fix: URLSearchParams construction and iteration spec compliance

[adrian-niculescu]

This is the iOS counterpart of NativeScript/android#1970. Same story: we noticed our app hitting a URL that looked like

https://api.example.com/items?[object+Object]=

because the binding only handles the string init form, so an innocent new URLSearchParams({ limit: "50", cursor: "abc123" }) got stringified to "[object Object]" and the whole query collapsed into one bogus key. The same code works in browsers and Node.

Same fix as on Android, adapted to this runtime's helpers:

• The constructor follows the WebIDL init dispatch from the URL spec: record form for plain objects (own enumerable keys in order; a Symbol key throws), sequence form for iterables (Array, Map, Set, another URLSearchParams, generators, with IteratorClose on abrupt completion and a TypeError for a pair whose length isn't 2), USVString coercion for other primitives and null (a Symbol throws; null parses as the string "null", matching the whatwg-url reference implementation), and empty params for undefined (the IDL default).
• entries()/keys()/values() return live ES iterators per spec instead of plain arrays, and @@iterator aliases entries, so for..of, spread, and the new URLSearchParams(other) copy form work. This also fixes a duplicate-key bug: the old get_keys()+get() walk returned the first value for every occurrence of a repeated key.
• get() returns null for a missing name instead of undefined (one existing test asserted undefined and was updated to match the spec).
• delete(name, value) and has(name, value) honor the optional value argument, which ada already exposes. An explicit undefined value is treated as omitted, matching WPT.

Tests are mirrored from the Android suite (49 specs in the URLSearchParams group; the pre-existing keys/values/entries tests now consume iterators via spread). Verified with the TestRunner scheme on an iPhone 17 simulator (iOS 26.5): TEST SUCCEEDED, 0 failures.

Update after review: every name and value argument across get/getAll/has/delete/append/set now goes through the same USVString coercion (a Symbol throws), entries()/keys()/values() and the iterator's next() brand-check their receivers, and GetPointer no longer reads an internal field from objects that have none (entries.call({}) used to be an out-of-bounds read). A second pass against the IDL and the whatwg-url reference implementation aligned three more corners: new URLSearchParams(null) parses as the string "null" instead of being treated as empty (the union conversion has no null special case; WPT does not cover it and Node is the outlier), an enumerable Symbol key in a record init throws, and the remaining members (get/getAll/has/append/set/delete/forEach/sort/toString/size) brand-check their receiver like the iterator methods.

Summary by CodeRabbit

• New Features

  • Constructor accepts records, sequences, iterables, and primitives with spec-style coercion; iterators (entries/keys/values/@@iterator) are live, branded, and alias the default iterator.

• Bug Fixes

  • Methods now throw on illegal (foreign) receivers.
  • delete(name[, value]) filters by value when provided; explicit undefined is treated as omitted.
  • get() returns null for missing names; Symbol coercion now throws.
  • Append/set/coercion behavior tightened to match spec.

• Tests

  • Expanded tests for constructor variants, iterator behavior/branding/closure, coercions, and receiver safety.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR refactors URLSearchParams to implement WHATWG spec compliance: adds live iterators for entries/keys/values with Symbol.iterator aliasing, reworks the constructor to accept strings/records/sequences/primitives via USVString-like coercion, updates delete/has to support value-filtered operations, and changes get to return null.

Changes

URLSearchParams Spec Compliance

Layer / File(s)	Summary
Live iterator infrastructure NativeScript/runtime/URLSearchParamsImpl.cpp, TestRunner/app/tests/URLSearchParams.js	Implements spec-compliant live iterators for entries(), keys(), and values() with hidden iterator state, next() brand/receiver checks, and Symbol.iterator aliasing. Adds iterator open/step/close helpers and tests for liveness, receiver-brand errors, and iterator closing on abrupt completion.
Constructor input coercion and initialization NativeScript/runtime/URLSearchParamsImpl.cpp, TestRunner/app/tests/URLSearchParams.js	Reworks URLSearchParamsImpl::Ctor to dispatch on input type: strings are URL-parsed; objects route to record or sequence initialization based on @@iterator presence and callability; primitives are coerced per USVString-like rules (Symbol throws); null/undefined produce empty params. Tests cover record inputs, sequence-of-pairs (Maps/Sets/generators), primitives, copy-construction, and error cases.
Method semantic updates and iterator returns NativeScript/runtime/URLSearchParamsImpl.cpp, TestRunner/app/tests/URLSearchParams.js	entries()/keys()/values() now return live iterators; delete(name, value) supports optional value-filtered removal (explicit undefined treated as omitted); get returns null for missing names; getAll/has coerce name/value using shared conversion; core methods throw on illegal receivers. Tests validate coercion, error paths (e.g., Symbol), duplicate-key ordering, and receiver-brand behavior.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

A rabbit hops through iterator land,
Where live keys/values go hand-in-hand,
entries() hums as Symbol takes stage,
Constructor reads every input page—
Spec burrows lined, now snug and grand! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main focus of the PR: fixing URLSearchParams to comply with spec requirements for construction and iteration behavior.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@NativeScript/runtime/URLSearchParamsImpl.cpp`:
- Around line 568-584: The Delete and Has implementations still call
tns::ToString(args[0].As<v8::String>()) and must instead coerce the first
argument with ValueToString to follow USVString semantics; replace the existing
key acquisition in URLSearchParamsImpl::Delete and URLSearchParamsImpl::Has by
calling ValueToString(isolate->GetCurrentContext(), args[0], key) into a
std::string key, return immediately if coercion fails (preserving exceptions),
and then call ptr->GetURLSearchParams()->remove(key, ...) or remove(key.c_str())
/ ptr->GetURLSearchParams()->has(key) using that coerced key; remove the use of
args[0].As<v8::String>() and tns::ToString for the name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b1464f66-8765-406b-bb66-26af6cb0d7fe

📥 Commits

Reviewing files that changed from the base of the PR and between cd28c41 and 2fa428f.

📒 Files selected for processing (2)

• NativeScript/runtime/URLSearchParamsImpl.cpp
• TestRunner/app/tests/URLSearchParams.js

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

NativeScript/runtime/URLSearchParamsImpl.cpp (2)

652-670: ⚠️ Potential issue | 🟠 Major

Guard URLSearchParams.forEach callback before args[0].As<v8::Function>().
v8::Local<T>::As<S>() is a cast that doesn’t do runtime type checking; without an args[0]->IsFunction() (and length) guard, non-function/undefined callbacks can reach the Call path instead of throwing the expected JS TypeError.

Proposed fix

 void URLSearchParamsImpl::ForEach(
     const v8::FunctionCallbackInfo<v8::Value>&amp; args) {
   URLSearchParamsImpl* ptr = GetPointer(args.This());
   auto isolate = args.GetIsolate();
   auto context = isolate-&gt;GetCurrentContext();
   if (ptr == nullptr) {
     ThrowTypeError(isolate, "Illegal invocation");
     return;
   }
+  if (args.Length() &lt; 1 || !args[0]-&gt;IsFunction()) {
+    ThrowTypeError(isolate, "URLSearchParams.forEach callback must be a function");
+    return;
+  }
   auto callback = args[0].As&lt;v8::Function&gt;();
   auto searchParams = args.This();

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@NativeScript/runtime/URLSearchParamsImpl.cpp` around lines 652 - 670, The
forEach implementation currently casts args[0] to v8::Function without runtime
checking; before calling args[0].As<v8::Function>() (and before using
callback->Call), add a guard that args.Length() > 0 and args[0]->IsFunction(),
and if not throw a JS TypeError (via v8::Exception::TypeError /
v8::TypeError::New and context->Throw). Move or defer creation of the
v8::Local<v8::Function> callback until after that check, keep thisArg and
entries logic the same, and ensure the code paths that call callback->Call only
run when the argument is a validated function (referencing the variables
callback, args, thisArg, and the existing Call invocation).

---

25-37: ⚠️ Potential issue | 🟠 Major

Strengthen receiver brand check before unwrapping slot 0 internal pointers

URLSearchParamsImpl::GetPointer only checks InternalFieldCount() >= 1, then casts slot 0 to URLSearchParamsImpl* (lines 25-37). Other wrapped natives also use internal field slot 0 (e.g. URLImpl / URLPatternImpl write slot 0 and their GetPointer also only casts), so calling URLSearchParams methods with a foreign receiver can bypass the “Illegal invocation” path and reinterpret a different native pointer as URLSearchParamsImpl*.

• Add a real URLSearchParams brand/type gate in GetPointer (e.g., dedicated type tag in the internal field, or an instance-of/identity check) before performing the cast.
• In URLSearchParamsImpl::ForEach, guard args[0] before auto callback = args[0].As<v8::Function>(); (missing/non-callable callback should throw TypeError instead of relying on an unsafe cast).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@NativeScript/runtime/URLSearchParamsImpl.cpp` around lines 25 - 37, The
GetPointer implementation in URLSearchParamsImpl currently trusts slot 0 and can
miscast foreign receivers; modify URLSearchParamsImpl::GetPointer to perform a
real brand/type check before casting (e.g., store and verify a dedicated type
tag or magic value in another internal field or use an instance identity check)
instead of only checking InternalFieldCount and slot 0 with
GetAlignedPointerFromInternalField; additionally, harden
URLSearchParamsImpl::ForEach to validate args[0] is a callable before doing auto
callback = args[0].As<v8::Function>() and throw a TypeError when it is missing
or not a function. Ensure references to InternalFieldCount,
GetAlignedPointerFromInternalField, URLSearchParamsImpl::GetPointer and
URLSearchParamsImpl::ForEach are updated accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@NativeScript/runtime/URLSearchParamsImpl.cpp`:
- Around line 652-670: The forEach implementation currently casts args[0] to
v8::Function without runtime checking; before calling args[0].As<v8::Function>()
(and before using callback->Call), add a guard that args.Length() > 0 and
args[0]->IsFunction(), and if not throw a JS TypeError (via
v8::Exception::TypeError / v8::TypeError::New and context->Throw). Move or defer
creation of the v8::Local<v8::Function> callback until after that check, keep
thisArg and entries logic the same, and ensure the code paths that call
callback->Call only run when the argument is a validated function (referencing
the variables callback, args, thisArg, and the existing Call invocation).
- Around line 25-37: The GetPointer implementation in URLSearchParamsImpl
currently trusts slot 0 and can miscast foreign receivers; modify
URLSearchParamsImpl::GetPointer to perform a real brand/type check before
casting (e.g., store and verify a dedicated type tag or magic value in another
internal field or use an instance identity check) instead of only checking
InternalFieldCount and slot 0 with GetAlignedPointerFromInternalField;
additionally, harden URLSearchParamsImpl::ForEach to validate args[0] is a
callable before doing auto callback = args[0].As<v8::Function>() and throw a
TypeError when it is missing or not a function. Ensure references to
InternalFieldCount, GetAlignedPointerFromInternalField,
URLSearchParamsImpl::GetPointer and URLSearchParamsImpl::ForEach are updated
accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 09a44c34-d1e0-4493-a560-7db4692a020b

📥 Commits

Reviewing files that changed from the base of the PR and between 380e162 and c959e05.

📒 Files selected for processing (2)

• NativeScript/runtime/URLSearchParamsImpl.cpp
• TestRunner/app/tests/URLSearchParams.js

🚧 Files skipped from review as they are similar to previous changes (1)

• TestRunner/app/tests/URLSearchParams.js

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

NativeScript/runtime/URLSearchParamsImpl.cpp (2)

652-670: ⚠️ Potential issue | 🟠 Major

Add a type-check for the forEach callback before casting to v8::Function.

URLSearchParamsImpl::ForEach casts args[0] directly via args[0].As<v8::Function>() with no IsFunction() (or args-length) guard. Passing a non-callable (or missing) callback should throw a JS TypeError at the API boundary instead of relying on V8’s cast/call path.

Minimal fix

-  auto callback = args[0].As<v8::Function>();
+  if (args.Length() < 1 || !args[0]->IsFunction()) {
+    ThrowTypeError(isolate, "The callback provided as parameter 1 is not a function");
+    return;
+  }
+  auto callback = args[0].As<v8::Function>();

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@NativeScript/runtime/URLSearchParamsImpl.cpp` around lines 652 - 670, In
URLSearchParamsImpl::ForEach, validate the first argument before casting: check
args.Length() > 0 and args[0]->IsFunction() (or context->Global()->Get(isolate,
...) style check) and if not, throw a JS TypeError; replace the direct cast
args[0].As<v8::Function>() with a guarded branch that creates a
v8::Local<v8::Function> only when IsFunction() is true and otherwise calls
isolate->ThrowException(v8::Exception::TypeError(...)) (referencing symbols:
URLSearchParamsImpl::ForEach, args, callback, thisArg, and the v8::Function
cast).

---

25-37: ⚠️ Potential issue | 🟠 Major

Fix receiver branding in URLSearchParamsImpl::GetPointer to prevent type confusion (UB)

The guard only checks InternalFieldCount() >= 1 and that internal field 0 is non-null, then unconditionally static_casts it to URLSearchParamsImpl*. Since other NativeScript bindings also use SetInternalFieldCount(1) and store their own native pointers in internal field 0 (e.g., NativeScript/runtime/URLImpl.cpp, NativeScript/runtime/URLPatternImpl.cpp), a foreign native wrapper can bypass the intended TypeError("Illegal invocation") path and produce undefined behavior from pointer re-interpretation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@NativeScript/runtime/URLSearchParamsImpl.cpp` around lines 25 - 37,
GetPointer currently trusts any object with InternalFieldCount() >= 1 and a
non-null internal field 0, which allows other native wrappers to be
misinterpreted; fix by adding a receiver-brand check before static_cast: store a
unique branding token (e.g., a static void* kURLSearchParamsBrand) in a second
internal field when creating URLSearchParams instances and in
URLSearchParamsImpl::GetPointer require InternalFieldCount() >= 2 and verify
object->GetAlignedPointerFromInternalField(1) equals that branding token (or
check the type of the internal field is the expected v8::External containing the
brand) before casting the pointer from field 0 to URLSearchParamsImpl*. Ensure
the code references URLSearchParamsImpl::GetPointer and the new
URLSearchParamsImpl::kURLSearchParamsBrand (or similar) to locate changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@NativeScript/runtime/URLSearchParamsImpl.cpp`:
- Around line 394-395: StepIterator failures in MaterializeInnerSequence and
BuildFromSequence return false early and skip ES IteratorClose; update both
functions so that whenever StepIterator(context, iterator, next, element, done)
returns false you first call CloseIterator(context, iterator) (preserving any
original error/abrupt completion behavior) and only then return false,
propagating CloseIterator failures as appropriate; ensure you reference the same
iterator/next values used in the failing StepIterator call and follow the
existing error-return semantics used elsewhere in the file for IteratorClose
handling.

---

Outside diff comments:
In `@NativeScript/runtime/URLSearchParamsImpl.cpp`:
- Around line 652-670: In URLSearchParamsImpl::ForEach, validate the first
argument before casting: check args.Length() > 0 and args[0]->IsFunction() (or
context->Global()->Get(isolate, ...) style check) and if not, throw a JS
TypeError; replace the direct cast args[0].As<v8::Function>() with a guarded
branch that creates a v8::Local<v8::Function> only when IsFunction() is true and
otherwise calls isolate->ThrowException(v8::Exception::TypeError(...))
(referencing symbols: URLSearchParamsImpl::ForEach, args, callback, thisArg, and
the v8::Function cast).
- Around line 25-37: GetPointer currently trusts any object with
InternalFieldCount() >= 1 and a non-null internal field 0, which allows other
native wrappers to be misinterpreted; fix by adding a receiver-brand check
before static_cast: store a unique branding token (e.g., a static void*
kURLSearchParamsBrand) in a second internal field when creating URLSearchParams
instances and in URLSearchParamsImpl::GetPointer require InternalFieldCount() >=
2 and verify object->GetAlignedPointerFromInternalField(1) equals that branding
token (or check the type of the internal field is the expected v8::External
containing the brand) before casting the pointer from field 0 to
URLSearchParamsImpl*. Ensure the code references URLSearchParamsImpl::GetPointer
and the new URLSearchParamsImpl::kURLSearchParamsBrand (or similar) to locate
changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b96c87d0-944b-48d1-8c23-f6af1eccf024

📥 Commits

Reviewing files that changed from the base of the PR and between c959e05 and c45030e.

📒 Files selected for processing (2)

• NativeScript/runtime/URLSearchParamsImpl.cpp
• TestRunner/app/tests/URLSearchParams.js

🚧 Files skipped from review as they are similar to previous changes (1)

• TestRunner/app/tests/URLSearchParams.js