Bug 242638

Summary: Segfault with top-level await using async generator
Product: WebKit
Reporter: Jarred Sumner <jarred>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: saam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Jarred Sumner 2022-07-12 05:14:13 PDT
To reproduce, run the script below in the `jsc` shell with the `-m` flag.

The crash happens in JSC::VirtualRegister::VirtualRegister(), guessing that one of the virtual registers necessary for async generators is missing for top-level await and so the register ID is a nullptr.

If the async generator is wrapped in an (async function() {})(), then it no longer happens.

I wasn't able to reproduce this in Safari, though it seemed like the <script type="module"> with this code never executed (it never logged anything).

See also: https://github.com/oven-sh/bun/issues/605


// Minimal async iterable: yields 1..count, then reports done.
function countUp(count) {
  let value = 0;

  const q = {
    async next() {
      if (value === count) {
        return {
          done: true,
          value: undefined,
        };
      }

      value++;

      return {
        done: false,
        value,
      };
    },
  };

  return {
    [Symbol.asyncIterator]: () => q,
  };
}

// Top-level `for await` in a module: this is the form that crashes jsc -m.
for await (const i of countUp(10)) {
  console.log(i);
}
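An added example, not from the bug report or the WebKit project: the reporter's countUp() iterable extended with a return() method so the iterator-close path that appears in the crash stack (emitIteratorGenericClose, reached from ForOfNode::emitBytecode) can be observed. Each loop is wrapped in an async function, which is the form the reporter says does not crash jsc. The log array, the return() method and the drain* helpers are assumptions added for illustration; the iteration protocol itself is standard ECMAScript and runs under node as well as jsc.

```javascript
// Added example, not code from the bug report. countUp() is the reporter's
// iterable plus a `return()` method and a call log (both assumptions here)
// so the iterator-close path taken by `for await` can be observed.
function countUp(count) {
  let value = 0;
  const log = []; // records protocol calls: "next" / "return"

  const q = {
    async next() {
      log.push("next");
      if (value === count) return { done: true, value: undefined };
      value++;
      return { done: false, value };
    },
    // for-await calls this (AsyncIteratorClose) when the loop body exits
    // early via break, return or throw; it is not called on normal completion.
    async return(v) {
      log.push("return");
      return { done: true, value: v };
    },
  };

  return { [Symbol.asyncIterator]: () => q, log };
}

// Drains the iterable fully. Expect count + 1 next() calls, no return().
async function drainAll(n) {
  const it = countUp(n);
  const seen = [];
  for await (const i of it) seen.push(i);
  return { seen, log: it.log };
}

// Breaks out after `stop` items, exercising the close path with a normal
// (break) completion.
async function drainUntil(n, stop) {
  const it = countUp(n);
  const seen = [];
  for await (const i of it) {
    seen.push(i);
    if (i === stop) break;
  }
  return { seen, log: it.log };
}

// Throws from the loop body: for-await still awaits return() before the
// error propagates, which is the throw-completion variant of the same path.
async function drainThrow(n) {
  const it = countUp(n);
  try {
    for await (const i of it) {
      if (i === 1) throw new Error("boom");
    }
  } catch (e) {
    return { error: e.message, log: it.log };
  }
  return { error: null, log: it.log };
}

// Stand-alone run: prints {"seen":[1,2,3],"log":["next","next","next","return"]}
drainUntil(10, 3).then((r) => console.log(JSON.stringify(r)));
```

The bytecode for every `for await` loop has to include the close path even when the loop body never exits early, which is why the plain reproducer above reaches emitIteratorGenericClose during compilation, before any iteration happens.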
Comment 1 Alexey Proskuryakov 2022-07-12 12:47:42 PDT
I can reproduce a crash on macOS, although the signature appears to be different.

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x0000000000000004)
[  0] 0x00000001a0652b14 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 120

     0x00000001a0652b04:     ldrb w9, [x9, #0x2a]
     0x00000001a0652b08:      mov w10, #-0x6001
     0x00000001a0652b0c:      lsr w9, w10, w9
     0x00000001a0652b10:      and w23, w9, #0x1
 ->  0x00000001a0652b14:      ldr w24, [x8, #0x4]
     0x00000001a0652b18:      ldr w25, [x0, #0x4]
     0x00000001a0652b1c:      mov x0, x19
     0x00000001a0652b20:      mov x1, x24
     0x00000001a0652b24:      mov x2, x23

[  1] 0x00000001a0652af3 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 87
[  2] 0x00000001a06533c3 JavaScriptCore`JSC::BytecodeGenerator::emitYield(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 35
[  3] 0x00000001a064f7c7 JavaScriptCore`JSC::BytecodeGenerator::emitIteratorGenericClose(JSC::RegisterID*, JSC::ThrowableExpressionData const*, JSC::EmitAwait) + 1267
[  4] 0x00000001a064de47 JavaScriptCore`JSC::BytecodeGenerator::emitGenericEnumeration(JSC::ThrowableExpressionData*, JSC::ExpressionNode*, WTF::ScopedLambda<void (JSC::BytecodeGenerator&, JSC::RegisterID*)> const&, JSC::ForOfNode*, JSC::RegisterID*) + 2591
[  5] 0x00000001a0672017 JavaScriptCore`JSC::ForOfNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) + 211
Comment 2 Radar WebKit Bug Importer 2022-07-12 12:47:52 PDT
<rdar://problem/96904926>
Comment 3 Yusuke Suzuki 2022-07-12 19:26:16 PDT
Oops, opened a bug and fix is in https://bugs.webkit.org/show_bug.cgi?id=242670
Comment 4 Yusuke Suzuki 2022-07-12 19:38:53 PDT
Fixed in bug 242670, thank you!!!

*** This bug has been marked as a duplicate of bug 242670 ***