CVE-2023-48184 : crash on Windows and Linux

## Issue

While trying to check if CVE-2023-48184 was fixed, I face a crash on both Windows and Linux version.

To reproduce run qjs then .load test.js


## Resources

 - https://github.com/bellard/quickjs/issues/198
 - https://github.com/bellard/quickjs/issues/156
 - https://nvd.nist.gov/vuln/detail/CVE-2023-48184

## CMake Build options

 - BUILD_SHARED_LIBS: OFF
 - QJS_BUILD_EXAMPLES: OFF
 - QJS_BUILD_CLI_STATIC: ON
 - QJS_BUILD_CLI_WITH_MIMALLOC: OFF
 - QJS_BUILD_CLI_WITH_STATIC_MIMALLOC: OFF
 - QJS_DISABLE_PARSER: OFF
 - QJS_ENABLE_ASAN: OFF
 - QJS_ENABLE_MSAN: OFF
 - QJS_ENABLE_TSAN: OFF
 - QJS_ENABLE_UBSAN: OFF
 - QJS_BUILD_LIBC: OFF


## Compiler version

 - Microsoft Visual Studio Professional 2022 (64-bit) - Version 17.14.13 (August 2025)
 - g++ (Debian 12.2.0-14+deb12u1) 12.2.0



### sample 1 


```
function Foo() {
    
    function Bar(arg) {
        
        async function Baz(arg1, arg2) {
            function empty() {
            }
            
            function pro() {
            
                function zero() {
                    return 0;
                }
                
                function inner() {
                    function inn(a) {
                        return inn(empty);
                    }
                    return 0;
                }
                
                Object.defineProperty(zero, 1, { configurable: true, get: inner, set: inner });
                
                const apple = new Promise(pro);
                
                Object.defineProperty(arg2, "constructor", { configurable: true, value: zero });
                
                apple.finally(arg);
                return apple;
            }
            
            const banana = new Promise(pro);
            
            async function* asy_func(a) {
                return a;
            }
            const bear = asy_func(0);

            Object.defineProperty(bear, "g", { configurable: true, enumerable: true, get: empty });
            await banana;
            return banana;
        }
        
        Baz(Baz, Foo, arg);
        return arg;
    }
    
    new Promise(Bar);
}

function test() {
    try { 
    	test(); 
    } 
    catch (e) {
    	print(e);
    }
    new Foo();
}

test();
```

**On Linux**

Terminal output

```
qjs > .load test3.js
Maximum call stack size exceeded
malloc(): unaligned fastbin chunk detected 3
Aborted (core dumped)
```

Valgrind output

```
Maximum call stack size exceeded
==3205== Invalid read of size 4
==3205==    at 0x140755: JS_FreeValueRT (quickjs.c:5783)
==3205==    by 0x1463E8: free_var_ref (quickjs.c:5476)
==3205==    by 0x1463E8: free_var_ref (quickjs.c:5470)
==3205==    by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==3205==    by 0x1406A3: free_object (quickjs.c:5663)
==3205==    by 0x140907: free_gc_object (quickjs.c:5683)
==3205==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205==    by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205==    by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205==    by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==  Address 0x4dde410 is 0 bytes inside a block of size 72 free'd
==3205==    at 0x484417B: free (vg_replace_malloc.c:872)
==3205==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==3205==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==3205==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==3205==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==3205==    by 0x133C0D: JS_CallInternal (quickjs.c:16638)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==  Block was alloc'd at
==3205==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3205==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==3205==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==3205==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==3205==    by 0x174728: js_closure (quickjs.c:16031)
==3205==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==3205==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==3205==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==3205==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==
==3205== Invalid write of size 4
==3205==    at 0x14075A: JS_FreeValueRT (quickjs.c:5783)
==3205==    by 0x1463E8: free_var_ref (quickjs.c:5476)
==3205==    by 0x1463E8: free_var_ref (quickjs.c:5470)
==3205==    by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==3205==    by 0x1406A3: free_object (quickjs.c:5663)
==3205==    by 0x140907: free_gc_object (quickjs.c:5683)
==3205==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205==    by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205==    by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205==    by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==  Address 0x4dde410 is 0 bytes inside a block of size 72 free'd
==3205==    at 0x484417B: free (vg_replace_malloc.c:872)
==3205==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==3205==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==3205==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==3205==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==3205==    by 0x133C0D: JS_CallInternal (quickjs.c:16638)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==  Block was alloc'd at
==3205==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3205==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==3205==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==3205==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==3205==    by 0x174728: js_closure (quickjs.c:16031)
==3205==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==3205==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==3205==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==3205==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==
==3205== Invalid read of size 8
==3205==    at 0x140834: list_del (list.h:77)
==3205==    by 0x140834: js_free_value_rt (quickjs.c:5750)
==3205==    by 0x140834: JS_FreeValueRT (quickjs.c:5784)
==3205==    by 0x1463E8: free_var_ref (quickjs.c:5476)
==3205==    by 0x1463E8: free_var_ref (quickjs.c:5470)
==3205==    by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==3205==    by 0x1406A3: free_object (quickjs.c:5663)
==3205==    by 0x140907: free_gc_object (quickjs.c:5683)
==3205==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205==    by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205==    by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205==    by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==  Address 0x4dde420 is 16 bytes inside a block of size 72 free'd
==3205==    at 0x484417B: free (vg_replace_malloc.c:872)
==3205==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==3205==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==3205==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==3205==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==3205==    by 0x133C0D: JS_CallInternal (quickjs.c:16638)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==  Block was alloc'd at
==3205==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3205==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==3205==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==3205==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==3205==    by 0x174728: js_closure (quickjs.c:16031)
==3205==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==3205==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==3205==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==3205==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
....
==3205== Invalid read of size 4
==3205==    at 0x140606: free_object (quickjs.c:5644)
==3205==    by 0x140907: free_gc_object (quickjs.c:5683)
==3205==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205==    by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205==    by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205==    by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
==3205==
==3205==
==3205== Process terminating with default action of signal 11 (SIGSEGV)
==3205==  Access not within mapped region at address 0x28
==3205==    at 0x140606: free_object (quickjs.c:5644)
==3205==    by 0x140907: free_gc_object (quickjs.c:5683)
==3205==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==3205==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==3205==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==3205==    by 0x13C721: JS_DefineProperty (quickjs.c:9648)
==3205==    by 0x1897F5: JS_DefinePropertyDesc (quickjs.c:37874)
==3205==    by 0x1897F5: js_object_defineProperty (quickjs.c:38010)
==3205==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==3205==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==3205==    by 0x13169A: JS_CallInternal (quickjs.c:16903)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==    by 0x173D57: js_promise_constructor (quickjs.c:50563)
==3205==    by 0x17357D: js_call_c_function (quickjs.c:16270)
==3205==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==3205==    by 0x13A342: JS_Call (quickjs.c:18941)
==3205==  If you believe this happened as a result of a stack
==3205==  overflow in your program's main thread (unlikely but
==3205==  possible), you can try to increase the size of the
==3205==  main thread stack using the --main-stacksize= flag.
==3205==  The main thread stack size used in this run was 8388608.
==3205==
==3205== HEAP SUMMARY:
==3205==     in use at exit: 299,104 bytes in 3,694 blocks
==3205==   total heap usage: 22,045 allocs, 18,351 frees, 1,573,223 bytes allocated
==3205==
==3205== LEAK SUMMARY:
==3205==    definitely lost: 0 bytes in 0 blocks
==3205==    indirectly lost: 0 bytes in 0 blocks
==3205==      possibly lost: 36,939 bytes in 156 blocks
==3205==    still reachable: 262,165 bytes in 3,538 blocks
==3205==         suppressed: 0 bytes in 0 blocks
==3205== Rerun with --leak-check=full to see details of leaked memory
==3205==
==3205== For lists of detected and suppressed errors, rerun with: -s
==3205== ERROR SUMMARY: 16 errors from 15 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
```

**On Windows**

Terminal output

```
qjs > .load test3.js
Maximum call stack size exceeded
```

Visual debugger callstack

```
>	qjs.exe!list_del(list_head * el) Line 78	C
 	qjs.exe!js_free_value_rt(JSRuntime * rt, JSValue v) Line 5751	C
 	qjs.exe!JS_FreeValueRT(JSRuntime * rt, JSValue v) Line 5784	C
 	qjs.exe!free_var_ref(JSRuntime * rt, JSVarRef * var_ref) Line 5477	C
 	qjs.exe!js_bytecode_function_finalizer(JSRuntime * rt, JSValue val) Line 5555	C
 	qjs.exe!free_object(JSRuntime * rt, JSObject * p) Line 5663	C
 	qjs.exe!free_gc_object(JSRuntime * rt, JSGCObjectHeader * gp) Line 5683	C
 	qjs.exe!free_zero_refcount(JSRuntime * rt) Line 5705	C
 	qjs.exe!js_free_value_rt(JSRuntime * rt, JSValue v) Line 5753	C
 	qjs.exe!JS_FreeValueRT(JSRuntime * rt, JSValue v) Line 5784	C
 	qjs.exe!JS_FreeValue(JSContext * ctx, JSValue v) Line 5791	C
 	qjs.exe!JS_DefineProperty(JSContext * ctx, JSValue this_obj, unsigned int prop, JSValue val, JSValue getter, JSValue setter, int flags) Line 9648	C
 	qjs.exe!JS_DefinePropertyDesc(JSContext * ctx, JSValue obj, unsigned int prop, JSValue desc, int flags) Line 37874	C
 	qjs.exe!js_object_defineProperty(JSContext * ctx, JSValue this_val, int argc, JSValue * argv, int magic) Line 38010	C
 	qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16283	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16485	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16903	C
 	qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941	C
 	qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563	C
 	qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270	C
 	qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885	C
 	qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941	C
 	qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563	C
 	qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270	C
 	qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054	C
 	...
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885	C
 	qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941	C
 	qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563	C
 	qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270	C
 	qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885	C
 	qjs.exe!async_func_resume(JSContext * ctx, JSAsyncFunctionState * s) Line 19200	C
 	qjs.exe!js_async_function_resume(JSContext * ctx, JSAsyncFunctionData * s) Line 19455	C
 	qjs.exe!js_async_function_call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 19574	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16485	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941	C
 	qjs.exe!js_promise_constructor(JSContext * ctx, JSValue new_target, int argc, JSValue * argv) Line 50563	C
 	qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270	C
 	qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19054	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885	C
 	qjs.exe!JS_CallConstructorInternal(JSContext * ctx, JSValue func_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 19067	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16885	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallFree(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18948	C
 	qjs.exe!JS_EvalFunctionInternal(JSContext * ctx, JSValue fun_obj, JSValue this_obj, JSVarRef * * var_refs, JSStackFrame * sf) Line 34858	C
 	qjs.exe!__JS_EvalInternal(JSContext * ctx, JSValue this_obj, const char * input, unsigned __int64 input_len, const char * filename, int line, int flags, int scope_idx) Line 34993	C
 	qjs.exe!JS_EvalInternal(JSContext * ctx, JSValue this_obj, const char * input, unsigned __int64 input_len, const char * filename, int line, int flags, int scope_idx) Line 35019	C
 	qjs.exe!JS_EvalThis2(JSContext * ctx, JSValue this_obj, const char * input, unsigned __int64 input_len, JSEvalOptions * options) Line 35074	C
 	qjs.exe!JS_Eval(JSContext * ctx, const char * input, unsigned __int64 input_len, const char * filename, int eval_flags) Line 35088	C
 	qjs.exe!js_loadScript(JSContext * ctx, JSValue this_val, int argc, JSValue * argv) Line 489	C
 	qjs.exe!js_call_c_function(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv, int flags) Line 16270	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16485	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16903	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 16866	C
 	qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941	C
 	qjs.exe!call_handler(JSContext * ctx, JSValue func) Line 2370	C
 	qjs.exe!js_os_poll(JSContext * ctx) Line 2601	C
 	qjs.exe!js_std_loop(JSContext * ctx) Line 4359	C
 	qjs.exe!main(int argc, char * * argv) Line 701	C

```

### sample 2

```
async function createTask () {
  return new Promise((resolve) => {
    Promise.resolve().then(function () {
      const buf = new Uint8Array(1000000)
      resolve(buf)
    })
  })
}

run()

async function run () {
  let fn = () => {}

  let done = () => {
    fn()
  }

  createTask().then(done)

  const p = new Promise(() => {})

  console.log('pre await')
  await p
  console.log('post done')
}
```

**On Linux**

Terminal output
```
QuickJS-ng - Type ".help" for help
qjs > .load test.js
pre await
qjs > malloc(): unaligned tcache chunk detected
Aborted (core dumped)
```

```
qjs > ==4831== Invalid read of size 4
==4831==    at 0x131B08: js_dup (quickjs.c:1404)
==4831==    by 0x131B08: JS_CallInternal (quickjs.c:17380)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 2
==4831==    at 0x130838: JS_CallInternal (quickjs.c:16478)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f6 is 6 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 4
==4831==    at 0x140755: JS_FreeValueRT (quickjs.c:5783)
==4831==    by 0x130FEB: JS_CallInternal (quickjs.c:18896)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid write of size 4
==4831==    at 0x14075A: JS_FreeValueRT (quickjs.c:5783)
==4831==    by 0x130FEB: JS_CallInternal (quickjs.c:18896)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 4
==4831==    at 0x140755: JS_FreeValueRT (quickjs.c:5783)
==4831==    by 0x1463E8: free_var_ref (quickjs.c:5476)
==4831==    by 0x1463E8: free_var_ref (quickjs.c:5470)
==4831==    by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==4831==    by 0x1406A3: free_object (quickjs.c:5663)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid write of size 4
==4831==    at 0x14075A: JS_FreeValueRT (quickjs.c:5783)
==4831==    by 0x1463E8: free_var_ref (quickjs.c:5476)
==4831==    by 0x1463E8: free_var_ref (quickjs.c:5470)
==4831==    by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==4831==    by 0x1406A3: free_object (quickjs.c:5663)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f0 is 0 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 8
==4831==    at 0x140834: list_del (list.h:77)
==4831==    by 0x140834: js_free_value_rt (quickjs.c:5750)
==4831==    by 0x140834: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1463E8: free_var_ref (quickjs.c:5476)
==4831==    by 0x1463E8: free_var_ref (quickjs.c:5470)
==4831==    by 0x1463E8: js_bytecode_function_finalizer (quickjs.c:5555)
==4831==    by 0x1406A3: free_object (quickjs.c:5663)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb900 is 16 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
...
==4831== Invalid read of size 8
==4831==    at 0x1405FE: free_object (quickjs.c:5642)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb908 is 24 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 1
==4831==    at 0x140602: free_object (quickjs.c:5639)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x4bfb8f5 is 5 bytes inside a block of size 72 free'd
==4831==    at 0x484417B: free (vg_replace_malloc.c:872)
==4831==    by 0x1450D8: gc_free_cycles (quickjs.c:6052)
==4831==    by 0x1450D8: JS_RunGC (quickjs.c:6068)
==4831==    by 0x14B38B: js_trigger_gc (quickjs.c:1434)
==4831==    by 0x14B38B: JS_NewObjectFromShape (quickjs.c:4897)
==4831==    by 0x14C205: js_create_from_ctor (quickjs.c:19024)
==4831==    by 0x18E661: js_typed_array_constructor (quickjs.c:56041)
==4831==    by 0x17350C: js_call_c_function (quickjs.c:16283)
==4831==    by 0x1355CC: JS_CallInternal (quickjs.c:16885)
==4831==    by 0x13A342: JS_Call (quickjs.c:18941)
==4831==    by 0x142C75: promise_reaction_job (quickjs.c:50198)
==4831==    by 0x14219D: JS_ExecutePendingJob (quickjs.c:2008)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Block was alloc'd at
==4831==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==4831==    by 0x12D2A8: js_malloc_rt (quickjs.c:1484)
==4831==    by 0x13EAD1: js_malloc (quickjs.c:1567)
==4831==    by 0x14B3AC: JS_NewObjectFromShape (quickjs.c:4898)
==4831==    by 0x174728: js_closure (quickjs.c:16031)
==4831==    by 0x132374: JS_CallInternal (quickjs.c:16580)
==4831==    by 0x13E71B: async_func_resume (quickjs.c:19200)
==4831==    by 0x19BB9F: js_async_function_resume (quickjs.c:19455)
==4831==    by 0x1A8368: js_async_function_call (quickjs.c:19574)
==4831==    by 0x13112C: JS_CallInternal (quickjs.c:16485)
==4831==    by 0x130BB9: JS_CallInternal (quickjs.c:16866)
==4831==    by 0x1A8EEC: JS_CallFree (quickjs.c:18948)
==4831==    by 0x1A8EEC: JS_EvalFunctionInternal (quickjs.c:34858)
==4831==
==4831== Invalid read of size 4
==4831==    at 0x140606: free_object (quickjs.c:5644)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
==4831==
==4831==
==4831== Process terminating with default action of signal 11 (SIGSEGV)
==4831==  Access not within mapped region at address 0x28
==4831==    at 0x140606: free_object (quickjs.c:5644)
==4831==    by 0x140907: free_gc_object (quickjs.c:5683)
==4831==    by 0x140907: free_zero_refcount (quickjs.c:5705)
==4831==    by 0x140907: js_free_value_rt (quickjs.c:5753)
==4831==    by 0x140907: JS_FreeValueRT (quickjs.c:5784)
==4831==    by 0x1421D1: JS_ExecutePendingJob (quickjs.c:2010)
==4831==    by 0x125D2A: js_std_loop (quickjs-libc.c:4351)
==4831==    by 0x11C843: main (qjs.c:701)
==4831==  If you believe this happened as a result of a stack
==4831==  overflow in your program's main thread (unlikely but
==4831==  possible), you can try to increase the size of the
==4831==  main thread stack using the --main-stacksize= flag.
==4831==  The main thread stack size used in this run was 8388608.
==4831==
==4831== HEAP SUMMARY:
==4831==     in use at exit: 1,228,916 bytes in 2,580 blocks
==4831==   total heap usage: 5,599 allocs, 3,019 frees, 1,533,146 bytes allocated
==4831==
==4831== LEAK SUMMARY:
==4831==    definitely lost: 120 bytes in 1 blocks
==4831==    indirectly lost: 0 bytes in 0 blocks
==4831==      possibly lost: 1,036,059 bytes in 151 blocks
==4831==    still reachable: 192,737 bytes in 2,428 blocks
==4831==         suppressed: 0 bytes in 0 blocks
==4831== Rerun with --leak-check=full to see details of leaked memory
==4831==
==4831== For lists of detected and suppressed errors, rerun with: -s
==4831== ERROR SUMMARY: 21 errors from 19 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

```

**On Windows**

Terminal output
```
QuickJS-ng - Type ".help" for help
qjs > .load test1.js
pre await
Exception thrown: read access violation.
```

Visual debugger callstack

```
>	qjs.exe!list_del(list_head * el) Line 78	C
 	qjs.exe!js_free_value_rt(JSRuntime * rt, JSValue v) Line 5751	C
 	qjs.exe!JS_FreeValueRT(JSRuntime * rt, JSValue v) Line 5784	C
 	qjs.exe!JS_FreeValue(JSContext * ctx, JSValue v) Line 5791	C
 	qjs.exe!JS_CallInternal(JSContext * caller_ctx, JSValue func_obj, JSValue this_obj, JSValue new_target, int argc, JSValue * argv, int flags) Line 18897	C
 	qjs.exe!JS_Call(JSContext * ctx, JSValue func_obj, JSValue this_obj, int argc, JSValue * argv) Line 18941	C
 	qjs.exe!promise_reaction_job(JSContext * ctx, int argc, JSValue * argv) Line 50198	C
 	qjs.exe!JS_ExecutePendingJob(JSRuntime * rt, JSContext * * pctx) Line 2008	C
 	qjs.exe!js_std_loop(JSContext * ctx) Line 4351	C
 	qjs.exe!main(int argc, char * * argv) Line 701	C

```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-48184 : crash on Windows and Linux #1200

Issue

Resources

CMake Build options

Compiler version

sample 1

sample 2

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2023-48184 : crash on Windows and Linux #1200

Description

Issue

Resources

CMake Build options

Compiler version

sample 1

sample 2

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions