[JSON stringifier] Correctly load array elements.

BUG=chromium:554946 LOG=y R=jkummerow@chromium.org, jochen@chromium.org Review URL: https://codereview.chromium.org/1435083003 Cr-Commit-Position: refs/heads/master@{#31968}
2015-11-12 11:30:09 -08:00 · 2015-11-12 11:30:09 -08:00 · 6df9a1db8c
commit 6df9a1db8c
parent f83b8a61cf
2 changed files with 14 additions and 48 deletions
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@ -435,54 +435,8 @@ BasicJsonStringifier::Result BasicJsonStringifier::SerializeJSArray(
  uint32_t length = 0;
  CHECK(object->length()->ToArrayLength(&length));
  builder_.AppendCharacter('[');
-  switch (object->GetElementsKind()) {
-    case FAST_SMI_ELEMENTS: {
-      Handle<FixedArray> elements(
-          FixedArray::cast(object->elements()), isolate_);
-      for (uint32_t i = 0; i < length; i++) {
-        if (i > 0) builder_.AppendCharacter(',');
-        SerializeSmi(Smi::cast(elements->get(i)));
-      }
-      break;
-    }
-    case FAST_DOUBLE_ELEMENTS: {
-      // Empty array is FixedArray but not FixedDoubleArray.
-      if (length == 0) break;
-      Handle<FixedDoubleArray> elements(
-          FixedDoubleArray::cast(object->elements()), isolate_);
-      for (uint32_t i = 0; i < length; i++) {
-        if (i > 0) builder_.AppendCharacter(',');
-        SerializeDouble(elements->get_scalar(i));
-      }
-      break;
-    }
-    case FAST_ELEMENTS: {
-      Handle<FixedArray> elements(
-          FixedArray::cast(object->elements()), isolate_);
-      for (uint32_t i = 0; i < length; i++) {
-        if (i > 0) builder_.AppendCharacter(',');
-        Result result =
-            SerializeElement(isolate_,
-                             Handle<Object>(elements->get(i), isolate_),
-                             i);
-        if (result == SUCCESS) continue;
-        if (result == UNCHANGED) {
-          builder_.AppendCString("null");
-        } else {
-          return result;
-        }
-      }
-      break;
-    }
-    // TODO(yangguo):  The FAST_HOLEY_* cases could be handled in a faster way.
-    // They resemble the non-holey cases except that a prototype chain lookup
-    // is necessary for holes.
-    default: {
-      Result result = SerializeJSArraySlow(object, length);
-      if (result != SUCCESS) return result;
-      break;
-    }
-  }
+  Result result = SerializeJSArraySlow(object, length);
+  if (result != SUCCESS) return result;
  builder_.AppendCharacter(']');
  StackPop();
  return SUCCESS;
--- a/test/mjsunit/regress/regress-crbug-554946.js
+++ b/test/mjsunit/regress/regress-crbug-554946.js
@ -0,0 +1,12 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var array = [];
+var funky = {
+  toJSON: function() { array.length = 1; return "funky"; }
+};
+for (var i = 0; i < 10; i++) array[i] = i;
+array[0] = funky;
+assertEquals('["funky",null,null,null,null,null,null,null,null,null]',
+             JSON.stringify(array));