LibJS: Handle getter exception in JSONObject::serialize_json_property()

In the case of an exception in a property getter function we would not return early, and a subsequent attempt to call the replacer function would crash the interpreter due to call_internal() asserting. Fixes #3548.
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/c0e4353bde8 Pull-request: https://github.com/SerenityOS/serenity/pull/3551 Issue: https://github.com/SerenityOS/serenity/issues/3548
2025-04-21 03:55:24 +00:00 · 2020-09-19 12:57:31 +01:00 · 2020-09-19 12:57:31 +01:00 · c0e4353bde · 2024-07-19 02:20:17 +09:00
commit c0e4353bde
parent e1965a5a8e
2 changed files with 12 additions and 0 deletions
--- a/Libraries/LibJS/Runtime/JSONObject.cpp
+++ b/Libraries/LibJS/Runtime/JSONObject.cpp
@ -150,6 +150,8 @@ JS_DEFINE_NATIVE_FUNCTION(JSONObject::stringify)
 String JSONObject::serialize_json_property(Interpreter& interpreter, StringifyState& state, const PropertyName& key, Object* holder)
 {
    auto value = holder->get(key);
+    if (interpreter.exception())
+        return {};
    if (value.is_object()) {
        auto to_json = value.as_object().get("toJSON");
        if (interpreter.exception())
--- a/Libraries/LibJS/Tests/builtins/JSON/JSON.stringify-exception-in-property-getter.js
+++ b/Libraries/LibJS/Tests/builtins/JSON/JSON.stringify-exception-in-property-getter.js
@ -0,0 +1,10 @@
+test("Issue #3548, exception in property getter with replacer function", () => {
+    const o = {
+        get foo() {
+            throw Error();
+        },
+    };
+    expect(() => {
+        JSON.stringify(o, (_, value) => value);
+    }).toThrow(Error);
+});