Skip to content

[Bug] Heap-use-after-free in chaiscript::str_less::operator() due to race condition #632

Closed
Closed
[Bug] Heap-use-after-free in chaiscript::str_less::operator() due to race condition#632
@oneafter

Description

@oneafter
oneafter
opened on Jan 19, 2026

Description

We discovered a Heap-use-after-free vulnerability in ChaiScript caused by a race condition between threads. The crash occurs when a detached or async thread attempts to access a shared std::map (likely the function dispatch table or variable scope) while the main thread is destroying it.

The ASAN report shows a READ violation in chaiscript::str_less::operator() on a string object that was part of a map node already freed by the main thread.

Environment

  • OS: Linux x86_64
  • Complier: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: ChaiScript
  • Vulnerability Type: Heap-use-after-free (Race Condition)
  • Function: chaiscript::str_less::operator()
  • Location: include/chaiscript/chaiscript_defines.hpp:201
  • Root Cause Analysis: The vulnerability is caused by a race condition between the engine's shutdown process and active asynchronous threads.
  1. The provided PoC starts async threads (async(func)) that perform a loop.
  2. Inside the loop, the code accesses an undefined variable re6. This forces the worker thread to repeatedly perform lookups in the shared symbol table (std::map).
  3. The main script finishes execution and the ChaiScript engine begins to tear down, freeing the memory of the symbol table (Thread T0 calls operator delete).
  4. The worker thread (Thread T1), still running the loop, attempts to access the symbol map to look up re6. It tries to read a std::string key from a map node that was just freed by T0, resulting in a UAF.

Reproduce

  1. Build ChaiScript with Release optimization and ASAN enabled.
  2. Run with the crashing file:
poc 
var func = fun(){
  var ret = 0;
  for (var i = 0; i < 50000; ++i) {
    re6 += i; 
  }
  return ret;
}

var fut1 = async(func);
var fut2 = async(func);

./chai crash.chai
ASAN report 
==29807==ERROR: AddressSanitizer: heap-use-after-free on address 0x507000005280 at pc 0x56426d07d6db bp 0x7fec823fde90 sp 0x7fec823fde88
READ of size 8 at 0x507000005280 thread T1
    #0 0x56426d07d6da in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::_M_data() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.h:223:28
    #1 0x56426d07d6da in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>::begin() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.h:965:31
    #2 0x56426d07d6da in bool chaiscript::str_less::operator()<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::basic_string_view<char, std::char_traits<char>>>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::basic_string_view<char, std::char_traits<char>> const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/../chaiscript_defines.hpp:201:49
    #3 0x56426d07d6da in std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>> std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_lower_bound_tr<std::basic_string_view<char, std::char_traits<char>>, void>(std::basic_string_view<char, std::char_traits<char>> const&) const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:1338:11
    #4 0x56426d07d6da in std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>> std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_find_tr<std::basic_string_view<char, std::char_traits<char>>, void>(std::basic_string_view<char, std::char_traits<char>> const&) const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:1306:15
    #5 0x56426d07d6da in decltype((*this)._M_t._M_find_tr(fp)) std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::find<std::basic_string_view<char, std::char_traits<char>>>(std::basic_string_view<char, std::char_traits<char>> const&) const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_map.h:1251:16
    #6 0x56426d07d6da in chaiscript::detail::Dispatch_Engine::get_object(std::basic_string_view<char, std::char_traits<char>>, std::atomic<unsigned long>&, chaiscript::detail::Stack_Holder&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/dispatchkit.hpp:539:51
    #7 0x56426d0766ff in chaiscript::detail::Dispatch_State::get_object(std::basic_string_view<char, std::char_traits<char>>, std::atomic<unsigned long>&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/dispatchkit.hpp:1193:31
    #8 0x56426d0766ff in chaiscript::eval::Id_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:283:23
    #9 0x56426d0761e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #10 0x56426d1c3646 in chaiscript::eval::Equation_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const::'lambda'()::operator()() const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:426:41
    #11 0x56426d1c3646 in chaiscript::eval::Equation_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:420:23
    #12 0x56426d0761e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #13 0x56426d0ce60c in auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)::operator()(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_optimizer.hpp:398:60
    #14 0x56426d0cd79d in chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail> std::__invoke_impl<chaiscript::Boxed_Value, auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)&, std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&>(std::__invoke_other, auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)&, std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #15 0x56426d0cd79d in std::enable_if<is_invocable_r_v<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>, auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)&, std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&>, chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::type std::__invoke_r<chaiscript::Boxed_Value, auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)&, std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&>(auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)&, std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:114:9
    #16 0x56426d0cd79d in std::_Function_handler<chaiscript::Boxed_Value (std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&), auto chaiscript::optimizer::For_Loop::optimize<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>)::'lambda'(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)>::_M_invoke(std::_Any_data const&, std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:290:9
    #17 0x56426d0d2b85 in std::function<chaiscript::Boxed_Value (std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&)>::operator()(std::vector<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>, std::allocator<std::unique_ptr<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>, std::default_delete<chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>>>>> const&, chaiscript::detail::Dispatch_State const&) const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
    #18 0x56426d0d2b85 in chaiscript::eval::Compiled_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:166:105
    #19 0x56426d0761e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #20 0x56426d0c891c in chaiscript::eval::Block_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:703:30
    #21 0x56426d0761e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #22 0x56426d11da68 in chaiscript::Boxed_Value chaiscript::eval::detail::eval_function<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(chaiscript::detail::Dispatch_Engine&, chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, chaiscript::Function_Params const&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>> const*, bool) /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:88:25
    #23 0x56426d11c00c in chaiscript::eval::Lambda_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const::'lambda'(chaiscript::Function_Params const&)::operator()(chaiscript::Function_Params const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:660:22
    #24 0x56426d11c00c in chaiscript::dispatch::Dynamic_Proxy_Function_Impl<chaiscript::eval::Lambda_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const::'lambda'(chaiscript::Function_Params const&)>::do_call(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions.hpp:413:20
    #25 0x56426cc473b3 in chaiscript::dispatch::Proxy_Function_Base::operator()(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) const /src/ChaiScript/include/chaiscript/dispatchkit/proxy_functions.hpp:181:18
    #26 0x56426cc473b3 in chaiscript::Boxed_Value chaiscript::dispatch::dispatch<std::vector<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>, std::allocator<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>>>>(std::vector<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>, std::allocator<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>>> const&, chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/include/chaiscript/dispatchkit/proxy_functions.hpp:803:22
    #27 0x56426d018ef1 in chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>::call(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/static_libs/../include/chaiscript/dispatchkit/function_call_detail.hpp:40:32
    #28 0x56426d018ade in chaiscript::Boxed_Value chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>::operator()<>() /src/ChaiScript/static_libs/../include/chaiscript/dispatchkit/function_call_detail.hpp:50:16
    #29 0x56426d018767 in chaiscript::Boxed_Value std::__invoke_impl<chaiscript::Boxed_Value, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&>(std::__invoke_other, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #30 0x56426d018767 in std::enable_if<is_invocable_r_v<chaiscript::Boxed_Value, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&>, chaiscript::Boxed_Value>::type std::__invoke_r<chaiscript::Boxed_Value, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&>(chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:114:9
    #31 0x56426d018767 in std::_Function_handler<chaiscript::Boxed_Value (), chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:290:9
    #32 0x56426d012980 in std::function<chaiscript::Boxed_Value ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
    #33 0x56426d012980 in chaiscript::Boxed_Value std::__invoke_impl<chaiscript::Boxed_Value, std::function<chaiscript::Boxed_Value ()>>(std::__invoke_other, std::function<chaiscript::Boxed_Value ()>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #34 0x56426d012980 in std::__invoke_result<std::function<chaiscript::Boxed_Value ()>>::type std::__invoke<std::function<chaiscript::Boxed_Value ()>>(std::function<chaiscript::Boxed_Value ()>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
    #35 0x56426d012980 in chaiscript::Boxed_Value std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>::_M_invoke<0ul>(std::_Index_tuple<0ul>) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13
    #36 0x56426d012980 in std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>::operator()() /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11
    #37 0x56426d012980 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1409:27
    #38 0x56426d012674 in std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter> std::__invoke_impl<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&>(std::__invoke_other, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #39 0x56426d012674 in std::enable_if<is_invocable_r_v<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&>, std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>>::type std::__invoke_r<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&>(std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:114:9
    #40 0x56426d012674 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:290:9
    #41 0x56426d0121de in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
    #42 0x56426d0121de in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:589:27
    #43 0x7fec851fced2 in __pthread_once_slow nptl/pthread_once.c:116:7
    #44 0x56426d01189f in __gthread_once(int*, void (*)()) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/x86_64-linux-gnu/c++/13/bits/gthr-default.h:700:12
    #45 0x56426d01189f in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/mutex:907:21
    #46 0x56426d01189f in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:428:2
    #47 0x56426d00f38d in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1774:6
    #48 0x7fec85583db3 in execute_native_thread_routine /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:104:18
    #49 0x56426cb132ba in asan_thread_start(void*) asan_interceptors.cpp.o
    #50 0x7fec851f7aa3 in start_thread nptl/pthread_create.c:447:8
    #51 0x7fec85284a63 in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

0x507000005280 is located 32 bytes inside of 80-byte region [0x507000005260,0x5070000052b0)
freed by thread T0 here:
    #0 0x56426cb57c66 in operator delete(void*, unsigned long) (/src/ChaiScript/build_afl/chai+0x27bc66) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)
    #1 0x56426cc80e41 in std::__new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::deallocate(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:172:2
    #2 0x56426cc80e41 in std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::deallocate(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:210:25
    #3 0x56426cc80e41 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>>::deallocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>&, std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:517:13
    #4 0x56426cc80e41 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_put_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:567:9
    #5 0x56426cc80e41 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_drop_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:634:2
    #6 0x56426cc80e41 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_erase(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:1938:4

previously allocated by thread T0 here:
    #0 0x56426cb56fe1 in operator new(unsigned long) (/src/ChaiScript/build_afl/chai+0x27afe1) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)
    #1 0x56426cb9e999 in std::__new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
    #2 0x56426cb9e999 in std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
    #3 0x56426cb9e999 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>>::allocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
    #4 0x56426cb9e999 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_get_node() /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:563:16
    #5 0x56426cb9e999 in std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>* std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_create_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>>(std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:613:23
    #6 0x56426cb9e999 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_Auto_node::_Auto_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>>(std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>&, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:1637:18
    #7 0x56426cb9e999 in std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>> std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::_M_emplace_hint_unique<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>>(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:2462:13
    #8 0x56426cb9e655 in std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>> std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::emplace_hint<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>>(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_map.h:640:16
    #9 0x56426cb9e655 in std::enable_if<is_constructible<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>>::value, std::pair<std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>, bool>>::type std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>>::insert<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>>(std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_map.h:860:15

Thread T1 created by T0 here:
    #0 0x56426cafae75 in pthread_create (/src/ChaiScript/build_afl/chai+0x21ee75) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)
    #1 0x7fec85583eb0 in __gthread_create /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/include/x86_64-linux-gnu/bits/gthr-default.h:676:35
    #2 0x7fec85583eb0 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:172:37
    #3 0x56426d00ecc5 in std::thread::thread<void (std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::*)(), std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*, void>(void (std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::*&&)(), std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:164:2
    #4 0x56426d00ecc5 in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::_Async_state_impl<std::function<chaiscript::Boxed_Value ()> const&>(std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1756:16
    #5 0x56426d00d201 in void std::_Construct<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_construct.h:119:25
    #6 0x56426d00d201 in void std::allocator_traits<std::allocator<void>>::construct<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::allocator<void>&, std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:661:4
    #7 0x56426d00d201 in std::_Sp_counted_ptr_inplace<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<std::function<chaiscript::Boxed_Value ()> const&>(std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr_base.h:604:4
    #8 0x56426d00d201 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&>(std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*&, std::_Sp_alloc_shared_tag<std::allocator<void>>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr_base.h:972:6
    #9 0x56426d00d201 in std::__shared_ptr<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&>(std::_Sp_alloc_shared_tag<std::allocator<void>>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr_base.h:1712:14
    #10 0x56426d00d201 in std::shared_ptr<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>>::shared_ptr<std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&>(std::_Sp_alloc_shared_tag<std::allocator<void>>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr.h:464:4
    #11 0x56426d00d201 in std::shared_ptr<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>> std::make_shared<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr.h:1009:14
    #12 0x56426d00d201 in std::future<std::__invoke_result<std::decay<std::function<chaiscript::Boxed_Value ()> const&>::type>::type> std::async<std::function<chaiscript::Boxed_Value ()> const&>(std::launch, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1805:18
    #13 0x56426d0097ec in chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&)::operator()(std::function<chaiscript::Boxed_Value ()> const&) const /src/ChaiScript/static_libs/../include/chaiscript/chaiscript_stdlib.hpp:53:88
    #14 0x56426d0097ec in std::future<chaiscript::Boxed_Value> chaiscript::dispatch::detail::call_func<chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&), std::future<chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&, 0ul>(std::future<chaiscript::Boxed_Value> (*)(std::function<chaiscript::Boxed_Value ()> const&), std::integer_sequence<unsigned long, 0ul>, chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&) const&, chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions_detail.hpp:88:16
    #15 0x56426d0097ec in chaiscript::Boxed_Value chaiscript::dispatch::detail::call_func<chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&), std::future<chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::future<chaiscript::Boxed_Value> (*)(std::function<chaiscript::Boxed_Value ()> const&), chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&) const&, chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions_detail.hpp:102:45
    #16 0x56426d0093c5 in chaiscript::dispatch::Proxy_Function_Callable_Impl<std::future<chaiscript::Boxed_Value> (std::function<chaiscript::Boxed_Value ()> const&), chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&)>::do_call(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions.hpp:546:16
    #17 0x56426d0b6089 in chaiscript::eval::Fun_Call_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:343:105
    #18 0x56426d0d3941 in chaiscript::eval::Assign_Decl_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:539:72
    #19 0x56426d0761e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #20 0x56426d1ca255 in chaiscript::eval::File_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:1124:34
    #21 0x56426d0761e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #22 0x56426cb7db1e in chaiscript::ChaiScript_Basic::do_eval(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) /src/ChaiScript/include/chaiscript/language/chaiscript_engine.hpp:85:19
    #23 0x56426cb76c5e in chaiscript::ChaiScript_Basic::eval(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::shared_ptr<chaiscript::detail::Exception_Handler_Base> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/ChaiScript/include/chaiscript/language/chaiscript_engine.hpp:645:16
    #24 0x56426cb76c5e in chaiscript::ChaiScript_Basic::eval_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::shared_ptr<chaiscript::detail::Exception_Handler_Base> const&) /src/ChaiScript/include/chaiscript/language/chaiscript_engine.hpp:660:14
    #25 0x56426cb6f1c5 in main /src/ChaiScript/src/main.cpp:338:16
    #26 0x7fec851851c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #27 0x7fec8518528a in __libc_start_main csu/../csu/libc-start.c:360:3
    #28 0x56426ca75b34 in _start (/src/ChaiScript/build_afl/chai+0x199b34) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)

SUMMARY: AddressSanitizer: heap-use-after-free /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/../chaiscript_defines.hpp:201:49 in bool chaiscript::str_less::operator()<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::basic_string_view<char, std::char_traits<char>>>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::basic_string_view<char, std::char_traits<char>> const&) const
Shadow bytes around the buggy address:
  0x507000005000: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x507000005080: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x507000005100: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x507000005180: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x507000005200: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x507000005280:[fd]fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x507000005300: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x507000005380: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x507000005400: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x507000005480: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x507000005500: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29807==ABORTING

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions