From c6f74a3733343abb7e60d0115257ba42ffea64d6 Mon Sep 17 00:00:00 2001
From: robobun
Date: Wed, 26 Nov 2025 22:36:58 +0000
Subject: [PATCH] Fix missing exception check in ProxyObject::performGetPrototype
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the Proxy's handler doesn't have a getPrototypeOf trap, we call target->getPrototype(globalObject) directly. This can throw an exception (e.g., stack overflow when the target is also a Proxy with a recursive chain), but the code was using RELEASE_AND_RETURN which releases the throw scope without checking for exceptions first. This fix properly checks for exceptions after the getPrototype call before returning, which satisfies WebKit's exception check validation (enabled via validateExceptionChecks).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 Source/JavaScriptCore/runtime/ProxyObject.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/ProxyObject.cpp b/Source/JavaScriptCore/runtime/ProxyObject.cpp
index 2e656781c885..b73674598493 100644
--- a/Source/JavaScriptCore/runtime/ProxyObject.cpp
+++ b/Source/JavaScriptCore/runtime/ProxyObject.cpp
@@ -1245,8 +1245,11 @@ JSValue ProxyObject::performGetPrototype(JSGlobalObject* globalObject)
 RETURN_IF_EXCEPTION(scope, { });
 JSObject* target = this->target();
- if (getPrototypeOfMethod.isUndefined())
- RELEASE_AND_RETURN(scope, target->getPrototype(globalObject));
+ if (getPrototypeOfMethod.isUndefined()) {
+ JSValue result = target->getPrototype(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ return result;
+ }
 MarkedArgumentBuffer arguments;
 arguments.append(target);
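Review bot: The new `RETURN_IF_EXCEPTION(scope, { })` after `target->getPrototype(globalObject)` comes with no regression test (the diffstat touches only ProxyObject.cpp), so nothing pins the trap-less path against the stack-overflow case the description names. `RELEASE_AND_RETURN` is normally the idiom for handing the exception check to the caller, so it is worth confirming that callers of performGetPrototype still check after the call; the local check does not appear to remove that obligation. A short comment would record why this branch departs from the usual tail-call form, e.g. `// getPrototype() may throw (target can itself be a Proxy); check before returning instead of releasing the scope.` If other trap-absent fast paths in this file use the same release-and-return shape, they likely deserve the same review. performGetPrototype starts and ends outside the hunk.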