Issue687

Title: ASAN: sanitize address crash if bot placed within wall and without near waypoint.
Priority: important    Status: open
Assigned To:           Keywords:
Linked issues:         Watchers:

Submitted on 2013-09-12 00h51 by matthiaskrgr, last changed by matthiaskrgr.

Messages
Author: matthiaskrgr Date: 2013-09-12   00h51
Place a droid in tutorial inside wall, playtest => boom.

Tux looks stuck...ESCAPING just for this frame...

Found robot that seems really stuck on position: 23.823231/32.761005/37.
More details on this robot:  Type=4.
Short Description=296 Sawmill.
Private Pathway[0]: 23.823231/32.761005.
Private Pathway[1]:
-1.000000/-1.000000.=================================================================
==13828== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x605200006364 at pc 0x49c1eb bp 0x7fffcec15be0 sp 0x7fffcec15bd8
READ of size 4 at 0x605200006364 thread T0
    #0 0x49c1ea (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x49c1ea)
    #1 0x49d5a4 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x49d5a4)
    #2 0x4a82a0 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4a82a0)
    #3 0x4ae729 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4ae729)
    #4 0x5049f7 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x5049f7)
    #5 0x5174b7 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x5174b7)
    #6 0x5104e3 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x5104e3)
    #7 0x504a64 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x504a64)
    #8 0x415ca4 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x415ca4)
    #9 0x7fa9821f0bc4 (/usr/lib/libc-2.18.so+0x21bc4)
    #10 0x41644c (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41644c)
0x605200006364 is located 28 bytes to the left of 1984-byte region
[0x605200006380,0x605200006b40)
allocated by thread T0 here:
    #0 0x7fa983ca769f (/usr/lib/libasan.so.0.0.0+0x1569f)
    #1 0x43af0c (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x43af0c)
    #2 0x45ebb0 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x45ebb0)
    #3 0x468d90 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x468d90)
    #4 0x41e16c (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41e16c)
    #5 0x41bd83 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41bd83)
    #6 0x41e252 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41e252)
    #7 0x415c84 (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x415c84)
    #8 0x7fa9821f0bc4 (/usr/lib/libc-2.18.so+0x21bc4)
Shadow bytes around the buggy address:
  0x0c0abfff8c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0abfff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0abfff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0abfff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0abfff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0abfff8c60: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c0abfff8c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0abfff8c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0abfff8c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0abfff8ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0abfff8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==13828== ABORTING

 addr2line -e ./src/freedroidRPG 0x49c1ea 0x49d5a4 0x4a82a0 0x4ae729 0x5049f7
0x5174b7 0x5104e3 0x504a64 0x415ca4 0x43af0c 0x45ebb0 0x468d90 0x41e16c 0x41bd83
0x41e252 0x415c84 
/home/matthias/vcs/git/freedroid/src/enemy.c:1204
/home/matthias/vcs/git/freedroid/src/enemy.c:1379
/home/matthias/vcs/git/freedroid/src/enemy.c:2039
/home/matthias/vcs/git/freedroid/src/main.c:109
/home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:251
/home/matthias/vcs/git/freedroid/src/lvledit/lvledit_menu.c:1089
/home/matthias/vcs/git/freedroid/src/lvledit/lvledit_input.c:193
/home/matthias/vcs/git/freedroid/src/lvledit/lvledit.c:281
/home/matthias/vcs/git/freedroid/src/main.c:185
/home/matthias/vcs/git/freedroid/src/dynarray.c:66
/home/matthias/vcs/git/freedroid/src/map.c:861
/home/matthias/vcs/git/freedroid/src/init.c:880
/home/matthias/vcs/git/freedroid/src/menu.c:797
/home/matthias/vcs/git/freedroid/src/menu.c:735
/home/matthias/vcs/git/freedroid/src/menu.c:764
/home/matthias/vcs/git/freedroid/src/main.c:175


@ 52fe5c8cd46b121dfbeb5356097f06d404f0e590
Author: Xenux Date: 2013-09-26   19h32
I don't think it's an important bug since it's something wrong at start.
Author: matthiaskrgr Date: 2013-09-26   19h44
Well the game crashes (with this compile flag) which imo should not happen. :P
Author: salimiles Date: 2013-11-21   07h30
Hum, does this normally crash?

If so, we should try to make the escape mechanism more robust, so we don't get
as many crashes.

If it doesn't normally crash, then this shouldn't be listed as "important" IMHO.
Author: matthiaskrgr Date: 2013-11-21   08h20
No, it doesn't normally crash.

You have to compile with " ./configure --enable-sanitize-address " to make it
crash (also needs some up-to-date gcc version).

I think it was ahuillet (or fluzz?) who said that ASAN crashes should be marked
as important.
I think it should remain marked an important.
Author: matthiaskrgr Date: 2013-11-21   08h36
From the gcc website:
"AddressSanitizer , a fast memory error detector, has been added and can be
enabled via -fsanitize=address. Memory access instructions will be instrumented
to detect heap-, stack-, and global-buffer overflow as well as use-after-free
bugs. To get nicer stacktraces, use -fno-omit-frame-pointer. The
AddressSanitizer is available on IA-32/x86-64/x32/PowerPC/PowerPC64 GNU/Linux
and on x86-64 Darwin."
Author: matthiaskrgr Date: 2014-08-15   23h56
update trace:

Found robot that seems really stuck on position: 41.325642/42.310719/8.
More details on this robot:  Type=8.
Short Description=476 Coward.
Private Pathway[0]: 41.325642/42.310719.
Private Pathway[1]:
-1.000000/-1.000000.=================================================================
==898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250003868e4
at pc 0x4b8e80 bp 0x7fff5aa221b0 sp 0x7fff5aa221a0
READ of size 4 at 0x6250003868e4 thread T0
    #0 0x4b8e7f in enemy_handle_stuck_in_walls
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4b8e7f)
    #1 0x4ba13c in state_machine_inconditional_updates
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4ba13c)
    #2 0x4be496 in update_enemy
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4be496)
    #3 0x4beff0 in move_enemies
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4beff0)
    #4 0x4cbbe1 in Game (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4cbbe1)
    #5 0x525add in TestMap
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x525add)
    #6 0x53e83b in DoLevelEditorMainMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x53e83b)
    #7 0x533a09 in leveleditor_process_input
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x533a09)
    #8 0x525bb3 in LevelEditor
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x525bb3)
    #9 0x4c9b39 in input_key
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4c9b39)
    #10 0x4cb7af in input_key_event
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4cb7af)
    #11 0x4cb8b1 in input_key_press
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4cb8b1)
    #12 0x4c63cc in input_handle
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4c63cc)
    #13 0x4cbb89 in Game
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4cbb89)
    #14 0x525add in TestMap
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x525add)
    #15 0x53e83b in DoLevelEditorMainMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x53e83b)
    #16 0x533a09 in leveleditor_process_input
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x533a09)
    #17 0x525bb3 in LevelEditor
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x525bb3)
    #18 0x4cbf1f in main
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4cbf1f)
    #19 0x7f59fbc65fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)
    #20 0x4162db (/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4162db)

0x6250003868e4 is located 28 bytes to the left of 8128-byte region
[0x625000386900,0x6250003888c0)
allocated by thread T0 here:
    #0 0x7f59fd776e56 in __interceptor_realloc (/usr/lib/libasan.so.1+0x57e56)
    #1 0x442dce in dynarray_resize
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x442dce)
    #2 0x443000 in dynarray_add
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x443000)
    #3 0x46ac8b in decode_waypoints
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x46ac8b)
    #4 0x46bfac in decode_level
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x46bfac)
    #5 0x46ca85 in LoadShip
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x46ca85)
    #6 0x478c1a in prepare_level_editor
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x478c1a)
    #7 0x41a241 in Startup_handle
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41a241)
    #8 0x419e5a in RunSubMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x419e5a)
    #9 0x41a122 in RunMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41a122)
    #10 0x41a137 in StartupMenu
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x41a137)
    #11 0x4cbeb7 in main
(/home/matthias/vcs/git/freedroid/src/freedroidRPG+0x4cbeb7)
    #12 0x7f59fbc65fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 enemy_handle_stuck_in_walls
Shadow bytes around the buggy address:
  0x0c4a80068cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80068cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80068ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80068cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80068d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80068d10: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c4a80068d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80068d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80068d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80068d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80068d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==898==ABORTING
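Added example, not FreedroidRPG's code: a simplified model of the pattern the second trace points at. The report says a 4-byte READ landed 28 bytes to the left of a region that dynarray_resize allocated while decode_waypoints was running, and the game's own log shows the bot's second pathway entry as -1.000000/-1.000000, i.e. no waypoint was found near the wall position. A read just before the start of a heap array is what indexing it with -1 produces, so the reconstruction below uses a "nearest waypoint" search that returns -1 as its not-found sentinel, shows the unchecked use of that value beside a checked one, and keeps a constructed two-waypoint level for testing. All names (waypoint, find_nearest_waypoint, escape_unchecked, escape_checked, sample_escape) and the struct layout are assumptions; whether the real enemy_handle_stuck_in_walls looks like this is not established by the trace.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical waypoint record; not the game's own struct. */
typedef struct {
    float x, y;
} waypoint;

/* Constructed sample level: two waypoints, neither of them close to the
 * "stuck in a wall" position used in main() and in the checks below. */
static const waypoint sample_waypoints[] = { {10.0f, 10.0f}, {40.0f, 40.0f} };
#define SAMPLE_WAYPOINT_COUNT (sizeof sample_waypoints / sizeof sample_waypoints[0])

/* Index of the closest waypoint within max_dist of (x, y), or -1 when none
 * qualifies. A bot placed inside a wall far from every waypoint gets -1,
 * matching the "-1.000000/-1.000000" pathway entry in the bug report. */
int find_nearest_waypoint(const waypoint *wps, size_t count,
                          float x, float y, float max_dist)
{
    int best = -1;
    float best_d2 = max_dist * max_dist;
    for (size_t i = 0; i < count; i++) {
        float dx = wps[i].x - x, dy = wps[i].y - y;
        float d2 = dx * dx + dy * dy;
        if (d2 < best_d2) {
            best_d2 = d2;
            best = (int)i;
        }
    }
    return best;
}

/* Defective pattern: the -1 sentinel is used as an array index. When wps is a
 * heap allocation, wps[-1].x reads sizeof(waypoint) bytes before the region;
 * built with -fsanitize=address that is reported as a heap-buffer-overflow READ
 * of size 4 located to the left of the region, the shape of the trace above.
 * Kept only for comparison; nothing here calls it. */
void escape_unchecked(const waypoint *wps, size_t count,
                      float x, float y, float max_dist, float *tx, float *ty)
{
    int idx = find_nearest_waypoint(wps, count, x, y, max_dist);
    *tx = wps[idx].x;   /* idx may be -1: out-of-bounds read */
    *ty = wps[idx].y;
}

/* Hardened form: the sentinel (and any index past the end) means "no escape
 * route"; report that to the caller instead of dereferencing. Returns 1 when a
 * target was written, 0 when the bot has no reachable waypoint. */
int escape_checked(const waypoint *wps, size_t count,
                   float x, float y, float max_dist, float *tx, float *ty)
{
    int idx = find_nearest_waypoint(wps, count, x, y, max_dist);
    if (idx < 0 || (size_t)idx >= count)
        return 0;
    *tx = wps[idx].x;
    *ty = wps[idx].y;
    return 1;
}

/* Runs the checked escape against the constructed sample level. */
int sample_escape(float x, float y, float *tx, float *ty)
{
    return escape_checked(sample_waypoints, SAMPLE_WAYPOINT_COUNT,
                          x, y, 5.0f, tx, ty);
}

int main(void)
{
    float tx = 0.0f, ty = 0.0f;
    /* Bot wedged in a wall with no waypoint within 5 units: no route. */
    if (!sample_escape(23.8f, 32.7f, &tx, &ty))
        printf("bot at 23.8/32.7: no nearby waypoint, escape skipped\n");
    /* Bot next to the second waypoint: route found. */
    if (sample_escape(41.3f, 42.3f, &tx, &ty))
        printf("bot at 41.3/42.3: escaping towards %.1f/%.1f\n", tx, ty);
    return 0;
}
```

The checked variant is the one a fix would need; whatever the caller then does for a bot with no route (leave it in place, log it, teleport it to a spawn point) is a design decision, but it must not index the waypoint array with the sentinel.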
History
Date                 User          Action  Args
2014-08-15 23:56:53  matthiaskrgr  set     messages: + msg2873
2014-08-15 23:34:51  matthiaskrgr  set     title: sanitize address crash if bot placed within wall and without near waypoint. -> ASAN: sanitize address crash if bot placed within wall and without near waypoint.
2013-11-21 08:37:00  matthiaskrgr  set     messages: + msg2636
2013-11-21 08:20:35  matthiaskrgr  set     messages: + msg2634
2013-11-21 07:30:28  salimiles     set     messages: + msg2633
2013-09-26 19:44:10  matthiaskrgr  set     messages: + msg2569
2013-09-26 19:32:06  Xenux         set     messages: + msg2567
2013-09-12 00:51:37  matthiaskrgr  create