AddressSanitizer: heap-buffer-overflow in the BodyContainer
Running "yade --test" on a build compiled with AddressSanitizer (-fsanitize=address) detects a heap-buffer-overflow in the BodyContainer. The sanitized code lives in a shared library that is loaded by the unsanitized python3.7 interpreter, so the ASan runtime has to be preloaded for the run:
cmake -DCMAKE_INSTALL_PREFIX=./../inst -DSUFFIX=-asan -DCMAKE_CXX_FLAGS="-O1 -g -fsanitize=address -fno-omit-frame-pointer" -DENABLE_PFVFLOW=0 ../trunk/
LD_PRELOAD=/lib/x86_64-linux-gnu/libasan.so.5 ./../inst/bin/yade-asan --test
=====
Using python version: 3.7.3 (default, Apr 3 2019, 05:39:12)
[GCC 8.3.0]
testDummySomething (yade.tests.dummyTest.TestDummy) ... ok
testDummySomethingElse (yade.tests.dummyTest.TestDummy) ... ok
testMatrix3 (yade.TestEigenWrapper)
Math: Matrix3 operations ... ok
testQuaternion (yade.TestEigenWrapper)
Math: Quaternion operations ... ok
testVector2 (yade.TestEigenWrapper)
Math: Vector2 operations ... ok
testVector3 (yade.TestEigenWrapper)
Math: Vector3 operations ... ok
testClassCtors (yade.TestObjectInstantiation)
Core: correct types are instantiated ... ok
testDispatcherCtor (yade.TestObjectInstantiation)
Core: dispatcher ctors with functors ... ok
testHidden (yade.TestObjectInstantiation)
Core: Attr::hidden ... ok
testInteractionLoopCtor (yade.TestObjectInstantiation)
Core: InteractionLoop special ctor ... ok
testInvalidAttr (yade.TestObjectInstantiation)
Core: invalid attribute access raises AttributeError ... ok
testNoSave (yade.TestObjectInstantiation)
Core: Attr::noSave ... =================================================================
==25985==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000843e0 at pc 0x7f258468ddf6 bp 0x7ffd5d30ccc0 sp 0x7ffd5d30ccb8
READ of size 8 at 0x6020000843e0 thread T0
#0 0x7f258468ddf5 in BodyContainer::smart_iterator::operator++() /trunk/core/BodyContainer.hpp:42
#1 0x7f258468ddf5 in void boost::foreach_detail_::next<BodyContainer, mpl_::bool_<false> >(boost::foreach_detail_::auto_any_base const&, boost::foreach_detail_::type2type<BodyContainer, mpl_::bool_<false> >*) /usr/include/boost/foreach.hpp:760
#2 0x7f258468ddf5 in Scene::checkStateTypes() /trunk/core/Scene.cpp:175
#3 0x7f2584693746 in Scene::moveToNextTimeStep() /trunk/core/Scene.cpp:74
#4 0x7f256546dbd6 in _object* boost::python::detail::invoke<int, void (pyOmega::*)(), boost::python::arg_from_python<pyOmega&> >(boost::python::detail::invoke_tag_<true, true>, int const&, void (pyOmega::*&)(), boost::python::arg_from_python<pyOmega&>&) /usr/include/boost/python/detail/invoke.hpp:92
#5 0x7f256546dbd6 in boost::python::detail::caller_arity<1u>::impl<void (pyOmega::*)(), boost::python::default_call_policies, boost::mpl::vector2<void, pyOmega&> >::operator()(_object*, _object*) /usr/include/boost/python/detail/caller.hpp:216
#6 0x7f256546dbd6 in boost::python::objects::caller_py_function_impl<boost::python::detail::caller<void (pyOmega::*)(), boost::python::default_call_policies, boost::mpl::vector2<void, pyOmega&> > >::operator()(_object*, _object*) /usr/include/boost/python/object/py_function.hpp:38
#7 0x7f2581dc012c in boost::python::objects::function::call(_object*, _object*) const (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x2512c)
#8 0x7f2581dc0327 (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x25327)
#9 0x7f2581dc6ed2 in boost::python::handle_exception_impl(boost::function0<void>) (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x2bed2)
#10 0x7f2581dbea05 (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x23a05)
#11 0x5d92aa in _PyObject_FastCallKeywords (/usr/bin/python3.7+0x5d92aa)
#12 0x54aec0 (/usr/bin/python3.7+0x54aec0)
#13 0x551f09 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x551f09)
#14 0x5d847b in _PyFunction_FastCallKeywords (/usr/bin/python3.7+0x5d847b)
#15 0x54dfef in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54dfef)
#16 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#17 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#18 0x4d9bf1 (/usr/bin/python3.7+0x4d9bf1)
#19 0x5db615 in PyObject_Call (/usr/bin/python3.7+0x5db615)
#20 0x54f410 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54f410)
#21 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#22 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#23 0x58eeba (/usr/bin/python3.7+0x58eeba)
#24 0x5d92aa in _PyObject_FastCallKeywords (/usr/bin/python3.7+0x5d92aa)
#25 0x552187 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x552187)
#26 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#27 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#28 0x4d9bf1 (/usr/bin/python3.7+0x4d9bf1)
#29 0x5db615 in PyObject_Call (/usr/bin/python3.7+0x5db615)
#30 0x54f410 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54f410)
#31 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#32 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#33 0x58eeba (/usr/bin/python3.7+0x58eeba)
#34 0x5d92aa in _PyObject_FastCallKeywords (/usr/bin/python3.7+0x5d92aa)
#35 0x552187 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x552187)
#36 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#37 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#38 0x4d9bf1 (/usr/bin/python3.7+0x4d9bf1)
#39 0x5db615 in PyObject_Call (/usr/bin/python3.7+0x5db615)
#40 0x54f410 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54f410)
#41 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#42 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#43 0x58eeba (/usr/bin/python3.7+0x58eeba)
#44 0x5d92aa in _PyObject_FastCallKeywords (/usr/bin/python3.7+0x5d92aa)
#45 0x552187 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x552187)
#46 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#47 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#48 0x4d9bf1 (/usr/bin/python3.7+0x4d9bf1)
#49 0x5db615 in PyObject_Call (/usr/bin/python3.7+0x5db615)
#50 0x54f410 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54f410)
#51 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#52 0x5d998d in _PyFunction_FastCallDict (/usr/bin/python3.7+0x5d998d)
#53 0x58eeba (/usr/bin/python3.7+0x58eeba)
#54 0x5d92aa in _PyObject_FastCallKeywords (/usr/bin/python3.7+0x5d92aa)
#55 0x552187 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x552187)
#56 0x5d847b in _PyFunction_FastCallKeywords (/usr/bin/python3.7+0x5d847b)
#57 0x54e220 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54e220)
#58 0x5d847b in _PyFunction_FastCallKeywords (/usr/bin/python3.7+0x5d847b)
#59 0x54acef (/usr/bin/python3.7+0x54acef)
#60 0x551f09 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x551f09)
#61 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#62 0x54dae2 in PyEval_EvalCode (/usr/bin/python3.7+0x54dae2)
#63 0x630af1 (/usr/bin/python3.7+0x630af1)
#64 0x630ba6 in PyRun_FileExFlags (/usr/bin/python3.7+0x630ba6)
#65 0x63180e in PyRun_SimpleFileExFlags (/usr/bin/python3.7+0x63180e)
#66 0x653f7d (/usr/bin/python3.7+0x653f7d)
#67 0x6542dd in _Py_UnixMain (/usr/bin/python3.7+0x6542dd)
#68 0x7f258c76709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#69 0x5dfe99 in _start (/usr/bin/python3.7+0x5dfe99)
0x6020000843e0 is located 0 bytes to the right of 16-byte region [0x6020000843d0,0x6020000843e0)
allocated by thread T0 here:
#0 0x7f258ce6ed30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
#1 0x7f25843fb313 in __gnu_cxx::new_allocator<boost::shared_ptr<Body> >::allocate(unsigned long, void const*) /usr/include/c++/8/ext/new_allocator.h:111
#2 0x7f25843fb313 in std::allocator_traits<std::allocator<boost::shared_ptr<Body> > >::allocate(std::allocator<boost::shared_ptr<Body> >&, unsigned long) /usr/include/c++/8/bits/alloc_traits.h:436
#3 0x7f25843fb313 in std::_Vector_base<boost::shared_ptr<Body>, std::allocator<boost::shared_ptr<Body> > >::_M_allocate(unsigned long) /usr/include/c++/8/bits/stl_vector.h:296
#4 0x7f25843fb313 in void std::vector<boost::shared_ptr<Body>, std::allocator<boost::shared_ptr<Body> > >::_M_realloc_insert<boost::shared_ptr<Body> const&>(__gnu_cxx::__normal_iterator<boost::shared_ptr<Body>*, std::vector<boost::shared_ptr<Body>, std::allocator<boost::shared_ptr<Body> > > >, boost::shared_ptr<Body> const&) /usr/include/c++/8/bits/vector.tcc:427
#5 0x7f25843eb831 in std::vector<boost::shared_ptr<Body>, std::allocator<boost::shared_ptr<Body> > >::push_back(boost::shared_ptr<Body> const&) /usr/include/c++/8/bits/stl_vector.h:1085
#6 0x7f25843eb831 in BodyContainer::insert(boost::shared_ptr<Body>) /trunk/core/BodyContainer.cpp:23
#7 0x7f25655fe7aa in pyBodyContainer::append(boost::shared_ptr<Body>) /trunk/py/wrapper/yadeWrapper.cpp:92
#8 0x7f2565564fd1 in _object* boost::python::detail::invoke<boost::python::to_python_value<int const&>, int (pyBodyContainer::*)(boost::shared_ptr<Body>), boost::python::arg_from_python<pyBodyContainer&>, boost::python::arg_from_python<boost::shared_ptr<Body> > >(boost::python::detail::invoke_tag_<false, true>, boost::python::to_python_value<int const&> const&, int (pyBodyContainer::*&)(boost::shared_ptr<Body>), boost::python::arg_from_python<pyBodyContainer&>&, boost::python::arg_from_python<boost::shared_ptr<Body> >&) /usr/include/boost/python/detail/invoke.hpp:86
#9 0x7f2565564fd1 in boost::python::detail::caller_arity<2u>::impl<int (pyBodyContainer::*)(boost::shared_ptr<Body>), boost::python::default_call_policies, boost::mpl::vector3<int, pyBodyContainer&, boost::shared_ptr<Body> > >::operator()(_object*, _object*) /usr/include/boost/python/detail/caller.hpp:216
#10 0x7f2565564fd1 in boost::python::objects::caller_py_function_impl<boost::python::detail::caller<int (pyBodyContainer::*)(boost::shared_ptr<Body>), boost::python::default_call_policies, boost::mpl::vector3<int, pyBodyContainer&, boost::shared_ptr<Body> > > >::operator()(_object*, _object*) /usr/include/boost/python/object/py_function.hpp:38
#11 0x7f2581dc012c in boost::python::objects::function::call(_object*, _object*) const (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x2512c)
SUMMARY: AddressSanitizer: heap-buffer-overflow /trunk/core/BodyContainer.hpp:42 in BodyContainer::smart_iterator::operator++()
Shadow bytes around the buggy address:
0x0c0480008820: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480008830: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c0480008840: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480008850: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480008860: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c0480008870: fa fa fd fd fa fa 00 00 fa fa 00 00[fa]fa fd fd
0x0c0480008880: fa fa fd fd fa fa 00 00 fa fa fa fa fa fa fa fa
0x0c0480008890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800088a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800088b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800088c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25985==ABORTING
I think the code in the BodyContainer should be fixed and simplified. This small piece of code should not cause such errors.
Edited by Anton Gladky
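Reading the report: the bad access is a READ of size 8 at 0 bytes to the right of a 16-byte region, and that region was allocated by std::vector::push_back inside BodyContainer::insert. On x86_64 a boost::shared_ptr is 16 bytes (two pointers), so the vector held exactly one Body and the faulting frame, BodyContainer::smart_iterator::operator++ under BOOST_FOREACH in Scene::checkStateTypes, read the first pointer of the slot one past the end, i.e. it dereferenced end(). The pattern that produces exactly this read is a null-skipping increment that tests the slot before testing for end ("!*it && it != end" instead of "it != end && !*it"). That order is an assumption about the cause: BodyContainer.hpp:42 itself is not quoted in the report. The code below is an added example written for this page, not Yade's BodyContainer; Body, BodyVec, walk, LiveBodyIter, LiveBodies and sample_bodies are all hypothetical names. Because the unsafe order is undefined behaviour and ASan would abort it, walk() models both orders with indices and counts the past-the-end slot test instead of performing it; LiveBodyIter is the hardened iterator that a range-for can use directly.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <vector>

// Stand-in for Yade's Body: only "slot holds a body or is null" matters here.
struct Body { int id; };
using BodyVec = std::vector<std::shared_ptr<Body>>;

struct WalkResult {
    std::size_t visited; // live bodies yielded to the loop body
    std::size_t oob;     // slot tests that would read at or beyond size()
};

// Slot test used by the model. At i == size() the real code would read one element
// past the vector's buffer (the 8-byte READ in the report); the model counts that
// read instead of performing it and treats the unreadable slot as null.
static bool slot_live(const BodyVec& v, std::size_t i, std::size_t& oob) {
    if (i >= v.size()) { ++oob; return false; }
    return static_cast<bool>(v[i]);
}

// Index model of a null-skipping iterator. With check_end_first == false the skip
// condition is "!*it && it != end" (dereference, then bounds test): every walk of a
// non-empty vector dereferences end() once when the last live body is stepped over.
// With check_end_first == true it is "it != end && !*it": short-circuit evaluation
// never touches end().
WalkResult walk(const BodyVec& v, bool check_end_first) {
    WalkResult r{0, 0};
    const std::size_t end = v.size();
    auto skip = [&](std::size_t i) {
        for (;;) {
            bool more = check_end_first ? (i != end && !slot_live(v, i, r.oob))
                                        : (!slot_live(v, i, r.oob) && i != end);
            if (!more) return i;
            ++i;
        }
    };
    for (std::size_t i = skip(0); i != end; i = skip(i + 1)) ++r.visited;
    return r;
}

// Hardened iterator over the same container: carries end() and tests it before
// every dereference, so it is safe with nulls anywhere, including the last slot.
class LiveBodyIter {
public:
    using Base = BodyVec::const_iterator;
    LiveBodyIter(Base it, Base end) : it_(it), end_(end) { skip(); }
    LiveBodyIter& operator++() { ++it_; skip(); return *this; }
    const std::shared_ptr<Body>& operator*() const { return *it_; }
    bool operator!=(const LiveBodyIter& o) const { return it_ != o.it_; }
private:
    void skip() { while (it_ != end_ && !*it_) ++it_; } // end check first, deref second
    Base it_, end_;
};

// Range adaptor so a range-for only sees live bodies.
struct LiveBodies {
    const BodyVec& v;
    LiveBodyIter begin() const { return {v.begin(), v.end()}; }
    LiveBodyIter end() const { return {v.end(), v.end()}; }
};

// Sum of ids of the live bodies, iterated with the hardened iterator.
int sum_live_ids(const BodyVec& v) {
    int s = 0;
    for (const auto& b : LiveBodies{v}) s += b->id;
    return s;
}

// Constructed sample: an erased (null) slot in the middle and a null in the last slot.
BodyVec sample_bodies() {
    BodyVec v;
    v.push_back(std::make_shared<Body>(Body{1}));
    v.push_back(nullptr);
    v.push_back(std::make_shared<Body>(Body{3}));
    v.push_back(nullptr);
    return v;
}

int main() {
    const BodyVec v = sample_bodies();
    WalkResult bad = walk(v, false), good = walk(v, true);
    std::cout << "deref-then-check: visited " << bad.visited << ", past-end reads " << bad.oob << '\n'
              << "check-then-deref: visited " << good.visited << ", past-end reads " << good.oob << '\n'
              << "sum of live ids: " << sum_live_ids(v) << '\n';
    return 0;
}
```

The model reproduces the shape of the report with a single-element container as well: one visited body, one read past the end, which is the 16-byte region with the fault at its right edge. Whatever line 42 actually looks like, the property the fix has to establish is the one LiveBodyIter::skip has: the comparison with end() happens before any dereference, and the iterator carries end() so it can do that. Re-running "yade-asan --test" after the change is the acceptance test; ASan aborts on the first bad access, so the run has to be completely clean rather than merely fail later.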