fix: ensure retrieving the property definitions of ObjectStoreEntry.prototype.body and ObjectStoreEntry.bodyUsed do not cause panics by ensuring we have a valid entry in their Slots

Jake Champion · JakeChampion · commit 311b84c80cbc · 2023-01-06T15:19:39.000Z
diff --git a/c-dependencies/js-compute-runtime/builtins/object-store.cpp b/c-dependencies/js-compute-runtime/builtins/object-store.cpp
@@ -52,11 +52,17 @@ bool bodyAll(JSContext *cx, unsigned argc, JS::Value *vp) {
 
 bool body_get(JSContext *cx, unsigned argc, JS::Value *vp) {
   METHOD_HEADER(0)
+  if (!JS::GetReservedSlot(self, Slots::HasBody).isBoolean()) {
+    JS::SetReservedSlot(self, Slots::HasBody, JS::BooleanValue(false));
+  }
   return RequestOrResponse::body_get(cx, args, self, true);
 }
 
 bool bodyUsed_get(JSContext *cx, unsigned argc, JS::Value *vp) {
   METHOD_HEADER(0)
+  if (!JS::GetReservedSlot(self, Slots::BodyUsed).isBoolean()) {
+    JS::SetReservedSlot(self, Slots::BodyUsed, JS::BooleanValue(false));
+  }
   args.rval().setBoolean(RequestOrResponse::body_used(self));
   return true;
 }
@@ -85,7 +91,7 @@ JSObject *create(JSContext *cx, fastly_body_handle_t body_handle) {
 
   JS::SetReservedSlot(objectStoreEntry, Slots::Body, JS::Int32Value(body_handle));
   JS::SetReservedSlot(objectStoreEntry, Slots::BodyStream, JS::NullValue());
-  JS::SetReservedSlot(objectStoreEntry, Slots::HasBody, JS::TrueValue());
+  JS::SetReservedSlot(objectStoreEntry, Slots::HasBody, JS::BooleanValue(true));
   JS::SetReservedSlot(objectStoreEntry, Slots::BodyUsed, JS::FalseValue());
 
   return objectStoreEntry;
diff --git a/c-dependencies/js-compute-runtime/builtins/object-store.h b/c-dependencies/js-compute-runtime/builtins/object-store.h
@@ -5,6 +5,8 @@
 namespace ObjectStoreEntry {
 // Register the class.
 bool init_class(JSContext *cx, JS::HandleObject global);
+bool is_instance(JSObject *obj);
+bool is_instance(JS::Value val);
 } // namespace ObjectStoreEntry
 
 namespace ObjectStore {
diff --git a/c-dependencies/js-compute-runtime/js-compute-builtins.cpp b/c-dependencies/js-compute-runtime/js-compute-builtins.cpp
@@ -427,7 +427,10 @@ bool is_instance(JSObject *obj);
 }
 
 namespace RequestOrResponse {
-bool is_instance(JSObject *obj) { return Request::is_instance(obj) || Response::is_instance(obj); }
+bool is_instance(JSObject *obj) {
+  return Request::is_instance(obj) || Response::is_instance(obj) ||
+         ObjectStoreEntry::is_instance(obj);
+}
 
 uint32_t handle(JSObject *obj) {
   MOZ_ASSERT(is_instance(obj));
diff --git a/integration-tests/js-compute/fixtures/object-store/fastly.toml.in b/integration-tests/js-compute/fixtures/object-store/fastly.toml.in
@@ -13,7 +13,10 @@ service_id = ""
 
 [local_server]
   [local_server.object_store]
-  example-test-object-store = []
+
+  [[local_server.object_store.example-test-object-store]]
+  key = "placeholder"
+  data = 'placholder'
 
   [local_server.backends]
 
