json 2.19.9 → 2.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e5fed66aaa650ac7aaf223c4d8e505a2d6ce3fe72599af4931356ae619f020b
-  data.tar.gz: 347004780c7a7568685502ade79f145371a49a213d348a65c99ea8fbffc6eee7
+  metadata.gz: 24e3bc40d587f5a4c001b5f4c7da30170bdf06f5401f2aa1928469c8fb3860e2
+  data.tar.gz: b668789b5f3a56d7db311eb4ec9d10b6d236debab23016fabd1682316d50ae50
 SHA512:
-  metadata.gz: 0bffdb4cd21e4656a1402a00d95ae890dc75befff379aeef4aad575a7f715a0dbeb87cfef6fefa3cd5235c3302a29fabb510d5db67e527678023cd8a88c34b49
-  data.tar.gz: 7e08cfae0c5d404687644528ecfb9438c9ea254f43fd285d116ba1542a4ef78045463b18850324e91ba4d0c735e7d9ed4b583499aadafe7d0bab51dd54a8d086
+  metadata.gz: aaa62a65724e3caa24797ce93ed3ac710a0186a1fd2db990a20fddb10eb99c71d92a967d0bed9d5086cb5b203c5dda0793faa461fda1e5c6963c62da5b4db3dc
+  data.tar.gz: fc44e571dcb662a35a36165d7f7afbb94b11ab8d5660ab1a65905961b7548260152afbb3286fd233223ea5435b6bb62135a3b67b30bd26ca0cd8114e6921c980

data/CHANGES.md

@@ -2,10 +2,20 @@
 
 ### Unreleased
 
+### 2026-06-23 (2.20.0)
+
+* Both C and Java parsers are no longer recursive, so parsing very deep documents with `max_nesting: false` will no longer
+  result in `SystemStackError stack level too deep` errors.
+  * The `:max_nesting` option still defaults to `100`.
+* Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
+* Added `JSON::ResumableParser` to parse streams of JSON documents. Not yet available on JRuby.
+* Deprecate default support of JavaScript comments in the parser and add `allow_comments: true` parsing option.
+* Integrate with Ruby 4.1 `ruby_sized_xfree`.
+
 ### 2026-06-11 (2.19.9)
 
 * Fix buffer overflow that could lead to a crash when writing JSON directly into an IO
-  with `JSON.generate(object, io)`. [CVE-PENDING].
+  with `JSON.generate(object, io)`. [CVE-2026-54696].
 
 ### 2026-06-03 (2.19.8)
 

data/LEGAL

@@ -15,6 +15,6 @@ ext/json/ext/vendor/jeaiii-ltoa.h::
   This file is adapted from https://github.com/jeaiii/itoa
   It is licensed under the MIT License
 
-ext/json/ext/vendor/ryu.h::
-  This file is adapted from the Ryu algorithm by Ulf Adams https://github.com/ulfjack/ryu.
-  It is dual-licensed under Apache License 2.0 OR Boost Software License 1.0.
+ext/json/ext/vendor/fast_float_parser.h::
+  This file is adapted from the Fast Float C++ library by The fast_float authors https://github.com/fastfloat/fast_float
+  It is licensed under the MIT License

data/README.md

@@ -306,5 +306,3 @@ The latest version of this library can be downloaded at
 Online Documentation should be located at
 
 * https://www.rubydoc.info/gems/json
-
-[Ragel]: http://www.colm.net/open-source/ragel/

data/ext/json/ext/fbuffer/fbuffer.h

@@ -68,7 +68,7 @@ static inline void fbuffer_consumed(FBuffer *fb, size_t consumed)
 static void fbuffer_free(FBuffer *fb)
 {
     if (fb->ptr && fb->type == FBUFFER_HEAP_ALLOCATED) {
-        ruby_xfree(fb->ptr);
+        JSON_SIZED_FREE_N(fb->ptr, fb->capa);
     }
 }
 
@@ -92,7 +92,7 @@ static void fbuffer_realloc(FBuffer *fb, size_t new_capa)
             fb->type = FBUFFER_HEAP_ALLOCATED;
             MEMCPY(fb->ptr, old_buffer, char, fb->len);
         } else {
-            REALLOC_N(fb->ptr, char, new_capa);
+            JSON_SIZED_REALLOC_N(fb->ptr, char, new_capa, fb->capa);
         }
         fb->capa = new_capa;
     }

data/ext/json/ext/generator/extconf.rb

@@ -6,6 +6,7 @@ if RUBY_ENGINE == 'truffleruby'
 else
   append_cflags("-std=c99")
   have_const("RUBY_TYPED_EMBEDDABLE", "ruby.h") # RUBY_VERSION >= 3.3
+  have_func("ruby_xfree_sized", "ruby.h") # RUBY_VERSION >= 4.1
 
   $defs << "-DJSON_GENERATOR"
   $defs << "-DJSON_DEBUG" if ENV.fetch("JSON_DEBUG", "0") != "0"

data/ext/json/ext/generator/generator.c

@@ -724,7 +724,11 @@ static void State_compact(void *ptr)
 
 static size_t State_memsize(const void *ptr)
 {
+#ifdef HAVE_RUBY_TYPED_EMBEDDABLE
+    return 0;
+#else
     return sizeof(JSON_Generator_State);
+#endif
 }
 
 static const rb_data_type_t JSON_Generator_State_type = {

data/ext/json/ext/json.h

@@ -11,6 +11,9 @@
 
 #if defined(RUBY_DEBUG) && RUBY_DEBUG
 # define JSON_ASSERT RUBY_ASSERT
+# ifndef JSON_DEBUG
+#  define JSON_DEBUG 1
+# endif
 #else
 # ifdef JSON_DEBUG
 #  include <assert.h>
@@ -20,8 +23,18 @@
 # endif
 #endif
 
+#ifdef JSON_DEBUG
+# define JSON_UNREACHABLE_RETURN(val) rb_bug("Unreachable")
+#else
+# define JSON_UNREACHABLE_RETURN UNREACHABLE_RETURN
+#endif
+
 /* shims */
 
+#ifndef UNDEF_P
+#define UNDEF_P(val) (val == Qundef)
+#endif
+
 #if SIZEOF_UINT64_T == SIZEOF_LONG_LONG
 # define INT64T2NUM(x) LL2NUM(x)
 # define UINT64T2NUM(x) ULL2NUM(x)
@@ -49,6 +62,24 @@ typedef unsigned char _Bool;
 #endif
 #endif
 
+#ifndef HAVE_RUBY_XFREE_SIZED
+static inline void ruby_xfree_sized(void *ptr, size_t oldsize)
+{
+    ruby_xfree(ptr);
+}
+
+static inline void *ruby_xrealloc2_sized(void *ptr, size_t new_elems, size_t elem_size, size_t old_elems)
+{
+    return ruby_xrealloc2(ptr, new_elems, elem_size);
+}
+#endif
+
+# define JSON_SIZED_REALLOC_N(v, T, m, n) \
+    ((v) = (T *)ruby_xrealloc2_sized((void *)(v), (m), sizeof(T), (n)))
+
+# define JSON_SIZED_FREE(v) ruby_xfree_sized((void *)(v), sizeof(*(v)))
+# define JSON_SIZED_FREE_N(v, n) ruby_xfree_sized((void *)(v), sizeof(*(v)) * (n))
+
 #ifndef HAVE_RB_EXT_RACTOR_SAFE
 #   undef RUBY_TYPED_FROZEN_SHAREABLE
 #   define RUBY_TYPED_FROZEN_SHAREABLE 0
@@ -113,4 +144,36 @@ typedef unsigned char _Bool;
 #define JSON_CPU_LITTLE_ENDIAN_64BITS 0
 #endif
 
+#ifdef JSON_TRUFFLERUBY_RB_CATCH_BUG
+
+#undef RB_BLOCK_CALL_FUNC_ARGLIST
+#define RB_BLOCK_CALL_FUNC_ARGLIST(yielded_arg, func_args) VALUE func_args
+
+NORETURN(static inline) void json_rb_throw_obj(VALUE tag, VALUE obj)
+{
+    VALUE exc = rb_exc_new_str(rb_eException, rb_utf8_str_new_cstr("throw_workaround"));
+    rb_ivar_set(exc, rb_intern("@throw_tag"), tag);
+    rb_ivar_set(exc, rb_intern("@throw_obj"), obj);
+    rb_exc_raise(exc);
+}
+#define rb_throw_obj json_rb_throw_obj
+
+static inline VALUE json_rb_catch_obj(VALUE tag, VALUE (*func)(VALUE args), VALUE func_args)
+{
+    int status;
+    VALUE result = rb_protect(func, func_args, &status);
+    if (status) {
+        VALUE exc = rb_errinfo();
+        if (tag == rb_ivar_get(exc, rb_intern("@throw_tag"))) {
+            rb_set_errinfo(Qnil);
+            return rb_ivar_get(exc, rb_intern("@throw_obj"));
+        }
+        rb_jump_tag(status);
+    }
+    return result;
+}
+#define rb_catch_obj json_rb_catch_obj
+
+#endif // JSON_TRUFFLERUBY_RB_CATCH_BUG
+
 #endif // _JSON_H_

data/ext/json/ext/parser/extconf.rb

@@ -2,10 +2,43 @@
 require 'mkmf'
 
 $defs << "-DJSON_DEBUG" if ENV.fetch("JSON_DEBUG", "0") != "0"
+
+if RUBY_ENGINE == 'truffleruby' && RUBY_ENGINE_VERSION < '40.0'
+  # Ref: https://github.com/truffleruby/truffleruby/issues/4329
+  # Ref: https://github.com/truffleruby/truffleruby/pull/4333
+  $defs << "-DJSON_TRUFFLERUBY_RB_CATCH_BUG"
+end
+
 have_func("rb_enc_interned_str", "ruby/encoding.h") # RUBY_VERSION >= 3.0
 have_func("rb_str_to_interned_str", "ruby.h") # RUBY_VERSION >= 3.0
 have_func("rb_hash_new_capa", "ruby.h") # RUBY_VERSION >= 3.2
 have_func("rb_hash_bulk_insert", "ruby.h") # Missing on TruffleRuby
+have_func("ruby_xfree_sized", "ruby.h") # RUBY_VERSION >= 4.1
+
+def have_builtin_func(name, check_expr, opt = "", &b)
+  checking_for checking_message(name.funcall_style, nil, opt) do
+    if try_compile(<<SRC, opt, &b)
+int foo;
+int main() { #{check_expr}; return 0; }
+SRC
+      $defs.push(format("-DHAVE_BUILTIN_%s", name.tr_cpp))
+      true
+    else
+      false
+    end
+  end
+end
+
+have_builtin_func("__builtin_clzll", "__builtin_clzll(0)")
+
+if have_header("x86intrin.h")
+  have_func("_lzcnt_u64", "x86intrin.h")
+end
+
+if have_header("intrin.h")
+  have_func("__lzcnt64", "intrin.h")
+  have_func("_BitScanReverse64", "intrin.h")
+end
 
 if RUBY_ENGINE == "ruby"
   have_const("RUBY_TYPED_EMBEDDABLE", "ruby.h") # RUBY_VERSION >= 3.3