View Issue Details

ID: 0002858
Project: FSSCP
Category:
View Status: public
Last Update: 2021-01-10 01:42
Reporter: Echelon9
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended
Product Version: 3.6.19
Target Version: 3.7.0
Summary: 0002858: AddressSanitizer: memcpy-param-overlap: memory ranges in triggered_rotation::add_queue()
Description

Reported by AddressSanitizer, a memory error detector for C/C++, in FS2Open builds based on trunk r9655.

ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x000129dbeb2c,0x000129dbf1f4) and [0x000129dbeba8, 0x000129dbf270) overlap
    #0 0x105a4b32c in wrap_memcpy (in libclang_rt.asan_osx_dynamic.dylib) + 588
    #1 0x1028c1f12 in triggered_rotation::add_queue modelanim.cpp:223
    #2 0x1028cbcc6 in model_anim_start_type modelanim.cpp:539
    #3 0x1028cc74c in model_anim_start_type modelanim.cpp:559
    #4 0x10231a24b in afterburners_start afterburner.cpp:131
    #5 0x100575ec1 in ai_chase_ga aicode.cpp:7146
    #6 0x10058eb81 in ai_chase aicode.cpp:8141
    #7 0x1005f9b4c in ai_execute_behavior aicode.cpp:12686
    #8 0x100613f6f in ai_frame aicode.cpp:13789
    #9 0x1006165c5 in ai_process aicode.cpp:13875
    #10 0x10210cf08 in ship_process_post ship.cpp:8418
    #11 0x101aa0b83 in obj_move_all_post object.cpp:1232
    #12 0x101aa4e91 in obj_move_all object.cpp:1454
    #13 0x1002f3fdc in game_simulation_frame freespace.cpp:4113
    #14 0x1002f8ce0 in game_frame freespace.cpp:4506
    #15 0x1002fe4fb in game_do_frame freespace.cpp:4917
    #16 0x10030a036 in game_do_state freespace.cpp:6593
    #17 0x100913538 in gameseq_process_events gamesequence.cpp:405
    #18 0x1003108c6 in game_main freespace.cpp:7160
    ...


void triggered_rotation::add_queue(queued_animation *the_queue, int dir)
{
    int i;
    queued_animation new_queue;

    memcpy( &new_queue, the_queue, sizeof(queued_animation) );
    ...
    memcpy(queue_tmp, queue, sizeof(queued_animation) * MAX_TRIGGERED_ANIMATIONS);
    ...
        if (i != n_queue) {
            // replace if it's not the last item on the list
            if ( i != (MAX_TRIGGERED_ANIMATIONS-1) )
                memcpy( &queue_tmp[i], &queue_tmp[i+1], sizeof(queued_animation) * (MAX_TRIGGERED_ANIMATIONS-(i+1)) ); <=== modelanim.cpp:223

            // ok these two animations cancelled each other out, so he doesn't get on the queue
            n_queue--;

            return;
        }
    ...
Steps To Reproduce

1. Utilise a version of Clang that supports AddressSanitizer (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer).
2. Build with the -fsanitize=address C/C++ flag.
3. Run the game with MediaVPs 3.6.12 and Blue Planet WiH2. Play through Icarus until a number of ships with rotating subsystems (e.g. Karunas) are on screen.
Additional Information

ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x000129dbeb2c,0x000129dbf1f4) and [0x000129dbeba8, 0x000129dbf270) overlap
    #0 0x105a4b32c in wrap_memcpy (in libclang_rt.asan_osx_dynamic.dylib) + 588
    #1 0x1028c1f12 in triggered_rotation::add_queue modelanim.cpp:223
    #2 0x1028cbcc6 in model_anim_start_type modelanim.cpp:539
    #3 0x1028cc74c in model_anim_start_type modelanim.cpp:559
    #4 0x10231a24b in afterburners_start afterburner.cpp:131
    #5 0x100575ec1 in ai_chase_ga aicode.cpp:7146
    #6 0x10058eb81 in ai_chase aicode.cpp:8141
    #7 0x1005f9b4c in ai_execute_behavior aicode.cpp:12686
    #8 0x100613f6f in ai_frame aicode.cpp:13789
    #9 0x1006165c5 in ai_process aicode.cpp:13875
    #10 0x10210cf08 in ship_process_post ship.cpp:8418
    #11 0x101aa0b83 in obj_move_all_post object.cpp:1232
    #12 0x101aa4e91 in obj_move_all object.cpp:1454
    #13 0x1002f3fdc in game_simulation_frame freespace.cpp:4113
    #14 0x1002f8ce0 in game_frame freespace.cpp:4506
    #15 0x1002fe4fb in game_do_frame freespace.cpp:4917
    #16 0x10030a036 in game_do_state freespace.cpp:6593
    #17 0x100913538 in gameseq_process_events gamesequence.cpp:405
    #18 0x1003108c6 in game_main freespace.cpp:7160
    #19 0x100311f64 in SDL_main freespace.cpp:7294
    #20 0x100003253 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #21 0x7fff8fc3bed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #22 0x7fff91ce9e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #23 0x7fff8c67e55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #24 0x7fff8c67e295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #25 0x7fff8c67b481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #26 0x7fff8c67b07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #27 0x7fff91d0370a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #28 0x7fff91d0356c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #29 0x7fff90c4b077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #30 0x7fff90c4aed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #31 0x7fff90c4ad98 in aeProcessAppleEvent (in AE) + 317
    #32 0x7fff8ec71708 in AEProcessAppleEvent (in HIToolbox) + 99
    #33 0x7fff8c677865 in _DPSNextEvent (in AppKit) + 1455
    #34 0x7fff8c676e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #35 0x7fff8c66e1d2 in -[NSApplication run] (in AppKit) + 516
    #36 0x1000053b2 in CustomApplicationMain SDLMain.m:227
    #37 0x100004e1f in main SDLMain.m:377
    #38 0x100001f73 in start (in FS2_Open (debug)) + 51
    #39 0x0 in 0x0
0x000129dbeb2c is located 176940 bytes inside of 995200-byte region [0x000129d93800,0x000129e86780)
allocated by thread T0 here:
    #0 0x105a4ee05 in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 53
    #1 0x102623768 in _vm_malloc stubs.cpp:571
    #2 0x1020bd2e9 in ship_allocate_subsystems ship.cpp:4457
    #3 0x1021bcb64 in ship_page_in ship.cpp:15442
    #4 0x100337ca8 in level_page_in levelpaging.cpp:39
    #5 0x1002c33ed in freespace_mission_load_stuff freespace.cpp:1344
    #6 0x1002c35ee in game_post_level_init freespace.cpp:1401
    #7 0x1002c46d8 in game_start_mission freespace.cpp:1466
    #8 0x100306824 in game_enter_state freespace.cpp:6049
    #9 0x100911b1d in gameseq_set_state gamesequence.cpp:280
    #10 0x100301500 in game_process_event freespace.cpp:5219
    #11 0x10091339e in gameseq_process_events gamesequence.cpp:395
    #12 0x1003108c6 in game_main freespace.cpp:7160
    #13 0x100311f64 in SDL_main freespace.cpp:7294
    #14 0x100003253 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #15 0x7fff8fc3bed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #16 0x7fff91ce9e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #17 0x7fff8c67e55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #18 0x7fff8c67e295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #19 0x7fff8c67b481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #20 0x7fff8c67b07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #21 0x7fff91d0370a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #22 0x7fff91d0356c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #23 0x7fff90c4b077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #24 0x7fff90c4aed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #25 0x7fff90c4ad98 in aeProcessAppleEvent (in AE) + 317
    #26 0x7fff8ec71708 in AEProcessAppleEvent (in HIToolbox) + 99
    #27 0x7fff8c677865 in _DPSNextEvent (in AppKit) + 1455
    #28 0x7fff8c676e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #29 0x7fff8c66e1d2 in -[NSApplication run] (in AppKit) + 516
0x000129dbeba8 is located 177064 bytes inside of 995200-byte region [0x000129d93800,0x000129e86780)
allocated by thread T0 here:
    #0 0x105a4ee05 in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 53
    #1 0x102623768 in _vm_malloc stubs.cpp:571
    #2 0x1020bd2e9 in ship_allocate_subsystems ship.cpp:4457
    #3 0x1021bcb64 in ship_page_in ship.cpp:15442
    #4 0x100337ca8 in level_page_in levelpaging.cpp:39
    #5 0x1002c33ed in freespace_mission_load_stuff freespace.cpp:1344
    #6 0x1002c35ee in game_post_level_init freespace.cpp:1401
    #7 0x1002c46d8 in game_start_mission freespace.cpp:1466
    #8 0x100306824 in game_enter_state freespace.cpp:6049
    #9 0x100911b1d in gameseq_set_state gamesequence.cpp:280
    #10 0x100301500 in game_process_event freespace.cpp:5219
    #11 0x10091339e in gameseq_process_events gamesequence.cpp:395
    #12 0x1003108c6 in game_main freespace.cpp:7160
    #13 0x100311f64 in SDL_main freespace.cpp:7294
    #14 0x100003253 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #15 0x7fff8fc3bed9 in _CFXNotificationPost (in CoreFoundation) + 2553
    #16 0x7fff91ce9e25 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 63
    #17 0x7fff8c67e55c in -[NSApplication _postDidFinishNotification] (in AppKit) + 291
    #18 0x7fff8c67e295 in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 215
    #19 0x7fff8c67b481 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 565
    #20 0x7fff8c67b07b in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 350
    #21 0x7fff91d0370a in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 307
    #22 0x7fff91d0356c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #23 0x7fff90c4b077 in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 306
    #24 0x7fff90c4aed8 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 36
    #25 0x7fff90c4ad98 in aeProcessAppleEvent (in AE) + 317
    #26 0x7fff8ec71708 in AEProcessAppleEvent (in HIToolbox) + 99
    #27 0x7fff8c677865 in _DPSNextEvent (in AppKit) + 1455
    #28 0x7fff8c676e21 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #29 0x7fff8c66e1d2 in -[NSApplication run] (in AppKit) + 516
==14669==ABORTING
Tags: No tags attached.

Activities

Echelon9

2013-04-29 10:58

developer   ~0014980

This looks to be caused by the engine's attempt at reimplementing a standard STL container incompletely.

Best bet here is to work out which algorithm is being attempted, and then refactor with proper STL and a proper clean implementation leveraging off the container where possible.
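The memcpy at modelanim.cpp:223 shifts the tail of queue_tmp down by one slot, so its source and destination share every byte but one element's worth whenever more than one element is moved, which is what the sanitizer objects to: the two ranges it printed start 0x7c (124) bytes apart, one queued_animation, and are 0x6c8 (1736) bytes long, a 14-element copy. The C++ below is an added example, not code from FS2Open or from the note above. It reimplements the overlap test ASan applies to memcpy, mirrors the flagged call's length arithmetic to show which indices overlap, and gives the two usual fixes: memmove on the same fixed array, and the std::vector::erase form the note argues for. The struct layout, the value of MAX_TRIGGERED_ANIMATIONS and the sample queue contents are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Constructed stand-ins for the engine's types. The real queued_animation is
// 124 bytes judging by the ASan addresses; this one is deliberately small.
constexpr int MAX_TRIGGERED_ANIMATIONS = 8;   // assumed value, not the engine's

struct queued_animation {
    int id;
    int dir;
};

// The check ASan's memcpy interceptor performs: memcpy is undefined when
// [dst, dst+n) and [src, src+n) share at least one byte.
bool ranges_overlap(const void* dst, const void* src, std::size_t n) {
    if (n == 0) return false;
    auto d = reinterpret_cast<std::uintptr_t>(dst);
    auto s = reinterpret_cast<std::uintptr_t>(src);
    return d < s + n && s < d + n;
}

// Mirrors the length arithmetic of the flagged call for index i and reports
// whether memcpy(&queue_tmp[i], &queue_tmp[i+1], ...) would overlap.
// Valid for 0 <= i <= MAX_TRIGGERED_ANIMATIONS - 2, as in the original guard.
bool page_idiom_overlaps(int i) {
    queued_animation queue_tmp[MAX_TRIGGERED_ANIMATIONS] = {};
    std::size_t n = sizeof(queued_animation) *
                    static_cast<std::size_t>(MAX_TRIGGERED_ANIMATIONS - (i + 1));
    return ranges_overlap(&queue_tmp[i], &queue_tmp[i + 1], n);
}

// Fix 1: keep the fixed array but use memmove, which is defined for
// overlapping ranges. Only the live tail [i+1, n_queue) is shifted.
// Returns the new element count.
int remove_at_memmove(queued_animation* queue, int n_queue, int i) {
    if (i < 0 || i >= n_queue) return n_queue;
    std::size_t tail = static_cast<std::size_t>(n_queue - (i + 1));
    if (tail > 0)
        std::memmove(&queue[i], &queue[i + 1], sizeof(queued_animation) * tail);
    return n_queue - 1;
}

// Fix 2: the container refactor suggested in the note; erase() does the
// shifting and the bounds bookkeeping.
void remove_at_vector(std::vector<queued_animation>& queue, int i) {
    if (i < 0 || static_cast<std::size_t>(i) >= queue.size()) return;
    queue.erase(queue.begin() + i);
}

// Collects the ids of the live entries, for inspection.
std::vector<int> ids_of(const queued_animation* queue, int n_queue) {
    std::vector<int> out;
    for (int k = 0; k < n_queue; ++k) out.push_back(queue[k].id);
    return out;
}

int main() {
    // Every index except the second-to-last produces an overlapping memcpy.
    for (int i = 0; i <= MAX_TRIGGERED_ANIMATIONS - 2; ++i)
        std::cout << "i=" << i << " overlaps: " << page_idiom_overlaps(i) << '\n';

    // Constructed queue with five live entries; drop the one at index 1.
    queued_animation q[MAX_TRIGGERED_ANIMATIONS] = {{0, 0}, {1, 0}, {2, 0}, {3, 0}, {4, 0}};
    int n = remove_at_memmove(q, 5, 1);
    for (int id : ids_of(q, n)) std::cout << id << ' ';
    std::cout << '\n';

    std::vector<queued_animation> v = {{0, 0}, {1, 0}, {2, 0}};
    remove_at_vector(v, 2);
    std::cout << "vector size after erase: " << v.size() << '\n';
    return 0;
}
```

memmove is the minimal change; it costs nothing over memcpy for small arrays and removes the undefined behaviour without touching the surrounding logic. The vector form also fixes a second weakness of the original idiom, which copies MAX_TRIGGERED_ANIMATIONS-(i+1) elements regardless of how many are actually live.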

MjnMixael

2021-01-10 01:42

manager   ~0017098

Migrated to GitHub.

Issue History

Date Modified Username Field Change
2013-04-29 10:57 Echelon9 New Issue
2013-04-29 10:58 Echelon9 Note Added: 0014980
2013-04-30 12:47 Echelon9 Assigned To => Echelon9
2013-04-30 12:47 Echelon9 Status new => assigned
2021-01-10 01:42 MjnMixael Assigned To Echelon9 =>
2021-01-10 01:42 MjnMixael Status assigned => closed
2021-01-10 01:42 MjnMixael Resolution open => suspended
2021-01-10 01:42 MjnMixael Note Added: 0017098