Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LibJS: Crash in GeneratorObject::execute on github.com #24356

Closed
shannonbooth opened this issue May 18, 2024 · 0 comments · Fixed by #24362
Closed

LibJS: Crash in GeneratorObject::execute on github.com #24356

shannonbooth opened this issue May 18, 2024 · 0 comments · Fixed by #24362
Labels
bug Something isn't working has-repro We have a way to reproduce this bug. reduction-of-web-content Issue has a simplified reduction based on real-world web content. regression

Comments

@shannonbooth
Copy link
Member

shannonbooth commented May 18, 2024
edited

Steps to reproduce:

  1. Visit https://github.com/SerenityOS/serenity
  2. Click on "pull requests" button

It looks like GeneratorObject::execute is getting called and the "continuation" in the generated continuation is the empty object. This results in a "is_number" verification failure, indicating a probable bytecode bug.

The responsible JS function from github is:

async perform(){var e,t;let{fetchOptions:s}=this;null===(t=(e=this.delegate).prepareHeadersForRequest)||void 0===t||t.call(e,this.headers,this),await this.allowRequestToBeIntercepted(s);try{this.delegate.requestStarted(this);let e=await fetch(this.url.href,s);return await this.receive(e)}catch(e){if("AbortError"!==e.name)throw this.willDelegateErrorHandling(e)&&this.delegate.requestErrored(this,e),e}finally{this.delegate.requestFinished(this)}

Using that minimized JS I came up with this standalone reproducer JS:

async function perform() {
    try {
        return {y: 5};
    } finally {
    }
}

perform()
@shannonbooth shannonbooth added bug Something isn't working regression has-repro We have a way to reproduce this bug. reduction-of-web-content Issue has a simplified reduction based on real-world web content. labels May 18, 2024
shannonbooth added a commit to shannonbooth/serenity that referenced this issue May 18, 2024
@shannonbooth
Revert "LibJS: Make return control flow more static"
f60734f 
This reverts commit c8e4499.

I don't understand why, but this is causing the crash seen in SerenityOS#24356.
@shannonbooth shannonbooth mentioned this issue May 18, 2024
Closed
@Hendiadyoin1 Hendiadyoin1 mentioned this issue May 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working has-repro We have a way to reproduce this bug. reduction-of-web-content Issue has a simplified reduction based on real-world web content. regression
Projects
Ladybird
Status: Done
Milestone
No milestone
1 participant
@shannonbooth