inspect: handle throwing Proxy traps when walking prototype chain

[robobun]

Fuzzilli fingerprint: 3ece47c123fdcdb2

What

Bun.inspect / console.log crashed with a null pointer dereference when formatting an object whose prototype chain contains a Proxy that throws from its getPrototypeOf trap, or whose target has a throwing getter.

Repro

const o = {};
Object.setPrototypeOf(o, new Proxy({ a: 1 }, {
  getPrototypeOf() { throw new Error("oops"); }
}));
console.log(o); // segfault

Why

JSC__JSValue__forEachPropertyImpl walks the prototype chain on the slow path via:

iterating = iterating->getPrototype(globalObject).getObject();

When iterating is a Proxy, getPrototype() invokes the getPrototypeOf trap, which can throw and return an empty JSValue. Calling .getObject() on an empty JSValue dereferences a null cell.

Additionally, when getPropertySlot() goes through a Proxy [[Get]] and the underlying getter throws, it returns false — but the existing CLEAR_IF_EXCEPTION was placed after the continue, so the pending exception leaked into the next getPrototype() call and produced the same empty value.

Fix

• Clear the exception from getPropertySlot() before checking its return value.
• Check the result of getPrototype() and break out of the loop if it's empty, clearing any exception from the trap.

This mirrors the handling already present in the fast path of the same function.

[robobun]

^{Updated 10:28 PM PT - Apr 8th, 2026}

❌ @robobun, your commit f74a274 has 4 failures in Build #44703 (All Failures):

• test/js/bun/webview/webview-chrome.test.ts - code 1 on 🍎 13 aarch64
• test/js/web/fetch/fetch.upgrade.test.ts - code 1 on 🐧 13 aarch64
• test/js/bun/s3/s3.test.ts - code 1 on 🐧 3.23 x64
• test/js/node/worker_threads/worker_threads.test.ts - pid 33359 segmentation fault on 🐧 13 x64

---

🧪   To try this PR locally:

bunx bun-pr 29069

That installs a local version of the PR into your bun-29069 executable, so you can run:

bun-29069 --bun

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d7231a01-b89a-4922-ba68-dd28f797edfb

📥 Commits

Reviewing files that changed from the base of the PR and between 4ee606e and f74a274.

📒 Files selected for processing (2)

• src/bun.js/bindings/bindings.cpp
• test/js/bun/util/inspect.test.js

---

Walkthrough

Modified the prototype chain traversal logic in JSC__JSValue__forEachPropertyImpl to capture property slot existence explicitly and handle exceptions from Proxy getPrototypeOf traps. Added test cases verifying that Bun.inspect correctly serializes objects even when their prototypes throw during resolution.

Changes

Cohort / File(s)	Summary
C++ Bindings - Prototype Chain Handling src/bun.js/bindings/bindings.cpp	Modified JSC__JSValue__forEachPropertyImpl to capture property slot existence via hasSlot variable, skip enumeration when no slot exists, store prototype references in a JSValue proto variable, clear exceptions from Proxy getPrototypeOf traps, and halt traversal on null/empty prototypes.
Inspection Tests test/js/bun/util/inspect.test.js	Added test cases verifying Bun.inspect stability when object prototypes are Proxies with throwing getPrototypeOf traps or when prototypes define throwing property getters, ensuring serialization completes and includes enumerable properties.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: handling throwing Proxy traps during prototype chain walking in the inspect functionality.
Description check	✅ Passed	The description provides comprehensive context with a clear 'What', 'Repro', 'Why', and 'Fix' section, exceeding the template requirements of 'What does this PR do?' and 'How did you verify your code works?'.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

This PR may be a duplicate of:

1. fix null deref in forEachProperty prototype walk #28991 - Adds null check and CLEAR_IF_EXCEPTION after getPrototype() in the same prototype-walk loop in forEachPropertyImpl
2. Handle exception from getPrototype in forEachProperty #28918 - Clears exceptions from Proxy getPrototype trap in both the fast path and slow path of forEachPropertyImpl
3. Fix use-after-poison in forEachProperty prototype chain walk #28919 - Restructures the prototype-walk loop with EnsureStillAliveScope and exception clearing after getPrototype() in forEachPropertyImpl
4. Fix null deref in forEachProperty when Proxy prototype throws #28882 - Adds CLEAR_IF_EXCEPTION and null check after getPrototype() in forEachPropertyImpl, also fixes the same pattern in napi.cpp
5. Fix crash in forEachProperty when prototype chain contains a Proxy #28854 - Adds CLEAR_IF_EXCEPTION and null/isObject check after getPrototype() in the prototype-walk loop of forEachPropertyImpl
6. fix: clear exception before continue in property enumeration slow path #28530 - Adds CLEAR_IF_EXCEPTION after getPropertySlot failure in forEachPropertyImpl to prevent exception leaking
7. Fix null deref in forEachProperty when prototype is a Proxy #28325 - Adds exception clearing and null check after getPrototype() in the slow-path prototype walk of forEachPropertyImpl
8. getPrototype exception checks #24985 - Broader fix that adds getPrototype exception checks across the codebase including forEachPropertyImpl

🤖 Generated with Claude Code

[robobun]

Duplicate of #28325 / #28530 (and several others — #28854, #28882, #28918, #28919, #28991, #24985). Fuzzer keeps rediscovering this because none have landed yet. Closing in favor of the existing PRs.

[claude]

🟡 The test for "Proxy prototype with throwing getter on target" only checks that bar: 2 appears in the output, but never asserts that foo (the throwing getter) is absent. If a regression caused foo to appear as [Getter], foo: undefined, or any other representation, the test would silently pass. Adding expect(result).not.toContain("foo") would make the negative intent explicit and catch such regressions.

Extended reasoning...

What the bug is: The test at the bottom of the PR diff verifies the "Proxy prototype with throwing getter on target" scenario by checking expect(result).toContain("bar: 2"). This only checks the positive case — that the non-throwing property appears — but never validates the negative case: that the throwing getter (foo) does not appear in the output.

The specific code path: The C++ fix in bindings.cpp (lines 5292–5296 of the diff) deliberately moves CLEAR_IF_EXCEPTION before hasSlot is checked, so that when getPropertySlot returns false (because the getter threw), the exception is cleared and the property is skipped via continue. The intent is for foo to be absent from the output entirely.

Why existing code does not prevent it: The test exercises crash prevention (running without segfaulting) and confirms bar appears, but there is no assertion guarding the secondary behavior — that foo is skipped. A future change that accidentally emits foo: [Getter] or foo: undefined would still satisfy toContain("bar: 2").

Impact: A regression in property-skipping logic for throwing getters would go undetected by this test. The symptom would be a silent leak of a throwing-getter property into inspect output, which could expose implementation details or confuse users inspecting objects.

How to fix: Add expect(result).not.toContain("foo") immediately after the existing toContain assertion. This makes the test intent explicit and catches any regression where the throwing getter appears under any name or value.

Regarding the refutation: The refuter argues this is a subjective test quality concern rather than a bug. That is fair — the crash-prevention intent is fully covered, and the C++ fix is correct. However, the purpose of the dedicated named test (distinct from the crash-fixture suite) is precisely to assert behavior, not merely absence of crash. Without the negative assertion, the test leaves the specific behavioral invariant — that throwing getters are skipped — entirely unverified. This is a real gap in test coverage, even if minor.

Step-by-step proof: Suppose a regression changes the C++ so that when hasSlot is false the property is emitted as foo: undefined. Then result becomes something like { foo: undefined, bar: 2 }. expect(result).toContain("bar: 2") passes because the string contains bar: 2. The test turns green despite the broken behavior. Adding expect(result).not.toContain("foo") would catch this.