Infinite loop in JSONReader

Brought to you by: efficacy

#2 Infinite loop in JSONReader

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2007-08-15

Created: 2007-08-14

Creator: Mirko Nasato

Private: No

stringtree-json 2.0.9

Something as simple as

public void test() {
String line = "{ a: 1 }";
JSONReader reader = new JSONReader();
Object object = reader.read(line);
assertNotNull(object);
}

seems to get stuck in an infinite loop.

Using JSONValidatingReader insted of JSONReader gives:

expected string at column 3
{ a: 1 }
^expected value at column 1
{ a: 1 }
^

After further investigation stringtree-json only seems to work with "{ \"a\": 1 }", not with "{ a: 1 }" nor with "{ 'a': 1 }".

In any case the fact that it enters an infinite loop is very bad.

Switching back to the good old library at http://www.json.org/java/

Discussion

Frank Carver - 2007-08-15

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Frank Carver - 2007-08-15

Logged In: YES
user_id=142676
Originator: NO

I'm sorry if JSONReader is not to your taste.

The Stringtree JSONReader does not attempt any error detection or correction. It was an important goal of JSONReader to be as fast and lean as possible when presented with valid JSON input. Extra code to recognize and deal with even a reasonable range of possible error cases would dramatically bloat and slow down the code. This would penalise all users, even those who never supply any invalid input.

In my experience, the great majority of JSON is mechanically generated, and thus unlikely to include these sorts of error.

I understand that an infinite loop is a poor response from the software, but the solution is to ensure that your JSON is valid before attempting to parse it. If you have a source of JSON which might produce invalid JSON, then the solution is to use the JSONValidatingReader, which gave a correct identification of the problem in this case.

Your comment that JSONReader requires {"a":1} is correct. That is the format required by the JSON specification at json.org. A JSON "object" starts with {, ends with }, and contains a comma-separated sequence of "name" : value pairs. names without quotes, or names surrounded in apostrophes are not valid.

With all that in mind, I am closing this bug.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mirko Nasato - 2007-08-15

Logged In: YES
user_id=1812940
Originator: YES

Fair enough, thanks for clarifying that this behaviour is by design. I know JSON only specifies double quotes for object key names, although the other two forms are valid in JavaScript.

Maybe you could at least warn your users that using the non-validating JSONReader on a public service will expose to a risk of denial of service, triggered by simply passing an invalid JSON string.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.