Segmentation Fault in gc_mark_all

[FrancescoLucarini]

$ ./mqjs x.js
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 5765 edges
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==1136300==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000002 (pc 0x6235603cad67 bp 0x7abeafcfe010 sp 0x7ffd4e719520 T1136300)
==1136300==The signal is caused by a READ memory access.
==1136300==Hint: address points to the zero page.
#0 0x6235603cad67 in gc_mark_all /home/mag/mquickjs/mquickjs.c:12061:34
#1 0x6235603cad67 in JS_GC2 /home/mag/mquickjs/mquickjs.c:12420:5
#2 0x6235603bd242 in JS_GC /home/mag/mquickjs/mquickjs.c:12432:5
#3 0x6235603bd242 in check_free_mem /home/mag/mquickjs/mquickjs.c:508:9
#4 0x6235603daf21 in js_malloc /home/mag/mquickjs/mquickjs.c:539:9
#5 0x6235603bea5b in js_alloc_value_array /home/mag/mquickjs/mquickjs.c:2219:11
#6 0x6235603be85e in js_alloc_props /home/mag/mquickjs/mquickjs.c:2717:11
#7 0x6235603db528 in js_create_property /home/mag/mquickjs/mquickjs.c:2885:19
#8 0x6235603db528 in JS_DefinePropertyInternal /home/mag/mquickjs/mquickjs.c:3032:10
#9 0x6235603bf9b3 in JS_SetPropertyInternal /home/mag/mquickjs/mquickjs.c:3323:12
#10 0x6235603c3efc in JS_Call /home/mag/mquickjs/mquickjs.c:5946:27
#11 0x6235603cab4b in JS_Run /home/mag/mquickjs/mquickjs.c:11774:11
#12 0x6235603ba36b in eval_file /home/mag/mquickjs/mqjs.c:465:11
#13 0x6235603b9c58 in main /home/mag/mquickjs/mqjs.c:924:18
#14 0x7abeb122a577 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7abeb122a63a in __libc_start_main csu/../csu/libc-start.c:360:3
#16 0x62356038f2f4 in _start (/home/mag/mquickjs/mqjs+0x102f4)

==1136300==Register values:
rax = 0x0000000000000000 rbx = 0x00007ffd4e719528 rcx = 0x00007abeafcfe010 rdx = 0x00006235603ffdc0
rdi = 0x00006235604227cc rsi = 0x00007abeafcfe2c9 rbp = 0x00007abeafcfe010 rsp = 0x00007ffd4e719520
r8 = 0x0000000000000000 r9 = 0x0000000000000000 r10 = 0x000000001c93bb9d r11 = 0x00007abeb1397c80
r12 = 0x00007abeafcfe2c8 r13 = 0x00007abeafcfe0e8 r14 = 0x00006235604227cc r15 = 0x0000000000000002
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/mag/mquickjs/mquickjs.c:12061:34 in gc_mark_all
==1136300==ABORTING

[FrancescoLucarini]

function F2(a4, a5) {
    try {
        try { new F2(); } catch (e) {}
        a4[Uint8ClampedArray] = 0.5407638611989529;
    } catch(e7) {
    }
    this.f = Uint8ClampedArray;
}
new F2(0.5407638611989529, Uint8ClampedArray);

$ git log -1
commit 4af13cc30323482ed2f3bef46ce18f12a11d1e37 (HEAD -> main, origin/main, origin/HEAD)
Author: Fabrice Bellard <fabrice@bellard.org>
Date:   Fri Dec 26 16:41:43 2025 +0100

    doc fix

Os: Ubuntu 24.04

[bellard]

I cannot reproduce the issue. It may be linked to a particular pattern of out of memory exceptions.

[FrancescoLucarini]

function F0(a2, a3) {
    if (!new.target) { throw 'must be called with new'; }
}
function f4(a5, a6) {
    try {
        f4();
    } catch(e8) {
        try {
            new f4(f4, a5);
        } catch(e10) {
        }
        F0[e8];
    }
    return a6;
}
f4(f4, F0);

I get this ASAN stacktrace

=================================================================
==2907168==ERROR: AddressSanitizer: stack-use-after-return on address 0x76c15f410620 at pc 0x5a3c8fa5365f bp 0x7ffcff5543b0 sp 0x7ffcff5543a8
READ of size 8 at 0x76c15f410620 thread T0
    #0 0x5a3c8fa5365e in gc_mark_all /home/mag/mq2/mquickasan/mquickjs.c:12061:34
    #1 0x5a3c8fa5365e in JS_GC2 /home/mag/mq2/mquickasan/mquickjs.c:12420:5
    #2 0x5a3c8fa0a8ae in JS_GC /home/mag/mq2/mquickasan/mquickjs.c:12432:5
    #3 0x5a3c8fa0a8ae in check_free_mem /home/mag/mq2/mquickasan/mquickjs.c:508:9
    #4 0x5a3c8fa0a728 in JS_StackCheck /home/mag/mq2/mquickasan/mquickjs.c:525:9
    #5 0x5a3c8fa46c6c in JS_GetPropertyInternal /home/mag/mq2/mquickasan/mquickjs.c:2627:27
    #6 0x5a3c8fa1b646 in JS_GetProperty /home/mag/mq2/mquickasan/mquickjs.c:2649:12
    #7 0x5a3c8fa1b646 in js_call_constructor_start /home/mag/mq2/mquickasan/mquickjs.c:5009:13
    #8 0x5a3c8fa1b646 in JS_Call /home/mag/mq2/mquickasan/mquickjs.c:5459:35
    #9 0x5a3c8fa5008e in JS_Run /home/mag/mq2/mquickasan/mquickjs.c:11774:11
    #10 0x5a3c8f9fc54c in eval_file /home/mag/mq2/mquickasan/mqjs.c:347:11
    #11 0x5a3c8f9fb9ac in main /home/mag/mq2/mquickasan/mqjs.c:751:17
    #12 0x76c16122a577 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x76c16122a63a in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x5a3c8f937c44 in _start (/home/mag/mq2/mquickasan/mqjs+0xdcc44)

Address 0x76c15f410620 is located in stack of thread T0 at offset 32 in frame
    #0 0x5a3c8fa17137 in JS_ToPrimitive /home/mag/mq2/mquickasan/mquickjs.c:4022

  This frame has 2 object(s):
    [32, 48) 'val_ref' (line 4025) <== Memory access at offset 32 is inside this variable
    [64, 80) 'method_ref' (line 4025)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return /home/mag/mq2/mquickasan/mquickjs.c:12061:34 in gc_mark_all
Shadow bytes around the buggy address:
  0x76c15f410380: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410400: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410480: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410500: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410580: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x76c15f410600: f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410680: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410700: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410780: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410800: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x76c15f410880: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2907168==ABORTING

It's probably a stack exhaustion due to recursion

[bellard]

Iin fact the bug could be reproduced in the 32 bit build. It is fixed now.