View Issue Details

IDProjectCategoryView StatusLast Update
0026428CommunityOCCT:Application Frameworkpublic2016-04-20 15:48
ReporterVico Liang Assigned Tokgv  
PrioritynormalSeveritycrash 
Status closedResolutionfixed 
PlatformWindowsOSVC++ 2013 
Product Version6.9.0 
Target Version7.0.0Fixed in Version7.0.0 
Summary0026428: TNaming_Selector::Solve crash for empty named shape.
DescriptionThe problem is that the referenced named shape has a null naming node which results in a null pointer access "myNode->myNew" in TNaming_NewShapeIterator constructor.

The stack frame as below:

     TKCAF.dll!TNaming_NewShapeIterator::TNaming_NewShapeIterator(const TNaming_Iterator & anIterator) Line 1052 C++
> TKCAF.dll!TNaming_NamingTool::BuildDescendants(const Handle_TNaming_NamedShape & NS, TDF_LabelMap & Descendants) Line 284 C++
     TKCAF.dll!ModifUntil(const TDF_Label & L, const TDF_LabelMap & Valid, const TNaming_ListOfNamedShape & Args, const Handle_TNaming_NamedShape & Stop) Line 615 C++
     TKCAF.dll!TNaming_Name::Solve(const TDF_Label & aLab, const TDF_LabelMap & Valid) Line 2045 C++
     TKCAF.dll!TNaming_Naming::Regenerate(TDF_LabelMap & MDF) Line 1917 C++
     TKCAF.dll!TNaming_Naming::Solve(TDF_LabelMap & Valid) Line 174 C++
     TKCAF.dll!TNaming_Naming::Solve(TDF_LabelMap & Valid) Line 159 C++
     TKCAF.dll!TNaming_Naming::Solve(TDF_LabelMap & Valid) Line 159 C++
     TKCAF.dll!TNaming_Selector::Solve(TDF_LabelMap & Valid) Line 423 C++
Steps To ReproduceUse attached script t1.tcl
TagsNo tags attached.
Test case numberbugs caf bug26428

Attached Files

  • t1.tcl (292 bytes)

Activities

szy

2015-08-11 17:19

manager   ~0043982

Insufficient description.
I suggest you to make the registered issue reproducible.
Provide, please:
1) data - document in any supported by OCCT format (to be used to reproduce the case) or procedure (tcl script) building it
2)standalone C++ sample presenting the issue (or set of Draw commands)
Without this additional information the issue can't be processed.

Vico Liang

2015-08-12 05:43

developer   ~0044002

Dear szy,

There is no OCCT document saved for this case, it's reproduced in the middle of running program.

Also i'm not know how to write the tcl script to reproduce this.

From the description, it is not hard to find the problem by static code analysis. It's obvious that there is null ponter access in TNaming_NewShapeIterator constructor.

To fix the issus, it just needs null pointer protection.

Vico Liang

2015-08-12 05:56

developer   ~0044003

Code Snippet of below can reproduce the issue:

TDF_Label aLabel = // any label
TNaming_Builder aNB(aLabel);
TNaming_Iterator aNameIter(aLabel);
TNaming_NewShapeIterator aNewShapeIter(aNameIter);

Vico Liang

2015-08-12 05:59

developer   ~0044004

TNaming_OldShapeIterator has the same issue:

TDF_Label aLabel = // any label
TNaming_Builder aNB(aLabel);
TNaming_Iterator aNameIter(aLabel);
TNaming_OldShapeIterator aOldShapeIter(aNameIter);

Vico Liang

2015-08-12 06:54

developer   ~0044005

TNaming_OldShapeIterator and TNaming_NewShapeIterator all constructors have to protect null node access.

git

2015-09-17 18:34

administrator   ~0045831

Branch CR26428 has been created by szy.

SHA-1: 7f7ba10f01dd6f78996f8b8993709e679ea7cddc


Detailed log of new commits:

Author: szy
Date: Thu Sep 17 18:22:15 2015 +0300

    26428: TNaming_Selector::Solve crash for empty named shape.

szy

2015-09-17 18:39

manager   ~0045833

Review, please branch CR26428.
In fact exception is raised because the provided structure is not correct.
Now constructor raises exception like "NoSuchObject" (as the expected node is not created).

vro

2015-09-18 07:03

developer   ~0045847

Everything is Ok.

git

2015-09-18 16:58

administrator   ~0045910

Branch CR26428 has been updated forcibly by mkv.

SHA-1: 385b492ab16b9f12df53fb7328813596f4707588

mkv

2015-09-18 17:29

tester   ~0045916

Dear BugMaster,
Branch CR26428 was rebased on current master of occt git-repository.
SHA-1: 385b492ab16b9f12df53fb7328813596f4707588

szy

2015-09-21 11:44

manager   ~0045938

Some additional comments.
The provided reproducer (independently of usage of New or Old shapes Iterator) is a good example of incorrect approach of TNaming_Builder usage:
"TDF_Label aLabel = // any label
TNaming_Builder aNB(aLabel);
TNaming_Iterator aNameIter(aLabel);
TNaming_NewShapeIterator aNewShapeIter(aNameIter);"

TNaming_Builder aNB(aLabel) - just creates a new empty NamedShape attribute (or cleans existing one). Empty (not initialized) NamedShape has null Node (myNode = 0L;). This feature is used to identify empty NamedShape. Logically an attempt to iterate empty shape is not a good idea.
In other words after creation empty NamedShape attribute (see chapter "5.OCAF Shape Attributes" of OCAF User's Guide) it should be filled using one of available methods: Generated(), Modify()..., for example:
TopoDS_Shape aShape;
TNaming_Builder aNB(aLabel);
aNB.Generated(aShape); // <<== Initialization of the attribute by the 'aShape'
                       //with PRIMITIVE evolution
TNaming_Iterator aNameIter(aLabel);
TNaming_NewShapeIterator aNewShapeIter(aNameIter);

szy

2015-09-21 17:22

manager  

t1.tcl (292 bytes)

mkv

2015-09-21 20:03

tester   ~0045961

Dear BugMaster,
Branch CR26428 from occt git-repository (and master from products git-repository) was compiled on Linux, MacOS and Windows platforms and tested on Release mode.
SHA-1: 385b492ab16b9f12df53fb7328813596f4707588

Number of compiler warnings:

occt component :
Linux: 15 (15 on master)
Windows: 0 (0 on master)

products component :
Linux: 39 (39 on master)
Windows: 0 (0 on master)

Regressions/Differences/Improvements:
No regressions/differences

Testing cases:
http://occt-tests/CR26428-master-occt-64/Debian70-64/bugs/caf/bug26428.html
http://occt-tests/CR26428-master-occt-64/Windows-64-VC10/bugs/caf/bug26428.html
bugs caf bug26428: OK

Testing on Linux:
occt component :
Total MEMORY difference: 92342608 / 92149486 [+0.21%]
Total CPU difference: 18506.01999999955 / 18841.999999998985 [-1.78%]
products component :
Total MEMORY difference: 25923664 / 25980951 [-0.22%]
Total CPU difference: 7299.409999999985 / 7208.589999999996 [+1.26%]

Testing on Windows:
occt component :
Total MEMORY difference: 56831633 / 56826033 [+0.01%]
Total CPU difference: 18043.24726109894 / 16810.65215989913 [+7.33%]
products component :
Total MEMORY difference: 16784084 / 16784150 [-0.00%]
Total CPU difference: 5933.888037500007 / 5525.21221779996 [+7.40%]

There are no differences in images found by testdiff.

git

2015-09-21 20:04

administrator   ~0045962

Branch CR26428 has been updated by mkv.

SHA-1: 27ef0a623843a97604d58106b413f723dbfb48da


Detailed log of new commits:

Author: mkv
Date: Mon Sep 21 19:55:09 2015 +0300

    Test case for issue CR26428

git

2015-10-16 16:57

administrator   ~0047070

Branch CR26428 has been deleted by kgv.

SHA-1: 27ef0a623843a97604d58106b413f723dbfb48da

Related Changesets

occt: master ddd926fe

2015-09-24 09:36:11

szy


Committer: kgv Details Diff
26428: TNaming_Selector::Solve crash for empty named shape.

Test case for issue CR26428
Affected Issues
0026428
mod - src/DNaming/DNaming_BasicCommands.cxx Diff File
mod - src/TNaming/TNaming_NamedShape.cxx Diff File
add - tests/bugs/caf/bug26428 Diff File

Issue History

Date Modified Username Field Change
2015-07-14 13:03 Vico Liang New Issue
2015-07-14 13:03 Vico Liang Assigned To => szy
2015-08-11 17:19 szy Note Added: 0043982
2015-08-11 17:19 szy Assigned To szy => Vico Liang
2015-08-11 17:19 szy Status new => feedback
2015-08-12 05:43 Vico Liang Note Added: 0044002
2015-08-12 05:44 Vico Liang Assigned To Vico Liang => szv
2015-08-12 05:56 Vico Liang Note Added: 0044003
2015-08-12 05:57 Vico Liang Status feedback => assigned
2015-08-12 05:59 Vico Liang Note Added: 0044004
2015-08-12 06:54 Vico Liang Note Added: 0044005
2015-08-12 07:55 Vico Liang Assigned To szv => szy
2015-09-17 18:34 git Note Added: 0045831
2015-09-17 18:39 szy Note Added: 0045833
2015-09-17 18:39 szy Assigned To szy => vro
2015-09-17 18:39 szy Status assigned => resolved
2015-09-17 18:39 szy Steps to Reproduce Updated
2015-09-18 07:03 vro Note Added: 0045847
2015-09-18 07:03 vro Assigned To vro => bugmaster
2015-09-18 07:03 vro Status resolved => reviewed
2015-09-18 16:07 mkv Assigned To bugmaster => mkv
2015-09-18 16:58 git Note Added: 0045910
2015-09-18 17:29 mkv Note Added: 0045916
2015-09-21 11:44 szy Note Added: 0045938
2015-09-21 17:22 szy File Added: t1.tcl
2015-09-21 20:03 mkv Note Added: 0045961
2015-09-21 20:03 mkv Assigned To mkv => bugmaster
2015-09-21 20:03 mkv Status reviewed => tested
2015-09-21 20:03 mkv Test case number => bugs caf bug26428
2015-09-21 20:04 git Note Added: 0045962
2015-09-28 12:58 kgv Changeset attached => occt master ddd926fe
2015-09-28 12:58 kgv Assigned To bugmaster => kgv
2015-09-28 12:58 kgv Status tested => verified
2015-09-28 12:58 kgv Resolution open => fixed
2015-10-16 16:57 git Note Added: 0047070
2016-04-20 15:44 aiv Fixed in Version => 7.0.0
2016-04-20 15:48 aiv Status verified => closed