Inspector segmentation fault

[Hakerh400]

• Version: 12.2.0
• Platform: Windows 10, Linux Ubuntu 18.0, Mac HighSierra
• Subsystem: inspector

Accessing this in static class field initialization context in some conditions crashes the process. This seems to be related both to Node.js inspector and Chrome devtool inspector.

Here is an automated repro:

'use strict';

~class{a(){}};
debugger;
class A{static a = this};
if(process.argv.includes('test')) return;

const cp = require('child_process');
const proc1 = cp.spawn(process.execPath, ['--inspect-brk', __filename, 'test']);
const proc2 = cp.spawn(process.execPath, ['inspect', '-p', proc1.pid]);

proc1.on('exit', (code, signal) => {
  if(code) console.log('Exit code: ' + code.toString(16).toUpperCase());
  if(signal) console.log('Exit signal: ' + signal);
});

setTimeout(() => proc2.stdin.write('c\n'), 1000);
setTimeout(() => proc2.stdin.write('s\n'), 1100);
setTimeout(() => proc2.stdin.write('repl\n'), 1200);
setTimeout(() => proc2.stdin.write('this\n'), 1300);

Save as main.js, then run node main.js
Output:

Exit code: C0000005   // On Windows
Exit signal: SIGSEGV  // On Linux and Mac

[addaleax]

Stack trace:

0  v8::base::OS::Abort () at ../deps/v8/src/base/platform/platform-posix.cc:407
#1  0x0000000003b052b3 in V8_Fatal (file=0x42e49f8 "../deps/v8/src/debug/debug-scopes.cc", line=83, format=0x66440ad "Debug check failed: %s.") at ../deps/v8/src/base/logging.cc:182
#2  0x0000000003b03feb in v8::base::(anonymous namespace)::DefaultDcheckHandler (file=0x42e49f8 "../deps/v8/src/debug/debug-scopes.cc", line=83, message=0x42e4a69 "(current_scope_) != nullptr") at ../deps/v8/src/base/logging.cc:57
#3  0x0000000003b052dd in V8_Dcheck (file=0x42e49f8 "../deps/v8/src/debug/debug-scopes.cc", line=83, message=0x42e4a69 "(current_scope_) != nullptr") at ../deps/v8/src/base/logging.cc:195
#4  0x000000000235ce51 in v8::internal::ScopeIterator::Restart (this=0x7ffeda872938) at ../deps/v8/src/debug/debug-scopes.cc:83
#5  0x000000000235533a in v8::internal::DebugEvaluate::ContextBuilder::UpdateValues (this=0x7ffeda8728c0) at ../deps/v8/src/debug/debug-evaluate.cc:230
#6  0x00000000023546d9 in v8::internal::DebugEvaluate::Local (isolate=0x7158780, frame_id=-628668656, inlined_jsframe_index=0, source=..., throw_on_side_effect=false) at ../deps/v8/src/debug/debug-evaluate.cc:88
#7  0x0000000002364973 in v8::internal::DebugStackTraceIterator::Evaluate (this=0x71a1f30, source=..., throw_on_side_effect=false) at ../deps/v8/src/debug/debug-stack-trace-iterator.cc:178
#8  0x0000000002d5cf26 in v8_inspector::V8DebuggerAgentImpl::evaluateOnCallFrame (this=0x720d980, callFrameId=..., expression=..., objectGroup=..., includeCommandLineAPI=..., silent=..., returnByValue=..., generatePreview=..., throwOnSideEffect=..., timeout=..., result=0x7ffeda8732d0, exceptionDetails=0x7ffeda8732d8) at ../deps/v8/src/inspector/v8-debugger-agent-impl.cc:1116
#9  0x0000000002ebc743 in v8_inspector::protocol::Debugger::DispatcherImpl::evaluateOnCallFrame (this=0x720ddb0, callId=17, method=..., message=..., requestMessageObject=Python Exception <class 'TypeError'> expected string or bytes-like object: 
..., errors=0x7ffeda8734c0) at /home/sqrt/src/node/out/Debug/obj/gen/inspector-generated-output-root/src/inspector/protocol/Debugger.cpp:1098
#10 0x0000000002ebb507 in v8_inspector::protocol::Debugger::DispatcherImpl::dispatch (this=0x720ddb0, callId=17, method=..., message=..., messageObject=Python Exception <class 'TypeError'> expected string or bytes-like object: 
...) at /home/sqrt/src/node/out/Debug/obj/gen/inspector-generated-output-root/src/inspector/protocol/Debugger.cpp:952
#11 0x0000000002ea0e27 in v8_inspector::protocol::UberDispatcher::dispatch (this=0x720c500, callId=17, in_method=..., parsedMessage=Python Exception <class 'TypeError'> expected string or bytes-like object: 
..., rawMessage=...) at /home/sqrt/src/node/out/Debug/obj/gen/inspector-generated-output-root/src/inspector/protocol/Protocol.cpp:1136
#12 0x0000000002d929c0 in v8_inspector::V8InspectorSessionImpl::dispatchProtocolMessage (this=0x720c4d0, message=...) at ../deps/v8/src/inspector/v8-inspector-session-impl.cc:364
#13 0x000000000204943a in node::inspector::(anonymous namespace)::ChannelImpl::dispatchProtocolMessage (this=0x71dcc00, message=...) at ../src/inspector_agent.cc:274
#14 0x0000000002051fb6 in node::inspector::NodeInspectorClient::dispatchMessageFromFrontend (this=0x71db950, session_id=1, message=...) at ../src/inspector_agent.cc:570
#15 0x000000000204b96e in node::inspector::(anonymous namespace)::SameThreadInspectorSession::Dispatch (this=0x7211a20, message=...) at ../src/inspector_agent.cc:1042
#16 0x000000000207c34c in node::inspector::(anonymous namespace)::MainThreadSessionState::Dispatch (this=0x71dcbe0, message=Python Exception <class 'TypeError'> expected string or bytes-like object: 
...) at ../src/inspector/main_thread_interface.cc:164
#17 0x000000000207eceb in node::inspector::(anonymous namespace)::AnotherThreadObjectReference<node::inspector::(anonymous namespace)::MainThreadSessionState>::Apply<std::unique_ptr<v8_inspector::StringBuffer> > (target=0x71dcbe0, fn=(void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(node::inspector::(anonymous namespace)::MainThreadSessionState * const, std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >)) 0x207c2f8 <node::inspector::(anonymous namespace)::MainThreadSessionState::Dispatch(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >)>, argument=Python Exception <class 'TypeError'> expected string or bytes-like object: 
...) at ../src/inspector/main_thread_interface.cc:139
#18 0x0000000002081852 in std::_Bind<void (*(std::_Placeholder<1>, void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >), std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >))(node::inspector::(anonymous namespace)::MainThreadSessionState*, void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >), std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >&)>::__call<void, node::inspector::(anonymous namespace)::MainThreadSessionState*&&, 0ul, 1ul, 2ul>(std::tuple<node::inspector::(anonymous namespace)::MainThreadSessionState*&&> &&, std::_Index_tuple<0ul, 1ul, 2ul>) (this=0x7fe56c001210, __args=...) at /usr/include/c++/6/functional:934
#19 0x0000000002081514 in std::_Bind<void (*(std::_Placeholder<1>, void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >), std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >))(node::inspector::(anonymous namespace)::MainThreadSessionState*, void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >), std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >&)>::operator()<node::inspector::(anonymous namespace)::MainThreadSessionState*>(node::inspector::(anonymous namespace)::MainThreadSessionState *&&) (this=0x7fe56c001210, __args#0=@0x7ffeda8739b0: 0x71dcbe0) at /usr/include/c++/6/functional:993
#20 0x0000000002081245 in node::inspector::(anonymous namespace)::CallRequest<node::inspector::(anonymous namespace)::MainThreadSessionState, std::_Bind<void (*(std::_Placeholder<1>, void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >), std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >))(node::inspector::(anonymous namespace)::MainThreadSessionState*, void (node::inspector::(anonymous namespace)::MainThreadSessionState::*)(std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >), std::unique_ptr<v8_inspector::StringBuffer, std::default_delete<v8_inspector::StringBuffer> >&)> >::Call(node::inspector::MainThreadInterface *) (this=0x7fe56c001200, thread=0x71dc4d0) at ../src/inspector/main_thread_interface.cc:80
#21 0x000000000207ccfb in node::inspector::MainThreadInterface::DispatchMessages (this=0x71dc4d0) at ../src/inspector/main_thread_interface.cc:278
#22 0x000000000207c17c in node::inspector::(anonymous namespace)::DispatchMessagesTask::Run (this=0x7fe56c001120) at ../src/inspector/main_thread_interface.cc:94
#23 0x0000000001fbee18 in node::PerIsolatePlatformData::RunForegroundTask (task=Python Exception <class 'TypeError'> expected string or bytes-like object: 
...) at ../src/node_platform.cc:393
#24 0x0000000001fbf3f1 in node::PerIsolatePlatformData::FlushForegroundTasksInternal (this=0x71716d0) at ../src/node_platform.cc:458
#25 0x0000000001fbf733 in node::NodePlatform::FlushForegroundTasks (this=0x7152750, isolate=0x7158780) at ../src/node_platform.cc:490
#26 0x00000000020533f4 in node::inspector::NodeInspectorClient::runMessageLoop (this=0x71db950) at ../src/inspector_agent.cc:715
#27 0x000000000205190c in node::inspector::NodeInspectorClient::runMessageLoopOnPause (this=0x71db950, context_group_id=1) at ../src/inspector_agent.cc:481
#28 0x0000000002d40bbe in v8_inspector::V8Debugger::handleProgramBreak (this=0x71dbb80, pausedContext=..., exception=..., breakpointIds=std::vector of length 0, capacity 0, exceptionType=v8::debug::kException, isUncaught=false) at ../deps/v8/src/inspector/v8-debugger.cc:469
#29 0x0000000002d41127 in v8_inspector::V8Debugger::BreakProgramRequested (this=0x71dbb80, pausedContext=..., break_points_hit=std::vector of length 0, capacity 0) at ../deps/v8/src/inspector/v8-debugger.cc:539
#30 0x0000000002372dea in v8::internal::Debug::OnDebugBreak (this=0x71715b0, break_points_hit=...) at ../deps/v8/src/debug/debug.cc:1838
#31 0x000000000236c031 in v8::internal::Debug::Break (this=0x71715b0, frame=0x7ffeda8742d8, break_target=...) at ../deps/v8/src/debug/debug.cc:511
#32 0x0000000002a62017 in v8::internal::__RT_impl_Runtime_DebugBreakOnBytecode (args=..., isolate=0x7158780) at ../deps/v8/src/runtime/runtime-debug.cc:55
#33 0x0000000002a61dc0 in v8::internal::Runtime_DebugBreakOnBytecode (args_length=1, args_object=0x7ffeda874670, isolate=0x7158780) at ../deps/v8/src/runtime/runtime-debug.cc:54
#34 0x00000000031c1500 in Builtins_CEntry_Return2_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit () at ../deps/v8/src/builtins/builtins-async-iterator-gen.cc:268
#35 0x00000000033a1dd6 in Builtins_DebugBreak0Handler () at ../deps/v8/src/interpreter/interpreter-generator.cc:3023

/cc @nodejs/v8-inspector

[joyeecheung]

I can't reproduce this with master on MacOS. I can reproduce this with v12.14.0 though.

EDIT: this seems intermittent, I can reproduce it after several tries. However it does not seem to reproduce if I use the node inspect repl directly instead of spawning the process for the client in the code.

[eugeneo]

Suspicios line in stack trace:
#11 0x0000000002ea0e27 in v8_inspector::protocol::UberDispatcher::dispatch (this=0x720c500, callId=17, in_method=..., parsedMessage=Python Exception <class 'TypeError'> expected string or bytes-like object: ..., rawMessage=...) at /home/sqrt/src/node/out/Debug/obj/gen/inspector-generated-output-root/src/inspector/protocol/Protocol.cpp:1136

[mik-jozef]

I'm not sure this is the same issue or not, but I'm also experiencing segfaults when trying to inspect node with Chrome.

// asdf.js
class SyntaxTreeNode {
  constructor() {
    SyntaxTreeNode;
  }
}

// package.json
{
  "type": "module"
}

Cli:

$ node --inspect-brk asdf.js
Debugger listening on ws://127.0.0.1:9229/21077bf0-5dc5-48c7-a1ef-4fc8666234a7
For help, see: https://nodejs.org/en/docs/inspector
Debugger attached.
Segmentation fault (core dumped)

It is necessary for the class SyntaxTreeNode to mention itself in the constructor, and "type": "module" must be present.

Node version: v20.2.0
Chrome version: 114.0.5735.90 (Official Build) (64-bit)
Os: Ubuntu 22.04.2 LTS

Please let me know if you'd like me to make a separate issue.

[marco-ippolito]

I cannot reproduce on MacOS on node 20.9, maybe has been fixed, can you confirm @mik-jozef @Hakerh400

[mik-jozef]

I can still reproduce with Node v20.5.1 and Ubuntu 22.04.3 LTS.

Attaching a core dump (renamed from *.crash to *.txt bc GitHub is allowlisting file extensions (:

_usr_bin_node.1000.txt

[user7230724]

The original test case seems to be fixed. Tested on Windows 10 and Ubuntu 22.04:

Reproduces in v18.9.1
Does not reproduce in v19.0.0 and above (including v20.5.1)

Probably fixed in #44741

Unable to reproduce #27637 (comment)