Fix #636: [Bug] Heap-use-after-free in chaiscript::Type_Info::bare_equal (Race Condition during eval_error formatting)#653
Closed
leftibot wants to merge 1 commit into
Conversation
…ng engine destruction The Dispatch_Engine member destruction order destroyed m_state (containing type maps) before m_stack_holder (containing async futures), allowing async threads to access freed type map memory during eval_error formatting. The fix moves async() registration from the stdlib into ChaiScript_Basic with thread tracking, and adds a Dispatch_Engine destructor that joins all tracked async threads before m_state is destroyed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
leftibot
added a commit
to leftibot/ChaiScript
that referenced
this pull request
Apr 11, 2026
…revent heap-use-after-free Issues ChaiScript#632 and ChaiScript#636 (PRs ChaiScript#651 and ChaiScript#653) both stem from the same root cause: async threads spawned via async() can outlive the Dispatch_Engine, accessing shared state (global objects map, type maps) after it has been destroyed. The fix moves async() registration from the stdlib module into ChaiScript_Basic, where spawned threads are tracked via Dispatch_Engine. The engine's destructor now joins all outstanding async threads before destroying shared data structures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Member
|
closing in favor of #655 |
lefticus
pushed a commit
that referenced
this pull request
Apr 11, 2026
…656) * Fix #655: Join async threads before engine destruction to prevent heap-use-after-free Issues #632 and #636 (PRs #651 and #653) both stem from the same root cause: async threads spawned via async() can outlive the Dispatch_Engine, accessing shared state (global objects map, type maps) after it has been destroyed. The fix moves async() registration from the stdlib module into ChaiScript_Basic, where spawned threads are tracked via Dispatch_Engine. The engine's destructor now joins all outstanding async threads before destroying shared data structures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Address review: follow rule of 5, explicitly default move operations Requested by @lefticus in PR #656 review. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: leftibot <leftibot@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated fix by @leftibot.
What changed
Files
Closes #636
Triggered by @lefticus.