heap-buffer-overflow in Array.prototype.push() after resize.

[xeioex]

var v0=[], i = 0; 
 
while (i++ < 100) {
    v0.push(v0.shift(0));
} 

$ njs test.js
==13374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c7d0 at pc 0x000000447165 bp 0x7ffd25e422b0 sp 0x7ffd25e422a
0
WRITE of size 16 at 0x60d00000c7d0 thread T0
    #0 0x447164 in njs_array_prototype_push njs/njs_array.c:679
    #1 0x45f1f2 in njs_function_native_call njs/njs_function.c:587
    #2 0x41bd8f in njs_vmcode_function_call njs/njs_vm.c:2061
    #3 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #4 0x412be5 in njs_vm_start njs/njs.c:594
    #5 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #6 0x403f7d in njs_process_file njs/njs_shell.c:619
    #7 0x402aa9 in main njs/njs_shell.c:281

0x60d00000c7d0 is located 0 bytes to the right of 128-byte region [0x60d00000c750,0x60d00000c7d0)
allocated by thread T0 here:
    #0 0x7f297b5a5076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4b5c7d in nxt_memalign nxt/nxt_malloc.c:26
    #2 0x4100ec in njs_align njs/njs.c:41
    #3 0x40b5aa in nxt_mp_alloc_large nxt/nxt_mp.c:594
    #4 0x40b3cf in nxt_mp_align nxt/nxt_mp.c:353
    #5 0x444eb8 in njs_array_alloc njs/njs_array.c:148
    #6 0x4145ee in njs_vmcode_array njs/njs_vm.c:342
    #7 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #8 0x412be5 in njs_vm_start njs/njs.c:594
    #9 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #10 0x403f7d in njs_process_file njs/njs_shell.c:619
    #11 0x402aa9 in main njs/njs_shell.c:281
SUMMARY: AddressSanitizer: heap-buffer-overflow njs/njs_array.c:679 njs_array_prototype_push
Shadow bytes around the buggy address:
  0x0c1a7fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98e0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c1a7fff98f0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c1a7fff9900: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9910: fd fd fd fd fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1a7fff9930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a7fff9940: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa

Minified test from fluff report.