View Issue Details

ID: 0003035
Project: FSSCP
Category: (none)
View Status: public
Last Update: 2014-04-24 16:23
Reporter: Echelon9
Assigned To: Echelon9
Priority: urgent
Severity: block
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.7.1
Target Version: 3.7.2
Fixed in Version: 3.7.2
Summary: 0003035: AddressSanitizer: double-free in interp_configure_vertex_buffers() of memory contained in buffer_data object
Description:
Double free of the index memory within the buffer_data object.

Caused by the call model->buffer.tex_buf.push_back( new_buffer ) at modelinterp.cpp:4365: once the container reaches sufficient size, the push_back forces a resize of the SCP_vector<buffer_data> tex_buf, and the elements are copy-constructed into the new storage.

At present buffer_data has neither:

1. a copy-constructor, nor
2. an assignment operator,

whilst it directly manages memory allocated with new.
Additional Information:
==11442==ERROR: AddressSanitizer: attempting double-free on 0x6150000f5800 in thread T0:
    #0 0x105671577 in wrap_free _asan_rtl_
    #1 0x1026eeaa5 in _vm_free stubs.cpp:692
    #2 0x1000069d3 in operator delete[] fsmemory.cpp:35
    #3 0x1014ea751 in buffer_data::release 2d.h:164
    #4 0x1014ed43b in buffer_data::~buffer_data 2d.h:189
    #5 0x1014ed29b in buffer_data::~buffer_data 2d.h:188
    #6 0x1014ed0f3 in SCP_vm_allocator<buffer_data>::destroy vmallocator.h:57
    #7 0x1014ec26d in void std::_Destroy<buffer_data*, SCP_vm_allocator<buffer_data> > stl_construct.h:174
    #8 0x101589525 in std::vector<buffer_data, SCP_vm_allocator<buffer_data> >::_M_insert_aux vector.tcc:293
    #9 0x10158005b in std::vector<buffer_data, SCP_vm_allocator<buffer_data> >::push_back stl_vector.h:608
    #10 0x10157806f in interp_configure_vertex_buffers modelinterp.cpp:4365
    #11 0x10144c081 in create_vertex_buffer modelread.cpp:826
    #12 0x10147ffd0 in model_load modelread.cpp:2565
    #13 0x101098106 in techroom_select_new_entry techmenu.cpp:332
    #14 0x1010a3a03 in techroom_change_tab techmenu.cpp:921
    #15 0x1010a7f93 in techroom_init techmenu.cpp:1170
    #16 0x100176274 in game_enter_state freespace.cpp:6323
    #17 0x1007b2888 in gameseq_set_state gamesequence.cpp:284
    #18 0x10016e861 in game_process_event freespace.cpp:5185
    #19 0x1007b422f in gameseq_process_events gamesequence.cpp:399
    #20 0x10017db34 in game_main freespace.cpp:7142
    #21 0x10017f1f8 in SDL_main freespace.cpp:7276
    #22 0x1000026c4 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #23 0x7fff8c596e0b in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #24 0x7fff8c48a8dc in _CFXNotificationPost (in CoreFoundation) + 2892
    #25 0x7fff917f07b9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #26 0x7fff8d107cf8 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #27 0x7fff8d107a2b in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #28 0x7fff8d104915 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #29 0x7fff8d10436a in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #30 0x7fff9180ef09 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #31 0x7fff9180ed7c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #32 0x7fff85692e1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #33 0x7fff85692c31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #34 0x7fff85692b35 in aeProcessAppleEvent (in AE) + 314
    #35 0x7fff8f51e160 in AEProcessAppleEvent (in HIToolbox) + 55
    #36 0x7fff8d100245 in _DPSNextEvent (in AppKit) + 1025
    #37 0x7fff8d0ffa2a in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #38 0x7fff8d0f3b2b in -[NSApplication run] (in AppKit) + 552
    #39 0x100004665 in CustomApplicationMain SDLMain.m:227
    #40 0x100004195 in main SDLMain.m:377
    #41 0x100001393 in start (in FS2_Open 3.7.1 (debug)) + 51
    #42 0x0 in 0x0

0x6150000f5800 is located 0 bytes inside of 468-byte region [0x6150000f5800,0x6150000f59d4)
freed by thread T0 here:
    #0 0x105671577 in wrap_free _asan_rtl_
    #1 0x1026eeaa5 in _vm_free stubs.cpp:692
    #2 0x1000069d3 in operator delete[] fsmemory.cpp:35
    #3 0x1014ea751 in buffer_data::release 2d.h:164
    #4 0x1014ed43b in buffer_data::~buffer_data 2d.h:189
    #5 0x1014ed29b in buffer_data::~buffer_data 2d.h:188
    #6 0x101578081 in interp_configure_vertex_buffers modelinterp.cpp:4366
    #7 0x10144c081 in create_vertex_buffer modelread.cpp:826
    #8 0x10147ffd0 in model_load modelread.cpp:2565
    #9 0x101098106 in techroom_select_new_entry techmenu.cpp:332
    #10 0x1010a3a03 in techroom_change_tab techmenu.cpp:921
    #11 0x1010a7f93 in techroom_init techmenu.cpp:1170
    #12 0x100176274 in game_enter_state freespace.cpp:6323
    #13 0x1007b2888 in gameseq_set_state gamesequence.cpp:284
    #14 0x10016e861 in game_process_event freespace.cpp:5185
    #15 0x1007b422f in gameseq_process_events gamesequence.cpp:399
    #16 0x10017db34 in game_main freespace.cpp:7142
    #17 0x10017f1f8 in SDL_main freespace.cpp:7276
    #18 0x1000026c4 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #19 0x7fff8c596e0b in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #20 0x7fff8c48a8dc in _CFXNotificationPost (in CoreFoundation) + 2892
    #21 0x7fff917f07b9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #22 0x7fff8d107cf8 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #23 0x7fff8d107a2b in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #24 0x7fff8d104915 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #25 0x7fff8d10436a in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #26 0x7fff9180ef09 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #27 0x7fff9180ed7c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #28 0x7fff85692e1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #29 0x7fff85692c31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30

previously allocated by thread T0 here:
    #0 0x1056713de in wrap_malloc _asan_rtl_
    #1 0x1026ecba5 in _vm_malloc stubs.cpp:574
    #2 0x10000735f in operator new[] fsmemory.cpp:51
    #3 0x10159ae31 in buffer_data::buffer_data 2d.h:184
    #4 0x10157f198 in buffer_data::buffer_data 2d.h:185
    #5 0x10157734f in interp_configure_vertex_buffers modelinterp.cpp:4335
    #6 0x10144c081 in create_vertex_buffer modelread.cpp:826
    #7 0x10147ffd0 in model_load modelread.cpp:2565
    #8 0x101098106 in techroom_select_new_entry techmenu.cpp:332
    #9 0x1010a3a03 in techroom_change_tab techmenu.cpp:921
    #10 0x1010a7f93 in techroom_init techmenu.cpp:1170
    #11 0x100176274 in game_enter_state freespace.cpp:6323
    #12 0x1007b2888 in gameseq_set_state gamesequence.cpp:284
    #13 0x10016e861 in game_process_event freespace.cpp:5185
    #14 0x1007b422f in gameseq_process_events gamesequence.cpp:399
    #15 0x10017db34 in game_main freespace.cpp:7142
    #16 0x10017f1f8 in SDL_main freespace.cpp:7276
    #17 0x1000026c4 in -[SDLMain applicationDidFinishLaunching:] SDLMain.m:300
    #18 0x7fff8c596e0b in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #19 0x7fff8c48a8dc in _CFXNotificationPost (in CoreFoundation) + 2892
    #20 0x7fff917f07b9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #21 0x7fff8d107cf8 in -[NSApplication _postDidFinishNotification] (in AppKit) + 288
    #22 0x7fff8d107a2b in -[NSApplication _sendFinishLaunchingNotification] (in AppKit) + 194
    #23 0x7fff8d104915 in -[NSApplication(NSAppleEventHandling) _handleAEOpenEvent:] (in AppKit) + 569
    #24 0x7fff8d10436a in -[NSApplication(NSAppleEventHandling) _handleCoreEvent:withReplyEvent:] (in AppKit) + 241
    #25 0x7fff9180ef09 in -[NSAppleEventManager dispatchRawAppleEvent:withRawReply:handlerRefCon:] (in Foundation) + 293
    #26 0x7fff9180ed7c in _NSAppleEventManagerGenericHandler (in Foundation) + 105
    #27 0x7fff85692e1e in aeDispatchAppleEvent(AEDesc const*, AEDesc*, unsigned int, unsigned char*) (in AE) + 380
    #28 0x7fff85692c31 in dispatchEventAndSendReply(AEDesc const*, AEDesc*) (in AE) + 30
    #29 0x7fff85692b35 in aeProcessAppleEvent (in AE) + 314

SUMMARY: AddressSanitizer: double-free ??:0 ??
==11442==ABORTING
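The description pins the bug on buffer_data releasing heap memory in its destructor while relying on the compiler-generated copy operations (the Rule of Three that the first note links to), and the two ASan stacks agree: the first free comes from a buffer_data destructor run directly in interp_configure_vertex_buffers at modelinterp.cpp:4366 (the local handed to push_back going out of scope), the second from push_back's reallocation destroying the old elements at modelinterp.cpp:4365. The C++ below is an added example, not FreeSpace Open code: a minimal stand-in for the broken buffer_data beside a Rule of Three-compliant version, both pushed through a growing std::vector the way the report describes. The allocation registry (tracked_new, tracked_delete, g_live, g_quarantine), the audit struct and the exercise_* functions are constructed for this example; they only mimic AddressSanitizer's bookkeeping so that the second free is counted instead of crashing the process. The noexcept move constructor in the fixed class goes beyond what a 2014-era Rule of Three fix needed and is marked as such.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <utility>
#include <vector>

// Registry standing in for AddressSanitizer's bookkeeping (constructed for this example):
// freed blocks are quarantined rather than returned to the heap, so a second free of the
// same block is detected and counted instead of executed.
static std::set<const std::uint16_t*> g_live;     // blocks currently owned
static std::vector<std::uint16_t*> g_quarantine;  // freed, held back so addresses are not reused
static int g_double_frees = 0;

static std::uint16_t* tracked_new(std::size_t n) {
    std::uint16_t* p = new std::uint16_t[n];
    g_live.insert(p);
    return p;
}
static void tracked_delete(std::uint16_t* p) {
    if (p == nullptr) return;
    if (g_live.erase(p) == 0) { ++g_double_frees; return; }  // not owned any more: the double free
    g_quarantine.push_back(p);
}
static void tracked_reset() {
    for (std::uint16_t* p : g_quarantine) delete[] p;
    g_quarantine.clear(); g_live.clear(); g_double_frees = 0;
}

// BROKEN: the destructor releases the block, but with no copy constructor or copy assignment
// the compiler-generated ones copy the raw pointer, so the local and the copy inside the
// vector both "own" the same allocation.
struct broken_buffer_data {
    std::size_t n;
    std::uint16_t* index;
    broken_buffer_data(std::size_t count, std::uint16_t fill) : n(count), index(tracked_new(count)) {
        std::fill(index, index + n, fill);
    }
    ~broken_buffer_data() { tracked_delete(index); }
    const std::uint16_t* data() const { return index; }
};

// FIXED (Rule of Three): copying deep-copies, assignment is copy-and-swap so the old block is
// released exactly once. The noexcept move constructor is an addition beyond the 2014 fix; it
// lets std::vector move instead of copy during reallocation.
class buffer_data {
public:
    buffer_data(std::size_t count, std::uint16_t fill) : n_(count), index_(tracked_new(count)) {
        std::fill(index_, index_ + n_, fill);
    }
    buffer_data(const buffer_data& o) : n_(o.n_), index_(tracked_new(o.n_)) {
        std::copy(o.index_, o.index_ + n_, index_);
    }
    buffer_data(buffer_data&& o) noexcept : n_(0), index_(nullptr) { swap(*this, o); }
    buffer_data& operator=(buffer_data o) noexcept { swap(*this, o); return *this; }
    ~buffer_data() { tracked_delete(index_); }
    friend void swap(buffer_data& a, buffer_data& b) noexcept {
        std::swap(a.n_, b.n_);
        std::swap(a.index_, b.index_);
    }
    const std::uint16_t* data() const { return index_; }
private:
    std::size_t n_;
    std::uint16_t* index_;
};

struct audit { int double_frees; std::size_t leaked; bool data_intact; };

// Mirrors the reported pattern: build a local, push_back a copy, let the local die. No reserve(),
// so growth reallocates, copying/moving the elements and destroying the old ones.
template <class T>
static audit exercise(std::size_t pushes) {
    tracked_reset();
    audit a = {0, 0, true};
    {
        std::vector<T> tex_buf;
        for (std::size_t i = 0; i < pushes; ++i) {
            T new_buffer(4, static_cast<std::uint16_t>(i));
            tex_buf.push_back(new_buffer);
        }  // new_buffer is destroyed here: first release of its block
        for (std::size_t i = 0; i < tex_buf.size() && a.data_intact; ++i) {
            const std::uint16_t* p = tex_buf[i].data();
            // dereference only blocks the registry still considers owned
            a.data_intact = g_live.count(p) == 1 && p[0] == static_cast<std::uint16_t>(i);
        }
    }  // tex_buf is destroyed here: releases every element's block (a second time for the broken type)
    a.double_frees = g_double_frees;
    a.leaked = g_live.size();
    return a;
}
audit exercise_broken(std::size_t pushes) { return exercise<broken_buffer_data>(pushes); }
audit exercise_fixed(std::size_t pushes) { return exercise<buffer_data>(pushes); }

int main() {
    audit b = exercise_broken(8), f = exercise_fixed(8);
    std::printf("broken: double_frees=%d leaked=%zu intact=%d\n", b.double_frees, b.leaked, static_cast<int>(b.data_intact));
    std::printf("fixed:  double_frees=%d leaked=%zu intact=%d\n", f.double_frees, f.leaked, static_cast<int>(f.data_intact));
}
```

The broken type reports a positive double-free count and elements whose blocks the registry no longer considers owned (every one of them is dangling after the first reallocation); the fixed type reports zero double frees, zero leaks and intact data. Compiled with -fsanitize=address and the registry removed, the broken type aborts with the same "attempting double-free" report shown above, which is the quickest regression check for any further class in the code base that owns memory through its destructor alone.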
Tags: No tags attached.

Activities

Echelon9

2014-04-24 16:20

developer   ~0015708

Refer:

https://stackoverflow.com/questions/4172722/what-is-the-rule-of-three

Echelon9

2014-04-24 16:23

developer   ~0015709

Fixed in r10592.

This is a critical fix if r10581 is included in the code base.

Issue History

Date Modified Username Field Change
2014-04-24 14:57 Echelon9 New Issue
2014-04-24 14:57 Echelon9 Status new => assigned
2014-04-24 14:57 Echelon9 Assigned To => Echelon9
2014-04-24 16:20 Echelon9 Note Added: 0015708
2014-04-24 16:23 Echelon9 Note Added: 0015709
2014-04-24 16:23 Echelon9 Status assigned => resolved
2014-04-24 16:23 Echelon9 Fixed in Version => 3.7.2
2014-04-24 16:23 Echelon9 Resolution open => fixed