View Issue Details

Related ChangesetsJump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0030992Open CASCADEOCCT:Foundation Classespublic2019-09-24 08:272020-12-02 17:12
ReporterabvAssigned Toabv 
PrioritynormalSeverityminor 
Status closedResolutionfixed 
Target Version7.5.0Fixed in Version7.5.0 
Summary0030992: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in BSplCLib::BuildKnots()
DescriptionWhen running OCCT built on Linux with Clang with option -fsanitize=address, error heap-buffer-overflow is reported on test bugs moddata_3 bug24621:

offset obs bs -2
=================================================================
==4262==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000ba00 at pc 0x7f5e0b3feb40 bp 0x7ffecd4a4c60 sp 0x7ffecd4a4c58

READ of size 8 at 0x61200000ba00 thread T0
    #0 0x7f5e0b3feb3f in BSplCLib::BuildKnots(int, int, bool, NCollection_Array1 const&, NCollection_Array1 const*, double&) /home/abv/occt/src/BSplCLib/BSplCLib.cxx:1545:14
    0000001 0x7f5e0b4270db in PrepareEval(double, double, int, int, int, int, bool, bool, bool, bool, NCollection_Array2 const&, NCollection_Array2 const*, NCollection_Array1 const&, NCollection_Array1 const&, NCollection_Array1 const*, NCollection_Array1 const*, double&, double&, int&, int&, bool&, BSplSLib_DataContainer&) /home/abv/occt/src/BSplSLib/BSplSLib.cxx:462:5
    0000002 0x7f5e0b42f63a in BSplSLib::BuildCache(double, double, double, double, bool, bool, int, int, int, int, NCollection_Array1 const&, NCollection_Array1 const&, NCollection_Array2 const&, NCollection_Array2 const*, NCollection_Array2&, NCollection_Array2*) /home/abv/occt/src/BSplSLib/BSplSLib.cxx:1943:5
    #3 0x7f5e0bd260f2 in Geom_OsculatingSurface::BuildOsculatingSurface(double, int, int, opencascade::handle const&, opencascade::handle&) const /home/abv/occt/src/Geom/Geom_OsculatingSurface.cxx:581:5
    #4 0x7f5e0bd23c18 in Geom_OsculatingSurface::Init(opencascade::handle const&, double) /home/abv/occt/src/Geom/Geom_OsculatingSurface.cxx:190:29
    #5 0x7f5e0bd22e66 in Geom_OsculatingSurface::Geom_OsculatingSurface(opencascade::handle const&, double) /home/abv/occt/src/Geom/Geom_OsculatingSurface.cxx:53:3
    #6 0x7f5e0bd1b047 in Geom_OffsetSurface::SetBasisSurface(opencascade::handle const&, bool) /home/abv/occt/src/Geom/Geom_OffsetSurface.cxx:232:21
    0000007 0x7f5e0bd1a3e0 in Geom_OffsetSurface::Geom_OffsetSurface(opencascade::handle const&, double, bool) /home/abv/occt/src/Geom/Geom_OffsetSurface.cxx:103:3
    0000008 0x7f5e0153303d in offseting(Draw_Interpretor&, int, char const**) /home/abv/occt/src/GeomliteTest/GeomliteTest_SurfaceCommands.cxx:801:41
    0000009 0x7f5e0f489349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #10 0x7f5e0f496b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000011 0x7f5e09826b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    #12 0x7f5e09828fa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    0000013 0x7f5e098c787a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    0000014 0x7f5e098c7756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    0000015 0x7f5e0f4980bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    0000016 0x7f5e0f47edad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    0000017 0x7f5e0f47fb90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    0000018 0x7f5e0f47d37b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    0000019 0x7f5e0f47c973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    0000020 0x7f5e0f499328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    0000021 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    0000022 0x7f5e0825282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    0000023 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x61200000ba00 is located 0 bytes to the right of 320-byte region [0x61200000b8c0,0x61200000ba00)
allocated by thread T0 here:
    #0 0x516918 in operator new[](unsigned long) (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x516918)
    0000001 0x7f5e0f4c7cf7 in NCollection_Array1::NCollection_Array1(int, int) /home/abv/occt/src/NCollection/NCollection_Array1.hxx:176:27
    0000002 0x7f5e0ea89ce1 in TColStd_HArray1OfReal::TColStd_HArray1OfReal(int, int) /home/abv/occt/src/TColStd/TColStd_HArray1OfReal.hxx:22:1
    #3 0x7f5e0bced468 in Geom_BSplineSurface::UpdateUKnots() /home/abv/occt/src/Geom/Geom_BSplineSurface.cxx:1078:19
    #4 0x7f5e0bcee142 in Geom_BSplineSurface::Geom_BSplineSurface(NCollection_Array2 const&, NCollection_Array2 const&, NCollection_Array1 const&, NCollection_Array1 const&, NCollection_Array1 const&, NCollection_Array1 const&, int, int, bool, bool) /home/abv/occt/src/Geom/Geom_BSplineSurface.cxx:287:3
    #5 0x7f5e0bcec50e in Geom_BSplineSurface::Copy() const /home/abv/occt/src/Geom/Geom_BSplineSurface.cxx:140:13
    #6 0x7f5e0bd2309a in Geom_OsculatingSurface::Init(opencascade::handle const&, double) /home/abv/occt/src/Geom/Geom_OsculatingSurface.cxx:68:52
    0000007 0x7f5e0bd22e66 in Geom_OsculatingSurface::Geom_OsculatingSurface(opencascade::handle const&, double) /home/abv/occt/src/Geom/Geom_OsculatingSurface.cxx:53:3
    0000008 0x7f5e0bd1b047 in Geom_OffsetSurface::SetBasisSurface(opencascade::handle const&, bool) /home/abv/occt/src/Geom/Geom_OffsetSurface.cxx:232:21
    0000009 0x7f5e0bd1a3e0 in Geom_OffsetSurface::Geom_OffsetSurface(opencascade::handle const&, double, bool) /home/abv/occt/src/Geom/Geom_OffsetSurface.cxx:103:3
    #10 0x7f5e0153303d in offseting(Draw_Interpretor&, int, char const**) /home/abv/occt/src/GeomliteTest/GeomliteTest_SurfaceCommands.cxx:801:41
    0000011 0x7f5e0f489349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #12 0x7f5e0f496b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000013 0x7f5e09826b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/abv/occt/src/BSplCLib/BSplCLib.cxx:1545:14 in BSplCLib::BuildKnots(int, int, bool, NCollection_Array1 const&, NCollection_Array1 const*, double&)
Shadow bytes around the buggy address:
  0x0c247fff96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9710: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff9740:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==4262==ABORTING
Steps To Reproducetest bugs moddata_3 bug24621
TagsNo tags attached.
Test case numberbugs moddata_3 bug24621

Relationships

related to 0024621 closedbugmaster Community Failed to build Geom_OffsetSurface on B-Spline 
child of 0030557 newdpasukhi Open CASCADE Coding - eliminate errors reported by -fsanitize 

Activities

git

2019-10-01 08:27

administrator   ~0087648

Branch CR30992 has been created by abv.

SHA-1: d0e16ae43a6753bb3df264fd97a0723dde73f6d2


Detailed log of new commits:

Author: abv
Date: Tue Oct 1 08:23:26 2019 +0300

    0030992: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in BSplCLib::BuildKnots()
    
    Inconsistent code for guessing bspline span index is removed in Geom_OsculatingSurface::BuildOsculatingSurface().

git

2019-10-01 15:48

administrator   ~0087666

Branch CR30992 has been updated forcibly by abv.

SHA-1: 92f981666a86a233d7242bb4aa6df8b0cf8a77ee

abv

2019-10-01 19:18

manager   ~0087673

The problem observed in debugger is that on one of calls to Geom_OsculatingSurface::BuildOsculatingSurface() done the cycle in method Init(), index of the interval for evaluation of B-Spline is computed equal to 1, due to multiplicity of the first knot being 1. With such an argument BsplSLib::BuildCache() does not perform search for the span, and uses that index 1. However, B-Spline has degree 13 and for its evaluation at span N it requires knots starting from N - Degree which becomes -12 in that case, thus knot out of range is requested.

Removal of ad-hoc code for guessing span index in Geom_OsculatingSurface::BuildOsculatingSurface() forces search of correct span index in BsplSLib::BuildCache() and seems to solve the problem reported in 0024621.

The proposed fix is pushed to CR30992 and tested, see Jenkins job CR30992-abv; please review.

abv

2019-10-06 08:36

manager   ~0087881

I confirm that the fix removes the issue reported by the sanitizer

git

2019-10-23 11:51

administrator   ~0088466

Branch CR30992 has been deleted by kgv.

SHA-1: 92f981666a86a233d7242bb4aa6df8b0cf8a77ee

Related Changesets

occt: master 9e3045da

2019-10-01 05:23:26

abv


Committer: abv Details Diff		 0030992: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in BSplCLib::BuildKnots()

Inconsistent code for guessing bspline span index is removed in Geom_OsculatingSurface::BuildOsculatingSurface().		 Affected Issues
0030992
mod - src/Geom/Geom_OsculatingSurface.cxx Diff File
mod - tests/bugs/moddata_3/bug24621 Diff File

Issue History

Date Modified Username Field Change
2019-09-24 08:27 abv New Issue
2019-09-24 08:27 abv Assigned To => abv
2019-09-24 08:28 abv Relationship added child of 0030557
2019-09-30 22:18 abv Relationship added related to 0024621
2019-10-01 08:27 git Note Added: 0087648
2019-10-01 15:48 git Note Added: 0087666
2019-10-01 19:18 abv Note Added: 0087673
2019-10-01 19:18 abv Assigned To abv => azv
2019-10-01 19:18 abv Status new => resolved
2019-10-01 19:18 abv Steps to Reproduce Updated
2019-10-06 08:36 abv Note Added: 0087881
2019-10-08 10:37 azv Assigned To azv => bugmaster
2019-10-08 10:37 azv Status resolved => reviewed
2019-10-23 01:07 abv Changeset attached => occt master 9e3045da
2019-10-23 01:07 abv Assigned To bugmaster => abv
2019-10-23 01:07 abv Status reviewed => verified
2019-10-23 01:07 abv Resolution open => fixed
2019-10-23 11:51 git Note Added: 0088466
2019-10-23 17:02 apn Test case number => bugs moddata_3 bug24621
2020-12-02 16:40 emo Fixed in Version => 7.5.0
2020-12-02 17:12 emo Status verified => closed