Bug 257091

Stack trace: ``` WTFCrashWithInfo(int, char const*, char const*, int) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/wtf/Assertions.h:758) JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (@JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode):67) JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/LocalAllocatorInlines.h:41) JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&, unsigned long) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/FreeListInlines.h:44) JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/LocalAllocatorInlines.h:38) JSC::GCClient::IsoSubspace::allocate(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/IsoSubspaceInlines.h:34) void* JSC::tryAllocateCellHelper<JSC::JSString, (JSC::AllocationFailureMode)0>(JSC::VM&, unsigned long, JSC::GCDeferralContext*) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/JSCellInlines.h:190) void* JSC::allocateCell<JSC::JSString>(JSC::VM&, unsigned long) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/JSCellInlines.h:206) JSC::JSString::create(JSC::VM&, WTF::Ref<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>>&&) (/Users/jarred/Code/bun/node_modules/bun-webkit-macos-arm64/include/JavaScriptCore/JSString.h:187) JSC::JSFunction::originalName(JSC::JSGlobalObject*) (@JSC::JSFunction::originalName(JSC::JSGlobalObject*):253) JSC::JSBoundFunction::nameSlow(JSC::VM&) (@JSC::JSBoundFunction::nameSlow(JSC::VM&):47) JSC::JSFunction::name(JSC::VM&) (@JSC::JSFunction::name(JSC::VM&):58) JSC::getCalculatedDisplayName(JSC::VM&, JSC::JSObject*) (@JSC::getCalculatedDisplayName(JSC::VM&, JSC::JSObject*):65) JSC::StackFrame::functionName(JSC::VM&) const (@JSC::StackFrame::functionName(JSC::VM&) const:43) JSC::StackFrame::toString(JSC::VM&) const (@JSC::StackFrame::toString(JSC::VM&) const:13) JSC::Interpreter::stackTraceAsString(JSC::VM&, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (@JSC::Interpreter::stackTraceAsString(JSC::VM&, WTF::Vector<JSC::StackFrame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&):35) JSC::ErrorInstance::computeErrorInfo(JSC::VM&) (@JSC::ErrorInstance::computeErrorInfo(JSC::VM&):23) JSC::Heap::finalizeUnconditionalFinalizers() (@JSC::Heap::finalizeUnconditionalFinalizers():306) JSC::Heap::runEndPhase(JSC::GCConductor) (@JSC::Heap::runEndPhase(JSC::GCConductor):355) JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) (@JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*):97) WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_25>::implFunction(void*, JSC::CurrentThreadState&) (@WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_25>::implFunction(void*, JSC::CurrentThreadState&):12) JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) (@JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&):45) JSC::Heap::collectInMutatorThread() (@JSC::Heap::collectInMutatorThread():27) JSC::Heap::waitForCollection(unsigned long long) (@JSC::Heap::waitForCollection(unsigned long long):42) JSC::Heap::collectSync(JSC::GCRequest) (@JSC::Heap::collectSync(JSC::GCRequest):30) ``` Still trying to reproduce in JSC shell Here is code which **does not reproduce it** (I tried a variation that imported it in another file, called Loader.registry.clear() and that didn't reproduce it either) ``` const gc = globalThis.fullGC || (() => Bun.gc(true)); // import { bench, run } from "../../node_modules/mitata/src/cli.mjs"; globalThis.a = 0; const count = 1000; Error.stackTraceLimit = 100; globalThis.veryLongName = "super long name".repeat(999_999).split("").join(""); for (let i = 0; i < count; i++) { (function () { var errors = new Array(count); globalThis.errors = errors; try { globalThis.a = 0; eval(` var veryLongFunctionA; veryLongFunctionA = function veryLongFunctionName(remaining) { if (remaining-- === 0) { var capturedStack; try { throw new Error(); } catch(e) { capturedStack = e.stack; } throw new Error("i threw! " + veryLongName); } globalThis.a += 1; return veryLongFunction(remaining, undefined); }; globalThis.veryLongFunctionA = veryLongFunctionA; Object.defineProperty(veryLongFunction = veryLongFunction.bind(undefined), "name", { value: "veryLongFunction" + veryLongName, configurable: true, writable: true, }); globalThis.veryLongFunction = veryLongFunction; var j = 0; var veryLongFunction = veryLongFunctionA; veryLongFunction(1000); `); } catch (e) { errors.push(e); } delete globalThis.errors; })(); gc(); } ``` More context: https://github.com/oven-sh/bun/issues/198#issuecomment-1555961906