From 004778e6df266dd6366fc455ac4e6dc3c697e53b Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Fri, 13 Nov 2015 21:23:33 +0100 Subject: [PATCH] deps: backport 6df9a1d from upstream v8 PR-URL: https://github.com/nodejs/node-private/pull/6 Reviewed-By: Fedor Indutny --- deps/v8/src/json-stringifier.h | 50 +------------------ .../mjsunit/regress/regress-crbug-554946.js | 12 +++++ 2 files changed, 14 insertions(+), 48 deletions(-) create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-554946.js diff --git a/deps/v8/src/json-stringifier.h b/deps/v8/src/json-stringifier.h index fb6b80dde4..0a4101b7df 100644 --- a/deps/v8/src/json-stringifier.h +++ b/deps/v8/src/json-stringifier.h @@ -434,54 +434,8 @@ BasicJsonStringifier::Result BasicJsonStringifier::SerializeJSArray( uint32_t length = 0; CHECK(object->length()->ToArrayLength(&length)); builder_.AppendCharacter('['); - switch (object->GetElementsKind()) { - case FAST_SMI_ELEMENTS: { - Handle elements( - FixedArray::cast(object->elements()), isolate_); - for (uint32_t i = 0; i < length; i++) { - if (i > 0) builder_.AppendCharacter(','); - SerializeSmi(Smi::cast(elements->get(i))); - } - break; - } - case FAST_DOUBLE_ELEMENTS: { - // Empty array is FixedArray but not FixedDoubleArray. - if (length == 0) break; - Handle elements( - FixedDoubleArray::cast(object->elements()), isolate_); - for (uint32_t i = 0; i < length; i++) { - if (i > 0) builder_.AppendCharacter(','); - SerializeDouble(elements->get_scalar(i)); - } - break; - } - case FAST_ELEMENTS: { - Handle elements( - FixedArray::cast(object->elements()), isolate_); - for (uint32_t i = 0; i < length; i++) { - if (i > 0) builder_.AppendCharacter(','); - Result result = - SerializeElement(isolate_, - Handle(elements->get(i), isolate_), - i); - if (result == SUCCESS) continue; - if (result == UNCHANGED) { - builder_.AppendCString("null"); - } else { - return result; - } - } - break; - } - // TODO(yangguo): The FAST_HOLEY_* cases could be handled in a faster way. - // They resemble the non-holey cases except that a prototype chain lookup - // is necessary for holes. - default: { - Result result = SerializeJSArraySlow(object, length); - if (result != SUCCESS) return result; - break; - } - } + Result result = SerializeJSArraySlow(object, length); + if (result != SUCCESS) return result; builder_.AppendCharacter(']'); StackPop(); return SUCCESS; diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-554946.js b/deps/v8/test/mjsunit/regress/regress-crbug-554946.js new file mode 100644 index 0000000000..ab2e327295 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-554946.js @@ -0,0 +1,12 @@ +// Copyright 2015 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +var array = []; +var funky = { + toJSON: function() { array.length = 1; return "funky"; } +}; +for (var i = 0; i < 10; i++) array[i] = i; +array[0] = funky; +assertEquals('["funky",null,null,null,null,null,null,null,null,null]', + JSON.stringify(array));