| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0005556 | Spring engine | General | public | 2017-05-14 18:14 | 2017-05-14 23:13 | ||||
| Reporter | abma | ||||||||
| Assigned To | Kloot | ||||||||
| Priority | normal | Severity | crash | Reproducibility | have not tried | ||||
| Status | resolved | Resolution | duplicate | ||||||
| Product Version | 103.0 +git | ||||||||
| Target Version | 104.0 | Fixed in Version | 103.0 +git | ||||||
| Summary | 0005556: heap overflow in testgame | ||||||||
| Description | ================================================================= ==4733==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060007c0b18 at pc 0xe181b7 bp 0x7ffefbb46670 sp 0x7ffefbb46668 READ of size 8 at 0x6060007c0b18 thread T0 (spring-main) #0 0xe181b6 in CObject::~CObject() rts/System/Object.cpp:62 #1 0xc6dbb7 in CWorldObject::~CWorldObject() rts/Sim/Objects/WorldObject.h:34 #2 0x130f695 in CSolidObject::~CSolidObject() rts/Sim/Objects/SolidObject.h:100 0000003 0x15c229c in CUnit::~CUnit() rts/Sim/Units/Unit.cpp:208 0000004 0x163541d in CBuilding::~CBuilding() rts/Sim/Units/UnitTypes/Building.h:17 0000005 0x131e9ec in void spring::SafeDestruct<AMoveType>(AMoveType*&) rts/System/SafeUtil.h:10 #6 0x161b9bc in void SimObjectMemPool<3808ul>::free<CUnit>(CUnit*&) rts/Sim/Misc/SimObjectMemPool.h:53 #7 0x1617dac in CUnitHandler::DeleteUnitNow(CUnit*) rts/Sim/Units/UnitHandler.cpp:209 #8 0x16178b3 in CUnitHandler::DeleteUnitsNow() rts/Sim/Units/UnitHandler.cpp:179 #9 0x1618361 in CUnitHandler::Update() rts/Sim/Units/UnitHandler.cpp:242 0000010 0x6403dc in CGame::SimFrame() rts/Game/Game.cpp:1561 #11 0x883c0f in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511 0000012 0x639d50 in CGame::Update() rts/Game/Game.cpp:1049 0000013 0xe3b90d in SpringApp::Update() rts/System/SpringApp.cpp:857 0000014 0xe3bb1c in SpringApp::Run() rts/System/SpringApp.cpp:888 #15 0xe06f19 in Run(int, char**) rts/System/Main.cpp:46 #16 0xe07304 in main rts/System/Main.cpp:95 #17 0x7f19c7b91b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) #18 0x5e2406 (/mnt/tmp/home/dev/spring/develop/spring+0x5e2406) 0x6060007c0b18 is located 24 bytes to the right of 64-byte region [0x6060007c0ac0,0x6060007c0b00) allocated by thread T0 (spring-main) here: #0 0x7f19cb86c73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) #1 0xc435df in emilib::HashMap<int, unsigned long, spring::synced_hash<int>, emilib::HashMapEqualTo<int> >::reserve(unsigned long) rts/System/SpringHashMap.hpp:484 #2 0xc43107 in emilib::HashMap<int, unsigned long, spring::synced_hash<int>, emilib::HashMapEqualTo<int> >::check_expand_need() rts/System/SpringHashMap.hpp:532 0000003 0xc421dc in emilib::HashMap<int, unsigned long, spring::synced_hash<int>, emilib::HashMapEqualTo<int> >::operator[](int const&) rts/System/SpringHashMap.hpp:417 0000004 0xe19cf5 in CObject::GetListeners(DependenceType) rts/System/Object.h:90 0000005 0xe18b76 in CObject::AddDeathDependence(CObject*, DependenceType) rts/System/Object.cpp:174 #6 0x1633014 in CBuilder::StartBuild(BuildInfo&, CFeature*&, bool&) rts/Sim/Units/UnitTypes/Builder.cpp:704 #7 0x1533e65 in CBuilderCAI::ExecuteBuildCmd(Command&) rts/Sim/Units/CommandAI/BuilderCAI.cpp:667 #8 0x15328b6 in CBuilderCAI::SlowUpdate() rts/Sim/Units/CommandAI/BuilderCAI.cpp:532 #9 0x1552be4 in CCommandAI::FinishCommand() rts/Sim/Units/CommandAI/CommandAI.cpp:1598 0000010 0x1574bd8 in CMobileCAI::FinishCommand() rts/Sim/Units/CommandAI/MobileCAI.cpp:1019 #11 0x1532cb0 in CBuilderCAI::FinishCommand() rts/Sim/Units/CommandAI/BuilderCAI.cpp:561 0000012 0x154f516 in CCommandAI::ExecuteRemove(Command const&) rts/Sim/Units/CommandAI/CommandAI.cpp:1200 0000013 0x15524c2 in CCommandAI::DependentDied(CObject*) rts/Sim/Units/CommandAI/CommandAI.cpp:1553 0000014 0xe182b6 in CObject::~CObject() rts/System/Object.cpp:63 #15 0xc6dbb7 in CWorldObject::~CWorldObject() rts/Sim/Objects/WorldObject.h:34 #16 0x130f695 in CSolidObject::~CSolidObject() rts/Sim/Objects/SolidObject.h:100 #17 0x15c229c in CUnit::~CUnit() rts/Sim/Units/Unit.cpp:208 #18 0x163541d in CBuilding::~CBuilding() rts/Sim/Units/UnitTypes/Building.h:17 #19 0x131e9ec in void spring::SafeDestruct<AMoveType>(AMoveType*&) rts/System/SafeUtil.h:10 0000020 0x161b9bc in void SimObjectMemPool<3808ul>::free<CUnit>(CUnit*&) rts/Sim/Misc/SimObjectMemPool.h:53 #21 0x1617dac in CUnitHandler::DeleteUnitNow(CUnit*) rts/Sim/Units/UnitHandler.cpp:209 #22 0x16178b3 in CUnitHandler::DeleteUnitsNow() rts/Sim/Units/UnitHandler.cpp:179 #23 0x1618361 in CUnitHandler::Update() rts/Sim/Units/UnitHandler.cpp:242 0000024 0x6403dc in CGame::SimFrame() rts/Game/Game.cpp:1561 #25 0x883c0f in CGame::ClientReadNet() rts/Net/NetCommands.cpp:511 0000026 0x639d50 in CGame::Update() rts/Game/Game.cpp:1049 0000027 0xe3b90d in SpringApp::Update() rts/System/SpringApp.cpp:857 #28 0xe3bb1c in SpringApp::Run() rts/System/SpringApp.cpp:888 0000029 0xe06f19 in Run(int, char**) rts/System/Main.cpp:46 SUMMARY: AddressSanitizer: heap-buffer-overflow rts/System/Object.cpp:62 CObject::~CObject() Shadow bytes around the buggy address: 0x0c0c800f0110: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd 0x0c0c800f0120: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c800f0130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c800f0140: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 0x0c0c800f0150: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 =>0x0c0c800f0160: fa fa fa[fa]fd fd fd fd fd fd fd fa fa fa fa fa 0x0c0c800f0170: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 0x0c0c800f0180: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 0x0c0c800f0190: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa 0x0c0c800f01a0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd 0x0c0c800f01b0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==4733==ABORTING | ||||||||
| Additional Information | sorry, no demo file | ||||||||
| Tags | No tags attached. | ||||||||
| Checked infolog.txt for Errors | |||||||||
| Attached Files |
| ||||||||
 Relationships |
|||||||||||
|
|||||||||||
 Relationships |
| Notes |
|
| There are no notes attached to this issue. |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-05-14 18:14 | abma | New Issue | |
| 2017-05-14 18:32 | Kloot | Relationship added | duplicate of 0005548 |
| 2017-05-14 18:38 | Kloot | Assigned To | => Kloot |
| 2017-05-14 18:38 | Kloot | Status | new => assigned |
| 2017-05-14 19:44 | Kloot | Status | assigned => resolved |
| 2017-05-14 19:44 | Kloot | Resolution | open => duplicate |
| 2017-05-14 19:44 | Kloot | Fixed in Version | => 103.0 +git |
| 2017-05-14 23:13 | abma | Relationship added | related to 0005558 |
| Issue History |