address CodeRabbit review (#5606)

- js_object_has_property: narrow the handle-band crash guard to the fetch/zlib
  bands (>= COMMON_HANDLE_BAND_END). Common/small handles now fall through to
  the registered small-handle property path instead of always returning false.
- headers_init_json_ptr: normalize null/undefined headers to {} in the shared
  helper so the codegen js_fetch_headers_to_json path matches the runtime thunk
  (previously serialized headers:null as "null").

Author: Ralph Küpper

crates/perry-runtime/src/object/field_get_set.rs

@@ -2263,17 +2263,21 @@ pub extern "C" fn js_object_has_property(obj: f64, key: f64) -> f64 {
         };
     }
 
-    // A handle-band value (Web Fetch Headers/Request/Response, net/http handles,
-    // zlib streams) is a registry id, not a heap object — the pointer paths below
-    // would dereference the id and segfault. `key in <handle>` has no own-property
-    // meaning for these registry handles, so report `false` instead of crashing.
-    // Same handle-band family as the string_from_header / inline-`.length` guards.
-    if obj_val.is_pointer()
-        && crate::value::addr_class::is_handle_band(
-            (obj_val.bits() & crate::value::POINTER_MASK) as usize,
-        )
-    {
-        return nanbox_false;
+    // A Web Fetch / zlib handle-band value (Headers/Request/Response, zlib
+    // streams) at or above the fetch band is a registry id, not a heap object —
+    // the pointer paths below would dereference the id and segfault. `key in
+    // <handle>` has no own-property meaning for these, so report `false`.
+    // Common/small handles (below the fetch band) are intentionally NOT caught
+    // here: they fall through to the registered small-handle property path later
+    // in this function. Same family as the string_from_header / inline-`.length`
+    // guards.
+    if obj_val.is_pointer() {
+        let addr = (obj_val.bits() & crate::value::POINTER_MASK) as usize;
+        if addr >= crate::value::addr_class::COMMON_HANDLE_BAND_END
+            && crate::value::addr_class::is_handle_band(addr)
+        {
+            return nanbox_false;
+        }
     }
 
     // #1758: a SYMBOL key. The class-ref path below + the keys_array scan

crates/perry-runtime/src/object/global_fetch.rs

@@ -160,14 +160,9 @@ pub extern "C" fn js_fetch_headers_to_json(headers: f64) -> i64 {
 
 fn fetch_headers_json_ptr(init: f64) -> *const crate::StringHeader {
     let headers = fetch_option(init, b"headers");
-    if matches!(
-        headers.to_bits(),
-        crate::value::TAG_UNDEFINED | crate::value::TAG_NULL
-    ) {
-        return crate::string::js_string_from_bytes(b"{}".as_ptr(), 2);
-    }
-    // `init.headers` may be a `Headers` instance (a fetch-band handle) rather
-    // than a plain object — JSON-stringify it without dereferencing the handle.
+    // `init.headers` may be a `Headers` instance (a fetch-band handle), a plain
+    // object, or null/undefined — `headers_init_json_ptr` normalizes all three
+    // (Headers handle read from its registry, null/undefined → `{}`).
     headers_init_json_ptr(headers)
 }
 
@@ -301,6 +296,16 @@ fn call_global_headers_object_json(value: f64) -> *mut crate::StringHeader {
 /// safely. Same family as #5559/#5560 (handle-band ids mis-dereferenced as heap
 /// pointers).
 fn headers_init_json_ptr(headers: f64) -> *const crate::StringHeader {
+    // Normalize null/undefined to an empty object so BOTH entry points — the
+    // codegen `js_fetch_headers_to_json` and the runtime `fetch_headers_json_ptr`
+    // — serialize `headers: null` as `{}` rather than the literal `"null"` that
+    // `js_fetch_with_options` cannot parse.
+    if matches!(
+        headers.to_bits(),
+        crate::value::TAG_UNDEFINED | crate::value::TAG_NULL
+    ) {
+        return crate::string::js_string_from_bytes(b"{}".as_ptr(), 2);
+    }
     let jsv = crate::value::JSValue::from_bits(headers.to_bits());
     if jsv.is_pointer() {
         let addr = (headers.to_bits() & 0x0000_FFFF_FFFF_FFFF) as usize;