Array.prototype.toString does not have recursion stopper.

[hashseed]

Consider following code:

var a = [];
a.push(a);

a.toString()  // returns empty string.

The reason is that we track in a stack whether the array is cyclic. However, the spec doesn't prescribe this recursion check [0]. In fact, I would expect a stack overflow to occur.

Now consider following code:

var counter = 0;

var side_effect_observer = {
  toString() {
    if (counter++ == 0) {
      return array.toString();
    } else {
      return "a";
    }
  }
}

var array = [ side_effect_observer ];

array.toString();  // returns empty string.

Now arguably we do not have a cyclic array, just a recursion that does terminate. I would expect the result to be "a". V8 uses a global stack data structure to track recursion. Presumably this is implemented similarly in JSC and SpiderMonkey.

There is also this esdiscuss thread [1] that discusses this, with the conclusion that this should be spec'ed. Nothing happend since then.

Is this something we want to fix, or do we recoil in fear of breaking the web? If we want to fix, how do we deal with the second example?

[0] https://tc39.github.io/ecma262/#sec-array.prototype.join
[1] https://esdiscuss.org/topic/15-4-4-5-array-prototype-join

[hashseed]

Originally filed here: https://bugs.chromium.org/p/v8/issues/detail?id=5952

[anba]

Dup of #289?

[ljharb]

Thanks! Closing as a duplicate of #289.