From 82a588c17bc7673ac61ad7871280e049fb5ea353 Mon Sep 17 00:00:00 2001 From: Dmitry Volyntsev Date: Mon, 13 Oct 2025 17:37:11 -0700 Subject: [PATCH] QuickJS: fixed r.subrequest() to a location with JS handler. Previously, when a subrequest location had a JS handler, an object of a subrequest JS context was provided as an argument to a parent contexts. This may cause all sorts of problems due to incorrect reference counting. After this change in bellard/quickjs@42eb2795 the bug became apparent. --- nginx/ngx_http_js_module.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/nginx/ngx_http_js_module.c b/nginx/ngx_http_js_module.c index 467a5eea..e3ee4271 100644 --- a/nginx/ngx_http_js_module.c +++ b/nginx/ngx_http_js_module.c @@ -5843,17 +5843,11 @@ ngx_http_qjs_subrequest_done(ngx_http_request_t *r, void *data, ngx_int_t rc) cx = ctx->engine->u.qjs.ctx; - if (!JS_IsObject(ngx_qjs_arg(sctx->args[0]))) { - reply = ngx_http_qjs_request_make(cx, NGX_QJS_CLASS_ID_HTTP_REQUEST, r); - if (JS_IsException(reply)) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "js subrequest reply creation failed"); - return NGX_ERROR; - } - - - } else { - reply = JS_DupValue(cx, ngx_qjs_arg(sctx->args[0])); + reply = ngx_http_qjs_request_make(cx, NGX_QJS_CLASS_ID_HTTP_REQUEST, r); + if (JS_IsException(reply)) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "js subrequest reply creation failed"); + return NGX_ERROR; } rc = ngx_qjs_call(cx, event->function, &reply, 1); -- 2.47.3