
SEGV /usr/include/c++/11/bits/unique_ptr.h:173 in std::__uniq_ptr_impl<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::_M_ptr() const #1373

Open
7331akasokoan opened this issue Aug 26, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@7331akasokoan

commit: d398f1e

build settings:

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

poc.js:

function f0() {
    // Sticky + unicode regexp; exec coerces its lastIndex with ToLength before matching.
    const v1 = /a\w/syu;
    // lastIndex is the function f0 itself, so ToLength(lastIndex) -> ToPrimitive -> f0.valueOf,
    // which is f0 again (see the assignment below).
    v1.lastIndex = f0;
    try {
        // RegExp.prototype[Symbol.replace] -> RegExpExec -> exec reads lastIndex, which
        // re-enters f0 and starts another replace (the recursive cycle in the trace below).
        v1[Symbol.replace]();
    } catch(e5) {
    }
}
f0.valueOf = f0; // make f0 its own valueOf so that coercing f0 to a number calls f0
f0();

ASAN report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==28357==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564eb0f148de bp 0x7ffee87b1330 sp 0x7ffee87b1320 T0)
==28357==The signal is caused by a READ memory access.
==28357==Hint: address points to the zero page.
    #0 0x564eb0f148de in std::__uniq_ptr_impl<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::_M_ptr() const /usr/include/c++/11/bits/unique_ptr.h:173
    #1 0x564eb0f12fc7 in std::unique_ptr<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::get() const /usr/include/c++/11/bits/unique_ptr.h:422
    #2 0x564eb0f11b03 in std::unique_ptr<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::operator->() const /usr/include/c++/11/bits/unique_ptr.h:416
    #3 0x564eb0f09612 in Escargot::RegExpObject::match(Escargot::ExecutionState&, Escargot::String*, Escargot::RegexMatchResult&, bool, unsigned long) /home/fuzzer/escargot/src/runtime/RegExpObject.cpp:344
    #4 0x564eb0f08e84 in Escargot::RegExpObject::matchNonGlobally(Escargot::ExecutionState&, Escargot::String*, Escargot::RegexMatchResult&, bool, unsigned long) /home/fuzzer/escargot/src/runtime/RegExpObject.cpp:313
    #5 0x564eb084e2fe in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f22fe)
    #6 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #7 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #8 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #9 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #10 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #11 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #12 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #13 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #14 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #15 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #16 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #17 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #18 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #19 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #20 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #21 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #22 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #23 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #24 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #25 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #26 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #27 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #28 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #29 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #30 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #31 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #32 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #33 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #34 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #35 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #36 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #37 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #38 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #39 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #40 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #41 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #42 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #43 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #44 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #45 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #46 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #47 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #48 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    ... (frames #49 to #161 repeat the cycle of frames #27 to #48)
    #162 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #163 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #164 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #165 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #166 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #167 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #168 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #169 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #170 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #171 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #172 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #173 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #174 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #175 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #176 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #177 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #178 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #179 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #180 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #181 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #182 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #183 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #184 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #185 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #186 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #187 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #188 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #189 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #190 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #191 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #192 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #193 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #194 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #195 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #196 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #197 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #198 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #199 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #200 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #201 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #202 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #203 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #204 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #205 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #206 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #207 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #208 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #209 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #210 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #211 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #212 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #213 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #214 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #215 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #216 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #217 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #218 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #219 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #220 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #221 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #222 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #223 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #224 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #225 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #226 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #227 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #228 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #229 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #230 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #231 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #232 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #233 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #234 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #235 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #236 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #237 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #238 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #239 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #240 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #241 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #242 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #243 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #244 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #245 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #246 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #247 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #248 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/11/bits/unique_ptr.h:173 in std::__uniq_ptr_impl<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::_M_ptr() const
==28357==ABORTING
7331akasokoan added the label bug (Something isn't working) on Aug 26, 2024
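The frames above repeat one cycle: builtinRegExpReplace calls regExpExec, which reads lastIndex through computedLastIndex/toLength, which runs the script's own valueOf (f0, since f0.valueOf = f0), which calls [Symbol.replace] again. The script below is an added instrumentation of that cycle; it is not code from this issue or from the Escargot project. It assumes a spec-compliant engine such as Node, where the same construction ends in a catchable RangeError instead of a native crash, and the names buildReentrantRegExp, probeReentrancy and lastIndexTrigger are invented for the example.

```javascript
// Added instrumentation for the re-entrancy cycle in the ASAN trace:
// RegExp.prototype[@@replace] -> RegExpExec -> RegExpBuiltinExec ->
// ToLength(Get(re, "lastIndex")) -> script valueOf -> @@replace again.
// Not Escargot code; written against a spec-compliant engine such as Node.

// `limit` bounds how many nested @@replace calls the valueOf hook makes.
// Pass Infinity to mimic poc.js, which recurses until the engine stops it.
function buildReentrantRegExp(limit) {
  const re = /a\w/syu;                       // same pattern and flags as poc.js
  const stats = { depth: 0, maxDepth: 0, reentries: 0, errorName: null };

  // Assigned to re.lastIndex: ToLength(lastIndex) inside the native exec
  // invokes this valueOf, handing control back to script mid-builtin.
  const lastIndexTrigger = {
    valueOf() {
      stats.depth += 1;
      if (stats.depth > stats.maxDepth) stats.maxDepth = stats.depth;
      try {
        if (stats.depth < limit) {
          // The outer exec has not finished reading lastIndex yet; this
          // nested call is the loop the ASAN frames repeat.
          re[Symbol.replace]("ab", "x");
          stats.reentries += 1;
        }
      } catch (e) {
        // Unbounded recursion ends here as a catchable RangeError
        // ("Maximum call stack size exceeded"), not a process crash.
        stats.errorName = e && e.name;
      } finally {
        stats.depth -= 1;
      }
      return 0;                               // ToLength(0): match from index 0
    },
  };

  re.lastIndex = lastIndexTrigger;
  return { re, stats };
}

// Runs one top-level @@replace and reports what happened underneath it.
function probeReentrancy(limit) {
  const { re, stats } = buildReentrantRegExp(limit);
  const out = re[Symbol.replace]("ab", "x");
  return {
    out,                         // "x" once every level has matched "ab"
    maxDepth: stats.maxDepth,    // deepest nesting of valueOf reached
    reentries: stats.reentries,  // nested @@replace calls that completed
    errorName: stats.errorName,  // null when bounded, "RangeError" when not
    lastIndex: re.lastIndex,     // number written back by the sticky match
  };
}
```

probeReentrancy(4) shows the builtin being re-entered a fixed number of times and still finishing with lastIndex rewritten to 2 by the sticky match; probeReentrancy(Infinity) reproduces the shape of poc.js and reports the RangeError the engine raised to cut the chain.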
@clover2123 (Contributor)

Thank you for reporting. I'll investigate these issues.
