Fix bug in JSON.parse for objects containing "__proto__" as key.

It added the __proto__ key as a normal key, which made it visible
in enumeration, while reading still hit the hard-coded accessor.

Review URL: http://codereview.chromium.org/6451002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6674 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/parser.cc

@@ -4058,6 +4058,11 @@ Handle<Object> JsonParser::ParseJsonObject() {
       uint32_t index;
       if (key->AsArrayIndex(&index)) {
         SetOwnElement(json_object, index, value);
+      } else if (key->Equals(Heap::Proto_symbol())) {
+        // We can't remove the __proto__ accessor since it's hardcoded
+        // in several places. Instead go along and add the value as
+        // the prototype of the created object if possible.
+        SetPrototype(json_object, value);
       } else {
         SetLocalPropertyIgnoreAttributes(json_object, key, value, NONE);
       }

test/mjsunit/json.js

@@ -415,3 +415,17 @@ var falseNum = Object("37");
 falseNum.__proto__ = Number.prototype;
 falseNum.toString = function() { return 42; };
 assertEquals('"42"', JSON.stringify(falseNum));
+
+// We don't currently allow plain properties called __proto__ in JSON
+// objects in JSON.parse. Instead we read them as we would JS object
+// literals. If we change that, this test should change with it.
+// 
+// Parse a non-object value as __proto__. This must not create a 
+// __proto__ property different from the original, and should not 
+// change the original.
+var o = JSON.parse('{"__proto__":5}');
+assertEquals(Object.prototype, o.__proto__);  // __proto__ isn't changed.
+assertEquals(0, Object.keys(o).length);  // __proto__ isn't added as enumerable.
+
+
+