View Issue Details

| Field | Value |
|---|---|
| ID | 0005763 |
| Project | Spring engine |
| Category | General |
| View Status | public |
| Date Submitted | 2017-09-16 11:57 |
| Last Update | 2017-09-16 12:36 |
| Reporter | abma |
| Assigned To | Kloot |
| Priority | normal |
| Severity | crash |
| Reproducibility | have not tried |
| Status | resolved |
| Resolution | fixed |
| Product Version | 103.0 +git |
| Target Version | 104.0 |
| Fixed in Version | |
| Summary | 0005763: buffer overflow in rts/ExternalAI/AICallback.cpp:1268 |


Description:

```text
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
=================================================================
==7260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060006bb5bc at pc 0x000000fb5045 bp 0x7ffc5ff1a310 sp 0x7ffc5ff1a300
WRITE of size 4 at 0x6060006bb5bc thread T0 (spring-main)
    #0 0xfb5044 in CAICallback::GetFeatures(int*, int, float3 const&, float) ../../rts/ExternalAI/AICallback.cpp:1268
    #1 0x1013cba in skirmishAiCallback_getFeaturesIn ../../rts/ExternalAI/SSkirmishAICallbackImpl.cpp:4388
    #2 0x7f74edc2cbbf in springLegacyAI::CAIAICallback::GetFeatures(int*, int, float3 const&, float) ../../AI/Wrappers/LegacyCpp/AIAICallback.cpp:1130
    #3 0x7f74edb2a4ea in cBuilder::UpdateKnownFeatures(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:1362
    #4 0x7f74edb225ea in cBuilder::UBuilderIdle(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:897
    #5 0x7f74edb42739 in cUnitManager::UnitIdle(int, UnitInfo*) ../../AI/Skirmish/RAI/UnitManager.cpp:115
    #6 0x7f74edbaffd9 in cRAI::UnitIdle(int) ../../AI/Skirmish/RAI/RAI.cpp:534
    #7 0x7f74edc09f0e in springLegacyAI::CAIUnitIdleEvent::Run(springLegacyAI::IGlobalAI&, springLegacyAI::IGlobalAICallback*) (/tmp/spring/tests/usr/local/share/games/spring/AI/Skirmish/RAI/0.601/libSkirmishAI.so+0x15af0e)
    #8 0x7f74edc0676e in springLegacyAI::CAIAI::handleEvent(int, void const*) ../../AI/Wrappers/LegacyCpp/AIAI.cpp:150
    #9 0x7f74edbf6963 in handleEvent ../../AI/Skirmish/RAI/AIExport.cpp:100
    #10 0x1043bce in CSkirmishAILibrary::HandleEvent(int, int, void const*) const ../../rts/ExternalAI/SkirmishAILibrary.cpp:94
    #11 0x104e5aa in CSkirmishAIWrapper::HandleEvent(int, void const*) const ../../rts/ExternalAI/SkirmishAIWrapper.cpp:467
    #12 0x104c6bb in CSkirmishAIWrapper::UnitIdle(int) ../../rts/ExternalAI/SkirmishAIWrapper.cpp:315
    #13 0xfe18cb in CEngineOutHandler::UnitIdle(CUnit const&) ../../rts/ExternalAI/EngineOutHandler.cpp:229
    #14 0x12e3362 in CCommandAI::FinishCommand() ../../rts/Sim/Units/CommandAI/CommandAI.cpp:1605
    #15 0x1307561 in CMobileCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:1019
    #16 0x12c2372 in CBuilderCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:559
    #17 0x13064c7 in CMobileCAI::StopMoveAndFinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:955
    #18 0x12c2ce3 in CBuilderCAI::ExecuteBuildCmd(Command&) ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:620
    #19 0x12c1f64 in CBuilderCAI::SlowUpdate() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:530
    #20 0x1364d61 in CUnit::SlowUpdate() ../../rts/Sim/Units/Unit.cpp:1096
    #21 0x13c7ce5 in CBuilder::SlowUpdate() ../../rts/Sim/Units/UnitTypes/Builder.cpp:552
    #22 0x13b2c0f in CUnitHandler::Update() ../../rts/Sim/Units/UnitHandler.cpp:314
    #23 0x6466f1 in CGame::SimFrame() ../../rts/Game/Game.cpp:1590
    #24 0x8be457 in CGame::ClientReadNet() ../../rts/Net/NetCommands.cpp:510
    #25 0x63fc99 in CGame::Update() ../../rts/Game/Game.cpp:1060
    #26 0xec4e03 in SpringApp::Update() ../../rts/System/SpringApp.cpp:853
    #27 0xec512c in SpringApp::Run() ../../rts/System/SpringApp.cpp:887
    #28 0xe8a20e in Run(int, char**) ../../rts/System/Main.cpp:43
    #29 0xe8a2cc in main ../../rts/System/Main.cpp:92
    #30 0x7f75132e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x5da898 in _start (/tmp/spring/tests/usr/local/bin/spring-headless+0x5da898)

0x6060006bb5bc is located 0 bytes to the right of 60-byte region [0x6060006bb580,0x6060006bb5bc)
allocated by thread T0 (spring-main) here:
    #0 0x7f75150b06b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7f74edb2a328 in cBuilder::UpdateKnownFeatures(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:1361
    #2 0x7f74edb225ea in cBuilder::UBuilderIdle(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:897
    #3 0x7f74edb42739 in cUnitManager::UnitIdle(int, UnitInfo*) ../../AI/Skirmish/RAI/UnitManager.cpp:115
    #4 0x7f74edbaffd9 in cRAI::UnitIdle(int) ../../AI/Skirmish/RAI/RAI.cpp:534
    #5 0x7f74edc09f0e in springLegacyAI::CAIUnitIdleEvent::Run(springLegacyAI::IGlobalAI&, springLegacyAI::IGlobalAICallback*) (/tmp/spring/tests/usr/local/share/games/spring/AI/Skirmish/RAI/0.601/libSkirmishAI.so+0x15af0e)
    #6 0x7f74edc0676e in springLegacyAI::CAIAI::handleEvent(int, void const*) ../../AI/Wrappers/LegacyCpp/AIAI.cpp:150
    #7 0x7f74edbf6963 in handleEvent ../../AI/Skirmish/RAI/AIExport.cpp:100
    #8 0x1043bce in CSkirmishAILibrary::HandleEvent(int, int, void const*) const ../../rts/ExternalAI/SkirmishAILibrary.cpp:94
    #9 0x104e5aa in CSkirmishAIWrapper::HandleEvent(int, void const*) const ../../rts/ExternalAI/SkirmishAIWrapper.cpp:467
    #10 0x104c6bb in CSkirmishAIWrapper::UnitIdle(int) ../../rts/ExternalAI/SkirmishAIWrapper.cpp:315
    #11 0xfe18cb in CEngineOutHandler::UnitIdle(CUnit const&) ../../rts/ExternalAI/EngineOutHandler.cpp:229
    #12 0x12e3362 in CCommandAI::FinishCommand() ../../rts/Sim/Units/CommandAI/CommandAI.cpp:1605
    #13 0x1307561 in CMobileCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:1019
    #14 0x12c2372 in CBuilderCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:559
    #15 0x13064c7 in CMobileCAI::StopMoveAndFinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:955
    #16 0x12c2ce3 in CBuilderCAI::ExecuteBuildCmd(Command&) ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:620
    #17 0x12c1f64 in CBuilderCAI::SlowUpdate() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:530
    #18 0x1364d61 in CUnit::SlowUpdate() ../../rts/Sim/Units/Unit.cpp:1096
    #19 0x13c7ce5 in CBuilder::SlowUpdate() ../../rts/Sim/Units/UnitTypes/Builder.cpp:552
    #20 0x13b2c0f in CUnitHandler::Update() ../../rts/Sim/Units/UnitHandler.cpp:314
    #21 0x6466f1 in CGame::SimFrame() ../../rts/Game/Game.cpp:1590
    #22 0x8be457 in CGame::ClientReadNet() ../../rts/Net/NetCommands.cpp:510
    #23 0x63fc99 in CGame::Update() ../../rts/Game/Game.cpp:1060
    #24 0xec4e03 in SpringApp::Update() ../../rts/System/SpringApp.cpp:853
    #25 0xec512c in SpringApp::Run() ../../rts/System/SpringApp.cpp:887
    #26 0xe8a20e in Run(int, char**) ../../rts/System/Main.cpp:43
    #27 0xe8a2cc in main ../../rts/System/Main.cpp:92
    #28 0x7f75132e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../rts/ExternalAI/AICallback.cpp:1268 CAICallback::GetFeatures(int*, int, float3 const&, float)
Shadow bytes around the buggy address:
  0x0c0c800cf660: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800cf670: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800cf680: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c800cf690: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800cf6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c800cf6b0: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x0c0c800cf6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800cf6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800cf6e0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c0c800cf6f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 04
  0x0c0c800cf700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==7260==ABORTING
```

| Field | Value |
|---|---|
| Additional Information | http://buildbot.springrts.com/builders/validationtests/builds/5519/steps/validation%20test_4/logs/stdio |
| Tags | No tags attached. |
| Checked infolog.txt for Errors | |
| Attached Files | |

Notes

Kloot (developer) 2017-09-16 12:36

Fix 9837521394f44a40edccdd5c6b727d66c2ef537e committed to develop branch:

fix 0005763 after 13517d8e7b7654a0178c8904896251b64bb03d9d#diff-5f8d61f00d2ba54bf017a831c6336272L1259
also fix unchecked maxFeatureIDs argument in CAICallback::GetFeatures/2

repo: spring
changeset id: 8771
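The note above names the defect class: an out-parameter API that accepts a capacity (`maxFeatureIDs`) but never enforces it, so the AI's 60-byte `new[]` (15 ints) takes a 16th write. The following is an added illustration, not Spring's code: `float3`, `Feature`, the world vector, `MakeSampleWorld` and both function names are constructed stand-ins with the same signature shape as `GetFeatures`, showing the overflowing shape beside a bounded version.

```cpp
#include <vector>

// Stand-ins for engine types (assumptions, not Spring's own definitions).
struct float3 { float x, y, z; };
struct Feature { int id; float3 pos; };

static float Dist2(const float3& a, const float3& b) {
    const float dx = a.x - b.x, dy = a.y - b.y, dz = a.z - b.z;
    return dx * dx + dy * dy + dz * dz;
}

// Shape of the bug: maxFeatureIDs is accepted but never consulted, so a
// 15-int buffer (the 60-byte new[] in the ASan report) receives a 16th id
// as soon as 16 features are in range. Kept only for contrast; it must
// never be called with a buffer smaller than the number of matches.
int GetFeaturesUnchecked(const std::vector<Feature>& world, int* featureIds,
                         int /*maxFeatureIDs*/, const float3& pos, float radius) {
    int n = 0;
    for (const Feature& f : world)
        if (Dist2(f.pos, pos) <= radius * radius)
            featureIds[n++] = f.id;  // unbounded write into caller memory
    return n;
}

// Bounded version: writes at most maxFeatureIDs ids and returns how many
// were written. A null featureIds array switches to "count only" mode so
// the caller can size its buffer before issuing the real query.
int GetFeaturesBounded(const std::vector<Feature>& world, int* featureIds,
                       int maxFeatureIDs, const float3& pos, float radius) {
    const bool countOnly = (featureIds == nullptr);
    int n = 0;
    for (const Feature& f : world) {
        if (Dist2(f.pos, pos) > radius * radius) continue;
        if (countOnly) { ++n; continue; }
        if (n >= maxFeatureIDs) break;  // buffer full (also covers max <= 0): stop, never overflow
        featureIds[n++] = f.id;
    }
    return n;
}

// Constructed sample world: feature i sits at x = i with id 1000 + i.
std::vector<Feature> MakeSampleWorld(int count) {
    std::vector<Feature> world;
    for (int i = 0; i < count; ++i)
        world.push_back(Feature{1000 + i, float3{static_cast<float>(i), 0.0f, 0.0f}});
    return world;
}
```

Built with `-fsanitize=address`, the unchecked version called with a 15-int buffer and 16 in-range features produces the same "WRITE of size 4 ... 0 bytes to the right of 60-byte region" report as the one in the description.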

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-09-16 11:57 | abma | New Issue | |
| 2017-09-16 12:36 | Kloot | Changeset attached | => spring develop 98375213 |
| 2017-09-16 12:36 | Kloot | Note Added: 0018398 | |
| 2017-09-16 12:36 | Kloot | Assigned To | => Kloot |
| 2017-09-16 12:36 | Kloot | Status | new => resolved |
| 2017-09-16 12:36 | Kloot | Resolution | open => fixed |