[Bug] Heap-use-after-free in chaiscript::Type_Info::bare_equal (Race Condition during eval_error formatting) #636

@oneafter

Description

We discovered a Heap-use-after-free vulnerability in ChaiScript triggered by a race condition between the main thread (engine destruction) and a worker thread (exception handling).

The crash occurs when an asynchronous thread throws an exception (e.g., eval_error) and attempts to format the error message by looking up type names (get_type_name), while the main thread is simultaneously destroying the Dispatch_Engine and its internal type maps.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: ChaiScript
  • Vulnerability Type: Heap-use-after-free (Race Condition)
  • Function: chaiscript::Type_Info::bare_equal
  • Location: include/chaiscript/dispatchkit/type_info.hpp:58 called from dispatchkit.hpp:586
  • Root Cause Analysis:
  1. The PoC launches an async task that executes a loop with a potential logic error or type mismatch (!+i), which triggers a chaiscript::exception::eval_error.
  2. The main thread reaches the end of the script (or encounters the syntax error at the end of the PoC) and begins destroying the ChaiScript instance.
  3. Thread T0 (Main) frees the memory associated with the internal type map (std::_Rb_tree::_M_erase).
  4. Thread T1 (Worker), while constructing the eval_error message, calls Dispatch_Engine::get_type_name -> Type_Info::bare_equal to describe the objects involved in the error.
  5. T1 accesses the memory of a type node that T0 has just freed, causing the UAF.
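
The race in steps 1 to 5 is a lifetime-ordering bug: the worker builds its eval_error message from a Dispatch_Engine whose owner is allowed to destroy it first. The C++ below is an added example, not ChaiScript's code, that shows the two guards which close that window in a stand-in engine: each worker holds a strong reference to the shared type map, and the owner's destructor drains outstanding futures before its members are torn down. All names (TypeRegistry, Engine, formatErrorAsync, runAndDestroy) are hypothetical.

```cpp
// Added example, not ChaiScript's code. TypeRegistry stands in for the
// engine's name -> Type_Info map; Engine stands in for the object whose
// destruction races the worker in the report above.
#include <future>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <typeindex>
#include <typeinfo>
#include <vector>

// Stand-in for the type map that thread T0 frees in the report.
class TypeRegistry {
public:
    void add(const std::string& name, std::type_index ti) { names_[ti] = name; }
    std::string typeName(std::type_index ti) const {
        auto it = names_.find(ti);
        return it == names_.end() ? std::string("<unknown>") : it->second;
    }
private:
    std::map<std::type_index, std::string> names_;
};

// The unsafe shape is a worker that captures a raw reference to a registry
// owned by an object that may be destroyed first (the report's T0/T1 race).
// The hardened shape below applies two independent guards:
//   1. ownership: the registry lives behind shared_ptr and every worker
//      holds its own strong reference, so the map cannot be freed under it;
//   2. ordering: the destructor waits for all outstanding futures before
//      any member is destroyed.
class Engine {
public:
    Engine() : registry_(std::make_shared<TypeRegistry>()) {
        registry_->add("int", typeid(int));
        registry_->add("string", typeid(std::string));
    }
    ~Engine() {
        // Drain outstanding async work before members are destroyed.
        for (auto& f : pending_) {
            if (f.valid()) f.wait();
        }
    }
    // Launch a worker that formats an eval-error-style message from the
    // type map, the way the report's T1 does inside format_parameters.
    std::shared_future<std::string> formatErrorAsync(std::type_index ti) {
        auto reg = registry_;  // strong reference keeps the map alive for this worker
        auto fut = std::async(std::launch::async, [reg, ti] {
            return "Error with parameters: (" + reg->typeName(ti) + ")";
        }).share();
        pending_.push_back(fut);
        return fut;
    }
private:
    std::shared_ptr<TypeRegistry> registry_;
    std::vector<std::shared_future<std::string>> pending_;
};

// Destroy the engine while work is outstanding and return the worker's result.
// With the two guards in place the worker always sees a live registry and the
// result is a fully formatted message.
std::string runAndDestroy() {
    std::shared_future<std::string> fut;
    {
        Engine engine;
        fut = engine.formatErrorAsync(typeid(int));
    } // ~Engine waits here; the registry is freed only after the worker is done
    return fut.get();
}

int main() {
    std::cout << runAndDestroy() << "\n";
    return 0;
}
```

Either guard alone would be enough for this particular lookup; keeping both means a future refactor that drops one (for example, a worker that stores a raw `const Dispatch_Engine&`, as the stack trace shows) still cannot reintroduce the read-after-free.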

Reproduce

  1. Build ChaiScript with Release optimization and ASAN enabled.
  2. Run with the crashing file:
poc

```
var func = fun(){
  var ret = 0;
  for (var i = 0; i < 50000; !+i) {
    ret += i;
  }
  return ret;
}

var fut1 = async(func);
var fut2 = async(func);

?print(" ${fut1.get()} ${fut2.get()} ")
```

```sh
./chai crash.chai
```
ASAN report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30557==ERROR: AddressSanitizer: heap-use-after-free on address 0x508000001ee8 at pc 0x55d4f13f3f91 bp 0x7f33c65fdde0 sp 0x7f33c65fddd8
READ of size 8 at 0x508000001ee8 thread T1
    #0 0x55d4f13f3f90 in chaiscript::Type_Info::bare_equal(chaiscript::Type_Info const&) const /src/ChaiScript/include/chaiscript/dispatchkit/type_info.hpp:58:37
    #1 0x55d4f13f3f90 in chaiscript::detail::Dispatch_Engine::get_type_name[abi:cxx11](chaiscript::Type_Info const&) const /src/ChaiScript/include/chaiscript/dispatchkit/dispatchkit.hpp:586:27
    #2 0x55d4f18959f7 in chaiscript::detail::Dispatch_Engine::type_name[abi:cxx11](chaiscript::Boxed_Value const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/dispatchkit.hpp:965:68
    #3 0x55d4f18959f7 in chaiscript::exception::eval_error::format_parameters[abi:cxx11](std::vector<chaiscript::Boxed_Value, std::allocator<chaiscript::Boxed_Value>> const&, bool, chaiscript::detail::Dispatch_Engine const&) /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_common.hpp:491:30
    #4 0x55d4f189377e in chaiscript::exception::eval_error::format(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::vector<chaiscript::Boxed_Value, std::allocator<chaiscript::Boxed_Value>> const&, bool, chaiscript::detail::Dispatch_Engine const&) /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_common.hpp:559:38
    #5 0x55d4f188e502 in chaiscript::exception::eval_error::eval_error(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::vector<chaiscript::Boxed_Value, std::allocator<chaiscript::Boxed_Value>> const&, std::vector<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>, std::allocator<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>>> const&, bool, chaiscript::detail::Dispatch_Engine const&) /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_common.hpp:327:32
    #6 0x55d4f1946f54 in chaiscript::eval::Prefix_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:1175:17
    #7 0x55d4f185f1e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #8 0x55d4f1990693 in chaiscript::eval::For_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:950:125
    #9 0x55d4f185f1e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #10 0x55d4f18b191c in chaiscript::eval::Block_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:703:30
    #11 0x55d4f185f1e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #12 0x55d4f1906a68 in chaiscript::Boxed_Value chaiscript::eval::detail::eval_function<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>(chaiscript::detail::Dispatch_Engine&, chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, chaiscript::Function_Params const&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Boxed_Value, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Boxed_Value>>> const*, bool) /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:88:25
    #13 0x55d4f190500c in chaiscript::eval::Lambda_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const::'lambda'(chaiscript::Function_Params const&)::operator()(chaiscript::Function_Params const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:660:22
    #14 0x55d4f190500c in chaiscript::dispatch::Dynamic_Proxy_Function_Impl<chaiscript::eval::Lambda_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const::'lambda'(chaiscript::Function_Params const&)>::do_call(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions.hpp:413:20
    #15 0x55d4f14303b3 in chaiscript::dispatch::Proxy_Function_Base::operator()(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) const /src/ChaiScript/include/chaiscript/dispatchkit/proxy_functions.hpp:181:18
    #16 0x55d4f14303b3 in chaiscript::Boxed_Value chaiscript::dispatch::dispatch<std::vector<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>, std::allocator<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>>>>(std::vector<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>, std::allocator<std::shared_ptr<chaiscript::dispatch::Proxy_Function_Base const>>> const&, chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/include/chaiscript/dispatchkit/proxy_functions.hpp:803:22
    #17 0x55d4f1801ef1 in chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>::call(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/static_libs/../include/chaiscript/dispatchkit/function_call_detail.hpp:40:32
    #18 0x55d4f1801ade in chaiscript::Boxed_Value chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>::operator()<>() /src/ChaiScript/static_libs/../include/chaiscript/dispatchkit/function_call_detail.hpp:50:16
    #19 0x55d4f1801767 in chaiscript::Boxed_Value std::__invoke_impl<chaiscript::Boxed_Value, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&>(std::__invoke_other, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #20 0x55d4f1801767 in std::enable_if<is_invocable_r_v<chaiscript::Boxed_Value, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&>, chaiscript::Boxed_Value>::type std::__invoke_r<chaiscript::Boxed_Value, chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&>(chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:114:9
    #21 0x55d4f1801767 in std::_Function_handler<chaiscript::Boxed_Value (), chaiscript::dispatch::detail::Build_Function_Caller_Helper<chaiscript::Boxed_Value>>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:290:9
    #22 0x55d4f17fb980 in std::function<chaiscript::Boxed_Value ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
    #23 0x55d4f17fb980 in chaiscript::Boxed_Value std::__invoke_impl<chaiscript::Boxed_Value, std::function<chaiscript::Boxed_Value ()>>(std::__invoke_other, std::function<chaiscript::Boxed_Value ()>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #24 0x55d4f17fb980 in std::__invoke_result<std::function<chaiscript::Boxed_Value ()>>::type std::__invoke<std::function<chaiscript::Boxed_Value ()>>(std::function<chaiscript::Boxed_Value ()>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
    #25 0x55d4f17fb980 in chaiscript::Boxed_Value std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>::_M_invoke<0ul>(std::_Index_tuple<0ul>) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13
    #26 0x55d4f17fb980 in std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>::operator()() /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11
    #27 0x55d4f17fb980 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1409:27
    #28 0x55d4f17fb674 in std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter> std::__invoke_impl<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&>(std::__invoke_other, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
    #29 0x55d4f17fb674 in std::enable_if<is_invocable_r_v<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&>, std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>>::type std::__invoke_r<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&>(std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:114:9
    #30 0x55d4f17fb674 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<chaiscript::Boxed_Value>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>>::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:290:9
    #31 0x55d4f17fb1de in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
    #32 0x55d4f17fb1de in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:589:27
    #33 0x7f33c9343ed2 in __pthread_once_slow nptl/pthread_once.c:116:7
    #34 0x55d4f17fa89f in __gthread_once(int*, void (*)()) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/x86_64-linux-gnu/c++/13/bits/gthr-default.h:700:12
    #35 0x55d4f17fa89f in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/mutex:907:21
    #36 0x55d4f17fa89f in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:428:2
    #37 0x55d4f17f838d in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1774:6
    #38 0x7f33c96cadb3 in execute_native_thread_routine /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:104:18
    #39 0x55d4f12fc2ba in asan_thread_start(void*) asan_interceptors.cpp.o
    #40 0x7f33c933eaa3 in start_thread nptl/pthread_create.c:447:8
    #41 0x7f33c93cba63 in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

0x508000001ee8 is located 72 bytes inside of 88-byte region [0x508000001ea0,0x508000001ef8)
freed by thread T0 here:
    #0 0x55d4f1340c66 in operator delete(void*, unsigned long) (/src/ChaiScript/build_afl/chai+0x27bc66) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)
    #1 0x55d4f1469991 in std::__new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::deallocate(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:172:2
    #2 0x55d4f1469991 in std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::deallocate(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:210:25
    #3 0x55d4f1469991 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>>::deallocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>&, std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>*, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:517:13
    #4 0x55d4f1469991 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_M_put_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:567:9
    #5 0x55d4f1469991 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_M_drop_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:634:2
    #6 0x55d4f1469991 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_M_erase(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:1938:4

previously allocated by thread T0 here:
    #0 0x55d4f133ffe1 in operator new(unsigned long) (/src/ChaiScript/build_afl/chai+0x27afe1) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)
    #1 0x55d4f138b6e6 in std::__new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
    #2 0x55d4f138b6e6 in std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
    #3 0x55d4f138b6e6 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>>::allocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
    #4 0x55d4f138b6e6 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_M_get_node() /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:563:16
    #5 0x55d4f138b6e6 in std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>* std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_M_create_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>>(std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:613:23
    #6 0x55d4f138b6e6 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_Auto_node::_Auto_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>>(std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>&, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:1637:18
    #7 0x55d4f138b6e6 in std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>> std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::_M_emplace_hint_unique<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>>(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_tree.h:2462:13
    #8 0x55d4f1386895 in std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>> std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::emplace_hint<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>>(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_map.h:640:16
    #9 0x55d4f1386895 in std::enable_if<is_constructible<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>>::value, std::pair<std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>, bool>>::type std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info, chaiscript::str_less, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, chaiscript::Type_Info>>>::insert<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>>(std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, chaiscript::Type_Info>&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_map.h:860:15

Thread T1 created by T0 here:
    #0 0x55d4f12e3e75 in pthread_create (/src/ChaiScript/build_afl/chai+0x21ee75) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)
    #1 0x7f33c96caeb0 in __gthread_create /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/include/x86_64-linux-gnu/bits/gthr-default.h:676:35
    #2 0x7f33c96caeb0 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:172:37
    #3 0x55d4f17f7cc5 in std::thread::thread<void (std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::*)(), std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*, void>(void (std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::*&&)(), std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:164:2
    #4 0x55d4f17f7cc5 in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>::_Async_state_impl<std::function<chaiscript::Boxed_Value ()> const&>(std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1756:16
    #5 0x55d4f17f6201 in void std::_Construct<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_construct.h:119:25
    #6 0x55d4f17f6201 in void std::allocator_traits<std::allocator<void>>::construct<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::allocator<void>&, std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:661:4
    #7 0x55d4f17f6201 in std::_Sp_counted_ptr_inplace<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<std::function<chaiscript::Boxed_Value ()> const&>(std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr_base.h:604:4
    #8 0x55d4f17f6201 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&>(std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>*&, std::_Sp_alloc_shared_tag<std::allocator<void>>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr_base.h:972:6
    #9 0x55d4f17f6201 in std::__shared_ptr<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&>(std::_Sp_alloc_shared_tag<std::allocator<void>>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr_base.h:1712:14
    #10 0x55d4f17f6201 in std::shared_ptr<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>>::shared_ptr<std::allocator<void>, std::function<chaiscript::Boxed_Value ()> const&>(std::_Sp_alloc_shared_tag<std::allocator<void>>, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr.h:464:4
    #11 0x55d4f17f6201 in std::shared_ptr<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>> std::make_shared<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<std::function<chaiscript::Boxed_Value ()>>>, chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/shared_ptr.h:1009:14
    #12 0x55d4f17f6201 in std::future<std::__invoke_result<std::decay<std::function<chaiscript::Boxed_Value ()> const&>::type>::type> std::async<std::function<chaiscript::Boxed_Value ()> const&>(std::launch, std::function<chaiscript::Boxed_Value ()> const&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/future:1805:18
    #13 0x55d4f17f27ec in chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&)::operator()(std::function<chaiscript::Boxed_Value ()> const&) const /src/ChaiScript/static_libs/../include/chaiscript/chaiscript_stdlib.hpp:53:88
    #14 0x55d4f17f27ec in std::future<chaiscript::Boxed_Value> chaiscript::dispatch::detail::call_func<chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&), std::future<chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&, 0ul>(std::future<chaiscript::Boxed_Value> (*)(std::function<chaiscript::Boxed_Value ()> const&), std::integer_sequence<unsigned long, 0ul>, chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&) const&, chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions_detail.hpp:88:16
    #15 0x55d4f17f27ec in chaiscript::Boxed_Value chaiscript::dispatch::detail::call_func<chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&), std::future<chaiscript::Boxed_Value>, std::function<chaiscript::Boxed_Value ()> const&>(std::future<chaiscript::Boxed_Value> (*)(std::function<chaiscript::Boxed_Value ()> const&), chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&) const&, chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions_detail.hpp:102:45
    #16 0x55d4f17f23c5 in chaiscript::dispatch::Proxy_Function_Callable_Impl<std::future<chaiscript::Boxed_Value> (std::function<chaiscript::Boxed_Value ()> const&), chaiscript::Std_Lib::library()::'lambda'(std::function<chaiscript::Boxed_Value ()> const&)>::do_call(chaiscript::Function_Params const&, chaiscript::Type_Conversions_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/../dispatchkit/proxy_functions.hpp:546:16
    #17 0x55d4f189f089 in chaiscript::eval::Fun_Call_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:343:105
    #18 0x55d4f18bc941 in chaiscript::eval::Assign_Decl_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:539:72
    #19 0x55d4f185f1e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #20 0x55d4f19b3255 in chaiscript::eval::File_AST_Node<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval_internal(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:1124:34
    #21 0x55d4f185f1e8 in chaiscript::eval::AST_Node_Impl<chaiscript::eval::Tracer<chaiscript::eval::Noop_Tracer_Detail>>::eval(chaiscript::detail::Dispatch_State const&) const /src/ChaiScript/static_libs/../include/chaiscript/language/chaiscript_eval.hpp:141:18
    #22 0x55d4f1366b1e in chaiscript::ChaiScript_Basic::do_eval(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) /src/ChaiScript/include/chaiscript/language/chaiscript_engine.hpp:85:19
    #23 0x55d4f135fc5e in chaiscript::ChaiScript_Basic::eval(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::shared_ptr<chaiscript::detail::Exception_Handler_Base> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/ChaiScript/include/chaiscript/language/chaiscript_engine.hpp:645:16
    #24 0x55d4f135fc5e in chaiscript::ChaiScript_Basic::eval_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::shared_ptr<chaiscript::detail::Exception_Handler_Base> const&) /src/ChaiScript/include/chaiscript/language/chaiscript_engine.hpp:660:14
    #25 0x55d4f13581c5 in main /src/ChaiScript/src/main.cpp:338:16
    #26 0x7f33c92cc1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #27 0x7f33c92cc28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #28 0x55d4f125eb34 in _start (/src/ChaiScript/build_afl/chai+0x199b34) (BuildId: 8364a862145966bbe9fb7af8769bd28a4608a787)

SUMMARY: AddressSanitizer: heap-use-after-free /src/ChaiScript/include/chaiscript/dispatchkit/type_info.hpp:58:37 in chaiscript::Type_Info::bare_equal(chaiscript::Type_Info const&) const
Shadow bytes around the buggy address:
==30557==ABORTING
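The trace shows the worker thread created by the stdlib's `async()` builtin (frame #13) outliving the engine whose type map it reads. As an added example, not code from ChaiScript or the reporter, the hypothetical `SafeEngine` below shows the mitigation pattern for this class of bug: the owner keeps a handle to every task it launches and joins them in its destructor before the map is destroyed. All names (`SafeEngine`, `launch`, `pending_`, `run_scenario`) are assumed.

```cpp
#include <chrono>
#include <future>
#include <map>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Hypothetical stand-in for Dispatch_Engine (not ChaiScript's code): it owns the
// type-name map plus a handle to each launched task, and joins them on teardown.
class SafeEngine {
public:
  SafeEngine() { types_["int"] = 1; types_["string"] = 2; }
  // Counterpart of the stdlib async() in frame #13: the returned future goes
  // to the caller, but the engine also keeps a copy so it can join on it.
  std::shared_future<std::string> launch(const std::string& type_key) {
    std::shared_future<std::string> fut =
        std::async(std::launch::async, [this, type_key] {
          // Delay so the worker is still running when the owner goes away.
          std::this_thread::sleep_for(std::chrono::milliseconds(20));
          return get_type_name(type_key);  // lookup on the engine's map
        }).share();
    std::lock_guard<std::mutex> lk(mu_);
    pending_.push_back(fut);
    return fut;
  }
  // Counterpart of get_type_name(): reads the map that the report saw freed.
  std::string get_type_name(const std::string& key) const {
    auto it = types_.find(key);
    return it == types_.end() ? "unknown:" + key : key;
  }
  ~SafeEngine() {
    std::vector<std::shared_future<std::string>> local;
    { std::lock_guard<std::mutex> lk(mu_); local.swap(pending_); }
    for (auto& f : local) f.wait();  // join before types_ is torn down
  }
private:
  std::map<std::string, int> types_;
  std::mutex mu_;
  std::vector<std::shared_future<std::string>> pending_;
};

// Destroys the engine while a worker is in flight, then reads the result; the
// destructor join is what makes this a read of a live map rather than a UAF.
std::string run_scenario() {
  std::shared_future<std::string> fut;
  { SafeEngine e; fut = e.launch("int"); }  // e destroyed here
  return fut.get();
}
```

Without the join in `~SafeEngine`, the same scenario is the race the report describes: the worker would run `get_type_name` against a map that has already been destroyed.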
