[r11479] Crash when rotating map

Started by ceeac, December 17, 2024, 03:38:19 PM


ceeac

=================================================================
==73060==ERROR: AddressSanitizer: SEGV on unknown address 0x570637a5a5c8 (pc 0x5706350afd1e bp 0x7ffe83be9f10 sp 0x7ffe83be9db0 T0)
==73060==The signal is caused by a WRITE memory access.
AddressSanitizer:DEADLYSIGNAL
/home/ceeac/code/simutrans/src/simutrans/builder/../obj/../tpl/freelist_tpl.h:120:19: runtime error: member access within misaligned address 0x570635ff452c for type 'struct nodelist_node_t', which requires 8 byte alignment
0x570635ff452c: note: pointer points here
  00 5d c3 90 55 48 89 e5  53 48 83 ec 18 48 89 7d  e8 48 8d 05 78 60 a6 01  48 8d 50 10 48 83 f8 f0
              ^
/home/ceeac/code/simutrans/src/simutrans/builder/../obj/../tpl/freelist_tpl.h:140:31: runtime error: member access within misaligned address 0x570635ff452c for type 'struct nodelist_node_t', which requires 8 byte alignment
0x570635ff452c: note: pointer points here
  00 5d c3 90 55 48 89 e5  53 48 83 ec 18 48 89 7d  e8 48 8d 05 78 60 a6 01  48 8d 50 10 48 83 f8 f0
              ^
AddressSanitizer:DEADLYSIGNAL
/home/ceeac/code/simutrans/src/simutrans/dataobj/objlist.cc:633:17: runtime error: store to misaligned address 0x570635ff452c for type 'struct obj_t *', which requires 8 byte alignment
0x570635ff452c: note: pointer points here
  00 5d c3 90 55 48 89 e5  53 48 83 ec 18 48 89 7d  e8 48 8d 05 78 60 a6 01  48 8d 50 10 48 83 f8 f0
              ^
AddressSanitizer:DEADLYSIGNAL
    #0 0x5706350afd1e in objlist_t::rotate90_moving() /home/ceeac/code/simutrans/src/simutrans/dataobj/objlist.cc:633
    #1 0x57063533c007 in grund_t::rotate90() /home/ceeac/code/simutrans/src/simutrans/ground/grund.cc:506
    #2 0x570636acd8aa in karte_t::rotate90_plans(short, short, short, short) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:2299
    #3 0x570636a99992 in karte_t::world_xy_loop_thread(void*) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:183
    #4 0x570636a9b794 in karte_t::world_xy_loop(void (karte_t::*)(short, short, short, short), unsigned char) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:258
    #5 0x570636acff35 in karte_t::rotate90() /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:2378
    #6 0x57063685f7db in tool_rotate90_t::init(player_t*) /home/ceeac/code/simutrans/src/simutrans/tool/simtool.cc:7379
    #7 0x570636acb47c in karte_t::local_set_tool(tool_t*, player_t*) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:2242
    #8 0x570636aca74e in karte_t::set_tool_api(tool_t*, player_t*, bool&) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:2219
    #9 0x5706354a889c in karte_t::set_tool(tool_t*, player_t*) /home/ceeac/code/simutrans/src/simutrans/world/../world/simworld.h:935
    #10 0x570635dbaddc in tool_selector_t::infowin_event(event_t const*) /home/ceeac/code/simutrans/src/simutrans/gui/tool_selector.cc:214
    #11 0x570635d59c7a in check_pos_win(event_t*, bool) /home/ceeac/code/simutrans/src/simutrans/gui/simwin.cc:1559
    #12 0x5706366b4503 in interaction_t::process_event(event_t&) /home/ceeac/code/simutrans/src/simutrans/siminteraction.cc:308
    #13 0x5706366b6275 in interaction_t::check_events() /home/ceeac/code/simutrans/src/simutrans/siminteraction.cc:400
    #14 0x570636ad69bb in karte_t::sync_step(unsigned int) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:2676
    #15 0x5706366b6eb7 in interrupt_check(char const*) /home/ceeac/code/simutrans/src/simutrans/simintr.cc:114
    #16 0x570636ae5b00 in karte_t::step() /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:3256
    #17 0x570636b2b573 in karte_t::interactive(unsigned int) /home/ceeac/code/simutrans/src/simutrans/world/simworld.cc:6307
    #18 0x5706366dd635 in simu_main(int, char**) /home/ceeac/code/simutrans/src/simutrans/simmain.cc:1693
    #19 0x570636702d20 in sysmain(int, char**) /home/ceeac/code/simutrans/src/simutrans/sys/simsys.cc:1471
    #20 0x570636de6543 in main /home/ceeac/code/simutrans/src/simutrans/sys/simsys_s2.cc:1191
    #21 0x704ad3234e07  (/usr/lib/libc.so.6+0x25e07) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
    #22 0x704ad3234ecb in __libc_start_main (/usr/lib/libc.so.6+0x25ecb) (BuildId: 98b3d8e0b8c534c769cb871c438b4f8f3a8e4bf3)
    #23 0x570634efac84 in _start (/home/ceeac/code/simutrans/build/linux-asan/simutrans/simutrans+0x3b96c84) (BuildId: 67912ff4263877608fb50e27ff26c7de399fc1a5)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ceeac/code/simutrans/src/simutrans/dataobj/objlist.cc:633 in objlist_t::rotate90_moving()
==73060==ABORTING

To reproduce, compile and link with -fsanitize=address, load the save from here, then rotate the map.

EDIT: Seems to be related to r11449.

prissi

Some error was the missing multithreading protection. But something in rotation writes beyond the end of the list, as some nodes are overwritten. I fixed the debug code, but could not find the culprit. Using just malloc for objectlist also crashes after freeing. But then, ASAN only detects writing beyond the next 256 border.

prissi

I think it is related to this routine being multithreaded and somewhat accessing the freelist twice while rotate90_moving is executed despite mutex. Because all crashes go away if I use an array on the heap (which should be faster anyway).

Also the many insert operations do not look so fast ... but then, there are only few objects on most tiles.
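As an added example (not Simutrans' freelist_tpl.h and not code from either poster), here is a small mutex-guarded node freelist of the kind the thread discusses, plus a multithreaded stress check of the two properties at issue: every node handed out is 8-byte aligned (the property the sanitizer reports as violated in the trace above), and no node is ever owned by two threads at once (what unprotected concurrent access to the list head produces). The names freelist_t, hammer and is_aligned are invented for this example.

```cpp
// Added example, not Simutrans code: a node freelist in the spirit of
// freelist_tpl.h, shared by worker threads the way world_xy_loop's threads
// share one allocator. hammer() checks the two properties this thread is
// about: nodes stay 8-byte aligned, and no node is owned by two threads at once.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>
struct nodelist_node_t { nodelist_node_t *next; };   // intrusive link, 8-byte aligned on x86-64
class freelist_t {
    std::vector<nodelist_node_t> pool_;   // one contiguous chunk of nodes
    nodelist_node_t *head_ = nullptr;
    std::mutex m_;                        // guards head_ and the links between nodes
public:
    explicit freelist_t(std::size_t n) : pool_(n) { for (auto &nd : pool_) { nd.next = head_; head_ = &nd; } }
    nodelist_node_t *alloc() {
        std::lock_guard<std::mutex> lk(m_);   // without this, two threads can pop the same node
        nodelist_node_t *n = head_;
        if (n) head_ = n->next;
        return n;
    }
    void release(nodelist_node_t *n) {
        std::lock_guard<std::mutex> lk(m_); n->next = head_; head_ = n;   // push back
    }
    std::size_t index_of(const nodelist_node_t *n) const { return n - pool_.data(); }
};
// The check behind the sanitizer's "misaligned address ... requires 8 byte alignment".
bool is_aligned(const void *p, std::size_t align) {
    return reinterpret_cast<std::uintptr_t>(p) % align == 0;
}
// true when every node handed out was aligned and never held by two threads at once
bool hammer(std::size_t threads, std::size_t iters) {
    freelist_t fl(threads * 2);
    std::vector<std::atomic<int>> busy(threads * 2);   // 1 while a worker holds that node
    std::atomic<bool> ok{true};
    auto worker = [&] {
        for (std::size_t i = 0; i < iters && ok; ++i) {
            nodelist_node_t *nd = fl.alloc();
            if (!nd || !is_aligned(nd, alignof(nodelist_node_t))) { ok = false; return; }
            if (busy[fl.index_of(nd)].fetch_add(1) != 0) ok = false;   // double allocation
            busy[fl.index_of(nd)].fetch_sub(1);
            fl.release(nd);
        }
    };
    std::vector<std::thread> ts;
    for (std::size_t t = 0; t < threads; ++t) ts.emplace_back(worker);
    for (auto &t : ts) t.join();
    return ok;
}
```

Removing the lock_guard in alloc() and release() turns hammer() into the race the thread describes, though a failing result is then timing-dependent rather than guaranteed.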