try/catch not catching an error + Segmentation fault when executing `TextDecoder.decode`

[niieani]

How can we reproduce the crash?

https://codesandbox.io/p/devbox/bun-segfault-repro-ywl98g?file=/http.ts:35,7

The segfault isn't the only problem. Some additional weirdness that's going on is the try/catch doesn't seem to be catching the error. If you remove console.log('Decoded:', bytes, v), you'll get that exact circumstance.

Relevant log output

Failed to decode: Uint8Array(1) [ 135 ]
Decoding: Uint8Array(1) [ 136 ]
Failed to decode: Uint8Array(1) [ 136 ]
Decoding: Uint8Array(1) [ 137 ]
Failed to decode: Uint8Array(1) [ 137 ]
Decoding: Uint8Array(1) [ 138 ]
Failed to decode: Uint8Array(1) [ 138 ]
Decoding: Uint8Array(1) [ 139 ]
Failed to decode: Uint8Array(1) [ 139 ]
Decoding: Uint8Array(1) [ 140 ]
Failed to decode: Uint8Array(1) [ 140 ]
Decoding: Uint8Array(1) [ 141 ]
Decoded: <Revoked Proxy> undefined
============================================================
Bun v1.1.27 (267afa29) macOS Silicon
macOS v15.0
Args: "bun" "./generateJsEncodings.ts"
Features: jsc tsconfig 
Builtins: "bun:main" "node:fs/promises" "node:path" "node:url" 
Elapsed: 86ms | User: 107ms | Sys: 17ms
RSS: 120.60MB | Peak: 120.60MB | Commit: 1.07GB | Faults: 65

panic(main thread): Segmentation fault at address 0x5
oh no: Bun has crashed. This indicates a bug in Bun, not your code.

Stack Trace (bun.report)

Bun v1.1.27 (267afa2) on macos aarch64 [AutoCommand]

Segmentation fault at address 0x00000005

• 2 unknown/js code
• llint_entry
• llint_entry
• llint_entry
• llint_entry
• 1 unknown/js code
• vmEntryToJavaScript
• JSC::Interpreter::executeCall
• JSC::runJSMicrotask

[dylan-conway]

minimum reproduction:

function loop(bytes) {
  const decoder = new TextDecoder("utf-8", { fatal: true });
  try {
    decoder.decode(bytes);
  } catch {}
}

for (let i = 0; i < 256; i++) {
  loop(Uint8Array.from([i]));
}

To fix this, we will likely need to disable DOMJIT