From ffcff9c61204fe66394dbb40958a9f77421fd356 Mon Sep 17 00:00:00 2001
From: Claude Bot
Date: Mon, 24 Nov 2025 00:38:26 +0000
Subject: [PATCH] test(regression): add repro for ENG-21644 JSC butterfly null crash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
JSC Butterfly null pointer dereference when Array.prototype.splice calls valueOf on an object whose valueOf recursively modifies and deletes properties. Related to WebKit bug 303015.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
test/regression/issue/ENG-21644.test.ts | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 test/regression/issue/ENG-21644.test.ts
diff --git a/test/regression/issue/ENG-21644.test.ts b/test/regression/issue/ENG-21644.test.ts
new file mode 100644
index 0000000000..1d0013e47c
--- /dev/null
+++ b/test/regression/issue/ENG-21644.test.ts
@@ -0,0 +1,24 @@
+import { expect, test } from "bun:test";
+
+// ENG-21644: JSC Butterfly null pointer dereference
+// When Array.prototype.splice calls valueOf on an object whose valueOf
+// recursively modifies and deletes properties, the butterfly becomes null.
+// This is a JavaScriptCore bug at Butterfly.h:182.
+// Related to WebKit bug https://bugs.webkit.org/show_bug.cgi?id=303015
+
+test("splice with valueOf that recursively deletes properties should not crash", () => {
+ // This test documents a JSC bug - it currently crashes bun-debug
+ // The test is expected to throw (stack overflow) but should NOT segfault
+ const Cls = class {
+ valueOf(): number {
+ (this as any).h = this;
+ delete (this as any).h;
+ return this.valueOf();
+ }
+ };
+ const obj = new Cls();
+
+ expect(() => {
+ [807983515].splice(obj as unknown as number);
+ }).toThrow(); // Stack overflow, but not crash
+});
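Review bot: The bare `toThrow()` on the final expect accepts any exception, so the regression test would still pass if splice failed for an unrelated reason (a TypeError from argument coercion, say) instead of the stack overflow the comment describes; pin the expected failure with `}).toThrow(RangeError); // stack exhaustion, not a segfault` (JSC reports stack overflow as a RangeError — confirm against bun's actual error type before relying on it). The two `(this as any).h` casts in valueOf are avoidable: declaring `h?: unknown;` on the class keeps both the assignment and the `delete` legal under strict mode without `any`. The inline comment states the test currently crashes bun-debug; if that is still true when this merges, the test should be marked as expected-failing or skipped on debug builds so the suite does not go red until the upstream JSC fix lands.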