Fix error handling in SerializeJSONProperty (#3816)

dbatyai · web-flow · commit d06c3a7f5090 · 2020-05-30T19:46:52.000+02:00
Fixes #3813. JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai@inf.u-szeged.hu
diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-json.c b/jerry-core/ecma/builtin-objects/ecma-builtin-json.c
@@ -1186,36 +1186,36 @@ ecma_builtin_json_serialize_property (ecma_json_stringify_context_t *context_p,
     ecma_object_t *obj_p = ecma_get_object_from_value (value);
     lit_magic_string_id_t class_name = ecma_object_get_class_name (obj_p);
 
-    ecma_value_t result = ECMA_VALUE_EMPTY;
-
     /* 5.a */
     if (class_name == LIT_MAGIC_STRING_NUMBER_UL)
     {
-      result = ecma_op_to_number (value);
+      value = ecma_op_to_number (value);
+      ecma_deref_object (obj_p);
+
+      if (ECMA_IS_VALUE_ERROR (value))
+      {
+        return value;
+      }
     }
     /* 5.b */
     else if (class_name == LIT_MAGIC_STRING_STRING_UL)
     {
       ecma_string_t *str_p = ecma_op_to_string (value);
-      result = ecma_make_string_value (str_p);
+      ecma_deref_object (obj_p);
+
+      if (JERRY_UNLIKELY (str_p == NULL))
+      {
+        return ECMA_VALUE_ERROR;
+      }
+
+      value = ecma_make_string_value (str_p);
     }
     /* 5.c */
     else if (class_name == LIT_MAGIC_STRING_BOOLEAN_UL)
     {
       ecma_extended_object_t *ext_object_p = (ecma_extended_object_t *) obj_p;
-      result = ext_object_p->u.class_prop.u.value;
-    }
-
-    if (!ecma_is_value_empty (result))
-    {
+      value = ext_object_p->u.class_prop.u.value;
       ecma_deref_object (obj_p);
-
-      if (ECMA_IS_VALUE_ERROR (result))
-      {
-        return result;
-      }
-
-      value = result;
     }
   }
 
diff --git a/tests/jerry/regression-test-issue-3813.js b/tests/jerry/regression-test-issue-3813.js
@@ -0,0 +1,23 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var o = Object("str");
+o.toString = function() { throw "toString error" };
+
+try {
+  JSON.stringify(o);
+  assert(false);
+} catch (e) {
+  assert(e === "toString error");
+}
