The International Simutrans Forum


Author Topic: [r9754] Crash when stepping year in network mode


Offline ceeac

  • Devotee
  • *
  • Posts: 248
[r9754] Crash when stepping year in network mode
« on: May 05, 2021, 09:51:10 AM »
Steps to reproduce:
  • Start a server with a map with lots of trees (the likeliness of the bug happening increases with the number of trees)
  • Connect to server with client
  • On the client, switch to the public player and click the "step year" button multiple times
Result on the server:
Code:
==5069==ERROR: AddressSanitizer: heap-use-after-free on address 0x603001bfa690 at pc 0x55ae16fbbf75 bp 0x7fff078c2e00 sp 0x7fff078c2df0
READ of size 8 at 0x603001bfa690 thread T0
    #0 0x55ae16fbbf74 in objlist_t::check_season(bool) dataobj/objlist.cc:1361
    #1 0x55ae18783145 in karte_t::step() /home/ceeac/Projects/code/simutrans/simworld.cc:4191
    #2 0x55ae18785cad in karte_t::interactive(unsigned int) /home/ceeac/Projects/code/simutrans/simworld.cc:7370
    #3 0x55ae184f5414 in simu_main(int, char**) /home/ceeac/Projects/code/simutrans/simmain.cc:1588
    #4 0x55ae18974882 in sysmain(int, char**) sys/simsys.cc:1125
    #5 0x7f1cda62e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x55ae16d81c7d in _start (/media/ceeac/Projects/code/simutrans/build/client/sim+0x2d08c7d)

0x603001bfa690 is located 0 bytes inside of 24-byte region [0x603001bfa690,0x603001bfa6a8)
freed by thread T0 here:
    #0 0x7f1cdb845a37 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb2a37)
    #1 0x55ae16fbbbd3 in objlist_t::check_season(bool) dataobj/objlist.cc:1361

previously allocated by thread T0 here:
    #0 0x7f1cdb844f17 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb1f17)
    #1 0x55ae16ef8439 in boden_t::boden_t(loadsave_t*, koord) boden/boden.cc:33

The bug might also happen in single player, but I could not reproduce it there.

Offline Dwachs

  • DevTeam, Coder/patcher
  • Administrator
  • *
  • Posts: 4869
  • Languages: EN, DE, AT
Re: [r9754] Crash when stepping year in network mode
« Reply #1 on: May 05, 2021, 02:57:53 PM »
It could be the following flow of steps:
- objlist_t::check_season puts a dying tree into the to_remove list
- another tree on this tile spawns some saplings, some of them land on the same tile
- now the dying tree has a higher index than before and is processed by objlist_t::check_season again -> double free
It seems to have nothing to do with networking (?)

Maybe this can be provoked by setting sx=sy=0 in tree_builder_t::spawn_tree_near
« Last Edit: May 05, 2021, 03:08:34 PM by Dwachs »

Offline Dwachs

  • DevTeam, Coder/patcher
  • Administrator
  • *
  • Posts: 4869
  • Languages: EN, DE, AT
Re: [r9754] Crash when stepping year in network mode
« Reply #2 on: May 05, 2021, 05:29:55 PM »
Should be fixed with r9757.