mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-09 10:28:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(regression): add repro for ENG-21644 JSC butterfly null crash

Browse Source 
JSC Butterfly null pointer dereference when Array.prototype.splice
calls valueOf on an object whose valueOf recursively modifies and
deletes properties. Related to WebKit bug 303015.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Bot
2025-11-24 00:38:26 +00:00
parent f31db64bd4
commit ffcff9c612
1 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
test/regression/issue/ENG-21644.test.ts Normal file
View File

@@ -0,0 +1,24 @@
import { expect, test } from "bun:test";
// ENG-21644: JSC Butterfly null pointer dereference
// When Array.prototype.splice calls valueOf on an object whose valueOf
// recursively modifies and deletes properties, the butterfly becomes null.
// This is a JavaScriptCore bug at Butterfly.h:182.
// Related to WebKit bug https://bugs.webkit.org/show_bug.cgi?id=303015
test("splice with valueOf that recursively deletes properties should not crash", () => {
// This test documents a JSC bug - it currently crashes bun-debug
// The test is expected to throw (stack overflow) but should NOT segfault
const Cls = class {
valueOf(): number {
(this as any).h = this;
delete (this as any).h;
return this.valueOf();
}
};
const obj = new Cls();
expect(() => {
[807983515].splice(obj as unknown as number);
}).toThrow(); // Stack overflow, but not crash
});