Google Git
Sign in
chromium / v8 / v8 / d0e889b07db78de8017cb939a794e8722f757a86^! / .
commitd0e889b07db78de8017cb939a794e8722f757a86[log] [tgz]
authorJakob Kummerow <jkummerow@chromium.org>Tue May 14 09:35:06 2019
committerCommit Bot <commit-bot@chromium.org>Tue May 14 11:53:07 2019
tree972c9a6600875a8cc8005698d2fa21d09b5c1acf
parentea575e8283d07784ef9f8b7c60ae1d87175f0477 [diff]
[bigint] Fix toJSON function lookup

When looking up toJSON function presence on the BigInt prototype,
we must pass the original primitive value as the receiver to any
getter calls. Thanks to the magic of the LookupIterator, this is
actually easier than the alternative.

Bug: v8:9048
Change-Id: I72e144dbfa2862df479fd4deee40acd5dd468243
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1611538
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61475}

diff --git a/src/json-stringifier.cc b/src/json-stringifier.cc
index a7d8e66..7ac611d 100644
--- a/src/json-stringifier.cc
+++ b/src/json-stringifier.cc

@@ -322,21 +322,13 @@
                                                          Handle<Object> key) {
   HandleScope scope(isolate_);
 
-  Handle<Object> object_for_lookup = object;
-  if (object->IsBigInt()) {
-    ASSIGN_RETURN_ON_EXCEPTION(isolate_, object_for_lookup,
-                               Object::ToObject(isolate_, object), Object);
-  }
-  DCHECK(object_for_lookup->IsJSReceiver());
-
-  // Retrieve toJSON function.
+  // Retrieve toJSON function. The LookupIterator automatically handles
+  // the ToObject() equivalent ("GetRoot") if {object} is a BigInt.
   Handle<Object> fun;
-  {
-    LookupIterator it(isolate_, object_for_lookup, tojson_string_,
-                      LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
-    ASSIGN_RETURN_ON_EXCEPTION(isolate_, fun, Object::GetProperty(&it), Object);
-    if (!fun->IsCallable()) return object;
-  }
+  LookupIterator it(isolate_, object, tojson_string_,
+                    LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
+  ASSIGN_RETURN_ON_EXCEPTION(isolate_, fun, Object::GetProperty(&it), Object);
+  if (!fun->IsCallable()) return object;
 
   // Call toJSON function.
   if (key->IsSmi()) key = factory()->NumberToString(key);

diff --git a/test/test262/test262.status b/test/test262/test262.status
index af41354..6a28e04 100644
--- a/test/test262/test262.status
+++ b/test/test262/test262.status

@@ -521,9 +521,6 @@
   # https://bugs.chromium.org/p/v8/issues/detail?id=9047
   'annexB/built-ins/Function/createdynfn-no-line-terminator-html-close-comment-body': [FAIL],
 
-  # https://bugs.chromium.org/p/v8/issues/detail?id=9048
-  'built-ins/JSON/stringify/bigint-tojson-receiver': [FAIL],
-
   # https://bugs.chromium.org/p/v8/issues/detail?id=9049
   'language/comments/hashbang/use-strict': [SKIP],