Bad JSON Parsers
Exposing problems in JSON parsers of several programming languages.
Many JSON parsers (and many parsers in general) use recursion to parse nested structures. This is very convenient while programming the parser, but it has consequences for what the parser can parse: the size of the call stack is usually limited to a value several orders of magnitude smaller than the available RAM, so a program with too many levels of recursion will fail.
However, the JSON specification doesn't contain any limit on how deeply nested JSON structures can be. This means that most JSON parsers fail on a valid input.
This repository contains tools to measure the limits of JSON parsers of different languages.
How to use
The JSON parser must be a program that reads JSON on its standard input, and exits with a status of 0 if it managed to parse it and any other status if an error occurred.
How it works
The tool constructs JSON structures composed uniquely of nested arrays, and gives them to the program it tests. For instance, for a depth of 3, it builds the following JSON: [[[]]]. This allows creating a structure of only 2n bytes that has n levels of nesting. It uses binary search to find the smallest structure for which the program fails.
On my machine (Ubuntu Linux 4.10.0-35-generic SMP x86_64 with 8Gb RAM, 8.4 MB maximum stack size), I found the following results, sorted from worst to best:

| language | json library | nesting level | file size | notes |
|----------|--------------|---------------|-----------|-------|
| ruby | json | 101 | 202 bytes | |
| rust | serde_json | 128 | 256 bytes | |
| php | | | | |
| | JSON.parse | 5713 | 11.4 KB | |
| C++ | nlohmann::json | 13787 | 27.6 KB | segfault |
| ruby | Oj | ∞ | ∞ | |
| Haskell | Aeson | ∞ | ∞ | available RAM is the only limit |
I tried to test the most popular json library of each language. If you want to add a new language or a new library, feel free to open a pull request.
All the parameters were left at their default values. In particular, the result for PHP is particular: there is a parameter to configure the maximum depth of the object to be parsed.