mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-11-25 09:00:22 +00:00
0603402c80
This fixes Array.prototype.{join,toString}() crashing with arrays
containing themselves, i.e. circular references.
The spec is suspiciously silent about this, and indeed engine262, a
"100% spec compliant" ECMA-262 implementation, can't handle these cases.
I had a look at some major engines instead and they all seem to keep
track or check for circular references and return an empty string for
already seen objects.
- SpiderMonkey: "AutoCycleDetector detector(cx, obj)"
- V8: "CycleProtectedArrayJoin<JSArray>(...)"
- JavaScriptCore: "StringRecursionChecker checker(globalObject, thisObject)"
- ChakraCore: "scriptContext->CheckObject(thisArg)"
To keep things simple & consistent this uses the same pattern as
JSONObject, MarkupGenerator and js: simply putting each seen object in a
HashTable<Object*>.
Fixes #3929.
|
||
|---|---|---|
| .. | ||
| Heap | ||
| Runtime | ||
| Tests | ||
| AST.cpp | ||
| AST.h | ||
| CMakeLists.txt | ||
| Console.cpp | ||
| Console.h | ||
| Forward.h | ||
| Interpreter.cpp | ||
| Interpreter.h | ||
| Lexer.cpp | ||
| Lexer.h | ||
| MarkupGenerator.cpp | ||
| MarkupGenerator.h | ||
| Parser.cpp | ||
| Parser.h | ||
| Token.cpp | ||
| Token.h | ||