I could reproduce this by loading doom2 map01 with skill 4, warping to position 1135,700 and waiting for the imp on the elevator on the left to fire a fireball. At a certain point I got this:
==3416==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500020cc88 at pc 0x000000924c26 bp 0x7ffd7ff7ad90 sp 0x7ffd7ff7ad80
READ of size 8 at 0x61500020cc88 thread T0
#0 0x924c25 in ADynamicLight::DistToSeg(TVector3<double> const&, seg_t*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:565
#1 0x925372 in ADynamicLight::CollectWithinRadius(TVector3<double> const&, subsector_t*, float) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:617
#2 0x926604 in ADynamicLight::LinkLight() /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:725
#3 0x9241cf in ADynamicLight::UpdateLocation() /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:426
#4 0x9242e5 in ADynamicLight::SetOffset(TVector3<double> const&) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:453
#5 0xaf4274 in FLightDefaults::ApplyProperties(ADynamicLight*) const /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:174
#6 0xaf7cc0 in gl_AttachLight(AActor*, unsigned int, FLightDefaults const*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:1138
#7 0xaf7f44 in gl_SetActorLights(AActor*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:1171
#8 0xad48ff in FGLInterface::StateChanged(AActor*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/scene/gl_scene.cpp:1220
#9 0xe6bf19 in AActor::SetState(FState*, bool) /home/edward-san/zdoom/gzdoom/trunk/src/p_mobj.cpp:707
#10 0xe8a4f6 in AActor::Tick() /home/edward-san/zdoom/gzdoom/trunk/src/p_mobj.cpp:4256
#11 0xc16abb in AF_DThinker_Tick /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:549
#12 0x1321af8 in VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**) /home/edward-san/zdoom/gzdoom/trunk/src/scripting/vm/vmframe.cpp:462
#13 0xc16ce5 in DThinker::CallTick() /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:559
#14 0xc1677b in DThinker::TickThinkers(FThinkerList*, FThinkerList*) /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:527
#15 0xc1659c in DThinker::RunThinkers() /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:474
#16 0xf4cdae in P_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/p_tick.cpp:129
#17 0xc345cc in G_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/g_game.cpp:1206
#18 0xbd26a5 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1946
#19 0xbbe883 in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1016
#20 0xbc5be9 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2677
#21 0x6381dd in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:306
#22 0x7f633322782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#23 0x629468 in _start (/home/edward-san/zdoom/gzdoom/trunk/debug-asan/gzdoom+0x629468)
0x61500020cc88 is located 264 bytes inside of 512-byte region [0x61500020cb80,0x61500020cd80)
freed by thread T0 here:
#0 0x7f6335c05961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0xc7cada in M_Realloc_Dbg(void*, unsigned long, char const*, int) /home/edward-san/zdoom/gzdoom/trunk/src/m_alloc.cpp:150
#2 0x92902d in TArray<LightLinkEntry, LightLinkEntry>::DoResize() /home/edward-san/zdoom/gzdoom/trunk/src/./tarray.h:424
#3 0x928f9b in TArray<LightLinkEntry, LightLinkEntry>::Grow(unsigned int) /home/edward-san/zdoom/gzdoom/trunk/src/./tarray.h:348
#4 0x92897c in TArray<LightLinkEntry, LightLinkEntry>::Push(LightLinkEntry const&) /home/edward-san/zdoom/gzdoom/trunk/src/./tarray.h:242
#5 0x925c85 in ADynamicLight::CollectWithinRadius(TVector3<double> const&, subsector_t*, float) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:653
#6 0x926604 in ADynamicLight::LinkLight() /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:725
#7 0x9241cf in ADynamicLight::UpdateLocation() /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:426
#8 0x9242e5 in ADynamicLight::SetOffset(TVector3<double> const&) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:453
#9 0xaf4274 in FLightDefaults::ApplyProperties(ADynamicLight*) const /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:174
#10 0xaf7cc0 in gl_AttachLight(AActor*, unsigned int, FLightDefaults const*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:1138
#11 0xaf7f44 in gl_SetActorLights(AActor*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:1171
#12 0xad48ff in FGLInterface::StateChanged(AActor*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/scene/gl_scene.cpp:1220
#13 0xe6bf19 in AActor::SetState(FState*, bool) /home/edward-san/zdoom/gzdoom/trunk/src/p_mobj.cpp:707
#14 0xe8a4f6 in AActor::Tick() /home/edward-san/zdoom/gzdoom/trunk/src/p_mobj.cpp:4256
#15 0xc16abb in AF_DThinker_Tick /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:549
#16 0x1321af8 in VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**) /home/edward-san/zdoom/gzdoom/trunk/src/scripting/vm/vmframe.cpp:462
#17 0xc16ce5 in DThinker::CallTick() /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:559
#18 0xc1677b in DThinker::TickThinkers(FThinkerList*, FThinkerList*) /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:527
#19 0xc1659c in DThinker::RunThinkers() /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:474
#20 0xf4cdae in P_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/p_tick.cpp:129
#21 0xc345cc in G_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/g_game.cpp:1206
#22 0xbd26a5 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1946
#23 0xbbe883 in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1016
#24 0xbc5be9 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2677
#25 0x6381dd in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:306
#26 0x7f633322782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f6335c05961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0xc7cada in M_Realloc_Dbg(void*, unsigned long, char const*, int) /home/edward-san/zdoom/gzdoom/trunk/src/m_alloc.cpp:150
#2 0x92902d in TArray<LightLinkEntry, LightLinkEntry>::DoResize() /home/edward-san/zdoom/gzdoom/trunk/src/./tarray.h:424
#3 0x928f9b in TArray<LightLinkEntry, LightLinkEntry>::Grow(unsigned int) /home/edward-san/zdoom/gzdoom/trunk/src/./tarray.h:348
#4 0x92897c in TArray<LightLinkEntry, LightLinkEntry>::Push(LightLinkEntry const&) /home/edward-san/zdoom/gzdoom/trunk/src/./tarray.h:242
#5 0x924f4d in ADynamicLight::CollectWithinRadius(TVector3<double> const&, subsector_t*, float) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:596
#6 0x926604 in ADynamicLight::LinkLight() /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:725
#7 0x9241cf in ADynamicLight::UpdateLocation() /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:426
#8 0x9242e5 in ADynamicLight::SetOffset(TVector3<double> const&) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:453
#9 0xaf4274 in FLightDefaults::ApplyProperties(ADynamicLight*) const /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:174
#10 0xaf7cc0 in gl_AttachLight(AActor*, unsigned int, FLightDefaults const*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:1138
#11 0xaf7f44 in gl_SetActorLights(AActor*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/gl_dynlight.cpp:1171
#12 0xad48ff in FGLInterface::StateChanged(AActor*) /home/edward-san/zdoom/gzdoom/trunk/src/gl/scene/gl_scene.cpp:1220
#13 0xe6bf19 in AActor::SetState(FState*, bool) /home/edward-san/zdoom/gzdoom/trunk/src/p_mobj.cpp:707
#14 0xe8a4f6 in AActor::Tick() /home/edward-san/zdoom/gzdoom/trunk/src/p_mobj.cpp:4256
#15 0x10682a5 in AInventory::Tick() /home/edward-san/zdoom/gzdoom/trunk/src/g_inventory/a_pickups.cpp:181
#16 0xc16abb in AF_DThinker_Tick /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:549
#17 0x1321af8 in VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**) /home/edward-san/zdoom/gzdoom/trunk/src/scripting/vm/vmframe.cpp:462
#18 0xc16ce5 in DThinker::CallTick() /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:559
#19 0xc1677b in DThinker::TickThinkers(FThinkerList*, FThinkerList*) /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:527
#20 0xc165e0 in DThinker::RunThinkers() /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:483
#21 0xf4cdae in P_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/p_tick.cpp:129
#22 0xc345cc in G_Ticker() /home/edward-san/zdoom/gzdoom/trunk/src/g_game.cpp:1206
#23 0xbd26a5 in TryRunTics() /home/edward-san/zdoom/gzdoom/trunk/src/d_net.cpp:1946
#24 0xbbe883 in D_DoomLoop() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:1016
#25 0xbc5be9 in D_DoomMain() /home/edward-san/zdoom/gzdoom/trunk/src/d_main.cpp:2677
#26 0x6381dd in main /home/edward-san/zdoom/gzdoom/trunk/src/posix/sdl/i_main.cpp:306
#27 0x7f633322782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:565 ADynamicLight::DistToSeg(TVector3<double> const&, seg_t*)
Shadow bytes around the buggy address:
0x0c2a80039940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a80039950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a80039960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a80039970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80039980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a80039990: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a800399a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a800399b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a800399c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800399d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800399e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==3416==ABORTING
#7 0x0000000000924c26 in ADynamicLight::DistToSeg (this=0x61a0007bd280, pos=..., seg=0x631000a7a9c0) at /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:565
u = 6.953355807072167e-310
px = 6.953355807072167e-310
py = 2.3266681684861985e-316
seg_dx = -88
seg_dy = 0
seg_length_sq = 7744
#8 0x0000000000925373 in ADynamicLight::CollectWithinRadius (this=0x61a0007bd280, opos=..., subSec=0x629000ba4aa0, radius=16384) at /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:617
seg = 0x631000a7a9c0
i = 1
pos = @0x615000148108: {X = 668.4408339551361, Y = 687.36427712208331, Z = 124.35780188949346}
sec = 0x62d0020e7c10
i = 8
#9 0x0000000000926605 in ADynamicLight::LinkLight (this=0x61a0007bd280) at /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:725
subSec = 0x629000ba6840
node = 0x0
#10 0x00000000009241d0 in ADynamicLight::UpdateLocation (this=0x61a0007bd280) at /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:426
oldx = 658.50681053643609
oldy = 687.0952360740946
oldradius = 128
intensity = 64
__PRETTY_FUNCTION__ = "void ADynamicLight::UpdateLocation()"
#11 0x0000000000923788 in ADynamicLight::Tick (this=0x61a0007bd280) at /home/edward-san/zdoom/gzdoom/trunk/src/gl/dynlights/a_dynlight.cpp:365
No locals.
#12 0x0000000000c16abc in AF_DThinker_Tick (param=0x7fffffffc7e0, defaultparam=..., numparam=1, ret=0x0, numret=0) at /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:549
paramnum = <error reading variable paramnum (Cannot access memory at address 0xffffffffffffffc0)>
__PRETTY_FUNCTION__ = "int AF_DThinker_Tick(VMValue*, TArray<VMValue>&, int, VMReturn*, int)"
self = 0x61a0007bd280
#13 0x0000000001321af9 in VMFrameStack::Call (this=0x7ffff7f30928, func=0x60800002be20, params=0x7fffffffc7e0, numparams=1, results=0x0, numresults=0, trap=0x0) at /home/edward-san/zdoom/gzdoom/trunk/src/scripting/vm/vmframe.cpp:462
__PRETTY_FUNCTION__ = "int VMFrameStack::Call(VMFunction*, VMValue*, int, VMReturn*, int, VMException**)"
allocated = false
#14 0x0000000000c16ce6 in DThinker::CallTick (this=0x61a0007bd280) at /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:559
params = {{{i = 8114816, {a = 0x61a0007bd280, atag = 1}, f = 5.3032922817055894e-310, {pad = {8114816, 24992, 1}, Type = 3 '\003'}, biggest = {foo = {8114816, 24992, 1, 3}}}}}
VIndex = 0
__PRETTY_FUNCTION__ = "void DThinker::CallTick()"
clss = 0x615000000d00
func = 0x60800002be20
#15 0x0000000000c1677c in DThinker::TickThinkers (list=0x2d22ac0 <DThinker::Thinkers+512>, dest=0x0) at /home/edward-san/zdoom/gzdoom/trunk/src/dthinker.cpp:527
count = 11
node = 0x61a0007bd280
At first I saw this in QZDoom with the new dynlights feature; then I found out it also happens in GZDoom.
I think there are some problems with the function ADynamicLight::CollectWithinRadius: 1) the inner loop with the subsector numlines has the same counter variable name as the main loop, 2) 'pos' can be invalidated when the collected_ss array pushes a new element and that's what the address sanitizer doesn't like.
[edit] Should be fixed with this PR, but I didn't check other situations involving lights.
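As an added example (not GZDoom's code and not part of the original post), here is a minimal C++ reconstruction of the second problem described in the report: a growable array whose Push reallocates its buffer, a reference into that buffer that goes stale, and the index-based loop with a by-value copy that avoids the dangling read. GrowArray, LightLinkEntry, Vec3, CollectReachable and the adjacency list are hypothetical stand-ins for TArray<LightLinkEntry>, collected_ss and the subsector loop in CollectWithinRadius; the growth policy and the sample input are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

struct Vec3 { double x, y, z; };
struct LightLinkEntry { int subsector; Vec3 pos; };

// Hypothetical stand-in for TArray<LightLinkEntry>: capacity doubles on
// demand, and growth allocates a new block, copies, and frees the old one
// (what realloc does whenever it cannot extend the block in place).
class GrowArray {
public:
    GrowArray() : data_(nullptr), count_(0), most_(0) {}
    ~GrowArray() { std::free(data_); }
    GrowArray(const GrowArray&) = delete;
    GrowArray& operator=(const GrowArray&) = delete;

    std::size_t Size() const { return count_; }
    LightLinkEntry& operator[](std::size_t i) { return data_[i]; }

    std::size_t Push(const LightLinkEntry& e) {
        if (count_ >= most_) Grow(1);
        data_[count_] = e;
        return count_++;
    }

private:
    void Grow(std::size_t amount) {
        std::size_t want = count_ + amount;
        std::size_t nm = most_ ? most_ : 1;
        while (nm < want) nm *= 2;
        most_ = nm;
        DoResize();
    }
    void DoResize() {
        // Every pointer or reference into the old buffer dangles after this.
        LightLinkEntry* fresh =
            static_cast<LightLinkEntry*>(std::malloc(most_ * sizeof(LightLinkEntry)));
        if (!fresh) std::abort();
        if (count_) std::memcpy(fresh, data_, count_ * sizeof(LightLinkEntry));
        std::free(data_);
        data_ = fresh;
    }
    LightLinkEntry* data_;
    std::size_t count_, most_;
};

// The pattern ASan flagged: a reference taken into the array before a Push.
// Returns true when the Push moved the buffer, i.e. `pos` now refers to freed
// memory. Only addresses are compared; dereferencing `pos` after the Push
// would be the heap-use-after-free itself.
bool PushInvalidatesReference() {
    GrowArray arr;
    arr.Push({0, {1.0, 2.0, 3.0}});   // capacity becomes 1
    const Vec3& pos = arr[0].pos;     // alias into the buffer, like opos in the trace
    const Vec3* before = &pos;
    arr.Push({1, {4.0, 5.0, 6.0}});   // capacity 1 -> 2: buffer moves
    return &arr[0].pos != before;
}

// Fixed pattern, addressing both problems from the report: iterate by index
// (re-reading Size() because Push appends), use a distinct inner counter, and
// copy the position out of the element before any Push can reallocate.
// `adj` is a hypothetical subsector adjacency list.
std::size_t CollectReachable(GrowArray& collected,
                             const std::vector<std::vector<int>>& adj,
                             std::vector<bool>& seen) {
    for (std::size_t i = 0; i < collected.Size(); ++i) {
        const Vec3 pos = collected[i].pos;   // by value: survives a Push
        const int ss = collected[i].subsector;
        for (std::size_t j = 0; j < adj[ss].size(); ++j) {   // `j`, not a second `i`
            const int next = adj[ss][j];
            if (seen[next]) continue;
            seen[next] = true;
            collected.Push({next, pos});     // may reallocate; pos is still valid
        }
    }
    return collected.Size();
}

// Constructed input: four subsectors, light starts in 0; 0->{1,2}, 1->{3}, 2->{3}.
std::size_t DemoCollect() {
    GrowArray collected;
    std::vector<std::vector<int>> adj = {{1, 2}, {3}, {3}, {}};
    std::vector<bool> seen(adj.size(), false);
    seen[0] = true;
    collected.Push({0, {668.4, 687.4, 124.4}});
    return CollectReachable(collected, adj, seen);   // 4: every subsector reached
}

int main() {
    std::printf("push moved buffer: %s\n", PushInvalidatesReference() ? "yes" : "no");
    std::printf("entries collected: %zu\n", DemoCollect());
    return 0;
}
```

The first function shows why the reference reported at `pos = @0x615000148108` in the backtrace stops being valid: the buffer is moved during the very Push that the reference's owner loop is still iterating. Building the same program with `-fsanitize=address` and reading through the stale reference would reproduce the heap-use-after-free report; the fixed walk never holds anything into the buffer across a Push.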