This issue was reproduced in a custom fuzzing harness -- fuzz_eval.
It was not reproduced as a crash with the standard command:

```sh
qjs --std worker_crash.js
```
Minimal Reproducer

```js
new os.Worker("/tmp/existent_worker.js");
```
A second reproducer triggering the same root cause is:

```js
new os.Worker("data:text/javascript,");
```
The module argument does not appear to matter, because the crash occurs while the worker runtime or context is being created.
Reproduction Command

```sh
timeout 30 ./fuzz_eval worker_crash.js
```
The exact path to the embedding executable may be changed as needed.
Observed Result
The sanitizer reports a SEGV in a worker thread; both the fault address and the program counter (pc) are zero.
```text
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1893264762
INFO: Loaded 1 modules (29133 inline 8-bit counters): 29133 [0x5ca490be13c8, 0x5ca490be8595),
INFO: Loaded 1 PC tables (29133 PCs): 29133 [0x5ca490be8598,0x5ca490c5a268),
./fuzz_eval: Running 1 inputs 1 time(s) each.
Running: bug_seeds/worker_crash.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==945968==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7448534fbe80 sp 0x7448534fbe48 T945970)
==945968==Hint: pc points to the zero page.
==945968==The signal is caused by a READ memory access.
==945968==Hint: address points to the zero page.
Executed bug_seeds/worker_crash.js in 2 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
```
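The sanitizer block above can be triaged mechanically. The following is an added example, not part of this report or of the QuickJS project: a small parser that pulls the sanitizer name, signal, fault address, pc and thread id out of a DEADLYSIGNAL summary, flags a pc of zero (execution itself reached the zero page, which is what an indirect call through an unset function pointer looks like), records whether the faulting thread is the main thread, and notices the libFuzzer note that only fixed inputs were replayed. The embedded sample is the output quoted in this report; the thread-numbering rule in `in_main_thread` (ASan counts from T0, standalone UBSan prints the kernel tid) is an assumption about sanitizer runtime behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the DEADLYSIGNAL block quoted in this report, embedded here so the
# example runs offline.
SAMPLE_REPORT = """\
Running: bug_seeds/worker_crash.js
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==945968==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7448534fbe80 sp 0x7448534fbe48 T945970)
==945968==Hint: pc points to the zero page.
==945968==The signal is caused by a READ memory access.
==945968==Hint: address points to the zero page.
Executed bug_seeds/worker_crash.js in 2 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
"""

# "==<pid>==ERROR: <sanitizer>: <signal> on unknown address <addr> (pc <pc> ... T<tid>)"
_ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: (?P<sanitizer>\w+): (?P<signal>\w+) on unknown address "
    r"(?P<addr>0x[0-9a-fA-F]+) \(pc (?P<pc>0x[0-9a-fA-F]+) .*? T(?P<tid>\d+)\)",
    re.MULTILINE,
)
_ACCESS_RE = re.compile(
    r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access",
    re.MULTILINE,
)
_NOT_FUZZED_RE = re.compile(r"NOTE: fuzzing was not performed")


@dataclass
class CrashTriage:
    sanitizer: str
    signal: str
    pid: int
    tid: int
    address: int
    pc: int
    access: Optional[str]

    @property
    def in_main_thread(self) -> bool:
        # Assumption: ASan numbers threads from T0 (the main thread), while
        # standalone UBSan prints the kernel tid, which on Linux equals the pid
        # for the main thread. Either way a different number means another thread.
        return self.tid == 0 or self.tid == self.pid


def parse_sanitizer_report(text: str) -> Optional[CrashTriage]:
    """Extract the DEADLYSIGNAL summary; None if the text holds no such report."""
    m = _ERROR_RE.search(text)
    if m is None:
        return None
    acc = _ACCESS_RE.search(text)
    return CrashTriage(
        sanitizer=m.group("sanitizer"),
        signal=m.group("signal"),
        pid=int(m.group("pid")),
        tid=int(m.group("tid")),
        address=int(m.group("addr"), 16),
        pc=int(m.group("pc"), 16),
        access=acc.group("access") if acc else None,
    )


def classify(t: CrashTriage) -> List[str]:
    """Tags a triager would file on; the order is deterministic."""
    tags = [t.signal.lower()]
    if t.pc == 0:
        # Execution itself reached address 0: typically an indirect call through
        # a function pointer that was never set, not a plain data dereference.
        tags.append("pc-is-zero")
    elif t.address == 0:
        tags.append("null-deref")
    if t.access:
        tags.append(t.access.lower())
    tags.append("main-thread" if t.in_main_thread else "non-main-thread")
    return tags


def fuzzing_performed(text: str) -> bool:
    """False when libFuzzer only replayed fixed inputs (the '*** NOTE' block)."""
    return _NOT_FUZZED_RE.search(text) is None


if __name__ == "__main__":
    triage = parse_sanitizer_report(SAMPLE_REPORT)
    print(triage)
    print(classify(triage))
    print("fuzzing performed:", fuzzing_performed(SAMPLE_REPORT))
```

Run on the report above it yields the tags `segv`, `pc-is-zero`, `read` and `non-main-thread`, which is the shape of this bug: a worker thread faulting with pc at zero rather than a null data read in the main thread.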
Build.sh

```bash
sed -i -e 's/CFLAGS=/CFLAGS+=/' Makefile
sed -i -e 's/CC=$(CROSS_PREFIX)clang//' Makefile
CONFIG_CLANG=y make libquickjs.fuzz.a .obj/fuzz_common.o .obj/libregexp.fuzz.o .obj/cutils.fuzz.o .obj/libunicode.fuzz.o
zip -r $OUT/fuzz_eval_seed_corpus.zip $SRC/quickjs-corpus/js/*.js
zip -r $OUT/fuzz_compile_seed_corpus.zip $SRC/quickjs-corpus/js/*.js
export CFLAGS="${CFLAGS} -fsanitize=fuzzer-no-link"
export CXXFLAGS="${CXXFLAGS} -fsanitize=fuzzer-no-link"
build_fuzz_target () {
    local target=$1
    shift
    $CC $CFLAGS -I. -c fuzz/$target.c -o $target.o
    $CXX $CXXFLAGS $target.o -o $OUT/$target $@ $LIB_FUZZING_ENGINE
}
build_fuzz_target fuzz_eval .obj/fuzz_common.o libquickjs.fuzz.a
build_fuzz_target fuzz_compile .obj/fuzz_common.o libquickjs.fuzz.a
build_fuzz_target fuzz_regexp .obj/libregexp.fuzz.o .obj/cutils.fuzz.o .obj/libunicode.fuzz.o
cp fuzz/fuzz.dict $OUT/fuzz_eval.dict
cp fuzz/fuzz.dict $OUT/fuzz_compile.dict
```
QuickJS version
Git commit: 04be246
Operating system: Ubuntu 24.04 x86_64