News:

The Forum Rules and Guidelines
Our forum has Rules and Guidelines. Please, be kind and read them ;).

[r9754] Crash when stepping year in network mode

Started by ceeac, May 05, 2021, 09:51:10 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

ceeac

May 05, 2021, 09:51:10 AM
Steps to reproduce:

  • Start a server with a map with lots of trees (the likeliness of the bug happening increases with the number of trees)
  • Connect to server with client
  • On the client, switch to the public player and click the "step year" button multiple times
Result on the server:
Code Select

==5069==ERROR: AddressSanitizer: heap-use-after-free on address 0x603001bfa690 at pc 0x55ae16fbbf75 bp 0x7fff078c2e00 sp 0x7fff078c2df0
READ of size 8 at 0x603001bfa690 thread T0
    #0 0x55ae16fbbf74 in objlist_t::check_season(bool) dataobj/objlist.cc:1361
    #1 0x55ae18783145 in karte_t::step() /home/ceeac/Projects/code/simutrans/simworld.cc:4191
    #2 0x55ae18785cad in karte_t::interactive(unsigned int) /home/ceeac/Projects/code/simutrans/simworld.cc:7370
    #3 0x55ae184f5414 in simu_main(int, char**) /home/ceeac/Projects/code/simutrans/simmain.cc:1588
    #4 0x55ae18974882 in sysmain(int, char**) sys/simsys.cc:1125
    #5 0x7f1cda62e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x55ae16d81c7d in _start (/media/ceeac/Projects/code/simutrans/build/client/sim+0x2d08c7d)

0x603001bfa690 is located 0 bytes inside of 24-byte region [0x603001bfa690,0x603001bfa6a8)
freed by thread T0 here:
    #0 0x7f1cdb845a37 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb2a37)
    #1 0x55ae16fbbbd3 in objlist_t::check_season(bool) dataobj/objlist.cc:1361

previously allocated by thread T0 here:
    #0 0x7f1cdb844f17 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb1f17)
    #1 0x55ae16ef8439 in boden_t::boden_t(loadsave_t*, koord) boden/boden.cc:33


The bug might also happen in single player, but I could not reproduce it there.

Dwachs

#1
May 05, 2021, 02:57:53 PM Last Edit: May 05, 2021, 03:08:34 PM by Dwachs
It could be the following flow of steps:
- objlist_t::check_season puts a dying tree into to_remove list
- another tree on this tile spawns some saplings, some of them land on the same tile
- now the dying tree has a higher index than before and is processed by objlist_t::check_season again -> double free
It seems to have noting to do with networking (?)

Maybe this can be provoked by setting sx=sy=0 in tree_builder_t::spawn_tree_near
Parsley, sage, rosemary, and maggikraut.

Dwachs

#2
May 05, 2021, 05:29:55 PM
should be fixed with r9757
Parsley, sage, rosemary, and maggikraut.
Print
Go Up Pages1
User actions