Crash in js_typed_array_slice when compile quickjs with asan. #378
Description
First compile quickjs with asan:
cmake -S . -B build -DCONFIG_ASAN
The JS code:
var ab = new ArrayBuffer(100);
var ta = new Uint8Array(ab, 0, 20);
ta.constructor = {
[Symbol.species]: function (len) {
return new Uint8Array(ab, 1, len);
},
};
var tb = ta.slice();The qjs's output is
./build/qjs test.js ─╯
=================================================================
==93388==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x000105d03b61,0x000105d03b75) and [0x000105d03b60, 0x000105d03b74) overlap
#0 0x102cdd064 in __asan_memcpy+0x23c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x51064)
#1 0x102761a58 in js_typed_array_slice+0x928 (qjs:arm64+0x100279a58)
#2 0x10255db24 in js_call_c_function+0x310 (qjs:arm64+0x100075b24)
#3 0x1025a4bf4 in JS_CallInternal+0x17fc (qjs:arm64+0x1000bcbf4)
#4 0x1025b49d0 in JS_CallInternal+0x115d8 (qjs:arm64+0x1000cc9d0)
#5 0x1025da340 in JS_EvalFunctionInternal+0x150 (qjs:arm64+0x1000f2340)
#6 0x1025f9b54 in __JS_EvalInternal+0x18c8 (qjs:arm64+0x100111b54)
#7 0x1025da7d8 in JS_Eval+0x64 (qjs:arm64+0x1000f27d8)
#8 0x1024ea7e0 in eval_buf+0x130 (qjs:arm64+0x1000027e0)
#9 0x1024eaa4c in eval_file+0x108 (qjs:arm64+0x100002a4c)
#10 0x1024e9fb0 in main+0xbe4 (qjs:arm64+0x100001fb0)
#11 0x19615bf24 (<unknown module>)
0x000105d03b61 is located 1 bytes inside of 100-byte region [0x000105d03b60,0x000105d03bc4)
allocated by thread T0 here:
#0 0x102cdf244 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x53244)
#1 0x102609d78 in js_def_malloc+0x5c (qjs:arm64+0x100121d78)
#2 0x1025fecd4 in js_array_buffer_constructor3+0x3b0 (qjs:arm64+0x100116cd4)
#3 0x1026011dc in js_array_buffer_constructor+0x254 (qjs:arm64+0x1001191dc)
#4 0x10255db24 in js_call_c_function+0x310 (qjs:arm64+0x100075b24)
#5 0x1025d0c38 in JS_CallConstructorInternal+0x4f0 (qjs:arm64+0x1000e8c38)
#6 0x1025a6730 in JS_CallInternal+0x3338 (qjs:arm64+0x1000be730)
#7 0x1025da340 in JS_EvalFunctionInternal+0x150 (qjs:arm64+0x1000f2340)
#8 0x1025f9b54 in __JS_EvalInternal+0x18c8 (qjs:arm64+0x100111b54)
#9 0x1025da7d8 in JS_Eval+0x64 (qjs:arm64+0x1000f27d8)
#10 0x1024ea7e0 in eval_buf+0x130 (qjs:arm64+0x1000027e0)
#11 0x1024eaa4c in eval_file+0x108 (qjs:arm64+0x100002a4c)
#12 0x1024e9fb0 in main+0xbe4 (qjs:arm64+0x100001fb0)
#13 0x19615bf24 (<unknown module>)
0x000105d03b60 is located 0 bytes inside of 100-byte region [0x000105d03b60,0x000105d03bc4)
allocated by thread T0 here:
#0 0x102cdf244 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x53244)
#1 0x102609d78 in js_def_malloc+0x5c (qjs:arm64+0x100121d78)
#2 0x1025fecd4 in js_array_buffer_constructor3+0x3b0 (qjs:arm64+0x100116cd4)
#3 0x1026011dc in js_array_buffer_constructor+0x254 (qjs:arm64+0x1001191dc)
#4 0x10255db24 in js_call_c_function+0x310 (qjs:arm64+0x100075b24)
#5 0x1025d0c38 in JS_CallConstructorInternal+0x4f0 (qjs:arm64+0x1000e8c38)
#6 0x1025a6730 in JS_CallInternal+0x3338 (qjs:arm64+0x1000be730)
#7 0x1025da340 in JS_EvalFunctionInternal+0x150 (qjs:arm64+0x1000f2340)
#8 0x1025f9b54 in __JS_EvalInternal+0x18c8 (qjs:arm64+0x100111b54)
#9 0x1025da7d8 in JS_Eval+0x64 (qjs:arm64+0x1000f27d8)
#10 0x1024ea7e0 in eval_buf+0x130 (qjs:arm64+0x1000027e0)
#11 0x1024eaa4c in eval_file+0x108 (qjs:arm64+0x100002a4c)
#12 0x1024e9fb0 in main+0xbe4 (qjs:arm64+0x100001fb0)
#13 0x19615bf24 (<unknown module>)
SUMMARY: AddressSanitizer: memcpy-param-overlap (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x51064) in __asan_memcpy+0x23c
==93388==ABORTING
[1] 93388 abort ./build/qjs test.js