Revision: 12871
Author: mstarzin
...@chromium.org
Date: Tue Nov 6 06:40:34 2012
Log: Merged r12816, r12826, r12830 into 3.14 branch.
Catch stack overflow in JSON.parse.
Fix ugly typo in GenerateNewNonStrictFast.
Treat leading zeros in JSON.parse correctly.
R=yang...@chromium.org
BUG=chromium:157520,chromium:158185
Review URL: https://codereview.chromium.org/11362114
http://code.google.com/p/v8/source/detail?r=12871
Added:
/branches/3.14/test/mjsunit/regress/regress-crbug-157520.js
/branches/3.14/test/mjsunit/regress/regress-crbug-158185.js
Modified:
/branches/3.14/src/ia32/code-stubs-ia32.cc
/branches/3.14/src/json-parser.h
/branches/3.14/src/version.cc
/branches/3.14/src/x64/code-stubs-x64.cc
=======================================
--- /dev/null
+++ /branches/3.14/test/mjsunit/regress/regress-crbug-157520.js Tue Nov 6
06:40:34 2012
@@ -0,0 +1,38 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --nocrankshaft
+
+(function(){
+ var f = function(arg) {
+ arg = 2;
+ return arguments[0];
+ };
+ for (var i = 0; i < 50000; i++) {
+ assertSame(2, f(1));
+ }
+})();
=======================================
--- /dev/null
+++ /branches/3.14/test/mjsunit/regress/regress-crbug-158185.js Tue Nov 6
06:40:34 2012
@@ -0,0 +1,38 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+assertEquals("0023456",
+ Object.keys(JSON.parse('{"0023456": 1}'))[0]);
+assertEquals("1234567890123",
+ Object.keys(JSON.parse('{"1234567890123": 1}'))[0]);
+assertEquals("123456789ABCD",
+ Object.keys(JSON.parse('{"123456789ABCD": 1}'))[0]);
+assertEquals("12A",
+ Object.keys(JSON.parse('{"12A": 1}'))[0]);
+
+assertEquals(1, JSON.parse('{"0":1}')[0]);
+assertEquals(undefined, JSON.parse('{"00":1}')[0]);
=======================================
--- /branches/3.14/src/ia32/code-stubs-ia32.cc Mon Oct 15 04:51:39 2012
+++ /branches/3.14/src/ia32/code-stubs-ia32.cc Tue Nov 6 06:40:34 2012
@@ -3593,7 +3593,7 @@
__ bind(&runtime);
__ pop(eax); // Remove saved parameter count.
__ mov(Operand(esp, 1 * kPointerSize), ecx); // Patch argument count.
- __ TailCallRuntime(Runtime::kNewStrictArgumentsFast, 3, 1);
+ __ TailCallRuntime(Runtime::kNewArgumentsFast, 3, 1);
}
=======================================
--- /branches/3.14/src/json-parser.h Mon Oct 22 06:09:53 2012
+++ /branches/3.14/src/json-parser.h Tue Nov 6 06:40:34 2012
@@ -192,8 +192,10 @@
AdvanceSkipWhitespace();
Handle<Object> result = ParseJsonValue();
if (result.is_null() || c0_ != kEndOfString) {
+ // Some exception (for example stack overflow) is already pending.
+ if (isolate_->has_pending_exception()) return Handle<Object>::null();
+
// Parse failed. Current character is the unexpected token.
-
const char* message;
Factory* factory = this->factory();
Handle<JSArray> array;
@@ -244,6 +246,12 @@
// Parse any JSON value.
template <bool seq_ascii>
Handle<Object> JsonParser<seq_ascii>::ParseJsonValue() {
+ StackLimitCheck stack_check(isolate_);
+ if (stack_check.HasOverflowed()) {
+ isolate_->StackOverflow();
+ return Handle<Object>::null();
+ }
+
if (c0_ == '"') return ParseJsonString();
if ((c0_ >= '0' && c0_ <= '9') || c0_ == '-') return ParseJsonNumber();
if (c0_ == '{') return ParseJsonObject();
@@ -293,45 +301,56 @@
Advance();
uint32_t index = 0;
- while (c0_ >= '0' && c0_ <= '9') {
- int d = c0_ - '0';
- if (index > 429496729U - ((d > 5) ? 1 : 0)) break;
- index = (index * 10) + d;
- Advance();
- }
+ if (c0_ >= '0' && c0_ <= '9') {
+ // Maybe an array index, try to parse it.
+ if (c0_ == '0') {
+ // With a leading zero, the string has to be "0" only to be an
index.
+ Advance();
+ } else {
+ do {
+ int d = c0_ - '0';
+ if (index > 429496729U - ((d > 5) ? 1 : 0)) break;
+ index = (index * 10) + d;
+ Advance();
+ } while (c0_ >= '0' && c0_ <= '9');
+ }
- if (position_ != start_position + 1 && c0_ == '"') {
- AdvanceSkipWhitespace();
+ if (c0_ == '"') {
+ // Successfully parsed index, parse and store element.
+ AdvanceSkipWhitespace();
- if (c0_ != ':') return ReportUnexpectedCharacter();
- AdvanceSkipWhitespace();
- Handle<Object> value = ParseJsonValue();
- if (value.is_null()) return ReportUnexpectedCharacter();
+ if (c0_ != ':') return ReportUnexpectedCharacter();
+ AdvanceSkipWhitespace();
+ Handle<Object> value = ParseJsonValue();
+ if (value.is_null()) return ReportUnexpectedCharacter();
+
+ JSObject::SetOwnElement(json_object, index, value,
kNonStrictMode);
+ continue;
+ }
+ // Not an index, fallback to the slow path.
+ }
- JSObject::SetOwnElement(json_object, index, value, kNonStrictMode);
- } else {
- position_ = start_position;
+ position_ = start_position;
#ifdef DEBUG
- c0_ = '"';
+ c0_ = '"';
#endif
- Handle<String> key = ParseJsonSymbol();
- if (key.is_null() || c0_ != ':') return
ReportUnexpectedCharacter();
+ Handle<String> key = ParseJsonSymbol();
+ if (key.is_null() || c0_ != ':') return ReportUnexpectedCharacter();
- AdvanceSkipWhitespace();
- Handle<Object> value = ParseJsonValue();
- if (value.is_null()) return ReportUnexpectedCharacter();
+ AdvanceSkipWhitespace();
+ Handle<Object> value = ParseJsonValue();
+ if (value.is_null()) return ReportUnexpectedCharacter();
- if (key->Equals(isolate()->heap()->Proto_symbol())) {
- prototype = value;
+ if (key->Equals(isolate()->heap()->Proto_symbol())) {
+ prototype = value;
+ } else {
+ if (JSObject::TryTransitionToField(json_object, key)) {
+ int index = json_object->LastAddedFieldIndex();
+ json_object->FastPropertyAtPut(index, *value);
} else {
- if (JSObject::TryTransitionToField(json_object, key)) {
- int index = json_object->LastAddedFieldIndex();
- json_object->FastPropertyAtPut(index, *value);
- } else {
- JSObject::SetLocalPropertyIgnoreAttributes(
- json_object, key, value, NONE);
- }
+ JSObject::SetLocalPropertyIgnoreAttributes(
+ json_object, key, value, NONE);
}
}
} while (MatchSkipWhiteSpace(','));
=======================================
--- /branches/3.14/src/version.cc Mon Oct 22 06:09:53 2012
+++ /branches/3.14/src/version.cc Tue Nov 6 06:40:34 2012
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 14
#define BUILD_NUMBER 5
-#define PATCH_LEVEL 0
+#define PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
=======================================
--- /branches/3.14/src/x64/code-stubs-x64.cc Mon Oct 15 04:51:39 2012
+++ /branches/3.14/src/x64/code-stubs-x64.cc Tue Nov 6 06:40:34 2012
@@ -2604,7 +2604,7 @@
__ bind(&runtime);
__ Integer32ToSmi(rcx, rcx);
__ movq(Operand(rsp, 1 * kPointerSize), rcx); // Patch argument count.
- __ TailCallRuntime(Runtime::kNewStrictArgumentsFast, 3, 1);
+ __ TailCallRuntime(Runtime::kNewArgumentsFast, 3, 1);
}
