Unhandled memory allocation errors #1098

@v-p-b

Description

I keep hitting this bug on Windows using Stalker and the V8 JS engine:

rax=0000000000000000 rbx=0000000000000000 rcx=0000000000001000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=00007fff3f9d7442 rsp=000000dd539fbe80 rbp=000000dd539fbee8
 r8=0000000000000017  r9=00000000000002c8 r10=000000000000005d
r11=00000000c0000018 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
frida!gum_slab_init [inlined in frida!gum_exec_block_new+0x9e]:
0033:00007fff`3f9d7442 48c7401000000000 mov     qword ptr [rax+10h],0 ds:00000000`00000010=????????????????
Resetting default scope

STACK_TEXT:  
ffff8409`02a9b718 fffff801`cb9b2b52     : ffff8409`02a9b798 00000000`00000001 00000000`00000100 fffff801`cbac4101 : nt!DbgBreakPointWithStatus
ffff8409`02a9b720 fffff801`cb9b207c     : 00000000`00000003 ffff8409`02a9b880 fffff801`cbac42b0 00000000`000000ef : nt!KiBugCheckDebugBreak+0x12
ffff8409`02a9b780 fffff801`cb8fb9c7     : ffff8409`02a9c180 fffff801`cb64d594 00000000`00020000 ffff8409`02a9bf80 : nt!KeBugCheck2+0xb2c
ffff8409`02a9bf10 fffff801`cbb774c0     : 00000000`000000ef ffff8687`2fa0d100 00000000`00000000 ffff8687`2fa0d100 : nt!KeBugCheckEx+0x107
ffff8409`02a9bf50 fffff801`cbd49483     : ffff8687`2fa0d100 00000000`00000001 00000000`00000001 fffff801`cb88d0a1 : nt!PspCatchCriticalBreak+0x128
ffff8409`02a9bff0 fffff801`cbd38097     : ffff8687`2fa0d100 00000000`00000000 ffff8687`2fa0d100 00000000`00000000 : nt!PspTerminateAllThreads+0x27f
ffff8409`02a9c070 fffff801`cbd3999a     : ffff8687`2fa0d100 00000000`00000001 ffff8687`2fabc080 ffff8687`2fa0d100 : nt!PspTerminateProcess+0xf7
ffff8409`02a9c0b0 fffff801`cbabdc55     : ffff8687`2fa0d100 ffff8687`2fabc080 01dca736`cdf9cc30 00670000`0000000d : nt!NtTerminateProcess+0xca
ffff8409`02a9c130 fffff801`cbaac100     : fffff801`cb7e247b ffffffff`ffffffff ffff8409`02a9c300 ffff8409`02a9c800 : nt!KiSystemServiceCopyEnd+0x25
ffff8409`02a9c2c8 fffff801`cb7e247b     : ffffffff`ffffffff ffff8409`02a9c300 ffff8409`02a9c800 ffff8409`02a9cae0 : nt!KiServiceLinkage
ffff8409`02a9c2d0 fffff801`cb7dfe73     : 00000000`00000002 0000025c`d2df0001 ffff8409`02a9cc20 00000000`00000000 : nt!KiDispatchException+0x84b
ffff8409`02a9c9c0 fffff801`cbaaa296     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiRaiseException+0x103
ffff8409`02a9cae0 fffff801`cbabdc55     : 00000000`e9582cd6 00007fff`92920000 ffff8687`2fabc080 0000025d`5156f000 : nt!NtRaiseException+0x96
ffff8409`02a9cc20 00007fff`3f9d7442     : 00007fff`92a1165a 0000025c`b185c750 00000000`00000000 00007fff`3ea9549e : nt!KiSystemServiceCopyEnd+0x25
(Inline Function) --------`--------     : --------`-------- --------`-------- --------`-------- --------`-------- : frida!gum_code_slab_new+0x46 [C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c @ 6182] 
000000dd`539fbe80 00007fff`3f9d8f1c     : 00000000`000023ec 0000025c`9abb78c0 0000025c`d2e0fb77 0000025c`9abb7948 : frida!gum_exec_block_new+0x9e [C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c @ 4035] 
000000dd`539fbf30 00007fff`3f9d9c1e     : 0000025c`92a1165d 00007fff`3eb09724 0000025c`b1899400 000000dd`539fc020 : frida!gum_exec_ctx_build_block+0x14 [C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c @ 2930] 
000000dd`539fbfc0 00007fff`3f9da317     : 0000025c`d2df0000 0000025c`d2e0faa9 0000025c`9d660000 0000025c`d2e0fbd1 : frida!gum_exec_ctx_obtain_block_for+0xae [C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c @ 2874] 
000000dd`539fc030 0000025c`5388c445     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : frida!gum_exec_ctx_switch_block+0x83 [C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c @ 2755] 
000000dd`539fc090 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0000027f : 0x0000025c`5388c445


FAULTING_SOURCE_LINE:  C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c

FAULTING_SOURCE_FILE:  C:\Users\Administrator\Desktop\frida_17_7_3\subprojects\frida-gum\gum\backend-x86\gumstalker-x86.c

FAULTING_SOURCE_LINE_NUMBER:  4035

FAULTING_SOURCE_CODE:  
  6300: {
  6301:   slab->data = (guint8 *) slab + header_size;
  6302:   slab->offset = 0;
  6303:   slab->size = slab_size - header_size;
> 6304:   slab->next = NULL;
  6305: }
  6306: 
  6307: static gsize
  6308: gum_slab_available (GumSlab * self)
  6309: {

The relevant source code is this (in the binary the functions are inlined and the slab member assignments are reordered, so `slab->next = NULL` happens before anything else):

    slab = gum_memory_allocate_near (&spec, slab_size, stalker->page_size,
        GUM_PAGE_RW);
    gum_data_slab_init (slab, slab_size);

`gum_memory_allocate_near` can return NULL at multiple places, yet this value is never checked, resulting in a NULL deref. I also notice that this is a common pattern in this file. I'm not sure how allocation errors should be handled in similar situations; I for one would definitely appreciate a JS exception that I can handle instead of crashing.
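The failure mode described in the report, as an added example that is not frida-gum's code: a minimal slab initializer written in the unchecked form (the initializer stores through whatever pointer the allocator returned, so a NULL return becomes a write at a small offset from address 0), next to a checked allocation path that reports the failure to its caller instead of dereferencing it. The `Slab` layout, the `allocate_pages` stand-in with a failure budget, and the `slab_new_checked` / `scenario_bytes_used` helpers are all constructed for illustration and only mirror the field names visible in the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical slab header modelled on the fields named in the crash dump
 * (data, offset, size, next); not the project's own definition. */
typedef struct Slab Slab;
struct Slab {
  uint8_t *data;
  size_t offset;
  size_t size;
  Slab *next;
};

/* Constructed stand-in for a page allocator that can fail. A budget of
 * remaining successful allocations lets a caller force the NULL path;
 * -1 means unlimited. */
static int allocs_remaining = -1;

static void *allocate_pages(size_t size)
{
  if (allocs_remaining == 0)
    return NULL;
  if (allocs_remaining > 0)
    allocs_remaining--;
  return calloc(1, size);
}

/* Unchecked pattern: stores through the pointer unconditionally. Called with
 * NULL, the first store is a write to a small absolute address and the
 * process faults, which is what the report's register dump shows. */
static void slab_init_unchecked(Slab *slab, size_t slab_size)
{
  slab->data = (uint8_t *) slab + sizeof(Slab);
  slab->offset = 0;
  slab->size = slab_size - sizeof(Slab);
  slab->next = NULL;
}

/* Checked form: validate the size, test the allocator's result at the one
 * point where the pointer is produced, and hand NULL back to the caller. */
static Slab *slab_new_checked(size_t slab_size)
{
  Slab *slab;

  if (slab_size <= sizeof(Slab))
    return NULL; /* header would not fit; reject rather than underflow size */

  slab = allocate_pages(slab_size);
  if (slab == NULL)
    return NULL; /* allocation failed: report, do not dereference */

  slab_init_unchecked(slab, slab_size); /* safe: slab is non-NULL here */
  return slab;
}

/* Bump allocation from a slab; NULL when the slab is missing or exhausted. */
static void *slab_alloc(Slab *slab, size_t n)
{
  void *p;

  if (slab == NULL || n > slab->size - slab->offset)
    return NULL;
  p = slab->data + slab->offset;
  slab->offset += n;
  return p;
}

/* Caller-level handling. Returns the bytes handed out from a fresh 4 KiB
 * slab, or -1 when the slab could not be allocated: the failure is a value
 * the caller can turn into an error (for Frida, a JS exception) instead of
 * a crash. `budget` is the number of allocations allowed to succeed. */
static long scenario_bytes_used(int budget)
{
  Slab *slab;
  long used = -1;

  allocs_remaining = budget;
  slab = slab_new_checked(4096);
  if (slab != NULL) {
    void *a = slab_alloc(slab, 100);
    void *b = slab_alloc(slab, 200);
    used = (a != NULL && b != NULL) ? (long) slab->offset : 0;
    free(slab);
  }
  allocs_remaining = -1;
  return used;
}

int main(void)
{
  printf("budget 1: %ld\n", scenario_bytes_used(1));
  printf("budget 0: %ld\n", scenario_bytes_used(0));
  return 0;
}
```

The check sits in `slab_new_checked` because that is the only place the allocator's return value exists; every later consumer (`slab_alloc`, the caller) then only has to handle a NULL slab, which is a value it can report, rather than a pointer it must trust.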
