Fixes a JSCell assertion failure that occurs when calling process.nextTick()
inside a recursive method that hits the JavaScript stack limit.
The bug manifests as:
```
ASSERTION FAILED: isSymbol() || isHeapBigInt()
vendor/WebKit/Source/JavaScriptCore/runtime/JSCell.cpp(252) :
JSString *JSC::JSCell::toStringSlowCase(JSGlobalObject *) const
```
Minimal reproducer:
```javascript
const obj = {
  o() {
    try { this.o(); } catch (e) {} // Recurse until stack overflow
    try { process.nextTick(() => {}); } catch (e) {}
  },
};
obj.o();
```
Root Cause Analysis:
When a stack overflow exception occurs and process.nextTick() is subsequently
called, the error formatting code attempts to generate a stack trace. During
this process, toString() methods are called on JSCell objects to extract
function names and source URLs. However, after a stack overflow, some of
these JSCell references may be in an invalid state, causing the assertion
to fail when toStringSlowCase() is called on a cell that is neither a
Symbol nor a HeapBigInt.
Changes Made:
1. **ZigException.cpp**: Added exception checking after all toWTFString()
calls in exceptionFromString() to handle cases where string conversion
fails.
2. **ErrorStackTrace.cpp**: Modified functionName() to use jsDynamicCast
for safer type checking and added immediate exception handling after
JSString::value() calls.
3. **CallSite.cpp**: Added comprehensive exception handling in
formatAsString() after toStringOrNull() and getString() calls to
prevent crashes when formatting corrupted call sites.
4. **Test**: Added regression test (marked as .todo) documenting the
issue and expected behavior.
Status:
These changes improve error handling robustness and prevent some crashes,
but do not fully resolve the underlying memory corruption issue. The root
cause appears to be that stack overflow exceptions can leave JSCell objects
in an invalid state that persists into subsequent operations.
Further investigation is needed into:
- How JSC handles stack overflow exceptions
- Whether additional GC safepoints are needed before nextTick operations
- If stack trace generation should be skipped or simplified when the VM
is in a corrupted state
Partial fix for the reported assertion failure. The defensive checks prevent
some crashes but the test remains marked as .todo pending a complete solution.
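
A crash-regression check for the reproducer above, as an added example (not the regression test from this commit and not Bun's own code): it runs the script in a child process and classifies the outcome using the assertion text quoted in the message. The `runtime` path, the function names, and passing the script with `-e` are assumptions of this example.

```javascript
// Added example: detect the JSCell assertion (or any native crash) when the
// reproducer is run in isolation. Signature copied from the message above.
const ASSERTION_SIGNATURE = "ASSERTION FAILED: isSymbol() || isHeapBigInt()";

// The minimal reproducer, run in a child process so that a native abort
// cannot take down the test runner itself.
const REPRODUCER = `
const obj = {
  o() {
    try { this.o(); } catch (e) {}
    try { process.nextTick(() => {}); } catch (e) {}
  },
};
obj.o();
`;

// Classify a finished child process. `result` has the shape returned by
// child_process.spawnSync: { status, signal, stderr }.
function classifyRun(result) {
  const stderr = String(result.stderr ?? "");
  if (stderr.includes(ASSERTION_SIGNATURE)) return "assertion";
  // A failed debug assertion usually ends in abort(); treat any death by
  // signal as a crash even when the assertion text is missing.
  if (result.signal) return "crash:" + result.signal;
  if (result.status !== 0) return "exit:" + result.status;
  return "ok";
}

// Run the reproducer under `runtime` (path to the binary under test, for
// example a debug build; assumed to accept `-e <script>`).
async function runReproducer(runtime, timeoutMs = 30000) {
  // Dynamic import works from both CommonJS and ES module files.
  const { spawnSync } = await import("node:child_process");
  const result = spawnSync(runtime, ["-e", REPRODUCER], {
    encoding: "utf8",
    timeout: timeoutMs,
  });
  if (result.error) {
    if (result.error.code === "ETIMEDOUT") return "timeout";
    throw result.error; // e.g. ENOENT when the runtime path is wrong
  }
  return classifyRun(result);
}
```

A regression test would assert that `await runReproducer(pathToBinary)` resolves to `"ok"`; the assertion itself only fires in builds that have assertions enabled, which is why signal deaths are reported separately.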
Tests
Finding tests
Tests are located in the test/ directory and are organized using the following structure:
- test/
  - js/ - tests for JavaScript APIs.
  - cli/ - tests for commands, configs, and stdout.
  - bundler/ - tests for the transpiler/bundler.
  - regression/ - tests that reproduce a specific issue.
  - harness.ts - utility functions that can be imported from any test.
The tests in the test/js/ directory are further categorized by the type of API.
- test/js/
  - bun/ - tests for Bun-specific APIs.
  - node/ - tests for Node.js APIs.
  - web/ - tests for Web APIs, like fetch().
  - first_party/ - tests for npm packages that are built-in, like undici.
  - third_party/ - tests for npm packages that are not built-in, but are popular, like esbuild.
Running tests
To run a test, use Bun's built-in test command: bun test.
```bash
bun test                  # Run all tests
bun test js/bun           # Only run tests in a directory
bun test sqlite.test.ts   # Only run a specific test
```
If you encounter lots of errors, try running bun install, then try again.
Writing tests
Tests are written in TypeScript (preferred) or JavaScript using Jest's describe(), test(), and expect() APIs.
```ts
import { describe, test, expect } from "bun:test";
import { gcTick } from "harness";

describe("TextEncoder", () => {
  test("can encode a string", async () => {
    const encoder = new TextEncoder();
    const actual = encoder.encode("bun");
    await gcTick();
    // toEqual() compares contents; toBe() checks identity and would
    // always fail against a freshly constructed Uint8Array.
    expect(actual).toEqual(new Uint8Array([0x62, 0x75, 0x6e]));
  });
});
```
If you are fixing a bug that was reported from a GitHub issue, remember to add a test in the test/regression/ directory.
```ts
// test/regression/issue/02005.test.ts
import { it, expect } from "bun:test";

it("regex literal should work with non-latin1", () => {
  const text = "这是一段要替换的文字";
  expect(text.replace(new RegExp("要替换"), "")).toBe("这是一段的文字");
  expect(text.replace(/要替换/, "")).toBe("这是一段的文字");
});
```
In the future, a bot will automatically close or re-open issues when a regression is detected or resolved.
Zig tests
These tests live in various .zig files throughout Bun's codebase, leveraging Zig's built-in test keyword.
Currently, they are not run automatically, nor is there a simple way to run all of them. We will make this better soon.
TypeScript
Test files should be written in TypeScript. The types in packages/bun-types should be updated to support all new APIs. Changes to the .d.ts files in packages/bun-types will be immediately reflected in test files; no build step is necessary.
Writing a test will often require using invalid syntax, e.g. when checking for errors when an invalid input is passed to a function. TypeScript provides a number of escape hatches here.
- // @ts-expect-error - This should be your first choice. It tells TypeScript that the next line should fail typechecking.
- // @ts-ignore - Ignore the next line entirely.
- // @ts-nocheck - Put this at the top of the file to disable typechecking on the entire file. Useful for autogenerated test files, or when ignoring/disabling type checks on a per-line basis is too onerous.