author | 2023-07-17 04:18:00 -0700 | |
---|---|---|
committer | 2023-07-17 04:18:43 -0700 | |
commit | 55b5aa3571b25fb081d36b007ff6d8bd96151340 (patch) | |
tree | 1d70e2f386f84634e018ae94516920dd285790da | |
parent | 6ca20424d6aee5f68a1383293105473406faad81 (diff) | |
download | bun-55b5aa3571b25fb081d36b007ff6d8bd96151340.tar.gz bun-55b5aa3571b25fb081d36b007ff6d8bd96151340.tar.zst bun-55b5aa3571b25fb081d36b007ff6d8bd96151340.zip |
Fix speculative crashes in console.log(formData) and console.log(headers)
-rw-r--r-- | src/bun.js/bindings/webcore/JSDOMFormData.cpp | 26 | ||||
-rw-r--r-- | src/bun.js/bindings/webcore/JSFetchHeaders.cpp | 28 |
2 files changed, 24 insertions, 30 deletions
diff --git a/src/bun.js/bindings/webcore/JSDOMFormData.cpp b/src/bun.js/bindings/webcore/JSDOMFormData.cpp
index 181b20e45..ca91bd83e 100644
--- a/src/bun.js/bindings/webcore/JSDOMFormData.cpp
+++ b/src/bun.js/bindings/webcore/JSDOMFormData.cpp
@@ -533,16 +533,26 @@ static inline JSC::EncodedJSValue jsDOMFormDataPrototypeFunction_toJSONBody(JSC:
 if (seenKeys.contains(key)) {
 JSValue jsValue = obj->getDirect(vm, ident);
 if (jsValue.isString() || jsValue.inherits<JSBlob>()) {
- GCDeferralContext deferralContext(lexicalGlobalObject->vm());
- JSC::ObjectInitializationScope initializationScope(lexicalGlobalObject->vm());
+ // Make sure this runs before the deferral scope is called.
+ JSValue resultValue = toJSValue(value);
+ ensureStillAliveHere(resultValue);
 
- JSC::JSArray* array = JSC::JSArray::tryCreateUninitializedRestricted(
- initializationScope, &deferralContext,
- lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(JSC::ArrayWithContiguous),
- 2);
+ JSC::JSArray* array = nullptr;
+
+ {
+ GCDeferralContext deferralContext(lexicalGlobalObject->vm());
+ JSC::ObjectInitializationScope initializationScope(lexicalGlobalObject->vm());
+
+ array = JSC::JSArray::tryCreateUninitializedRestricted(
+ initializationScope, &deferralContext,
+ lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(JSC::ArrayWithContiguous),
+ 2);
+ RELEASE_ASSERT(array);
+
+ array->initializeIndex(initializationScope, 0, jsValue);
+ array->initializeIndex(initializationScope, 1, resultValue);
+ }
 
- array->initializeIndex(initializationScope, 0, jsValue);
- array->initializeIndex(initializationScope, 1, toJSValue(value));
 obj->putDirect(vm, ident, array, 0);
 } else if (jsValue.isObject() && jsValue.getObject()->inherits<JSC::JSArray>()) {
 JSC::JSArray* array = jsCast<JSC::JSArray*>(jsValue.getObject());
diff --git a/src/bun.js/bindings/webcore/JSFetchHeaders.cpp b/src/bun.js/bindings/webcore/JSFetchHeaders.cpp
index 6bea5dc84..bb9a14833 100644
--- a/src/bun.js/bindings/webcore/JSFetchHeaders.cpp
+++ b/src/bun.js/bindings/webcore/JSFetchHeaders.cpp
@@ -416,31 +416,15 @@ static inline JSC::EncodedJSValue jsFetchHeadersPrototypeFunction_toJSONBody(JSC
 size_t count = values.size();
 if (count > 0) {
- JSC::JSArray* array = nullptr;
- GCDeferralContext deferralContext(lexicalGlobalObject->vm());
- JSC::ObjectInitializationScope initializationScope(lexicalGlobalObject->vm());
- if ((array = JSC::JSArray::tryCreateUninitializedRestricted(
- initializationScope, &deferralContext,
- lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(JSC::ArrayWithContiguous),
- count))) {
- for (unsigned i = 0; i < count; ++i) {
- array->initializeIndex(initializationScope, i, jsString(vm, values[i]));
- RETURN_IF_EXCEPTION(throwScope, JSValue::encode(jsUndefined()));
- }
- } else {
- array = constructEmptyArray(lexicalGlobalObject, nullptr, count);
- RETURN_IF_EXCEPTION(throwScope, JSValue::encode(jsUndefined()));
- if (!array) {
- throwOutOfMemoryError(lexicalGlobalObject, throwScope);
- return JSValue::encode(jsUndefined());
- }
- for (unsigned i = 0; i < count; ++i) {
- array->putDirectIndex(lexicalGlobalObject, i, jsString(vm, values[i]));
- RETURN_IF_EXCEPTION(throwScope, JSValue::encode(jsUndefined()));
- }
+ JSC::JSArray* array = constructEmptyArray(lexicalGlobalObject, nullptr, count);
+ RETURN_IF_EXCEPTION(throwScope, JSValue::encode(jsUndefined()));
+
+ for (size_t i = 0; i < count; ++i) {
+ array->putDirectIndex(lexicalGlobalObject, i, jsString(vm, values[i]));
 RETURN_IF_EXCEPTION(throwScope, JSValue::encode(jsUndefined()));
 }
+ RETURN_IF_EXCEPTION(throwScope, JSValue::encode(jsUndefined()));
 obj->putDirect(vm, JSC::Identifier::fromString(vm, httpHeaderNameString(HTTPHeaderName::SetCookie).toStringWithoutCopying()), array, 0);
 }
 } |
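Review bot: `RELEASE_ASSERT(array)` after `tryCreateUninitializedRestricted` turns an allocation failure into a process abort, while the same commit's JSFetchHeaders.cpp hunk handles the identical situation by falling back to `constructEmptyArray` and propagating the exception; the FormData path should take the same fallback so a large `toJSON()` under memory pressure throws instead of crashing the process. The new comment `// Make sure this runs before the deferral scope is called.` says when but not why — presumably `toJSValue(value)` may allocate and a GC inside the deferral/initialization scope would observe the still-uninitialized array, so I would write `// toJSValue() may allocate: it must run before GCDeferralContext/ObjectInitializationScope are entered, since the array below is uninitialized inside that scope.`. `ensureStillAliveHere(resultValue)` is placed before the value's last use (`initializeIndex(..., 1, resultValue)`), where it does not extend the lifetime past anything; if it is needed it belongs after that use. jsDOMFormDataPrototypeFunction_toJSONBody starts and ends outside the hunk.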
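Review bot: The `RETURN_IF_EXCEPTION` added after the loop's closing brace is redundant — the loop body already checks after every `putDirectIndex`, and `constructEmptyArray` is checked on the line following it — so it can be dropped. The removed code also guarded `constructEmptyArray` returning null with `throwOutOfMemoryError`; if that helper can signal failure without throwing, the new loop dereferences a null `array`, so either keep an `if (!array)` guard or confirm it always throws before relying on `RETURN_IF_EXCEPTION` alone. Minor: `i` is now `size_t` while `putDirectIndex` takes an `unsigned` index (which the old `unsigned i` loop reflected), so the call narrows implicitly; a `static_cast<unsigned>(i)` or an upper bound on `count` would make that explicit. jsFetchHeadersPrototypeFunction_toJSONBody starts and ends outside the hunk.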