c8e805a2fa
fixes #25595 ## Bug A `let` bound to a field of a value-type **case object** with a `ref` field is inferred as a non-owning cursor, but the cursor's source can be mutated through the cursor's own ref during a call, freeing the ref while the borrow still reads it. Use-after-free under arc/orc (refc is unaffected, it has no cursor inference): ```nim var destroyed = false type O = ref object value: int home: H W = object case k: bool of true: r: O of false: discard H = ref object w: W proc `=destroy`(o: var typeof(O()[])) = destroyed = true proc clear(o: O): int = o.home.w = W() # overwrites h.w via the back-reference -> frees the ref doAssert not destroyed # fails: the element was destroyed during the call result = o.value proc go(h: H): int = let c = h.w # inferred cursor (borrow of h.w) result = clear(c.r) proc main = let h = H() let o = O(value: 42) o.home = h h.w = W(k: true, r: o) doAssert go(h) == 42 main() ``` The `not destroyed` assert fails: the element is destroyed during the call, so the following `o.value` read is a use-after-free. The same code with the `=destroy` guard removed (so the freed `o.value` is actually read) is reported as `heap-use-after-free` by ASan under `-d:useMalloc -fsanitize=address`. Longstanding (reproduces back to 2.2.0). `--cursorInference:off` is a workaround. ## Root cause Cursor inference (`varpartitions.computeCursors`) cursors `let c = h.w` unless `dangerousMutation` finds a mutation of `c`'s graph within `c`'s alive range `aliveStart..aliveEnd`. Here the mutation (the `clear(c.r)` call) *is* connected to `c`'s graph and *is* recorded with `isMutated`, but it is recorded at an `abstractTime` just past `c.aliveEnd`, so the range check misses it. The gap is timing. `aliveEnd` is set from the last `nkSym` use of `c`. A call records its argument's mutation *after* traversing the whole argument subtree (`potentialMutationViaArg`). When the argument is `c.r` on a case object it is an `nkCheckedFieldExpr` (the discriminant check), whose extra nodes advance `abstractTime` past `c`'s last `nkSym`. A plain `nkDotExpr` has no such gap, so the bug needs a case object. ## Fix In `potentialMutation`, extend the mutated variable's liveness to the mutation time: ```nim v.s[id].aliveEnd = max(v.s[id].aliveEnd, v.abstractTime) ``` A variable mutated at time T is provably alive at T, so this only completes the liveness computation that `dangerousMutation` relies on. The worst case is an extra copy, never an unsound cursor. ## Note on the locus The fix is conservative by mechanism (it runs at every recorded mutation) but perf-neutral in practice: it only suppresses a cursor where the corrected liveness proves the borrow unsafe (cursor counts are unchanged on the suites). I can scope it to call arguments if you'd prefer it narrower. ## Test `tests/arc/t25595.nim`, matrix `--mm:orc; --mm:arc; --mm:refc`: the repro above as a `doAssert`. Fails (UAF) on arc/orc before the fix and passes after. refc passes throughout. ## Checks - repro passes on orc/arc after the fix. The guard-removed variant (which reads the freed value) is ASan-clean after the fix and was heap-use-after-free before. refc unaffected. - testament `destructor` 90/90, `arc` 120/120. `views` 5/6, same as stock (the one failure is environmental and pre-exists this change). - perf-neutral: inferred-cursor count is identical stock vs fix across the `arc` and `destructor` test files under `--mm:orc` (322 vs 322).
Nim
This repository contains the Nim compiler, Nim's stdlib, tools, and documentation. For more information about Nim, including downloads and documentation for the latest release, check out Nim's website or bleeding edge docs.
Community
- The forum - the best place to ask questions and to discuss Nim.
- #nim IRC Channel (Libera Chat) - a place to discuss Nim in real-time. Also where most development decisions get made.
- Discord - an additional place to discuss Nim in real-time. Most channels there are bridged to IRC.
- Gitter - an additional place to discuss Nim in real-time. There is a bridge between Gitter and the IRC channel.
- Matrix - the main room to discuss Nim in real-time. Matrix space contains a list of rooms, most of them are bridged to IRC.
- Telegram - an additional place to discuss Nim in real-time. There is the official Telegram channel. Not bridged to IRC.
- Stack Overflow - a popular Q/A site for programming related topics that includes posts about Nim.
- GitHub Wiki - Misc user-contributed content.
Compiling
The compiler currently officially supports the following platform and architecture combinations:
| Operating System | Architectures Supported |
|---|---|
| Windows (Windows XP or greater) | x86 and x86_64 |
| Linux (most distributions) | x86, x86_64, ppc64, and armv6l |
| Mac OS X (10.4 or greater) | x86, x86_64, ppc64, and Apple Silicon (ARM64) |
More platforms are supported, however, they are not tested regularly and they may not be as stable as the above-listed platforms.
Compiling the Nim compiler is quite straightforward if you follow these steps:
First, the C source of an older version of the Nim compiler is needed to
bootstrap the latest version because the Nim compiler itself is written in the
Nim programming language. Those C sources are available within the
nim-lang/csources_v3 repository.
Next, to build from source you will need:
- A C compiler such as
gcc6.x/later or an alternative such asclang,Visual C++orIntel C++. It is recommended to usegcc6.x or later. - Either
gitorwgetto download the needed source repositories. - The
build-essentialpackage when usinggccon Ubuntu (and likely other distros as well). - On Windows MinGW 4.3.0 (GCC 8.10) is the minimum recommended compiler.
- Nim hosts a known working MinGW distribution:
Windows Note: Cygwin and similar POSIX runtime environments are not supported.
Then, if you are on a *nix system or Windows, the following steps should compile
Nim from source using gcc, git, and the koch build tool.
Note: The following commands are for the development version of the compiler. For most users, installing the latest stable version is enough. Check out the installation instructions on the website to do so: https://nim-lang.org/install.html.
For package maintainers: see packaging guidelines.
First, get Nim from GitHub:
git clone https://github.com/nim-lang/Nim.git
cd Nim
Next, run the appropriate build shell script for your platform:
build_all.sh(Linux, Mac)build_all.bat(Windows)
Finally, once you have finished the build steps (on Windows, Mac, or Linux) you
should add the bin directory to your PATH.
See also bootstrapping the compiler.
See also reproducible builds.
Koch
koch is the build tool used to build various parts of Nim and to generate
documentation and the website, among other things. The koch tool can also
be used to run the Nim test suite.
Assuming that you added Nim's bin directory to your PATH, you may execute
the tests using ./koch tests. The tests take a while to run, but you
can run a subset of tests by specifying a category (for example
./koch tests cat async).
For more information on the koch build tool please see the documentation
within the doc/koch.md file.
Nimble
nimble is Nim's package manager. To learn more about it, see the
nim-lang/nimble repository.
Contributors
This project exists thanks to all the people who contribute.
Contributing
See detailed contributing guidelines. We welcome all contributions to Nim regardless of how small or large they are. Everything from spelling fixes to new modules to be included in the standard library are welcomed and appreciated. Before you start contributing, you should familiarize yourself with the following repository structure:
bin/,build/- these directories are empty, but are used when Nim is built.compiler/- the compiler source code. Also includes plugins withincompiler/plugins.nimsuggest- the nimsuggest tool that previously lived in thenim-lang/nimsuggestrepository.config/- the configuration for the compiler and documentation generator.doc/- the documentation files in reStructuredText format.lib/- the standard library, including:pure/- modules in the standard library written in pure Nim.impure/- modules in the standard library written in pure Nim with dependencies written in other languages.wrappers/- modules that wrap dependencies written in other languages.
tests/- contains categorized tests for the compiler and standard library.tools/- the tools includingniminst(mostly invoked viakoch).koch.nim- the tool used to bootstrap Nim, generate C sources, build the website, and generate the documentation.
If you are not familiar with making a pull request using GitHub and/or git, please read this guide.
Ideally, you should make sure that all tests pass before submitting a pull request.
However, if you are short on time, you can just run the tests specific to your
changes by only running the corresponding categories of tests. CI verifies
that all tests pass before allowing the pull request to be accepted, so only
running specific tests should be harmless.
Integration tests should go in tests/untestable.
If you're looking for ways to contribute, please look at our issue tracker.
There are always plenty of issues labeled Easy; these should
be a good starting point for an initial contribution to Nim.
You can also help with the development of Nim by making donations. Donations can be made using:
If you have any questions feel free to submit a question on the Nim forum, or via IRC on the #nim channel.
Backers
Thank you to all our backers! [Become a backer]
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
You can also see a list of all our sponsors/backers from various payment services on the sponsors page of our website.
License
The compiler and the standard library are licensed under the MIT license, except for some modules which explicitly state otherwise. As a result, you may use any compatible license (essentially any license) for your own programs developed with Nim. You are explicitly permitted to develop commercial applications using Nim.
Please read the copying.txt file for more details.
Copyright © 2006-2026 Andreas Rumpf, all rights reserved.