Description
Issue
While trying to check whether CVE-2023-48184 was fixed, I hit a crash on both the Windows and Linux builds.
To reproduce, run qjs and then .load test.js
Resources
- heap-use-after-free quickjs.h:657 in JS_FreeValueRT bellard/quickjs#198
- Use-after-free in enqueued promise bellard/quickjs#156
- https://nvd.nist.gov/vuln/detail/CVE-2023-48184
CMake Build options
- BUILD_SHARED_LIBS: OFF
- QJS_BUILD_EXAMPLES: OFF
- QJS_BUILD_CLI_STATIC: ON
- QJS_BUILD_CLI_WITH_MIMALLOC: OFF
- QJS_BUILD_CLI_WITH_STATIC_MIMALLOC: OFF
- QJS_DISABLE_PARSER: OFF
- QJS_ENABLE_ASAN: OFF
- QJS_ENABLE_MSAN: OFF
- QJS_ENABLE_TSAN: OFF
- QJS_ENABLE_UBSAN: OFF
- QJS_BUILD_LIBC: OFF
Compiler version
- Microsoft Visual Studio Professional 2022 (64-bit) - Version 17.14.13 (August 2025)
- g++ (Debian 12.2.0-14+deb12u1) 12.2.0
sample 1
// Reproducer for the use-after-free reported above. The nesting is deliberate:
// an async function (Baz) creates closures, a Promise executor (pro) re-enters
// itself through `new Promise(pro)` until the engine's call-stack limit stops
// it, and a later Object.defineProperty call then frees a function object whose
// captured variable reference already points at released memory (the
// JS_DefineProperty -> free_var_ref frames in the Valgrind trace below; the
// freed block was allocated by js_closure under async_func_resume). Keep the
// statement order as-is: whether the bug reproduces depends on when the cycle
// collector runs.
function Foo() {
  // Promise executor; `arg` is the resolve function handed over by
  // `new Promise(Bar)` at the bottom of Foo.
  function Bar(arg) {
    // Called below as Baz(Baz, Foo, arg): arg1 is Baz itself, arg2 is Foo.
    async function Baz(arg1, arg2) {
      function empty() {
      }
      // Executor that constructs another Promise with itself as executor, so it
      // recurses until a stack-overflow error is thrown in the innermost call;
      // the Promise constructor turns that throw into a rejected promise
      // instead of propagating it, so the outer levels keep running.
      function pro() {
        function zero() {
          return 0;
        }
        function inner() {
          // inn only recurses on itself; it is defined but never called here.
          function inn(a) {
            return inn(empty);
          }
          return 0;
        }
        Object.defineProperty(zero, 1, { configurable: true, get: inner, set: inner });
        // Recursion point (see comment on pro above).
        const apple = new Promise(pro);
        // arg2 is Foo. This is the defineProperty call that, per the Valgrind
        // trace, ends up freeing a function object with a dangling var_ref.
        Object.defineProperty(arg2, "constructor", { configurable: true, value: zero });
        apple.finally(arg);
        return apple;
      }
      const banana = new Promise(pro);
      async function* asy_func(a) {
        return a;
      }
      const bear = asy_func(0);
      Object.defineProperty(bear, "g", { configurable: true, enumerable: true, get: empty });
      // Baz suspends here; pro never calls banana's resolve/reject itself, so
      // whether Baz ever resumes depends on what happens inside the executor.
      await banana;
      return banana;
    }
    Baz(Baz, Foo, arg);
    return arg;
  }
  new Promise(Bar);
}
// Driver: recurses without a base case until the engine throws
// "Maximum call stack size exceeded" (the first line of the terminal output
// below). The frame that catches the error prints it, and every frame then
// runs `new Foo()` as the recursion unwinds, so Foo executes many times close
// to the stack limit. A stack-overflow thrown inside `new Foo()` propagates to
// the next outer try block, so the error may be printed more than once.
function test() {
  try {
    test();
  }
  catch (e) {
    print(e);
  }
  new Foo();
}
test(); // start the recursive driver defined above
On Linux
Terminal output
qjs > .load test3.js
Maximum call stack size exceeded
malloc(): unaligned fastbin chunk detected 3
Aborted (core dumped)
Valgrind output
Maximum call stack size exceeded
==3205== Invalid read of size 4
==3205== at 0x140755: JS_FreeValueRT (quickjs.c:5783)
==3205== by 0x1463E8: free_var_ref (quickjs.c:5476)
==3205== by 0x1463E8: free_var_ref (quickjs.c:5470)
==3205== by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==3205== by 0x1406A3: free_object (quickjs.c:5663)
==3205== by 0x140907: free_gc_object (quickjs.c:5683)
==3205== by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205== by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205== by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205== by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205== by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205== by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== Address 0x4dde410 is 0 bytes inside a block of size 72 free'd
==3205== at 0x484417B: free (vg_replace_malloc.c:872)
==3205== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==3205== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==3205== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==3205== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==3205== by 0x133C0D: JS_CallInternal (quickjs.c:16638)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== Block was alloc'd at
==3205== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3205== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==3205== by 0x13EAD1: js_malloc (quickjs.c:1567)
==3205== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==3205== by 0x174728: js_closure (quickjs.c:16031)
==3205== by 0x132374: JS_CallInternal (quickjs.c:16580)
==3205== by 0x13E71B: async_func_resume (quickjs.c:19200)
==3205== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==3205== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205==
==3205== Invalid write of size 4
==3205== at 0x14075A: JS_FreeValueRT (quickjs.c:5783)
==3205== by 0x1463E8: free_var_ref (quickjs.c:5476)
==3205== by 0x1463E8: free_var_ref (quickjs.c:5470)
==3205== by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==3205== by 0x1406A3: free_object (quickjs.c:5663)
==3205== by 0x140907: free_gc_object (quickjs.c:5683)
==3205== by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205== by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205== by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205== by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205== by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205== by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== Address 0x4dde410 is 0 bytes inside a block of size 72 free'd
==3205== at 0x484417B: free (vg_replace_malloc.c:872)
==3205== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==3205== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==3205== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==3205== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==3205== by 0x133C0D: JS_CallInternal (quickjs.c:16638)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== Block was alloc'd at
==3205== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3205== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==3205== by 0x13EAD1: js_malloc (quickjs.c:1567)
==3205== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==3205== by 0x174728: js_closure (quickjs.c:16031)
==3205== by 0x132374: JS_CallInternal (quickjs.c:16580)
==3205== by 0x13E71B: async_func_resume (quickjs.c:19200)
==3205== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==3205== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205==
==3205== Invalid read of size 8
==3205== at 0x140834: list_del (list.h:77)
==3205== by 0x140834: js_free_value_rt (quickjs.c:5750)
==3205== by 0x140834: JS_FreeValueRT (quickjs.c:5784)
==3205== by 0x1463E8: free_var_ref (quickjs.c:5476)
==3205== by 0x1463E8: free_var_ref (quickjs.c:5470)
==3205== by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==3205== by 0x1406A3: free_object (quickjs.c:5663)
==3205== by 0x140907: free_gc_object (quickjs.c:5683)
==3205== by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205== by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205== by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205== by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205== by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205== by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== Address 0x4dde420 is 16 bytes inside a block of size 72 free'd
==3205== at 0x484417B: free (vg_replace_malloc.c:872)
==3205== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==3205== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==3205== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==3205== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==3205== by 0x133C0D: JS_CallInternal (quickjs.c:16638)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== Block was alloc'd at
==3205== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3205== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==3205== by 0x13EAD1: js_malloc (quickjs.c:1567)
==3205== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==3205== by 0x174728: js_closure (quickjs.c:16031)
==3205== by 0x132374: JS_CallInternal (quickjs.c:16580)
==3205== by 0x13E71B: async_func_resume (quickjs.c:19200)
==3205== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==3205== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
....
==3205== Invalid read of size 4
==3205== at 0x140606: free_object (quickjs.c:5644)
==3205== by 0x140907: free_gc_object (quickjs.c:5683)
==3205== by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205== by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205== by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205== by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205== by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205== by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== Address 0x28 is not stack'd, malloc'd or (recently) free'd
==3205==
==3205==
==3205== Process terminating with default action of signal 11 (SIGSEGV)
==3205== Access not within mapped region at address 0x28
==3205== at 0x140606: free_object (quickjs.c:5644)
==3205== by 0x140907: free_gc_object (quickjs.c:5683)
==3205== by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205== by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205== by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205== by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205== by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205== by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205== by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205== by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205== by 0x13A342: JS_Call (quickjs.c:18941)
==3205== If you believe this happened as a result of a stack
==3205== overflow in your program's main thread (unlikely but
==3205== possible), you can try to increase the size of the
==3205== main thread stack using the --main-stacksize= flag.
==3205== The main thread stack size used in this run was 8388608.
==3205==
==3205== HEAP SUMMARY:
==3205== in use at exit: 299,104 bytes in 3,694 blocks
==3205== total heap usage: 22,045 allocs, 18,351 frees, 1,573,223 bytes allocated
==3205==
==3205== LEAK SUMMARY:
==3205== definitely lost: 0 bytes in 0 blocks
==3205== indirectly lost: 0 bytes in 0 blocks
==3205== possibly lost: 36,939 bytes in 156 blocks
==3205== still reachable: 262,165 bytes in 3,538 blocks
==3205== suppressed: 0 bytes in 0 blocks
==3205== Rerun with --leak-check=full to see details of leaked memory
==3205==
==3205== For lists of detected and suppressed errors, rerun with: -s
==3205== ERROR SUMMARY: 16 errors from 15 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
On Windows
Terminal output
qjs > .load test3.js
Maximum call stack size exceeded
Visual debugger callstack
> qjs.exe!list_del(list_head * el) Line 78 C
qjs.exe!js_free_value_rt(JSRuntime * rt, JSValue v) Line 5751 C
qjs.exe!JS_FreeValueRT(JSRuntime * rt, JSValue v) Line 5784 C
qjs.exe!free_var_ref(JSRuntime * rt, JSVarRef * var_ref) Line 5477 C
qjs.exe!js_bytecode_function_finalizer(JSRuntime * rt, JSValue val) Line 5555 C
qjs.exe!free_object(JSRuntime * rt, JSObject * p) Line 5663 C
qjs.exe!free_gc_object(JSRuntime * rt, JSGCObjectHeader * gp) Line 5683 C
qjs.exe!free_zero_refcount(JSRuntime * rt) Line 5705 C
qjs.exe!js_free_value_rt(JSRuntime * rt, JSValue v) Line 5753 C
qjs.exe!JS_FreeValueRT(JSRuntime * rt, JSValue v) Line 5784 C
qjs.exe!JS_FreeValue(JSContext * ctx, JSValue v) Line 5791 C
qjs.exe!JS_DefineProperty(JSContext * ctx, JSValue this_obj, unsigned int prop, JSValue val, JSValue getter, JSValue setter, int flags) Line 9648 C
qjs.exe!JS_DefinePropertyDesc(JSContext * ctx, JSValue obj, unsigned int prop, JSValue desc, int flags) Line 37874 C
qjs.exe!js_object_defineProperty(JSContext * ctx, JSValue this_val, int argc, JSValue * argv, int magic) Line 38010 C
qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16283 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16485 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16903 C
qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941 C
qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563 C
qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270 C
qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885 C
qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941 C
qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563 C
qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270 C
qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054 C
...
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885 C
qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941 C
qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563 C
qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270 C
qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885 C
qjs.exe!async_func_resume(JSContext * ctx, JSAsyncFunctionState * s) Line 19200 C
qjs.exe!js_async_function_resume(JSContext * ctx, JSAsyncFunctionData * s) Line 19455 C
qjs.exe!js_async_function_call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 19574 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16485 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941 C
qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563 C
qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270 C
qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885 C
qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19067 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallFree(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18948 C
qjs.exe!JS_EvalFunctionInternal(JSContext * ctx, JSValue fun_obj, JSValue this_obj, JSVarRef * * var_refs, JSStackFrame * sf) Line 34858 C
qjs.exe!__JS_EvalInternal(JSContext * ctx, JSValue this_obj, const char * input, unsigned __int64 input_len, const char * filename, int line, int flags, int scope_idx) Line 34993 C
qjs.exe!JS_EvalInternal(JSContext * ctx, JSValue this_obj, const char * input, unsigned __int64 input_len, const char * filename, int line, int flags, int scope_idx) Line 35019 C
qjs.exe!JS_EvalThis2(JSContext * ctx, JSValue this_obj, const char * input, unsigned __int64 input_len, JSEvalOptions * options) Line 35074 C
qjs.exe!JS_Eval(JSContext * ctx, const char * input, unsigned __int64 input_len, const char * filename, int eval_flags) Line 35088 C
qjs.exe!js_loadScript(JSContext * ctx, JSValue this_val, int argc, JSValue * argv) Line 489 C
qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16485 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16903 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866 C
qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941 C
qjs.exe!call_handler(JSContext * ctx, JSValue func) Line 2370 C
qjs.exe!js_os_poll(JSContext * ctx) Line 2601 C
qjs.exe!js_std_loop(JSContext * ctx) Line 4359 C
qjs.exe!main(int argc, char * * argv) Line 701 C
sample 2
// Returns a promise that is resolved one microtask later with a 1,000,000-byte
// Uint8Array. That allocation is what triggers garbage collection in the
// Valgrind trace below (js_typed_array_constructor -> js_trigger_gc ->
// gc_free_cycles, running from promise_reaction_job), so the size matters.
async function createTask () {
  return new Promise((resolve) => {
    Promise.resolve().then(function () {
      const buf = new Uint8Array(1000000)
      resolve(buf)
    })
  })
}
run() // function declarations are hoisted, so calling run() before its definition is fine
// Async function whose closures (`fn`, `done`) are created from an async
// frame (js_closure via async_func_resume in the trace below). `done` is
// registered as a reaction on createTask()'s promise, after which the
// function parks on a promise that is never settled, so the frame stays
// suspended while that reaction runs. The invalid read in
// promise_reaction_job -> JS_CallInternal -> js_dup is on a closure object of
// this kind that gc_free_cycles had already released; which of the two it is
// cannot be told from the trace.
async function run () {
  let fn = () => {}
  let done = () => {
    fn()
  }
  createTask().then(done) // `done` runs once createTask()'s promise settles
  const p = new Promise(() => {}) // executor never resolves or rejects
  console.log('pre await')
  await p // never resumes; 'post done' is absent from the terminal output below
  console.log('post done')
}
On Linux
Terminal output
QuickJS-ng - Type ".help" for help
qjs > .load test.js
pre await
qjs > malloc(): unaligned tcache chunk detected
Aborted (core dumped)
qjs > ==4831== Invalid read of size 4
==4831== at 0x131B08: js_dup (quickjs.c:1404)
==4831== by 0x131B08: JS_CallInternal (quickjs.c:17380)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 2
==4831== at 0x130838: JS_CallInternal (quickjs.c:16478)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f6 is 6 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 4
==4831== at 0x140755: JS_FreeValueRT (quickjs.c:5783)
==4831== by 0x130FEB: JS_CallInternal (quickjs.c:18896)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid write of size 4
==4831== at 0x14075A: JS_FreeValueRT (quickjs.c:5783)
==4831== by 0x130FEB: JS_CallInternal (quickjs.c:18896)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 4
==4831== at 0x140755: JS_FreeValueRT (quickjs.c:5783)
==4831== by 0x1463E8: free_var_ref (quickjs.c:5476)
==4831== by 0x1463E8: free_var_ref (quickjs.c:5470)
==4831== by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==4831== by 0x1406A3: free_object (quickjs.c:5663)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid write of size 4
==4831== at 0x14075A: JS_FreeValueRT (quickjs.c:5783)
==4831== by 0x1463E8: free_var_ref (quickjs.c:5476)
==4831== by 0x1463E8: free_var_ref (quickjs.c:5470)
==4831== by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==4831== by 0x1406A3: free_object (quickjs.c:5663)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 8
==4831== at 0x140834: list_del (list.h:77)
==4831== by 0x140834: js_free_value_rt (quickjs.c:5750)
==4831== by 0x140834: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1463E8: free_var_ref (quickjs.c:5476)
==4831== by 0x1463E8: free_var_ref (quickjs.c:5470)
==4831== by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==4831== by 0x1406A3: free_object (quickjs.c:5663)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb900 is 16 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
...
==4831== Invalid read of size 8
==4831== at 0x1405FE: free_object (quickjs.c:5642)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb908 is 24 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 1
==4831== at 0x140602: free_object (quickjs.c:5639)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x4bfb8f5 is 5 bytes inside a block of size 72 free'd
==4831== at 0x484417B: free (vg_replace_malloc.c:872)
==4831== by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831== by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831== by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831== by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831== by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831== by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831== by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831== by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831== by 0x13A342: JS_Call (quickjs.c:18941)
==4831== by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831== by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Block was alloc'd at
==4831== at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831== by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831== by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831== by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831== by 0x174728: js_closure (quickjs.c:16031)
==4831== by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831== by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831== by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831== by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831== by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831== by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831== by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831== by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 4
==4831== at 0x140606: free_object (quickjs.c:5644)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== Address 0x28 is not stack'd, malloc'd or (recently) free'd
==4831==
==4831==
==4831== Process terminating with default action of signal 11 (SIGSEGV)
==4831== Access not within mapped region at address 0x28
==4831== at 0x140606: free_object (quickjs.c:5644)
==4831== by 0x140907: free_gc_object (quickjs.c:5683)
==4831== by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831== by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831== by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831== by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831== by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831== by 0x11C843: main (qjs.c:701)
==4831== If you believe this happened as a result of a stack
==4831== overflow in your program's main thread (unlikely but
==4831== possible), you can try to increase the size of the
==4831== main thread stack using the --main-stacksize= flag.
==4831== The main thread stack size used in this run was 8388608.
==4831==
==4831== HEAP SUMMARY:
==4831== in use at exit: 1,228,916 bytes in 2,580 blocks
==4831== total heap usage: 5,599 allocs, 3,019 frees, 1,533,146 bytes allocated
==4831==
==4831== LEAK SUMMARY:
==4831== definitely lost: 120 bytes in 1 blocks
==4831== indirectly lost: 0 bytes in 0 blocks
==4831== possibly lost: 1,036,059 bytes in 151 blocks
==4831== still reachable: 192,737 bytes in 2,428 blocks
==4831== suppressed: 0 bytes in 0 blocks
==4831== Rerun with --leak-check=full to see details of leaked memory
==4831==
==4831== For lists of detected and suppressed errors, rerun with: -s
==4831== ERROR SUMMARY: 21 errors from 19 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
On Windows
Terminal output
QuickJS-ng - Type ".help" for help
qjs > .load test1.js
pre await
Exception thrown: read access violation.
Visual Studio debugger call stack
> qjs.exe!list_del(list_head * el) Line 78 C
qjs.exe!js_free_value_rt(JSRuntime * rt, JSValue v) Line 5751 C
qjs.exe!JS_FreeValueRT(JSRuntime * rt, JSValue v) Line 5784 C
qjs.exe!JS_FreeValue(JSContext * ctx, JSValue v) Line 5791 C
qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 18897 C
qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941 C
qjs.exe!promise_reaction_job(JSContext * ctx, int argc, JSValue * argv) Line 50198 C
qjs.exe!JS_ExecutePendingJob(JSRuntime * rt, JSContext * * pctx) Line 2008 C
qjs.exe!js_std_loop(JSContext * ctx) Line 4351 C
qjs.exe!main(int argc, char * * argv) Line 701 C