bellard / quickjs Goto Github PK
View Code? Open in Web Editor NEWPublic repository of the QuickJS Javascript Engine.
Home Page: https://bellard.org/quickjs
License: Other
Public repository of the QuickJS Javascript Engine.
Home Page: https://bellard.org/quickjs
License: Other
Now, quickjs is packaged in buildroot,
see details on https://git.busybox.net/buildroot/tree/package/quickjs.
The cross compilation support (with CROSS_PREFIX
) works well.
Buildroot allows to build against various libc :
stdatomic
fenv
At this time, it seems that quickjs requires a glibc
.
Have you plan to support others libc
or just to add the glibc
dependency in the documentation ?
According to https://bellard.org/quickjs/, this repository is just a mirror and there’s no proper commits history, just releases. Thus I’d like to ask, where can we find the project’s main (upstream) repository used for development?
The poc overflows the JavaScript stack.
Ubuntu 18.04
gcc version 6.5.0 (GCC)
QuickJS version 2020-09-06
function main() {
let v2 = 0;
var prGt = JSON;
while (v2 < 10) {
function v3(v4, v5, v6, v7, ...v8) {
const v11 = Math.asinh(Int32Array);
var MZCC = v11.constructor();
}
for (let v24 = 0; v24 < 10; v24++) {
const v25 = v3();
var sDYb = Date;
var HpBB = Symbol;
}
const v26 = v2 + 1;
var CfQP = v2.toFixed(v26);
var akHP = new Object();
var sWJC = escape('fw]/$pc]=#T]MM11'); var aZec = main(); var xwhW = JSON.parse('l<u0
I9');
CfQP.length = v26;
var BeHt = DataView;
var zeij = JSON.stringify('CG&wE5qa41v)g?Wo3SCFw');
}
}
main();
InternalError: stack overflow
at asinh (native)
at v3 (poc:6)
at main (poc:10)
at main (poc:18)
... ...
at (poc:25)
'top-level-await' is a killer feature. I suggest quickjs to support it.
Anyone did the porting? Especially on Cortex-M0.
Can't get opaque pointer on derived js obj
static JSClassID base_class_id = 0;
JSValue base_method_a(JSContext* ctx, JSValueConst this_val, int argc, JSValueConst* argv) {
JS_GetOpaque(this_val, base_class_id); // would return NULL if deriverd object call methodA
}
static JSCFunctionListEntry base_class_funcs[] = {
JS_CFUNC_DEF("methodA", 2, base_method_a),
};
void init() {
/**
* define base class
*/
JSValue proto = JS_NewObject(ctx);
JS_NewClassID(&base_class_id);
JS_NewClass(JS_GetRuntime(ctx), base_class_id, &base_class_def);
JS_SetClassProto(ctx, base_class_id, proto);
JS_SetPropertyFunctionList(ctx, proto, base_class_funcs, countof(base_class_funcs));
/**
* define derived class
*/
JSValue baseObj = JS_NewObjectClass(ctx, base_class_id);
JS_NewClassID(&derived_class_id);
JS_NewClass(JS_GetRuntime(ctx), derived_class_id, &derived_class_def);
JS_SetClassProto(ctx, derived_class_id, baseObj);
}
Ubuntu 18.04
gcc version 9.3.0
QuickJS version 2021-03-27
How to reproduce:
file "module.js":
class Parent {}
export class Child extends Parent {
childInstanceVar = 42;
constructor() {}
}
file "test.js"
import {Child} from "./module.js";
var child = new Child(); // <<< internal error here
console.log(child);
Running qjs -m test.js
Getting error:
ReferenceError: lexical variable is not initialized
at Child (module.js)
at <anonymous> (test.js:4)
QJS clearly fails to create instances of extended classes that reside in modules. But it works for classes that are a) either not extended or b) not in modules.
function shouldBe(actual, expected) {
if (actual !== expected)
throw new Error('bad value: ' + actual);
}
a = {defineProperties:Object};
function opt() {
a.__proto__ = new Proxy({}, {ownKeys:opt});
return [];
}
for(var i=0;i<400;i=i+1) {
var prop = null;
var count = 0;
for (t in a) {
opt();
prop = t;
++count;
}
shouldBe(prop, "defineProperties");
shouldBe(count, 1);
}
=================================================================
==13697==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000002710 at pc 0x000102f62f09 bp 0x7ffeecdccfd0 sp 0x7ffeecdccfc8
READ of size 8 at 0x604000002710 thread T0
#0 0x102f62f08 in js_proxy_get_own_property_names+0x1958 (qjs:x86_64+0x100132f08)
#1 0x102e999d6 in JS_GetOwnPropertyNamesInternal+0x1236 (qjs:x86_64+0x1000699d6)
#2 0x102e77f98 in build_for_in_iterator+0x668 (qjs:x86_64+0x100047f98)
#3 0x102e5171e in JS_CallInternal+0xc8ae (qjs:x86_64+0x10002171e)
#4 0x102ea92d4 in JS_EvalFunctionInternal+0x154 (qjs:x86_64+0x1000792d4)
#5 0x102f7cf95 in __JS_EvalInternal+0x2465 (qjs:x86_64+0x10014cf95)
#6 0x10305da1b in JS_Eval+0x7b (qjs:x86_64+0x10022da1b)
#7 0x102e33006 in eval_buf+0xc6 (qjs:x86_64+0x100003006)
#8 0x102e3322d in eval_file+0x16d (qjs:x86_64+0x10000322d)
#9 0x102e3291e in main+0x106e (qjs:x86_64+0x10000291e)
#10 0x7fff20351620 in start+0x0 (libdyld.dylib:x86_64+0x15620)
0x604000002710 is located 0 bytes inside of 40-byte region [0x604000002710,0x604000002738)
freed by thread T0 here:
#0 0x1032502c6 in wrap_free+0xa6 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x492c6)
#1 0x102e34ce4 in free_object+0x244 (qjs:x86_64+0x100004ce4)
#2 0x102e34395 in __JS_FreeValueRT+0x285 (qjs:x86_64+0x100004395)
#3 0x102e7c1c1 in JS_SetPropertyInternal+0x1be1 (qjs:x86_64+0x10004c1c1)
#4 0x102e5253a in JS_CallInternal+0xd6ca (qjs:x86_64+0x10002253a)
#5 0x102f61821 in js_proxy_get_own_property_names+0x271 (qjs:x86_64+0x100131821)
#6 0x102e999d6 in JS_GetOwnPropertyNamesInternal+0x1236 (qjs:x86_64+0x1000699d6)
#7 0x102e77f98 in build_for_in_iterator+0x668 (qjs:x86_64+0x100047f98)
#8 0x102e5171e in JS_CallInternal+0xc8ae (qjs:x86_64+0x10002171e)
#9 0x102ea92d4 in JS_EvalFunctionInternal+0x154 (qjs:x86_64+0x1000792d4)
#10 0x102f7cf95 in __JS_EvalInternal+0x2465 (qjs:x86_64+0x10014cf95)
#11 0x10305da1b in JS_Eval+0x7b (qjs:x86_64+0x10022da1b)
#12 0x102e33006 in eval_buf+0xc6 (qjs:x86_64+0x100003006)
#13 0x102e3322d in eval_file+0x16d (qjs:x86_64+0x10000322d)
#14 0x102e3291e in main+0x106e (qjs:x86_64+0x10000291e)
#15 0x7fff20351620 in start+0x0 (libdyld.dylib:x86_64+0x15620)
previously allocated by thread T0 here:
#0 0x10325017d in wrap_malloc+0x9d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4917d)
#1 0x102f693c4 in js_def_malloc+0x64 (qjs:x86_64+0x1001393c4)
#2 0x102f5fb37 in js_proxy_constructor+0x287 (qjs:x86_64+0x10012fb37)
#3 0x102f708f2 in js_call_c_function+0x382 (qjs:x86_64+0x1001408f2)
#4 0x102e702a2 in JS_CallConstructorInternal+0x4d2 (qjs:x86_64+0x1000402a2)
#5 0x102e505e9 in JS_CallInternal+0xb779 (qjs:x86_64+0x1000205e9)
#6 0x102e5665b in JS_CallInternal+0x117eb (qjs:x86_64+0x10002665b)
#7 0x102ea92d4 in JS_EvalFunctionInternal+0x154 (qjs:x86_64+0x1000792d4)
#8 0x102f7cf95 in __JS_EvalInternal+0x2465 (qjs:x86_64+0x10014cf95)
#9 0x10305da1b in JS_Eval+0x7b (qjs:x86_64+0x10022da1b)
#10 0x102e33006 in eval_buf+0xc6 (qjs:x86_64+0x100003006)
#11 0x102e3322d in eval_file+0x16d (qjs:x86_64+0x10000322d)
#12 0x102e3291e in main+0x106e (qjs:x86_64+0x10000291e)
#13 0x7fff20351620 in start+0x0 (libdyld.dylib:x86_64+0x15620)
SUMMARY: AddressSanitizer: heap-use-after-free (qjs:x86_64+0x100132f08) in js_proxy_get_own_property_names+0x1958
Shadow bytes around the buggy address:
0x1c0800000490: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000004a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x1c08000004b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000004c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x1c08000004d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x1c08000004e0: fa fa[fd]fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x1c08000004f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0800000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0800000510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0800000520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0800000530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13697==ABORTING
[1] 13697 abort ./qjs crash.js
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Below are the few examples of the DateAPI where parse method is returning incorrect values.
console.log(Date.parse('04 Dec 1995 00:12:00 GMT'));
returns -56797387680000
rather than 818035920000
console.log(Date.parse('2020-04-20T18:30:0000:0000'));' returns
1587432600000rather than
NaN`
There are a few other cases/formats where parse method returns unexpected values. Also, similar issue happens with Date constructor.
Ubuntu 16.04
gcc 5.4.0
qjs version: 7c312df
test command: ./qjs poc
There seems to be a memory leak problem around getOwnPropertyDescriptor
of a Proxy
.
The proof-of-concept script pasted below is causing an assertion error in JS_FreeRuntime
.
qjs: quickjs.c:1979: JS_FreeRuntime: Assertion `list_empty(&rt->gc_obj_list)' failed.
Dump with DUMP_LEAKS
:
Object leaks:
ADDRESS REFS SHRF PROTO CLASS PROPS
0x6070000044d0 1 0* 0x607000000090 Object { }
Ubuntu 18.04
Tested on gcc 7.5.0 and clang 6.0
Command: ./qjs poc.js
let o = {};
let p = new Proxy(o, {
getOwnPropertyDescriptor: function (target, name) {
abc;
}
});
p.x = {};
console.log("OK");
quickjs.c
line:6243
fprintf(fp, "\n" "JSObject classes\n");
if (obj_classes[0])
fprintf(fp, " %5d %2.0d %s\n", obj_classes[0], 0, "none");
for (class_id = 1; class_id < JS_CLASS_INIT_COUNT; class_id++) {
if (obj_classes[class_id]) {
char buf[ATOM_GET_STR_BUF_SIZE];
fprintf(fp, " %5d %2.0d %s\n", obj_classes[class_id], class_id,
JS_AtomGetStrRT(rt, buf, sizeof(buf), js_std_class_def[class_id - 1].class_name));
}
}
crash here JS_AtomGetStrRT(rt, buf, sizeof(buf), js_std_class_def[class_id - 1].class_name));
because of js_std_class_def's length < JS_CLASS_INIT_COUNT memory access error . trap 6
promise define in another array
>static JSClassShortDef const js_async_class_def[] = {
{ JS_ATOM_Promise, js_promise_finalizer, js_promise_mark }, /* JS_CLASS_PROMISE */
{ JS_ATOM_PromiseResolveFunction, js_promise_resolve_function_finalizer, js_promise_resolve_function_mark }, /* JS_CLASS_PROMISE_RESOLVE_FUNCTION */
{ JS_ATOM_PromiseRejectFunction, js_promise_resolve_function_finalizer, js_promise_resolve_function_mark }, /* JS_CLASS_PROMISE_REJECT_FUNCTION */
{ JS_ATOM_AsyncFunction, js_bytecode_function_finalizer, js_bytecode_function_mark }, /* JS_CLASS_ASYNC_FUNCTION */
{ JS_ATOM_AsyncFunctionResolve, js_async_function_resolve_finalizer, js_async_function_resolve_mark }, /* JS_CLASS_ASYNC_FUNCTION_RESOLVE */
{ JS_ATOM_AsyncFunctionReject, js_async_function_resolve_finalizer, js_async_function_resolve_mark }, /* JS_CLASS_ASYNC_FUNCTION_REJECT */
{ JS_ATOM_empty_string, js_async_from_sync_iterator_finalizer, js_async_from_sync_iterator_mark }, /* JS_CLASS_ASYNC_FROM_SYNC_ITERATOR */
{ JS_ATOM_AsyncGeneratorFunction, js_bytecode_function_finalizer, js_bytecode_function_mark }, /* JS_CLASS_ASYNC_GENERATOR_FUNCTION */
{ JS_ATOM_AsyncGenerator, js_async_generator_finalizer, js_async_generator_mark }, /* JS_CLASS_ASYNC_GENERATOR */
};
if (obj_classes[class_id] && class_id < countof(js_std_class_def)) {
Hello,
I have a C program that is meant to wrap Babel in quickjs. I compiled the attached JS code into a binary using qjsc -o babel-bundle.c -e babel-bundle.js
. In my C code I then load that into the Context as such:
js_std_eval_binary(ctx, babel_bundle, strlen(babel_bundle), 0);
I then call Babel using this:
const char* cScript = "Babel.transform('class Polygon { constructor(...sides) { this.sides = sides; } *getSides() { for(const side of this.sides){ yield side; } } get sides() { return sides; } set sides(sides) { this.sides = sides; } }', { presets: ['env'], sourceMaps: true, sourceType: 'script' })";
JSValue ret = JS_Eval(ctx, cScript, strlen(cScript), "<eval>", JS_EVAL_TYPE_GLOBAL);
if (JS_IsException(ret)) {
JSValue exception_value = JS_GetException(ctx);
const char* response = JS_ToCString(ctx, exception_value);
printf("%s", response);
}
And it's producing the following error: "InternalError: unknown: stack overflow"
If I pass other scripts to Babel.transform(...
it doesn't fail. It seems to be a hit and miss for this. For example, the same code without the javascript generator function works fine:
const char* cScript = "Babel.transform('class Polygon { constructor(...sides) { this.sides = sides; } get sides() { return sides; } set sides(sides) { this.sides = sides; } }', { presets: ['env'], sourceMaps: true, sourceType: 'script' })";
I know the mailing list is the official place for discussion, but I thought I should post this here for visibility.
JS_NewRuntime
sets stack_top
as the address of the current frame when the runtime is created. There is no relationship whatsoever between the stack frame JS_NewRuntime
is called in and the frame JS_Eval
is called in.
This appears to have been pointed out back in 2019: https://www.freelists.org/post/quickjs-devel/stackoverflow,3
But it doesn't appear to me that any progress has been made on this issue.
As pointed out on the mailing list, simply calling JS_NewRuntime
in a deeper stack frame than JS_Eval
leads to false positives in the single-threaded case, and there is no way to turn this off without editing the source. This is a very confusing default.
This is just off the top of my head, but perhaps it would make sense to use something like a thread local that is set every time JS_Eval
is called, and set back to NULL
when JS_Eval
isn't running. That way recursive invocations could be detected.
Anyway, thanks again for a very useful project!
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Below is the ASAN outputs.
At the moment JS_RunModule() function allows multiple evaluations of already loaded (and evaluated) module.
I propose to add simple check to prevent that (see /* check if it is already evaluated */
):
JSModuleDef *JS_RunModule(JSContext *ctx, const char *basename,
const char *filename)
{
JSModuleDef *m;
JSValue ret, func_obj;
m = js_host_resolve_imported_module(ctx, basename, filename);
if (!m)
return NULL;
if (js_resolve_module(ctx, m) < 0) {
js_free_modules(ctx, JS_FREE_MODULE_NOT_RESOLVED);
return NULL;
}
/* check if it is already evaluated */
if (m->evaluated)
return m; /* already evaluated, done */
/* Evaluate the module code */
func_obj = JS_DupValue(ctx, JS_MKPTR(JS_TAG_MODULE, m));
ret = JS_EvalFunction(ctx, func_obj);
if (JS_IsException(ret))
return NULL;
JS_FreeValue(ctx, ret);
return m;
}
I am getting more and more into vlang and I am thinking of writing a direct wrapper for QuickJS. But I would love to keep this as small as possible but also provide the full feature set.
So my question is:
The latter one is especially important as I am working with other single-file (amalgamated) libraries such as mongoose, in which it is actually save to include the C file, because it in turn includes the header file.
In V, it is possible to define what headers to include in a wrapper - so I would probably just include the entirity of QuickJS alongside the wrapper to expose just a single module, so the user doesn't have to mess with finding the right source/header files. Is this a safe practice with this library?
Thanks!
I tried many times ,but it always failed.I have studied the source code for a long time.There are too many GCC futures used in this project.Please help me.Thanks
Problem: given this JS input:
function main() {
const v2 = [1337,NaN,1337];
const v6 = new Int32Array(212559.11688867002);
const v7 = v6.join(v2);
const v8 = eval(v7);
}
main();
the thing crashes with "./qjs a.js"
Suggested fix:
diff --git a/quickjs.c b/quickjs.c
index efc1d54..670f758 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -31982,6 +31982,8 @@ static __exception int compute_stack_size_rec(JSContext *ctx,
const JSOpCode *oi;
const uint8_t *bc_buf;
+ if (js_check_stack_overflow(ctx->rt, 0))
+ goto stack_overflow;
Maybe there is some point in the code when increasing the stack TOP without doing the CHECKSTACK(n) which should have something to do with unbalanced number of parameters in function definition and function call.
Ubuntu 18.04
gcc version 6.5.0 (GCC)
QuickJS version 2020-09-06
command:
qjs poc
qjsc -o out poc && ./out
function f() {f(1,2)}
f(1)
InternalError: stack overflow
at f (poc)
at f (poc)
... ...
at (poc:2)
In JS_ReadFunctionTag()
if goto fail;
happens after b->cpool_count
is set to a >0 value but before b->cpool
is allocated, then JS_FreeValue()
will try to iterate over a NULL
b->cpool
and segfault.
Ubuntu 16.04
gcc 5.4.0
qjs version: 7c312df
test command: ./qjs poc
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Below is the ASAN outputs.
ASAN:SIGSEGV
==107042==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd4f3befb8 (pc 0x00000087b714 bp 0x7ffd4f3bf0c0 sp 0x7ffd4f3befb8 T0)
#0 0x87b713 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31754
#1 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#2 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#3 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#4 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#5 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#6 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#7 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#8 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#9 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#10 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#11 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#12 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#13 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#14 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#15 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#16 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#17 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#18 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#19 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#20 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#21 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#22 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#23 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#24 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#25 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#26 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#27 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#28 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#29 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#30 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#31 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#32 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#33 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#34 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#35 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#36 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#37 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#38 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#39 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#40 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#41 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#42 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#43 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#44 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#45 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#46 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#47 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#48 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#49 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#50 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#51 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#52 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#53 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#54 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#55 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#56 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#57 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#58 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#59 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#60 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#61 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#62 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#63 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#64 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#65 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#66 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#67 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#68 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#69 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#70 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#71 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#72 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#73 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#74 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#75 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#76 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#77 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#78 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#79 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#80 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#81 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#82 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#83 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#84 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#85 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#86 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#87 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#88 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#89 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#90 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#91 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#92 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#93 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#94 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#95 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#96 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#97 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#98 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#99 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#100 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#101 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#102 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#103 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#104 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#105 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#106 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#107 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#108 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#109 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#110 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#111 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#112 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#113 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#114 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#115 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#116 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#117 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#118 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#119 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#120 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#121 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#122 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#123 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#124 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#125 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#126 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#127 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#128 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#129 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#130 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#131 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#132 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#133 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#134 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#135 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#136 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#137 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#138 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#139 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#140 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#141 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#142 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#143 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#144 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#145 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#146 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#147 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#148 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#149 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#150 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#151 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#152 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#153 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#154 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#155 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#156 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#157 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#158 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#159 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#160 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#161 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#162 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#163 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#164 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#165 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#166 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#167 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#168 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#169 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#170 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#171 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#172 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#173 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#174 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#175 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#176 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#177 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#178 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#179 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#180 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#181 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#182 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#183 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#184 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#185 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#186 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#187 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#188 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#189 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#190 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#191 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#192 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#193 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#194 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#195 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#196 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#197 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#198 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#199 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#200 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#201 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#202 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#203 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#204 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#205 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#206 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#207 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#208 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#209 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#210 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#211 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#212 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#213 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#214 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#215 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#216 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#217 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#218 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#219 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#220 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#221 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#222 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#223 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#224 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#225 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#226 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#227 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#228 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#229 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#230 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#231 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#232 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#233 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#234 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#235 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#236 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#237 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#238 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#239 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#240 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#241 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#242 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#243 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#244 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#245 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#246 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#247 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#248 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#249 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#250 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
#251 0x87bd24 in compute_stack_size_rec /home/keven/Fuzzing/QuickJS/quickjs.c:31835
SUMMARY: AddressSanitizer: stack-overflow /home/keven/Fuzzing/QuickJS/quickjs.c:31754 compute_stack_size_rec
==107042==ABORTING
Copy of oss-fuzz issue 21397
(again, build with CONFIGURE_ASAN=y in Makefile)
Repro:
./qjs e21397.js.TXT
e21397.js.TXT
And a side-note: I'm happy to move all the public bugs from OSS-Fuzz/quickjs if it helps: i originally thought it makes more sense to comment there because it's access-controlled prior to disclosure.
The JS_IteratorNext2 function will be called recursively, causing the stack frame move to the bottom
Ubuntu 16.04
gcc version 6.5.0 20181026
→ 0x48164a <JS_IteratorNext2.lto_priv.35+202> call QWORD PTR [rax+0x38]
0x48164d <JS_IteratorNext2.lto_priv.35+205> pop rcx
0x48164e <JS_IteratorNext2.lto_priv.35+206> pop rsi
0x48164f <JS_IteratorNext2.lto_priv.35+207> jmp 0x481601
gef➤ vmmap stack
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x00007fffff7ff000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
gef➤ p $rsp
$1 = (void *) 0x7fffff7ff000
var nullChars = new Array();
var badIter = {};
iter = 3 / iter;
badIter[Symbol.iterator] = function () {
return {
next: function () {
return 8;
}
};
};
var PSXh = Error;
function* g() {
try {
yield* badIter;
var NFhf = new Uint8Array([
1.3,
-9007199254740991,
1200,
0,
0,
1,
1e+81,
4294967295,
9007199254740991
]);
} catch (err) {
caught = err;
}
}
var iter = g();
var result, caught;
badIter = g();
result = iter.next();
Clang-Cl does not yet have total 128-bit arithmetic support available for MSVC backend. You are likely going to see one of these linker error if you tried to compile libbf:
E:\Git\github.com\stevefan1999-personal\quickjspp\out\build\x64-RelWithDebInfo\lld-link : error : undefined symbol: __udivti3
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:1292
>>> lto.tmp:(mp_divnorm)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:1318
>>> lto.tmp:(mp_divnorm)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:1252
>>> lto.tmp:(mp_div1norm)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:1260
>>> lto.tmp:(mp_div1norm)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:1955
>>> lto.tmp:(mp_sqrtrem2)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:3393
>>> lto.tmp:(bf_integer_to_radix_rec)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:3396
>>> lto.tmp:(bf_integer_to_radix_rec)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:8267
>>> lto.tmp:(ntt_static_init)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:8277
>>> lto.tmp:(ntt_static_init)
>>> referenced by E:\Git\github.com\stevefan1999-personal\quickjspp\quickjs\libbf.c:8285
>>> lto.tmp:(ntt_static_init)
>>> referenced 1 more times
The bug has not been resolved for 5 years now.
To workaround the problem, you can simply patch the file to use 64-bit double limb rather than 128-bit or even not use BigNum at all.
index 6749b35..5a502ff 100644
--- a/libbf.h
+++ b/libbf.h
@@ -27,7 +27,7 @@
#include <stddef.h>
#include <stdint.h>
-#if defined(__x86_64__)
+#if defined(__x86_64__) && !defined(_WIN32)
#define LIMB_LOG2_BITS 6
#else
#define LIMB_LOG2_BITS 5
Using 64-bit double limb is fine even on 64-bit platform, but it will probably suffer some performance loss of up to 2x due to lack of AVX/vectorization. I didn't really benchmarked it but as an educated guess I think🤷♂️.
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Below is the ASAN outputs. Heap use-after-free at QuickJS/quickjs.h:661
typedef uint32_t JSClassID;
but store as uint16_t in the JSObject.
Invoke JS_NewClass use a class_id biger than maximum of uint16_t will success.
Invoke JS_NewObjectProtoClass use that class_id sueccss too, but the object created store a wrong class_id.
It may cause a wrong finalizer calling in the gc.
[again, needs CONFIG_ASAN=y in Makefile]
Repro:
./qjs JS_GetPropertyInternal.js.TXT
POC fix:
diff --git a/quickjs.c b/quickjs.c
index a39ff8f..6a2d259 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -39079,6 +39079,7 @@ static int64_t JS_FlattenIntoArray(JSContext *ctx, JSValueConst target,
Attached file:
JS_GetPropertyInternal.js.TXT
Could you ship a license file in your official tarball so that downstream packagers can use it (for example in buildroot)?
Although JS_MAX_LOCAL_VARS
is set to 65536, Array(65537)
, for example, can be used to bypass the constraints (fd->arg_count >= JS_MAX_LOCAL_VARS
) and create an invalid function.
Calling the function may cause a crash.
ASAN:DEADLYSIGNAL
=================================================================
==24999==ERROR: AddressSanitizer: SEGV on unknown address 0x100080017948 (pc 0x555555671d64 bp 0x7fffffffca00 sp 0x7fffffffc250 T0)
==24999==The signal is caused by a READ memory access.
#0 0x555555671d63 in JS_CallInternal.lto_priv.161 /home/ptr/Downloads/quickjs/quickjs.c:16930
#1 0x55555566f0b5 in JS_CallInternal.lto_priv.161 /home/ptr/Downloads/quickjs/quickjs.c:16547
#2 0x5555556994d5 in JS_CallFree.lto_priv.407 /home/ptr/Downloads/quickjs/quickjs.c:18628
#3 0x5555556d9ae9 in JS_EvalFunctionInternal.lto_priv.507 /home/ptr/Downloads/quickjs/quickjs.c:33427
#4 0x5555556f14d8 in __JS_EvalInternal.lto_priv.248 /home/ptr/Downloads/quickjs/quickjs.c:33581
#5 0x5555556d915d in JS_EvalInternal /home/ptr/Downloads/quickjs/quickjs.c:33599
#6 0x5555556d915d in JS_EvalThis /home/ptr/Downloads/quickjs/quickjs.c:33630
#7 0x5555556d91ed in JS_Eval /home/ptr/Downloads/quickjs/quickjs.c:33638
#8 0x5555555b24b0 in eval_buf /home/ptr/Downloads/quickjs/qjs.c:68
#9 0x5555555b2684 in eval_file /home/ptr/Downloads/quickjs/qjs.c:100
#10 0x555555588ee4 in main /home/ptr/Downloads/quickjs/qjs.c:516
#11 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#12 0x555555589539 in _start (/home/ptr/Downloads/quickjs/qjs+0x35539)
The PoC script should throwInternalError
(either stack overflow
or too many arguments
)
Ubuntu 18.04
Tested on gcc 7.5.0
Command: ./qjs poc.js
Reflect.apply(Function, undefined, Array(65537))();
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Below is the ASAN outputs. Heap use-after-free at QuickJS/quickjs.c:8115
When calling Array.prototype.unshift, the execution speed of quickjs is much slower than other JavaScript engines. What caused this problem? Does this problem need to be optimized?
quickjs-2020-11-08
var foo = function(v) {
for(var t = [], r = 0; r < 10000; r++) {
t.unshift(1);
}
}
var res = foo();
quickjs: 1188ms
JerryScript: 29ms
XS: 79ms
Intel(R) Core(TM) i9-9940X CPU @ 3.30GHz
My code:
var a = new Array(10**9); a=a.fill(0);
So I suggest:
Add memory limit e.g 2GB RAM
Add optimization for such arrays (like PHP Immutable arrays)
$a=array(); for($i=0;$i<1000000;$i++) $a[$i]=array("hello") memory_get_usage(true) //about 34mb
[this is a clone of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21422 which is now open to everyone]
Using the attached file one can try (N.B. the build must have CONFIG_ASAN=y in the Makefile for this to show)
./qjs e26867.js.TXT
==32654==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee78a8d80 (pc 0x000107da7d7a bp 0x7ffee78a93b0 sp 0x7ffee78a8d80 T0)
#0 0x107da7d7a in re_parse_term+0x8a (qjs:x86_64+0x100250d7a)
#1 0x107da7444 in re_parse_disjunction+0x184 (qjs:x86_64+0x100250444)
#2 0x107da92c2 in re_parse_term+0x15d2 (qjs:x86_64+0x1002522c2)
#3 0x107da7444 in re_parse_disjunction+0x184 (qjs:x86_64+0x100250444)
#4 0x107da92c2 in re_parse_term+0x15d2 (qjs:x86_64+0x1002522c2)
#5 0x107da7444 in re_parse_disjunction+0x184 (qjs:x86_64+0x100250444)
#6 0x107da92c2 in re_parse_term+0x15d2 (qjs:x86_64+0x1002522c2)
...
os.exec() function seems to be not available on qjs windows build.
When inspecting the code, it seems to be on purpose (#if !defined(_WIN32))
Is os.exec() something that could be supported. Or a comparable function to launch another program from within qjs ?
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Below is the ASAN outputs.
In CCF we've been using a patch from user Geequlim to access modules exports, specifically functions, from native code:
Is there a chance to make this part of quickjs? I'm not sure if the patch requires further tweaks to work more generally. I think it doesn't work as-is when a function/entry is re-exported from another module.
We're happy to help if it's useful.
Ubuntu 16.04
gcc 5.4.0
qjs version: af1420f(git hash)
test command: ./qjs poc
Except for the log function, other functions do not seem to be supported. Moreover, log currently does not support styled output
QuickJS - Type "\h" for help
qjs > console.error("aaa")
TypeError: not a function
at <eval> (<evalScript>)
qjs > console.log("%caaa","color:red;")
%caaa color:red;
undefined
Is there a possibility of support? Or only limited support, in a way similar to \033[41;37m
?
Hello.
Please support the work under Windows. Using native WinAPI. Through compilation conditional keys or something like that.
There are some projects that depend on yours (for example, javascript support for the Rust language). But the lack of proper Windows support is a big problem.
PS: MinGW does not fly
Ubuntu 16.04
gcc 5.4.0
qjs version: 7c312df
test command: ./qjs poc
Hello and thank you very much for QuickJS!
I have a question. Your documentation says:
-D module_name.
Compile a dynamically loaded module and its dependencies. This option is needed
when your code uses the import keyword or the os.Worker constructor because the compiler
cannot statically find the name of the dynamically loaded modules.
I have a script which starts a worker from another script file. When I use qjsc
to build it, I pass -D
parameter and path to worker script.
The result C file contains byte data of worker script:
But when I try to run the executable in another directory, I get this message:
ReferenceError: could not load module filename 'src/worker/worker_script.js'
I should change something to get it work? Or I should manually modify C file for writing this script?
Thank you
Basically, the parameter named 'x' and var declaration for 'x' create two distinct variables, with the declaration in the body not being visible to expressions in the parameter lists; the variable in the body is initialized with the value of the parameter after execution of the parameter list ends, but should not reflect subsequent changes to it.
Ubuntu 18.04
gcc version 6.5.0 (GCC)
QuickJS version 2020-09-06
function func(x = 0, read = () => x) {
var x = 1;
print('param x =', read());
print('body x =', x);
}
func();
$ qjs poc
param x = 1
body x = 1
param x = 0
body x = 1
An overloaded function 'func1' is not standard when declared in 'func2'. gfs reports an error in this situation although other js-compilers treats it as a warning. However, the SyntaxError is not clear enough on what is wrong in the code.
Ubuntu 18.04
gcc version 6.5.0 (GCC)
QuickJS version 2020-09-06
function func1(n) {
var obj = 'func1(){}';
var i;
for (i = 0; i < n; i++) {
print(JSON.stringify(obj));
}
}
function func2(n) {
for (var a = 0; a < 10; ++a)
//func1 = function (n,n) { //right
function func1(n,n) {
var obj = 'overload func1(){}';
var i;
for (i = 0; i < n; i++) {
print(JSON.stringify(obj));
}
}
}
try {
func2(10);
} catch (e) {
print(e.name, e);
}
$ qjs poc
SyntaxError: function declarations can't appear in single-statement context
at poc:11
None of the download links for binary releases of Linux at https://bellard.org/quickjs/ contain qjsc executable. The downloaded zip only contains qjs,run-test262 binaries.
Is any particular reason behind not including the qjsc binary in the zip? Currently, the only official way to get qjsc is by building them from source.
os module is not exporting realpath function, even though docs claim that.
I was using quickjs-win-x86_64-2020-11-08.zip
That breaks https://github.com/IvanGaravito/quickjs-require/blob/master/require.js, among other things.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.