Bug 242638
| Summary: | Segfault with top-level await using async generator | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Jarred Sumner <jarred> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | saam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Jarred Sumner
To reproduce, run the script below in the `jsc` shell with the `-m` flag.
The crash happens in JSC::VirtualRegister::VirtualRegister(), guessing that one of the virtual registers necessary for async generators is missing for top-level await and so the register ID is a nullptr.
If the async generator is wrapped in an (async function() {})(), then it no longer happens.
I wasn't able to reproduce this in Safari, though it seemed like the `<script type="module">` with this code never executed (it never logged anything).
See also: https://github.com/oven-sh/bun/issues/605
```js
function countUp(count) {
  let value = 0;
  const q = {
    async next() {
      if (value === count) {
        return {
          done: true,
          value: undefined,
        };
      }
      value++;
      return {
        done: false,
        value,
      };
    },
  };
  return {
    [Symbol.asyncIterator]: () => q,
  };
}

for await (const i of countUp(10)) {
  console.log(i);
}
```
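The following is an added example, not part of the bug report: the same hand-rolled async iterable, consumed inside an async function instead of via top-level `await`, which is the workaround the reporter observed does not crash. It also adds a variant with a `return()` method (not in the original reproducer) so the iterator-close path that appears in the crash trace (`emitIteratorGenericClose`) can be observed from JavaScript when the loop exits early. `countUpClosable`, `collect` and `takeFirst` are names chosen for this example.

```javascript
// Async iterable from the report: an object whose next() resolves to
// { done, value } and whose [Symbol.asyncIterator] returns that object.
function countUp(count) {
  let value = 0;
  const q = {
    async next() {
      if (value === count) {
        return { done: true, value: undefined };
      }
      value++;
      return { done: false, value };
    },
  };
  return { [Symbol.asyncIterator]: () => q };
}

// Variant (not in the report) that also implements return(), which
// for-await calls when the loop ends abruptly (break, return, throw).
// `state.closed` records whether that close hook ran.
function countUpClosable(count) {
  let value = 0;
  const state = { closed: false };
  const q = {
    async next() {
      if (value === count) {
        return { done: true, value: undefined };
      }
      value++;
      return { done: false, value };
    },
    async return() {
      state.closed = true;
      return { done: true, value: undefined };
    },
  };
  return { [Symbol.asyncIterator]: () => q, state };
}

// The reporter's workaround: run for-await inside an async function so the
// loop is emitted in a regular async function body, not top-level module code.
async function collect(iterable) {
  const out = [];
  for await (const i of iterable) {
    out.push(i);
  }
  return out;
}

// Leaves the loop early via break, which makes for-await invoke the
// iterator's return() (if present) before the loop completes.
async function takeFirst(iterable, n) {
  const taken = [];
  for await (const i of iterable) {
    taken.push(i);
    if (taken.length === n) break;
  }
  return taken;
}

// Stand-alone run: equivalent of the report's script without top-level await.
(async function () {
  console.log(await collect(countUp(10)));
  const closable = countUpClosable(10);
  console.log(await takeFirst(closable, 2), closable.state);
})();
```

Run it with `node example.js` or `jsc example.js` (no `-m` needed, since nothing is at module top level); with `-m` in a crashing build, the difference from the report's script is only where the `for await` sits.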
Alexey Proskuryakov
I can reproduce a crash on macOS, although the signature appears to be different.
```
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x0000000000000004)
[ 0] 0x00000001a0652b14 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 120
    0x00000001a0652b04: ldrb w9, [x9, #0x2a]
    0x00000001a0652b08: mov w10, #-0x6001
    0x00000001a0652b0c: lsr w9, w10, w9
    0x00000001a0652b10: and w23, w9, #0x1
 -> 0x00000001a0652b14: ldr w24, [x8, #0x4]
    0x00000001a0652b18: ldr w25, [x0, #0x4]
    0x00000001a0652b1c: mov x0, x19
    0x00000001a0652b20: mov x1, x24
    0x00000001a0652b24: mov x2, x23
[ 1] 0x00000001a0652af3 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 87
[ 2] 0x00000001a06533c3 JavaScriptCore`JSC::BytecodeGenerator::emitYield(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 35
[ 3] 0x00000001a064f7c7 JavaScriptCore`JSC::BytecodeGenerator::emitIteratorGenericClose(JSC::RegisterID*, JSC::ThrowableExpressionData const*, JSC::EmitAwait) + 1267
[ 4] 0x00000001a064de47 JavaScriptCore`JSC::BytecodeGenerator::emitGenericEnumeration(JSC::ThrowableExpressionData*, JSC::ExpressionNode*, WTF::ScopedLambda<void (JSC::BytecodeGenerator&, JSC::RegisterID*)> const&, JSC::ForOfNode*, JSC::RegisterID*) + 2591
[ 5] 0x00000001a0672017 JavaScriptCore`JSC::ForOfNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) + 211
```
Radar WebKit Bug Importer
<rdar://problem/96904926>
Yusuke Suzuki
Oops, opened a bug and the fix is in https://bugs.webkit.org/show_bug.cgi?id=242670
Yusuke Suzuki
Fixed in bug 242670, thank you!!!
*** This bug has been marked as a duplicate of bug 242670 ***