Documenting how JSON parsers of several programming languages deal with deeply nested structures.
Introduction
Many JSON parsers (and many parsers in general) use recursion to parse nested structures. This is very convenient while programming the parser, but it has consequences on what the parser can parse: indeed, the size of the call stack is usually limited to a value several orders of magnitude smaller than the available RAM, and this implies that a program with too many levels of recursion will fail.
The two most recent JSON standards, RFC 8259 and RFC 7159, both say “An implementation may set limits on the maximum depth of nesting.” However, the ECMA-404 specification doesn’t contain any limit on how deeply nested JSON structures can be.
This means that there is not a defined level of nesting which is correct or incorrect with regard to the JSON specification, and JSON parsers may differ when parsing nested structures.
This repository contains tools to measure the nesting limits of JSON parsers of different languages.
How to use
This repository contains a script called test_parser.sh that takes a JSON parser and uses binary search to find the smallest JSON structure it fails to parse, then prints its nesting level.
The JSON parser must be a program that reads JSON on its standard input, and exits with a status of 0 if it managed to parse it and any other status if an error occurred.
How it works
test_parser.sh constructs JSON structures composed solely of nested arrays, and gives them to the program it tests. For instance, for a depth of 3, it builds the following JSON: [[[]]]. This makes it possible to create a structure of only 2n bytes that has n nesting levels. It uses binary search to find the smallest structure for which the program fails.
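The search described above, as an added sketch that is not the repository's test_parser.sh: it first doubles the depth until the parser fails, then bisects. The function names, the "none" result and the `toy_parser` stand-in (a constructed parser with a known limit) are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the repository's test_parser.sh.

# nested_json N: print N '[' followed by N ']' (2N bytes, N nesting levels).
nested_json() {
    head -c "$1" /dev/zero | tr '\0' '['
    head -c "$1" /dev/zero | tr '\0' ']'
}

# parses DEPTH CMD...: feed the structure to CMD on stdin; exit status 0 = parsed.
parses() {
    local depth=$1; shift
    nested_json "$depth" | "$@" >/dev/null 2>&1
}

# find_limit MAX CMD...: print the smallest depth CMD fails to parse,
# or "none" if it still parses once the search would pass MAX.
# Assumes failures are monotonic: if depth d fails, every deeper input fails.
find_limit() {
    local max=$1; shift
    local lo=0 hi=1 mid
    # Phase 1: double hi until the parser fails, so no upper bound is guessed.
    while parses "$hi" "$@"; do
        lo=$hi
        hi=$((hi * 2))
        if [ "$hi" -gt "$max" ]; then echo "none"; return 0; fi
    done
    # Phase 2: bisect. Invariant: depth hi fails; depth lo parsed (or lo is 0).
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if parses "$mid" "$@"; then lo=$mid; else hi=$mid; fi
    done
    echo "$hi"
}

# Constructed stand-in for a real parser: accepts nesting depth 1..LIMIT only.
toy_parser() {
    local limit=$1 opens
    opens=$(( $(tr -dc '[' | wc -c) ))
    [ "$opens" -ge 1 ] && [ "$opens" -le "$limit" ]
}

find_limit 100000 toy_parser 513   # prints 514
```

Any program that follows the stdin and exit-status contract from the "How to use" section can take the place of `toy_parser`.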
Results
On my machine (Ubuntu Linux 4.10.0-35-generic SMP x86_64 with 8Gb RAM, 8.4 MB maximum stack size), I found the following results, sorted from least nesting to most nesting:
| language | json library | nesting level | file size | notes |
|---|---|---|---|---|
| | json | | bytes | |
| | serde_json | | bytes | |
| | json_decode | | bytes | maximum depth is configurable |
| | JSON::PP | | bytes | |
| | json | | 2.0 KB | without sys.setrecursionlimit |
| | Jansson | | 4.0 KB | |
| | Gson | | .3 KB | |
| javascript | JSON.parse | | .4 KB | |
| Java | Jackson | | KB | |
| | nlohmann::json | | .6 KB | segfault |
| | json | | KB | w/ -d:release |
| | encoding/json | | 5.0 MiB | goroutine stack exceeds 1000000000-byte limit |
| Ruby | OJ | ∞ | ∞ | |
| | Aeson | ∞ | ∞ | available RAM is the only limit |
Remarks
I tried to test the most popular JSON library of each language. If you want to add a new language or a new library, feel free to open a pull request.
All the parameters were left to their default values. In particular, the result for PHP is particular: json_decode accepts a depth parameter to configure the maximum depth of the object to be parsed.