Function Returned by IIFE Crashes in v8::internal::ScopeInfo::scope_type()

[Sam Cao]

Hello,

I'd like to report a weird crash issue from V8 v13.5 to v13.7.

• Compile and run the following code in V8, then get an instance of v8::internal::JSFunction.

(() => {

  let a = 1;

  let b = 3;

  return () => a + b + 1;

})();

• Get v8::internal::SharedFunctionInfo from  v8::internal::JSFunction::shared().
• Get  v8::internal::ScopeInfo from  v8::internal:: SharedFunctionInfo ::scope_info(v8::kAcquireLoad).
• Call  v8::internal::ScopeInfo::scope_type()  and V8 crashes.

It seems v8::internal::ScopeInfo is not fully initialized and the memory is corrupted in this case. Most of the API crash as well. E.g. IsEmpty(), Flags(), etc. If I run that function, the memory corruption will be fixed and there will be no more crashes.

My test env is: Windows 10 64bit + Visual Studio 2022 v17.13.6 + V8 v13.5-v13.7.

Best regards,

Sam

[Jakob Kummerow]

Have you tried debugging it? Does a Debug build perhaps run into some DCHECK failure with an insightful error message?

Generally speaking, it's not surprising that things are created lazily (e.g. the scope info is created as part of lazy compilation); but the implementation of SharedFunctionInfo::scope_info looks like it should always give you a valid ScopeInfo (possibly the canonical empty ScopeInfo); if it doesn't do that, then it would be interesting to understand why.

[Sam Cao]

Good question. I've been embedding V8 in my app for many years. It's quite challenging for me to build the debug version, so I always build the release version. I tried to debug in Visual Studio. scope_info() eventually calls Flags() which tries to access unallocated / initialized memory. IsEmpty() also calls Flags() so that I cannot even check if this function info is empty or not. Most of the other API assert !IsEmpty() internally, so they all crash. My workaround is to execute the function so that the memory corruption is fixed.

This API used to work till v13.4. I agree with you that my understand is also no matter the function is lazily compiled or not, the scope info, flags shall be ready for use.