From 8824fb62b9bf38e11b429f17e82d15be8d75dc74 Mon Sep 17 00:00:00 2001
From: robobun <117481402+robobun@users.noreply.github.com>
Date: Mon, 11 May 2026 20:45:46 +0000
Subject: [PATCH] Fix null deref in Bun.inspect when Proxy getPrototypeOf trap throws

When walking the prototype chain in forEachPropertyImpl, getPrototype() can throw (e.g. via a Proxy getPrototypeOf trap) and return an empty JSValue. Calling .getObject() on an empty JSValue dereferences null.
---
 src/jsc/bindings/bindings.cpp | 5 ++++-
 test/js/bun/util/inspect.test.js | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/jsc/bindings/bindings.cpp b/src/jsc/bindings/bindings.cpp
index 22ac3806337..9498c755e5a 100644
--- a/src/jsc/bindings/bindings.cpp
+++ b/src/jsc/bindings/bindings.cpp
@@ -5444,7 +5444,10 @@ static void JSC__JSValue__forEachPropertyImpl(JSC::EncodedJSValue JSValue0, JSC:
 break;
 if (iterating == globalObject)
 break;
- iterating = iterating->getPrototype(globalObject).getObject();
+ JSValue proto = iterating->getPrototype(globalObject);
+ // Ignore exceptions from Proxy "getPrototypeOf" trap.
+ CLEAR_IF_EXCEPTION(scope);
+ iterating = proto ? proto.getObject() : nullptr;
 }
 }

diff --git a/test/js/bun/util/inspect.test.js b/test/js/bun/util/inspect.test.js
index 32a70af3018..322f2fa7ddc 100644
--- a/test/js/bun/util/inspect.test.js
+++ b/test/js/bun/util/inspect.test.js
@@ -451,6 +451,29 @@ const fixture = [
 },
 },
 ),
+ () =>
+ Object.setPrototypeOf(
+ { yolo: 1 },
+ new Proxy(
+ {},
+ {
+ getPrototypeOf() {
+ throw new Error("nope");
+ },
+ },
+ ),
+ ),
+ () =>
+ Object.create(
+ new Proxy(
+ { yolo: 1 },
+ {
+ getPrototypeOf() {
+ throw new Error("nope");
+ },
+ },
+ ),
+ ),
 ];

 describe("crash testing", () => {
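Review bot: `CLEAR_IF_EXCEPTION(scope)` right after `getPrototype()` drops whatever exception is pending, while the comment above it names only the Proxy "getPrototypeOf" trap. The macro is defined outside this hunk, so it is an assumption that it does not special-case termination or stack-overflow errors raised while the trap runs; if it does not, those are swallowed here as well and the caller never sees them. I would confirm that and put the null-safety reason into the comment, e.g. `// getPrototype() can run a Proxy trap; on throw it returns an empty JSValue, so end the walk rather than call getObject() on it.` The loop and the rest of forEachPropertyImpl lie outside the hunk.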
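Review bot: The two new fixture entries carry no comment saying what they guard; a line such as `// getPrototypeOf trap throws while inspect walks the prototype chain (must not crash)` above the first `() =>` would keep the regression visible to later editors. How `fixture` is consumed is outside the hunk, so it cannot be told from here whether the test also checks that `yolo: 1` is still printed. If it only checks for the absence of a crash, an output assertion for these two cases would pin that the trap's error is swallowed rather than surfaced to the caller of `Bun.inspect`.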