use-after-free bugs in object variants

[planetis-m]

What happened?

The bug happens specifically when deleting an item in a seq. The item taking it's place might not have the same case fields. Then =sink(x[i], move x[xl]) might leave the deleted item's fields still in memory! If the new item switches branches, you get a use-after-free bug.

type
  ContentNodeKind = enum
    P, Br, Text
  ContentNode = object
    case kind: ContentNodeKind
    of P: pChildren: seq[ContentNode]
    of Br: discard
    of Text: textStr: string

proc main =
  var x = ContentNode(kind: P, pChildren: @[
    ContentNode(kind: P, pChildren: @[ContentNode(kind: Text, textStr: "brrr")])
  ])
  x.pChildren.add ContentNode(kind: Br)
  x.pChildren.del(0)
  {.cast(uncheckedAssign).}:
    x.pChildren[0].kind = P
  echo x.pChildren

main()

Nim Version

Nim Compiler Version 1.7.1 [Linux: amd64]
Compiled at 2022-09-04
Copyright (c) 2006-2022 by Andreas Rumpf

git hash: b931e74
active boot switches: -d:release --gc:markAndSweep

Current Standard Output Logs

@[(kind: P, pChildren: @[(kind: Text, textStr: "brrr")])]
SIGSEGV: Illegal storage access. (Attempt to read from nil?)
Σφάλμα κατάτμησης (segmentation fault) (core dumped)

Expected Standard Output Logs

@[(kind: P, pChildren: @[])]

Possible Solution

No response

Additional Information

No response

[planetis-m]

Fixed in #20300

[ringabout]

A testcase will be appreciated.