Merged: [json] Need stack run if object is JS_PRIMITIVE_WRAPPER_TYPE

Fixed: chromium:1480765
(cherry picked from commit cb9bfb5)

Change-Id: Ifc69c612ee5a851ee46d403ef827cc2ff045093a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4866326
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>
Auto-Submit: Jakob Kummerow <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>
Cr-Commit-Position: refs/branch-heads/11.8@{v8#8}
Cr-Branched-From: 935bdbf-refs/heads/11.8.172@{#1}
Cr-Branched-From: b82a911-refs/heads/main@{#89779}

src/json/json-stringifier.cc

@@ -836,6 +836,10 @@ JsonStringifier::Result JsonStringifier::Serialize_(Handle<Object> object,
       if (deferred_string_key) SerializeDeferredKey(comma, key);
       return SerializeJSArray(Handle<JSArray>::cast(object), key);
     case JS_PRIMITIVE_WRAPPER_TYPE:
+      if (!need_stack_) {
+        need_stack_ = true;
+        return NEED_STACK;
+      }
       if (deferred_string_key) SerializeDeferredKey(comma, key);
       return SerializeJSPrimitiveWrapper(
           Handle<JSPrimitiveWrapper>::cast(object), key);

test/mjsunit/json2.js

@@ -195,3 +195,23 @@ var o = {};
 o.somespecialproperty = 10;
 o["\x19"] = 10;
 assertThrows("JSON.parse('{\"somespecialproperty\":100, \"\x19\":10}')");
+
+let exception_count = 0;
+function foo(v) {
+  try {
+    v["set-i32"];
+  } catch (e) {
+    exception_count++;
+  }
+  try {
+    JSON.stringify(v);
+  } catch (e) {}
+}
+let obj1 = Object('2');
+obj1.__proto__ = { toString: function () {} };
+Object.defineProperty(obj1, "toString", {value: foo});
+%EnsureFeedbackVectorForFunction(foo);
+foo(obj1);
+assertEquals(1, exception_count);
+foo({obj1, b: { toJSON: function () {} }});
+assertEquals(2, exception_count);