<html>
    <head>
      <base href="https://bugs.webkit.org/">
    </head>
    <body><span class="vcard"><a class="email" href="mailto:ysuzuki@apple.com" title="Yusuke Suzuki <ysuzuki@apple.com>"> <span class="fn">Yusuke Suzuki</span></a>
</span> changed
          <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - JSON.parse incorrectly handles array proxies"
   href="https://bugs.webkit.org/show_bug.cgi?id=199292">bug 199292</a>
          <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">CC</td>
           <td>
                
           </td>
           <td>ysuzuki@apple.com
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Attachment #373059 Flags</td>
           <td>review?, commit-queue?
           </td>
           <td>review-, commit-queue-
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - JSON.parse incorrectly handles array proxies"
   href="https://bugs.webkit.org/show_bug.cgi?id=199292#c2">Comment # 2</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - JSON.parse incorrectly handles array proxies"
   href="https://bugs.webkit.org/show_bug.cgi?id=199292">bug 199292</a>
              from <span class="vcard"><a class="email" href="mailto:ysuzuki@apple.com" title="Yusuke Suzuki <ysuzuki@apple.com>"> <span class="fn">Yusuke Suzuki</span></a>
</span></b>
        <pre>Comment on <span class=""><a href="attachment.cgi?id=373059&action=diff" name="attach_373059" title="Patch">attachment 373059</a> <a href="attachment.cgi?id=373059&action=edit" title="Patch">[details]</a></span>
Patch

View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=373059&action=review">https://bugs.webkit.org/attachment.cgi?id=373059&action=review</a>

<span class="quote">> Source/JavaScriptCore/ChangeLog:9
> +        1. Use isArray to correctly detect proxied arrays.
> +        2. Make "length" lookup observable to array proxies and handle exceptions.</span >

Let's add each test in addition to test262 to ensure this behavior.

<span class="quote">> Source/JavaScriptCore/runtime/JSONObject.cpp:675
> +                ASSERT(isArray(m_exec, inValue));
>                  if (markedStack.size() > maximumFilterRecursion)
>                      return throwStackOverflowError(m_exec, scope);
>  
> -                JSArray* array = asArray(inValue);
> +                auto array = asObject(inValue);
>                  markedStack.appendWithCrashOnOverflow(array);
> -                arrayLengthStack.append(array->length());
> +                unsigned length = isJSArray(array)
> +                    ? asArray(array)->length()
> +                    : array->get(m_exec, vm.propertyNames->length).toUInt32(m_exec);
> +                RETURN_IF_EXCEPTION(scope, { });
> +                arrayLengthStack.append(length);</span >
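
Review bot: The `ASSERT(isArray(m_exec, inValue))` at JSONObject.cpp:675 executes `isArray`, which for a Proxy runs user-observable code and throws on a revoked proxy, so a debug build performs an extra observable operation (and leaves an unchecked exception) that a release build does not; assert on a flag computed by the single `isArray` call that selected this branch, or drop the assert. In the `length` lookup, the exception check belongs directly after `array->get(m_exec, vm.propertyNames->length)`, before `.toUInt32(m_exec)` is applied to its result, and `toUInt32` can itself run user code (ToPrimitive) and throw, so it needs its own `RETURN_IF_EXCEPTION` rather than sharing the one after it. Also, SerializeJSONArray in the spec takes the length with LengthOfArrayLike (ToLength), which differs from ToUInt32 for values at or above 2^32; if ToUInt32 is intended here, a comment saying why would help.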

`isArray` is a user-observable, side-effecting operation. When we encounter a revoked Proxy, we throw an error.
So,

1. When `isArray` is used, we need to do error handling correctly.
2. Since this error is observable (e.g., throwing an error before or after other operations, which users can observe), when `isArray` is called becomes important.

Is this `isArray()` call specified in the spec?</pre>
        </div>
      </p>
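<p>An added example in JavaScript, not code from the patch or from WebKit: a Proxy with a recording <code>get</code> trap shows which property reads <code>JSON.stringify</code> performs on a proxied array (the <code>toJSON</code> lookup, then <code>length</code>, then each index), that the <code>length</code> the trap returns is what drives serialization, and that a revoked Proxy throws at the first of those observable reads. The names <code>observeStringify</code> and <code>stringifyRevoked</code> are my own.</p>

```javascript
// Added example (not from the WebKit patch): record the property reads that
// JSON.stringify performs on an array Proxy, which is exactly what the review
// says must be ordered and error-checked correctly in the engine.
function observeStringify(target, overrides = {}) {
  const keys = [];
  const proxy = new Proxy(target, {
    get(t, key, receiver) {
      keys.push(String(key));
      // Let the trap lie about selected properties (e.g. "length") so the
      // caller can see that the serializer honours the trap's answer.
      if (Object.prototype.hasOwnProperty.call(overrides, key)) {
        return overrides[key];
      }
      return Reflect.get(t, key, receiver);
    },
  });
  return { json: JSON.stringify(proxy), keys };
}

// A revoked Proxy: the very first observable step (the "toJSON" lookup)
// already throws a TypeError, before IsArray or the "length" read is reached.
function stringifyRevoked() {
  const { proxy, revoke } = Proxy.revocable([1, 2], {});
  revoke();
  try {
    JSON.stringify(proxy);
    return null; // not expected: a revoked proxy must throw
  } catch (e) {
    return e.constructor.name;
  }
}

// Stand-alone run: prints the recorded key order and the error class.
if (typeof require !== "undefined" && require.main === module) {
  console.log(observeStringify([1, 2]));            // keys: toJSON, length, 0, 1
  console.log(observeStringify([1, 2, 3], { length: 2 })); // json: "[1,2]"
  console.log(stringifyRevoked());                  // TypeError
}
```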


    </body>
</html>