Fix issues with JSON stringify replacer array

If the replacer array contains a property key we should include the
property even if the property is non enumerable or if it is a non own
property.

String and Number wrappers in the replacer array should be treated as
string and number values.

R=yangguo@chromium.org
BUG=v8:3200, v8:3201
LOG=Y

Review URL: https://codereview.chromium.org/187053003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19685 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/json.js b/src/json.js
index 0799deadfe957f9bf598cbfc3006d25eb60e6a2b..fc4b58decaf67b7335812377b2f1c6a8f25eb2a7 100644 (file)
--- a/src/json.js
+++ b/src/json.js
@@ -213,14 +213,21 @@ function JSONStringify(value, replacer, space) {
   if (IS_ARRAY(replacer)) {
     // Deduplicate replacer array items.
     var property_list = new InternalArray();
-    var seen_properties = {};
+    var seen_properties = { __proto__: null };
+    var seen_sentinel = {};
     var length = replacer.length;
     for (var i = 0; i < length; i++) {
       var item = replacer[i];
-      if (IS_NUMBER(item)) item = %_NumberToString(item);
-      if (IS_STRING(item) && !(item in seen_properties)) {
+      if (IS_STRING_WRAPPER(item)) {
+        item = ToString(item);
+      } else {
+        if (IS_NUMBER_WRAPPER(item)) item = ToNumber(item);
+        if (IS_NUMBER(item)) item = %_NumberToString(item);
+      }
+      if (IS_STRING(item) && seen_properties[item] != seen_sentinel) {
         property_list.push(item);
-        seen_properties[item] = true;
+        // We cannot use true here because __proto__ needs to be an object.
+        seen_properties[item] = seen_sentinel;
       }
     }
     replacer = property_list;

diff --git a/test/mjsunit/regress/regress-3135.js b/test/mjsunit/regress/regress-3135.js
index 8088432c8efe09d06f3a32cdd04608aa0fc3777c..f15c9a86d8d1caaab8ca14730b79e5253d258454 100644 (file)
--- a/test/mjsunit/regress/regress-3135.js
+++ b/test/mjsunit/regress/regress-3135.js
@@ -19,10 +19,21 @@ assertEquals('{"y":4,"x":3}', JSON.stringify({ x : 3, y : 4}, ["y", "x"]));
 assertEquals('{"y":4,"1":2,"x":3}',
              JSON.stringify({ x : 3, y : 4, 1 : 2 }, ["y", 1, "x"]));
 
-// __proto__ is ignored and doesn't break anything.
+// With a replacer array the value of the property is retrieved using [[Get]]
+// ignoring own and enumerability.
 var a = { x : 8 };
+assertEquals('{"__proto__":{"__proto__":null},"x":8}',
+             JSON.stringify(a, ["__proto__", "x", "__proto__"]));
 a.__proto__ = { x : 7 };
-assertEquals('{"x":8}', JSON.stringify(a, ["__proto__", "x", "__proto__"]));
+assertEquals('{"__proto__":{"__proto__":{"__proto__":null},"x":7},"x":8}',
+             JSON.stringify(a, ["__proto__", "x"]));
+var b = { __proto__: { x: 9 } };
+assertEquals('{}', JSON.stringify(b));
+assertEquals('{"x":9}', JSON.stringify(b, ["x"]));
+var c = {x: 10};
+Object.defineProperty(c, 'x', { enumerable: false });
+assertEquals('{}', JSON.stringify(c));
+assertEquals('{"x":10}', JSON.stringify(c, ["x"]));
 
 // Arrays are not affected by the replacer array.
 assertEquals("[9,8,7]", JSON.stringify([9, 8, 7], [1, 1]));
@@ -51,3 +62,12 @@ assertEquals('{}',
 assertEquals('{}',
              JSON.stringify({ x : 1, "1": 1 },
                             [{ valueOf: function() { return 1;} }]));
+
+// Make sure that property names that clash with the names of Object.prototype
+// still works.
+assertEquals('{"toString":42}', JSON.stringify({ toString: 42 }, ["toString"]));
+
+// Number wrappers and String wrappers should be unwrapped.
+assertEquals('{"1":1,"s":"s"}',
+             JSON.stringify({ 1: 1, s: "s" },
+                            [new Number(1), new String("s")]));