| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0004982 | Spring engine | General | public | 2015-10-14 01:05 | 2015-11-27 08:03 | ||||
| Reporter | abma | ||||||||
| Assigned To | jK | ||||||||
| Priority | normal | Severity | crash | Reproducibility | have not tried | ||||
| Status | resolved | Resolution | fixed | ||||||
| Product Version | 100.0+git | ||||||||
| Target Version | 101.0 | Fixed in Version | |||||||
| Summary | 0004982: "use after free" in rts/Sim/Misc/LosMap.cpp:36 | ||||||||
| Description | validation test crashes, i.e. http://buildbot.springrts.com/builders/validationtests/builds/4875/steps/analyze%20core%20dumps_4/logs/stdio *** Error in `/tmp/spring/tests/usr/local/bin/spring-headless': free(): invalid next size (normal): 0x00000000061a5040 *** | ||||||||
| Additional Information | #0 0x00007f0c7dde9cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 resultvar = 0 pid = 6388 selftid = 6388 #1 0x00007f0c7dded0d8 in __GI_abort () at abort.c:89 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x400000039, sa_sigaction = 0x400000039}, sa_mask = {__val = {17, 0, 0, 3544388123678998528, 140722389797776, 18446744073709551615, 0, 10877715, 140722389798152, 4294967295, 127, 140722389798384, 139691631771616, 0, 140722389798384, 140722389798384}}, sa_flags = 2081312240, sa_restorer = 0x7ffc7c0e4df0} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x00007f0c7de26394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f0c7df34b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 ap = {{gp_offset = 40, fp_offset = 0, overflow_arg_area = 0x7ffc7c0e4e40, reg_save_area = 0x7ffc7c0e4dd0}} fd = 2 on_2 = <optimized out> list = <optimized out> nlist = <optimized out> cp = <optimized out> written = <optimized out> 0000003 0x00007f0c7de3266e in malloc_printerr (ptr=<optimized out>, str=0x7f0c7df34cc8 "free(): invalid next size (fast)", action=1) at malloc.c:4996 buf = "0000000004e25a10" cp = <optimized out> 0000004 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840 size = <optimized out> fb = <optimized out> nextchunk = <optimized out> nextsize = <optimized out> nextinuse = <optimized out> prevsize = <optimized out> bck = <optimized out> fwd = <optimized out> errstr = <optimized out> locked = <optimized out> 0000005 0x00000000004bd06d in ~basic_string (this=0x50f3a10, __in_chrg=<optimized out>) at /usr/include/c++/4.8/bits/basic_string.h:539 No locals. #6 ~pair (this=0x50f3a10, __in_chrg=<optimized out>) at /usr/include/c++/4.8/bits/stl_pair.h:96 No locals. #7 ~_Rb_tree_node (this=0x50f39f0, __in_chrg=<optimized out>) at /usr/include/c++/4.8/bits/stl_tree.h:131 No locals. #8 destroy<std::_Rb_tree_node<std::pair<std::basic_string<char> const, int> > > (this=<optimized out>, __p=0x50f39f0) at /usr/include/c++/4.8/ext/new_allocator.h:124 No locals. #9 _M_destroy_node (this=0x479eba0, __p=0x50f39f0) at /usr/include/c++/4.8/bits/stl_tree.h:421 No locals. 0000010 std::_Rb_tree<std::string, std::pair<std::string const, int>, std::_Select1st<std::pair<std::string const, int> >, std::less<std::string>, std::allocator<std::pair<std::string const, int> > >::_M_erase (this=this@entry=0x479eba0, __x=0x50f39f0) at /usr/include/c++/4.8/bits/stl_tree.h:1127 No locals. #11 0x00000000004bd057 in std::_Rb_tree<std::string, std::pair<std::string const, int>, std::_Select1st<std::pair<std::string const, int> >, std::less<std::string>, std::allocator<std::pair<std::string const, int> > >::_M_erase (this=this@entry=0x479eba0, __x=0x4d39550) at /usr/include/c++/4.8/bits/stl_tree.h:1125 No locals. 0000012 0x00000000004bd057 in std::_Rb_tree<std::string, std::pair<std::string const, int>, std::_Select1st<std::pair<std::string const, int> >, std::less<std::string>, std::allocator<std::pair<std::string const, int> > >::_M_erase (this=this@entry=0x479eba0, __x=0x50f3910) at /usr/include/c++/4.8/bits/stl_tree.h:1125 No locals. 0000013 0x00000000004bd057 in std::_Rb_tree<std::string, std::pair<std::string const, int>, std::_Select1st<std::pair<std::string const, int> >, std::less<std::string>, std::allocator<std::pair<std::string const, int> > >::_M_erase (this=this@entry=0x479eba0, __x=0x519cca0) at /usr/include/c++/4.8/bits/stl_tree.h:1125 No locals. 0000014 0x00000000004bd057 in std::_Rb_tree<std::string, std::pair<std::string const, int>, std::_Select1st<std::pair<std::string const, int> >, std::less<std::string>, std::allocator<std::pair<std::string const, int> > >::_M_erase (this=0x479eba0, __x=0x4dd7940) at /usr/include/c++/4.8/bits/stl_tree.h:1125 No locals. #15 0x00000000004b347e in SafeDelete<C3DOTextureHandler*> (a=<optimized out>) at ../../rts/System/Util.h:197 tmp = 0x479eba0 #16 CGame::KillRendering (this=0x1f6cfd0) at ../../rts/Game/Game.cpp:810 __FUNCTION__ = "KillRendering" #17 0x00000000004bbcd3 in CGame::~CGame (this=0x1f6cfd0, __in_chrg=<optimized out>) at ../../rts/Game/Game.cpp:344 No locals. #18 0x00000000004bbdf9 in CGame::~CGame (this=0x1f6cfd0, __in_chrg=<optimized out>) at ../../rts/Game/Game.cpp:358 No locals. #19 0x000000000077842e in SafeDelete<CGame*> (a=<optimized out>) at ../../rts/System/Util.h:197 tmp = 0x18f4 0000020 SpringApp::ShutDown () at ../../rts/System/SpringApp.cpp:1013 numCalls = 1 __FUNCTION__ = "ShutDown" #21 0x00000000007786f8 in SpringApp::Run (this=this@entry=0x7ffc7c0e5220) at ../../rts/System/SpringApp.cpp:985 __FUNCTION__ = "Run" #22 0x0000000000751ae5 in Run (argc=3, argv=0x7ffc7c0e5488) at ../../rts/System/Main.cpp:48 app = {cmdline = {px = 0x1d7b620, pn = {pi_ = 0x1d7b950}}, clientSetup = {px = 0x263b910, pn = {pi_ = 0x1dcfb10}}} ret = -1 err = <optimized out> #23 0x00007f0c7ddd4ec5 in __libc_start_main (main=0x4664c0 <main(int, char**)>, argc=3, argv=0x7ffc7c0e5488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc7c0e5478) at libc-start.c:287 result = <optimized out> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 4345687302918502483, 4787120, 140722389800064, 0, 0, -4344280875756554157, -4443363805059352493}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0xa3c570 <__libc_csu_init>, 0x7ffc7c0e5488}, data = {prev = 0x0, cleanup = 0x0, canceltype = 10732912}}} not_first_call = <optimized out> 0000024 0x0000000000490bd9 in _start () | ||||||||
| Tags | No tags attached. | ||||||||
| Checked infolog.txt for Errors | |||||||||
| Attached Files |
| ||||||||
 Relationships |
|
 Relationships |
| Notes |
|
|
abma (administrator) 2015-10-29 23:35 Last edited: 2015-10-29 23:35 |
http://buildbot.springrts.com/builders/validationtests/builds/4902/steps/validation%20test_1/logs/stdio addr2line -e /tmp/spring/tests/usr/local/bin/spring-headless 0xfb6408 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosMap.cpp:36 0xfbcf2b /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosMap.cpp:490 0xfb94d0 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosMap.cpp:648 0xfba894 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosMap.cpp:439 0xa2a3b7 /usr/include/c++/4.8/functional:1296 0xa1fdbe /usr/include/boost/thread/future.hpp:2218 0xde90f4 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/ThreadPool.cpp:145 0xfa3a55 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/ThreadPool.h:116 0xfa5d83 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/ThreadPool.h:325 (discriminator 1) 0xfa6e8c /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosHandler.cpp:651 0xa2a3b7 /usr/include/c++/4.8/functional:1296 0xa1fdbe /usr/include/boost/thread/future.hpp:2218 0xde90f4 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/ThreadPool.cpp:145 0xfa3a55 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/ThreadPool.h:116 0xfa400d /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/ThreadPool.h:325 0x5e5821 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/Game.cpp:1566 0x847880 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Net/NetCommands.cpp:506 0x5f98f7 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/Game.cpp:1005 0xdab0ed /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/SpringApp.cpp:949 0xdb4fcf /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/SpringApp.cpp:985 0xd478e4 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/Main.cpp:48 |
|
abma (administrator) 2015-10-29 23:38 |
is more info needed? |
|
abma (administrator) 2015-10-29 23:51 |
this very likely doesn't work when multiple threads are accessing the same vector: https://github.com/spring/spring/blob/develop/rts/Sim/Misc/LosMap.cpp#L32 std::vector::push_back: "This effectively increases the container size by one, which causes an automatic reallocation of the allocated storage space if -and only if- the new vector size surpasses the current vector capacity." http://www.cplusplus.com/reference/vector/vector/push_back/ |
|
jK (developer) 2015-11-01 13:42 |
Fix 9b75b21ea9ed872db98c55c46633ce3ebd2a345f committed to develop branch: fix 0004982: fix mutex, repo: spring changeset id: 5743 |
|
abma (administrator) 2015-11-19 22:18 |
Fix 503334c6eb76c32ac193d9ffc0dbfbce2b2aeff3 committed to loshandlerspeedup branch: Revert "Revert "fix 0004982: fix mutex"" This reverts commit 502d716e5b04595c7d13dc18b051f98a67b62773., repo: spring changeset id: 5792 |
|
jK (developer) 2015-11-27 08:03 |
Fix e78699cd87b6a19a5d1bfefa227885146263d724 committed to develop branch: Revert "Revert "fix 0004982: fix mutex"" This reverts commit 68ce14d33af5a6e40c73001b0987f29505c274bc., repo: spring changeset id: 5834 |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2015-10-14 01:05 | abma | New Issue | |
| 2015-10-14 01:06 | abma | Description Updated | View Revisions |
| 2015-10-29 23:35 | abma | Note Added: 0015303 | |
| 2015-10-29 23:35 | abma | Note Edited: 0015303 | View Revisions |
| 2015-10-29 23:38 | abma | Assigned To | => jK |
| 2015-10-29 23:38 | abma | Status | new => assigned |
| 2015-10-29 23:38 | abma | Note Added: 0015304 | |
| 2015-10-29 23:46 | abma | Summary | crash in LosMap.h:17 => "use after free" in rts/Sim/Misc/LosMap.cpp:36 |
| 2015-10-29 23:51 | abma | Note Added: 0015305 | |
| 2015-11-01 13:42 | jK | Changeset attached | => spring develop 9b75b21e |
| 2015-11-01 13:42 | jK | Note Added: 0015308 | |
| 2015-11-01 13:42 | jK | Status | assigned => resolved |
| 2015-11-01 13:42 | jK | Resolution | open => fixed |
| 2015-11-19 22:18 | abma | Changeset attached | => spring loshandlerspeedup 68ce14d3 |
| 2015-11-19 22:18 | abma | Changeset attached | => spring loshandlerspeedup 503334c6 |
| 2015-11-19 22:18 | abma | Note Added: 0015338 | |
| 2015-11-19 22:18 | abma | Assigned To | jK => abma |
| 2015-11-27 08:03 | jK | Changeset attached | => spring develop e78699cd |
| 2015-11-27 08:03 | jK | Note Added: 0015346 | |
| 2015-11-27 08:03 | jK | Assigned To | abma => jK |
| Issue History |