fix: heap-use-after-free in build_backtrace when dbuf OOM frees current_exception#1472
Open
mvanhorn wants to merge 1 commit into
…nt_exception If JS_NewError() during build_backtrace triggered dbuf OOM, JS_ThrowOutOfMemory freed the current exception (error_val from the caller's stack frame), then the rest of build_backtrace continued using the freed error_val for the prepareStackTrace call and the JS_DefinePropertyValue of the stack property. The fix duplicates error_val into a local error_obj at function entry, uses error_obj throughout the function, and frees it at exit. Fixes quickjs-ng#1469
saghul (Contributor) reviewed on May 16, 2026
saghul left a comment:
A small suggestion, LGTM otherwise, thanks!
    if (rt->in_build_stack_trace)
        return;
    rt->in_build_stack_trace = true;
    error_obj = JS_DupValue(ctx, error_val);
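Review bot: The JS_DupValue on the last line sits after the rt->in_build_stack_trace early return, which is the right spot (the guarded return then has nothing to release), but the PR summary describes the dup as added "at function entry"; align the description with where the code actually takes the reference. Also check that every exit after this line both frees error_obj and resets rt->in_build_stack_trace, since a return taken between the dup and the exit cleanup would leak a reference to the error object and leave the guard set for the rest of the runtime's lifetime.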
Summary

If JS_NewError during build_backtrace triggered dbuf OOM, the OOM path freed the current exception (which is error_val on the caller's stack), then build_backtrace kept using the dangling error_val for both the prepareStackTrace call and the JS_DefinePropertyValue of the stack property. Fix is to duplicate error_val into a local error_obj, use that throughout the function, and free it at exit.

Why this matters

ASan flags this as a clean heap-use-after-free with a small repro that exercises Error.prepareStackTrace under low-memory conditions. The rt->in_build_stack_trace guard prevents recursion but not the freed-pointer reuse, since the free happens via JS_ThrowOutOfMemory -> exception slot replacement, not via recursion.

Changes

quickjs.c - add JSValue error_obj = JS_DupValue(ctx, error_val) at function entry, use error_obj for the two remaining references after the dbuf-can-fail region, free at exit.
api-test.c - add a regression test that constructs the OOM scenario and walks the backtrace path.

Testing

make all && ./run-test262 -c tests/test262.conf clean. ASan build with the new api-test passes.

Fixes #1469
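The ownership bug described above (a borrowed reference that the exception slot owns, invalidated when JS_ThrowOutOfMemory replaces the slot) and the shape of the fix (take your own reference at entry, release it at exit) can be shown with a small model. The following is an added example, not quickjs-ng's code: Obj, Ctx, obj_new, dup_value, free_value, throw_out_of_memory and new_error_may_oom are toy stand-ins for JSValue, the runtime's exception slot, JS_DupValue, JS_FreeValue, JS_ThrowOutOfMemory and the dbuf-backed JS_NewError; instead of really freeing memory, the model marks an object dead when its last reference drops so a later use is counted rather than being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy reference-counted value, constructed for this example (not JSValue).
 * Dropping the last reference marks the object dead instead of calling
 * free(), so a dangling use can be detected deterministically. */
typedef struct {
    int ref_count;
    bool dead;       /* set when ref_count reaches 0 (models the free) */
    char name[32];
} Obj;

typedef struct {
    Obj *current_exception; /* models the runtime's current exception slot */
    bool oom_pending;       /* constructed switch: next allocation fails */
    int dangling_uses;      /* how many times a dead object was read */
} Ctx;

static Obj *obj_new(const char *name) {
    Obj *o = calloc(1, sizeof *o);
    o->ref_count = 1;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static Obj *dup_value(Obj *o) { o->ref_count++; return o; }   /* like JS_DupValue */

static void free_value(Obj *o) {                              /* like JS_FreeValue */
    if (--o->ref_count == 0)
        o->dead = true;
}

/* Every read of a value goes through here so a use of a freed object is
 * recorded instead of silently reading stale memory. */
static const char *use_value(Ctx *ctx, Obj *o) {
    if (o->dead) {
        ctx->dangling_uses++;
        return "<freed>";
    }
    return o->name;
}

/* Models JS_ThrowOutOfMemory: overwriting the exception slot releases the
 * slot's reference to the previous exception. A caller that only borrowed
 * that reference now holds a dangling pointer. */
static void throw_out_of_memory(Ctx *ctx) {
    if (ctx->current_exception)
        free_value(ctx->current_exception);
    ctx->current_exception = obj_new("OutOfMemoryError");
}

/* Models the JS_NewError inside build_backtrace whose dbuf growth can fail. */
static Obj *new_error_may_oom(Ctx *ctx) {
    if (ctx->oom_pending) {
        ctx->oom_pending = false;
        throw_out_of_memory(ctx);
        return NULL;
    }
    return obj_new("Error");
}

/* Before the fix: error_val is a borrowed reference owned by the exception
 * slot, so the OOM path frees it from under this function. */
static int build_backtrace_borrowed(Ctx *ctx, Obj *error_val) {
    Obj *tmp = new_error_may_oom(ctx);
    if (tmp) { free_value(tmp); free(tmp); }
    use_value(ctx, error_val);   /* the prepareStackTrace call */
    use_value(ctx, error_val);   /* defining the stack property */
    return ctx->dangling_uses;
}

/* After the fix: take an owned reference at entry, release it at exit, so
 * whatever happens to the exception slot cannot invalidate error_obj. */
static int build_backtrace_owned(Ctx *ctx, Obj *error_val) {
    Obj *error_obj = dup_value(error_val);
    Obj *tmp = new_error_may_oom(ctx);
    if (tmp) { free_value(tmp); free(tmp); }
    use_value(ctx, error_obj);
    use_value(ctx, error_obj);
    free_value(error_obj);
    return ctx->dangling_uses;
}

/* One scenario: an error is pending in the slot, then build_backtrace runs
 * with its internal allocation forced to fail. Returns the number of
 * dangling uses observed; 0 means the function was memory-safe. */
static int run_scenario(bool owned) {
    Ctx ctx = {0};
    Obj *err = obj_new("TypeError");
    ctx.current_exception = err;   /* the slot holds the only reference */
    ctx.oom_pending = true;
    int n = owned ? build_backtrace_owned(&ctx, err)
                  : build_backtrace_borrowed(&ctx, err);
    free_value(ctx.current_exception);   /* the OOM error left in the slot */
    free(ctx.current_exception);
    free(err);   /* kept allocated until now only so the model could flag the reuse */
    return n;
}

int main(void) {
    printf("borrowed reference: %d dangling use(s)\n", run_scenario(false));
    printf("owned reference:    %d dangling use(s)\n", run_scenario(true));
    return 0;
}
```

The borrowed variant reports two dangling uses (one per post-OOM use of error_val), the owned variant none; the same pairing of JS_DupValue at entry with JS_FreeValue at every exit is what the patch applies to build_backtrace, and it is the property the regression test in api-test.c should exercise under an ASan build.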