding_edge/src/json-parser.h Thu Oct 25 05:36:40 2012
@@ -195,8 +195,10 @@
AdvanceSkipWhitespace();
Handle<Object> result = ParseJsonValue();
if (result.is_null() || c0_ != kEndOfString) {
+ // Some exception (for example stack overflow) is already pending.
+ if (isolate_->has_pending_exception()) return Handle<Object>::null();
+
// Parse failed. Current character is the unexpected token.
-
const char* message;
Factory* factory = this->factory();
Handle<JSArray> array;
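Review bot: The early return on `isolate_->has_pending_exception()` assumes that any pending exception was raised by this parse. If an exception could already be pending when the function is entered, a genuine syntax error would be reported as that stale exception and no SyntaxError would be built. An `ASSERT(!isolate_->has_pending_exception());` before the `ParseJsonValue()` call would state the precondition, assuming callers never enter with one pending. The enclosing function starts and ends outside this hunk, so the entry conditions cannot be confirmed from here.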
@@ -247,6 +249,12 @@
// Parse any JSON value.
template <bool seq_ascii>
Handle<Object> JsonParser<seq_ascii>::ParseJsonValue() {
+ StackLimitCheck stack_check(isolate_);
+ if (stack_check.HasOverflowed()) {
+ isolate_->StackOverflow();
+ return Handle<Object>::null();
+ }
+
if (c0_ == '"') return ParseJsonString();
if ((c0_ >= '0' && c0_ <= '9') || c0_ == '-') return ParseJsonNumber();
if (c0_ == '{') return ParseJsonObject();
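Review bot: The stack check added at the top of `ParseJsonValue` has no comment explaining why it sits here, and the reason is easy to lose in later refactoring. I would add `// Recursion depth follows the nesting of the input, so check the stack limit on every level instead of overrunning the native stack.` above the `StackLimitCheck` line. The check covers every nesting level only if the object and array parsers always recurse through `ParseJsonValue`. That looks likely from the dispatch on `'{'` but should be confirmed, since the function body continues outside the hunk.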
=======================================
--- /branches/bleeding_edge/test/mjsunit/json-recursive.js Thu Oct 25
05:18:24 2012
+++ /branches/bleeding_edge/test/mjsunit/json-recursive.js Thu Oct 25
05:36:40 2012
@@ -56,3 +56,11 @@
JSON.stringify(deepObject);
for (var i = depth1; i < depth2; i++) deepObject = { next: deepObject };
assertThrows(function() { JSON.stringify(deepObject); }, RangeError);
+
+
+var str = "[1]";
+for (var i = 0; i < 100000; i++) {
+ str = "[1," + str + "]";
+}
+
+assertThrows(function() { JSON.parse(str); }, RangeError);
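Review bot: The new regression case nests only arrays, so the `'{'` branch that dispatches to `ParseJsonObject` is not exercised at depth. A second loop building `str = '{"a":' + str + '}'` followed by the same `assertThrows(function() { JSON.parse(str); }, RangeError);` would cover that path too. The fixed depth of 100000 also assumes the configured stack is small enough to overflow. A short comment giving that assumption would help if the test starts failing under a larger stack limit.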