Reland: Fix JSON parser Handle leak (previous CL 1041483004)

src/json-parser.h

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef V8_JSON_PARSER_H_
 #define V8_JSON_PARSER_H_
 
 #include "src/v8.h"
 
 #include "src/char-predicates-inl.h"
 #include "src/conversions.h"
 #include "src/heap/spaces-inl.h"
 #include "src/messages.h"
 #include "src/token.h"
 
 namespace v8 {
 namespace internal {
 
+enum ParseElementResult { kElementFound, kElementNotFound, kNullHandle };
+
+
 // A simple json parser.
 template <bool seq_one_byte>
 class JsonParser BASE_EMBEDDED {
  public:
   MUST_USE_RESULT static MaybeHandle<Object> Parse(Handle<String> source) {
     return JsonParser(source).ParseJson();
   }
 
   static const int kEndOfString = -1;
 
@@ skipping 119 matching lines @@
   Handle<Object> ParseJsonValue();
 
   // Parse a JSON object literal (grammar production JSONObject).
   // An object literal is a squiggly-braced and comma separated sequence
   // (possibly empty) of key/value pairs, where the key is a JSON string
   // literal, the value is a JSON value, and the two are separated by a colon.
   // A JSON array doesn't allow numbers and identifiers as keys, like a
   // JavaScript array.
   Handle<Object> ParseJsonObject();
 
+  // Helper for ParseJsonObject. Parses the form "123": obj, which is recorded
+  // as an element, not a property.
+  ParseElementResult ParseElement(Handle<JSObject> json_object);
+
   // Parses a JSON array literal (grammar production JSONArray). An array
   // literal is a square-bracketed and comma separated sequence (possibly empty)
   // of JSON values.
   // A JSON array doesn't allow leaving out values from the sequence, nor does
   // it allow a terminal comma, like a JavaScript array does.
   Handle<Object> ParseJsonArray();
 
 
   // Mark that a parsing error has happened at the current token, and
   // return a null handle. Primarily for readability.
@@ skipping 124 matching lines @@
         AdvanceGetChar() == 'l') {
       AdvanceSkipWhitespace();
       return factory()->null_value();
     }
     return ReportUnexpectedCharacter();
   }
   return ReportUnexpectedCharacter();
 }
 
 
+template <bool seq_one_byte>
+ParseElementResult JsonParser<seq_one_byte>::ParseElement(
+    Handle<JSObject> json_object) {
+  uint32_t index = 0;
+  // Maybe an array index, try to parse it.
+  if (c0_ == '0') {
+    // With a leading zero, the string has to be "0" only to be an index.
+    Advance();
+  } else {
+    do {
+      int d = c0_ - '0';
+      if (index > 429496729U - ((d > 5) ? 1 : 0)) break;
+      index = (index * 10) + d;
+      Advance();
+    } while (IsDecimalDigit(c0_));
+  }
+
+  if (c0_ == '"') {
+    // Successfully parsed index, parse and store element.
+    AdvanceSkipWhitespace();
+
+    if (c0_ == ':') {
+      AdvanceSkipWhitespace();
+      Handle<Object> value = ParseJsonValue();
+      if (!value.is_null()) {
+        JSObject::SetOwnElement(json_object, index, value, SLOPPY).Assert();
+        return kElementFound;
+      } else {
+        return kNullHandle;
+      }
+    }
+  }
+  return kElementNotFound;
+}
+
 // Parse a JSON object. Position must be right at '{'.
 template <bool seq_one_byte>
 Handle<Object> JsonParser<seq_one_byte>::ParseJsonObject() {
   HandleScope scope(isolate());
   Handle<JSObject> json_object =
       factory()->NewJSObject(object_constructor(), pretenure_);
   Handle<Map> map(json_object->map());
   int descriptor = 0;
   ZoneList<Handle<Object> > properties(8, zone());
   DCHECK_EQ(c0_, '{');
 
   bool transitioning = true;
 
   AdvanceSkipWhitespace();
   if (c0_ != '}') {
     do {
       if (c0_ != '"') return ReportUnexpectedCharacter();
 
       int start_position = position_;
       Advance();
 
-      uint32_t index = 0;
       if (IsDecimalDigit(c0_)) {
-        // Maybe an array index, try to parse it.
-        if (c0_ == '0') {
-          // With a leading zero, the string has to be "0" only to be an index.
-          Advance();
-        } else {
-          do {
-            int d = c0_ - '0';
-            if (index > 429496729U - ((d > 5) ? 1 : 0)) break;
-            index = (index * 10) + d;
-            Advance();
-          } while (IsDecimalDigit(c0_));
-        }
-
-        if (c0_ == '"') {
-          // Successfully parsed index, parse and store element.
-          AdvanceSkipWhitespace();
-
-          if (c0_ != ':') return ReportUnexpectedCharacter();
-          AdvanceSkipWhitespace();
-          Handle<Object> value = ParseJsonValue();
-          if (value.is_null()) return ReportUnexpectedCharacter();
-
-          JSObject::SetOwnElement(json_object, index, value, SLOPPY).Assert();
-          continue;
-        }
-        // Not an index, fallback to the slow path.
+        ParseElementResult element_result = ParseElement(json_object);
+        if (element_result == kNullHandle) return Handle<Object>::null();
+        if (element_result == kElementFound) continue;
       }
+      // Not an index, fallback to the slow path.
 
       position_ = start_position;
 #ifdef DEBUG
       c0_ = '"';
 #endif
 
       Handle<String> key;
       Handle<Object> value;
 
       // Try to follow existing transitions as long as possible. Once we stop
       // transitioning, no transition can be found anymore.
+      DCHECK(transitioning);
+      // First check whether there is a single expected transition. If so, try
+      // to parse it first.
+      bool follow_expected = false;
+      Handle<Map> target;
+      if (seq_one_byte) {
+        key = TransitionArray::ExpectedTransitionKey(map);
+        follow_expected = !key.is_null() && ParseJsonString(key);
+      }
+      // If the expected transition hits, follow it.
+      if (follow_expected) {
+        target = TransitionArray::ExpectedTransitionTarget(map);
+      } else {
+        // If the expected transition failed, parse an internalized string and
+        // try to find a matching transition.
+        key = ParseJsonInternalizedString();
+        if (key.is_null()) return ReportUnexpectedCharacter();
+
+        target = TransitionArray::FindTransitionToField(map, key);
+        // If a transition was found, follow it and continue.
+        transitioning = !target.is_null();
+      }
+      if (c0_ != ':') return ReportUnexpectedCharacter();
+
+      AdvanceSkipWhitespace();
+      value = ParseJsonValue();
+      if (value.is_null()) return ReportUnexpectedCharacter();
+
       if (transitioning) {
-        // First check whether there is a single expected transition. If so, try
-        // to parse it first.
-        bool follow_expected = false;
-        Handle<Map> target;
-        if (seq_one_byte) {
-          key = TransitionArray::ExpectedTransitionKey(map);
-          follow_expected = !key.is_null() && ParseJsonString(key);
+        PropertyDetails details =
+            target->instance_descriptors()->GetDetails(descriptor);
+        Representation expected_representation = details.representation();
+
+        if (value->FitsRepresentation(expected_representation)) {
+          if (expected_representation.IsHeapObject() &&
+              !target->instance_descriptors()
+                   ->GetFieldType(descriptor)
+                   ->NowContains(value)) {
+            Handle<HeapType> value_type(
+                value->OptimalType(isolate(), expected_representation));
+            Map::GeneralizeFieldType(target, descriptor,
+                                     expected_representation, value_type);
+          }
+          DCHECK(target->instance_descriptors()
+                     ->GetFieldType(descriptor)
+                     ->NowContains(value));
+          properties.Add(value, zone());
+          map = target;
+          descriptor++;
+          continue;
+        } else {
+          transitioning = false;
         }
-        // If the expected transition hits, follow it.
-        if (follow_expected) {
-          target = TransitionArray::ExpectedTransitionTarget(map);
-        } else {
-          // If the expected transition failed, parse an internalized string and
-          // try to find a matching transition.
-          key = ParseJsonInternalizedString();
-          if (key.is_null()) return ReportUnexpectedCharacter();
+      }
 
-          target = TransitionArray::FindTransitionToField(map, key);
-          // If a transition was found, follow it and continue.
-          transitioning = !target.is_null();
+      DCHECK(!transitioning);
+
+      // Commit the intermediate state to the object and stop transitioning.
+      CommitStateToJsonObject(json_object, map, &properties);
+
+      Runtime::DefineObjectProperty(json_object, key, value, NONE).Check();
+    } while (transitioning && MatchSkipWhiteSpace(','));
+
+    // If we transitioned until the very end, transition the map now.
+    if (transitioning) {
+      CommitStateToJsonObject(json_object, map, &properties);
+    } else {
+      while (MatchSkipWhiteSpace(',')) {
+        HandleScope local_scope(isolate());
+        if (c0_ != '"') return ReportUnexpectedCharacter();
+
+        int start_position = position_;
+        Advance();
+
+        if (IsDecimalDigit(c0_)) {
+          ParseElementResult element_result = ParseElement(json_object);
+          if (element_result == kNullHandle) return Handle<Object>::null();
+          if (element_result == kElementFound) continue;
         }
-        if (c0_ != ':') return ReportUnexpectedCharacter();
+        // Not an index, fallback to the slow path.
 
-        AdvanceSkipWhitespace();
-        value = ParseJsonValue();
-        if (value.is_null()) return ReportUnexpectedCharacter();
+        position_ = start_position;
+#ifdef DEBUG
+        c0_ = '"';
+#endif
 
-        if (transitioning) {
-          PropertyDetails details =
-              target->instance_descriptors()->GetDetails(descriptor);
-          Representation expected_representation = details.representation();
+        Handle<String> key;
+        Handle<Object> value;
 
-          if (value->FitsRepresentation(expected_representation)) {
-            if (expected_representation.IsHeapObject() &&
-                !target->instance_descriptors()
-                     ->GetFieldType(descriptor)
-                     ->NowContains(value)) {
-              Handle<HeapType> value_type(value->OptimalType(
-                      isolate(), expected_representation));
-              Map::GeneralizeFieldType(target, descriptor,
-                                       expected_representation, value_type);
-            }
-            DCHECK(target->instance_descriptors()->GetFieldType(
-                    descriptor)->NowContains(value));
-            properties.Add(value, zone());
-            map = target;
-            descriptor++;
-            continue;
-          } else {
-            transitioning = false;
-          }
-        }
-
-        // Commit the intermediate state to the object and stop transitioning.
-        CommitStateToJsonObject(json_object, map, &properties);
-      } else {
         key = ParseJsonInternalizedString();
         if (key.is_null() || c0_ != ':') return ReportUnexpectedCharacter();
 
         AdvanceSkipWhitespace();
         value = ParseJsonValue();
         if (value.is_null()) return ReportUnexpectedCharacter();
+
+        Runtime::DefineObjectProperty(json_object, key, value, NONE).Check();
       }
+    }
 
-      Runtime::DefineObjectProperty(json_object, key, value, NONE).Check();
-    } while (MatchSkipWhiteSpace(','));
     if (c0_ != '}') {
       return ReportUnexpectedCharacter();
     }
-
-    // If we transitioned until the very end, transition the map now.
-    if (transitioning) {
-      CommitStateToJsonObject(json_object, map, &properties);
-    }
   }
   AdvanceSkipWhitespace();
   return scope.CloseAndEscape(json_object);
 }
 
 
 template <bool seq_one_byte>
 void JsonParser<seq_one_byte>::CommitStateToJsonObject(
     Handle<JSObject> json_object, Handle<Map> map,
     ZoneList<Handle<Object> >* properties) {
@@ skipping 345 matching lines @@
 
   DCHECK_EQ('"', c0_);
   // Advance past the last '"'.
   AdvanceSkipWhitespace();
   return result;
 }
 
 } }  // namespace v8::internal
 
 #endif  // V8_JSON_PARSER_H_