authorRichard Weickelt <richard@weickelt.de>2020-11-24 01:14:28 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2020-11-24 22:36:00 +0000
commitb3848de6945d8514b6bea0909659310cbe38af61 (patch)
tree2bae8e0c14e7c73c79a4a61fef9d3e13b4e50e04
parent28e48455946deca8a63e054fb4f240e4a24f94e4 (diff)
Fix crash when calling hasOwnProperty() on proxy object
Property pointer p needs to be checked for nullptr value in QV4::ProxyObject::virtualGetOwnProperty(). This can happen when calling hasOwnProperty() or propertyIsEnumerable(). Fixes: QTBUG-88786 Change-Id: I43da58fed4d8656f9187213f7317f17398739e34 Reviewed-by: Ulf Hermann <ulf.hermann@qt.io> (cherry picked from commit 9b321a34490cd17c0eb043b69bd7c9d8d8f513d5) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/qml/jsruntime/qv4proxy.cpp10
-rw-r--r--tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp31
2 files changed, 36 insertions, 5 deletions
diff --git a/src/qml/jsruntime/qv4proxy.cpp b/src/qml/jsruntime/qv4proxy.cpp
index 24676ffd00..1505eae426 100644
--- a/src/qml/jsruntime/qv4proxy.cpp
+++ b/src/qml/jsruntime/qv4proxy.cpp
@@ -265,9 +265,9 @@ PropertyAttributes ProxyObject::virtualGetOwnProperty(const Managed *m, Property
ScopedProperty targetDesc(scope);
PropertyAttributes targetAttributes = target->getOwnProperty(id, targetDesc);
if (trapResult->isUndefined()) {
- p->value = Encode::undefined();
- if (targetAttributes == Attr_Invalid) {
+ if (p)
p->value = Encode::undefined();
+ if (targetAttributes == Attr_Invalid) {
return Attr_Invalid;
}
if (!targetAttributes.isConfigurable() || !target->isExtensible()) {
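Review bot: The new `if (p)` guard makes a null `p` part of this function's contract, but nothing in the visible lines documents it. A short comment at the first guard, e.g. `// p is null when the caller only needs the attributes (hasOwnProperty, propertyIsEnumerable)`, would keep a later edit from reintroducing an unguarded write. The same applies to the guarded block before `return resultAttributes;` in the second hunk. The body between the two hunks is not shown and the function starts outside this hunk, so confirm that no other statement there writes through `p`. It is also worth checking that any other `virtualGetOwnProperty` overrides tolerate a null `p`, because the added test shows this dereference is reachable from script code.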
@@ -295,8 +295,10 @@ PropertyAttributes ProxyObject::virtualGetOwnProperty(const Managed *m, Property
}
}
- p->value = resultDesc->value;
- p->set = resultDesc->set;
+ if (p) {
+ p->value = resultDesc->value;
+ p->set = resultDesc->set;
+ }
return resultAttributes;
}
diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
index 03fc8e5ad4..d7cb85a75d 100644
--- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
+++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
@@ -392,7 +392,7 @@ private slots:
void urlSearchParamsMethods();
void variantConversionMethod();
void sequenceConversionMethod();
-
+ void proxyHandlerTraps();
void gcCrashRegressionTest();
private:
@@ -9512,6 +9512,35 @@ void tst_qqmlecmascript::sequenceConversionMethod()
QCOMPARE(obj.funcCalled, QLatin1String("stringlist"));
}
+void tst_qqmlecmascript::proxyHandlerTraps()
+{
+ const QString expression = QStringLiteral(R"SNIPPET(
+ (function(){
+ const target = {
+ prop: 47
+ };
+ const handler = {
+ getOwnPropertyDescriptor(target, prop) {
+ return { configurable: true, enumerable: true, value: 47 };
+ }
+ };
+ const proxy = new Proxy(target, handler);
+
+ // QTBUG-88786
+ if (!proxy.propertyIsEnumerable("prop"))
+ throw Error("FAIL: propertyisEnumerable");
+ if (!proxy.hasOwnProperty("prop"))
+ throw Error("FAIL: hasOwnProperty");
+
+ return "SUCCESS";
+ })()
+ )SNIPPET");
+
+ QJSEngine engine;
+ QJSValue value = engine.evaluate(expression);
+ QVERIFY(value.isString() && value.toString() == QStringLiteral("SUCCESS"));
+}
+
QTEST_MAIN(tst_qqmlecmascript)
#include "tst_qqmlecmascript.moc"
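Review bot: The test in `proxyHandlerTraps()` only covers the path where the trap returns a descriptor object, so the first guard in `virtualGetOwnProperty` (the `trapResult->isUndefined()` branch) is never exercised. A second handler whose `getOwnPropertyDescriptor` returns `undefined` would reach it; `hasOwnProperty` should presumably report `false` there without crashing. The final `QVERIFY(value.isString() && ...)` also loses the thrown error text on failure. Using `QVERIFY2(!value.isError(), qPrintable(value.toString()));` followed by `QCOMPARE(value.toString(), QStringLiteral("SUCCESS"));` would show which check failed. The message `"FAIL: propertyisEnumerable"` spells the method with a lower-case `i`.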