Found with Fuzzilli. Original crash: attachment `program_20240409052048_0C492C66-D7D1-4480-817A-E681B77B7C06_flaky.js.txt` (only an upload placeholder survived; the link is empty). Minified by @ttrssreal:
// Minified reproducer: a class with a static initialization block is declared inside a function body, and the function is then invoked.
function f(){ class C { static { let a = 0 } } } f();
ASan output (SEGV on a write to address 0 in `JS::Bytecode::Interpreter::run_bytecode()`, Interpreter.cpp:345; the faulting frame is reached through `JS::call` from `ClassExpression::create_class_constructor`, AST.cpp:437 — presumably while running the class's static initialization block):
AddressSanitizer:DEADLYSIGNAL ================================================================= ==67805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdca16f6ace bp 0x7fff5a04d0b0 sp 0x7fff5a04cee0 T0) ==67805==The signal is caused by a WRITE memory access. ==67805==Hint: address points to the zero page. #0 0x7fdca16f6ace in JS::Bytecode::Interpreter::run_bytecode() /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:345:79 #1 0x7fdca16f3b8a in JS::Bytecode::Interpreter::run_and_return_frame(JS::Bytecode::Executable&, JS::Bytecode::BasicBlock const*, JS::Bytecode::CallFrame*) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:494:5 #2 0x7fdca1bdb253 in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:1234:55 #3 0x7fdca1bd7c2a in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:411:19 #4 0x7fdca196c28e in JS::call_impl(JS::VM&, JS::FunctionObject&, JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:72:21 #5 0x7fdca1602612 in JS::ThrowCompletionOr<JS::Value> JS::call<>(JS::VM&, JS::FunctionObject&, JS::Value) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:119:12 #6 0x7fdca1602612 in JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1::operator()(JS::Handle<JS::ECMAScriptFunctionObject>) const /home/serenity/Userland/Libraries/LibJS/AST.cpp:437:9 #7 0x7fdca1602612 in decltype(auto) AK::Detail::VisitImpl<unsigned char, JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::visit<AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>, 
AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>, (unsigned char)1>(AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>&, unsigned char, void const*, AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>&&) /home/serenity/Meta/Lagom/../../AK/Variant.h:112:24 #8 0x7fdca1602612 in decltype(auto) AK::Detail::VisitImpl<unsigned char, JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::visit<AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>, AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>, (unsigned char)0>(AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>&, unsigned char, void const*, AK::Variant<JS::ClassFieldDefinition, 
JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>&&) /home/serenity/Meta/Lagom/../../AK/Variant.h:118:20 #9 0x7fdca1602612 in decltype(auto) AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::visit<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>(JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0&&, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1&&) /home/serenity/Meta/Lagom/../../AK/Variant.h:435:16 #10 0x7fdca1602612 in JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const /home/serenity/Userland/Libraries/LibJS/AST.cpp:437:9 #11 0x7fdca1784e39 in JS::Bytecode::new_class(JS::VM&, JS::Value, JS::ClassExpression const&, AK::Optional<AK::DistinctNumeric<unsigned long, JS::Bytecode::__IdentifierTableIndex_tag, AK::DistinctNumericFeature::Comparison>> const&) 
/home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/CommonImplementations.h:661:12 #12 0x7fdca175faf0 in JS::Bytecode::Op::NewClass::execute_impl(JS::Bytecode::Interpreter&) const /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1630:28 #13 0x7fdca16f7204 in JS::Bytecode::Instruction::execute(JS::Bytecode::Interpreter&) const /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/Op.h:1908:9 #14 0x7fdca16f7204 in JS::Bytecode::Interpreter::run_bytecode() /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:409:38 #15 0x7fdca16f3b8a in JS::Bytecode::Interpreter::run_and_return_frame(JS::Bytecode::Executable&, JS::Bytecode::BasicBlock const*, JS::Bytecode::CallFrame*) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:494:5 #16 0x7fdca1bdb253 in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:1234:55 #17 0x7fdca1bd7c2a in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:411:19 #18 0x7fdca196c28e in JS::call_impl(JS::VM&, JS::FunctionObject&, JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:72:21 #19 0x7fdca17744ee in JS::call(JS::VM&, JS::FunctionObject&, JS::Value, AK::Span<JS::Value const>) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:102:12 #20 0x7fdca17744ee in JS::Bytecode::perform_call(JS::Bytecode::Interpreter&, JS::Value, JS::Bytecode::Op::CallType, JS::Value, AK::Span<JS::Value const>) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/CommonImplementations.h:329:24 #21 0x7fdca174736c in JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1297:28 #22 0x7fdca16f777e in 
JS::Bytecode::Instruction::execute(JS::Bytecode::Interpreter&) const /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/Op.h:1908:9 #23 0x7fdca16f777e in JS::Bytecode::Interpreter::run_bytecode() /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:409:38 #24 0x7fdca16f3b8a in JS::Bytecode::Interpreter::run_and_return_frame(JS::Bytecode::Executable&, JS::Bytecode::BasicBlock const*, JS::Bytecode::CallFrame*) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:494:5 #25 0x7fdca16f129c in JS::Bytecode::Interpreter::run(JS::Script&, JS::GCPtr<JS::Environment>) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:266:36 #26 0x5227c9 in auto parse_and_run(JS::Realm&, AK::StringView, AK::StringView)::$_0::operator()<JS::NonnullGCPtr<JS::Script>>(JS::NonnullGCPtr<JS::Script>&) const /home/serenity/Userland/Utilities/js.cpp:214:44 #27 0x5227c9 in parse_and_run(JS::Realm&, AK::StringView, AK::StringView) /home/serenity/Userland/Utilities/js.cpp:229:13 #28 0x51dfe0 in serenity_main(Main::Arguments) /home/serenity/Userland/Utilities/js.cpp:851:14 #29 0x53cbe8 in main /home/serenity/Userland/Libraries/LibMain/Main.cpp:39:19 #30 0x7fdc9fa1a149 in __libc_start_call_main /usr/src/debug/glibc-2.38-17.fc39.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #31 0x7fdc9fa1a20a in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-17.fc39.x86_64/csu/../csu/libc-start.c:360:3 #32 0x42fd74 in _start (/home/serenity/Build/lagom/bin/js+0x42fd74) (BuildId: 498c30ee301d0e17992f957d4298c6ec2fca6aa3) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:345:79 in JS::Bytecode::Interpreter::run_bytecode() ==67805==ABORTING
This no longer reproduces.
Found with Fuzzilli. Original crash: attachment `program_20240409052048_0C492C66-D7D1-4480-817A-E681B77B7C06_flaky.js.txt` (only an upload placeholder survived; the link is empty). Minified by @ttrssreal:
ASan output: