Fix stack overflow in JSON.stringify.

R=verwaest@chromium.org BUG= Review URL: https://chromiumcodereview.appspot.com/11265011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix stack overflow in JSON.stringify.
R=verwaest@chromium.org BUG= Review URL: https://chromiumcodereview.appspot.com/11265011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12808 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
b2d41f8f · yangguo@chromium.org · 8f0501f5 · b2d41f8f · b2d41f8f · b2d41f8f
Commit b2d41f8f authored Oct 24, 2012 by yangguo@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 6 deletions

common.gypi build/common.gypi +6 -1

json-stringifier.h src/json-stringifier.h +3 -2

json-recursive.js test/mjsunit/json-recursive.js +15 -3

No files found.
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -180,6 +180,11 @@
        'defines': [
          'V8_TARGET_ARCH_IA32',
        ],
+        'msvs_settings': {
+          'VCLinkerTool': {
+            'StackReserveSize': '4194304',
+          },
+        },
      }],  # v8_target_arch=="ia32"
      ['v8_target_arch=="mipsel"', {
        'defines': [
@@ -246,7 +251,7 @@
        },
        'msvs_settings': {
          'VCLinkerTool': {
-            'StackReserveSize': '2097152',
+            'StackReserveSize': '8388608',
          },
        },
        'msvs_configuration_platform': 'x64',

--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -45,7 +45,7 @@ class BasicJsonStringifier BASE_EMBEDDED {
  static const int kInitialPartLength = 32;
  static const int kMaxPartLength = 16 * 1024;
  static const int kPartLengthGrowthFactor = 2;
-  static const int kStackLimit = 8 * 1024;
+  static const int kStackLimit = 4 * 1024;

  enum Result { UNCHANGED, SUCCESS, BAILOUT, CIRCULAR, STACK_OVERFLOW };

@@ -399,7 +399,8 @@ BasicJsonStringifier::Result BasicJsonStringifier::SerializeDouble(
 BasicJsonStringifier::Result BasicJsonStringifier::SerializeArray(
    Handle<JSArray> object) {
  HandleScope handle_scope(isolate_);
-  if (StackPush(object) == CIRCULAR) return CIRCULAR;
+  Result stack_push = StackPush(object);
+  if (stack_push != SUCCESS) return stack_push;
  int length = Smi::cast(object->length())->value();
  Append('[');
  switch (object->GetElementsKind()) {

--- a/test/mjsunit/json-recursive.js
+++ b/test/mjsunit/json-recursive.js
@@ -38,7 +38,19 @@ function rec(a,b,c,d,e,f,g,h,i,j,k,l,m,n) {
  rec(a,b,c,d,e,f,g,h,i,j,k,l,m,n);
 }

-assertThrows(
-    function() { rec(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4) },
-    RangeError);
+assertThrows(function() { rec(1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4) },
+             RangeError);

+
+var deepArray = [];
+for (var i = 0; i < 2048; i++) deepArray = [deepArray];
+JSON.stringify(deepArray);
+for (var i = 2048; i < 4097; i++) deepArray = [deepArray];
+assertThrows(function() { JSON.stringify(deepArray); }, RangeError);
+
+
+var deepObject = {};
+for (var i = 0; i < 2048; i++) deepObject = { next: deepObject };
+JSON.stringify(deepObject);
+for (var i = 2048; i < 4097; i++) deepObject = { next: deepObject };
+assertThrows(function() { JSON.stringify(deepObject); }, RangeError);