View Issue Details

IDProjectCategoryView StatusLast Update
0030989Open CASCADEOCCT:Visualizationpublic2024-01-12 21:56
ReporterabvAssigned Tovpozdyayev 
PrioritynormalSeverityminor 
Status newResolutionopen 
Target VersionUnscheduled 
Summary0030989: Visualization - heap-use-after-free reported by Clang address sanitizer in OpenGl_Structure::IsRaytracable()
DescriptionWhen running OCCT built on Linux with Clang with option -fsanitize=address, error heap-use-after-free is reported on test bugs vis bug26029:

Remove s_13_90
=================================================================
==22996==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000897a4 at pc 0x7f0c7671db32 bp 0x7fffc8d698e0 sp 0x7fffc8d698d8
READ of size 4 at 0x6120000897a4 thread T0
    #0 0x7f0c7671db31 in NCollection_Sequence<opencascade::handle<Graphic3d_Group> >::IsEmpty() const /home/abv/occt/src/NCollection/NCollection_Sequence.hxx:148:13
    0000001 0x7f0c7612f461 in OpenGl_Structure::IsRaytracable() const /home/abv/occt/src/OpenGl/OpenGl_Structure.cxx:227:17
    0000002 0x7f0c7612f4a8 in OpenGl_Structure::IsRaytracable() const /home/abv/occt/src/OpenGl/OpenGl_Structure.cxx:234:32
    #3 0x7f0c76204964 in OpenGl_LayerList::RemoveStructure(OpenGl_Structure const*) /home/abv/occt/src/OpenGl/OpenGl_LayerList.cxx:334:23
    #4 0x7f0c7615db82 in OpenGl_View::eraseStructure(opencascade::handle<Graphic3d_CStructure> const&) /home/abv/occt/src/OpenGl/OpenGl_View.cxx:781:13
    #5 0x7f0c793c58d2 in Graphic3d_CView::Erase(opencascade::handle<Graphic3d_Structure> const&) /home/abv/occt/src/Graphic3d/Graphic3d_CView.cxx:848:5
    #6 0x7f0c7940785a in Graphic3d_StructureManager::Erase(opencascade::handle<Graphic3d_Structure> const&) /home/abv/occt/src/Graphic3d/Graphic3d_StructureManager.cxx:359:22
    0000007 0x7f0c793fcfa8 in Graphic3d_Structure::Erase() /home/abv/occt/src/Graphic3d/Graphic3d_Structure.cxx:220:25
    0000008 0x7f0c794ec089 in PrsMgr_Presentation::Erase() /home/abv/occt/src/PrsMgr/PrsMgr_Presentation.cxx:107:14
    0000009 0x7f0c794eea3d in PrsMgr_PresentationManager::Erase(opencascade::handle<PrsMgr_PresentableObject> const&, int) /home/abv/occt/src/PrsMgr/PrsMgr_PresentationManager.cxx:110:13
    #10 0x7f0c795745a2 in AIS_InteractiveContext::ClearGlobal(opencascade::handle<AIS_InteractiveObject> const&, bool) /home/abv/occt/src/AIS/AIS_InteractiveContext.cxx:2042:13
    0000011 0x7f0c79574346 in AIS_InteractiveContext::Remove(opencascade::handle<AIS_InteractiveObject> const&, bool) /home/abv/occt/src/AIS/AIS_InteractiveContext.cxx:676:3
    #12 0x7f0c76691eff in ViewerTest::Clear() /home/abv/occt/src/ViewerTest/ViewerTest.cxx:876:22
    0000013 0x7f0c76769594 in VClear(Draw_Interpretor&, int, char const**) /home/abv/occt/src/ViewerTest/ViewerTest_ViewerCommands.cxx:3930:5
    0000014 0x7f0c87c5c349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    0000015 0x7f0c87c69b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000016 0x7f0c81ff9b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    0000017 0x7f0c81ffbfa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    0000018 0x7f0c8209a87a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    0000019 0x7f0c8209a756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    0000020 0x7f0c87c6b0bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    0000021 0x7f0c87c51dad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    0000022 0x7f0c87c52b90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    0000023 0x7f0c87c5037b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    0000024 0x7f0c87c4f973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    0000025 0x7f0c87c6c328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    #26 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    #27 0x7f0c80a2582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x6120000897a4 is located 100 bytes inside of 296-byte region [0x612000089740,0x612000089868)
freed by thread T0 here:
    #0 0x4deb18 in __interceptor_cfree.localalias.0 (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deb18)
    0000001 0x7f0c835c26db in Standard_MMgrRaw::Free(void*) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:55:3
    0000002 0x7f0c835b880c in Standard::Free(void*) /home/abv/occt/src/Standard/Standard.cxx:250:36
    #3 0x7f0c87c5310a in Standard_Transient::operator delete(void*) /home/abv/occt/src/Standard/Standard_Transient.hxx:35:3
    #4 0x7f0c7612f0a5 in OpenGl_Structure::~OpenGl_Structure() /home/abv/occt/src/OpenGl/OpenGl_Structure.cxx:120:1
    #5 0x7f0c835ccaa1 in Standard_Transient::Delete() const /home/abv/occt/src/Standard/Standard_Transient.cxx:23:3
    #6 0x7f0c7621a04f in opencascade::handle<Graphic3d_CStructure>::EndScope() /home/abv/occt/src/Standard/Standard_Handle.hxx:394:17
    0000007 0x7f0c76218d68 in opencascade::handle<Graphic3d_CStructure>::Nullify() /home/abv/occt/src/Standard/Standard_Handle.hxx:90:7
    0000008 0x7f0c762172ff in OpenGl_GraphicDriver::RemoveStructure(opencascade::handle<Graphic3d_CStructure>&) /home/abv/occt/src/OpenGl/OpenGl_GraphicDriver.cxx:627:17
    0000009 0x7f0c793fb847 in Graphic3d_Structure::Remove() /home/abv/occt/src/Graphic3d/Graphic3d_Structure.cxx:134:34
    #10 0x7f0c794ec0ab in PrsMgr_Presentation::Erase() /home/abv/occt/src/PrsMgr/PrsMgr_Presentation.cxx:112:14
    0000011 0x7f0c794eea3d in PrsMgr_PresentationManager::Erase(opencascade::handle<PrsMgr_PresentableObject> const&, int) /home/abv/occt/src/PrsMgr/PrsMgr_PresentationManager.cxx:110:13
    #12 0x7f0c795745a2 in AIS_InteractiveContext::ClearGlobal(opencascade::handle<AIS_InteractiveObject> const&, bool) /home/abv/occt/src/AIS/AIS_InteractiveContext.cxx:2042:13
    0000013 0x7f0c79574346 in AIS_InteractiveContext::Remove(opencascade::handle<AIS_InteractiveObject> const&, bool) /home/abv/occt/src/AIS/AIS_InteractiveContext.cxx:676:3
    0000014 0x7f0c76691eff in ViewerTest::Clear() /home/abv/occt/src/ViewerTest/ViewerTest.cxx:876:22
    0000015 0x7f0c76769594 in VClear(Draw_Interpretor&, int, char const**) /home/abv/occt/src/ViewerTest/ViewerTest_ViewerCommands.cxx:3930:5
    0000016 0x7f0c87c5c349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    0000017 0x7f0c87c69b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000018 0x7f0c81ff9b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

previously allocated by thread T0 here:
    #0 0x4deef0 in calloc (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deef0)
    0000001 0x7f0c835c2658 in Standard_MMgrRaw::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:41:39
    0000002 0x7f0c835b87ac in Standard::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard.cxx:240:43
    #3 0x7f0c87c530f8 in Standard_Transient::operator new(unsigned long) /home/abv/occt/src/Standard/Standard_Transient.hxx:35:3
    #4 0x7f0c76216ff3 in OpenGl_GraphicDriver::CreateStructure(opencascade::handle<Graphic3d_StructureManager> const&) /home/abv/occt/src/OpenGl/OpenGl_GraphicDriver.cxx:608:41
    #5 0x7f0c793fb196 in Graphic3d_Structure::Graphic3d_Structure(opencascade::handle<Graphic3d_StructureManager> const&, opencascade::handle<Graphic3d_Structure> const&) /home/abv/occt/src/Graphic3d/Graphic3d_Structure.cxx:57:49
    #6 0x7f0c794ebd1f in PrsMgr_Presentation::PrsMgr_Presentation(opencascade::handle<PrsMgr_PresentationManager> const&, opencascade::handle<PrsMgr_PresentableObject> const&, int) /home/abv/occt/src/PrsMgr/PrsMgr_Presentation.cxx:53:3
    0000007 0x7f0c794ee023 in PrsMgr_PresentationManager::Presentation(opencascade::handle<PrsMgr_PresentableObject> const&, int, bool, opencascade::handle<PrsMgr_PresentableObject> const&) const /home/abv/occt/src/PrsMgr/PrsMgr_PresentationManager.cxx:513:42
    0000008 0x7f0c794edafe in PrsMgr_PresentationManager::Display(opencascade::handle<PrsMgr_PresentableObject> const&, int) /home/abv/occt/src/PrsMgr/PrsMgr_PresentationManager.cxx:52:40
    0000009 0x7f0c795728cf in AIS_InteractiveContext::Display(opencascade::handle<AIS_InteractiveObject> const&, int, int, bool, AIS_DisplayStatus) /home/abv/occt/src/AIS/AIS_InteractiveContext.cxx:452:15
    #10 0x7f0c7669b837 in VDisplay2(Draw_Interpretor&, int, char const**) /home/abv/occt/src/ViewerTest/ViewerTest.cxx:5152:15
    0000011 0x7f0c87c5c349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #12 0x7f0c87c69b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000013 0x7f0c81ff9b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-use-after-free /home/abv/occt/src/NCollection/NCollection_Sequence.hxx:148:13 in NCollection_Sequence<opencascade::handle<Graphic3d_Group> >::IsEmpty() const
Shadow bytes around the buggy address:
  0x0c24800092a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c24800092b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c24800092c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c24800092d0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c24800092e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c24800092f0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480009300: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480009310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480009320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480009330: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c2480009340: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==22996==ABORTING
Additional information
and documentation updates
The same in bugs vis bug26199

It should be noted that I am running under Ubuntu 16.04 virtual machine under Virtual Box, host is Windows 10 64-bit, and in that setting I seem to have only software OpenGL implementation:

Draw[7]> vglinfo
OpenGL info:
  GLXDirectRendering: Yes
  GLXVendor: SGI
  GLXVersion: 1.4
  GLXClientVendor: Mesa Project and SGI
  GLXClientVersion: 1.4
  GLvendor: VMware, Inc.
  GLdevice: Gallium 0.4 on llvmpipe (LLVM 3.8, 256 bits)
  GLversion: 3.0 Mesa 11.2.0
  GLSLversion: 1.30
  Max texture size: 8192
  Max FBO dump size: 8192x8192
  Max combined texture units: 54
  Max MSAA samples: 1
  Viewport: 409x409
  GPU memory: 1999 MiB
  ResolutionRatio: 1
TagsNo tags attached.
Test case number

Relationships

duplicate of 0025341 closedapn Open CASCADE Visualization - disallow displaying object as part of connected one and as a free one at the same time 
related to 0030516 closedbugmaster Community Visualization - Pointer to an OpenGl_Structure is deleted and accessed later after PrsMgr_Presentation::Highlight() 
child of 0030557 newvpozdyayev Open CASCADE Coding - eliminate errors reported by -fsanitize 

Activities

kgv

2019-09-28 12:00

developer   ~0087589

Last edited: 2019-09-28 12:00

Minimized:
pload MODELING VISUALIZATION
psphere s 0.5
vclear
vinit View1
vaxo
vsetdispmode 1
vdisplay s
vconnectto s_2 2 0 0 s
vclear


Issue History

Date Modified Username Field Change
2019-09-21 08:03 abv New Issue
2019-09-21 08:03 abv Assigned To => kgv
2019-09-21 08:04 abv Relationship added child of 0030557
2019-09-21 10:04 kgv Relationship added related to 0030516
2019-09-28 09:31 abv Additional Information Updated
2019-09-28 12:00 kgv Note Added: 0087589
2019-09-28 12:00 kgv Note Edited: 0087589
2019-09-28 12:02 kgv Relationship added related to 0025341
2019-09-28 12:03 kgv Relationship replaced duplicate of 0025341
2019-09-29 10:13 abv Additional Information Updated
2020-08-28 14:30 kgv Target Version 7.5.0 => 7.6.0
2021-08-24 14:13 kgv Target Version 7.6.0 => 7.7.0
2022-08-17 11:59 kgv Target Version 7.7.0 => 7.8.0
2022-10-19 15:49 smoskvin Assigned To kgv => vpozdyayev
2023-08-01 15:09 dpasukhi Target Version 7.8.0 => Unscheduled