AddressSanitizer: heap-use-after-free #22082

Closed
norrath-hero-cn opened this issue Jun 12, 2023 · 6 comments
@norrath-hero-cn
Contributor

norrath-hero-cn commented Jun 12, 2023

Description

compiler: llvm-mingw-20230603-ucrt-x86_64, https://github.com/mstorsjo/llvm-mingw/releases/tag/20230603

nim: nim-1.9.3, https://github.com/nim-lang/nightlies/releases/download/2023-03-31-version-2-0-2e4ba4ad93c6d9021b6de975cf7ac78e67acba26/nim-1.9.3-windows_x64.zip

minimal reproduce project: https://github.com/nimgl/nimgl#usage

build command: nimble.exe --verbose -d:debug --debugger:native --passC:"-fsanitize=address" --passL:"-fsanitize=address" build

PS Z:\setup\vscode_nim\projects\opengl> .\opengl.exe

==8800==ERROR: AddressSanitizer: heap-use-after-free on address 0x12112f7a00a0 at pc 0x7ffc2fdf1f47 bp 0x002c887bea90 sp 0x002c887bead8
READ of size 24 at 0x12112f7a00a0 thread T0
#0 0x7ffc2fdf1f46 in __asan_memcpy /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x7ff63f00423f in callClosures__stdZexitprocs_19 Z:\setup\vscode_nim\nim-1.9.3\lib/system.nim:903:5
#2 0x7ffc6aad42d5 (C:\WINDOWS\System32\ucrtbase.dll+0x1800142d5)
#3 0x7ffc6aad41fa (C:\WINDOWS\System32\ucrtbase.dll+0x1800141fa)
#4 0x7ffc6aad41b3 (C:\WINDOWS\System32\ucrtbase.dll+0x1800141b3)
#5 0x7ffc6aae0521 (C:\WINDOWS\System32\ucrtbase.dll+0x180020521)
#6 0x7ffc6aae04aa (C:\WINDOWS\System32\ucrtbase.dll+0x1800204aa)
#7 0x7ffc6aae044d (C:\WINDOWS\System32\ucrtbase.dll+0x18002044d)
#8 0x7ff63efc134a in __tmainCRTStartup /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-x86_64/../crt/crtexe.c:269:7
#9 0x7ff63efc1365 in .l_start /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-x86_64/../crt/crtexe.c:188:9
#10 0x7ffc6b167613 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017613)
#11 0x7ffc6ccc26f0 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526f0)

0x12112f7a00a0 is located 32 bytes inside of 56-byte region [0x12112f7a0080,0x12112f7a00b8)
freed by thread T0 here:
#0 0x7ffc2fdf2671 in free /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82:3
#1 0x7ff63f011888 in alignedDealloc Z:\setup\vscode_nim\nim-1.9.3\lib\system/memalloc.nim
#2 0x7ff63f05b2c5 in NimMainModule Z:\setup\vscode_nim\nim-1.9.3\lib\std/exitprocs.nim:23:2
#3 0x7ff63f05b605 in NimMainInner Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:147:2
#4 0x7ff63f05b605 in NimMain Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:158:2
#5 0x7ff63f05b605 in main Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:166:2
#6 0x7ff63efc1314 in __tmainCRTStartup /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-x86_64/../crt/crtexe.c:267:15
#7 0x7ff63efc1365 in .l_start /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-x86_64/../crt/crtexe.c:188:9
#8 0x7ffc6b167613 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017613)
#9 0x7ffc6ccc26f0 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526f0)

previously allocated by thread T0 here:
#0 0x7ffc2fdf29d6 in realloc /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:135:3
#1 0x7ff63f0192a6 in reallocImpl__system_1774 Z:\setup\vscode_nim\nim-1.9.3\lib\system\mm/malloc.nim:17:11
#2 0x7ff63f0192a6 in realloc0Impl__system_1777 Z:\setup\vscode_nim\nim-1.9.3\lib\system\mm/malloc.nim:23:11
#3 0x7ff63f0192a6 in reallocShared0Impl__system_1790 Z:\setup\vscode_nim\nim-1.9.3\lib\system\mm/malloc.nim:43:11
#4 0x7ff63f0192a6 in alignedRealloc0__system_1968 Z:\setup\vscode_nim\nim-1.9.3\lib\system/memalloc.nim:392:12
#5 0x7ff63f0198cb in prepareSeqAdd Z:\setup\vscode_nim\nim-1.9.3\lib\system/seqs_v2.nim:72:30
#6 0x7ff63f022466 in add__stdZexitprocs_202 Z:\setup\vscode_nim\nim-1.9.3\lib\system/seqs_v2.nim:111:26
#7 0x7ff63f00514f in addExitProc__stdZexitprocs_196 Z:\setup\vscode_nim\nim-1.9.3\lib\std/exitprocs.nim:62:95
#8 0x7ff63f006bb7 in atmdotdotatsdotdotatsdotdotatsnimminus1dot9dot3atslibatsstdatssynciodotnim_Init000 Z:\setup\vscode_nim\nim-1.9.3\lib\std/syncio.nim:840:3
#9 0x7ff63f05b5fb in PreMainInner Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:123:2
#10 0x7ff63f05b5fb in PreMain Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:142:2
#11 0x7ff63f05b5fb in NimMain Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:157:2
#12 0x7ff63f05b5fb in main Z:\setup\vscode_nim\nim-1.9.3\lib\system/threadlocalstorage.nim:166:2
#13 0x7ff63efc1314 in __tmainCRTStartup /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-x86_64/../crt/crtexe.c:267:15
#14 0x7ff63efc1365 in .l_start /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-x86_64/../crt/crtexe.c:188:9
#15 0x7ffc6b167613 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017613)
#16 0x7ffc6ccc26f0 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526f0)

SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x12112f79fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x12112f79fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x12112f79ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x12112f79ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x12112f7a0000: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x12112f7a0080: fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa
0x12112f7a0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x12112f7a0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x12112f7a0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x12112f7a0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x12112f7a0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8800==ABORTING
PS Z:\setup\vscode_nim\projects\opengl>

updates 2023-06-18:
The issue can also be reproduced with the latest llvm-mingw: llvm-mingw-20230614-ucrt-x86_64, https://github.com/mstorsjo/llvm-mingw/releases/tag/20230614

updates 2023-08-04:
These problems can still be reproduced in Nim 2.0, and I believe it's because of the order between the global object destructor and the atexit hooks: the atexit hook "callClosures" uses an already destroyed object "gFuns: seq[Fun]".

https://stackoverflow.com/questions/16010083/order-between-destruction-of-global-object-and-atexit-in-c

Nim Version

nim-1.9.3

Current Output

No response

Expected Output

No response

Possible Solution

No response

Additional Information

No response
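The ordering hazard the report describes (a module destructor frees the hook registry, then an atexit handler walks it) is easy to see in a small C model. The program below is an added example, not code from the Nim runtime or from this issue: `g_funs`, `add_exit_proc`, `destroy_exit_procs` and `call_closures` are hypothetical stand-ins for `gFuns`, `addExitProc`, the generated module destructor and `callClosures`. It assumes the destructor nulls the global after freeing it, which is what lets the exit handler detect the "registry already gone" state instead of reading freed memory; the "correct order" shutdown runs the hooks while the registry is still alive, which is the ordering ASan would not complain about.

```c
#include <stdio.h>
#include <stdlib.h>

typedef void (*hook_fn)(void);

/* Heap-backed, growable list of exit hooks: a model of gFuns: seq[Fun]. */
typedef struct {
    hook_fn *funs;
    size_t len, cap;
} hook_registry;

static hook_registry *g_funs = NULL;  /* hypothetical stand-in for gFuns */
static int g_ran = 0;                 /* records which hooks actually executed */

static void hook_a(void) { g_ran += 1; }
static void hook_b(void) { g_ran += 10; }

/* Model of addExitProc: grows the list with realloc, as in the
 * "previously allocated by" part of the ASan trace. Returns the new length
 * or -1 on allocation failure. */
int add_exit_proc(hook_fn f) {
    if (g_funs == NULL) {
        g_funs = calloc(1, sizeof *g_funs);
        if (g_funs == NULL) return -1;
    }
    if (g_funs->len == g_funs->cap) {
        size_t ncap = g_funs->cap ? g_funs->cap * 2 : 4;
        hook_fn *nf = realloc(g_funs->funs, ncap * sizeof *nf);
        if (nf == NULL) return -1;
        g_funs->funs = nf;
        g_funs->cap = ncap;
    }
    g_funs->funs[g_funs->len++] = f;
    return (int)g_funs->len;
}

/* Model of the module destructor: the "freed by" part of the trace.
 * Nulling the global afterwards is an assumption of this model; it is what
 * makes the stale state detectable. */
void destroy_exit_procs(void) {
    if (g_funs == NULL) return;
    free(g_funs->funs);
    free(g_funs);
    g_funs = NULL;
}

/* Model of the atexit handler callClosures. Runs hooks in LIFO order and
 * returns how many ran, or -1 when the registry has already been destroyed,
 * so it never dereferences freed memory. */
int call_closures(void) {
    if (g_funs == NULL) return -1;
    int n = 0;
    for (size_t i = g_funs->len; i > 0; i--) {
        g_funs->funs[i - 1]();
        n++;
    }
    return n;
}

/* The ordering the report hit: destructor first, atexit handler second.
 * With the guard above the use-after-free becomes a silent skip, which is
 * safe but still loses the hooks. */
int shutdown_wrong_order(void) {
    destroy_exit_procs();
    return call_closures();
}

/* The ordering that avoids the bug: run hooks while the registry is alive,
 * then free it. */
int shutdown_correct_order(void) {
    int n = call_closures();
    destroy_exit_procs();
    return n;
}

int main(void) {
    add_exit_proc(hook_a);
    add_exit_proc(hook_b);
    printf("correct order: ran %d hooks, g_ran=%d\n", shutdown_correct_order(), g_ran);
    add_exit_proc(hook_a);
    printf("wrong order: call_closures returned %d (registry already destroyed)\n",
           shutdown_wrong_order());
    return 0;
}
```

Running the program under `-fsanitize=address` with the guard removed from `call_closures` produces a heap-use-after-free report of the same shape as the one above (read inside a freed region, freed by the destructor, allocated by the realloc in the add path), which is a cheap way to confirm a suspected teardown-ordering bug before touching the real runtime.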

@Araq
Member

Araq commented Jun 13, 2023

That looks like a bug in the OpenGL wrapper to me.

@norrath-hero-cn
Contributor Author

That looks like a bug in the OpenGL wrapper to me.

Maybe not, the same test case works fine with nim-1.6.12

@Araq
Member

Araq commented Jun 14, 2023

That doesn't mean much, compile with --mm:orc on 1.6.12 to see if that also produces the error.

@norrath-hero-cn
Contributor Author

norrath-hero-cn commented Jun 14, 2023

That doesn't mean much, compile with --mm:orc on 1.6.12 to see if that also produces the error.

I use the same build opts for both versions of Nim; no heap-use-after-free is reported on 1.6.12

nim.cfg
-d:useMalloc
--mm:orc
--cc:gcc

@Araq Araq added the Severe label Jun 14, 2023
@Araq
Member

Araq commented Jun 14, 2023

Sorry, wasn't aware.

@norrath-hero-cn
Contributor Author

Closing this because I now fully understand what the problem is and have fixed it in #22386
