[Webkit-unassigned] [Bug 242638] New: Segfault with top-level await using async generator
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jul 12 05:14:13 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=242638
Bug ID: 242638
Summary: Segfault with top-level await using async generator
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jarred at jarredsumner.com
To reproduce, run the script below in the `jsc` shell with `-m` flag
The crash happens in JSC::VirtualRegister::VirtualRegister(), guessing that one of the virtual registers necessary for async generators is missing for top-level await and so the register ID is a nullptr.
If the async generator is wrapped in an (async function() {})(), then it no longer happens.
I wasn't able to reproduce this in Safari, though it seemed like the <script type="module"> with this code never executed (it never logged anything).
See also: https://github.com/oven-sh/bun/issues/605
function countUp(count) {
let value = 0;
const q = {
async next() {
if (value === count) {
return {
done: true,
value: undefined,
};
}
value++;
return {
done: false,
value,
};
},
};
return {
[Symbol.asyncIterator]: () => q,
};
}
for await (const i of countUp(10)) {
console.log(i);
}
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220712/16b2e277/attachment-0001.htm>
More information about the webkit-unassigned
mailing list