0004998: use after free in rts/Game/GameHelper.cpp:662

ID	Project	Category	View Status	Date Submitted	Last Update
0004998	Spring engine	General	public	2015-11-22 13:45	2016-01-14 01:44

Reporter	abma	Assigned To	hokomoko
Priority	normal	Severity	crash	Reproducibility	have not tried
Status	resolved	Resolution	fixed
Product Version	100.0+git
Target Version	101.0

Summary	0004998: use after free in rts/Game/GameHelper.cpp:662
Description	http://buildbot.springrts.com/builders/validationtests/builds/4941/steps/validation%20test_4/logs/stdio
Additional Information	READ of size 4 at 0x605203805a78 thread T0 (unknown) 0x60ccff 0x1366735 0x1366dfe 0x12bea88 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/GameHelper.cpp:662 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Weapons/Weapon.cpp:640 (discriminator 3) /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Weapons/Weapon.cpp:715 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/Unit.cpp:1168 0x1313735 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/UnitHandler.cpp:265 0x5ec144 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/Game.cpp:1560 0x858be9 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Net/NetCommands.cpp:506 0x600ddd /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/Game.cpp:1005 0xddb62b /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/SpringApp.cpp:952 0xde59c7 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/SpringApp.cpp:988 0xd75c84 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/Main.cpp:48 0x57c393 ??:? freed by thread T0 (unknown) here: 0x131286d /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/UnitHandler.cpp:155 0x1312d85 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/UnitHandler.cpp:193 0x5ec144 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/Game.cpp:1560 0x858be9 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Net/NetCommands.cpp:506 0x600ddd /home/buildbot/zydox-fedora/build/build/validation/../../rts/Game/Game.cpp:1005 0xddb62b /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/SpringApp.cpp:952 0xde59c7 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/SpringApp.cpp:988 0xd75c84 /home/buildbot/zydox-fedora/build/build/validation/../../rts/System/Main.cpp:48 previously allocated by thread T0 (unknown) here: 0x131c988 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/UnitLoader.cpp:78 0x13233e0 /home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/UnitTypes/Builder.cpp:698 0x122a5fb #/home/buildbot/zydox-fedora/build/build/validation/../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:636
Tags	No tags attached.

Checked infolog.txt for Errors

abma 2015-11-22 14:23 administrator ~0015339	https://springrts.com/dl/buildbot/validation/develop/100.0.1-337-gc51dbda/validation/%5bvalidation%5d%7bdevelop%7d100.0.1-337-gc51dbda2015-11-22_06-37-24-dbg.7z

abma 2015-11-22 14:48 administrator ~0015340	can't reproduce with demo :-\|

Kloot 2015-11-22 14:54 developer ~0015341 Last edited: 2015-11-22 15:04	There is no use-after-free possible here afaics, unless quadfield contains stale pointers.

abma 2015-11-22 15:20 administrator ~0015342	for the reference: https://github.com/spring/spring/blob/100.0.1-337-gc51dbda/rts/Game/GameHelper.cpp#L662

abma 2015-11-22 15:20 administrator ~0015343	i guess more info is needed to be useful, i'll leave this open for a while, maybe it can be somehow reproduced.

abma 2015-12-08 11:54 administrator ~0015366 Last edited: 2015-12-08 11:56	seems to still happen: http://buildbot.springrts.com/builders/validationtests/builds/4961/steps/validation%20test_4/logs/stdio https://github.com/spring/spring/blob/f7915581746b941cd319c0e5b63c0799c2c1face/rts/Game/GameHelper.cpp#L665 https://springrts.com/dl/buildbot/validation/develop/100.0.1-444-gf791558/validation/%5bvalidation%5d%7bdevelop%7d100.0.1-444-gf7915582015-12-08_11-29-43-dbg.7z damn, demo files are 0 bytes! :-\|

abma 2016-01-04 09:59 administrator ~0015442	last time this error happened was here: http://buildbot.springrts.com/builders/validationtests/builds/5007/steps/validation%20test_6/logs/stdio sadly without any new info :-\| i've updated to gcc 5.2.1 on the buildslave, let's see what happens.

hokomoko 2016-01-14 01:05 developer ~0015509	I suspect the issue was that when a unit was given to another team, it was only removed from the quadfield after its allyteam was changed, so it tried to remove itself from the wrong vector. Fixed in https://github.com/spring/spring/commit/ec7b78616b20a8052186d77e203d33a0406d0ea4

Date Modified	Username	Field	Change
2015-11-22 13:45	abma	New Issue
2015-11-22 14:23	abma	Note Added: 0015339
2015-11-22 14:48	abma	Note Added: 0015340
2015-11-22 14:49	Kloot	Assigned To	=> Kloot
2015-11-22 14:49	Kloot	Status	new => assigned
2015-11-22 14:52	Kloot	Assigned To	Kloot =>
2015-11-22 14:54	Kloot	Note Added: 0015341
2015-11-22 15:04	Kloot	Note Edited: 0015341
2015-11-22 15:20	abma	Note Added: 0015342
2015-11-22 15:20	abma	Note Added: 0015343
2015-11-22 15:20	abma	Status	assigned => feedback
2015-12-08 11:54	abma	Note Added: 0015366
2015-12-08 11:54	abma	Status	feedback => new
2015-12-08 11:55	abma	Note Edited: 0015366
2015-12-08 11:56	abma	Note Edited: 0015366
2016-01-04 09:59	abma	Note Added: 0015442
2016-01-14 01:02	hokomoko	Changeset attached	=> spring develop ec7b7861
2016-01-14 01:05	hokomoko	Note Added: 0015509
2016-01-14 01:44	hokomoko	Status	new => resolved
2016-01-14 01:44	hokomoko	Resolution	open => fixed
2016-01-14 01:44	hokomoko	Assigned To	=> hokomoko

View Issue Details

Activities

Issue History