Closed orgads closed 10 months ago
When running tests/async-rentry.js there is a use-after-free.
ASAN:
$ ASAN_OPTIONS=new_delete_type_mismatch=0 LD_PRELOAD=/lib/x86_64-linux-gnu/libasan.so.8 node tests/async-rentry.js pass ================================================================= ==2265968==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0000a98c0 at pc 0x7fcd998b7efc bp 0x7ffc337a3b60 sp 0x7ffc337a3b50 READ of size 8 at 0x61d0000a98c0 thread T0 #0 0x7fcd998b7efb in ivm::Executor::GetCurrentEnvironment() ../src/isolate/executor.h:172 #1 0x7fcd998b7efb in ivm::IsolateEnvironment::GetCurrent() ../src/isolate/environment.h:201 #2 0x7fcd998b7efb in ~ExternalStringOneByte ../src/external_copy/string.cc:49 #3 0x7fcd998b7efb in ~ExternalStringOneByte ../src/external_copy/string.cc:50 #4 0x55b84df14461 in v8::internal::Heap::ExternalStringTable::TearDown() (/usr/local/bin/node+0xf14461) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #5 0x55b84df14493 in v8::internal::Heap::TearDownWithSharedHeap() (/usr/local/bin/node+0xf14493) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #6 0x55b84de86fae in v8::internal::Isolate::Deinit() (/usr/local/bin/node+0xe86fae) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #7 0x55b84de89cd5 in v8::internal::Isolate::Delete(v8::internal::Isolate*) (/usr/local/bin/node+0xe89cd5) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #8 0x55b84db05820 in node::NodeMainInstance::~NodeMainInstance() (/usr/local/bin/node+0xb05820) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #9 0x55b84da70b0e in node::Start(int, char**) (/usr/local/bin/node+0xa70b0e) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #10 0x7fcda2a280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #11 0x7fcda2a28188 in __libc_start_main_impl ../csu/libc-start.c:360 #12 0x55b84d9a0020 in _start (/usr/local/bin/node+0x9a0020) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) 0x61d0000a98c0 is located 576 bytes inside of 2400-byte region [0x61d0000a9680,0x61d0000a9fe0) freed by thread T0 here: #0 0x7fcda32e0c50 in operator 
delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164 #1 0x7fcd999c68c7 in std::__new_allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/13/bits/new_allocator.h:168 #2 0x7fcd999c68c7 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:516 #3 0x7fcd999c68c7 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/13/bits/allocated_ptr.h:74 #4 0x7fcd999c68c7 in std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/13/bits/shared_ptr_base.h:623 #5 0x7fcd9990a1e3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/13/bits/shared_ptr_base.h:347 #6 0x7fcd9990a1e3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/13/bits/shared_ptr_base.h:317 #7 0x7fcd9990a1e3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/13/bits/shared_ptr_base.h:1071 #8 0x7fcd9990a1e3 in std::__shared_ptr<ivm::IsolateEnvironment, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/13/bits/shared_ptr_base.h:1524 #9 0x7fcd9990a1e3 in std::__shared_ptr<ivm::IsolateEnvironment, (__gnu_cxx::_Lock_policy)2>::reset() /usr/include/c++/13/bits/shared_ptr_base.h:1642 
#10 0x7fcd9990a1e3 in ivm::IsolateHolder::Release() ../src/isolate/holder.cc:39 #11 0x7fcd999c1eec in operator() ../src/module/isolate.cc:112 #12 0x7fcd999c1eec in _FUN ../src/module/isolate.cc:115 #13 0x55b84da0229b in node::CleanupQueue::Drain() (/usr/local/bin/node+0xa0229b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #14 0x55b84da2cb63 in node::Environment::RunCleanup() (/usr/local/bin/node+0xa2cb63) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #15 0x55b84d9cf90b in node::FreeEnvironment(node::Environment*) (/usr/local/bin/node+0x9cf90b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #16 0x55b84db05d71 in node::NodeMainInstance::Run() (/usr/local/bin/node+0xb05d71) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #17 0x55b84da70b03 in node::Start(int, char**) (/usr/local/bin/node+0xa70b03) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #18 0x7fcda2a280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 previously allocated by thread T0 here: #0 0x7fcda32dfba8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95 #1 0x7fcd999c36c3 in std::__new_allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/13/bits/new_allocator.h:147 #2 0x7fcd999c36c3 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:482 #3 0x7fcd999c36c3 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, 
(__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/13/bits/allocated_ptr.h:98 #4 0x7fcd999c36c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<ivm::IsolateEnvironment, std::allocator<void>>(ivm::IsolateEnvironment*&, std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/13/bits/shared_ptr_base.h:969 #5 0x7fcd999c36c3 in std::__shared_ptr<ivm::IsolateEnvironment, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<void>>(std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/13/bits/shared_ptr_base.h:1712 #6 0x7fcd999c36c3 in std::shared_ptr<ivm::IsolateEnvironment>::shared_ptr<std::allocator<void>>(std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/13/bits/shared_ptr.h:464 #7 0x7fcd999c36c3 in std::shared_ptr<std::enable_if<!std::is_array<ivm::IsolateEnvironment>::value, ivm::IsolateEnvironment>::type> std::make_shared<ivm::IsolateEnvironment>() /usr/include/c++/13/bits/shared_ptr.h:1010 #8 0x7fcd999c36c3 in ivm::IsolateEnvironment::New(v8::Isolate*, v8::Local<v8::Context>) ../src/isolate/environment.h:182 #9 0x7fcd999c36c3 in init ../src/module/isolate.cc:101 #10 0x55b84da7c102 in std::_Function_handler<bool (node::binding::DLib*), node::binding::DLOpen(v8::FunctionCallbackInfo<v8::Value> const&)::{lambda(node::binding::DLib*)#1}>::_M_invoke(std::_Any_data const&, node::binding::DLib*&&) (/usr/local/bin/node+0xa7c102) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #11 0x55b84da2aadd in node::Environment::TryLoadAddon(char const*, int, std::function<bool (node::binding::DLib*)> const&) (/usr/local/bin/node+0xa2aadd) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #12 0x55b84da7b5ae in node::binding::DLOpen(v8::FunctionCallbackInfo<v8::Value> const&) (/usr/local/bin/node+0xa7b5ae) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #13 0x55b84dd5ab81 in 
v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) (/usr/local/bin/node+0xd5ab81) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #14 0x55b84dd5b0ea in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, unsigned long*, int) (/usr/local/bin/node+0xd5b0ea) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #15 0x55b84dd5b8e7 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) (/usr/local/bin/node+0xd5b8e7) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #16 0x55b84e768df5 in Builtins_CEntry_Return1_ArgvOnStack_BuiltinExit (/usr/local/bin/node+0x1768df5) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #17 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #18 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #19 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #20 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #21 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #22 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #23 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #24 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) 
(BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #25 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #26 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #27 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #28 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #29 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #30 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #31 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #32 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #33 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #34 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #35 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #36 0x55b84e6d90db in Builtins_JSEntryTrampoline (/usr/local/bin/node+0x16d90db) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) #37 0x55b84e6d8e02 in Builtins_JSEntry (/usr/local/bin/node+0x16d8e02) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f) SUMMARY: AddressSanitizer: heap-use-after-free ../src/isolate/executor.h:172 in ivm::Executor::GetCurrentEnvironment() Shadow 
bytes around the buggy address: 0x61d0000a9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x61d0000a9680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x61d0000a9880: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd 0x61d0000a9900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x61d0000a9b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2265968==ABORTING
This only happens in a release build. It is possibly related to some strict-aliasing warnings about uses of reinterpret_cast. Note that the trace above also shows an ordering problem: the freed object is the IsolateEnvironment released by IsolateHolder::Release() from node's cleanup queue (node::FreeEnvironment), while the read happens later from ~ExternalStringOneByte via IsolateEnvironment::GetCurrent() during v8::internal::Isolate::Delete(), i.e. the external-string destructors run after the environment they look up has already been destroyed.