QtQml: Avoid infinite recursion in Array.joinHEADdev

So far, self-referencing arrays can lead to infinite recursion in
Array.join. The standard allows us to throw an exception in this case,
just like we already do in ObjectPrototype.toString(). This is not what
browsers do, but arguably they are diverging from the spec.

Pick-to: 6.10 6.9 6.8 6.5
Fixes: QTBUG-124157
Change-Id: Iac241a90ba7e583e53f52ec635add7b5cf05b200
Reviewed-by: Ulf Hermann <[email protected]>
Reviewed-by: Fabian Kosmale <[email protected]>

1 files changed, 15 insertions, 0 deletions

diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 3a30c52df4..2b04e6824f 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -291,6 +291,7 @@ private slots:
     void jsonStringifyHugeArray();
 
     void tostringRecursionCheck();
+    void arrayJoinRecursionCheck();
     void arrayIncludesWithLargeArray();
     void printCircularArray();
     void typedArraySet();
@@ -5571,6 +5572,20 @@ void tst_QJSEngine::tostringRecursionCheck()
     }
     main();
     )js");
+
+    QVERIFY(value.isError());
+    QCOMPARE(value.toString(), QLatin1String("RangeError: Maximum call stack size exceeded."));
+}
+
+void tst_QJSEngine::arrayJoinRecursionCheck()
+{
+    QJSEngine engine;
+    auto value = engine.evaluate(R"js(
+    a=[0,1];
+    a[0]=a;
+    a+0
+    )js");
+
     QVERIFY(value.isError());
     QCOMPARE(value.toString(), QLatin1String("RangeError: Maximum call stack size exceeded."));
 }