
AddressSanitizer detected heap-use-after-free in Interpreter.cpp:165 (set) #26337

@kost

Description

@kost

Summary

AddressSanitizer detected heap-use-after-free in Interpreter.cpp:165 (set). Note: the attached sanitizer report below actually classifies the fault as a heap-buffer-overflow — an 8-byte WRITE landing 0 bytes past the end of a 56-byte `Vector<JS::Value>` region allocated in `ECMAScriptFunctionObject::ordinary_call_evaluate_body` (ECMAScriptFunctionObject.cpp:836) — not a use-after-free. The "use-after-free" wording comes from the PoC filename and should be reconciled with the sanitizer's classification during triage, since an out-of-bounds heap write is a different bug class with different exploitability implications.

Versions

Versions tested and affected:

Tested against the commit reported by the following command:

$ git rev-parse HEAD
970b12eddcec8827f4d72a0bd0edd81660602d2c

Build and test platform

Ubuntu 24.04.3

Test case

$ /htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs pocs/poc_heap-use-after-free_458ee3f94f9769c0.js
// Reproducer for the AddressSanitizer report below. It takes no input and
// performs no I/O, so the fault should be deterministic for a given build.
function main() {
// v0: an empty class, used only as the right-hand operand of `instanceof`.
const v0 = class {
}
// v1: a class whose static initialization block is executed while the class
// itself is being defined (new_class -> create_class_constructor -> internal_call
// in the stack trace). The sanitizer reports the out-of-bounds 8-byte write in
// Interpreter::set while the bytecode of this block is running; presumably the
// executable needs more register/local slots than the 56-byte Vector<JS::Value>
// sized in ordinary_call_evaluate_body provides — TODO confirm in the interpreter.
const v1 = class {
    static {
        // `this` here is the class constructor under construction.
        const v3 = this instanceof v0;
        // Logical OR with the same operand on both sides; kept exactly as the
        // fuzzer produced it, since which statement triggers the write is not
        // identified by the report.
        v3 || v3;
    }
}
}
// Invoke the reproducer at script load; the fuzzer harness evaluates the file
// via Interpreter::run (LLVMFuzzerTestOneInput in FuzzJs.cpp).
main();

Confirmation

Confirmed by AddressSanitizer (libFuzzer single-input run of the PoC above; the full report, including the allocation site of the overflowed region, follows):

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1273392666
INFO: Loaded 15 modules   (428043 inline 8-bit counters): 20617 [0x775c1505ee48, 0x775c15063ed1), 3306 [0x775c14917220, 0x775c14917f0a), 3549 [0x775c12e9a130, 0x775c12e9af0d), 4451 [0x775c149ea708, 0x775c149eb86b), 5652 [0x775c14d04fd0, 0x775c14d065e4), 10281 [0x775c13e7a1e8, 0x775c13e7ca11), 2874 [0x775c14dbe750, 0x775c14dbf28a), 32867 [0x775c1439d9a8, 0x775c143a5a0b), 7196 [0x775c155d90c8, 0x775c155dace4), 1351 [0x775c14df94f0, 0x775c14df9a37), 6179 [0x775c183c4d78, 0x775c183c659b), 13390 [0x775c154425a8, 0x775c154459f6), 16232 [0x775c147dcb70, 0x775c147e0ad8), 299904 [0x775c17c57270, 0x775c17ca05f0), 194 [0x5e53e7facb98, 0x5e53e7facc5a), 
INFO: Loaded 15 PC tables (428043 PCs): 20617 [0x775c15063ed8,0x775c150b4768), 3306 [0x775c14917f10,0x775c14924db0), 3549 [0x775c12e9af10,0x775c12ea8ce0), 4451 [0x775c149eb870,0x775c149fcea0), 5652 [0x775c14d065e8,0x775c14d1c728), 10281 [0x775c13e7ca18,0x775c13ea4ca8), 2874 [0x775c14dbf290,0x775c14dca630), 32867 [0x775c143a5a10,0x775c14426040), 7196 [0x775c155dace8,0x775c155f6ea8), 1351 [0x775c14df9a38,0x775c14dfeea8), 6179 [0x775c183c65a0,0x775c183de7d0), 13390 [0x775c154459f8,0x775c15479ed8), 16232 [0x775c147e0ad8,0x775c14820158), 299904 [0x775c17ca05f0,0x775c18133df0), 194 [0x5e53e7facc60,0x5e53e7fad880), 
/htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs: Running 1 inputs 1 time(s) each.
Running: triage-reports-2025-10-28-8/pocs/poc_heap-use-after-free_458ee3f94f9769c0.js
=================================================================
==4067385==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000001378 at pc 0x775c16a83453 bp 0x7ffe35d94e50 sp 0x7ffe35d94e48
WRITE of size 8 at 0x506000001378 thread T0
    #0 0x775c16a83452 in set /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:165:61
    #1 0x775c16a83452 in execute_impl /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1809:1
    #2 0x775c16a83452 in JS::Bytecode::Interpreter::run_bytecode(unsigned long) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:621:13
    #3 0x775c16a1083a in JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:735:5
    #4 0x775c16f93d2f in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:838:55
    #5 0x775c16f900aa in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421:19
    #6 0x775c167fe804 in call<> /htp/lagom/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:118:12
    #7 0x775c167fe804 in operator() /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9
    #8 0x775c167fe804 in visit<AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >, AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >::Visitor<(lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9), (lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9)>, (unsigned char)'\x01'> /htp/lagom/serenity/Meta/Lagom/../../AK/Variant.h:112:24
    #9 0x775c167fe804 in visit<AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >, AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >::Visitor<(lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9), (lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9)>, (unsigned char)'\x00'> /htp/lagom/serenity/Meta/Lagom/../../AK/Variant.h:118:20
    #10 0x775c167fe804 in visit<(lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9), (lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9)> /htp/lagom/serenity/Meta/Lagom/../../AK/Variant.h:419:16
    #11 0x775c167fe804 in JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Span<JS::Value const>, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9
    #12 0x775c16b0a7bd in JS::Bytecode::new_class(JS::VM&, JS::Value, JS::ClassExpression const&, AK::Optional<JS::Bytecode::IdentifierTableIndex> const&, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1505:12
    #13 0x775c16a25514 in execute_impl /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:2872:28
    #14 0x775c16a25514 in JS::Bytecode::Interpreter::run_bytecode(unsigned long) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:637:13
    #15 0x775c16a1083a in JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:735:5
    #16 0x775c16f93d2f in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:838:55
    #17 0x775c16f900aa in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421:19
    #18 0x775c16afd6a3 in call /htp/lagom/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:101:12
    #19 0x775c16afd6a3 in JS::Bytecode::perform_call(JS::Bytecode::Interpreter&, JS::Value, JS::Bytecode::Op::CallType, JS::Value, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1237:24
    #20 0x775c16a46e85 in execute_impl /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:2557:28
    #21 0x775c16a46e85 in JS::Bytecode::Interpreter::run_bytecode(unsigned long) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:575:13
    #22 0x775c16a1083a in JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:735:5
    #23 0x775c16a0e151 in JS::Bytecode::Interpreter::run(JS::Script&, JS::GCPtr<JS::Environment>) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:249:36
    #24 0x5e53e7fa3093 in LLVMFuzzerTestOneInput /htp/lagom/serenity/Meta/Lagom/Fuzzers/FuzzJs.cpp:27:42
    #25 0x5e53e7eadda4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) crtstuff.c
    #26 0x5e53e7e96eb6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) crtstuff.c
    #27 0x5e53e7e9c96a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) crtstuff.c
    #28 0x5e53e7ec7186 in main (/htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs+0xb0186) (BuildId: b3060d427d42e971)
    #29 0x775c14a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x775c14a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #31 0x5e53e7e91a84 in _start (/htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs+0x7aa84) (BuildId: b3060d427d42e971)

0x506000001378 is located 0 bytes after 56-byte region [0x506000001340,0x506000001378)
allocated by thread T0 here:
    #0 0x5e53e7f61f13 in malloc (/htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs+0x14af13) (BuildId: b3060d427d42e971)
    #1 0x775c169740fc in AK::Vector<JS::Value, 0ul>::try_ensure_capacity(unsigned long) /htp/lagom/serenity/Meta/Lagom/../../AK/Vector.h:678:54
    #2 0x775c169735d1 in AK::Vector<JS::Value, 0ul>::try_resize(unsigned long, bool) requires !AK::Vector::contains_reference /htp/lagom/serenity/Meta/Lagom/../../AK/Vector.h:705:9
    #3 0x775c168c35f2 in AK::Vector<JS::Value, 0ul>::resize(unsigned long, bool) requires !AK::Vector::contains_reference /htp/lagom/serenity/Meta/Lagom/../../AK/Vector.h:751:9
    #4 0x775c16f93c2b in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:836:71
    #5 0x775c16f900aa in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421:19
    #6 0x775c167fe804 in call<> /htp/lagom/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:118:12
    #7 0x775c167fe804 in operator() /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9
    #8 0x775c167fe804 in visit<AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >, AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >::Visitor<(lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9), (lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9)>, (unsigned char)'\x01'> /htp/lagom/serenity/Meta/Lagom/../../AK/Variant.h:112:24
    #9 0x775c167fe804 in visit<AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >, AK::Variant<JS::ClassFieldDefinition, JS::NonnullGCPtr<JS::ECMAScriptFunctionObject> >::Visitor<(lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9), (lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9)>, (unsigned char)'\x00'> /htp/lagom/serenity/Meta/Lagom/../../AK/Variant.h:118:20
    #10 0x775c167fe804 in visit<(lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9), (lambda at /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9)> /htp/lagom/serenity/Meta/Lagom/../../AK/Variant.h:419:16
    #11 0x775c167fe804 in JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Span<JS::Value const>, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const /htp/lagom/serenity/Userland/Libraries/LibJS/AST.cpp:434:9
    #12 0x775c16b0a7bd in JS::Bytecode::new_class(JS::VM&, JS::Value, JS::ClassExpression const&, AK::Optional<JS::Bytecode::IdentifierTableIndex> const&, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1505:12
    #13 0x775c16a25514 in execute_impl /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:2872:28
    #14 0x775c16a25514 in JS::Bytecode::Interpreter::run_bytecode(unsigned long) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:637:13
    #15 0x775c16a1083a in JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:735:5
    #16 0x775c16f93d2f in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:838:55
    #17 0x775c16f900aa in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421:19
    #18 0x775c16afd6a3 in call /htp/lagom/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:101:12
    #19 0x775c16afd6a3 in JS::Bytecode::perform_call(JS::Bytecode::Interpreter&, JS::Value, JS::Bytecode::Op::CallType, JS::Value, AK::Span<JS::Value const>) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1237:24
    #20 0x775c16a46e85 in execute_impl /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:2557:28
    #21 0x775c16a46e85 in JS::Bytecode::Interpreter::run_bytecode(unsigned long) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:575:13
    #22 0x775c16a1083a in JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:735:5
    #23 0x775c16a0e151 in JS::Bytecode::Interpreter::run(JS::Script&, JS::GCPtr<JS::Environment>) /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:249:36
    #24 0x5e53e7fa3093 in LLVMFuzzerTestOneInput /htp/lagom/serenity/Meta/Lagom/Fuzzers/FuzzJs.cpp:27:42
    #25 0x5e53e7eadda4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) crtstuff.c
    #26 0x5e53e7e96eb6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) crtstuff.c
    #27 0x5e53e7e9c96a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) crtstuff.c
    #28 0x5e53e7ec7186 in main (/htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs+0xb0186) (BuildId: b3060d427d42e971)
    #29 0x775c14a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x775c14a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #31 0x5e53e7e91a84 in _start (/htp/lagom/serenity/Meta/Lagom/Build/lagom-fuzzers/bin/FuzzJs+0x7aa84) (BuildId: b3060d427d42e971)

SUMMARY: AddressSanitizer: heap-buffer-overflow /htp/lagom/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:165:61 in set
Shadow bytes around the buggy address:
  0x506000001080: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x506000001100: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x506000001180: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x506000001200: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x506000001280: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
=>0x506000001300: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00[fa]
  0x506000001380: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x506000001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x506000001480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x506000001500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x506000001580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4067385==ABORTING
