From 7681432dbfca3dc44056cd50fa09a5292f3f4711 Mon Sep 17 00:00:00 2001
From: yangguo
Date: Thu, 30 Apr 2015 03:02:15 -0700
Subject: [PATCH] JSON serializer should fail gracefully for special value wrappers.
R=mstarzinger@chromium.org
BUG=chromium:471702
LOG=N
Review URL: https://codereview.chromium.org/1120573002
Cr-Commit-Position: refs/heads/master@{#28154}
---
 src/json-stringifier.h | 7 +++++--
 test/mjsunit/regress/regress-crbug-471702.js | 7 +++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-471702.js
diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index 444de43..efb71e5 100644
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -396,11 +396,14 @@ BasicJsonStringifier::Result BasicJsonStringifier::SerializeJSValue(
 isolate_, value, Execution::ToNumber(isolate_, object), EXCEPTION);
 if (value->IsSmi()) return SerializeSmi(Smi::cast(*value));
 SerializeHeapNumber(Handle::cast(value));
- } else {
- DCHECK(class_name == isolate_->heap()->Boolean_string());
+ } else if (class_name == isolate_->heap()->Boolean_string()) {
 Object* value = JSValue::cast(*object)->value();
 DCHECK(value->IsBoolean());
 builder_.AppendCString(value->IsTrue() ? "true" : "false");
+ } else {
+ // Fail gracefully for special value wrappers.
+ isolate_->ThrowIllegalOperation();
+ return EXCEPTION;
 }
 return SUCCESS;
 }
diff --git a/test/mjsunit/regress/regress-crbug-471702.js b/test/mjsunit/regress/regress-crbug-471702.js
new file mode 100644
index 0000000..dcd9f9b
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-471702.js
@@ -0,0 +1,7 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertThrows(function() { JSON.stringify(%DebugGetLoadedScripts()); });
--
2.7.4
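Review bot: The new final `else` in SerializeJSValue throws for every wrapper whose class name is not one of those handled by the branches above, which is broader than the "special value wrappers" the comment names. If script-creatable wrappers of another class (for example Symbol wrapper objects) can reach this function, `JSON.stringify` would now throw for them instead of serializing them as ordinary objects; the dispatch is outside the hunk, so this needs confirming. The comment should say which wrappers are expected, for example `// Only internal wrappers (such as those from %DebugGetLoadedScripts) should reach here; they have no JSON form.`. The Boolean branch still guards its value type with `DCHECK(value->IsBoolean())` only, which is compiled out of release builds, so it relies on the class-name comparison alone there. The function body starts before the hunk.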
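Review bot: `assertThrows` is called with no expected error type and with `%DebugGetLoadedScripts()` evaluated inside the closure, so the test also passes if the native call itself throws before `JSON.stringify` runs. Hoisting the call pins the exception to the serializer: `var scripts = %DebugGetLoadedScripts();` followed by `assertThrows(function() { JSON.stringify(scripts); });`. A one-line comment saying that the array holds internal value wrappers the stringifier must reject would also make the intent clear without opening the bug.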