Fix crash in console.log(urlSearchParams) on a URLSearchParams object with a lot of keys

author: Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com> 2023-07-17 04:17:12 -0700
committer: Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com> 2023-07-17 04:18:43 -0700
commit: 6ca20424d6aee5f68a1383293105473406faad81 (patch)
tree: 0a9f088eb91c5cbbf73ebd258dab54a2c9b52985 /src
parent: 36a25c358044b0c9a56a06d8246ae2b5098b3ae4 (diff)
download: bun-6ca20424d6aee5f68a1383293105473406faad81.tar.gz
bun-6ca20424d6aee5f68a1383293105473406faad81.tar.zst
bun-6ca20424d6aee5f68a1383293105473406faad81.zip
1 files changed, 12 insertions, 4 deletions
diff --git a/src/bun.js/bindings/webcore/JSURLSearchParams.cpp b/src/bun.js/bindings/webcore/JSURLSearchParams.cpp
index a99587d40..a988b0518 100644
--- a/src/bun.js/bindings/webcore/JSURLSearchParams.cpp
+++ b/src/bun.js/bindings/webcore/JSURLSearchParams.cpp
@@ -405,7 +405,13 @@ static inline JSC::EncodedJSValue jsURLSearchParamsPrototypeFunction_toJSONBody(
     auto& impl = castedThis->wrapped();
     auto iter = impl.createIterator();
 
-    auto* obj = JSC::constructEmptyObject(lexicalGlobalObject, lexicalGlobalObject->objectPrototype(), impl.size() + 1);
+    JSObject* obj;
+    if (impl.size() + 1 < 64) {
+        obj = JSC::constructEmptyObject(lexicalGlobalObject, lexicalGlobalObject->objectPrototype(), impl.size() + 1);
+    } else {
+        obj = JSC::constructEmptyObject(lexicalGlobalObject, lexicalGlobalObject->objectPrototype());
+    }
+
     obj->putDirect(vm, vm.propertyNames->toStringTagSymbol, jsNontrivialString(lexicalGlobalObject->vm(), "URLSearchParams"_s), JSC::PropertyAttribute::DontEnum | JSC::PropertyAttribute::ReadOnly | 0);
 
     RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
@@ -417,6 +423,9 @@ static inline JSC::EncodedJSValue jsURLSearchParamsPrototypeFunction_toJSONBody(
         if (seenKeys.contains(key)) {
             JSValue jsValue = obj->getDirect(vm, ident);
             if (jsValue.isString()) {
+                JSValue stringResult = jsString(vm, value);
+                ensureStillAliveHere(stringResult);
+
                 GCDeferralContext deferralContext(lexicalGlobalObject->vm());
                 JSC::ObjectInitializationScope initializationScope(lexicalGlobalObject->vm());
 
@@ -426,13 +435,12 @@ static inline JSC::EncodedJSValue jsURLSearchParamsPrototypeFunction_toJSONBody(
                     2);
 
                 array->initializeIndex(initializationScope, 0, jsValue);
-                array->initializeIndex(initializationScope, 1, jsString(vm, value));
+                array->initializeIndex(initializationScope, 1, stringResult);
                 obj->putDirect(vm, ident, array, 0);
-            } else if (jsValue.isObject() && jsValue.getObject()->inherits<JSC::JSArray>()) {
+            } else if (jsValue.isCell() && jsValue.asCell()->type() == ArrayType) {
                 JSC::JSArray* array = jsCast<JSC::JSArray*>(jsValue.getObject());
                 array->push(lexicalGlobalObject, jsString(vm, value));
                 RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
-
             } else {
                 RELEASE_ASSERT_NOT_REACHED();
             }
author	Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>	2023-07-17 04:17:12 -0700
committer	Jarred Sumner <709451+Jarred-Sumner@users.noreply.github.com>	2023-07-17 04:18:43 -0700
commit	6ca20424d6aee5f68a1383293105473406faad81 (patch)
tree	0a9f088eb91c5cbbf73ebd258dab54a2c9b52985 /src
parent	36a25c358044b0c9a56a06d8246ae2b5098b3ae4 (diff)
download	bun-6ca20424d6aee5f68a1383293105473406faad81.tar.gz bun-6ca20424d6aee5f68a1383293105473406faad81.tar.zst bun-6ca20424d6aee5f68a1383293105473406faad81.zip