0004984: heap overflow in rts/Sim/Misc/LosMap.cpp:433

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0004984

Spring engine

General

public

2015-11-01 00:44

2015-11-27 08:03

Reporter

abma

Assigned To

Priority

normal

Severity

crash

Reproducibility

have not tried

Status

resolved

Resolution

fixed

Product Version

100.0

Target Version

101.0

Fixed in Version

Summary

0004984: heap overflow in rts/Sim/Misc/LosMap.cpp:433

Description

==7373==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300008c7fe at pc 0x000001221574 bp 0x7f96edf3fe80 sp 0x7f96edf3fe70
READ of size 2 at 0x63300008c7fe thread T4 (worker2)
    #0 0x1221573 in CLosMap::AddRaycast(SLosInstance*, int) rts/Sim/Misc/LosMap.cpp:433
    #1 0x1217ac8 in ILosType::LosAdd(SLosInstance*) rts/Sim/Misc/LosHandler.cpp:219
    #2 0x1217ac8 in ILosType::Update() rts/Sim/Misc/LosHandler.cpp:474
    0000003 0x1219244 in operator() rts/Sim/Misc/LosHandler.cpp:651
    0000004 0x1219244 in _M_invoke /usr/include/c++/5/functional:1871
    0000005 0x95c262 in std::function<void (int)>::operator()(int) const /usr/include/c++/5/functional:2271
    #6 0x95c262 in void std::_Bind<std::function<void (int)> (int)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/include/c++/5/functional:1074
    #7 0x95c262 in void std::_Bind<std::function<void (int)> (int)>::operator()<, void>() /usr/include/c++/5/functional:1133
    #8 0x95c262 in boost::detail::task_shared_state<std::_Bind<std::function<void (int)> (int)>, void>::do_run() /usr/include/boost/thread/future.hpp:2917
    #9 0x953a12 in std::_Function_handler<void (), TaskGroup<std::function<void (int)> const, int const>::enqueue(std::function<void (int)> const&, int const&)::{lambda()#1}>::_M_invoke(std::_Any_data const&) (/mnt/tmp/home/dev/spring/develop/spring+0x953a12)
    0000010 0xd24c4a in std::function<void ()>::operator()() const /usr/include/c++/5/functional:2271
    #11 0xd24c4a in DoTask rts/System/ThreadPool.cpp:105
    0000012 0xd24c4a in WorkerLoop rts/System/ThreadPool.cpp:165
    0000013 0x7f97001a3bc4 (/usr/lib/x86_64-linux-gnu/libboost_thread.so.1.58.0+0x10bc4)
    0000014 0x7f9702aaa6a9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76a9)
    #15 0x7f96ff1a1eec in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106eec)

0x63300008c7fe is located 2 bytes to the left of 102400-byte region [0x63300008c800,0x6330000a5800)
allocated by thread T0 (unknown) here:
    #0 0x7f97030648b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    #1 0x12144c6 in __gnu_cxx::new_allocator<unsigned short>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x12144c6 in std::allocator_traits<std::allocator<unsigned short> >::allocate(std::allocator<unsigned short>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:360
    0000003 0x12144c6 in std::_Vector_base<unsigned short, std::allocator<unsigned short> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    0000004 0x12144c6 in std::_Vector_base<unsigned short, std::allocator<unsigned short> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    0000005 0x12144c6 in std::_Vector_base<unsigned short, std::allocator<unsigned short> >::_Vector_base(unsigned long, std::allocator<unsigned short> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x12144c6 in std::vector<unsigned short, std::allocator<unsigned short> >::vector(std::vector<unsigned short, std::allocator<unsigned short> > const&) /usr/include/c++/5/bits/stl_vector.h:320
    #7 0x12144c6 in CLosMap::CLosMap(CLosMap const&) rts/Sim/Misc/LosMap.h:17
    #8 0x12144c6 in void std::_Construct<CLosMap, CLosMap const&>(CLosMap*, CLosMap const&) /usr/include/c++/5/bits/stl_construct.h:75
    #9 0x12144c6 in CLosMap* std::__uninitialized_fill_n<false>::__uninit_fill_n<CLosMap*, unsigned long, CLosMap>(CLosMap*, unsigned long, CLosMap const&) /usr/include/c++/5/bits/stl_uninitialized.h:202
    0000010 0x12144c6 in CLosMap* std::uninitialized_fill_n<CLosMap*, unsigned long, CLosMap>(CLosMap*, unsigned long, CLosMap const&) /usr/include/c++/5/bits/stl_uninitialized.h:247
    #11 0x12144c6 in CLosMap* std::__uninitialized_fill_n_a<CLosMap*, unsigned long, CLosMap, CLosMap>(CLosMap*, unsigned long, CLosMap const&, std::allocator<CLosMap>&) /usr/include/c++/5/bits/stl_uninitialized.h:358
    0000012 0x12144c6 in std::vector<CLosMap, std::allocator<CLosMap> >::_M_fill_initialize(unsigned long, CLosMap const&) /usr/include/c++/5/bits/stl_vector.h:1301
    0000013 0x12144c6 in std::vector<CLosMap, std::allocator<CLosMap> >::vector(unsigned long, CLosMap const&, std::allocator<CLosMap> const&) /usr/include/c++/5/bits/stl_vector.h:292
    0000014 0x12144c6 in ILosType::ILosType(int, ILosType::LosType) rts/Sim/Misc/LosHandler.cpp:83

Thread T4 (worker2) created by T0 (unknown) here:
    #0 0x7f97030016a3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x366a3)
    #1 0x7f97001a2ed8 in boost::thread::start_thread_noexcept() (/usr/lib/x86_64-linux-gnu/libboost_thread.so.1.58.0+0xfed8)

SUMMARY: AddressSanitizer: heap-buffer-overflow rts/Sim/Misc/LosMap.cpp:433 CLosMap::AddRaycast(SLosInstance*, int)
Shadow bytes around the buggy address:
  0x0c66800098a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c66800098b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c66800098c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c66800098d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c66800098e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c66800098f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c6680009900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6680009910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6680009920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6680009930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c6680009940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==7373==ABORTING

Steps To Reproduce

compile 100.0.1-275-g9046711 spring with -fsanitize=address

build same air scouts

Notes
~0015312 abma (administrator) 2015-11-01 17:48 Last edited: 2015-11-01 17:48 View 2 revisions	a similar one exists in LosMap.cpp:410, too: 0xfe7718 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosMap.cpp:410 0xfd9f7f /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosHandler.cpp:219 0xfdbdee /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Misc/LosHandler.cpp:651 0xa4372b /usr/include/c++/4.8/functional:1296 0xa38f3b /usr/include/boost/thread/future.hpp:2218 http://buildbot.springrts.com/builders/validationtests/builds/4911/steps/validation%20test_6/logs/stdio

~0015348 jK (developer) 2015-11-27 08:03	Fix 65d8b7823d11ebf25361a8783372bf3c68754170 committed to develop branch: fix 0004984: broken mutexing in LosMap, repo: spring changeset id: 5836

Date Modified	Username	Field	Change
Issue History
2015-11-01 00:44	abma	New Issue
2015-11-01 00:44	abma	Status	new => assigned
2015-11-01 00:44	abma	Assigned To	=> jK
2015-11-01 17:48	abma	Note Added: 0015312
2015-11-01 17:48	abma	Note Edited: 0015312	View Revisions
2015-11-27 08:03	jK	Changeset attached	=> spring develop 65d8b782
2015-11-27 08:03	jK	Note Added: 0015348
2015-11-27 08:03	jK	Status	assigned => resolved
2015-11-27 08:03	jK	Resolution	open => fixed

Relationships