mirror of
https://github.com/RGBCube/serenity
synced 2025-10-27 13:22:33 +00:00
This fixes Array.prototype.{join,toString}() crashing with arrays
containing themselves, i.e. circular references.

The spec is suspiciously silent about this, and indeed engine262, a
"100% spec compliant" ECMA-262 implementation, can't handle these cases.
I had a look at some major engines instead and they all seem to keep
track or check for circular references and return an empty string for
already seen objects.

- SpiderMonkey: "AutoCycleDetector detector(cx, obj)"
- V8: "CycleProtectedArrayJoin<JSArray>(...)"
- JavaScriptCore: "StringRecursionChecker checker(globalObject, thisObject)"
- ChakraCore: "scriptContext->CheckObject(thisArg)"

To keep things simple & consistent this uses the same pattern as
JSONObject, MarkupGenerator and js: simply putting each seen object in a
HashTable<Object*>.

Fixes #3929.
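
The seen-object pattern the commit message describes, sketched in JavaScript as an added example (not part of the commit and not LibJS code). `joinElements`, `naiveJoin`, `safeJoin`, `naiveOutcome` and `inProgress` are hypothetical names, and dropping an array from the set once its join finishes is this example's own choice so that repeated, non-circular references still print.

```javascript
// Added example, not LibJS code; all names here are hypothetical.

// Shared element loop: `recurse` decides how nested arrays are stringified.
function joinElements(array, separator, recurse) {
  const parts = [];
  for (let i = 0; i < array.length; i++) {
    const element = array[i];
    if (element === undefined || element === null) parts.push("");
    else if (Array.isArray(element)) parts.push(recurse(element));
    else parts.push(String(element));
  }
  return parts.join(separator);
}

// Unprotected: a self-containing array recurses until the stack is exhausted.
function naiveJoin(array, separator = ",") {
  return joinElements(array, separator, (nested) => naiveJoin(nested));
}

// Protected: arrays currently being joined are tracked in a set;
// meeting one of them again yields "" instead of recursing.
const inProgress = new Set();
function safeJoin(array, separator = ",") {
  if (inProgress.has(array)) return "";
  inProgress.add(array);
  try {
    return joinElements(array, separator, (nested) => safeJoin(nested));
  } finally {
    // Forget the array once done, so a repeated reference is not mistaken for a cycle.
    inProgress.delete(array);
  }
}

// Constructed sample inputs.
const selfRef = [1, 2];
selfRef.push(selfRef);           // direct cycle: [1, 2, <selfRef>]
const a = ["a"], b = ["b", a];
a.push(b);                       // indirect cycle: a -> b -> a
const shared = [7, 8];
const twice = [shared, shared];  // repeated reference, not circular

// Reports the error type instead of letting the stack exhaustion propagate.
function naiveOutcome(array) {
  try { return naiveJoin(array); } catch (e) { return e.constructor.name; }
}
```

In a JavaScript host the unprotected version ends in a catchable `RangeError`; in an engine's native join the same unbounded recursion is the crash the commit fixes.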
| | | |
|---|---|---|
| Array | ||
| BigInt | ||
| Boolean | ||
| Date | ||
| Error | ||
| Function | ||
| functions | ||
| Infinity | ||
| JSON | ||
| Math | ||
| NaN | ||
| Number | ||
| Object | ||
| Proxy | ||
| Reflect | ||
| RegExp | ||
| String | ||
| Symbol | ||