Invalid `free()` attempting to instantiate an expression with Arch Linux Nix package

[LordMZTE]

Describe the bug

Instantiating the below Nix expression will lead to memory corruption. In the case of the following example, this manifests itself as an invalid free() call, but in a flake where I first encountered this, it caused a segmentation fault.

Steps To Reproduce

1. Create a file bug.nix:

with import <nixpkgs> { };
(pkgs.mkYarnPackage {
  name = "yamlls";
  src = pkgs.fetchFromGitHub {
    owner = "redhat-developer";
    repo = "yaml-language-server";
    rev = "dfccc6fc095faeb5d07051b51f308478cdac70fd";
    hash = "sha256-klgAyp7rZvKhVPsOetaubizG5ZoynjdVd33vj/50/CM=";
  };
})

2. nix-instantiate bug.nix

free(): invalid next size (fast)
fish: Job 2, 'nix-instantiate bug.nix' terminated by signal SIGABRT (Abort)

Expected behavior

The expression is instantiated successfully.

nix-env --version output nix-env (Nix) 2.22.0

Additional context

• OS: Arch Linux 6.8.8
• A nix daemon is in use but does not report any errors
• lib.trivial.version of the nixpkgs used: 24.05pre588366.9a9dae8f6319

GDB Backtrace

#0  0x00007ffff72ac194 in ?? () from /usr/lib/libc.so.6
#1  0x00007ffff7258d70 in raise () from /usr/lib/libc.so.6
#2  0x00007ffff72404c0 in abort () from /usr/lib/libc.so.6
#3  0x00007ffff72413c2 in ?? () from /usr/lib/libc.so.6
#4  0x00007ffff72b6305 in ?? () from /usr/lib/libc.so.6
#5  0x00007ffff72b874c in ?? () from /usr/lib/libc.so.6
#6  0x00007ffff72bb07e in free () from /usr/lib/libc.so.6
#7  0x00007ffff7c70d1e in ?? () from /usr/lib/libnixexpr.so
#8  0x00007ffff7c9985d in nix::ExprConcatStrings::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#9  0x00007ffff7d05856 in ?? () from /usr/lib/libnixexpr.so
#10 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#11 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#12 0x00007ffff7c7b88d in ?? () from /usr/lib/libnixexpr.so
#13 0x00007ffff7d02582 in nix::prim_getAttr(nix::EvalState&, nix::PosIdx, nix::Value**, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#14 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#15 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#16 0x00007ffff7c94bb8 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#17 0x00007ffff7c98782 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#18 0x00007ffff7c98aa1 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#19 0x00007ffff7c98f04 in nix::ExprConcatStrings::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#20 0x00007ffff7c9468f in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#21 0x00007ffff7d05856 in ?? () from /usr/lib/libnixexpr.so
#22 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#23 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#24 0x00007ffff7c7b88d in ?? () from /usr/lib/libnixexpr.so
#25 0x00007ffff7d02582 in nix::prim_getAttr(nix::EvalState&, nix::PosIdx, nix::Value**, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#26 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#27 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#28 0x00007ffff7c94bb8 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#29 0x00007ffff7c98782 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#30 0x00007ffff7c98aa1 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#31 0x00007ffff7c98f04 in nix::ExprConcatStrings::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#32 0x00007ffff7d05856 in ?? () from /usr/lib/libnixexpr.so
#33 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#34 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#35 0x00007ffff7c7b88d in ?? () from /usr/lib/libnixexpr.so
#36 0x00007ffff7d02582 in nix::prim_getAttr(nix::EvalState&, nix::PosIdx, nix::Value**, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#37 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#38 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#39 0x00007ffff7c94bb8 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#40 0x00007ffff7c98782 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#41 0x00007ffff7c98aa1 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#42 0x00007ffff7ca4638 in nix::EvalState::coerceToPath(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >) () from /usr/lib/libnixexpr.so
#43 0x00007ffff7d76e5b in ?? () from /usr/lib/libnixexpr.so
#44 0x00007ffff7cff9af in ?? () from /usr/lib/libnixexpr.so
#45 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#46 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#47 0x00007ffff7c94485 in nix::ExprVar::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#48 0x00007ffff7c94e14 in nix::ExprOpHasAttr::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#49 0x00007ffff7c91402 in ?? () from /usr/lib/libnixexpr.so
#50 0x00007ffff7c91639 in nix::ExprIf::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#51 0x00007ffff7c93493 in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#52 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#53 0x00007ffff7c7b88d in ?? () from /usr/lib/libnixexpr.so
#54 0x00007ffff7d0dc10 in ?? () from /usr/lib/libnixexpr.so
#55 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#56 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#57 0x00007ffff7c7b88d in ?? () from /usr/lib/libnixexpr.so
#58 0x00007ffff7d0b5a6 in ?? () from /usr/lib/libnixexpr.so
#59 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#60 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#61 0x00007ffff7d12914 in ?? () from /usr/lib/libnixexpr.so
#62 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#63 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#64 0x00007ffff7d0e652 in ?? () from /usr/lib/libnixexpr.so
#65 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#66 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#67 0x00007ffff7c93493 in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#68 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#69 0x00007ffff7c94485 in nix::ExprVar::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#70 0x00007ffff7c923a3 in nix::ExprOpEq::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#71 0x00007ffff7c91402 in ?? () from /usr/lib/libnixexpr.so
#72 0x00007ffff7c91639 in nix::ExprIf::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#73 0x00007ffff7c92d16 in nix::ExprLet::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#74 0x00007ffff7c93493 in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#75 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#76 0x00007ffff7c94485 in nix::ExprVar::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#77 0x00007ffff7c94503 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#78 0x00007ffff7c92d16 in nix::ExprLet::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#79 0x00007ffff7c93493 in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#80 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#81 0x00007ffff7c94485 in nix::ExprVar::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#82 0x00007ffff7c98fe8 in nix::ExprConcatStrings::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#83 0x00007ffff7d05856 in ?? () from /usr/lib/libnixexpr.so
#84 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#85 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#86 0x00007ffff7c7b88d in ?? () from /usr/lib/libnixexpr.so
#87 0x00007ffff7d02582 in nix::prim_getAttr(nix::EvalState&, nix::PosIdx, nix::Value**, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#88 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#89 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#90 0x00007ffff7c94bb8 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#91 0x00007ffff7c98782 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#92 0x00007ffff7c98aa1 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#93 0x00007ffff7c98f04 in nix::ExprConcatStrings::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#94 0x00007ffff7c9468f in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#95 0x00007ffff7d05856 in ?? () from /usr/lib/libnixexpr.so
#96 0x00007ffff7c936cc in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) () from /usr/lib/libnixexpr.so
#97 0x00007ffff7c96714 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#98 0x00007ffff7c94485 in nix::ExprVar::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#99 0x00007ffff7c94503 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#100 0x00007ffff7c94bb8 in nix::ExprSelect::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /usr/lib/libnixexpr.so
#101 0x00007ffff7c98782 in nix::EvalState::coerceToString(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >, bool, bool, bool) () from /usr/lib/libnixexpr.so
#102 0x00007ffff7ca17dc in nix::EvalState::coerceToStorePath(nix::PosIdx, nix::Value&, std::set<nix::NixStringContextElem, std::less<nix::NixStringContextElem>, std::allocator<nix::NixStringContextElem> >&, std::basic_string_view<char, std::char_traits<char> >) () from /usr/lib/libnixexpr.so
#103 0x00007ffff7ce5b74 in nix::PackageInfo::queryDrvPath() const () from /usr/lib/libnixexpr.so
#104 0x00007ffff7ce5c9d in nix::PackageInfo::requireDrvPath() const () from /usr/lib/libnixexpr.so
#105 0x000055555560b1ad in ?? ()
#106 0x000055555560d0ec in ?? ()
#107 0x00005555556719e9 in ?? ()
#108 0x00007ffff7facd7e in nix::handleExceptions(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::function<void ()>) () from /usr/lib/libnixmain.so
#109 0x00005555555c08b2 in ?? ()
#110 0x00007ffff7241d4a in ?? () from /usr/lib/libc.so.6
#111 0x00007ffff7241e0c in __libc_start_main () from /usr/lib/libc.so.6
#112 0x00005555555c5135 in ?? ()

Priorities

Add :+1: to issues you find important.

[LordMZTE]

Note that I cannot reproduce this with Nix from nixpkgs; only with Nix from Arch Linux packages.

[RaitoBezarius]

Note that I cannot reproduce this with Nix from nixpkgs; only with Nix from Arch Linux packages.

Can you be precise? Nix 2.22 from nixpkgs or Nix 2.18 from nixpkgs?

[LordMZTE]

Can you be precise? Nix 2.22 from nixpkgs or Nix 2.18 from nixpkgs?

Sorry, I was unaware of the version difference. Another check revealed that I was indeed using Nix 2.18 from nixpkgs as opposed to 2.22 from Arch, which is likely the important factor.

[Ericson2314]

Can you check Nix 2.22 not from Arch but our build? nix-store -r a store path from https://releases.nixos.org/nix/nix-2.22.0/fallback-paths.nix for your system and try that.

[LordMZTE]

I cannot reproduce this bug with the version you provided. It's probably a packaging issue then.

[Ericson2314]

We can reopen this if we learn more (e.g., as @edolstra just said in the team meeting, if there is a latent issue on our end that only turns up because the way the Arch build works).