async: free worker ctx->last_diag before free(ctx) so throws don't leak

leifericf · claude · leifericf · commit 8b0a934b2ace · 2026-05-17T00:27:24.000+02:00
When a future's body threw with no enclosing try, prim_throw_classified
installed a diag into the worker's per-thread ctx-&gt;last_diag. The
diag's cached_map got captured into impl-&gt;exception (reachable from
the future on the GC heap), but worker_run's free(ctx) at exit
discarded the diag struct pointer without diag_free'ing it. Leak was
~160 bytes per throwing future.

Pre-existing latent: macOS clang ASan ships without LSan, so it
never surfaced locally. ubuntu gcc-asan + LSan default-on caught it
when v0.255.18's new async test added a throwing future.

worker_run now calls diag_free(ctx-&gt;last_diag) before free(ctx). The
diag's malloc'd kind/code/message/notes/spans/frames all reclaim;
the Mino cached_map stays GC-reachable.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Changelog
 
+## v0.255.19 — Fix: Worker leaks last_diag on uncaught throw
+
+LSan on the gcc-built ubuntu-24.04 runners reported a 160-byte
+direct leak from `diag_new` via `set_eval_diag_with_data` after the
+v0.255.18 async test added `(future (throw (ex-info ...)))`. The
+worker's per-thread ctx allocates a `mino_diag_t` when its body
+throws and the throw lands at try_depth == 0 (no enclosing try);
+the diag installed itself into `ctx->last_diag`, its cached_map
+got captured into `impl->exception` for consumer-side rethrow, and
+then `worker_run` called `free(ctx)` without freeing the diag
+itself.
+
+The leak predates v0.255.18 — any future that threw leaked its
+diag — but macOS clang ASan ships without LSan, so it never showed
+locally. v0.255.17's CI run had no async test that threw; v0.255.18
+added one and surfaced it.
+
+Fix: `worker_run` now calls `diag_free(ctx->last_diag)` before
+`free(ctx)`. The diag struct's malloc'd fields (kind/code/msg
+strings, notes, spans, frames) all get reclaimed; the Mino-side
+cached_map stays reachable from the future's `impl->exception` on
+the GC heap.
+
 ## v0.255.18 — Fix: Preserve ex-info data through futures + expose `>!` / `<!`
 
 Two async-surface canon-parity fixes surfaced by an adversarial
diff --git a/src/mino.h b/src/mino.h
@@ -28,7 +28,7 @@
  */
 #define MINO_VERSION_MAJOR 0
 #define MINO_VERSION_MINOR 255
-#define MINO_VERSION_PATCH 18
+#define MINO_VERSION_PATCH 19
 
 /*
  * Human-readable version string of the *linked* runtime, e.g. "0.48.0".
diff --git a/src/runtime/host_threads.c b/src/runtime/host_threads.c
@@ -377,6 +377,18 @@ static void worker_run(mino_future_t *impl, char *stack_anchor)
     }
     mino_worker_list_lock_release(S);
 
+    /* Worker may have set ctx->last_diag if its body threw and the
+     * throw landed at try_depth == 0 (no enclosing try). The diag's
+     * cached_map (if any) was already captured into impl->exception
+     * and is reachable from the future on the GC heap; only the
+     * unmanaged diag struct itself remains. Reclaim it before free(ctx)
+     * so a future that throws does not leak a ~160-byte diag per call.
+     * LSan surfaced this on the gcc-built linux runners where libasan
+     * runs the leak detector at exit. */
+    if (ctx->last_diag != NULL) {
+        diag_free(ctx->last_diag);
+        ctx->last_diag = NULL;
+    }
     mino_tls_ctx = NULL;
     free(ctx);
 }
