Aborted in qjs

###### Commit ID
b09ad82622fe083af51f736ea73f9f6728562f1c

###### Build platform
Ubuntu 22.04.3

###### Build steps
```sh
cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_CXX_COMPILER=g++ -DCONFIG_ASAN=ON -DCMAKE_BUILD_TYPE=Debug
cmake --build . -j $(nproc)
```

###### Test case
```sh
function main() {
    delete this[this];
    for (const v6 of [1]) {
            for (const v10 in this) {
                const v12 = {}.__proto__;
                v12.toString = this[v10];
            }
            for (const v19 in this) {
                const v20 = this[v19]-1;
            }
    }
}
main();
```

###### Execution steps
```sh
./qjs poc.js
```

###### Output
```sh
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fe42e817859 in __GI_abort () at abort.c:79
#2  0x000055fa4dfbda25 in build_backtrace (ctx=0x615000000080, error_obj=..., filename=0x0, line_num=0, col_num=0, backtrace_flags=0) at /quickjs-ng/quickjs.c:6521
#3  0x000055fa4e0286c6 in JS_CallInternal (caller_ctx=0x615000000080, func_obj=..., this_obj=..., new_target=..., argc=0, argv=0x0, flags=2) at /quickjs-ng/quickjs.c:17087
#4  0x000055fa4e028f61 in JS_CallFree (ctx=0x615000000080, func_obj=..., this_obj=..., argc=0, argv=0x0) at /quickjs-ng/quickjs.c:17142
#5  0x000055fa4dfe24ee in JS_ToPrimitiveFree (ctx=0x615000000080, val=..., hint=0) at /quickjs-ng/quickjs.c:9985
#6  0x000055fa4dfe2784 in JS_ToPrimitive (ctx=0x615000000080, val=..., hint=0) at /quickjs-ng/quickjs.c:10005
#7  0x000055fa4dfec752 in JS_ToStringInternal (ctx=0x615000000080, val=..., is_ToPropertyKey=1) at /quickjs-ng/quickjs.c:11453
#8  0x000055fa4dfecd91 in JS_ToPropertyKey (ctx=0x615000000080, val=...) at /quickjs-ng/quickjs.c:11500
#9  0x000055fa4dfcd1ad in JS_ValueToAtom (ctx=0x615000000080, val=...) at /quickjs-ng/quickjs.c:7942
#10 0x000055fa4dff9f52 in js_operator_delete (ctx=0x615000000080, sp=0x7ffd02f17940) at /quickjs-ng/quickjs.c:13214
#11 0x000055fa4e02613c in JS_CallInternal (caller_ctx=0x615000000080, func_obj=..., this_obj=..., new_target=..., argc=0, argv=0x0, flags=2) at /quickjs-ng/quickjs.c:16863
#12 0x000055fa4e028f61 in JS_CallFree (ctx=0x615000000080, func_obj=..., this_obj=..., argc=0, argv=0x0) at /quickjs-ng/quickjs.c:17142
...
#677 0x000055fa4dfe24ee in JS_ToPrimitiveFree (ctx=0x615000000080, val=..., hint=1) at /quickjs-ng/quickjs.c:9985
#678 0x000055fa4dfe55f4 in JS_ToNumberHintFree (ctx=0x615000000080, val=..., flag=TON_FLAG_NUMERIC) at /quickjs-ng/quickjs.c:10377
#679 0x000055fa4dfe59e4 in JS_ToNumericFree (ctx=0x615000000080, val=...) at /quickjs-ng/quickjs.c:10417
#680 0x000055fa4dff3c57 in js_binary_arith_slow (ctx=0x615000000080, sp=0x7ffd02f929a0, op=OP_sub) at /quickjs-ng/quickjs.c:12379
#681 0x000055fa4e021b00 in JS_CallInternal (caller_ctx=0x615000000080, func_obj=..., this_obj=..., new_target=..., argc=0, argv=0x7ffd02f93b40, flags=0) at /quickjs-ng/quickjs.c:16544
#682 0x000055fa4e00d636 in JS_CallInternal (caller_ctx=0x615000000080, func_obj=..., this_obj=..., new_target=..., argc=0, argv=0x0, flags=2) at /quickjs-ng/quickjs.c:15012
#683 0x000055fa4e028f61 in JS_CallFree (ctx=0x615000000080, func_obj=..., this_obj=..., argc=0, argv=0x0) at /quickjs-ng/quickjs.c:17142
#684 0x000055fa4e0acb00 in JS_EvalFunctionInternal (ctx=0x615000000080, fun_obj=..., this_obj=..., var_refs=0x0, sf=0x0) at /quickjs-ng/quickjs.c:32786
#685 0x000055fa4e0adf91 in __JS_EvalInternal (ctx=0x615000000080, this_obj=..., input=0x6120000016c0 "\nfunction main() {\n    delete this[this];\n    for (const v6 of [1]) {\n", ' ' <repeats 12 times>, "for (const v10 in this) {\n", ' ' <repeats 16 times>, "const v12 = {}.__proto__;\n", ' ' <repeats 16 times>, "v12.toString = this[v10];\n        "..., input_len=316, filename=0x7ffd02f96f89 "/home/qbtly/Desktop/PatchFuzz/js/output/CONTRAST_TSET/Superion/qjs3d/superion/crashes/id:000000,sig:06,src:000168,op:python,pos:0", flags=0, scope_idx=-1) at /quickjs-ng/quickjs.c:32920
#686 0x000055fa4e0ae1f8 in JS_EvalInternal (ctx=0x615000000080, this_obj=..., input=0x6120000016c0 "\nfunction main() {\n    delete this[this];\n    for (const v6 of [1]) {\n", ' ' <repeats 12 times>, "for (const v10 in this) {\n", ' ' <repeats 16 times>, "const v12 = {}.__proto__;\n", ' ' <repeats 16 times>, "v12.toString = this[v10];\n        "..., input_len=316, filename=0x7ffd02f96f89 "/home/qbtly/Desktop/PatchFuzz/js/output/CONTRAST_TSET/Superion/qjs3d/superion/crashes/id:000000,sig:06,src:000168,op:python,pos:0", flags=0, scope_idx=-1) at /quickjs-ng/quickjs.c:32938
#687 0x000055fa4e0ae65a in JS_EvalThis (ctx=0x615000000080, this_obj=..., input=0x6120000016c0 "\nfunction main() {\n    delete this[this];\n    for (const v6 of [1]) {\n", ' ' <repeats 12 times>, "for (const v10 in this) {\n", ' ' <repeats 16 times>, "const v12 = {}.__proto__;\n", ' ' <repeats 16 times>, "v12.toString = this[v10];\n        "..., input_len=316, filename=0x7ffd02f96f89 "/home/qbtly/Desktop/PatchFuzz/js/output/CONTRAST_TSET/Superion/qjs3d/superion/crashes/id:000000,sig:06,src:000168,op:python,pos:0", eval_flags=0) at /quickjs-ng/quickjs.c:32969
#688 0x000055fa4e0ae74c in JS_Eval (ctx=0x615000000080, input=0x6120000016c0 "\nfunction main() {\n    delete this[this];\n    for (const v6 of [1]) {\n", ' ' <repeats 12 times>, "for (const v10 in this) {\n", ' ' <repeats 16 times>, "const v12 = {}.__proto__;\n", ' ' <repeats 16 times>, "v12.toString = this[v10];\n        "..., input_len=316, filename=0x7ffd02f96f89 "/home/qbtly/Desktop/PatchFuzz/js/output/CONTRAST_TSET/Superion/qjs3d/superion/crashes/id:000000,sig:06,src:000168,op:python,pos:0", eval_flags=0) at /quickjs-ng/quickjs.c:32977
#689 0x000055fa4df61f24 in eval_buf (ctx=0x615000000080, buf=0x6120000016c0, buf_len=316, filename=0x7ffd02f96f89 "/home/qbtly/Desktop/PatchFuzz/js/output/CONTRAST_TSET/Superion/qjs3d/superion/crashes/id:000000,sig:06,src:000168,op:python,pos:0", eval_flags=0) at /quickjs-ng/qjs.c:63
#690 0x000055fa4df622af in eval_file (ctx=0x615000000080, filename=0x7ffd02f96f89 "/home/qbtly/Desktop/PatchFuzz/js/output/CONTRAST_TSET/Superion/qjs3d/superion/crashes/id:000000,sig:06,src:000168,op:python,pos:0", module=0) at /quickjs-ng/qjs.c:95
#691 0x000055fa4df64fdd in main (argc=2, argv=0x7ffd02f95878) at /quickjs-ng/qjs.c:519
#692 0x00007fe42e819083 in __libc_start_main (main=0x55fa4df638ae <main>, argc=2, argv=0x7ffd02f95878, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd02f95868) at ../csu/libc-start.c:308
#693 0x000055fa4df6187e in _start ()
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Aborted in qjs #431

Commit ID

Build platform

Build steps

Test case

Execution steps

Output

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Aborted in qjs #431

Description

Commit ID

Build platform

Build steps

Test case

Execution steps

Output

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions