2019-12-08 14:14 CET

View Issue Details

ID: 0005034
Project: Spring engine
Category: General
View Status: public
Last Update: 2016-01-14 12:45
Reporter: abma
Assigned To: hokomoko
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 100.0+git
Target Version: 101.0
Fixed in Version:
Summary: 0005034: use after free in rts/Sim/Units/Scripts/UnitScript.cpp:484 / crash at exit
Description: validation test fails:

http://buildbot.springrts.com/builders/validationtests/builds/5081/steps/validation%20test_6/logs/stdio
Additional Information:

==20103==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500035e1ec at pc 0x0000011fdcd7 bp 0x7fffa25e61a0 sp 0x7fffa25e6190
READ of size 4 at 0x61500035e1ec thread T0 (unknown)
    0 0x11fdcd6 in CUnitScript::MoveNow(int, int, float) ../../rts/Sim/Units/Scripts/UnitScript.cpp:484
    1 0x11e8e1c in CCobInstance::MoveNow(int, int, int) ../../rts/Sim/Units/Scripts/CobInstance.h:102
    2 0x11e8e1c in CCobThread::Tick() ../../rts/Sim/Units/Scripts/CobThread.cpp:575
    3 0x11dd799 in CCobInstance::RealCall(int, std::vector<int, std::allocator<int> >&, void (*)(int, void*, void*), void*, void*) ../../rts/Sim/Units/Scripts/CobInstance.cpp:504
    4 0x11ddf23 in CCobInstance::Call(int, std::vector<int, std::allocator<int> >&, void (*)(int, void*, void*), void*, void*) ../../rts/Sim/Units/Scripts/CobInstance.cpp:589
    5 0x11ddf23 in CCobInstance::Call(int) ../../rts/Sim/Units/Scripts/CobInstance.cpp:571
    6 0x128a3f0 in CFactory::StopBuild() ../../rts/Sim/Units/UnitTypes/Factory.cpp:302
    7 0x128a686 in CFactory::DependentDied(CObject*) ../../rts/Sim/Units/UnitTypes/Factory.cpp:321
    8 0xcae0e8 in CObject::~CObject() ../../rts/System/Object.cpp:51
    9 0x122d6ac in CWorldObject::~CWorldObject() ../../rts/Sim/Objects/WorldObject.h:38
    10 0x122d6ac in CSolidObject::~CSolidObject() ../../rts/Sim/Objects/SolidObject.h:96
    11 0x122d6ac in CUnit::~CUnit() ../../rts/Sim/Units/Unit.cpp:193
    12 0x122da60 in CUnit::~CUnit() ../../rts/Sim/Units/Unit.cpp:246
    13 0x12668df in CUnitHandler::~CUnitHandler() ../../rts/Sim/Units/UnitHandler.cpp:88
    14 0x5346a5 in void SafeDelete<CUnitHandler*>(CUnitHandler*&) ../../rts/System/Util.h:227
    15 0x5346a5 in CGame::KillSimulation() ../../rts/Game/Game.cpp:815
    16 0x53ebfb in CGame::~CGame() ../../rts/Game/Game.cpp:330
    17 0x53ee70 in CGame::~CGame() ../../rts/Game/Game.cpp:342
    18 0xd097b7 in void SafeDelete<CGame*>(CGame*&) ../../rts/System/Util.h:227
    19 0xd097b7 in SpringApp::ShutDown() ../../rts/System/SpringApp.cpp:1034
    20 0xd0d844 in SpringApp::ShutDown() ../../rts/System/SpringApp.cpp:1007
    21 0xd0d844 in SpringApp::Run() ../../rts/System/SpringApp.cpp:1003
    22 0xca047b in Run(int, char**) ../../rts/System/Main.cpp:48
    23 0x7f90abd0aa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    24 0x4d5618 in _start (/tmp/spring/tests/usr/local/bin/spring-headless+0x4d5618)

0x61500035e1ec is located 236 bytes inside of 480-byte region [0x61500035e100,0x61500035e2e0)
freed by thread T0 (unknown) here:
    0 0x7f90ae59feaa in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99eaa)
    1 0xb10ec9 in S3DModel::DeletePieces(S3DModelPiece*) ../../rts/Rendering/Models/3DModel.cpp:54
    2 0xb10ec9 in S3DModel::DeletePieces(S3DModelPiece*) ../../rts/Rendering/Models/3DModel.cpp:54
    3 0xb3a875 in C3DModelLoader::~C3DModelLoader() ../../rts/Rendering/Models/IModelParser.cpp:197
    4 0xbfe0a5 in void SafeDelete<C3DModelLoader*>(C3DModelLoader*&) ../../rts/System/Util.h:227
    5 0xbfe0a5 in CWorldDrawer::~CWorldDrawer() ../../rts/Rendering/WorldDrawer.cpp:74
    6 0x52a77f in void SafeDelete<CWorldDrawer*>(CWorldDrawer*&) ../../rts/System/Util.h:227
    7 0x52a77f in CGame::KillRendering() ../../rts/Game/Game.cpp:769
    8 0x53ebeb in CGame::~CGame() ../../rts/Game/Game.cpp:328
    9 0x53ee70 in CGame::~CGame() ../../rts/Game/Game.cpp:342
    10 0xd097b7 in void SafeDelete<CGame*>(CGame*&) ../../rts/System/Util.h:227
    11 0xd097b7 in SpringApp::ShutDown() ../../rts/System/SpringApp.cpp:1034
    12 0xd0d844 in SpringApp::ShutDown() ../../rts/System/SpringApp.cpp:1007
    13 0xd0d844 in SpringApp::Run() ../../rts/System/SpringApp.cpp:1003
    14 0xca047b in Run(int, char**) ../../rts/System/Main.cpp:48
    15 0x7f90abd0aa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T5 here:
    0 0x7f90ae59f8b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    1 0xb689a2 in CS3OParser::LoadPiece(S3DModel*, SS3OPiece*, unsigned char*, int) ../../rts/Rendering/Models/S3OParser.cpp:62
    2 0xb69cb4 in CS3OParser::LoadPiece(S3DModel*, SS3OPiece*, unsigned char*, int) ../../rts/Rendering/Models/S3OParser.cpp:117
    3 0xb69cb4 in CS3OParser::LoadPiece(S3DModel*, SS3OPiece*, unsigned char*, int) ../../rts/Rendering/Models/S3OParser.cpp:117
    4 0xb6b0c6 in CS3OParser::Load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../rts/Rendering/Models/S3OParser.cpp:43
    5 0xb3d5c5 in C3DModelLoader::ParseModel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../rts/Rendering/Models/IModelParser.cpp:334
    6 0xb3d830 in C3DModelLoader::CreateModel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../rts/Rendering/Models/IModelParser.cpp:301
    7 0xb3e6c3 in C3DModelLoader::Load3DModel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, bool) ../../rts/Rendering/Models/IModelParser.cpp:268
    8 0xb3e957 in LoadQueue::Pump() ../../rts/Rendering/Models/IModelParser.cpp:129
    9 0x7f90acdf2bc4 (/usr/lib/x86_64-linux-gnu/libboost_thread.so.1.58.0+0x10bc4)

Thread T5 created by T0 (unknown) here:
    0 0x7f90ae53c6a3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x366a3)
    1 0x7f90acdf1ed8 in boost::thread::start_thread_noexcept() (/usr/lib/x86_64-linux-gnu/libboost_thread.so.1.58.0+0xfed8)
    2 0x12253c7 in CUnit::PreInit(UnitLoadParams const&) ../../rts/Sim/Units/Unit.cpp:283
    3 0x1272bb6 in CUnitLoader::LoadUnit(UnitLoadParams const&) ../../rts/Sim/Units/UnitLoader.cpp:95
    4 0x854da0 in LuaSyncedCtrl::CreateUnit(lua_State*) ../../rts/Lua/LuaSyncedCtrl.cpp:1255
    5 0x134c12f in luaD_precall(lua_State*, lua_TValue*, int) ../../rts/lib/lua/src/ldo.cpp:320
    6 0x137105f in luaV_execute(lua_State*, int) ../../rts/lib/lua/src/lvm.cpp:613
    7 0x134c984 in luaD_call(lua_State*, lua_TValue*, int) ../../rts/lib/lua/src/ldo.cpp:378
    8 0x1349ff4 in luaD_rawrunprotected(lua_State*, void (*)(lua_State*, void*), void*) ../../rts/lib/lua/src/ldo.cpp:116
    9 0x134ce61 in luaD_pcall(lua_State*, void (*)(lua_State*, void*), void*, long, long) ../../rts/lib/lua/src/ldo.cpp:464
    10 0x133f228 in lua_pcall(lua_State*, int, int, int) ../../rts/lib/lua/src/lapi.cpp:833
    11 0x7bd245 in ScopedLuaCall ../../rts/Lua/LuaHandle.cpp:297
    12 0x7bd245 in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const*, int, int, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, bool) ../../rts/Lua/LuaHandle.cpp:368
    13 0x7be12b in CLuaHandle::RunCallInTraceback(lua_State*, LuaHashString const&, int, int, int, bool) ../../rts/Lua/LuaHandle.cpp:378
    14 0x7cb6c2 in CLuaHandle::GameStart() ../../rts/Lua/LuaHandle.cpp:552
    15 0xc57b5f in CEventHandler::GameStart() ../../rts/System/EventHandler.cpp:417
    16 0x52b5c9 in CGame::StartPlaying() ../../rts/Game/Game.cpp:1421
    17 0x789eef in CGame::ClientReadNet() ../../rts/Net/NetCommands.cpp:285
    18 0x53f0ae in CGame::Update() ../../rts/Game/Game.cpp:957
    19 0xd03099 in SpringApp::Update() ../../rts/System/SpringApp.cpp:960
    20 0xd0d79f in SpringApp::Run() ../../rts/System/SpringApp.cpp:996
    21 0xca047b in Run(int, char**) ../../rts/System/Main.cpp:48
    22 0x7f90abd0aa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ../../rts/Sim/Units/Scripts/UnitScript.cpp:484 CUnitScript::MoveNow(int, int, float)
Shadow bytes around the buggy address:
  0x0c2a80063be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80063bf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80063c00: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c2a80063c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80063c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a80063c30: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c2a80063c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80063c50: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c2a80063c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80063c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80063c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==20103==ABORTING
Tags: No tags attached.
Checked infolog.txt for Errors:
Attached Files:


Notes

Note 0015516, hokomoko (developer):

Fix e8eca5c7049cd03a44f7d0802055e2f51a04d75e committed to develop branch: Fix 0005034, repo: spring changeset id: 6260
Issue History
Date Modified Username Field Change
2016-01-14 02:56 abma New Issue
2016-01-14 02:56 abma Severity minor => crash
2016-01-14 02:56 abma Product Version => 100.0+git
2016-01-14 02:56 abma Target Version => 101.0
2016-01-14 02:56 abma Summary use after free in rts/Sim/Units/Scripts/UnitScript.cpp:484 => use after free in rts/Sim/Units/Scripts/UnitScript.cpp:484 / crash at exit
2016-01-14 03:25 hokomoko Assigned To => hokomoko
2016-01-14 03:25 hokomoko Status new => assigned
2016-01-14 12:45 hokomoko Changeset attached => spring develop e8eca5c7
2016-01-14 12:45 hokomoko Note Added: 0015516
2016-01-14 12:45 hokomoko Status assigned => resolved
2016-01-14 12:45 hokomoko Resolution open => fixed