oven-sh · Jarred-Sumner · May 18, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/src/js_parser/lexer.rs b/src/js_parser/lexer.rs
@@ -3048,6 +3048,20 @@ lexer_impl_header! {
 
                     self.end = self.current;
                     self.token = T::TSyntaxError;
+                    // Advance `code_point`/`current` past the bad byte so that a
+                    // subsequent recovery `next()` (e.g. via `expect(...)` inside
+                    // `parse_jsx_prop_value_identifier`) dispatches on the *following*
+                    // byte instead of re-dispatching on the still-in-`code_point` bad
+                    // byte. Without this step the recovery `next()` synthesises a
+                    // zero-length token at the offset of the next byte, and the byte
+                    // after that then gets tokenised a second time at the same
+                    // `start` — the parser pushes two `FunctionArgs` scopes at that
+                    // offset in `parse_paren_expr` and trips the strict-monotonicity
+                    // debug assertion in `push_scope_for_parse_pass` (see #30959).
+                    // `end` was already advanced above, so the step below only moves
+                    // `current`/`code_point` forward and leaves the error range
+                    // `[start, end)` intact.
+                    self.step();
                 }
             }
 

diff --git a/test/regression/issue/jsx-template-string-crash.test.ts b/test/regression/issue/jsx-template-string-crash.test.ts
@@ -22,9 +22,51 @@ test("JSX lexer should not crash with slice bounds issues", async () => {
         at <cwd>/[eval]:1:34
 
     1 | export function x(){return<div a=\`\`/>}
-                                            ^
-    error: Unexpected >
-        at <cwd>/[eval]:1:37"
+                                          ^
+    error: Unterminated string literal
+        at <cwd>/[eval]:1:35"
   `);
   expect(normalizeBunSnapshot(stdout.toString())).toMatchInlineSnapshot(`""`);
 });
+
+test.concurrent("#30959 JSX attribute with invalid '(' value parses cleanly in debug builds", async () => {
+  // Previously, parsing `<r L=((` in a debug build panicked with
+  // `Scope location must be greater than previous 6 must be greater than 6`
+  // in push_scope_for_parse_pass. `next_inside_jsx_element`'s TSyntaxError
+  // branch set `end = current` on the first `(` without stepping past it,
+  // so the recovery `next()` (called via `expect(TOpenBrace).next()` inside
+  // `parse_jsx_prop_value_identifier`) re-dispatched on the still-in-
+  // `code_point` byte and synthesised a zero-length `TOpenParen` at the
+  // same offset as the real `(` that followed. `parse_paren_expr` then
+  // pushed two FunctionArgs scopes at offset 6 and tripped the
+  // strict-monotonicity debug assertion.
+  //
+  // Release builds already reported the two parse errors and recovered;
+  // the lexer now calls `step()` after setting TSyntaxError so debug
+  // matches release. We assert the expected release-mode error messages
+  // rather than the absence of a panic, so the test fails cleanly both
+  // when the panic returns (exit code / hang) and when the error output
+  // regresses.
+  await using proc = Bun.spawn({
+    cmd: [bunExe(), "-e", "export function x(){return<r L=((}"],
+    env: bunEnv,
+    stderr: "pipe",
+    stdout: "pipe",
+  });
+
+  const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
+
+  expect(normalizeBunSnapshot(stderr.toString().replace(/(Bun v.*)$/gm, ""))).toMatchInlineSnapshot(`
+    "1 | export function x(){return<r L=((}
+                                       ^
+    error: Expected "{" but found "("
+        at <cwd>/[eval]:1:32
+
+    1 | export function x(){return<r L=((}
+                                         ^
+    error: Unexpected }
+        at <cwd>/[eval]:1:34"
+  `);
+  expect(stdout).toBe("");
+  expect(exitCode).toBe(1);
+});