chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

dynamic-stack-buffer-overflow in release build #6884

Open tjuTangSong opened 1 year ago

tjuTangSong commented 1 year ago

Branch: master. Commit: cbb9b101d18e4c1682ca39a52a201d8e4241ea17. PoC:

// Reproducer from the report. It is meant to run under the ch host with the
// debugger attached: a step-into is requested and the locals are then inspected.
// In the AddressSanitizer trace in this report, the faulting 8-byte read is in
// Js::ScopeSlots::IsDebuggerScopeSlotArray(), reached through
// JsDiagGetStackProperties -> Js::LocalsWalker::GetChildrenCount() ->
// Js::SlotArrayVariablesWalker::PopulateMembers(), i.e. on the debugger's
// locals-inspection path. The reported address falls in a right alloca redzone
// (shadow byte cb) of the Js::InterpreterStackFrame::ProcessWithDebugging() frame.
// ASan's own HINT says this class of report can be a false positive when custom
// stack unwinding is in use, so triage should confirm the read against the source.
// NOTE(review): when turning this into a regression test, keep the statements and
// the bp annotation exactly as reported; this page does not establish which
// construct is essential to the fault.
function Run() {
    var intl = new Intl.Collator();
    // The block comment after the call below is not inert: it looks like a
    // directive for the ch debugger test harness (presumably "resume with
    // step_into, then dump locals") — confirm against the harness.
    intl.compare('a','b');/**bp:resume('step_into');locals()**/
    // Named class expression: C1 is the outer let binding and NotC1 the class's own
    // inner name. None of the four methods is called in this script; .Echo('PASS')
    // is applied to the class expression itself, inside the initializer of C1.
    let C1 = class NotC1 {
    attemptOuterBindingChange() { C1 = 1; }
    attemptInnerBindingChange() { NotC1 = 1; }
    outerbindingUnmodified() { return C1 !== 1; }
    innerbindingUnmodified() { return NotC1 !== 1; }
}.Echo('PASS');
}

// Entry point of the reproducer. In the trace in this report this call shows up as
// WScriptJsrt::AttachCallback, which invokes Run through JsCallFunction; the
// debugger frames (JsrtDebugManager, Debugger::HandleDebugEvent) sit above it.
// NOTE(review): WScript is presumably supplied by the ch test host and is not
// available in other embedders — confirm.
WScript.Attach(Run);

With a release build made with `./build.sh --sanitize=address --static -j`, I get the following AddressSanitizer log:

==10284==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffcceecb558 at pc 0x55bf9a7362b3 bp 0x7ffcceec3300 sp 0x7ffcceec32f8
READ of size 8 at 0x7ffcceecb558 thread T0
    #0 0x55bf9a7362b2 in Js::ScopeSlots::IsDebuggerScopeSlotArray() (/root/ChakraCore-latest/out/Release/ch+0x6d42b2)
    #1 0x55bf9a918523 in Js::SlotArrayVariablesWalker::PopulateMembers() (/root/ChakraCore-latest/out/Release/ch+0x8b6523)
    #2 0x55bf9a916f14 in Js::VariableWalkerBase::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8b4f14)
    #3 0x55bf9a91ed1a in Js::DiagScopeVariablesWalker::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8bcd1a)
    #4 0x55bf9a924b4c in Js::LocalsWalker::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8c2b4c)
    #5 0x55bf9a55b7ca in JsrtDebuggerStackFrame::GetLocalsObject(Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x4f97ca)
    #6 0x55bf9a5ed7f5 in JsDiagGetStackProperties (/root/ChakraCore-latest/out/Release/ch+0x58b7f5)
    #7 0x55bf9a41c96b in Debugger::GetStackProperties(void*, bool, void**, unsigned short, void*) (/root/ChakraCore-latest/out/Release/ch+0x3ba96b)
    #8 0x55bf9b012f61 in Js::JavascriptExternalFunction::StdCallExternalFunctionThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb0f61)
    #9 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #10 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #11 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #12 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
    #13 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
    #14 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #15 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #16 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #17 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
    #18 0x55bf9adbdde1 in void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5bde1)
    #19 0x55bf9ab602d9 in Js::InterpreterStackFrame::ProcessProfiled() (/root/ChakraCore-latest/out/Release/ch+0xafe2d9)
    #20 0x55bf9aab41dd in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa521dd)
    #21 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
    #22 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #23 0x7f43138e1f41  (<unknown module>)
    #24 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #25 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #26 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #27 0x55bf9adbb9c5 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd599c5)
    #28 0x55bf9aaef893 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8d893)
    #29 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
    #30 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
    #31 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #32 0x7f43138e1eb9  (<unknown module>)
    #33 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #34 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #35 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #36 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
    #37 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
    #38 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #39 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #40 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #41 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
    #42 0x55bf9aaeed79 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8cd79)
    #43 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
    #44 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
    #45 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #46 0x7f43138e1ef1  (<unknown module>)
    #47 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #48 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #49 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #50 0x55bf9adbbb55 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd59b55)
    #51 0x55bf9aaef893 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8d893)
    #52 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
    #53 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
    #54 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #55 0x7f43138e1f01  (<unknown module>)
    #56 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #57 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #58 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #59 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
    #60 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
    #61 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #62 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
    #63 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #64 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
    #65 0x55bf9aaeed79 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8cd79)
    #66 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
    #67 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
    #68 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #69 0x7f43138e1f09  (<unknown module>)
    #70 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #71 0x55bf9a78331a in Js::ScriptContext::ProfileModeThunk_DebugModeWrapper(Js::JavascriptFunction*, Js::ScriptContext*, void* (*)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments&) (/root/ChakraCore-latest/out/Release/ch+0x72131a)
    #72 0x55bf9a78136d in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f36d)
    #73 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #74 0x55bf9b018a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
    #75 0x55bf9b01872f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
    #76 0x55bf9a51175a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
    #77 0x55bf9a41ec15 in Debugger::CallFunction(char const*, void**, void*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3bcc15)
    #78 0x55bf9a41b319 in Debugger::HandleDebugEvent(_JsDiagDebugEvent, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b9319)
    #79 0x55bf9a550d20 in JsrtDebugManager::CallDebugEventCallback(_JsDiagDebugEvent, Js::DynamicObject*, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0x4eed20)
    #80 0x55bf9a551f0a in JsrtDebugManager::CallDebugEventCallbackForBreak(_JsDiagDebugEvent, Js::DynamicObject*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x4eff0a)
    #81 0x55bf9a54f7c3 in JsrtDebugManager::ReportBreak(Js::InterpreterHaltState*) (/root/ChakraCore-latest/out/Release/ch+0x4ed7c3)
    #82 0x55bf9a54f2a5 in JsrtDebugManager::DispatchHalt(Js::InterpreterHaltState*) (/root/ChakraCore-latest/out/Release/ch+0x4ed2a5)
    #83 0x55bf9a95adc9 in Js::ProbeContainer::DispatchStepHandler(Js::InterpreterHaltState*, Js::OpCode*) (/root/ChakraCore-latest/out/Release/ch+0x8f8dc9)
    #84 0x55bf9aacd2a0 in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa6b2a0)
    #85 0x55bf9aab3b77 in Js::InterpreterStackFrame::DebugProcess() (/root/ChakraCore-latest/out/Release/ch+0xa51b77)
    #86 0x55bf9aab2981 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa50981)
    #87 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
    #88 0x7f43138e0f99  (<unknown module>)
    #89 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #90 0x55bf9a78165a in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f65a)
    #91 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
    #92 0x55bf9b018a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
    #93 0x55bf9b01872f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
    #94 0x55bf9a51175a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
    #95 0x55bf9a439b1a in WScriptJsrt::CallbackMessage::CallFunction(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3d7b1a)
    #96 0x55bf9a43ce0b in CustomMessage<WScriptJsrt::AttachCallback(void*, bool, void**, unsigned short, void*)::$_1, WScriptJsrt::CallbackMessage>::Call(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3dae0b)
    #97 0x55bf9a416804 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b4804)
    #98 0x55bf9a419913 in ExecuteTest(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3b7913)
    #99 0x55bf9a41a606 in main (/root/ChakraCore-latest/out/Release/ch+0x3b8606)
    #100 0x7f4317ecfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #101 0x55bf9a318d59 in _start (/root/ChakraCore-latest/out/Release/ch+0x2b6d59)

Address 0x7ffcceecb558 is located in stack of thread T0 at offset 2968 in frame
    #0 0x55bf9aacc8bf in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa6a8bf)

  This frame has 22 object(s):
    [32, 40) 'thisVar.i'
    [64, 70) 'ldElemInfo.i'
    [96, 112) 'agg.tmp36.i.i'
    [128, 144) 'agg.tmp2.i.i.i.i3477'
    [160, 176) 'agg.tmp2.i.i.i.i3459'
    [192, 208) 'agg.tmp2.i.i.i.i3436'
    [224, 240) 'agg.tmp2.i.i.i.i'
    [256, 272) 'agg.tmp2.i.i.i'
    [288, 352) 'info.i.i3194'
    [384, 448) 'info.i.i3153'
    [480, 544) 'info.i.i3117'
    [576, 640) 'info.i.i3087'
    [672, 736) 'info.i.i'
    [768, 776) 'ip.addr.i'
    [800, 808) 'ip'
    [832, 834) 'op'
    [848, 912) 'haltState'
    [944, 1008) 'haltState83'
    [1040, 1048) 'yieldValue'
    [1072, 1080) 'yieldValue1592'
    [1104, 1168) 'haltState1625'
    [1200, 1264) 'haltState1672' <== Memory access at offset 2968 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/root/ChakraCore-latest/out/Release/ch+0x6d42b2) in Js::ScopeSlots::IsDebuggerScopeSlotArray()
Shadow bytes around the buggy address:
  0x100019dd1650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100019dd1660: ca ca ca ca 00 00 00 00 00 00 00 00 00 00 00 00
  0x100019dd1670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100019dd1680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100019dd1690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100019dd16a0: 00 00 00 00 00 cb cb cb cb cb cb[cb]f1 f1 f1 f1
  0x100019dd16b0: f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100019dd16c0: f8 f2 f2 f2 f8 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100019dd16d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100019dd16e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x100019dd16f0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10284==ABORTING