Fix eval hoisting and property descriptor handling

- Implement CreateGlobalVarBinding configurable flag for indirect eval in `hoist_name`.
- Implement CreateGlobalFunctionBinding semantics and add hoist traces (`hoist_declarations`).
- Harden `check_global_declarations` to follow DefinePropertyOrThrow rules (accessor/non-writable checks).
- Update `define_property_internal` to accept borrowed key, enforce configurable/writable/enumerable flags and update property attributes correctly.
- Remove creation of own `__proto__` property in `set_internal_prototype_from_constructor`.
- Add recursion depth guard to JSON serialization to avoid stack overflows.
- Add `PropertyKey` conversions from `Value` and helpers to `JSObjectData` for writable/configurable/enumerable.
- Add `Object.prototype.propertyIsEnumerable` builtin.
- Handle environment binding descriptors in `evaluate_var`.

Author: ssrlive

src/core/eval.rs

@@ -753,7 +753,25 @@ fn hoist_name<'gc>(mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>, name:
         }
     }
     if env_get_own(&target_env, name).is_none() {
-        env_set(mc, &target_env, name, Value::Undefined)?;
+        // If target is global object, use CreateGlobalVarBinding semantics
+        // For indirect eval, CreateGlobalVarBinding(..., true) should be used which creates
+        // a configurable=true property. Detect indirect eval marker on the global env.
+        if target_env.borrow().prototype.is_none() {
+            let deletable = if let Some(flag) = crate::core::object_get_key_value(&target_env, "__is_indirect_eval") {
+                matches!(*flag.borrow(), Value::Boolean(true))
+            } else {
+                false
+            };
+            let key = PropertyKey::String(name.to_string());
+            let desc_obj = crate::core::new_js_object_data(mc);
+            object_set_key_value(mc, &desc_obj, "value", Value::Undefined)?;
+            object_set_key_value(mc, &desc_obj, "writable", Value::Boolean(true))?;
+            object_set_key_value(mc, &desc_obj, "enumerable", Value::Boolean(true))?;
+            object_set_key_value(mc, &desc_obj, "configurable", Value::Boolean(deletable))?;
+            crate::js_object::define_property_internal(mc, &target_env, &key, &desc_obj)?;
+        } else {
+            env_set(mc, &target_env, name, Value::Undefined)?;
+        }
     }
     Ok(())
 }
@@ -889,6 +907,11 @@ fn hoist_declarations<'gc>(mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>
     for stmt in statements {
         if let StatementKind::FunctionDeclaration(name, params, body, is_generator, is_async) = &*stmt.kind {
             let mut body_clone = body.clone();
+            log::trace!(
+                "hoist_declarations: found function declaration '{}'; exec env proto is_none={}",
+                name,
+                env.borrow().prototype.is_none()
+            );
             if *is_generator {
                 // Create a generator function object (hoisted)
                 let func_obj = crate::core::new_js_object_data(mc);
@@ -959,8 +982,38 @@ fn hoist_declarations<'gc>(mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>
                 let func = evaluate_function_expression(mc, env, None, params, &mut body_clone)?;
                 if let Value::Object(func_obj) = &func {
                     object_set_key_value(mc, func_obj, "name", Value::String(utf8_to_utf16(name)))?;
+                    // CreateGlobalFunctionBinding semantics when executing in the global environment
+                    let key = crate::core::PropertyKey::String(name.clone());
+                    if env.borrow().prototype.is_none() {
+                        let existing = crate::core::get_own_property(env, &key);
+                        log::trace!(
+                            "hoist_declarations: creating global function binding for '{}' existing={:?} is_configurable={}",
+                            name,
+                            existing,
+                            env.borrow().is_configurable(&key)
+                        );
+                        if existing.is_none() || env.borrow().is_configurable(&key) {
+                            let desc_obj = crate::core::new_js_object_data(mc);
+                            object_set_key_value(mc, &desc_obj, "value", Value::Object(*func_obj))?;
+                            object_set_key_value(mc, &desc_obj, "writable", Value::Boolean(true))?;
+                            object_set_key_value(mc, &desc_obj, "enumerable", Value::Boolean(true))?;
+                            object_set_key_value(mc, &desc_obj, "configurable", Value::Boolean(true))?;
+                            crate::js_object::define_property_internal(mc, env, &key, &desc_obj)?;
+                        } else {
+                            let desc_obj = crate::core::new_js_object_data(mc);
+                            object_set_key_value(mc, &desc_obj, "value", Value::Object(*func_obj))?;
+                            crate::js_object::define_property_internal(mc, env, &key, &desc_obj)?;
+                        }
+                        log::trace!(
+                            "hoist_declarations: after create binding is_configurable={}",
+                            env.borrow().is_configurable(&key)
+                        );
+                    } else {
+                        env_set(mc, env, name, Value::Object(*func_obj))?;
+                    }
+                } else {
+                    env_set(mc, env, name, func)?;
                 }
-                env_set(mc, env, name, func)?;
             }
         }
     }
@@ -5232,11 +5285,31 @@ fn check_global_declarations<'gc>(env: &JSObjectDataPtr<'gc>, statements: &[Stat
     // Check in reverse order as per spec semantics
     for name in fn_names.iter().rev() {
         let key = crate::core::PropertyKey::String(name.clone());
-        if crate::core::get_own_property(env, &key).is_some() && !env.borrow().is_configurable(&key) {
-            return Err(EvalError::Js(crate::raise_type_error!(format!(
-                "Cannot declare global function '{}'",
-                name
-            ))));
+        if let Some(existing_rc) = crate::core::get_own_property(env, &key) {
+            // If it's configurable we can replace it freely
+            if env.borrow().is_configurable(&key) {
+                continue;
+            }
+
+            // If the existing property is an accessor, defining a data value would be incompatible
+            let existing_is_accessor = match &*existing_rc.borrow() {
+                crate::core::Value::Property { getter, setter, .. } => getter.is_some() || setter.is_some(),
+                crate::core::Value::Getter(..) | crate::core::Value::Setter(..) => true,
+                _ => false,
+            };
+
+            if existing_is_accessor {
+                return Err(EvalError::Js(crate::raise_type_error!(format!(
+                    "Cannot declare global function '{name}'"
+                ))));
+            }
+
+            // If it's a non-writable data property and non-configurable, we cannot change its value
+            if !env.borrow().is_writable(&key) {
+                return Err(EvalError::Js(crate::raise_type_error!(format!(
+                    "Cannot declare global function '{name}'"
+                ))));
+            }
         }
     }
     Ok(())
@@ -7521,13 +7594,43 @@ pub fn evaluate_expr<'gc>(mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>,
     }
 }
 
-fn evaluate_var<'gc>(_mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>, name: &str) -> Result<Value<'gc>, JSError> {
+fn evaluate_var<'gc>(mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>, name: &str) -> Result<Value<'gc>, JSError> {
+    // env_get returns the raw stored slot. If a property descriptor (Value::Property) was installed
+    // via DefinePropertyOrThrow, unwrap the stored value. For accessor descriptors, call accessor.
     if let Some(val_ptr) = env_get(env, name) {
         let val = val_ptr.borrow().clone();
         if let Value::Uninitialized = val {
             return Err(raise_reference_error!(format!("Cannot access '{}' before initialization", name)));
         }
-        return Ok(val);
+        match val {
+            Value::Property {
+                value: Some(v),
+                getter: _,
+                setter: _,
+            } => return Ok(v.borrow().clone()),
+            Value::Property {
+                value: None,
+                getter: _,
+                setter: _,
+            } => return Ok(Value::Undefined),
+            Value::Getter(..) | Value::Setter(..) => {
+                // Unlikely for environment bindings, but support by delegating to accessor call
+                // Use helper to invoke accessor and return its result
+                if let Some(val_rc) = env_get(env, name)
+                    && let Value::Getter(..) = &*val_rc.borrow()
+                {
+                    // Call the getter accessor
+                    let obj_key = PropertyKey::String(name.to_string());
+                    let res = get_property_with_accessors(mc, env, env, &obj_key).map_err(|e| match e {
+                        EvalError::Js(js) => js,
+                        _ => raise_eval_error!("Accessor invocation failed"),
+                    })?;
+                    return Ok(res);
+                }
+                return Err(raise_eval_error!("Accessor not supported on environment binding"));
+            }
+            other => return Ok(other),
+        }
     }
     Err(raise_reference_error!(format!("{} is not defined", name)))
 }

src/core/mod.rs

@@ -534,15 +534,8 @@ pub fn set_internal_prototype_from_constructor<'gc>(
         // set internal prototype pointer (store Weak to avoid cycles)
         log::trace!("setting prototype for ctor='{}' proto_obj={:p}", ctor_name, Gc::as_ptr(proto_obj));
         obj.borrow_mut(mc).prototype = Some(proto_obj);
-        // Also set the `__proto__` own property so `obj.__proto__` accesses match expectations
-        match object_set_key_value(mc, obj, "__proto__", Value::Object(proto_obj)) {
-            Ok(_) => {
-                // __proto__ should be non-enumerable
-                obj.borrow_mut(mc).set_non_enumerable(PropertyKey::from("__proto__"));
-                log::trace!("set_internal_prototype_from_constructor: set __proto__ own property");
-            }
-            Err(e) => log::trace!("set_internal_prototype_from_constructor: failed to set __proto__: {:?}", e),
-        }
+        // Do not create an own `__proto__` property for this helper; only set the internal prototype pointer.
+        log::trace!("set_internal_prototype_from_constructor: set internal prototype pointer");
     }
     Ok(())
 }

src/core/property_key.rs

@@ -1,5 +1,5 @@
-use crate::core::SymbolData;
 use crate::core::{Collect, Gc};
+use crate::core::{SymbolData, Value};
 
 #[derive(Clone, Debug, Collect)]
 #[collect(no_drop)]
@@ -53,6 +53,21 @@ impl<'gc> From<&String> for PropertyKey<'gc> {
     }
 }
 
+impl<'gc> From<&Value<'gc>> for PropertyKey<'gc> {
+    fn from(v: &Value<'gc>) -> Self {
+        match v {
+            Value::Symbol(sd) => PropertyKey::Symbol(*sd),
+            other => PropertyKey::String(crate::core::value_to_string(other)),
+        }
+    }
+}
+
+impl<'gc> From<Value<'gc>> for PropertyKey<'gc> {
+    fn from(v: Value<'gc>) -> Self {
+        PropertyKey::from(&v)
+    }
+}
+
 impl<'gc> PartialEq for PropertyKey<'gc> {
     fn eq(&self, other: &Self) -> bool {
         match (self, other) {

src/core/value.rs

@@ -176,9 +176,19 @@ impl<'gc> JSObjectData<'gc> {
     pub fn set_non_configurable(&mut self, key: PropertyKey<'gc>) {
         self.non_configurable.insert(key);
     }
+
+    pub fn set_configurable(&mut self, key: PropertyKey<'gc>) {
+        self.non_configurable.remove(&key);
+    }
+
     pub fn set_non_writable(&mut self, key: PropertyKey<'gc>) {
         self.non_writable.insert(key);
     }
+
+    pub fn set_writable(&mut self, key: PropertyKey<'gc>) {
+        self.non_writable.remove(&key);
+    }
+
     pub fn is_const(&self, key: &str) -> bool {
         self.constants.contains(key)
     }
@@ -257,6 +267,10 @@ impl<'gc> JSObjectData<'gc> {
         self.non_enumerable.insert(key);
     }
 
+    pub fn set_enumerable(&mut self, key: PropertyKey<'gc>) {
+        self.non_enumerable.remove(&key);
+    }
+
     pub fn is_configurable(&self, key: &PropertyKey<'gc>) -> bool {
         !self.non_configurable.contains(key)
     }
@@ -672,7 +686,14 @@ pub fn value_to_string<'gc>(val: &Value<'gc>) -> String {
         Value::DataView(_) => "[object DataView]".to_string(),
         Value::TypedArray(_) => "[object TypedArray]".to_string(),
         Value::Property { .. } => "[Property]".to_string(),
-        _ => "[unknown]".to_string(),
+        Value::Symbol(sym) => {
+            if let Some(desc) = &sym.description {
+                format!("Symbol({desc})")
+            } else {
+                "Symbol()".to_string()
+            }
+        }
+        Value::Uninitialized => "[uninitialized]".to_string(),
     }
 }
 

src/js_function.rs

@@ -2,7 +2,7 @@ use crate::core::{
     ClosureData, EvalError, Expr, Gc, JSObjectDataPtr, MutationContext, Statement, StatementKind, Value, evaluate_expr,
     has_own_property_value, new_js_object_data, prepare_function_call_env,
 };
-use crate::core::{object_get_key_value, object_set_key_value};
+use crate::core::{PropertyKey, object_get_key_value, object_set_key_value};
 use crate::error::{JSError, JSErrorKind};
 use crate::js_array::handle_array_constructor;
 use crate::js_class::prepare_call_env_with_this;
@@ -97,6 +97,7 @@ pub fn handle_global_function<'gc>(
             )));
         }
         "Object.prototype.hasOwnProperty" => return handle_object_has_own_property(args, env),
+        "Object.prototype.propertyIsEnumerable" => return handle_object_property_is_enumerable(args, env),
         "RegExp.prototype.exec" => {
             if let Some(this_rc) = crate::core::env_get(env, "this") {
                 let this_val = this_rc.borrow().clone();
@@ -1642,6 +1643,30 @@ fn handle_object_has_own_property<'gc>(args: &[Value<'gc>], env: &JSObjectDataPt
     }
 }
 
+fn handle_object_property_is_enumerable<'gc>(args: &[Value<'gc>], env: &JSObjectDataPtr<'gc>) -> Result<Value<'gc>, EvalError<'gc>> {
+    if args.len() != 1 {
+        return Err(EvalError::Js(raise_eval_error!("propertyIsEnumerable requires one argument")));
+    }
+    let key_val = args[0].clone();
+    let Some(this_rc) = crate::core::env_get(env, "this") else {
+        return Err(EvalError::Js(raise_eval_error!("propertyIsEnumerable called without this")));
+    };
+    let this_val = this_rc.borrow().clone();
+    match this_val {
+        Value::Object(obj) => {
+            // Convert key value to a PropertyKey
+            let key: PropertyKey<'gc> = key_val.into();
+
+            // Check own property and enumerability
+            if crate::core::get_own_property(&obj, &key).is_some() {
+                return Ok(Value::Boolean(obj.borrow().is_enumerable(&key)));
+            }
+            Ok(Value::Boolean(false))
+        }
+        _ => Ok(Value::Boolean(false)),
+    }
+}
+
 pub fn initialize_function<'gc>(mc: &MutationContext<'gc>, env: &JSObjectDataPtr<'gc>) -> Result<(), JSError> {
     let func_ctor = new_js_object_data(mc);
     object_set_key_value(mc, &func_ctor, "name", Value::String(utf8_to_utf16("Function")))?;

src/js_json.rs

@@ -157,22 +157,30 @@ fn js_value_to_json_value<'gc>(mc: &MutationContext<'gc>, js_value: &Value<'gc>)
 
 // Minimal JSON stringifier that respects JS property ordering defined by ordinary_own_property_keys.
 fn js_value_to_json_string<'gc>(mc: &MutationContext<'gc>, v: &Value<'gc>) -> Option<String> {
-    fn escape_json_str(s: &str) -> String {
-        let mut out = String::with_capacity(s.len() + 2);
-        for ch in s.chars() {
-            match ch {
-                '"' => out.push_str("\\\""),
-                '\\' => out.push_str("\\\\"),
-                '\n' => out.push_str("\\n"),
-                '\r' => out.push_str("\\r"),
-                '\t' => out.push_str("\\t"),
-                c if c.is_control() => out.push_str(&format!("\\u{:04x}", c as u32)),
-                c => out.push(c),
-            }
+    inner(mc, v, 0)
+}
+
+fn escape_json_str(s: &str) -> String {
+    let mut out = String::with_capacity(s.len() + 2);
+    for ch in s.chars() {
+        match ch {
+            '"' => out.push_str("\\\""),
+            '\\' => out.push_str("\\\\"),
+            '\n' => out.push_str("\\n"),
+            '\r' => out.push_str("\\r"),
+            '\t' => out.push_str("\\t"),
+            c if c.is_control() => out.push_str(&format!("\\u{:04x}", c as u32)),
+            c => out.push(c),
         }
-        out
     }
+    out
+}
 
+// Inner helper with depth to avoid infinite recursion on cycles
+fn inner<'gc>(mc: &MutationContext<'gc>, v: &Value<'gc>, depth: usize) -> Option<String> {
+    if depth > 32 {
+        return None;
+    }
     match v {
         Value::Undefined => None,
         Value::Boolean(b) => Some(if *b { "true".to_string() } else { "false".to_string() }),
@@ -195,7 +203,7 @@ fn js_value_to_json_string<'gc>(mc: &MutationContext<'gc>, v: &Value<'gc>) -> Op
                 for i in 0..len {
                     let key = i.to_string();
                     if let Some(val_rc) = get_own_property(obj, &key.into()) {
-                        if let Some(item_str) = js_value_to_json_string(mc, &val_rc.borrow()) {
+                        if let Some(item_str) = inner(mc, &val_rc.borrow(), depth + 1) {
                             parts.push(item_str);
                         } else {
                             parts.push("null".to_string());
@@ -214,10 +222,10 @@ fn js_value_to_json_string<'gc>(mc: &MutationContext<'gc>, v: &Value<'gc>) -> Op
                             continue;
                         }
                         if let Some(val_rc) = object_get_key_value(obj, &key) {
-                            if let Some(val_str) = js_value_to_json_string(mc, &val_rc.borrow()) {
+                            if let Some(val_str) = inner(mc, &val_rc.borrow(), depth + 1) {
                                 parts.push(format!("\"{}\":{}", escape_json_str(s), val_str));
                             } else {
-                                // skip undefined/functions
+                                // skip undefined/functions or deep/cyclic values
                             }
                         }
                     }