The following program:
#include <thread>
int main() {
    std::thread([]{}).join();
}
compiled with -fsanitize=address (Emscripten 2.0.6):
emcc main-thread.cc -pthread -fsanitize=address -s INITIAL_MEMORY=134217728 -s PROXY_TO_PTHREAD=1 -s EXIT_RUNTIME=1
results in the following errors:
Pthread 0x3d03d80 exited.
Proxied main thread 0x3d03ec0 finished with return code 0. EXIT_RUNTIME=1 set, quitting process.
Pthread 0x3d03ec0 exited.
=================================================================
==42==ERROR: AddressSanitizer: heap-use-after-free on address 0x03d03d8c at pc 0x00033f16 bp 0x0196a6b0 sp 0x0196a6bc
WRITE of size 4 at 0x03d03d8c thread T0
#0 0x33f16 in wasm-function[1157]+0x33f16 (a.out.wasm+0x33f16)
0x03d03d8c is located 12 bytes inside of 232-byte region [0x03d03d80,0x03d03e68)
freed by thread T0 here:
#0 0x234e4 in wasm-function[759]+0x234e4 (a.out.wasm+0x234e4)
#1 0x80000521 (JavaScript+0x521)
#2 0x800007bc in Object.freeThreadData a.out.js:1980:4
#3 0x800007c7 in Object.returnWorkerToPool a.out.js:1991:11
#4 0x800007f4 in Worker.worker.onmessage a.out.js:2036:14
#5 0x8000080e in Worker.<anonymous> a.out.js:2062:12
#6 0x8000013b in Worker.emit events.js:315:20
#7 0x800000c0 in MessagePort.<anonymous> internal/worker.js:192:55
previously allocated by thread T0 here:
#0 0x2367d in wasm-function[760]+0x2367d (a.out.wasm+0x2367d)
#1 0x80000521 (JavaScript+0x521)
#2 0x80001403 in _emscripten_builtin_pthread_create a.out.js:5123:25
#3 0x108bf in wasm-function[483]+0x108bf (a.out.wasm+0x108bf)
#4 0x10217 in wasm-function[482]+0x10217 (a.out.wasm+0x10217)
#5 0x15029 in wasm-function[500]+0x15029 (a.out.wasm+0x15029)
#6 0x80000521 (JavaScript+0x521)
#7 0x800007db in Worker.worker.onmessage a.out.js:2011:5
SUMMARY: AddressSanitizer: heap-use-after-free (a.out.wasm+0x33f15) in wasm-function[1157]+0x33f15
Shadow bytes around the buggy address:
0x007a0760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007a0770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007a0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007a0790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007a07a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x007a07b0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x007a07c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x007a07d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x007a07e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x007a07f0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
0x007a0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==42==ABORTING
=================================================================
==42==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x23a29 in wasm-function[778]+0x23a29 (a.out.wasm+0x23a29)
#1 0x19c1 in wasm-function[62]+0x19c1 (a.out.wasm+0x19c1)
#2 0x1809 in wasm-function[61]+0x1809 (a.out.wasm+0x1809)
#3 0x3d36 in wasm-function[128]+0x3d36 (a.out.wasm+0x3d36)
#4 0x800000cb (JavaScript+0xcb)
#5 0x800000cb (JavaScript+0xcb)
#6 0x15a43 in wasm-function[503]+0x15a43 (a.out.wasm+0x15a43)
#7 0x16b98 in wasm-function[543]+0x16b98 (a.out.wasm+0x16b98)
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x23a29 in wasm-function[778]+0x23a29 (a.out.wasm+0x23a29)
#1 0x9581 in wasm-function[311]+0x9581 (a.out.wasm+0x9581)
#2 0x19c8 in wasm-function[62]+0x19c8 (a.out.wasm+0x19c8)
#3 0x1809 in wasm-function[61]+0x1809 (a.out.wasm+0x1809)
#4 0x3d36 in wasm-function[128]+0x3d36 (a.out.wasm+0x3d36)
#5 0x800000cb (JavaScript+0xcb)
#6 0x800000cb (JavaScript+0xcb)
#7 0x15a43 in wasm-function[503]+0x15a43 (a.out.wasm+0x15a43)
SUMMARY: AddressSanitizer: 28 byte(s) leaked in 2 allocation(s).