[JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 18 Jul 2018 18:31:09 +0000 (18:31 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 18 Jul 2018 18:31:09 +0000 (18:31 +0000)
commitad2577223c58ad6247944e123ca327e497ff5362
treeca7b8c11fa7ffd9e09faa42b3997b38423b6f109
parent3e45e0d1c3c45369d3d1db380bf3ea125665f66d
[JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
https://bugs.webkit.org/show_bug.cgi?id=187755

Reviewed by Mark Lam.

JSTests:

* stress/json-stringify-gap-calculation-should-be-after-replacer-check.js: Added.
(shouldThrow):
(shouldThrow.string.toString):
* test262/expectations.yaml:

Source/JavaScriptCore:

JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
makes one test262 test failed.

This patch changes the code to using `isArray()`. And we reorder the evaluations of replacer check and ident space check
to align these checks to the spec's order.

[1]: https://tc39.github.io/ecma262/#sec-json.stringify

* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233918 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/json-stringify-gap-calculation-should-be-after-replacer-check.js [new file with mode: 0644]
JSTests/test262/expectations.yaml
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSONObject.cpp