
Crash Occurs When Running on Windows 11 (24H2 26100.2033) with ARM Processor #958

Open
DuShijun opened this issue Nov 5, 2024 · 7 comments

Comments

@DuShijun

DuShijun commented Nov 5, 2024

I wrote a simple console application, as follows:

```cpp
#include <cstdlib>      // free
#include <xlocinfo.h>   // _Getdays (CRT-internal helper exported by ucrtbase)
#include <mimalloc.h>   // mi_version

int main()
{
    mi_version();                        // make sure mimalloc is loaded and initialized
    const char* ptr = ::_Getdays();      // string allocated inside ucrtbase
    ::free((void*)ptr);                  // free() is redirected to mi_free; this is where it crashes
}
```

The following is the log output when the DLL is attached:

```
mimalloc: option 'show_errors': 0
mimalloc: option 'show_stats': 0
mimalloc: option 'verbose': 3
mimalloc: option 'eager_commit': 1
mimalloc: option 'arena_eager_commit': 2
mimalloc: option 'purge_decommits': 1
mimalloc: option 'allow_large_os_pages': 0
mimalloc: option 'reserve_huge_os_pages': 0
mimalloc: option 'reserve_huge_os_pages_at': -1
mimalloc: option 'reserve_os_memory': 0 KiB
mimalloc: option 'deprecated_segment_cache': 0
mimalloc: option 'deprecated_page_reset': 0
mimalloc: option 'abandoned_page_purge': 0
mimalloc: option 'deprecated_segment_reset': 0
mimalloc: option 'eager_commit_delay': 1
mimalloc: option 'purge_delay': 10
mimalloc: option 'use_numa_nodes': 0
mimalloc: option 'disallow_os_alloc': 0
mimalloc: option 'os_tag': 100
mimalloc: option 'max_errors': 32
mimalloc: option 'max_warnings': 32
mimalloc: option 'max_segment_reclaim': 10
mimalloc: option 'destroy_on_exit': 0
mimalloc: option 'arena_reserve': 1048576 KiB
mimalloc: option 'arena_purge_mult': 10
mimalloc: option 'purge_extend_delay': 1
mimalloc: option 'abandoned_reclaim_on_free': 1
mimalloc: option 'disallow_arena_alloc': 0
mimalloc: option 'retry_on_oom': 400
mimalloc: process init: 0xB15AD0B000
mimalloc: secure level: 0
mimalloc: mem tracking: none
mimalloc: malloc is redirected.
mimalloc-redirect: trace: build: Feb 1 2023
mimalloc-redirect: trace: windows version: 10.0.26100
mimalloc-redirect: trace: checking for target mimalloc.dll
mimalloc-redirect: trace: checking for target mimalloc-override.dll
mimalloc-redirect: trace: module "D:\mimalloc-2.1.7\mimalloc-2.1.7\out\msvc-x64\Release\ConsoleApplication1.exe"
mimalloc-redirect: trace: module "C:\Windows\SYSTEM32\ntdll.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\xtajit64.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\KERNEL32.DLL"
mimalloc-redirect: trace: module "C:\Windows\System32\KERNELBASE.dll"
mimalloc-redirect: trace: module "C:\Windows\SYSTEM32\apphelp.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\ucrtbase.dll"
mimalloc-redirect: trace: resolving "ucrtbase.dll"
mimalloc-redirect: trace: module: ucrtbase.dll 0x7FFBB80E0000: code start 0x7FFBB80EC000, size: 0x196DE2
mimalloc-redirect: trace: resolve "malloc" at ucrtbase.dll!0x00007FFBB80EBAF0 to mimalloc!0x00007FFB646A3500 (0)
mimalloc-redirect: trace: resolve "calloc" at ucrtbase.dll!0x00007FFBB80EBAD0 to mimalloc!0x00007FFB646A2780 (0)
mimalloc-redirect: trace: resolve "realloc" at ucrtbase.dll!0x00007FFBB80EBB00 to mimalloc!0x00007FFB646A3990 (0)
mimalloc-redirect: trace: resolve "free" at ucrtbase.dll!0x00007FFBB80EBAE0 to mimalloc!0x00007FFB646A2850 (0)
mimalloc-redirect: trace: resolve "_expand" at ucrtbase.dll!0x00007FFBB80EBAB0 to mimalloc!0x00007FFB646A27B0 (0)
mimalloc-redirect: trace: resolve "_recalloc" at ucrtbase.dll!0x00007FFBB80E8D50 to mimalloc!0x00007FFB646A3B30 (0)
mimalloc-redirect: trace: resolve "_msize" at ucrtbase.dll!0x00007FFBB80EBAC0 to mimalloc!0x00007FFB646A3C20 (0)
mimalloc-redirect: trace: resolve "_malloc_base" at ucrtbase.dll!0x00007FFBB80E4070 to mimalloc!0x00007FFB646A3500 (0)
mimalloc-redirect: trace: resolve "_calloc_base" at ucrtbase.dll!0x00007FFBB80E2AC0 to mimalloc!0x00007FFB646A2780 (0)
mimalloc-redirect: trace: resolve "_realloc_base" at ucrtbase.dll!0x00007FFBB80E8D40 to mimalloc!0x00007FFB646A3990 (0)
mimalloc-redirect: trace: resolve "_free_base" at ucrtbase.dll!0x00007FFBB80E3200 to mimalloc!0x00007FFB646A2850 (0)
mimalloc-redirect: warning: unable to resolve "ucrtbase.dll!_expand_base" -- enabling MIMALLOC_PATCH_IMPORTS to prevent allocation errors.
mimalloc-redirect: warning: unable to resolve "ucrtbase.dll!_recalloc_base" -- enabling MIMALLOC_PATCH_IMPORTS to prevent allocation errors.
mimalloc-redirect: warning: unable to resolve "ucrtbase.dll!_msize_base" -- enabling MIMALLOC_PATCH_IMPORTS to prevent allocation errors.
mimalloc-redirect: trace: resolve import "ntdll.dll!RtlSizeHeap" in ucrtbase.dll at 0x00007FFBB8284238 to 0x00007FFB805A5FE0 (0)
mimalloc-redirect: trace: resolve import "ntdll.dll!RtlFreeHeap" in ucrtbase.dll at 0x00007FFBB8284220 to 0x00007FFB805A6050 (0)
mimalloc-redirect: trace: resolve import "ntdll.dll!RtlReAllocateHeap" in ucrtbase.dll at 0x00007FFBB8284230 to 0x00007FFB805A60E0 (0)
mimalloc-redirect: trace: resolve "_aligned_malloc" at ucrtbase.dll!0x00007FFBB80E28F0 to mimalloc!0x00007FFB646A1AE0 (0)
mimalloc-redirect: trace: resolve "_aligned_realloc" at ucrtbase.dll!0x00007FFBB80E2940 to mimalloc!0x00007FFB646A1C10 (0)
mimalloc-redirect: trace: resolve "_aligned_free" at ucrtbase.dll!0x00007FFBB80E28E0 to mimalloc!0x00007FFB646A2850 (0)
mimalloc-redirect: trace: resolve "_aligned_recalloc" at ucrtbase.dll!0x00007FFBB80E2950 to mimalloc!0x00007FFB646A1F80 (0)
mimalloc-redirect: trace: resolve "_aligned_msize" at ucrtbase.dll!0x00007FFBB80E2900 to mimalloc!0x00007FFB805A5CD0 (0)
mimalloc-redirect: trace: resolve "_aligned_offset_malloc" at ucrtbase.dll!0x00007FFBB80E2910 to mimalloc!0x00007FFB646A1B70 (0)
mimalloc-redirect: trace: resolve "_aligned_offset_realloc" at ucrtbase.dll!0x00007FFBB80E2920 to mimalloc!0x00007FFB646A1C40 (0)
mimalloc-redirect: trace: resolve "_aligned_offset_recalloc" at ucrtbase.dll!0x00007FFBB80E2930 to mimalloc!0x00007FFB646A1F70 (0)
mimalloc-redirect: trace: module "D:\mimalloc-2.1.7\mimalloc-2.1.7\out\msvc-x64\Release\mimalloc-override.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\ADVAPI32.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\msvcrt.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\sechost.dll"
mimalloc-redirect: trace: module "C:\Windows\System32\RPCRT4.dll"
mimalloc-redirect: trace: module "C:\Windows\SYSTEM32\VCRUNTIME140.dll"
mimalloc-redirect: trace: module "D:\mimalloc-2.1.7\mimalloc-2.1.7\out\msvc-x64\Release\mimalloc-redirect.dll"
mimalloc-redirect: trace: write entry: 0x00007FFB805A55FB, 5, 0x7FFB646A3B30, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A556B, 5, 0x7FFB646A3500, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A559B, 5, 0x7FFB646A2780, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A55CB, 5, 0x7FFB646A3990, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A566B, 5, 0x7FFB646A2850, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A563B, 5, 0x7FFB646A27B0, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A569B, 5, 0x7FFB646A3C20, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A56FB, 5, 0x7FFB646A36B0, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A56CB, 5, 0x7FFB646AE310, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A572B, 5, 0x7FFB646A1AE0, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A575B, 5, 0x7FFB646A1C10, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A579B, 5, 0x7FFB646A1F80, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A57DB, 5, 0x7FFB646A1B70, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A581B, 5, 0x7FFB646A1C40, na
mimalloc-redirect: trace: write entry: 0x00007FFB805A585B, 5, 0x7FFB646A1F70, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80EBAF0, 2, 0x7FFB646A3500, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80EBAD0, 2, 0x7FFB646A2780, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80EBB00, 2, 0x7FFB646A3990, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80EBAE0, 2, 0x7FFB646A2850, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80EBAB0, 2, 0x7FFB646A27B0, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E8D50, 2, 0x7FFB646A3B30, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80EBAC0, 2, 0x7FFB646A3C20, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E4070, 2, 0x7FFB646A3500, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2AC0, 2, 0x7FFB646A2780, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E8D40, 2, 0x7FFB646A3990, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E3200, 2, 0x7FFB646A2850, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E28F0, 2, 0x7FFB646A1AE0, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2940, 2, 0x7FFB646A1C10, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E28E0, 2, 0x7FFB646A2850, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2950, 2, 0x7FFB646A1F80, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2900, 2, 0x7FFB805A5CD0, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2910, 2, 0x7FFB646A1B70, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2920, 2, 0x7FFB646A1C40, na
mimalloc-redirect: trace: write entry: 0x00007FFBB80E2930, 2, 0x7FFB646A1F70, na
mimalloc-redirect: trace: standard malloc is redirected (v1.1c)
```

At this point, the disassembly shows that "_malloc_base" at ucrtbase.dll!0x00007FFBB80E4070 has been redirected to mi_malloc.

However, `_malloc_base` is called within `::_Getdays` without being redirected, causing a mismatch between the memory allocated here and the memory freed later, which ultimately results in a crash.

So, I’d like to ask:

1. Is this a common bug, or does mimalloc have a special version or compilation configuration specifically for the ARM architecture?
2. Is it possible for mi_free to implement some checks or error handling to prevent crashes when attempting to free memory that wasn’t allocated by mimalloc?
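The second question is about ownership checking: a free routine that knows which address ranges it manages can refuse (or hand back) a pointer that came from another allocator instead of corrupting its own metadata. The following is an added example, not mimalloc's or the reporter's code: two constructed bump allocators stand in for the un-redirected CRT heap and for mimalloc, and `checked_free` performs the region test before releasing anything. In real mimalloc the corresponding public calls are `mi_is_in_heap_region` and `mi_check_owned`; the arenas, names and `free_result_t` values here are assumptions made for the demonstration.

```c
/* Added example (not mimalloc code): an address-range ownership check on free,
 * modelled on the mismatch described in this issue.  "crt-role" plays the
 * un-redirected allocator reached through the .text call path inside
 * ucrtbase; "mimalloc-role" plays the redirected one.  Both arenas are
 * constructed bump allocators, not real heaps. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_BYTES 4096

/* Minimal bump allocator that owns one contiguous region. */
typedef struct {
    const char   *name;
    unsigned char mem[ARENA_BYTES];
    size_t        used;   /* bytes handed out so far */
    size_t        live;   /* allocations not yet freed */
} arena_t;

static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 15) & ~(size_t)15;              /* keep 16-byte alignment */
    if (a->used + n > ARENA_BYTES) return NULL;
    void *p = a->mem + a->used;
    a->used += n;
    a->live++;
    return p;
}

/* Ownership test: does p lie inside the part of this arena that was handed out? */
static bool arena_owns(const arena_t *a, const void *p) {
    uintptr_t lo = (uintptr_t)a->mem, hi = lo + a->used, x = (uintptr_t)p;
    return x >= lo && x < hi;
}

typedef enum { FREE_OK = 0, FREE_FOREIGN = 1, FREE_UNKNOWN = 2 } free_result_t;

/* The redirected free: callers believe every pointer came from `mine`, but a
 * pointer produced on the un-patched path belongs to `other`.  Check before
 * touching any allocator state, and route or reject instead of crashing. */
static free_result_t checked_free(arena_t *mine, arena_t *other, void *p) {
    if (arena_owns(mine, p))  { mine->live--;  return FREE_OK; }
    if (arena_owns(other, p)) { other->live--; return FREE_FOREIGN; } /* give it back to its owner */
    return FREE_UNKNOWN;                                               /* neither: refuse */
}

static arena_t g_mi  = { "mimalloc-role" };
static arena_t g_crt = { "crt-role" };

/* Reproduces the report's shape: a string built by the CRT-side allocator
 * (as _Getdays does internally) is later released through the redirected free. */
static free_result_t demo_mismatch(void) {
    char *s = arena_alloc(&g_crt, 32);
    strcpy(s, ":Sun:Sunday:Mon:Monday");        /* constructed sample content */
    return checked_free(&g_mi, &g_crt, s);      /* FREE_FOREIGN, not a crash */
}

/* Normal case: allocated and freed by the same allocator. */
static free_result_t demo_match(void) {
    void *p = arena_alloc(&g_mi, 64);
    return checked_free(&g_mi, &g_crt, p);      /* FREE_OK */
}

/* A pointer that belongs to no allocator at all (here: a stack address). */
static free_result_t demo_unknown(void) {
    int not_heap = 0;
    return checked_free(&g_mi, &g_crt, &not_heap); /* FREE_UNKNOWN */
}

int main(void) {
    printf("mismatch=%d match=%d unknown=%d\n",
           (int)demo_mismatch(), (int)demo_match(), (int)demo_unknown());
    return 0;
}
```

The check is cheap because it only compares the pointer against the owner's region bounds; it does not tell you which *call path* produced the pointer, which is why the real fix in this thread is a redirect DLL that matches the runtime's instruction set rather than a guard inside free.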

@daanx
Collaborator

daanx commented Dec 16, 2024

Working on this..

@daanx
Collaborator

daanx commented Dec 16, 2024

(wrong issue)

@DuShijun
Author

DuShijun commented Dec 17, 2024

(wrong issue)

Thanks for your work.
The crash issue on the ARM architecture is different from issue #957 (crash on Windows 11 24H2). On the ARM architecture, the problem occurs because mimalloc-redirect writes a jmp instruction into the .hexpthk section of ucrtbase. However, internal functions of ucrtbase (such as Getdays) allocate memory without going through the .hexpthk section but instead directly execute instructions in the .text section. As a result, when freeing strings obtained via functions like Getdays (using mi_free), a mismatch occurs between allocation and deallocation, leading to a crash.

@daanx
Collaborator

daanx commented Dec 17, 2024

The latest dev and dev-slice branches contain a bin\mimalloc-redirect-arm64.dll -- not tested on larger programs yet but it seems to work. Give it a try if you can and let me know how it goes.
(this is for pure arm64 executables -- not for arm64EC or x64 emulated)

@DuShijun
Author

The latest dev and dev-slice branches contain a bin\mimalloc-redirect-arm64.dll -- not tested on larger programs yet but it seems to work. Give it a try if you can and let me know how it goes. (this is for pure arm64 executables -- not for arm64EC or x64 emulated)

Thanks a lot for your work😀
I tested with the simple example that previously failed, and the new dev branch works fine now. However, my program is currently not adapted for the ARM architecture but is running on x64 emulation. Will future updates still provide a version of mimalloc-redirect that supports x64 emulation?

@daanx
Collaborator

daanx commented Dec 18, 2024

That's great to hear it worked for you too.

I have not yet looked into x64 emulated processes .. if it is emulated correctly it should just work right? ;-) I'll take a look at that too when I have time. (You might want to try compiling as arm64 though.. often it just works with minor tweaks.)

@daanx
Collaborator

daanx commented Dec 19, 2024

I also looked into x64 emulated code -- and indeed it won't work as is since the C runtime itself is running in arm64ec mode (and runs arm64 instructions). To make it work, you need to compile just mimalloc-override.dll for arm64ec and use the matching mimalloc-redirect-arm64ec.dll. The main program can just stay as x64 code; this will run mimalloc with arm instructions too (like the C runtime) and all the rest is emulated. The latest dev branch contains this -- including an updated readme that gives more detailed build instructions. Let me know how it goes.

ps. of course, rebuilding everything to target native arm64 will have better performance.
