mi_free_size: pointer might not point to a valid heap region #979

Open
JeySamir opened this issue Dec 27, 2024 · 2 comments
@JeySamir

Error:

mimalloc: warning: thread 0xDAB926C000: mi_free_size: pointer might not point to a valid heap region: 0x020000431230
(this may still be a valid very large allocation (over 64MiB))
mimalloc: error: thread 0xDAB926C000: mi_free_size: pointer does not point to a valid heap space: 0x020000431230
mimalloc: assertion failed: at "Z:\project\src\manual\mimalloc\src\free.c":343, mi_free_size
  assertion: "p == NULL || size <= _mi_usable_size(p,"mi_free_size")"

OS: Windows 11 Pro x64
#include <mimalloc-new-delete.h> defined in main.cpp.

MyDLL is my library, which I compile with mimalloc in it. I inject MyDLL into target software that does NOT use mimalloc and for which I have NO source code.
After many initializations and releases of std::string in the code of my injected MyDLL library in the target software, this error occurs.

The error occurs when calling the delete operator in std::basic_string.

What could be the problem?

mimalloc v2.0.1
Generated solution for VS C++

cmake -G "Visual Studio 17 2022" -S . -B vsbuild

mimalloc-static built with default parameters for the Debug configuration; the only thing added is the parameter:

Multi-threaded Debug (/MTd)

MyDLL compiled with MSVC:
C++ params:

/ifcOutput "MyDLL.dir\Debug\" /GS /W1 /Zc:wchar_t /I"Z:\projects\src\MyDLL\src\common" /I"Z:\projects\src\MyDLL\src\MyDLL" /I"Z:\projects\src\MyDLL\dependencies\manual\mimalloc\include" /I"Z:\projects\src\MyDLL\dependencies\manual\json"  /Zi /Od /Ob0 /Fd"MyDLL.dir\Debug\vc143.pdb" /Zc:inline /fp:precise /D "_WINDLL" /D "_UNICODE" /D "UNICODE" /D "WIN32" /D "_WINDOWS" /D "_LOG" /D "LOG_SWAP_STACK" /D "MyDLL" /D "MyDLL_EXPORTS" /D "MyDLLLIB_EXPORTS" /D "_DEBUG" /D "_USRDLL" /D "X64" /D "CMAKE_INTDIR=\"Debug\"" /D "MyDLL_EXPORTS" /errorReport:prompt /WX- /Zc:forScope /RTC1 /Gd /Oy- /MTd /std:c++17 /Fa"MyDLL.dir\Debug\" /EHsc /nologo /Fo"MyDLL.dir\Debug\" /Fp"MyDLL.dir\Debug\MyDLL.pch" /diagnostics:column

Linked params:

/OUT:"Z:\projects\src\MyDLL\build\Windows\AMD64\out\Debug\MyDLL.dll" /MANIFEST /NXCOMPAT /PDB:"C:/0my/projects/my/MyDLL/build/Windows/AMD64/out/Debug/MyDLL.pdb" /DYNAMICBASE "Z:\projects\src\MyDLL\build\Windows\AMD64\out\Debug\MyAnalyzer.lib" "mimalloc-static.lib" "capstone.lib" "DbgHelp.lib" "ntdll.lib" "Crypt32.lib" "ws2_32.lib" "winmm.lib" "wldap32.lib" "kernel32.lib" "user32.lib" "gdi32.lib" "winspool.lib" "comdlg32.lib" "advapi32.lib" "shell32.lib" "ole32.lib" "oleaut32.lib" "uuid.lib" "odbc32.lib" "odbccp32.lib" /IMPLIB:"C:/0my/projects/my/MyDLL/build/Windows/AMD64/out/Debug/MyDLL.lib" /DEBUG /DLL /MACHINE:X64 /OPT:NOREF /INCREMENTAL /PGD:"Z:\projects\src\MyDLL\build\Windows\AMD64\out\Debug\MyDLL.pgd" /SUBSYSTEM:CONSOLE /MANIFESTUAC:"level='asInvoker' uiAccess='false'" /ManifestFile:"MyDLL.dir\Debug\MyDLL.dll.intermediate.manifest" /LTCGOUT:"MyDLL.dir\Debug\MyDLL.iobj" /OPT:NOICF /ERRORREPORT:PROMPT /ILK:"MyDLL.dir\Debug\MyDLL.ilk" /NOLOGO /LIBPATH:"C:/0my/projects/my/MyDLL/build/Windows/AMD64/out" /LIBPATH:"C:/0my/projects/my/MyDLL/build/Windows/AMD64/out/Debug" /LIBPATH:"C:/0my/projects/my/MyDLL/dep/mimalloc/vsbuild/Debug" /LIBPATH:"C:/0my/projects/my/MyDLL/dep/mimalloc/vsbuild/Debug/Debug" /LIBPATH:"C:/0my/projects/my/MyDLL/dep/capstone/vsbuild/Debug" /LIBPATH:"C:/0my/projects/my/MyDLL/dep/capstone/vsbuild/Debug/Debug" /TLBID:1 

Stacktrace:

0:005> kn
 # Child-SP          RetAddr               Call Site
00 000000da`b99fd258 00007ffe`80bdfd8e     ntdll!NtTerminateProcess+0x14
01 000000da`b99fd260 00007ffe`7f6918ab     ntdll!RtlExitUserProcess+0x11e
02 000000da`b99fd290 00007ffd`6cf1bb7a     KERNEL32!ExitProcessImplementation+0xb
03 000000da`b99fd2c0 00007ffd`6cf1bb12     MyDLL!exit_or_terminate_process+0x3a [minkernel\crts\ucrt\src\appcrt\startup\exit.cpp @ 138] 
04 000000da`b99fd2f0 00007ffd`6cf1be89     MyDLL!common_exit+0x92 [minkernel\crts\ucrt\src\appcrt\startup\exit.cpp @ 274] 
05 000000da`b99fd350 00007ffd`6ceaa7cb     MyDLL!_exit+0x19 [minkernel\crts\ucrt\src\appcrt\startup\exit.cpp @ 293] 
06 000000da`b99fd380 00007ffd`6cb35139     MyDLL!abort+0x7b [minkernel\crts\ucrt\src\appcrt\startup\abort.cpp @ 90] 
07 000000da`b99fd3c0 00007ffd`6cb29b3f     MyDLL!_mi_assert_fail+0x79 [Z:\projects\src\manual\mimalloc\src\options.c @ 480] 
08 000000da`b99fd420 00007ffd`6cb0e54e     MyDLL!mi_free_size+0x4f [Z:\projects\src\manual\mimalloc\src\free.c @ 343] 
09 000000da`b99fd450 00007ffd`6cae4f89     MyDLL!operator delete+0x1e [Z:\projects\src\manual\mimalloc\include\mimalloc-new-delete.h @ 47] 
0a 000000da`b99fd480 00007ffd`6cae58e9     MyDLL!std::_Deallocate<16>+0x39 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\include\xmemory @ 258] 
0b 000000da`b99fd4b0 00007ffd`6cae540e     MyDLL!std::allocator<char>::deallocate+0xa9 [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\include\xmemory @ 949] 
0c 000000da`b99fd4f0 00007ffd`6cae56cb     MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Deallocate_for_capacity+0x2e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\include\xstring @ 833] 
0d 000000da`b99fd520 00007ffd`6cae510a     MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Tidy_deallocate+0x5b [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\include\xstring @ 3062] 
0e 000000da`b99fd570 00007ffd`6cb12bdf     MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::~basic_string<char,std::char_traits<char>,std::allocator<char> >+0x2a [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.42.34433\include\xstring @ 1372] 
0f 000000da`b99fd5d0 00007ffe`80b0814b     MyDLL!MyFuncUsesMenyStrings+0x2af
@JeySamir
Author

It looks like std::string doesn't use the mimalloc allocator when creating the string, but uses mi_free_size to release memory.

MyDLL!MyFuncUsesMenyStrings+0x269:
00007ffd`74ef9d59 e81276fcff      call    MyDLL!ILT+875(?c_str?$basic_stringDU?$char_traitsDstdV?$allocatorD (00007ffd`74ec1370)
0:005> bp 00007ffd`74ef9d5e
0:005> t
MyDLL!ILT+875(?c_str?$basic_stringDU?$char_traitsDstdV?$allocatorD:
00007ffd`74ec1370 e97bb50000      jmp     MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str (00007ffd`74ecc8f0)
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str:
00007ffd`74ecc8f0 48894c2408      mov     qword ptr [rsp+8],rcx ss:00000005`805fd3f0=00000005805fd498
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0x5:
00007ffd`74ecc8f5 57              push    rdi
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0x6:
00007ffd`74ecc8f6 4883ec20        sub     rsp,20h
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0xa:
00007ffd`74ecc8fa 488b442430      mov     rax,qword ptr [rsp+30h] ss:00000005`805fd3f0=00000005805fd498
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0xf:
00007ffd`74ecc8ff 488bc8          mov     rcx,rax
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0x12:
00007ffd`74ecc902 e85d5bffff      call    MyDLL!ILT+5215(?_Myptr?$_String_valU?$_Simple_typesDstdstdQEBAPEBDXZ) (00007ffd`74ec2464)
0:005> 
MyDLL!ILT+5215(?_Myptr?$_String_valU?$_Simple_typesDstdstdQEBAPEBDXZ):
00007ffd`74ec2464 e957a10000      jmp     MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr (00007ffd`74ecc5c0)
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr:
00007ffd`74ecc5c0 48894c2408      mov     qword ptr [rsp+8],rcx ss:00000005`805fd3c0=cccccccccccccccc
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x5:
00007ffd`74ecc5c5 57              push    rdi
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x6:
00007ffd`74ecc5c6 4883ec30        sub     rsp,30h
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0xa:
00007ffd`74ecc5ca 488b442440      mov     rax,qword ptr [rsp+40h] ss:00000005`805fd3c0=00000005805fd498
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0xf:
00007ffd`74ecc5cf 4883c008        add     rax,8
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x13:
00007ffd`74ecc5d3 4889442420      mov     qword ptr [rsp+20h],rax ss:00000005`805fd3a0=0000000000000001
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x18:
00007ffd`74ecc5d8 488b4c2440      mov     rcx,qword ptr [rsp+40h] ss:00000005`805fd3c0=00000005805fd498
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x1d:
00007ffd`74ecc5dd e89b72ffff      call    MyDLL!ILT+10360(?_Large_mode_engaged?$_String_valU?$_Simple_typesDstdstdQEBA_NXZ) (00007ffd`74ec387d)
0:005> 
MyDLL!ILT+10360(?_Large_mode_engaged?$_String_valU?$_Simple_typesDstdstdQEBA_NXZ):
00007ffd`74ec387d e9fe8c0000      jmp     MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged (00007ffd`74ecc580)
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged:
00007ffd`74ecc580 48894c2408      mov     qword ptr [rsp+8],rcx ss:00000005`805fd380=0000000000000000
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x5:
00007ffd`74ecc585 57              push    rdi
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x6:
00007ffd`74ecc586 4883ec10        sub     rsp,10h
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0xa:
00007ffd`74ecc58a 488b442420      mov     rax,qword ptr [rsp+20h] ss:00000005`805fd380=00000005805fd498
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0xf:
00007ffd`74ecc58f 488378200f      cmp     qword ptr [rax+20h],0Fh ds:00000005`805fd4b8=000000000000001f
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x14:
00007ffd`74ecc594 7609            jbe     MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x1f (00007ffd`74ecc59f) [br=0]
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x16:
00007ffd`74ecc596 c7042401000000  mov     dword ptr [rsp],1 ss:00000005`805fd360=00000000
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x1d:
00007ffd`74ecc59d eb07            jmp     MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x26 (00007ffd`74ecc5a6)
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x26:
00007ffd`74ecc5a6 0fb60424        movzx   eax,byte ptr [rsp] ss:00000005`805fd360=01
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x2a:
00007ffd`74ecc5aa 4883c410        add     rsp,10h
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x2e:
00007ffd`74ecc5ae 5f              pop     rdi
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Large_mode_engaged+0x2f:
00007ffd`74ecc5af c3              ret
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x22:
00007ffd`74ecc5e2 0fb6c0          movzx   eax,al
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x25:
00007ffd`74ecc5e5 85c0            test    eax,eax
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x27:
00007ffd`74ecc5e7 7413            je      MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x3c (00007ffd`74ecc5fc) [br=0]
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x29:
00007ffd`74ecc5e9 488b442440      mov     rax,qword ptr [rsp+40h] ss:00000005`805fd3c0=00000005805fd498
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x2e:
00007ffd`74ecc5ee 488b4808        mov     rcx,qword ptr [rax+8] ds:00000005`805fd4a0=0000020000431230
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x32:
00007ffd`74ecc5f2 e82376ffff      call    MyDLL!ILT+11285(??$_UnfancyDstdYAPEADPEADZ) (00007ffd`74ec3c1a)
0:005> 
MyDLL!ILT+11285(??$_UnfancyDstdYAPEADPEADZ):
00007ffd`74ec3c1a e911850000      jmp     MyDLL!std::_Unfancy<char> (00007ffd`74ecc130)
0:005> 
MyDLL!std::_Unfancy<char>:
00007ffd`74ecc130 48894c2408      mov     qword ptr [rsp+8],rcx ss:00000005`805fd380=00000005805fd498
0:005> 
MyDLL!std::_Unfancy<char>+0x5:
00007ffd`74ecc135 57              push    rdi
0:005> 
MyDLL!std::_Unfancy<char>+0x6:
00007ffd`74ecc136 488b442410      mov     rax,qword ptr [rsp+10h] ss:00000005`805fd380=0000020000431230
0:005> 
MyDLL!std::_Unfancy<char>+0xb:
00007ffd`74ecc13b 5f              pop     rdi
0:005> 
MyDLL!std::_Unfancy<char>+0xc:
00007ffd`74ecc13c c3              ret
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x37:
00007ffd`74ecc5f7 4889442420      mov     qword ptr [rsp+20h],rax ss:00000005`805fd3a0=00000005805fd4a0
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x3c:
00007ffd`74ecc5fc 488b442420      mov     rax,qword ptr [rsp+20h] ss:00000005`805fd3a0=0000020000431230
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x41:
00007ffd`74ecc601 4883c430        add     rsp,30h
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x45:
00007ffd`74ecc605 5f              pop     rdi
0:005> 
MyDLL!std::_String_val<std::_Simple_types<char> >::_Myptr+0x46:
00007ffd`74ecc606 c3              ret
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0x17:
00007ffd`74ecc907 4883c420        add     rsp,20h
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0x1b:
00007ffd`74ecc90b 5f              pop     rdi
0:005> 
MyDLL!std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str+0x1c:
00007ffd`74ecc90c c3              ret

@res2k
Contributor

res2k commented Dec 28, 2024

Is the std::string in question passed across DLL boundaries?
In that case, the string was most likely allocated not using mimalloc.
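The allocator mismatch res2k describes, as an added example that is not part of this issue or of mimalloc: two tracking heaps in one process stand in for the target's CRT heap and the injected DLL's mimalloc heap, one function reproduces the cross-heap free that triggers the "not a valid heap region" check, and the other shows the fix of sending a deleter bound to the allocating module along with the pointer. TrackingHeap, g_host_heap, g_dll_heap, HostBuffer and the helper functions are names constructed for this example.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>
#include <set>

// One tracking heap per "module": the host process's CRT heap and the injected
// DLL's heap (mimalloc in the issue). Each remembers which blocks it owns, so a
// release() of a block it never handed out is reported instead of corrupting
// memory; that is the check behind mimalloc's "not a valid heap region" warning.
class TrackingHeap {
public:
    void* alloc(std::size_t n) { void* p = std::malloc(n); owned_.insert(p); return p; }
    bool release(void* p) {                  // false: block belongs to another heap
        if (owned_.erase(p) == 0) return false;
        std::free(p);
        return true;
    }
    std::size_t live() const { return owned_.size(); }
private:
    std::set<void*> owned_;
};
static TrackingHeap g_host_heap;   // allocator of the target process (no mimalloc)
static TrackingHeap g_dll_heap;    // allocator linked into the injected DLL

// Host-side code hands a heap block to the DLL (the std::string buffer in the issue).
static char* host_make_buffer(const char* text) {
    std::size_t n = std::strlen(text) + 1;
    char* p = static_cast<char*>(g_host_heap.alloc(n));
    std::memcpy(p, text, n);
    return p;
}

// Mismatch: the DLL frees a host-allocated block through its own heap, as when the
// operator delete from mimalloc-new-delete.h receives a CRT-allocated pointer.
bool wrong_heap_free_is_rejected() {
    char* p = host_make_buffer("passed across the DLL boundary");
    bool rejected = !g_dll_heap.release(p);  // mimalloc warns, then asserts, here
    g_host_heap.release(p);                  // return it to the heap that owns it
    return rejected;
}

// Fix: ownership travels with a deleter bound to the allocating module, so the
// block always goes back to the heap it came from, whichever module drops it.
using HostBuffer = std::unique_ptr<char, void (*)(char*)>;
static HostBuffer host_make_owned(const char* text) {
    return HostBuffer(host_make_buffer(text), [](char* p) { g_host_heap.release(p); });
}
bool owner_bound_deleter_frees_correctly() {
    { HostBuffer buf = host_make_owned("freed where it was allocated"); (void)buf; }
    return g_host_heap.live() == 0 && g_dll_heap.live() == 0;
}
```

The same rule applies to a real DLL boundary: whichever module allocated a buffer (or a std::string) must be the one that frees it, either by exporting a matching release function or by handing out a smart pointer whose deleter calls back into that module.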
