From 3efe611dbfe76a816c837fc02037793fa4e22e61 Mon Sep 17 00:00:00 2001
From: Timothy Flynn
Date: Wed, 14 Sep 2022 16:11:35 -0400
Subject: [PATCH] LibJS: Do not assume that IsArray means the object type is an Array

IsArray returns true if the object is an Array *or* if it is a ProxyObject whose target is an Array. Therefore, we cannot downcast to an Array based on IsArray. Luckily, we don't actually need an Array here; SerializeJSONArray only needs an Object. This was caught by UBSAN with vptr sanitation enabled.
---
 Userland/Libraries/LibJS/Runtime/JSONObject.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/JSONObject.cpp b/Userland/Libraries/LibJS/Runtime/JSONObject.cpp
index d4f97646dd..1bf5b28d53 100644
--- a/Userland/Libraries/LibJS/Runtime/JSONObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/JSONObject.cpp
@@ -207,7 +207,7 @@ ThrowCompletionOr JSONObject::serialize_json_property(VM& vm, StringifyS
 // b. If isArray is true, return ? SerializeJSONArray(state, value).
 if (is_array)
- return serialize_json_array(vm, state, static_cast(value.as_object()));
+ return serialize_json_array(vm, state, value.as_object());
 // c. Return ? SerializeJSONObject(state, value).
 return serialize_json_object(vm, state, value.as_object());
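Review bot: The new `serialize_json_array(vm, state, value.as_object())` line fixes a real type confusion (an `Array&` downcast of a Proxy-to-Array object), but nothing in the code records why the cast must not come back, so the next spec-following reader may reintroduce it; add a comment above the `if (is_array)` such as `// NOTE: IsArray is also true for a Proxy whose target is an Array, so value.as_object() must not be downcast to Array& here; serialize_json_array only needs an Object&.`. A regression test that stringifies a Proxy wrapping an array (`JSON.stringify(new Proxy([1, 2], {}))`) would pin the behaviour and trip the vptr sanitizer again if the cast ever returns; the diffstat shows no test file in this commit. The same `is_array` → `Array&` pattern is worth auditing at other IsArray callers in LibJS, though none are visible here. The enclosing `serialize_json_property` begins and ends outside this hunk, and the missing template arguments on the removed `static_cast` look like extraction loss in this rendering rather than the original code.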