Linus Groh 00b8ce4a6d LibJS: Pass this value to fallback func in Array.prototype.toString() ...

The existing code looks innocently correct, implementing the following
step:

    3. If IsCallable(func) is false, set func to the intrinsic function
       %Object.prototype.toString%.

as

    return ObjectPrototype::to_string(vm, global_object);

However, this misses the fact that the next step calls the function with
the previously ToObject()'d this value (`array`):

    4. Return ? Call(func, array).

This doesn't happen in the current implementation, which will use the
unaltered this value from the Array.prototype.toString() call, and make
another, unequal object in %Object.prototype.toString%. Since both that
and Array.prototype.toString() do a Get() call on said object, this
behavior is observable (see newly added test).

Fix this by actually doing what the spec says and calling the fallback
function the regular way.

2022-04-12 00:23:27 +01:00

31 KiB

Raw Blame History

View Raw