From c0e4353bde882f86c5d7ff70f01cb91834b5b8ea Mon Sep 17 00:00:00 2001
From: Linus Groh
Date: Sat, 19 Sep 2020 12:57:31 +0100
Subject: [PATCH] LibJS: Handle getter exception in JSONObject::serialize_json_property()

In the case of an exception in a property getter function we would not return early, and a subsequent attempt to call the replacer function would crash the interpreter due to call_internal() asserting.

Fixes #3548.
---
 Libraries/LibJS/Runtime/JSONObject.cpp | 2 ++
 .../JSON.stringify-exception-in-property-getter.js | 10 ++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 Libraries/LibJS/Tests/builtins/JSON/JSON.stringify-exception-in-property-getter.js

diff --git a/Libraries/LibJS/Runtime/JSONObject.cpp b/Libraries/LibJS/Runtime/JSONObject.cpp
index aea0030a364..841565e5da7 100644
--- a/Libraries/LibJS/Runtime/JSONObject.cpp
+++ b/Libraries/LibJS/Runtime/JSONObject.cpp
@@ -150,6 +150,8 @@ JS_DEFINE_NATIVE_FUNCTION(JSONObject::stringify)
 String JSONObject::serialize_json_property(Interpreter& interpreter, StringifyState& state, const PropertyName& key, Object* holder)
 {
 auto value = holder->get(key);
+ if (interpreter.exception())
+ return {};
 if (value.is_object()) {
 auto to_json = value.as_object().get("toJSON");
 if (interpreter.exception())
diff --git a/Libraries/LibJS/Tests/builtins/JSON/JSON.stringify-exception-in-property-getter.js b/Libraries/LibJS/Tests/builtins/JSON/JSON.stringify-exception-in-property-getter.js
new file mode 100644
index 00000000000..18845f842bf
--- /dev/null
+++ b/Libraries/LibJS/Tests/builtins/JSON/JSON.stringify-exception-in-property-getter.js
@@ -0,0 +1,10 @@
+test("Issue #3548, exception in property getter with replacer function", () => {
+ const o = {
+ get foo() {
+ throw Error();
+ },
+ };
+ expect(() => {
+ JSON.stringify(o, (_, value) => value);
+ }).toThrow(Error);
+});
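Review bot: The new early return after `holder->get(key)` in JSONObject.cpp carries no comment saying that `get()` can run a script-defined getter, which is why the check has to sit before `value` is inspected or the replacer is called. I would add `// get() may invoke a user-defined getter that throws; bail out before using value or calling the replacer.` above the `if`. The returned `{}` is presumably a null String acting as an error sentinel, so callers have to test `interpreter.exception()` rather than the result; it is worth confirming each caller does. Other property reads in this file that can reach script code are not visible in this hunk and deserve the same audit, since an assertion that script can trigger is a denial of service on the interpreter. serialize_json_property's body continues outside the hunk.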
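Review bot: The new test file pins only a throwing getter on the top-level object passed to `JSON.stringify`, so a getter that throws one level down is not covered. Nested values presumably reach the same serialize_json_property path through the object serializer, and a second assertion would keep that route from regressing: `expect(() => { JSON.stringify({ a: o }, (_, value) => value); }).toThrow(Error);`. A case without a replacer function would also document that the exception propagates on that path.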