Segmentation Fault in gc_mark_all #55


Description

@FrancescoLucarini

PoC:

// Per ECMAScript, String.fromCodePoint rejects a negative / non-integral code
// point with a RangeError; the empty catch swallows it so the script continues.
// NOTE(review): whether this throw is needed to reproduce the crash is not
// established here — it may be fuzzer residue. Verify before trimming.
var v2;
try { v2 = String.fromCodePoint(-404234.2222305058); } catch (e) {}
// Never called in this PoC. Kept verbatim because the reproducer is
// fuzzer-minimized and removing it may change the crash — verify before trimming.
function F3(a5) {
}

// Crash path. F11 calls `new F11()` unconditionally from its own body, so the
// recursion is unbounded and presumably terminates with a stack-overflow
// exception in the engine (TODO confirm in mquickjs). The empty try/catch in
// F11 is retained as-is: removing it may change how that exception unwinds,
// which is plausibly what leaves a stale GC root behind (see ASAN trace).
function F9() {
    function F11() {
        try {
        } catch(e25) {
        }
        new F11();   // unbounded self-recursion
    }
    // Never called; fuzzer residue — verify before trimming.
    function F28() {
    }
    new F11();
}
// Trigger. Note the fault is reported inside the GC run by js_malloc
// (see the ASAN trace below), not in this script's own frames.
new F9();

Commit:

$ git log -1
commit 84d793e0a98703c8c31d4e85cfe4d85839cb0f85 (HEAD -> main, origin/main, origin/HEAD)
Author: Fabrice Bellard <[email protected]>
Date:   Tue Dec 30 11:35:56 2025 +0100

    more compatible Object.defineProperty (#46)

ASAN stack trace (ASAN build). The report is a stack-use-after-return in `gc_mark_all`: `ref` in the `for(ref = ctx->top_gc_ref; ...)` walk points into a stack frame that has already returned, so the GC reads `ref->val` from memory it no longer owns. ASAN attributes the address to the frame of `i32toa` (dtoa.c:606), but that is most likely just the latest occupant of the reused stack slot; the dangling `JSGCRef` was presumably pushed onto `ctx->top_gc_ref` by a different function that returned, or unwound on an exception, without unlinking it — to be confirmed by the maintainer. Two caveats: (1) the trace enters `JS_GC` from `js_typed_array_constructor`, which the PoC above does not obviously call, so confirm this trace was captured from exactly this PoC; (2) the plain (non-ASAN) build below dies with SIGSEGV at the same source line, so this is not the false positive the HINT below mentions. Security-wise this is the GC following a stale stack pointer and marking whatever it finds there, i.e. a memory-safety defect rather than a benign crash.

=================================================================
==524813==ERROR: AddressSanitizer: stack-use-after-return on address 0x75e54d002d20 at pc 0x648777879e4a bp 0x7fffd98b16f0 sp 0x7fffd98b16e8
READ of size 8 at 0x75e54d002d20 thread T0
    #0 0x648777879e49 in gc_mark_all /home/mag/mquick_normal/mquickasan/mquickjs.c:12085:34
    #1 0x648777879e49 in JS_GC2 /home/mag/mquick_normal/mquickasan/mquickjs.c:12444:5
    #2 0x648777861a65 in JS_GC /home/mag/mquick_normal/mquickasan/mquickjs.c:12456:5
    #3 0x648777861a65 in check_free_mem /home/mag/mquick_normal/mquickasan/mquickjs.c:508:9
    #4 0x648777893e4c in js_malloc /home/mag/mquick_normal/mquickasan/mquickjs.c:539:9
    #5 0x648777887738 in js_alloc_byte_array /home/mag/mquick_normal/mquickasan/mquickjs.c:2286:11
    #6 0x6487778875bf in js_array_buffer_alloc /home/mag/mquick_normal/mquickasan/mquickjs.c:15095:11
    #7 0x648777887bc6 in js_typed_array_constructor /home/mag/mquick_normal/mquickasan/mquickjs.c:15191:18
    #8 0x6487778683f1 in JS_Call /home/mag/mquick_normal/mquickasan/mquickjs.c:5426:35
    #9 0x648777878b41 in JS_Run /home/mag/mquick_normal/mquickasan/mquickjs.c:11797:11
    #10 0x64877785c51f in eval_file /home/mag/mquick_normal/mquickasan/mqjs.c:347:11
    #11 0x64877785bcf0 in main /home/mag/mquick_normal/mquickasan/mqjs.c:751:17
    #12 0x75e54ee2a577 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x75e54ee2a63a in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x648777798834 in _start (/home/mag/mquick_normal/mquickasan/mqjs+0x63834)

Address 0x75e54d002d20 is located in stack of thread T0 at offset 32 in frame
    #0 0x6487778b5577 in i32toa /home/mag/mquick_normal/mquickasan/dtoa.c:606

  This frame has 2 object(s):
    [32, 42) 'buf1.i6' (line 592) <== Memory access at offset 32 is inside this variable
    [64, 74) 'buf1.i' (line 592)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/mag/mquick_normal/mquickasan/mquickjs.c:12085:34 in gc_mark_all
Shadow bytes around the buggy address:
  0x75e54d002a80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002b00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002b80: f1 f1 f1 f1 f8 f8 f2 f2 f8 f8 f3 f3 00 00 00 00
  0x75e54d002c00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002c80: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
=>0x75e54d002d00: f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002d80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002e00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002e80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002f00: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x75e54d002f80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==524813==ABORTING

GDB backtrace (non-ASAN build). The faulting instruction is the `mov rsi, QWORD PTR [r12]` load of `ref->val` at mquickjs.c:12085 in the `ctx->top_gc_ref` walk — the same line ASAN flags. `r12` holds `ref`, which is non-NULL (the `test r12, r12` immediately before passed) but no longer points at readable memory, consistent with a `JSGCRef` left linked after its stack frame was gone.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x555555560390 <gc_mark_all+0106> lea    rbp, [rsp+0x10]
   0x555555560395 <gc_mark_all+010b> test   r12, r12
   0x555555560398 <gc_mark_all+010e> je     0x5555555603bf <gc_mark_all+309>
 → 0x55555556039a <gc_mark_all+0110> mov    rsi, QWORD PTR [r12]
   0x55555556039e <gc_mark_all+0114> mov    rdi, rbp
   0x5555555603a1 <gc_mark_all+0117> mov    QWORD PTR [rsp+0x18], r8
   0x5555555603a6 <gc_mark_all+011c> mov    DWORD PTR [rsp+0x30], ecx
   0x5555555603aa <gc_mark_all+0120> call   0x55555555de8f <gc_mark_root>
   0x5555555603af <gc_mark_all+0125> mov    r8, QWORD PTR [rsp+0x18]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:mquickjs.c+12085 ────
   12080	     }
   12081	 
   12082	     {
   12083	         JSGCRef *ref;
   12084	         for(ref = ctx->top_gc_ref; ref != NULL; ref = ref->prev) {
 → 12085	             gc_mark_root(s, ref->val);
   12086	         }
   12087	         for(ref = ctx->last_gc_ref; ref != NULL; ref = ref->prev) {
   12088	             gc_mark_root(s, ref->val);
   12089	         }
   12090	     }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mqjs", stopped 0x55555556039a in gc_mark_all (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555556039a → gc_mark_all(ctx=0x7ffff6bff010, keep_atoms=0x1)
[#1] 0x55555556159e → JS_GC2(ctx=0x7ffff6bff010, keep_atoms=0x1)
[#2] 0x55555556159e → JS_GC(ctx=0x7ffff6bff010)
[#3] 0x5555555651b5 → check_free_mem(ctx=0x7ffff6bff010, stack_bottom=0x7ffff7be6a60, size=0x2008)
[#4] 0x5555555651b5 → js_malloc(ctx=0x7ffff6bff010, size=0x2008, mtag=0x6)
[#5] 0x5555555662d9 → js_alloc_byte_array(ctx=<optimized out>, size=0x2000)
[#6] 0x555555574d1c → js_array_buffer_alloc(ctx=0x7ffff6bff010, len=0x2000)
[#7] 0x555555574f1c → js_typed_array_constructor(ctx=0x7ffff6bff010, this_val=<optimized out>, argc=<optimized out>, argv=0x7ffff7be6b00, magic=0x17)
[#8] 0x555555561c29 → JS_Call(ctx=0x7ffff6bff010, call_flags=0x10001)
[#9] 0x555555572cff → JS_Run(ctx=0x7ffff6bff010, val=<optimized out>)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
