AddressSanitizer: heap-buffer-overflow in pkg/dem/BlockGen.cpp:2521
Running "yade --check" on a build compiled with AddressSanitizer detects a memory problem in BlockGen.cpp: a heap-buffer-overflow. The problem is in this code:
unsigned int h = 0;
unsigned int k = 1;
unsigned int m = 2;
Vector3r pt1 = verticesOnPlane[h];
Vector3r pt2 = verticesOnPlane[k];
Vector3r pt3 = verticesOnPlane[m]; // <------------- crash is here
I have checked: in some cases the size of verticesOnPlane is just 2 (0, 1), but here the code tries to access the third element [m = 2], which leads to the overflow.
I think that the original author of this code should have a closer look into the logic.
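An added example (not yade's code) that shows the same three-vertex access pattern as in calCentroid next to a guarded form that rejects planes with fewer than three vertices; the Vec3 struct stands in for Eigen's Vector3r, and the sample vertex lists are constructed here for illustration.

```cpp
#include <array>
#include <stdexcept>
#include <vector>

// Stand-in for Eigen's Vector3r so the example builds without Eigen (assumption).
struct Vec3 { double x, y, z; };

// Same pattern as the reported code: indices 0, 1, 2 are read without checking
// the vector size. With only two vertices the third read runs past the end of
// the heap buffer, which is exactly what ASan flagged. Kept for comparison only.
std::array<Vec3, 3> pickThreeUnchecked(const std::vector<Vec3>& verticesOnPlane) {
    unsigned int h = 0, k = 1, m = 2;
    return { verticesOnPlane[h], verticesOnPlane[k], verticesOnPlane[m] };
}

// Guarded form: a plane described by fewer than three vertices is degenerate,
// so report that to the caller instead of indexing out of bounds.
bool pickThreeChecked(const std::vector<Vec3>& verticesOnPlane, std::array<Vec3, 3>& out) {
    if (verticesOnPlane.size() < 3) return false;
    out = { verticesOnPlane[0], verticesOnPlane[1], verticesOnPlane[2] };
    return true;
}

// Diagnostic alternative: std::vector::at() turns the same mistake into a
// catchable std::out_of_range rather than silent memory corruption. Useful
// while the logic bug is being tracked down; slower in hot loops.
bool thirdVertexAccessThrows(const std::vector<Vec3>& verticesOnPlane) {
    try { (void)verticesOnPlane.at(2); return false; }
    catch (const std::out_of_range&) { return true; }
}

// Constructed sample inputs: a plane with two vertices (the failing case) and
// a plane with three.
std::vector<Vec3> twoVertexPlane()   { return { {0, 0, 0}, {1, 0, 0} }; }
std::vector<Vec3> threeVertexPlane() { return { {0, 0, 0}, {1, 0, 0}, {0, 1, 0} }; }

int main() {
    std::array<Vec3, 3> pts;
    // Degenerate plane is skipped instead of read out of bounds.
    bool ok = pickThreeChecked(twoVertexPlane(), pts);
    return ok ? 1 : 0;
}
```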
The full AddressSanitizer output is here:
LD_PRELOAD=/lib/x86_64-linux-gnu/libasan.so.5 ASAN_OPTIONS=detect_leaks=0 ./../inst/bin/yade-asan --check
...
___________________________________
###################################
running: checkBlockGen.py
=================================================================
==20967==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040003c8640 at pc 0x7f0aef4b2cb6 bp 0x7fffc5e0fd90 sp 0x7fffc5e0fd88
READ of size 24 at 0x6040003c8640 thread T0
#0 0x7f0aef4b2cb5 in Eigen::DenseStorage<double, 3, 3, 1, 0>::DenseStorage(Eigen::DenseStorage<double, 3, 3, 1, 0> const&) /usr/include/eigen3/Eigen/src/Core/DenseStorage.h:194
#1 0x7f0aef4b2cb5 in Eigen::PlainObjectBase<Eigen::Matrix<double, 3, 1, 0, 3, 1> >::PlainObjectBase(Eigen::PlainObjectBase<Eigen::Matrix<double, 3, 1, 0, 3, 1> > const&) /usr/include/eigen3/Eigen/src/Core/PlainObjectBase.h:520
#2 0x7f0aef4b2cb5 in Eigen::Matrix<double, 3, 1, 0, 3, 1>::Matrix(Eigen::Matrix<double, 3, 1, 0, 3, 1> const&) /usr/include/eigen3/Eigen/src/Core/Matrix.h:368
#3 0x7f0aef4b2cb5 in yade::BlockGen::calCentroid(yade::BlockGen::Block, double&) /home/gladk/dem/yade/trunk/pkg/dem/BlockGen.cpp:2520
#4 0x7f0aef4c1572 in yade::BlockGen::createBlock(boost::shared_ptr<yade::Body>&, yade::BlockGen::Block, int) /home/gladk/dem/yade/trunk/pkg/dem/BlockGen.cpp:1665
#5 0x7f0aef4eb363 in yade::BlockGen::generate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/gladk/dem/yade/trunk/pkg/dem/BlockGen.cpp:1552
#6 0x7f0aee1f73ba in yade::FileGenerator::generateAndSave(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/gladk/dem/yade/trunk/core/FileGenerator.cpp:25
#7 0x7f0aee1f8291 in yade::FileGenerator::pyGenerate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/gladk/dem/yade/trunk/core/FileGenerator.cpp:60
#8 0x7f0aee1f90e4 in yade::FileGenerator::pyLoad() /home/gladk/dem/yade/trunk/core/FileGenerator.cpp:67
#9 0x7f0aee1fef96 in _object* boost::python::detail::invoke<int, void (yade::FileGenerator::*)(), boost::python::arg_from_python<yade::FileGenerator&> >(boost::python::detail::invoke_tag_<true, true>, int const&, void (yade::FileGenerator::*&)(), boost::python::arg_from_python<yade::FileGenerator&>&) /usr/include/boost/python/detail/invoke.hpp:92
#10 0x7f0aee1fef96 in boost::python::detail::caller_arity<1u>::impl<void (yade::FileGenerator::*)(), boost::python::default_call_policies, boost::mpl::vector2<void, yade::FileGenerator&> >::operator()(_object*, _object*) /usr/include/boost/python/detail/caller.hpp:216
#11 0x7f0aee1fef96 in boost::python::objects::caller_py_function_impl<boost::python::detail::caller<void (yade::FileGenerator::*)(), boost::python::default_call_policies, boost::mpl::vector2<void, yade::FileGenerator&> > >::operator()(_object*, _object*) /usr/include/boost/python/object/py_function.hpp:38
#12 0x7f0aeb9ec12c in boost::python::objects::function::call(_object*, _object*) const (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x2512c)
#13 0x7f0aeb9ec327 (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x25327)
#14 0x7f0aeb9f2ed2 in boost::python::handle_exception_impl(boost::function0<void>) (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x2bed2)
#15 0x7f0aeb9eaa05 (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x23a05)
#16 0x5d92aa in _PyObject_FastCallKeywords (/usr/bin/python3.7+0x5d92aa)
#17 0x54aec0 (/usr/bin/python3.7+0x54aec0)
#18 0x551f09 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x551f09)
#19 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#20 0x5589b4 (/usr/bin/python3.7+0x5589b4)
#21 0x5d7ab2 in _PyMethodDef_RawFastCallKeywords (/usr/bin/python3.7+0x5d7ab2)
#22 0x551db2 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x551db2)
#23 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#24 0x5d8781 in _PyFunction_FastCallKeywords (/usr/bin/python3.7+0x5d8781)
#25 0x54dfef in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54dfef)
#26 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#27 0x5589b4 (/usr/bin/python3.7+0x5589b4)
#28 0x5d7ab2 in _PyMethodDef_RawFastCallKeywords (/usr/bin/python3.7+0x5d7ab2)
#29 0x551db2 in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x551db2)
#30 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#31 0x5d8781 in _PyFunction_FastCallKeywords (/usr/bin/python3.7+0x5d8781)
#32 0x54dfef in _PyEval_EvalFrameDefault (/usr/bin/python3.7+0x54dfef)
#33 0x54b7c1 in _PyEval_EvalCodeWithName (/usr/bin/python3.7+0x54b7c1)
#34 0x54dae2 in PyEval_EvalCode (/usr/bin/python3.7+0x54dae2)
#35 0x630af1 (/usr/bin/python3.7+0x630af1)
#36 0x630ba6 in PyRun_FileExFlags (/usr/bin/python3.7+0x630ba6)
#37 0x63180e in PyRun_SimpleFileExFlags (/usr/bin/python3.7+0x63180e)
#38 0x653f7d (/usr/bin/python3.7+0x653f7d)
#39 0x6542dd in _Py_UnixMain (/usr/bin/python3.7+0x6542dd)
#40 0x7f0af603009a in __libc_start_main ../csu/libc-start.c:308
#41 0x5dfe99 in _start (/usr/bin/python3.7+0x5dfe99)
0x6040003c8640 is located 0 bytes to the right of 48-byte region [0x6040003c8610,0x6040003c8640)
allocated by thread T0 here:
#0 0x7f0af6737d30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
#1 0x7f0aeeb055d6 in __gnu_cxx::new_allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> >::allocate(unsigned long, void const*) /usr/include/c++/8/ext/new_allocator.h:111
#2 0x7f0aeeb055d6 in std::allocator_traits<std::allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> > >::allocate(std::allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> >&, unsigned long) /usr/include/c++/8/bits/alloc_traits.h:436
#3 0x7f0aeeb055d6 in std::_Vector_base<Eigen::Matrix<double, 3, 1, 0, 3, 1>, std::allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> > >::_M_allocate(unsigned long) /usr/include/c++/8/bits/stl_vector.h:296
#4 0x7f0aeeb055d6 in void std::vector<Eigen::Matrix<double, 3, 1, 0, 3, 1>, std::allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> > >::_M_realloc_insert<Eigen::Matrix<double, 3, 1, 0, 3, 1> const&>(__gnu_cxx::__normal_iterator<Eigen::Matrix<double, 3, 1, 0, 3, 1>*, std::vector<Eigen::Matrix<double, 3, 1, 0, 3, 1>, std::allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> > > >, Eigen::Matrix<double, 3, 1, 0, 3, 1> const&) /usr/include/c++/8/bits/vector.tcc:427
#5 0x7f0aef4b16b2 in std::vector<Eigen::Matrix<double, 3, 1, 0, 3, 1>, std::allocator<Eigen::Matrix<double, 3, 1, 0, 3, 1> > >::push_back(Eigen::Matrix<double, 3, 1, 0, 3, 1> const&) /usr/include/c++/8/bits/stl_vector.h:1085
#6 0x7f0aef4b16b2 in yade::BlockGen::calCentroid(yade::BlockGen::Block, double&) /home/gladk/dem/yade/trunk/pkg/dem/BlockGen.cpp:2510
#7 0x7f0aef4c1572 in yade::BlockGen::createBlock(boost::shared_ptr<yade::Body>&, yade::BlockGen::Block, int) /home/gladk/dem/yade/trunk/pkg/dem/BlockGen.cpp:1665
#8 0x7f0aef4eb363 in yade::BlockGen::generate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/gladk/dem/yade/trunk/pkg/dem/BlockGen.cpp:1552
#9 0x7f0aee1f73ba in yade::FileGenerator::generateAndSave(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /home/gladk/dem/yade/trunk/core/FileGenerator.cpp:25
#10 0x7f0aee1f8291 in yade::FileGenerator::pyGenerate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/gladk/dem/yade/trunk/core/FileGenerator.cpp:60
#11 0x7f0aee1f90e4 in yade::FileGenerator::pyLoad() /home/gladk/dem/yade/trunk/core/FileGenerator.cpp:67
#12 0x7f0aee1fef96 in _object* boost::python::detail::invoke<int, void (yade::FileGenerator::*)(), boost::python::arg_from_python<yade::FileGenerator&> >(boost::python::detail::invoke_tag_<true, true>, int const&, void (yade::FileGenerator::*&)(), boost::python::arg_from_python<yade::FileGenerator&>&) /usr/include/boost/python/detail/invoke.hpp:92
#13 0x7f0aee1fef96 in boost::python::detail::caller_arity<1u>::impl<void (yade::FileGenerator::*)(), boost::python::default_call_policies, boost::mpl::vector2<void, yade::FileGenerator&> >::operator()(_object*, _object*) /usr/include/boost/python/detail/caller.hpp:216
#14 0x7f0aee1fef96 in boost::python::objects::caller_py_function_impl<boost::python::detail::caller<void (yade::FileGenerator::*)(), boost::python::default_call_policies, boost::mpl::vector2<void, yade::FileGenerator&> > >::operator()(_object*, _object*) /usr/include/boost/python/object/py_function.hpp:38
#15 0x7f0aeb9ec12c in boost::python::objects::function::call(_object*, _object*) const (/lib/x86_64-linux-gnu/libboost_python37.so.1.67.0+0x2512c)
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/eigen3/Eigen/src/Core/DenseStorage.h:194 in Eigen::DenseStorage<double, 3, 3, 1, 0>::DenseStorage(Eigen::DenseStorage<double, 3, 3, 1, 0> const&)
Shadow bytes around the buggy address:
0x0c0880071070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0880071080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0880071090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c08800710a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c08800710b0: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
=>0x0c08800710c0: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
0x0c08800710d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c08800710e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c08800710f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0880071100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0880071110: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20967==ABORTING
Edited by Anton Gladky