Fix length check in JSON.stringify.

R=verwaest@chromium.org
BUG=160010

Review URL: https://chromiumcodereview.appspot.com/11410031

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12925 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/json-stringifier.h

@@ -690,7 +690,6 @@ void BasicJsonStringifier::SerializeStringUnchecked_(const SrcChar* src,
   // The <uc16, char> version of this method must not be called.
   ASSERT(sizeof(*dest) >= sizeof(*src));
 
-  *(dest++) = '"';
   for (int i = 0; i < length; i++) {
     SrcChar c = src[i];
     if (DoNotEscape(c)) {
@@ -701,7 +700,6 @@ void BasicJsonStringifier::SerializeStringUnchecked_(const SrcChar* src,
     }
   }
 
-  *(dest++) = '"';
   current_index_ += static_cast<int>(dest - dest_start);
 }
 
@@ -710,12 +708,13 @@ template <bool is_ascii, typename Char>
 void BasicJsonStringifier::SerializeString_(Vector<const Char> vector,
                                             Handle<String> string) {
   int length = vector.length();
+  Append_<is_ascii, char>('"');
   // We make a rough estimate to find out if the current string can be
   // serialized without allocating a new string part. The worst case length of
-  // an escaped character is 6.  Shifting left by 3 is a more pessimistic
-  // estimate than multiplying by 6, but faster to calculate.
-  static const int kEnclosingQuotesLength = 2;
-  if (current_index_ + (length << 3) + kEnclosingQuotesLength < part_length_) {
+  // an escaped character is 6.  Shifting the remainin string length right by 3
+  // is a more pessimistic estimate, but faster to calculate.
+
+  if (((part_length_ - current_index_) >> 3) > length) {
     if (is_ascii) {
       SerializeStringUnchecked_(
           vector.start(),
@@ -728,7 +727,6 @@ void BasicJsonStringifier::SerializeString_(Vector<const Char> vector,
           length);
     }
   } else {
-    Append_<is_ascii, char>('"');
     String* string_location = *string;
     for (int i = 0; i < length; i++) {
       Char c = vector[i];
@@ -744,8 +742,9 @@ void BasicJsonStringifier::SerializeString_(Vector<const Char> vector,
         string_location = *string;
       }
     }
-    Append_<is_ascii, char>('"');
   }
+
+  Append_<is_ascii, char>('"');
 }
 
 

test/mjsunit/regress/regress-crbug-160010.js

+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var str = "a";
+for (var i = 0; i < 28; i++) {
+  str += str;
+}
+JSON.stringify(str);
+