WebKit Bugzilla
Bug 242638 - Segfault with top-level await using async generator
Status: RESOLVED DUPLICATE of bug 242670
https://bugs.webkit.org/show_bug.cgi?id=242638
Jarred Sumner
Reported
2022-07-12 05:14:13 PDT
To reproduce, run the script below in the `jsc` shell with the `-m` flag. The crash happens in JSC::VirtualRegister::VirtualRegister(), guessing that one of the virtual registers necessary for async generators is missing for top-level await and so the register ID is a nullptr. If the async generator is wrapped in an (async function() {})(), then it no longer happens. I wasn't able to reproduce this in Safari, though it seemed like the <script type="module"> with this code never executed (it never logged anything). See also:
https://github.com/oven-sh/bun/issues/605
    // Hand-written async iterable: yields 1..count, then reports done.
    function countUp(count) {
      let value = 0;
      const q = {
        async next() {
          if (value === count) {
            return { done: true, value: undefined };
          }
          value++;
          return { done: false, value };
        },
      };
      return { [Symbol.asyncIterator]: () => q };
    }

    // for-await at module top level (top-level await); this is the form that crashes jsc -m.
    for await (const i of countUp(10)) {
      console.log(i);
    }
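The report says the crash disappears when the loop is wrapped in an async function. As an added example (not part of the bug report or of WebKit), here is the reporter's countUp() iterable unchanged, consumed in that wrapped form, plus the equivalent hand-driven iterator protocol as a cross-check that the done/value contract of the iterable is what the loop sees. The function names collectWrapped and collectManual are this example's own; it runs under Node without any module flag.

```javascript
// Added example, not code from the bug report: the reporter's countUp()
// iterable consumed inside an async function (the workaround described in
// the report) instead of at module top level.

// Hand-written async iterable, same shape as the reporter's reproducer.
function countUp(count) {
  let value = 0;
  const q = {
    async next() {
      if (value === count) {
        return { done: true, value: undefined };
      }
      value++;
      return { done: false, value };
    },
  };
  return { [Symbol.asyncIterator]: () => q };
}

// Workaround form: the for-await loop sits inside an async function body,
// so no top-level await is involved. Returns the values seen, in order.
async function collectWrapped(count) {
  const seen = [];
  for await (const i of countUp(count)) {
    seen.push(i);
  }
  return seen;
}

// The same consumer written against the raw async-iterator protocol (what
// for-await does for us): call next() until done is true.
async function collectManual(count) {
  const seen = [];
  const it = countUp(count)[Symbol.asyncIterator]();
  for (;;) {
    const { done, value } = await it.next();
    if (done) break;
    seen.push(value);
  }
  return seen;
}

// Stand-alone run: print the ten values and confirm both consumers agree.
collectWrapped(10).then(async (wrapped) => {
  const manual = await collectManual(10);
  const same = wrapped.length === manual.length && wrapped.every((v, k) => v === manual[k]);
  console.log(wrapped.join(' '));
  console.log(same ? 'consumers agree' : 'MISMATCH');
});
```

Both consumers return [1, 2, ..., 10] for count 10 and an empty array for count 0; only the enclosing scope of the loop differs from the reporter's script.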
Alexey Proskuryakov
Comment 1
2022-07-12 12:47:42 PDT
I can reproduce a crash on macOS, although the signature appears to be different.

    Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x0000000000000004)
    [ 0] 0x00000001a0652b14 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 120
        0x00000001a0652b04: ldrb w9, [x9, #0x2a]
        0x00000001a0652b08: mov w10, #-0x6001
        0x00000001a0652b0c: lsr w9, w10, w9
        0x00000001a0652b10: and w23, w9, #0x1
     -> 0x00000001a0652b14: ldr w24, [x8, #0x4]
        0x00000001a0652b18: ldr w25, [x0, #0x4]
        0x00000001a0652b1c: mov x0, x19
        0x00000001a0652b20: mov x1, x24
        0x00000001a0652b24: mov x2, x23
    [ 1] 0x00000001a0652af3 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 87
    [ 2] 0x00000001a06533c3 JavaScriptCore`JSC::BytecodeGenerator::emitYield(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 35
    [ 3] 0x00000001a064f7c7 JavaScriptCore`JSC::BytecodeGenerator::emitIteratorGenericClose(JSC::RegisterID*, JSC::ThrowableExpressionData const*, JSC::EmitAwait) + 1267
    [ 4] 0x00000001a064de47 JavaScriptCore`JSC::BytecodeGenerator::emitGenericEnumeration(JSC::ThrowableExpressionData*, JSC::ExpressionNode*, WTF::ScopedLambda<void (JSC::BytecodeGenerator&, JSC::RegisterID*)> const&, JSC::ForOfNode*, JSC::RegisterID*) + 2591
    [ 5] 0x00000001a0672017 JavaScriptCore`JSC::ForOfNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) + 211
Radar WebKit Bug Importer
Comment 2
2022-07-12 12:47:52 PDT
<rdar://problem/96904926>
Yusuke Suzuki
Comment 3
2022-07-12 19:26:16 PDT
Oops, opened a bug and fix is in
https://bugs.webkit.org/show_bug.cgi?id=242670
Yusuke Suzuki
Comment 4
2022-07-12 19:38:53 PDT
Fixed in bug 242670, thank you!!!

*** This bug has been marked as a duplicate of bug 242670 ***