
SEGV /usr/include/c++/11/bits/unique_ptr.h:173 in std::__uniq_ptr_impl<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::_M_ptr() const #1373

Open 7331akasokoan opened 2 weeks ago

7331akasokoan commented 2 weeks ago

commit: d398f1ece3bae25c00465aea7f00b548d1131241

build settings:

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

poc.js:


// Reproducer body: builds a sticky/unicode/dotAll RegExp, stores the function
// itself in lastIndex, then invokes the Symbol.replace method with no arguments.
function f0() {
    const v1 = /a\w/syu;
    // lastIndex holds an object (f0), so reading it goes through ToLength ->
    // ToPrimitive -> f0.valueOf, which calls f0 again (see the ASAN frames
    // computedLastIndex -> toLength -> ordinaryToPrimitive -> ScriptFunctionObject::call).
    v1.lastIndex = f0;
    try {
        // No string argument is passed; whatever the call throws is swallowed.
        v1[Symbol.replace]();
    } catch(e5) {
    }
}
// Make ToPrimitive on f0 call f0 itself: each lastIndex conversion inside the
// replace/exec path re-enters f0, so builtinRegExpReplace -> regExpExec ->
// builtinRegExpExec nests repeatedly (the trace shows the same cycle of frames)
// until the null dereference in RegExpObject::match (RegExpObject.cpp:344).
f0.valueOf = f0;
f0();

ASAN report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==28357==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x564eb0f148de bp 0x7ffee87b1330 sp 0x7ffee87b1320 T0)
==28357==The signal is caused by a READ memory access.
==28357==Hint: address points to the zero page.
    #0 0x564eb0f148de in std::__uniq_ptr_impl<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::_M_ptr() const /usr/include/c++/11/bits/unique_ptr.h:173
    #1 0x564eb0f12fc7 in std::unique_ptr<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::get() const /usr/include/c++/11/bits/unique_ptr.h:422
    #2 0x564eb0f11b03 in std::unique_ptr<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::operator->() const /usr/include/c++/11/bits/unique_ptr.h:416
    #3 0x564eb0f09612 in Escargot::RegExpObject::match(Escargot::ExecutionState&, Escargot::String*, Escargot::RegexMatchResult&, bool, unsigned long) /home/fuzzer/escargot/src/runtime/RegExpObject.cpp:344
    #4 0x564eb0f08e84 in Escargot::RegExpObject::matchNonGlobally(Escargot::ExecutionState&, Escargot::String*, Escargot::RegexMatchResult&, bool, unsigned long) /home/fuzzer/escargot/src/runtime/RegExpObject.cpp:313
    #5 0x564eb084e2fe in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f22fe)
    #6 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #7 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #8 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #9 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #10 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #11 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #12 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #13 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #14 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #15 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #16 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #17 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #18 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #19 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #20 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #21 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #22 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #23 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #24 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #25 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #26 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #27 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #28 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #29 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #30 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #31 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #32 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #33 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #34 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #35 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #36 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #37 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #38 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #39 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #40 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #41 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #42 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #43 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #44 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #45 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #46 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #47 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #48 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #49 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #50 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #51 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #52 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #53 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #54 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #55 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #56 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #57 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #58 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #59 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #60 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #61 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #62 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #63 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #64 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #65 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #66 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #67 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #68 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #69 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #70 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #71 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #72 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #73 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #74 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #75 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #76 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #77 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #78 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #79 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #80 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #81 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #82 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #83 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #84 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #85 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #86 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #87 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #88 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #89 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #90 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #91 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #92 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #93 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #94 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #95 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #96 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #97 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #98 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #99 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #100 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #101 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #102 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #103 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #104 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #105 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #106 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #107 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #108 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #109 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #110 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #111 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #112 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #113 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #114 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #115 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #116 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #117 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #118 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #119 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #120 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #121 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #122 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #123 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #124 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #125 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #126 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #127 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #128 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #129 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #130 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #131 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #132 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #133 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #134 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #135 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #136 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #137 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #138 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #139 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #140 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #141 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #142 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #143 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #144 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #145 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #146 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #147 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #148 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #149 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #150 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #151 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #152 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #153 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #154 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #155 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #156 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #157 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #158 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #159 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #160 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #161 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #162 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #163 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #164 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #165 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #166 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #167 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #168 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #169 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #170 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #171 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #172 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #173 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #174 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #175 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #176 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #177 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #178 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #179 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #180 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #181 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #182 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #183 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #184 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #185 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #186 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #187 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #188 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #189 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #190 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #191 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #192 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #193 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #194 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #195 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #196 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #197 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #198 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #199 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #200 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #201 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #202 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #203 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #204 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #205 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #206 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #207 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #208 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #209 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #210 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #211 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #212 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #213 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #214 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #215 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #216 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #217 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #218 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #219 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #220 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #221 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #222 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #223 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #224 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #225 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #226 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #227 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #228 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #229 0x564eb084ec0b in Escargot::regExpExec(Escargot::ExecutionState&, Escargot::Object*, Escargot::String*) (/home/fuzzer/escargot/escargot+0x3f2c0b)
    #230 0x564eb0853ff2 in builtinRegExpReplace /home/fuzzer/escargot/src/builtins/BuiltinRegExp.cpp:443
    #231 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312
    #232 0x564eb0e9833f in Escargot::NativeFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/NativeFunctionObject.cpp:78
    #233 0x564eb097a5e0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:791
    #234 0x564eb0995c3b in Escargot::InterpreterSlowPath::tryOperation(Escargot::ExecutionState*&, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3315
    #235 0x564eb097d7d0 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1257
    #236 0x564eb0f5283e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #237 0x564eb0f50d38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #238 0x564eb0eb4267 in Escargot::Object::call(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/Object.cpp:1332
    #239 0x564eb0feb49d in Escargot::Value::ordinaryToPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:217
    #240 0x564eb0febd02 in Escargot::Value::toPrimitiveSlowCase(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/Value.cpp:249
    #241 0x564eb07819be in Escargot::Value::toPrimitive(Escargot::ExecutionState&, Escargot::Value::PrimitiveTypeHint) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:819
    #242 0x564eb0fef238 in Escargot::Value::toNumberSlowCase(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/Value.cpp:793
    #243 0x564eb070cac1 in Escargot::Value::toNumber(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:777
    #244 0x564eb070d1ce in Escargot::Value::toInteger(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:940
    #245 0x564eb070d396 in Escargot::Value::toLength(Escargot::ExecutionState&) const /home/fuzzer/escargot/src/runtime/ValueInlines.h:965
    #246 0x564eb084c9aa in Escargot::RegExpObject::computedLastIndex(Escargot::ExecutionState&) /home/fuzzer/escargot/src/runtime/RegExpObject.h:105
    #247 0x564eb084e1e0 in Escargot::builtinRegExpExec(Escargot::ExecutionState&, Escargot::Value, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) (/home/fuzzer/escargot/escargot+0x3f21e0)
    #248 0x564eb0e98ee6 in Escargot::Value Escargot::NativeFunctionObject::processNativeFunctionCall<false, true>(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Optional<Escargot::Object*>) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:312

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/11/bits/unique_ptr.h:173 in std::__uniq_ptr_impl<JSC::Yarr::ByteDisjunction, std::default_delete<JSC::Yarr::ByteDisjunction> >::_M_ptr() const
==28357==ABORTING
clover2123 commented 1 week ago

Thank you for reporting. I'll investigate these issues.