oven-sh
Bun panic on `hasOwnProperty` call with custom `valueOf` and async `Bun.$` call
How can we reproduce the crash?
Hi, I would like to report a crash in Bun which can be reproduced by running the following PoC:
var obj = {};
var wrapper = {
valueOf: function () {
(async function () {
const output = await (Bun.$)`pwd`.text();
console.log(output);
})();
},
toString: null
};
Object.defineProperty(Array.prototype, "0", {
set: function (v) {
throw Error()
}
});
console.log(obj.hasOwnProperty(wrapper))
Relevant log output
Bun v1.2.14 (6a363a38) Windows x64
Windows v.win11_dt
CPU: sse42 avx avx2 avx512
Args: "C:\Users\Kevin\.bun\bin\bun.exe" "run" ".\toreport_chunk33_round10_bun_panic.js"
Features: jsc
Builtins: "bun:main"
Elapsed: 105ms | User: 31ms | Sys: 46ms
RSS: 103.50MB | Peak: 103.50MB | Commit: 0.15GB | Faults: 25488
panic(main thread): Segmentation fault at address 0x5
oh no: Bun has crashed. This indicates a bug in Bun, not your code.
To send a redacted crash report to Bun's team,
please file a GitHub issue using the link below:
https://bun.report/1.2.14/wr16a363a3AgggQkllhvBys/nqB8k3wqBmtqrnBy8r10B67z2wB2nz2wBu7qluCykpluCkk6mvCA2AK
Stack Trace (bun.report)
Bun v1.2.14 (6a363a3) on windows x86_64 [RunCommand]
Segmentation fault at address 0x00000005
-
MarkedSpace.cpp:108:JSC::\anonymous namespace'::sizeClasses` -
ZigGeneratedClasses+lazyStructureImpl.h:268:Zig::GlobalObject::initGeneratedLazyClasses::<lambda_45>::operator() -
PropertyName.h:151:JSC::fastIsCanonicalNumericIndexString -
V8Number.cpp:16:v8::Number::Value -
neon.h:104420:simde_mm_movemask_epi8 -
DisallowVMEntry.h:58:JSC::DisallowVMEntryImpl<JSC::VM>::~DisallowVMEntryImpl -
JSCJSValueInlines.h:563:JSC::JSValue::isCell -
InPlaceInterpreter.cpp:144:JSC::IPInt::initialize -
InPlaceInterpreter.cpp:141:JSC::IPInt::initialize -
X86Assembler.h:3113:JSC::X86Assembler::movq_mr
Features: jsc
Sentry Issue: BUN-MCJ
@kevgeoleo, the latest version of Bun is v1.2.16, but this crash was reported on Bun v1.2.14.
Are you able to reproduce this crash on the latest version of Bun?
bun upgrade
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Yes it is reproducible on 1.2.16 as well
PS D:\HIWI\test262_May22\reduced2> bun -v
1.2.16
PS D:\HIWI\test262_May22\reduced2> bun run .\toreport_chunk33_round10_bun_panic.js
============================================================
Bun v1.2.16 (631e6748) Windows x64
Windows v.win11_dt
CPU: sse42 avx avx2 avx512
Args: "C:\Users\Kevin\.bun\bin\bun.exe" "run" ".\toreport_chunk33_round10_bun_panic.js"
Features: jsc
Builtins: "bun:main"
Elapsed: 72ms | User: 15ms | Sys: 78ms
RSS: 109.36MB | Peak: 109.36MB | Commit: 0.36GB | Faults: 26933
panic(main thread): Segmentation fault at address 0x5
oh no: Bun has crashed. This indicates a bug in Bun, not your code.
To send a redacted crash report to Bun's team,
please file a GitHub issue using the link below:
https://bun.report/1.2.16/wr1631e674AgggQkm3uvByuhzqB8rq8qBmq21nBy4tg1B6k2jxB2w1jxBut7lvCy25lvCk0n1vCA2AK
Found 2 possible duplicate issues:
- https://github.com/oven-sh/bun/issues/20514
- https://github.com/oven-sh/bun/issues/18004
This issue will be automatically closed as a duplicate in 3 days.
- If your issue is a duplicate, please close it and 👍 the existing issue instead
- To prevent auto-closure, add a comment or 👎 this comment
🤖 Generated with Claude Code
Duplicate of #20514.
This issue has been automatically closed as a duplicate.
If this is incorrect, please re-open this issue or create a new one.
🤖 Generated with Claude Code