[json] detect overflow sooner when serializing large sparse array.

R=mlippautz@chromium.org, yukishiino@chromium.org
BUG=chromium:617649

Review-Url: https://codereview.chromium.org/2069563002
Cr-Commit-Position: refs/heads/master@{#36961}

src/json-stringifier.cc

@@ -478,6 +478,12 @@ JsonStringifier::Result JsonStringifier::SerializeJSArray(
 
 JsonStringifier::Result JsonStringifier::SerializeArrayLikeSlow(
     Handle<JSReceiver> object, uint32_t start, uint32_t length) {
+  // We need to write out at least two characters per array element.
+  static const int kMaxSerializableArrayLength = String::kMaxLength / 2;
+  if (length > kMaxSerializableArrayLength) {
+    isolate_->Throw(*isolate_->factory()->NewInvalidStringLengthError());
+    return EXCEPTION;
+  }
   for (uint32_t i = start; i < length; i++) {
     Separator(i == 0);
     Handle<Object> element;
@@ -487,6 +493,8 @@ JsonStringifier::Result JsonStringifier::SerializeArrayLikeSlow(
     Result result = SerializeElement(isolate_, element, i);
     if (result == SUCCESS) continue;
     if (result == UNCHANGED) {
+      // Detect overflow sooner for large sparse arrays.
+      if (builder_.HasOverflowed()) return EXCEPTION;
       builder_.AppendCString("null");
     } else {
       return result;

src/string-builder.h

@@ -309,6 +309,8 @@ class IncrementalStringBuilder {
 
   MaybeHandle<String> Finish();
 
+  INLINE(bool HasOverflowed()) const { return overflowed_; }
+
   // Change encoding to two-byte.
   void ChangeEncoding() {
     DCHECK_EQ(String::ONE_BYTE_ENCODING, encoding_);