Issue727

Title: asan crash: editor: add, move obstacle, press z (undo) twice
Priority: critical
Status: resolved
Assigned To: fluzz
Keywords:
Linked issues:
Watchers: fluzz

Submitted on 2014-02-19 12h04 by matthiaskrgr, last changed by fluzz.

Messages
Author: matthiaskrgr Date: 2014-02-19   12h04
open editor, add a new obstacle to the map, select and move the obstacle a bit,
press z twice in order to remove the obstacle again => crash:

INFO: AddressSanitizer ignores mlock/mlockall/munlock/munlockall
=================================================================
==18809== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60a4000147d8 at pc 0x539a8d bp 0x7fffd9177120 sp 0x7fffd9177118
READ of size 8 at 0x60a4000147d8 thread T0
    #0 0x539a8c (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x539a8c)
    #1 0x4fa6f1 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4fa6f1)
    #2 0x5073d9 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x5073d9)
    #3 0x417a64 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x417a64)
    #4 0x7f695a16fb04 (/usr/lib/libc-2.19.so+0x21b04)
    #5 0x41828b (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41828b)
0x60a4000147d8 is located 40 bytes to the left of 73728-byte region
[0x60a400014800,0x60a400026800)
allocated by thread T0 here:
    #0 0x7f695b9f04f5 (/usr/lib/libasan.so.0.0.0+0x154f5)
    #1 0x43b3ea (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x43b3ea)
    #2 0x4697d6 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4697d6)
    #3 0x46b90c (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x46b90c)
    #4 0x417987 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x417987)
    #5 0x7f695a16fb04 (/usr/lib/libc-2.19.so+0x21b04)
Shadow bytes around the buggy address:
  0x0c14ffffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffa8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c14ffffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c14ffffa8f0: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c14ffffa900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c14ffffa910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c14ffffa920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c14ffffa930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c14ffffa940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==18809== ABORTING


addr2line -e src/freedroidRPG 0x539a8c 0x4fa6f1 0x5073d9 0x417a64 0x41828b
0x43b3ea 0x4697d6 0x46b90c 0x417987
/home/matthias/vcs/git/freedroid/src/lvledit/lvledit_widgets.c:317
/home/matthias/vcs/git/freedroid/src/widgets/widget_group.c:225
/home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:282
/home/matthias/vcs/git/freedroid/src/main.c:216
??:?
/home/matthias/vcs/git/freedroid/src/dynarray.c:37
/home/matthias/vcs/git/freedroid/src/init.c:607
/home/matthias/vcs/git/freedroid/src/init.c:1153
/home/matthias/vcs/git/freedroid/src/main.c:180


@ 2bba87846dac758a754362f8d56c4a02b0df4b82
Author: matthiaskrgr Date: 2014-02-19   14h15
Note, this also makes the game crash without ASAN!!
Author: matthiaskrgr Date: 2014-02-19   14h28
I think the problem is that we try to delete (by pressing undo) a _selected_
obstacle.
Author: matthiaskrgr Date: 2014-02-19   23h09
Ok, apparently this is quite an old bug, funny that we never noticed this before...
I was not able to find the revision that introduced this but I still had it in
919bf6ac0d211fa6a7a6cffa09adfcdb9863f584
Date:   Sun Jun 9 21:20:21 2013 +0200
    map: level 12: disable infinite running.

the bug seems not to be present in a made-compile version of 0.15.1 though
(0.15.1 + some commits added which were intended to make some 0.15.2 release at
some point).
Author: jesusalva Date: 2014-02-24   19h51
Strange... I couldn't reproduce...
If it presented a SIGSEGV or SIGFPE, try applying RR 2002.

perror() will give you a human-readable string, giving you a better idea of the issue.

Again, I couldn't reproduce... :(
Author: matthiaskrgr Date: 2014-02-24   20h13
Note: it does NOT crash (not even with asan) when I select 2 obstacles and
z-remove them one by one.
Author: matthiaskrgr Date: 2014-02-24   20h52
[..]
21:43 <@ahuillet> oh yes, I know why
21:43 <@ahuillet> chest button requires *single* selection ;)
21:43 <@ahuillet> multiple selected items = we don't bother
21:43 <@ahuillet> but they're still selected under the hood
21:43 <@ahuillet> which probably leads to a crash later on, after two hours of
level editing
21:45 <@ahuillet> damn we have code to *add* an object to the selection but not
to remove it 
[..]
21:46 <@ahuillet> what it does is correct
21:46 <@ahuillet> it asks if there is a single item selected, and we answer yes
21:46 <@ahuillet> then it asks for its type, and we answer -1
21:46 <@ahuillet> and there, crash
21:46 <@ahuillet> (except when you're lucky with certain compilers and kernels)
21:46 <@ahuillet> and we answer -1 because the selected obstacle was deleted
21:46 <@ahuillet> so the correct thing to do is to write code to unselect a
single element
21:47 <@ahuillet> and make sure that the deletion functions always unselect an
element before removing it
[..]
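The stale-selection mechanism ahuillet walks through above, as an added example that is a constructed C model and not FreedroidRPG's own code (the obstacle table, the `selection` array, `single_selected_type` and `chest_button_label` are assumptions): the buggy delete leaves the deleted obstacle selected, so the single-selection check passes and the type query answers -1; the fixed delete unselects first, and the consumer's range check is what stops a -1 from becoming the out-of-bounds read in the ASan report.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the editor state the thread describes (not FreedroidRPG's code): an
 * obstacle table, a selection holding indices into it, and a "chest button" that asks for
 * the type of the single selected obstacle. */
#define MAX_OBSTACLES 8
#define NUM_OBSTACLE_TYPES 4

struct obstacle { int type; bool alive; };            /* alive == false: slot deleted by undo */
static struct obstacle level_obstacles[MAX_OBSTACLES];
static int obstacle_count = 0;
static const char *type_names[NUM_OBSTACLE_TYPES] = { "wall", "chest", "barrel", "door" };
static int selection[MAX_OBSTACLES];                  /* "still selected under the hood" */
static int selection_count = 0;

int add_obstacle(int type) {
    int idx = obstacle_count++;
    level_obstacles[idx] = (struct obstacle){ .type = type, .alive = true };
    return idx;
}

void select_obstacle(int idx) { selection[selection_count++] = idx; }

/* The routine the chat says was missing: drop one element from the selection. */
void unselect_obstacle(int idx) {
    for (int i = 0; i < selection_count; i++)
        if (selection[i] == idx) { selection[i] = selection[--selection_count]; return; }
}

/* Undo path as reported: removes the obstacle but leaves the selection pointing at it. */
void delete_obstacle_buggy(int idx) { level_obstacles[idx].alive = false; }

/* Fix proposed in the thread: always unselect an element before removing it. */
void delete_obstacle_fixed(int idx) { unselect_obstacle(idx); level_obstacles[idx].alive = false; }

/* "is there a single item selected?" -> yes; "what is its type?" -> -1 (the chat's crash path) */
int single_selected_type(void) {
    if (selection_count != 1) return -1;
    const struct obstacle *o = &level_obstacles[selection[0]];
    return o->alive ? o->type : -1;
}

/* The consumer. Indexing type_names[-1] is the out-of-bounds read ASan reported;
 * the range check makes the stale-selection case fail closed instead of crashing. */
const char *chest_button_label(void) {
    int type = single_selected_type();
    if (type < 0 || type >= NUM_OBSTACLE_TYPES) return NULL;
    return type_names[type];
}
```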
Author: fluzz Date: 2015-04-28   17h08
Seems to be the same bug as issue796
Author: fluzz Date: 2015-04-28   19h47
Indeed a duplicate of issue796, which is now fixed.
History
Date                 User           Action  Args
2015-04-28 19:47:05  fluzz          set     status: open -> resolved; messages: + msg3139
2015-04-28 17:08:45  fluzz          set     assignedto: fluzz; messages: + msg3136; nosy: + fluzz
2014-08-01 09:40:35  fluzz          set     priority: release-blocker -> critical
2014-08-01 09:40:20  fluzz          set     priority: critical -> release-blocker
2014-02-24 20:52:59  matthiaskrgr   set     messages: + msg2738
2014-02-24 20:13:41  matthiaskrgr   set     messages: + msg2737
2014-02-24 19:51:09  jesusalva      set     messages: + msg2736
2014-02-19 23:09:49  matthiaskrgr   set     messages: + msg2734
2014-02-19 14:28:55  matthiaskrgr   set     messages: + msg2732
2014-02-19 14:15:28  matthiaskrgr   set     priority: important -> critical; messages: + msg2731
2014-02-19 12:04:36  matthiaskrgr   create