njs
SEGV in njs_value_to_primitive
Environment
OS: Linux ubuntu 5.13.0-44-generic #49~20.04.1-Ubuntu SMP Wed May 18 18:44:28 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit: d09868bc71f9a990445959329ad8c1b10d3898f5
Version: 0.7.4
Build :
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
Proof of concept
var v = 1;
async function f() {
    await 1;              // f is resumed from the promise reaction job (frames #11-#16 below)
    var a = [];
    function g() {
        return v;         // crash site: the scope lookup for v (njs_scope_valid_value, frame #0) reads address 0
    }
    a.toString = g;       // Function(a) stringifies a, so njs_value_to_primitive calls g (frames #6-#8)
    Function(a);
    function s() {
        g + 1;            // s is never called; it only references the closure g
    }
}
f();
Stack dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3153076==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2b44 bp 0x7ffd8a5ee0c0 sp 0x7ffd8a5ed820 T0)
==3153076==The signal is caused by a READ memory access.
==3153076==Hint: address points to the zero page.
#0 0x4e2b44 in njs_scope_valid_value /path/to/njs/src/njs_scope.h:86:10
#1 0x4e2b44 in njs_vmcode_interpreter /path/to/njs/src/njs_vmcode.c:733:17
#2 0x53a49c in njs_function_lambda_call /path/to/njs/src/njs_function.c:693:11
#3 0x5396bc in njs_function_frame_invoke /path/to/njs/src/njs_function.c:769:16
#4 0x5396bc in njs_function_call2 /path/to/njs/src/njs_function.c:592:11
#5 0x4d4c06 in njs_function_apply /path/to/njs/src/njs_function.h:186:12
#6 0x4d4c06 in njs_value_to_primitive /path/to/njs/src/njs_value.c:166:23
#7 0x53c960 in njs_value_to_chain /path/to/njs/src/njs_value_conversion.h:217:19
#8 0x53c960 in njs_function_constructor /path/to/njs/src/njs_function.c:1151:11
#9 0x53afac in njs_function_native_call /path/to/njs/src/njs_function.c:728:11
#10 0x4e44a4 in njs_vmcode_interpreter /path/to/njs/src/njs_vmcode.c:799:23
#11 0x603263 in njs_await_fulfilled /path/to/njs/src/njs_async.c:91:11
#12 0x53afac in njs_function_native_call /path/to/njs/src/njs_function.c:728:11
#13 0x539699 in njs_function_frame_invoke /path/to/njs/src/njs_function.c:766:16
#14 0x539699 in njs_function_call2 /path/to/njs/src/njs_function.c:592:11
#15 0x5f2727 in njs_function_call /path/to/njs/src/njs_function.h:178:12
#16 0x5f2727 in njs_promise_reaction_job /path/to/njs/src/njs_promise.c:1171:15
#17 0x53afac in njs_function_native_call /path/to/njs/src/njs_function.c:728:11
#18 0x4dde50 in njs_vm_invoke /path/to/njs/src/njs_vm.c:428:12
#19 0x4dde50 in njs_vm_call /path/to/njs/src/njs_vm.c:412:12
#20 0x4dde50 in njs_vm_handle_events /path/to/njs/src/njs_vm.c:572:19
#21 0x4dde50 in njs_vm_run /path/to/njs/src/njs_vm.c:532:12
#22 0x4c7fd7 in njs_process_script /path/to/njs/src/njs_shell.c:924:15
#23 0x4c71eb in njs_process_file /path/to/njs/src/njs_shell.c:619:11
#24 0x4c71eb in main /path/to/njs/src/njs_shell.c:303:15
#25 0x7fb975f84082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
#26 0x41da7d in _start (/path/to/njs/build/njs+0x41da7d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/njs/src/njs_scope.h:86:10 in njs_scope_valid_value
==3153076==ABORTING
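As an added triage helper (not part of this issue or of njs), the following Python parses an AddressSanitizer report like the one above into the crash kind, faulting address, access type and symbolized frames, then derives a dedup key from the top in-project frames and checks whether the fault is a zero-page read; the embedded report is constructed from the dump above, abridged to four frames.

```python
import re

# Constructed sample: the AddressSanitizer report from this issue, abridged to
# frames #0-#3 plus the SUMMARY line (enough to demonstrate the parser).
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3153076==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2b44 bp 0x7ffd8a5ee0c0 sp 0x7ffd8a5ed820 T0)
==3153076==The signal is caused by a READ memory access.
==3153076==Hint: address points to the zero page.
    #0 0x4e2b44 in njs_scope_valid_value /path/to/njs/src/njs_scope.h:86:10
    #1 0x4e2b44 in njs_vmcode_interpreter /path/to/njs/src/njs_vmcode.c:733:17
    #2 0x53a49c in njs_function_lambda_call /path/to/njs/src/njs_function.c:693:11
    #3 0x5396bc in njs_function_frame_invoke /path/to/njs/src/njs_function.c:769:16
SUMMARY: AddressSanitizer: SEGV /path/to/njs/src/njs_scope.h:86:10 in njs_scope_valid_value
==3153076==ABORTING
"""

# "SEGV on unknown address 0x..." and "<bug-kind> on address 0x..." both match.
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE)")
# Symbolized frame: "#N 0xADDR in func file:line[:col]"; unsymbolized frames are skipped.
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")

def parse_asan_report(text):
    """Return a dict (kind, address, access, frames) or None if text is not an ASan report."""
    report = {"kind": None, "address": None, "access": None, "frames": []}
    for line in text.splitlines():
        line = line.strip()
        m = ERROR_RE.search(line)
        if m:
            report["kind"], report["address"] = m.group(1), m.group(2)
            continue
        m = ACCESS_RE.search(line)
        if m:
            report["access"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append({"func": m.group(2), "file": m.group(3), "line": int(m.group(4))})
    return report if report["kind"] else None

def crash_signature(report, depth=3):
    """Dedup key: crash kind plus the top `depth` function names, ignoring libc frames."""
    funcs = [f["func"] for f in report["frames"] if not f["func"].startswith("__libc")]
    return "/".join([report["kind"]] + funcs[:depth])

def is_null_deref(report):
    """True when a SEGV's faulting address lies in the zero page (4 KiB page assumed)."""
    return report["kind"] == "SEGV" and int(report["address"], 16) < 0x1000
```

Feeding every crash from a fuzzing run through crash_signature() groups reports that share the same top frames, so a dozen inputs that all die in njs_scope_valid_value via njs_value_to_primitive file as one bucket.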